Isaca CISA exam practice questions and answers, shared free of charge from the latest exam2pass CISA dumps.
Latest Update Isaca CISA Exam Practice Questions and Answers Online Test
QUESTION 1
Which of the following is the BEST way for management to ensure the effectiveness of the cybersecurity incident
response process?
A. Periodic update of incident response process documentation
B. Periodic reporting of cybersecurity incidents to key stakeholders
C. Periodic tabletop exercises involving key stakeholders
D. Periodic cybersecurity training for staff involved in incident response
Correct Answer: C
QUESTION 2
Which of the following is MOST important when an organization contracts for the long-term use of a custom-developed
application?
A. Documented coding standards
B. Error correction management
C. Contract renewal provisions
D. Escrow clause
Correct Answer: C
QUESTION 3
What would be the major purpose of a rootkit?
A. to hide evidence from system administrators.
B. to encrypt files for system administrators.
C. to corrupt files for system administrators.
D. to hijack system sessions.
E. None of the choices.
Correct Answer: A
The term rootkit originally described recompiled Unix tools that would hide any trace of the intruder.
You can say that the only purpose of a rootkit is to hide evidence from system administrators, so that malicious
special-privilege access attempts cannot be detected.
QUESTION 4
Which of the following network configuration options contains a direct link between any two host machines?
A. Bus
B. Ring
C. Star
D. Completely connected (mesh)
Correct Answer: D
A completely connected mesh configuration creates a direct link between any two host machines.
QUESTION 5
In a public key infrastructure (PKI), the authority responsible for the identification and authentication of an applicant for a
digital certificate (i.e., certificate subjects) is the:
A. registration authority (RA).
B. issuing certification authority (CA).
C. subject CA.
D. policy management authority.
Correct Answer: A
An RA is an entity that is responsible for the identification and authentication of certificate subjects, but the RA does not sign
or issue certificates. The certificate subject usually interacts with the RA to complete the process of subscribing to the
services of the certification authority in terms of getting identity validated with standard identification documents, as
detailed in the certificate policies of the CA. In the context of a particular certificate, the issuing CA is the CA that issued
the certificate. In the context of a particular CA certificate, the subject CA is the CA whose public key is certified in the
certificate.
QUESTION 6
TEMPEST is hardware for which of the following purposes?
A. Eavesdropping
B. Social engineering
C. Virus scanning
D. Firewalling
E. None of the choices.
Correct Answer: A
Any data that is transmitted over a network is at some risk of being eavesdropped upon, or even modified, by a malicious
person. Even machines that operate as a closed system can be eavesdropped upon by monitoring the faint
electromagnetic emanations generated by their hardware, which is what equipment such as TEMPEST is used for.
QUESTION 7
What would be an IS auditor's GREATEST concern when using a test environment for an application audit?
A. Test and production environments lack data encryption.
B. Developers have access to the test environment.
C. Retention period of test data has been exceeded.
D. Test and production environments do not mirror each other.
Correct Answer: D
QUESTION 8
A small organization does not have enough employees to implement adequate segregation of duties in accounts
payable. Which of the following is the BEST compensating control to mitigate the risk associated with this situation?
A. Regular reconciliation of key transactions approved by a supervisor
B. Supervisory review of logs to detect changes in vendors
C. Review of transactions exceeding a specific threshold
D. Rotation of duties among existing personnel
Correct Answer: B
QUESTION 9
What control detects transmission errors by appending calculated bits onto the end of each segment of data?
A. Reasonableness check
B. Parity check
C. Redundancy check
D. Check digits
Correct Answer: C
A redundancy check detects transmission errors by appending calculated bits onto the end of each segment of data. A
reasonableness check compares data to predefined reasonability limits or occurrence rates established for the data. A
parity check is a hardware control that detects data errors when data are read from one computer to another, from
memory, or during transmission. Check digits detect transposition and transcription errors.
QUESTION 10
Applying a retention date on a file will ensure that:
A. data cannot be read until the date is set.
B. data will not be deleted before that date.
C. backup copies are not retained after that date.
D. datasets having the same name are differentiated.
Correct Answer: B
A retention date will ensure that a file cannot be overwritten before that date has passed. The retention date will not
affect the ability to read the file. Backup copies would be expected to have a different retention date and therefore may
be retained after the file has been overwritten. The creation date, not the retention date, will differentiate files with the
same name.
QUESTION 11
Which policy helps an auditor gain a better understanding of the biometrics system in an organization?
A. BIMS Policy
B. BOMS Policy
C. BMS Policy
D. BOS Policy
Correct Answer: A
The auditor should use a Biometric Information Management System (BIMS) Policy to gain a better understanding of the
biometric system in use.
Management of Biometrics
Management of biometrics should address effective security for the collection, distribution and processing of biometric
data, encompassing:
- Data integrity, authenticity and non-repudiation
- Management of biometric data across its life cycle, comprised of the enrollment, transmission and storage, verification, identification, and termination processes
- Usage of biometric technology, including one-to-one and one-to-many matching, for identification and authentication
- Application of biometric technology for internal and external, as well as logical and physical, access control
- Encapsulation of biometric data
- Security of the physical hardware used throughout the biometric data life cycle
- Techniques for integrity and privacy protection of biometric data
Management should develop and approve a Biometric Information Management and Security (BIMS) policy. The auditor
should use the BIMS policy to gain a better understanding of the biometric system in use. With respect to testing, the
auditor should make sure this policy has been developed and that the biometric information system is being secured
appropriately.
The identification and authentication procedures for individual enrollment and template creation should be specified in the
BIMS policy.
The following were incorrect answers:
All other choices presented were incorrect answers because they are not valid policies.
Reference:
CISA review manual 2014 Page number 331 and 332
QUESTION 12
Which of the following is the PRIMARY objective of implementing privacy-related controls within an organization?
A. To identify data at rest and data in transit for encryption
B. To prevent confidential data loss
C. To comply with legal and regulatory requirements
D. To provide options to individuals regarding use of their data
Correct Answer: C
QUESTION 13
Who is mainly responsible for protecting the information assets they have been entrusted with on a daily basis by defining
who can access the data, its sensitivity level and type of access, and by adhering to corporate information security policies?
A. Data Owner
B. Security Officer
C. Senior Management
D. End User
Correct Answer: A
The Data Owner is the person who has been entrusted with a data set that belongs to the company. As such, they are
responsible for classifying the data according to its value and sensitivity. The Data Owner decides who will get access to
the data and what type of access will be granted. The Data Owner will tell the Data Custodian or System Administrator
what access to configure within the systems.
A business executive or manager is typically responsible for an information asset. These are the individuals that assign
the appropriate classification to information assets. They ensure that the business information is protected with
appropriate controls. Periodically, the information asset owners need to review the classification and access rights
associated with information assets. The owners, or their delegates, may be required to approve access to the
information. Owners also need to determine the criticality, sensitivity, retention, backups, and safeguards for the
information. Owners or their delegates are responsible for understanding the risks that exist with regards to the
information that they control.
The following answers are incorrect:
Executive Management/Senior Management – Executive management maintains the overall responsibility for protection
of the information assets. The business operations are dependent upon information being available, accurate, and
protected from individuals without a need to know.
Security Officer – The security officer directs, coordinates, plans, and organizes information security activities throughout
the organization. The security officer works with many different individuals, such as executive management,
management of the business units, technical staff, business partners, auditors, and third parties such as vendors. The
security officer and his or her team are responsible for the design, implementation, management, and review of the
organization's security policies, standards, procedures, baselines, and guidelines.
End User – The end user does not decide on the classification of the data.
Reference:
CISA review manual 2014 page number 108 Official ISC2 guide to CISSP CBK 3rd Edition Page number 342