Download New Updated (July) Isaca CISA Actual Test 321-330

Ensurepass

 

QUESTION 321

As an outcome of information security governance, strategic alignment provides:

 

A.

security requirements driven by enterprise requirements.

B.

baseline security following best practices.

C.

institutionalized and commoditized solutions.

D.

an understanding of risk exposure.

 

Correct Answer: A

Explanation:

Information security governance, when properly implemented, should provide four basic outcomes: strategic alignment, value delivery, risk management and performance measurement. Strategic alignment provides security requirements that are driven by enterprise requirements, so that security investment follows business objectives rather than technology for its own sake. Value delivery provides a standard set of security practices, i.e., baseline security following best practices (choice B) and institutionalized and commoditized solutions (choice C). Risk management provides an understanding of risk exposure (choice D).

 

 

QUESTION 322

Before implementing an IT balanced scorecard, an organization must:

 

A.

deliver effective and efficient services.

B.

define key performance indicators.

C.

provide business value to IT projects.

D.

control IT expenses.

 

Correct Answer: B

Explanation:

A definition of key performance indicators is required before implementing an IT balanced scorecard. Choices A, C and D are objectives.

 

 

QUESTION 323

To address the risk of operations staff’s failure to perform the daily backup, management requires that the systems administrator sign off on the daily backup. This is an example of risk:

 

A.

avoidance.

B.

transference.

C.

mitigation.

D.

acceptance.

 

Correct Answer: C

Explanation:

Mitigation is the strategy that provides for the definition and implementation of controls to address the risk described. Avoidance is a strategy that provides for not implementing certain activities or processes that would incur risk. Transference is the strategy that provides for sharing risk with partners or taking insurance coverage. Acceptance is a strategy that provides for formal acknowledgement of the existence of a risk and the monitoring of that risk.

 

 

QUESTION 324

In the context of effective information security governance, the primary objective of value delivery is to:

 

A.

optimize security investments in support of business objectives.

B.

implement a standard set of security practices.

C.

institute a standards-based solution.

D.

implement a continuous improvement culture.

 

Correct Answer: A

Explanation:

In the context of effective information security governance, value delivery is implemented to ensure optimization of security investments in support of business objectives. The tools and techniques for implementing value delivery include implementation of a standard set of security practices, institutionalization and commoditization of standards-based solutions, and implementation of a continuous improvement culture considering security as a process, not an event.

 

 

QUESTION 325

Which of the following would an IS auditor consider the MOST relevant to short-term planning for an IS department?

 

A.

Allocating resources

B.

Keeping current with technology advances

C.

Conducting control self-assessment

D.

Evaluating hardware needs

 

Correct Answer: A

Explanation:

The IS department should specifically consider the manner in which resources are allocated in the short term. Investments in IT need to be aligned with top management strategies, rather than focusing on technology for technology’s sake. Conducting control self-assessments and evaluating hardware needs are not as critical as allocating resources during short-term planning for the IS department.

 

 

QUESTION 326

An IS auditor reviewing the risk assessment process of an organization should FIRST:

 

A.

identify the reasonable threats to the information assets.

B.

analyze the technical and organizational vulnerabilities.

C.

identify and rank the information assets.

D.

evaluate the effect of a potential security breach.

 

Correct Answer: C

Explanation:

Identification and ranking of information assets (e.g., data criticality, locations of assets) sets the tone and scope of how risk is assessed in relation to the organizational value of each asset. Second, the threats facing each of the organization's assets should be analyzed according to the asset's value to the organization. Third, weaknesses (vulnerabilities) should be identified so that controls can be evaluated to determine whether they mitigate those weaknesses. Fourth, analyze how these weaknesses, in the absence of the given controls, would impact the organization's information assets. Because each later step is scoped by the asset inventory and ranking, that step must come first.

 

QUESTION 327

Which of the following is the MOST important element for the successful implementation of IT governance?

 

A.

Implementing an IT scorecard

B.

Identifying organizational strategies

C.

Performing a risk assessment

D.

Creating a formal security policy

 

Correct Answer: B

Explanation:

The key objective of an IT governance program is to support the business; thus the identification of organizational strategies is necessary to ensure alignment between IT and corporate governance. Without identification of organizational strategies, the remaining choices, even if implemented, would be ineffective, because a scorecard, a risk assessment or a security policy has nothing to align to.

 

 

QUESTION 328

During an audit, an IS auditor notices that the IT department of a medium-sized organization has no separate risk management function, and the organization’s operational risk documentation only contains a few broadly described IT risks. What is the MOST appropriate recommendation in this situation?

 

A.

Create an IT risk management department and establish an IT risk framework with the aid of external risk management experts.

B.

Use common industry standard aids to divide the existing risk documentation into several individual risks which will be easier to handle.

C.

No recommendation is necessary since the current approach is appropriate for a medium-sized organization.

D.

Establish regular IT risk management meetings to identify and assess risks, and create a mitigation plan as input to the organization’s risk management.

 

Correct Answer: D

Explanation:

Establishing regular meetings is the best way to identify and assess risks in a medium-sized organization, to assign responsibilities to the respective management and to keep the risk list and mitigation plans up to date. A medium-sized organization would normally not have a separate IT risk management department. Moreover, the risks are usually manageable enough that external help would not be needed. While common risks may be covered by common industry standards, those standards cannot address the specific situation of an organization, and individual risks will not be discovered without a detailed assessment from within the organization; splitting the one risk position into several is therefore not sufficient. The current approach, with only a few broadly described IT risks, is not adequate, so a recommendation is required.

 

 

QUESTION 329

From a control perspective, the key element in job descriptions is that they:

 

A.

provide instructions on how to do the job and define authority.

B.

are current, documented and readily available to the employee.

C.

communicate management’s specific job performance expectations.

D.

establish responsibility and accountability for the employee’s actions.

 

Correct Answer: D

Explanation:

From a control perspective, a job description should establish responsibility and accountability. This will aid in ensuring that users are given system access in accordance with their defined job responsibilities. The other choices are not directly related to controls. Providing instructions on how to do the job and defining authority addresses the managerial and procedural aspects of the job. It is important that job descriptions are current, documented and readily available to the employee, but this in itself is not a control. Communication of management’s specific expectations for job performance outlines the standard of performance and would not necessarily include controls.

 

 

QUESTION 330

The output of the risk management process is an input for making:

 

A.

business plans.

B.

audit charters.

C.

security policy decisions.

D.

software design decisions.

 

Correct Answer: C

Explanation:

The risk management process is about making specific, security-related decisions, such as the level of acceptable risk. Choices A, B and D are not ultimate goals of the risk management process.

 
