Download New Updated (July) Isaca CISA Actual Test 371-380

Ensurepass

 

QUESTION 371

Which of the following is a mechanism for mitigating risks?

A. Security and control practices
B. Property and liability insurance
C. Audit and certification
D. Contracts and service level agreements (SLAs)

Correct Answer: A

Explanation:

Risks are mitigated by implementing appropriate security and control practices. Insurance is a mechanism for transferring risk. Audit and certification are mechanisms of risk assurance, while contracts and SLAs are mechanisms of risk allocation.

QUESTION 372

To assist an organization in planning for IT investments, an IS auditor should recommend the use of:

A. project management tools.
B. an object-oriented architecture.
C. tactical planning.
D. enterprise architecture (EA).

Correct Answer: D

Explanation:

Enterprise architecture (EA) involves documenting the organization's IT assets and processes in a structured manner to facilitate understanding, management and planning for IT investments. It involves both a current state and a representation of an optimized future state. In attempting to complete an EA, organizations can address the problem either from a technology perspective or a business process perspective. Project management does not consider IT investment aspects; it is a tool to aid in delivering projects. Object-oriented architecture is a software development methodology and does not assist in planning for IT investment, while tactical planning is relevant only after high-level IT investment decisions have been made.

QUESTION 373

Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated?

A. Overlapping controls
B. Boundary controls
C. Access controls
D. Compensating controls

Correct Answer: D

Explanation:

Compensating controls are internal controls that are intended to reduce the risk of an existing or potential control weakness that may arise when duties cannot be appropriately segregated. Overlapping controls are two controls addressing the same control objective or exposure. Since primary controls cannot be achieved when duties cannot be, or are not, appropriately segregated, it is difficult to install overlapping controls. Boundary controls establish the interface between the would-be user of a computer system and the computer system itself, and are individual-based, not role-based, controls. Access controls for resources are based on individuals and not on roles.

QUESTION 374

An IS auditor reviewing an outsourcing contract of IT facilities would expect it to define the:

A. hardware configuration.
B. access control software.
C. ownership of intellectual property.
D. application development methodology.

Correct Answer: C

Explanation:

Of the choices, the hardware configuration and access control software are generally irrelevant as long as functionality, availability and security, which are the specific contractual obligations, are met. Similarly, the development methodology should be of no real concern. The contract must, however, specify who owns the intellectual property (i.e., the information being processed and the application programs). Ownership of intellectual property has a significant cost and is a key aspect to be defined in an outsourcing contract.

QUESTION 375

The initial step in establishing an information security program is the:

A. development and implementation of an information security standards manual.
B. performance of a comprehensive security control review by the IS auditor.
C. adoption of a corporate information security policy statement.
D. purchase of security access control software.

Correct Answer: C

Explanation:

A policy statement reflects the intent and support provided by executive management for proper security and establishes a starting point for developing the security program.

QUESTION 376

An IS auditor should expect which of the following items to be included in the request for proposal (RFP) when IS is procuring services from an independent service provider (ISP)?

A. References from other customers
B. Service level agreement (SLA) template
C. Maintenance agreement
D. Conversion plan

Correct Answer: A

Explanation:

An IS auditor should look for an independent verification that the ISP can perform the tasks being contracted for. References from other customers would provide an independent, external review and verification of the procedures and processes the ISP follows, issues which would be of concern to an IS auditor. Checking references is a means of obtaining an independent verification that the vendor can perform the services it says it can. A maintenance agreement relates more to equipment than to services, and a conversion plan, while important, is less important than verification that the ISP can provide the services it proposes.

QUESTION 377

An IT steering committee should review information systems PRIMARILY to assess:

A. whether IT processes support business requirements.
B. if proposed system functionality is adequate.
C. the stability of existing software.
D. the complexity of installed technology.

Correct Answer: A

Explanation:

The role of an IT steering committee is to ensure that the IS department is in harmony with the organization's mission and objectives. To ensure this, the committee must determine whether IS processes support the business requirements. Assessing proposed additional functionality and evaluating software stability and the complexity of technology are too narrow in scope to ensure that IT processes are, in fact, supporting the organization's goals.

QUESTION 378

An IS auditor is reviewing a project to implement a payment system between a parent bank and a subsidiary. The IS auditor should FIRST verify that the:

A. technical platforms between the two companies are interoperable.
B. parent bank is authorized to serve as a service provider.
C. security features are in place to segregate subsidiary trades.
D. subsidiary can join as a co-owner of this payment system.

Correct Answer: B

Explanation:

Even between parent and subsidiary companies, contractual agreement(s) should be in place to conduct shared services. This is particularly important in highly regulated organizations such as banks. Unless it has been authorized to serve as a service provider, it may not be legal for the parent bank to extend this business to its subsidiary companies. Technical aspects should always be considered; however, this can be initiated after confirming that the parent bank can serve as a service provider. Security aspects are another important factor; however, these should also be considered after confirming that the parent bank can serve as a service provider. The ownership of the payment system is not as important as the legal authorization to operate the system.

QUESTION 379

An IS auditor was hired to review e-business security. The IS auditor's first task was to examine each existing e-business application looking for vulnerabilities. What would be the next task?

A. Report the risks to the CIO and CEO immediately
B. Examine e-business applications in development
C. Identify threats and likelihood of occurrence
D. Check the budget available for risk management

Correct Answer: C

Explanation:

An IS auditor must identify the assets, look for vulnerabilities, and then identify the threats and the likelihood of occurrence. Choices A, B and D should be discussed with the CIO, and a report should be delivered to the CEO. The report should include the findings along with priorities and costs.

QUESTION 380

An organization has outsourced its help desk activities. An IS auditor's GREATEST concern when reviewing the contract and associated service level agreement (SLA) between the organization and vendor should be the provisions for:

A. documentation of staff background checks.
B. independent audit reports or full audit access.
C. reporting the year-to-year incremental cost reductions.
D. reporting staff turnover, development or training.

Correct Answer: B

Explanation:

When the functions of an IS department are outsourced, an IS auditor should ensure that a provision is made for independent audit reports that cover all essential areas, or that the outsourcing organization has full audit access. Although it is necessary to document the fact that background checks are performed, this is not as important as provisions for audits. Financial measures such as year-to-year incremental cost reductions are desirable to have in a service level agreement (SLA); however, cost reductions are not as important as the availability of independent audit reports or full audit access. An SLA might include human relationship measures such as resource planning, staff turnover, development or training, but this is not as important as the requirements for independent reports or full audit access by the outsourcing organization.
