[Q414-Q431] Free CISA Exam Files Downloaded Instantly UPDATED [2024]


100% Pass Guaranteed Free CISA Exam Dumps


Career Prospects for Successful Exam-Passers

Any successful candidate who passes the ISACA CISA certification exam can take on the role of information systems auditor in international companies. According to Payscale.com, a mid-level auditor with 5-9 years of experience can earn an annual salary of $75k.


ISACA CISA certification is a globally recognized certification that evaluates the knowledge and expertise of professionals in the field of information systems auditing, control, and security. Certified Information Systems Auditor certification is highly valued in the industry and provides a competitive advantage to professionals who are seeking to advance their careers in the field of information systems auditing. The CISA exam covers five domains and is comprehensive, testing the candidate's knowledge and skills across these domains.


NEW QUESTION # 414
An IS auditor notes that the anticipated benefits from an ongoing infrastructure project have changed due to recent organizational restructuring. Which of the following is the IS auditor's BEST recommendation?

  • A. Review and reapprove the business case.
  • B. Revise business goals and objectives.
  • C. Conduct a new feasibility study.
  • D. Review and update the business impact analysis (BIA).

Answer: B

Explanation:
Section: The process of Auditing Information System


NEW QUESTION # 415
From a control perspective, the PRIMARY objective of classifying information assets is to:

  • A. identify which assets need to be insured against losses.
  • B. establish guidelines for the level of access controls that should be assigned.
  • C. assist management and auditors in risk assessment.
  • D. ensure access controls are assigned to all information assets.

Answer: B

Explanation:
Information has varying degrees of sensitivity and criticality in meeting business objectives. By assigning classes or levels of sensitivity and criticality to information resources, management can establish guidelines for the level of access controls that should be assigned. End user management and the security administrator will use these classifications in their risk assessment process to assign a given class to each asset.


NEW QUESTION # 416
Which of the following is MOST important to ensure when planning a black box penetration test?

  • A. Diagrams of the organization's network architecture are available
  • B. The test results will be documented and communicated to management.
  • C. The environment and penetration test scope have been determined
  • D. The management of the client organization is aware of the testing

Answer: D


NEW QUESTION # 417
Which of the following methods should be used to effectively erase sensitive data from portable storage devices that are to be reused?

  • A. Exposing the portable device to a magnetic field
  • B. Using media sanitization software
  • C. Formatting the portable device
  • D. Overwriting the sensitive data

Answer: A


NEW QUESTION # 418
How does the digital envelope work? What are the correct steps to follow?

  • A. You encrypt the data using a session key and then encrypt the session key using the private key of the sender
  • B. You encrypt the data using the session key and then you encrypt the session key using the sender's public key
  • C. You encrypt the data using the session key and then you encrypt the session key using the receiver's public key
  • D. You encrypt the data using the session key and then you encrypt the session key using the receiver's private key

Answer: C

Explanation:
Section: Protection of Information Assets

The process of encrypting bulk data using symmetric key cryptography and then encrypting the session key using a public key algorithm is referred to as a digital envelope.

A digital envelope is used to send information encrypted with a symmetric cipher together with the session key that encrypted it. It is a secure method of sending an electronic document without compromising the data integrity, authentication and non-repudiation obtained with the use of symmetric keys.

A digital envelope mechanism works as follows:

The symmetric key used to encrypt the message is referred to as the session key. The bulk of the message takes advantage of the high speed provided by a symmetric cipher.

The session key must then be communicated to the receiver in a secure way to allow the receiver to decrypt the message. If the session key were sent to the receiver in plain text, it could be captured in clear text over the network, and anyone could access the session key, which would compromise confidentiality. Therefore it is critical to encrypt the session key with the receiver's public key before sending it to the receiver. The receiver uses the matching private key to decrypt the session key, which then allows them to decrypt the message using the session key.

The encrypted message and the encrypted session key are sent to the receiver, who in turn decrypts the session key with the receiver's private key. The session key is then applied to the message ciphertext to recover the plaintext.

The following were incorrect answers:

You encrypt the data using a session key and then encrypt the session key using the private key of the sender - If the session key is encrypted using the sender's private key, it can be decrypted only using the sender's public key. The sender's public key is known to everyone, so anyone could decrypt the session key and the message.

You encrypt the data using the session key and then you encrypt the session key using the sender's public key - If the session key is encrypted using the sender's public key, then only the sender can decrypt the session key using his/her own private key, and the receiver will not be able to decrypt it.

You encrypt the data using the session key and then you encrypt the session key using the receiver's private key - The sender should not have access to the receiver's private key. This is not a valid option.

The following reference(s) were/was used to create this question:
CISA Review Manual 2014, pages 350 and 351
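The sender's and receiver's steps described in the explanation above, as an added example that is not part of the original question bank or of the CISA Review Manual. It is a Go program using only the standard library; the algorithm choices are assumptions (the page names none): a 2048-bit RSA key pair for the receiver, RSA-OAEP to wrap the session key, and AES-256-GCM for the bulk data, so that tampering with the ciphertext is also detected. The function names `Seal`, `Open` and `GenerateReceiverKey` and the sample message are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope carries what the sender transmits: the session key wrapped with the
// receiver's public key, and the message encrypted under that session key.
type Envelope struct {
	WrappedKey []byte // session key encrypted with RSA-OAEP to the receiver's public key
	Nonce      []byte // AES-GCM nonce, fresh for this session key
	Ciphertext []byte // message encrypted with AES-256-GCM under the session key
}

// GenerateReceiverKey creates the receiver's RSA key pair (2048-bit assumed here).
func GenerateReceiverKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal performs the sender's steps: generate a random session key, encrypt the
// bulk message with it, then encrypt the session key with the receiver's public key.
func Seal(receiverPub *rsa.PublicKey, msg []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32) // fresh symmetric key used for this message only
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, msg, nil)
	// Only the holder of the matching private key can unwrap the session key,
	// which is why the receiver's public key (not the sender's) is used here.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Open performs the receiver's steps: unwrap the session key with the private
// key, then decrypt (and integrity-check) the message with the session key.
func Open(receiverPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	if env == nil {
		return nil, errors.New("nil envelope")
	}
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap session key: %w", err)
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	receiver, err := GenerateReceiverKey()
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed sample document") // constructed sample input
	env, err := Seal(&receiver.PublicKey, msg)
	if err != nil {
		panic(err)
	}
	plain, err := Open(receiver, env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %s\n", plain)

	// Any party other than the receiver cannot unwrap the session key.
	other, _ := GenerateReceiverKey()
	if _, err := Open(other, env); err != nil {
		fmt.Println("a different private key cannot open the envelope:", err)
	}
}
```

The session key never leaves the sender in the clear: it is only ever transmitted inside the RSA-OAEP wrapping, and a holder of a different private key fails at the unwrap step rather than obtaining a wrong-but-plausible key. AES-GCM additionally rejects any modification of the ciphertext, which is the integrity property the explanation mentions.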


NEW QUESTION # 419
Which of the following is MOST likely to ensure that an organization's systems development meets its business objectives?

  • A. A focus on strategic projects
  • B. Business owner involvement
  • C. Segregation of systems development and testing
  • D. A project plan with clearly identified requirements

Answer: B


NEW QUESTION # 420
A virtual private network (VPN) provides data confidentiality by using:

  • A. Tunnelling
  • B. Phishing
  • C. Secure Sockets Layer (SSL)
  • D. Digital signatures

Answer: A

Explanation:
VPNs secure data in transit by encapsulating traffic, a process known as tunnelling. SSL is a symmetric method of encryption between a server and a browser. Digital signatures are not used in the VPN process, while phishing is a form of a social engineering attack.


NEW QUESTION # 421
Which of the following BEST describes the role of a directory server in a public key infrastructure (PKI)?

  • A. Makes other users' certificates available to applications
  • B. Stores certificate revocation lists (CRLs)
  • C. Encrypts the information transmitted over the network
  • D. Facilitates the implementation of a password policy

Answer: A

Explanation:
A directory server makes other users' certificates available to applications. Encrypting the information transmitted over the network and storing certificate revocation lists (CRLs) are roles performed by a security server. Facilitating the implementation of a password policy is not relevant to public key infrastructure (PKI).


NEW QUESTION # 422
Which of the following would BEST manage the risk of changes in requirements after the analysis phase of a business application development project?

  • A. Sign-off from the IT team
  • B. Quality assurance (QA) review
  • C. Ongoing participation by relevant stakeholders
  • D. Expected deliverables meeting project deadlines

Answer: C


NEW QUESTION # 423
An organization using instant messaging to communicate with customers can prevent legitimate customers from being impersonated by:

  • A. logging conversations.
  • B. using firewalls to limit network traffic to authorized ports.
  • C. authenticating users before conversations are initiated.
  • D. using call monitoring.

Answer: C


NEW QUESTION # 424
Due to a high volume of customer orders, an organization plans to implement a new application for customers to use for online ordering. Which type of testing is MOST important to ensure the security of the application prior to go-live?

  • A. Regression testing
  • B. User acceptance testing (UAT)
  • C. Vulnerability testing
  • D. Stress testing

Answer: C


NEW QUESTION # 425
When testing segregation of duties, which of the following audit techniques provides the MOST reliable evidence?

  • A. Interviewing managers and end users
  • B. Evaluating the department structure via the organizational chart
  • C. Observing daily operations for the area in scope
  • D. Reviewing departmental procedure handbooks

Answer: C


NEW QUESTION # 426
A substantive test to verify that tape library inventory records are accurate is:

  • A. conducting a physical count of the tape inventory.
  • B. checking if receipts and issues of tapes are accurately recorded.
  • C. determining whether the movement of tapes is authorized.
  • D. determining whether bar code readers are installed.

Answer: A

Explanation:
A substantive test includes gathering evidence to evaluate the integrity of individual transactions, data or other information. Conducting a physical count of the tape inventory is a substantive test. The other choices are compliance tests.


NEW QUESTION # 427
When engaging services from external auditors, which of the following should be established FIRST?

  • A. Termination conditions agreements
  • B. Nondisclosure agreements
  • C. Operational level agreements
  • D. Service level agreements

Answer: B


NEW QUESTION # 428
Which of the following would be of GREATEST concern to an IS auditor evaluating governance over open source development components?

  • A. The development project has gone over budget and time
  • B. Existing open source policies have not been approved in over a year
  • C. The open source development components do not meet industry best practices
  • D. The software is not analyzed for compliance with organizational requirements

Answer: D


NEW QUESTION # 429
Which of the following occurs during the issues management process for a system development project?

  • A. Help desk management
  • B. Impact assessment
  • C. Configuration management
  • D. Contingency planning

Answer: A

Explanation:
Section: Information System Operations, Maintenance and Support


NEW QUESTION # 430
When developing a risk management program, what is the FIRST activity to be performed?

  • A. Threat assessment
  • B. Classification of data
  • C. Inventory of assets
  • D. Criticality analysis

Answer: C

Explanation:
Identification of the assets to be protected is the first step in the development of a risk management program. A listing of the threats that can affect the performance of these assets and criticality analysis are later steps in the process. Data classification is required for defining access controls and in criticality analysis.


NEW QUESTION # 431
......

Latest CISA dumps - Instant Download PDF: https://www.testinsides.top/CISA-dumps-review.html

Verified & Latest CISA Dump Q&As with Correct Answers: https://drive.google.com/open?id=1RtnmdV8CkntefgIXQh3RUSkfRT7WjPgc