CISA Dumps - Grab Out For [NEW-2021] ISACA Exam [Q300-Q325]



As a renowned validation among tech specialists, the ISACA CISA exam can strategically help in plotting your career goals. This certification test is designed to fortify your command of information systems and management. It is one of the most practical validations for mid-career individuals looking to take the next step in their careers.

 

NEW QUESTION 300
Which of the following strategies BEST optimizes data storage without compromising data retention practices?

  • A. Limiting the size of file attachments being sent via email
  • B. Allowing employees to store large emails on flash drives
  • C. Automatically deleting emails older than one year
  • D. Moving emails to a virtual email vault after 30 days

Answer: A

 

NEW QUESTION 301
An IS auditor reviewing database controls discovered that changes to the database during normal working hours were handled through a standard set of procedures. However, changes made after normal hours required only an abbreviated number of steps. In this situation, which of the following would be considered an adequate set of compensating controls?

  • A. Use the DBA user account to make changes, log the changes and review the change log the following day.
  • B. Allow changes to be made only with the DBA user account.
  • C. Use the normal user account to make changes, log the changes and review the change log the following day.
  • D. Make changes to the database after granting access to a normal user account.

Answer: A

Explanation:
Section: Protection of Information Assets
The use of a database administrator (DBA) user account is normally set up to log all changes made and is most appropriate for changes made outside of normal hours. The use of a log, which records the changes, allows changes to be reviewed. The use of the DBA user account without logging would permit uncontrolled changes to be made to databases once access to the account was obtained. The use of a normal user account with no restrictions would allow uncontrolled changes to any of the databases. Logging alone would only provide information on changes made, but would not limit changes to only those that were authorized. Hence, logging coupled with review forms an appropriate set of compensating controls.

 

NEW QUESTION 302
Who is responsible for ensuring that system controls and supporting processes provide an effective level of protection, based on the data classification set in accordance with corporate security policies and procedures?

  • A. User Management
  • B. Project Sponsor
  • C. Security Officer
  • D. Senior Management

Answer: C

Explanation:
Section: Information System Acquisition, Development and Implementation
The Security Officer ensures that system controls and supporting processes provide an effective level of protection, based on the data classification set in accordance with corporate security policies and procedures, and consults throughout the life cycle on appropriate security measures that should be incorporated into the system.
For the CISA exam you should know the roles and responsibilities of the groups and individuals that may be involved in the development process, summarized below:
Senior Management - Demonstrates commitment to the project and approves the necessary resources to complete the project. This commitment from senior management helps ensure involvement by those needed to complete the project.
User Management - Assumes ownership of the project and resulting system, allocates qualified representatives to the team, and actively participates in business process redesign, system requirement definitions, test case development, acceptance testing and user training. User management is concerned primarily with the following questions:
Are the required functions available in the software?
How reliable is the software?
How effective is the software?
Is the software easy to use?
How easy is it to transfer or adapt old data from preexisting software to this environment?
Is it possible to add new functions?
Does it meet regulatory requirements?
Project Steering Committee - Provides overall direction and ensures appropriate representation of the major stakeholders in the project's outcome. The project steering committee is ultimately responsible for all deliverables, project costs and schedules. This committee should be composed of senior representatives from each business area that will be significantly impacted by the proposed new system or system modifications.
System Development Management - Provides technical support for the hardware and software environment by developing, installing and operating the requested system.
Project Manager - Provides day-to-day management and leadership of the project, ensures that project activities remain in line with the overall direction, ensures appropriate representation of the affected departments, ensures that the project adheres to local standards, ensures that deliverables meet the quality expectations of key stakeholders, resolves interdepartmental conflicts, and monitors and controls the costs and timetable of the project.
Project Sponsor - Provides funding for the project and works closely with the project manager to define critical success factors (CSFs) and metrics for measuring the success of the project. It is crucial that success is translated into measurable and quantifiable terms. Data and application ownership are assigned to a project sponsor. A project sponsor is typically the senior manager in charge of the primary business unit that the application will support.
System Development Project Team - Completes assigned tasks, communicates effectively with users by actively involving them in the development process, works according to local standards, and advises the project manager of necessary plan deviations.
User Project Team - Completes assigned tasks, communicates effectively with the system developers by actively involving themselves in the development process as Subject Matter Experts (SMEs), works according to local standards, and advises the project manager of expected and actual project deviations.
Security Officer - Ensures that system controls and supporting processes provide an effective level of protection, based on the data classification set in accordance with corporate security policies and procedures, and consults throughout the life cycle on appropriate security measures that should be incorporated into the system.
Quality Assurance - Personnel who review results and deliverables within each phase and at the end of each phase, and confirm compliance with requirements. Their objective is to ensure the quality of the project by measuring the adherence of the project staff to the organization's software development life cycle (SDLC), advise on deviations, and propose recommendations for process improvement or greater control points when deviations occur.
The following were incorrect answers:
Project Sponsor - Provides funding for the project and works closely with the project manager to define critical success factors (CSFs) and metrics for measuring the success of the project. It is crucial that success is translated into measurable and quantifiable terms. Data and application ownership are assigned to a project sponsor. A project sponsor is typically the senior manager in charge of the primary business unit that the application will support.
User Management - Assumes ownership of the project and resulting system, allocates qualified representatives to the team, and actively participates in business process redesign, system requirement definitions, test case development, acceptance testing and user training.
Senior Management - Demonstrates commitment to the project and approves the necessary resources to complete the project. This commitment from senior management helps ensure involvement by those needed to complete the project.
The following reference was used to create this question:
CISA Review Manual 2014, page 150

 

NEW QUESTION 303
Which of the following is the BEST way to satisfy a two-factor user authentication?

  • A. A smart card requiring the user's PIN
  • B. User ID along with password
  • C. Iris scanning plus fingerprint scanning
  • D. A magnetic card requiring the user's PIN

Answer: A

Explanation:
A smart card addresses what the user has. This is generally used in conjunction with testing what the user knows, e.g., a keyboard password or personal identification number (PIN). An ID and password, what the user knows, is a single-factor user authentication. Choice C is not a two-factor user authentication because it is only biometric. Choice D is similar to choice A, but the magnetic card may be copied; therefore, choice A is the best way to satisfy a two-factor user authentication.

 

NEW QUESTION 304
What is the PRIMARY reason for hardening new devices before introducing them into a corporate network?

  • A. To comply with organizational rules
  • B. To ease maintenance of devices
  • C. To avoid software licensing conflicts
  • D. To reduce exposure to attacks

Answer: D

Explanation:
Section: Information System Operations, Maintenance and Support

 

NEW QUESTION 305
During an integrated audit at a retail bank, an IS auditor is evaluating whether monthly service fees are appropriately charged for business accounts and waived for individual consumer accounts. Which of the following test approaches would utilize data analytics to facilitate the testing?

  • A. Attempt to charge a monthly service fee to an individual consumer account.
  • B. Evaluate whether user acceptance testing plans were designed and executed appropriately.
  • C. Compare the system configuration settings with the business requirements document.
  • D. Review customer accounts over the last year to determine whether appropriate charges were applied.

Answer: D

Explanation:
Section: The Process of Auditing Information Systems

 

NEW QUESTION 306
Which of the following findings should be of GREATEST concern to an IS auditor reviewing the effectiveness of an organization's problem management practices?

  • A. Problem records are prioritized based on the impact of incidents.
  • B. Some incidents are closed without problem resolution.
  • C. Problems are frequently escalated to management for resolution.
  • D. Root causes are not adequately identified.

Answer: D

 

NEW QUESTION 307
The FIRST step in establishing a firewall security policy is to determine the:

  • A. business requirements.
  • B. existing firewall configuration.
  • C. expected data throughput.
  • D. necessary logical access rights.

Answer: A

 

NEW QUESTION 308
An IS auditor has been asked to audit a complex system with computerized and manual elements. Which of the following should be identified FIRST?

  • A. Manual controls
  • B. Programmed controls
  • C. Input validation
  • D. System risks

Answer: C

Explanation:
Section: Protection of Information Assets

 

NEW QUESTION 309
Library control software restricts source code to:

  • A. Write-only access
  • B. Read-only access
  • C. Read-write access
  • D. Full access

Answer: B

Explanation:
Section: Protection of Information Assets
Explanation: Library control software restricts source code to read-only access.

 

NEW QUESTION 310
An IS auditor finds that an employee lost a mobile device containing sensitive company data. Which of the following would have BEST prevented data leakage?

  • A. Data on the device was encrypted.
  • B. The employee promptly reported the lost device.
  • C. The employee acknowledged the acceptable use policy.
  • D. Data on the device was backed up.

Answer: A

 

NEW QUESTION 311
An information security policy stating that 'the display of passwords must be masked or suppressed' addresses which of the following attack methods?

  • A. Piggybacking
  • B. Shoulder surfing
  • C. Impersonation
  • D. Dumpster diving

Answer: B

Explanation:
If a password is displayed on a monitor, any person nearby could look over the shoulder of the user to obtain the password. Piggybacking refers to unauthorized persons following, either physically or virtually, authorized persons into restricted areas. Masking the display of passwords would not prevent someone from tailgating an authorized person. This policy only refers to 'the display of passwords.' If the policy referred to 'the display and printing of passwords' then it would address shoulder surfing and dumpster diving (looking through an organization's trash for valuable information). Impersonation refers to someone acting as an employee in an attempt to retrieve desired information.

 

NEW QUESTION 312
The maturity level of an organization's problem management support function is optimized when the function:

  • A. analyzes critical incidents to identify root cause.
  • B. proactively provides solutions.
  • C. has formally documented the escalation process.
  • D. resolves requests in a timely manner.

Answer: B

 

NEW QUESTION 313
What should IS auditors always check when auditing password files?

  • A. That password files are archived
  • B. That password files are not accessible over the network
  • C. That password files are encrypted
  • D. That deleting password files is protected

Answer: C

Explanation:
IS auditors should always check to ensure that password files are encrypted.

 

NEW QUESTION 314
In the course of performing a risk analysis, an IS auditor has identified threats and potential impacts. Next, the IS auditor should:

  • A. identify and assess the risk assessment process used by management.
  • B. identify information assets and the underlying systems.
  • C. identify and evaluate the existing controls.
  • D. disclose the threats and impacts to management.

Answer: C

Explanation:
It is important for an IS auditor to identify and evaluate the existing controls and security once the potential threats and possible impacts are identified. Upon completion of an audit an IS auditor should describe and discuss with management the threats and potential impacts on the assets.

 

NEW QUESTION 315
When responding to an ongoing denial of service (DoS) attack, an organization's FIRST course of action should be to

  • A. restore service
  • B. minimize impact
  • C. investigate damage
  • D. analyze the attack path

Answer: D

 

NEW QUESTION 316
How is risk affected if users have direct access to a database at the system level?

  • A. Risk of unauthorized access decreases, but risk of untraceable changes to the database increases.
  • B. Risk of unauthorized and untraceable changes to the database decreases.
  • C. Risk of unauthorized and untraceable changes to the database increases.
  • D. Risk of unauthorized access increases, but risk of untraceable changes to the database decreases.

Answer: C

Explanation:
Section: Protection of Information Assets
If users have direct access to a database at the system level, the risk of unauthorized and untraceable changes to the database increases.

 

NEW QUESTION 317
Which of the following requirements in a document control standard would provide nonrepudiation to digitally signed legal documents?

  • A. All documents requiring digital signatures must be signed by both the customer and a witness.
  • B. All digital signatures must include a hashing algorithm.
  • C. All digitally signed documents must be stored in an encrypted database.
  • D. Only secure file transfer protocol (SFTP) may be used for digitally signed documentation.

Answer: B

 

NEW QUESTION 318
Which of the following would have the GREATEST impact on defining the classification levels for electronic documents?

  • A. Value of information
  • B. End user preferences
  • C. Document archival requirements
  • D. Volume of information

Answer: A

 

NEW QUESTION 319
When performing a database review, an IS auditor notices that some tables in the database are not normalized. The IS auditor should next:

  • A. review the justification.
  • B. review the conceptual data model.
  • C. review the stored procedures.
  • D. recommend that the database be normalized.

Answer: A

Explanation:
If the database is not normalized, the IS auditor should review the justification since, in some situations, denormalization is recommended for performance reasons. The IS auditor should not recommend normalizing the database until further investigation takes place. Reviewing the conceptual data model or the stored procedures will not provide information about normalization.

 

NEW QUESTION 320
Which of the following attacks could be avoided by creating more security awareness in the organization and providing adequate security knowledge to all employees?

  • A. Interrupt attack
  • B. Phishing
  • C. Smurf attack
  • D. Traffic analysis

Answer: B

Explanation:
Phishing techniques include social engineering, link manipulation, spear phishing, whaling, vishing, or web site forgery techniques.
For your exam you should know the information below:
Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, banks, online payment processors or IT administrators are commonly used to lure unsuspecting public. Phishing emails may contain links to websites that are infected with malware. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of social engineering techniques used to deceive users, and exploits the poor usability of current web security technologies. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures.
Spear phishing
Phishing attempts directed at specific individuals or companies have been termed spear phishing.
Attackers may gather personal information about their target to increase their probability of success.
Link manipulation
Most methods of phishing use some form of technical deception designed to make a link in an email (and the spoofed website it leads to) appear to belong to the spoofed organization. Misspelled URLs or the use of subdomains are common tricks used by phishers. In the following example URL, http://www.yourbank.example.com/, it appears as though the URL will take you to the example section of the yourbank website; actually this URL points to the "yourbank" (i.e. phishing) section of the example website. Another common trick is to make the displayed text for a link (the text between the anchor tags) suggest a reliable destination, when the link actually goes to the phishers' site. The following example link, //en.wikipedia.org/wiki/Genuine, appears to direct the user to an article entitled "Genuine"; clicking on it will in fact take the user to the article entitled "Deception". In the lower left hand corner of most browsers users can preview and verify where the link is going to take them. Hovering the cursor over the link for a couple of seconds may do a similar thing, but this can still be set by the phishers through the HTML tooltip tag.
Website forgery
Once a victim visits the phishing website, the deception is not over. Some phishing scams use JavaScript commands in order to alter the address bar. This is done either by placing a picture of a legitimate URL over the address bar, or by closing the original bar and opening up a new one with the legitimate URL.
An attacker can even use flaws in a trusted website's own scripts against the victim. These types of attacks (known as cross-site scripting) are particularly problematic, because they direct the user to sign in at their bank or service's own web page, where everything from the web address to the security certificates appears correct. In reality, the link to the website is crafted to carry out the attack, making it very difficult to spot without specialist knowledge.
The following answers are incorrect:
Smurf attack - Occurs when misconfigured network devices allow packets to be sent to all hosts on a particular network via the broadcast address of the network.
Traffic analysis - is the process of intercepting and examining messages in order to deduce information from patterns in communication. It can be performed even when the messages are encrypted and cannot be decrypted. In general, the greater the number of messages observed, or even intercepted and stored, the more can be inferred from the traffic. Traffic analysis can be performed in the context of military intelligence, counter-intelligence, or pattern-of-life analysis, and is a concern in computer security.
Interrupt attack- Interrupt attack occurs when a malicious action is performed by invoking the operating system to execute a particular system call.
The following references were used to create this question:
CISA Review Manual 2014, page 323
Official ISC2 Guide to the CISSP CBK, 3rd Edition, page 493
http://en.wikipedia.org/wiki/Phishing

 

NEW QUESTION 321
To affix a digital signature to a message, the sender must first create a message digest by applying a cryptographic hashing algorithm against:

  • A. the entire message and thereafter enciphering the message using the sender's private key.
  • B. the entire message and thereafter enciphering the message along with the message digest using the sender's private key.
  • C. the entire message and thereafter enciphering the message digest using the sender's private key.
  • D. any arbitrary part of the message and thereafter enciphering the message digest using the sender's private key.

Answer: C

Explanation:
A digital signature is a cryptographic method that ensures data integrity, authentication of the message, and non-repudiation. To ensure these, the sender first creates a message digest by applying a cryptographic hashing algorithm against the entire message and thereafter enciphers the message digest using the sender's private key. A message digest is created by applying a cryptographic hashing algorithm against the entire message not on any arbitrary part of the message. After creating the message digest, only the message digest is enciphered using the sender's private key, not the message.

 

NEW QUESTION 322
After discovering a security vulnerability in a third-party application that interfaces with several external systems, a patch is applied to a significant number of modules. Which of the following tests should an IS auditor recommend?

  • A. Interface
  • B. Black box
  • C. System
  • D. Stress

Answer: C

Explanation:
Section: Protection of Information Assets
Given the extensiveness of the patch and its interfaces to external systems, system testing is most appropriate. Interface testing is not enough, and stress or black box testing are inadequate in these circumstances.

 

NEW QUESTION 323
Which of the following would be MOST useful to an IS auditor confirming that an IS department meets its service level agreements (SLAs)?

  • A. System utilization reports
  • B. IS strategic plan
  • C. Capacity planning tools
  • D. System downtime reports

Answer: D

 

NEW QUESTION 324
Which of the following would BEST help ensure information security is effective following the outsourcing of network operations?

  • A. Test security controls periodically.
  • B. Review security key performance indicators (KPIs).
  • C. Establish security service level agreements (SLAs).
  • D. Appoint a security service delivery monitoring manager.

Answer: C

Explanation:
Section: Protection of Information Assets

 

NEW QUESTION 325
......
