Test your basic knowledge |

CISA: Certified Information Systems Auditor

Subjects : certifications, cisa, it-skills

Instructions:

Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.

1. A critical application is backed up once per day. The recovery point objective (RPO) for an application that is backed up once per day cannot be ________.
less than 24 hours
Inform the auditee
Information security policy
(1.) Man-made (2.) Natural

2. (1.) Operational (2.) Financial (3.) Integrated (4.) IS (5.) Administrative (6.) Compliance (7.) Forensic (8.) Service Provider
Attribute Sampling
Audit logging
List of systems examined
The Eight Types of Audits

3. Support the functioning of the application controls
General Controls
Dimensions of the COSO cube
Power system controls
Transport Layer Protocols

4. Define 10 elements of an Audit - (1.) Subject of audit (2.) Audit Objective (3.) Type of audit (4.) Audit scope (5.) Pre-audit planning (6.) Audit procedures (7.) Communication plan (8.) Report Preparation (9.) Wrap-up (10.) Post-audit follow-up
TCP/IP Transport Layer packet delivery
OSI: Physical Layer
Audit Methodologies
Wet pipe fire sprinkler system

5. (1.) IP (2.) ICMP (3.) RRC (Radio Resource Control) (4.) AppleTalk
Risk Management
Network Layer Protocols
Reduced sign-on
Advantages of outsourcing

6. n audit strategy and plans that include: (1.) Scope (2.) Objectives (3.) Resources (4.) Procedures used to evaluation controls and processes
Sample Standard Deviation
OSI: Transport Layer
Server cluster
The audit program

7. 1.) Executive Support (2.) Well-defined roles and responsibilities.
Criticality analysis
Information security policy
Control Risk
Examples of IT General Controls

8. Outsourcing is an opportunity for the organization to focus on core competencies. When an organization oursources a business function - it no longer needs to be concerned about training employees in that function. Outsources does not always reduce co
A Virtual Server
Elements of the COSO pyramid
Advantages of outsourcing
Information security policy

9. Any event which is not part of the standard operation of service and which causes or may cause an interruption to or reduction in quality of that service. Includes THREE incident types: (1.) Service Outage (2.) Service Slowdown (3.) Software Bug
List of systems examined
Incident Management
Compliance Testing
Entire password for an encryption key

10. Deliver messages from one station to another on the same network or on different networks. Messaging at this layer is not guaranteed.
Personnel involved in the requirements phase of a software development project
ISO 20000 Standard:
Resource details
TCP/IP Internet Layer

11. Individual events may often create combined threats to enterprise operations: A tornado might also spawn ____________________.
Primary security features of relational databases
Sampling Risk
Formal waterfall
Structural fires and transportation accidents

12. A software developer has informed the project manager that a portion of the application development is going to take five additional days to complete. The project manager make a __________________ to document the reason for the change.
The availability of IT systems
Project change request
Options for Risk Treatment
Background checks performed

13. Focuses on: maintaining service availability with the least disruption to standard operating parameters during an event
Input validation checking
Business Continuity
Network Layer Protocols
TCP/IP Transport Layer

14. (1.) Reliable delivery (2.) Connection oriented (persistent connection) (3.) Order of Delivery (4.) Flow Control (transfer rate is throttled) (5.) Port Number
OSI: Physical Layer
TCP/IP Transport Layer packet delivery
The Release process
An IS audit

15. Change Management includes a _____________ of six steps: (1.) Proposal or Request (2.) Review (3.) Approval (4.) Implementation (5.) Verification (6.) Post-change Review
Formal waterfall
A Virtual Server
OSI Layer 6: Presentation
(1.) Man-made (2.) Natural

16. The 5 types of risks that are related to audits include: (1.) Control Risk (2.) Detection Risk (3.) Inherent risk (4.) _____________ (5.) Sampling risk
Substantive Testing (test of transaction integrity)
Structural fires and transportation accidents
Overall audit risk
Buffers

17. (1.) TCP (2.) UDP
Transport Layer Protocols
Elements of the COSO pyramid
Elements of the COBIT Framework
Dimensions of the COSO cube

18. A maturity model that represents the aggregations of other maturity models.
Volumes of COSO framework
A Financial Audit
Capability Maturity Model Integration (CMMI)
Service Level Management

19. Handle application processing
Detection Risk
Notify the Audit Committee
Lacks specific expertise or resources to conduct an internal audit
Application Controls

20. When several incidents have occurred that appear to have the same or a similar root cause - a PROBLEM is occurring.
Volumes of COSO framework
The Eight Types of Audits
Prblem Management
OSI Layer 5: Session

21. (1.) Automatic (2.) Manual
Geographic location
The two Categories of Controls
A Cold Site
Types of sampling an auditor can perform.

22. (1.) Executive Summary (2.) Governance and control framework (3.) Control Objectives (4.) Management Guidelines (5.) Implementation Guide (6.) IT Assurance Guide
Application Layer protocols
Power system controls
Elements of the COBIT Framework
Types of sampling an auditor can perform.

23. The probability that a sample selected actually represents the entire population. This is usually expressed as a percentage.
Application Layer protocols
To identify the tasks that are responsible for project delays
Confidence coefficient
OSI: Network Layer

24. Concerned with electrical and physical specifications for devices. No frames or packets involved.
OSI: Physical Layer
OSI Layer 6: Presentation
ISO 20000 Standard:
Annualized Loss Expectance (ALE)

25. (1.) Access controls (2.) Encryption (3.) Audit logging
Six steps of the Release Management process
Buffers
Primary security features of relational databases
SDLC Phases

26. (1.) Feasibility Study (2.) Definition of Requirements (3.) Design (4.) Development (5.) Testing (6.) Implementation (7.) Post-implementation phase
A Sample Mean
Structural fires and transportation accidents
IT standards are not being reviewed often enough
SDLC Phases

27. Must be tested to validate effectiveness through: (1.) Document Review (2.) Walkthrough (3.) Simulation (4.) Parallel testing (5.) Cutover testing practices
A Financial Audit
IT Services Financial Management
Stratified Sampling
BCP Plans

28. Consists of 11 distinct activities: (1.) Service Desk (2.) Incident Management (3.) Problem Management (4.) Change Management (5.) Configuration Management (6.) Release Management (7.) Service-level Management (8.) Financial Management (9.) Capacity
IT Service Management
Criticality analysis
SDLC Phases
A Problem

29. The inventory of all in-scope business processes and systems
Confidence coefficient
Vulnerability in the organization's PBX
The first step in a business impact analysis
Sampling

30. Used to illustrate the relationship between planned activities. PERT diagrams show multiple routes through the project activities - as necessary for accomplishing a goal.
Business impact analysis
OSI Layer 6: Presentation
PERT Diagram?
List of systems examined

31. An audit report usually includes the following 10 elements: (1.) Cover letter (2.) Introduction (3.) Summary (4.) Audit description (5.) _______________ (6.) Interviewees (7.) Evidence (8.) Explanation of sampling techniques (9.) Findings (10.) Recom
List of systems examined
OSI: Data Link Layer
Geographic location
Split custody

32. An external IS auditor has discovered a _______________________ - The external auditor can only document the finding in the audit report. An external auditor is not in a position to implement controls.
A Cold Site
Segregation of duties issue in a high value process
Resource details
A Server Cluster

33. A programmer is updating an application that saves passwords in plaintext. In this case - Passwords should be stored in a _____. This makes it impossible for any person to retrieve a password - which could lead to account compromise.
Formal waterfall
Control Unit
Hash
OSI Layer 7: Application

34. What three elements allow validation of business practices against acceptable measures of regulatory compliance - performance - and standard operational guidelines.
(1.) Polices (2.) Procedures (3.) Standards
OSI: Data Link Layer
The Release process
A Financial Audit

35. A facility that is used to store and manage access to an organization's application source and object code. It consists of 5 parts: (1.) Access and authorization controls (2.) Program checkout (3.) Program Check-in (4.) Version Control (5.) Code Ana
Documentation and interview personnel
Concentrate on samples known to represent high risk
The Software Program Library
Entire password for an encryption key

36. A database term - which means that the database will not permit a program (or user) to deleted rows from a table if there are records in other tables whose foreign keys reference the row to be deleted.
To identify the tasks that are responsible for project delays
Referential Integrity
Prblem Management
Blade Computer Architecture

37. A computer uses RAM for several purposes: (1.) Operating System - to store info regarding running processes (2.) ____________ - that are used to temporarily store information retrieved from hard disks (3.) Storage of program code (4.) Storage of prog
TCP/IP Link Layer
Substantive Testing (test of transaction integrity)
Audit logging
Buffers

38. An organization is building a data center in an area frequented by power outages. The organization cannot tolerate power outages. The best _________________solution is an electric generator and an uninterruptible power supply. The UPS responds to the
Power system controls
Transport Layer Protocols
IT Service Management
TCP/IP Link Layer

39. The primary source for test plans in a software development project is: ________________ that are developed for a project should be the primary source for detailed tests.
Security Awareness program
The Requirements
ITIL - IT Infrastructure Library
Capability Maturity Model

40. Application controls limit ___________ in three ways: (1.) Point of Entry (Input Controls) (2.) During consumption (process controls) (3.) At the point of expression (Output Controls)
Annualized Loss Expectance (ALE)
Personnel involved in the requirements phase of a software development project
Information systems access
Stratified Sampling

41. (1.) Observations (2.) Written Notes (3.) Correspondence (4.) Process and Procedure documentation (5.) Business records
BCP Plans
The 5 types of Evidence that the auditor will collect during an audit.
TCP/IP Transport Layer
TCP/IP Internet Layer

42. A dynamically scalable and usually virtualized computing environment that is provided as a service. Clout computing services may be rented or leased so that an organization can have a scalable application without the need for supporting hardware.
Change management
Service Continuity Management
Prblem Management
Cloud computing

43. An estimate that expresses the percent of errors or exceptions that may exist in an entire population
General Controls
Recovery time objective
Expected Error Rate
TCP/IP Transport Layer

44. (1.) Hardware Complement (physical specifications) (2.) Hardware Configuration (firmware settings) (3.) Operating system version and configuration (4.) Software versions and configuration
The Business Process Life Cycle
PERT Diagram?
The typical Configuration Items in Configuration Management
An Integrated Audit

45. (1.) Statistical (2.) Judgmental (3.) Attribute (4.) Variable (5.) Stop-or-Go (6.) Discovery (7.) Stratified
More difficult to perform
SDLC Phases
TCP/IP Link Layer
Types of sampling an auditor can perform.

46. A sampling technique used to study the characteristics of a population to determine the numeric total of a specific attribute from the entire population.
Department Charters
Variable Sampling
Advantages of outsourcing
Sampling

47. Aids in the coordinating of business processes using a sequence of three events -(1.) Business process creation (2.) Implementation (3.) Maintenance 3a. Benchmarking: Facilitates continuous improvement within the BPLC
The Business Process Life Cycle
The BCP process
Six steps of the Release Management process
Sampling Risk

48. 0. No process at all (1.) Process are ad hoc and disorganized (2.) Consistent processes (3.) Documented processes (4.) Measured and managed processes (5.) Processes are continuously improved
Antivirus software on the email servers
Primary security features of relational databases
Rating Scale for Process Maturity
(1.) Man-made (2.) Natural

49. One of a database table's fields - whose value is unique.
Balanced Scorecard
Employee termination process
Database primary key
Overall audit risk

50. Information is arranged in frames and transported across the medium. Collision detection. Checksum verification of delivery.
OSI: Data Link Layer
Resource details
SDLC Phases
Attribute Sampling