ISACA newly added official practice questions (95 questions).doc


2009 CISA PRACTICE QUESTIONS (NEW)

QUESTIONS:

1. A benefit of open system architecture is that it:
A. facilitates interoperability.
B. facilitates the integration of proprietary components.
C. will be a basis for volume discounts from equipment vendors.
D. allows for the achievement of more economies of scale for equipment.
ANSWER: A
NOTE: Open systems are those for which suppliers provide components whose interfaces are defined by public standards, thus facilitating interoperability between systems made by different vendors. In contrast, closed system components are built to proprietary standards so that other suppliers' systems cannot or will not interface with existing systems.

2. An IS auditor discovers that developers have operator access to the command line of a production environment operating system. Which of the following controls would BEST mitigate the risk of undetected and unauthorized program changes to the production environment?
A. Commands typed on the command line are logged
B. Hash keys are calculated periodically for programs and matched against hash keys calculated for the most recent authorized versions of the programs
C. Access to the operating system command line is granted through an access restriction tool with preapproved rights
D. Software development tools and compilers have been removed from the production environment
ANSWER: B
NOTE: The matching of hash keys over time would allow detection of changes to files. Choice A is incorrect because having a log is not a control; reviewing the log is a control. Choice C is incorrect because the access was already granted; it does not matter how. Choice D is wrong because files can be copied to and from the production environment.

3. In the context of effective information security governance, the primary objective of value delivery is to:
A. optimize security investments in support of business objectives.
B. implement a standard set of security practices.
C. institute a standards-based solution.
D. implement a continuous improvement culture.
ANSWER: A
NOTE: In the context of effective information security governance, value delivery is implemented to ensure optimization of security investments in support of business objectives. The tools and techniques for implementing value delivery include implementation of a standard set of security practices, institutionalization and commoditization of standards-based solutions, and implementation of a continuous improvement culture considering security as a process, not an event.

4. During a review of a business continuity plan, an IS auditor noticed that the point at which a situation is declared to be a crisis has not been defined. The MAJOR risk associated with this is that:
A. assessment of the situation may be delayed.
B. execution of the disaster recovery plan could be impacted.
C. notification of the teams might not occur.
D. potential crisis recognition might be ineffective.
ANSWER: B
NOTE: Execution of the business continuity plan would be impacted if the organization does not know when to declare a crisis. Choices A, C and D are steps that must be performed to know whether to declare a crisis. Problem and severity assessment would provide information necessary in declaring a disaster. Once a potential crisis is recognized, the teams responsible for crisis management need to be notified. Delaying this step until a disaster has been declared would negate the effect of having response teams. Potential crisis recognition is the first step in responding to a disaster.

5. When implementing an IT governance framework in an organization, the MOST important objective is:
A. IT alignment with the business.
B. accountability.
C. value realization with IT.
D. enhancing the return on IT investments.
ANSWER: A
NOTE: The goals of IT governance are to improve IT performance, to deliver optimum business value and to ensure regulatory compliance. The key practice in support of these goals is the strategic alignment of IT with the business (choice A). To achieve alignment, all other choices need to be tied to business practices and strategies.

6. When reviewing an implementation of a VoIP system over a corporate WAN, an IS auditor should expect to find:
A. an integrated services digital network (ISDN) data link.
B. traffic engineering.
C. wired equivalent privacy (WEP) encryption of data.
D. analog phone terminals.
ANSWER: B
NOTE: To ensure that quality of service requirements are achieved, the Voice-over IP (VoIP) service over the wide area network (WAN) should be protected from packet losses, latency or jitter. To reach this objective, the network performance can be managed using statistical techniques such as traffic engineering. The standard bandwidth of an integrated services digital network (ISDN) data link would not provide the quality of service required for corporate VoIP services. WEP is an encryption scheme related to wireless networking. The VoIP phones are usually connected to a corporate local area network (LAN) and are not analog.

7. An IS auditor selects a server for a penetration test that will be carried out by a technical specialist. Which of the following is MOST important?
A. The tools used to conduct the test
B. Certifications held by the IS auditor
C. Permission from the data owner of the server
D. An intrusion detection system (IDS) is enabled
ANSWER: C
NOTE: The data owner should be informed of the risks associated with a penetration test, what types of tests are to be conducted and other relevant details. All other choices are not as important as the data owner's responsibility for the security of the data assets.

8. Which of the following is a risk of cross-training?
A. Increases the dependence on one employee
B. Does not assist in succession planning
C. One employee may know all parts of a system
D. Does not help in achieving a continuity of operations
ANSWER: C
NOTE: When cross-training, it would be prudent to first assess the risk of any person knowing all parts of a system and what exposures this may cause. Cross-training has the advantage of decreasing dependence on one employee and, hence, can be part of succession planning. It also provides backup for personnel in the event of absence for any reason and thereby facilitates the continuity of operations.

9. The use of digital signatures:
A. requires the use of a one-time password generator.
B. provides encryption to a message.
C. validates the source of a message.
D. ensures message confidentiality.
ANSWER: C
NOTE: The use of a digital signature verifies the identity of the sender, but does not encrypt the whole message, and hence is not enough to ensure confidentiality. A one-time password generator is an option, but is not a requirement for using digital signatures.

10. A retail outlet has introduced radio frequency identification (RFID) tags to create unique serial numbers for all products. Which of the following is the PRIMARY concern associated with this initiative?
A. Issues of privacy
B. Wavelength can be absorbed by the human body
C. RFID tags may not be removable
D. RFID eliminates line-of-sight reading
ANSWER: A
NOTE: The purchaser of an item will not necessarily be aware of the presence of the tag. If a tagged item is paid for by credit card, it would be possible to tie the unique ID of that item to the identity of the purchaser. Privacy violations are a significant concern because RFID can carry unique identifier numbers. If desired, it would be possible for a firm to track individuals who purchase an item containing an RFID. Choices B and C are concerns of less importance. Choice D is not a concern.

11. A lower recovery time objective (RTO) results in:
A. higher disaster tolerance.
B. higher cost.
C. wider interruption windows.
D. more permissive data loss.
ANSWER: B
NOTE: A recovery time objective (RTO) is based on the acceptable downtime in case of a disruption of operations. The lower the RTO, the higher the cost of recovery strategies. The lower the disaster tolerance, the narrower the interruption windows, and the lesser the permissive data loss.

12. During the requirements definition phase of a software development project, the aspects of software testing that should be addressed are developing:
A. test data covering critical applications.
B. detailed test plans.
C. quality assurance test specifications.
D. user acceptance testing specifications.
ANSWER: D
NOTE: A key objective in any software development project is to ensure that the developed software will meet the business objectives and the requirements of the user. The users should be involved in the requirements definition phase of a development project, and the user acceptance test specification should be developed during this phase. The other choices are generally performed during the system testing phase.

13. The BEST filter rule for protecting a network from being used as an amplifier in a denial of service (DoS) attack is to deny all:
A. outgoing traffic with IP source addresses external to the network.
B. incoming traffic with discernible spoofed IP source addresses.
C. incoming traffic with IP options set.
D. incoming traffic to critical hosts.
ANSWER: A
NOTE: Outgoing traffic with an IP source address different from the IP range in the network is invalid. In most cases, it signals a DoS attack originated by an internal user or by a previously compromised internal machine; in both cases, applying this filter will stop the attack.

14. What is the BEST backup strategy for a large database with data supporting online sales?
A. Weekly full backup with daily incremental backup
B. Daily full backup
C. Clustered servers
D. Mirrored hard disks
ANSWER: A
NOTE: Weekly full backup and daily incremental backup is the best backup strategy; it ensures the ability to recover the database and yet reduces the daily backup time requirements. A full backup normally requires a couple of hours, and therefore it can be impractical to conduct a full backup every day. Clustered servers provide a redundant processing capability, but are not a backup. Mirrored hard disks will not help in case of disaster.

15. Which of the following is a feature of Wi-Fi Protected Access (WPA) in wireless networks?
A. Session keys are dynamic
B. Private symmetric keys are used
C. Keys are static and shared
D. Source addresses are not encrypted or authenticated
ANSWER: A
NOTE: WPA uses dynamic session keys, achieving stronger encryption than wireless encryption privacy (WEP), which operates with static keys (the same key is used for everyone in the wireless network). All other choices are weaknesses of WEP.

16. The ultimate purpose of IT governance is to:
A. encourage optimal use of IT.
B. reduce IT costs.
C. decentralize IT resources across the organization.
D. centralize control of IT.
ANSWER: A
NOTE: IT governance is intended to specify the combination of decision rights and accountability that is best for the enterprise. It is different for every enterprise. Reducing IT costs may not be the best IT governance outcome for an enterprise. Decentralizing IT resources across the organization is not always desired, although it may be desired in a decentralized environment. Centralizing control of IT is not always desired. An example of where it might be desired is an enterprise desiring a single point of customer contact.

17. The MAIN purpose of a transaction audit trail is to:
A. reduce the use of storage media.
B. determine accountability and responsibility for processed transactions.
C. help an IS auditor trace transactions.
D. provide useful information for capacity planning.
ANSWER: B
NOTE: Enabling audit trails aids in establishing the accountability and responsibility for processed transactions by tracing them through the information system. Enabling audit trails increases the use of disk space. A transaction log file would be used to trace transactions, but would not aid in determining accountability and responsibility. The objective of capacity planning is the efficient and effective use of IT resources and requires information such as CPU utilization, bandwidth, number of users, etc.

18. An IS auditor invited to a development project meeting notes that no project risks have been documented. When the IS auditor raises this issue, the project manager responds that it is too early to identify risks and that, if risks do start impacting the project, a risk manager will be hired. The appropriate response of the IS auditor would be to:
A. stress the importance of spending time at this point in the project to consider and document risks, and to develop contingency plans.
B. accept the project manager's position, as the project manager is accountable for the outcome of the project.
C. offer to work with the risk manager when one is appointed.
D. inform the project manager that the IS auditor will conduct a review of the risks at the completion of the requirements definition phase of the project.
ANSWER: A
NOTE: The majority of project risks can typically be identified before a project begins, allowing mitigation/avoidance plans to be put in place to deal with these risks. A project should have a clear link back to corporate strategy and tactical plans to support this strategy. The process of setting corporate strategy, setting objectives and developing tactical plans should include the consideration of risks. Appointing a risk manager is a good practice, but waiting until the project has been impacted by risks is misguided. Risk management needs to be forward looking; allowing risks to evolve into issues that adversely impact the project represents a failure of risk management. With or without a risk manager, persons within and outside of the project team need to be consulted and encouraged to comment when they believe new risks have emerged or risk priorities have changed. The IS auditor has an obligation to the project sponsor and the organization to advise on appropriate project management practices. Waiting for the possible appointment of a risk manager represents an unnecessary and dangerous delay to implementing risk management.

19. A data center has a badge-entry system. Which of the following is MOST important to protect the computing assets in the center?
A. Badge readers are installed in locations where tampering would be noticed
B. The computer that controls the badge system is backed up frequently
C. A process for promptly deactivating lost or stolen badges exists
D. All badge entry attempts are logged
ANSWER: C
NOTE: Tampering with a badge reader cannot open the door, so this is irrelevant. Logging the entry attempts may be of limited value. The biggest risk is from unauthorized individuals who can enter the data center, whether they are employees or not. Thus, a process of deactivating lost or stolen badges is importa
