CISA Domain 2 Questions
Executive management would use key IT governance practices, including the IT balanced scorecard, a
risk management process, and working with strategy committees.
Strategy Committee
IT Balanced Scorecard
The overall set of responsibilities and practices used by an organization's management to provide
strategic direction, including risk and organizational resources, is commonly referred to as:
Governance is defined as the system by which business corporations are directed and controlled. The
system includes strategic direction, risk management, and resource allocation.
IT Management
Risk Assessment
Organizational Scorecard
Risk Management
COBIT is a generally accepted framework for IT security and control practices. The COBIT framework
was initiated by ISACA, and knowledge of COBIT is not specifically tested on the CISA exam.
COBIT
ISO/IEC 27001
ITIL
Why is Audit important to successful IT Governance?
Audit is the organizational entity that monitors compliance with the organization's established controls.
Audit monitors compliance and can remediate items that fail the organization's standards.
Audit monitors compliance and can make recommendations towards successful IT Governance.
Which of the following describes the IT Governance focus area called performance management?
Performance measurement is one of the IT governance focus areas outlined in COBIT. The focus areas are
Performance Management, Resource Management, Value Delivery, Risk Management, and Strategic Alignment.
The IT balanced scorecard is used to assess IT functions and processes in light of IT governance, as well as to
report on performance, capabilities, and risks.
IT Dashboard
IT Balanced Scorecard
A high-level document that represents an organization's tone or philosophy towards governance is
known as what?
Policies communicate a clear and coherent environment or standard. Procedures and controls then flow
from the content of the policy.
Procedure
Vision Quest
Balanced Scorecard
Policy
Broad enterprise policies should be aligned with which of the following?
The organization's policies must always be in harmony with the business objectives. Customer
satisfaction and mission statements are important, but they do not create the environment of the
organization.
Business Objectives
When applying a balanced scorecard to IT, the three-layer structure includes Mission, Strategies, and
Measures.
Investments
Mission
Measures
Strategies
Information security governance includes physical security, the security of technology, and the privacy
of information. It must be driven by COOs, CEOs, CTOs, and other members of executive management.
Employee Leadership
Executive Management
Internal Auditors
Which of the following should not be enforced from the executive or board level down through the
organization?
If executive management does not establish and reinforce the need for information security
governance, the organization's security posture will be compromised.
Corporate Policies
Exceptions to policies
Development of strategic plans for IT usually takes what duration?
Developing strategic plans for IT involves aligning technology projects with the goals and objectives of
the organization as a whole. This generally takes 3-5 years.
1-2 years
1-3 years
3-5 years
3-7 years
Which of the following committees reviews and approves sourcing strategies such as insourcing or
outsourcing, offshoring of functions as well as resource allocation?
An organization's information security strategy is defined and maintained by a steering committee. Many
organizations will refer to this committee by different names, but ISACA has generally defined this
committee as a steering committee.
Steering Committee
Audit Committee
Governance Committee
What committee supports the development and implementation of the enterprise information
security management program?
The IT auditor will need to understand the responsibilities of the steering committee and identify the group
that performs those functions.
Governance Committee
Steering Committee
Which of the following are high-level documents that represent the corporate philosophy of an
organization?
Policies should flow from executive management and be written as clearly and concisely as possible.
Standards
Policies
Statements of Work
Confidentiality Clauses
When should an employee sign an acceptable use policy?
Acceptable use policies define appropriate and inappropriate use of computers and other information
systems, and protect both the employee and the employer.
High-level documents that define how users behave while on the Internet
Risk management involves identifying vulnerabilities and threats, and then deciding what
countermeasures to take to reduce the risk, if any.
Refuse
Avoid
Ignore
Reframe
Understanding the organization's risk appetite is the foundation for building a risk management program
tailored to the organization's business goals.
Presenting the Board of Directors with a "Get Out of Jail free Card"
The organization has identified a vulnerability at the entrances to its buildings. The threat is that non-
employees may steal equipment. The organization has chosen to mitigate the risk by installing badge
scanners at the entrances.
Avoidance
Acceptance
Deflection
Mitigation
A threat is defined as "any circumstances or events with the potential to cause harm to an
information resource".
Controls that received the lowest score on the external auditor report
Qualitative analysis uses words to describe the likelihood of an event, and can be quite subjective.
Financial numbers
Human resource management comprises the organization's policies and procedures concerning its
personnel. An auditor may be asked to review controls that help prevent internal fraud.
Separation of duties
Mandatory vacations
Job rotation
Which of the following documents would an auditor request to review the organization's vacation
policies?
Employee handbooks are generally distributed to employees when they are hired. Employee
handbooks usually contain policies such as security policies, acceptable use policies, and vacation policies.
Employee handbook
Noncompete agreement
Which of the following is not a sourcing practice for information system functions?
When an organization is evaluating how to deliver information systems, it may choose insourced,
outsourced, or a hybrid of both
Outsourced
Composite Sourced
Insourced
Hybrid
An organization decides to operate a help desk center overseas, yet provide second-level support
from its American headquarters. This is an example of:
This example highlights a hybrid sourcing agreement, with most help center staffing located overseas
while level-two support is provided from the USA headquarters.
Outsourcing
Insourcing
Hybrid Sourcing
Globalization Sourcing
An auditor has been hired to review the organization's decision to move its information systems to a
cloud-based solution. Which of the following would not be an advantage of this outsourcing agreement?
Outsourcing agreements can yield possible advantages as well as disadvantages. An auditor should be
aware of these distinctions.
With an outsourcing agreement, what serves as the gatekeeper or the instrument of control?
The contract is the way that organizations manage those information resources controlled and managed by
an outsourced vendor.
Contract
Nondisclosure agreement
Warranty
Regulatory Requirements
A cloud computing vendor that provides a cloud infrastructure with programming interfaces and
tools supported by that vendor is providing:
There are three main cloud computing models the auditor needs to be familiar with: Software as a
Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).
With an outsourcing agreement in place between an organization and a cloud service provider, what
remains the responsibility of the organization?
An organization may choose to outsource because of pressure on profit margins, cost reductions in IT
services, or for other strategic decisions. Even though the service is outsourced, the risk management
and accountability remain with the organization.
Service delivery
Community clouds can be shared by several organizations to achieve a decrease in IT service delivery
costs. This deployment model may not scale like a public cloud model.
A cloud-bursting model that allows for load balancing between clouds and communities
A cloud services vendor has an information security team, a compliance team, and a customer
service team. Who has the ultimate responsibility for information security?
The organization will want to establish relationships with members of the cloud vendor's teams, and
understand responsibilities for information security, but ultimately the risks and responsibilities reside
with the organization.
Compliance team
Quality management involves well-documented processes that are controlled, measured, and improved
upon. The most popular quality management standard is ISO 9001:2000.
When an organization defines job responsibilities with the goal of reducing potential damage from
the actions of any one person, this is known as:
Segregation of duties helps a business reduce or eliminate the risks of unauthorized access, modification of
data, and improper use of systems, to name a few business risks.
Conflict Resolution
CIA Triad
Segregation of Duties
Mandatory Vacations
In one small business, there is only a single IT person who has full administrative rights to the
information systems. The business owner wants to implement a compensating control to address this
risk. Which of the following would you recommend?
Contracting with a third party to establish audit trails on the systems allows the organization to have a
detective control in place and to hold the in-house IT staff member accountable. The goal of this
control is accountability, and logging plus third-party review services will help to achieve that goal.
Contract with a third party to perform a penetration test to determine if the systems are functioning
correctly
Which of the following roles, when combined with the role of Systems Analyst, may create a
potential segregation of duties control weakness?
The organizational role of Systems Analyst should not be combined with the role of Support Manager as
this combination of job responsibilities may create a potential control weakness. ISACA has provided a
very helpful Segregation of Duties Control Matrix that the CISA candidate should be very familiar with
prior to taking the CISA exam
Support Manager
Application Programmer
Data Entry
Network Administrator
Which of the following roles, when combined with the role of Network Administrator, may create a
potential segregation of duties control weakness?
The organizational role of Network Administrator should not be combined with the role of Database
Administrator as this combination of job responsibilities may create a potential control weakness. ISACA
has provided a very helpful Segregation of Duties Control Matrix that the CISA candidate should be very
familiar with prior to taking the CISA exam
Systems Administrator
Database Administrator
Security Administrator
Quality Assurance
Which of the following roles, when combined with the role of End User, may create a potential
segregation of duties control weakness?
The organizational role of End User should not be combined with the role of Network Administrator as
this combination of job responsibilities may create a potential control weakness. ISACA has provided a
very helpful Segregation of Duties Control Matrix that the CISA candidate should be very familiar with
prior to taking the CISA exam
Control Group
Data Entry
Network Administrator
Security Administrator
Which of the following roles, when combined with the role of Support Manager, may create a
potential segregation of duties control weakness?
The organizational role of Support Manager should not be combined with the role of Application
Programmer as this combination of job responsibilities may create a potential control weakness. ISACA
has provided a very helpful Segregation of Duties Control Matrix that the CISA candidate should be very
familiar with prior to taking the CISA exam
Computer Operator
Security Administrator
Quality Assurance
Application Programmer
Which of the following roles, when combined with the role of Database Administrator, may create a
potential segregation of duties control weakness?
The organizational role of Database Administrator should not be combined with the role of Computer
Operator as this combination of job responsibilities may create a potential control weakness. ISACA has
provided a very helpful Segregation of Duties Control Matrix that the CISA candidate should be very
familiar with prior to taking the CISA exam
Computer Operator
Systems Analyst
Security Administrator
Quality Assurance
Which of the following roles, when combined with the role of Security Administrator, may create a
potential segregation of duties control weakness?
The organizational role of Security Administrator should not be combined with the role of Systems
Programmer as this combination of job responsibilities may create a potential control weakness. ISACA
has provided a very helpful Segregation of Duties Control Matrix that the CISA candidate should be very
familiar with prior to taking the CISA exam
Support Manager
Systems Programmer
End User
Quality Assurance
Which of the following roles, when combined with the role of Systems Programmer, may create a
potential segregation of duties control weakness?
The organizational role of Systems Programmer should not be combined with the role of Quality
Assurance as this combination of job responsibilities may create a potential control weakness. ISACA has
provided a very helpful Segregation of Duties Control Matrix that the CISA candidate should be very
familiar with prior to taking the CISA exam
Systems Analyst
Network Administrator
Quality Assurance
Systems Programmer
Which of the following roles, when combined with the role of System Administrator, may create a
potential segregation of duties control weakness?
The organizational role of System Administrator should not be combined with the role of Control Group
as this combination of job responsibilities may create a potential control weakness. ISACA has provided
a very helpful Segregation of Duties Control Matrix that the CISA candidate should be very familiar with
prior to taking the CISA exam
Systems Analyst
End User
Network Administrator
Control Group
Which of the following help the IS auditor by providing a map to retrace the flow of a transaction?
Audit trails help the IS auditor by providing a map to retrace the flow of a transaction. The other review
functions listed are still valued review functions that the auditor should consider, however they serve
other purposes in an organization
Audit trail
Reconciliation
Exception Reporting
Supervisory Reviews
Which of the following types of independent verification increases the level of confidence that the
application processed successfully and the data are in proper balance?
Reconciliation is a type of independent verification that increases the level of confidence that the application
processed successfully and the data are in proper balance. The other review functions listed are still
valued review functions that the auditor should consider; however, they serve other purposes in an
organization.
Audit trail
Reconciliation
Exception Reporting
Supervisory Reviews
Which of the following should be handled at the supervisory level and require evidence noting that it
has been handled properly?
Exception reporting should be handled at the supervisory level and require evidence noting that it has
been handled properly. The other review functions listed are still valued review functions that the
auditor should consider, however they serve other purposes in an organization
Audit trail
Reconciliation
Exception Reporting
Supervisory Reviews
Which of the following are particularly important when duties in a small organization cannot be
appropriately segregated?
Independent reviews are particularly important when duties in a small organization cannot be
appropriately segregated. The other review functions listed are still valued review functions that the
auditor should consider, however they serve other purposes in an organization
Audit Trail
Independent Reviews
Exception Reporting
Supervisory Reviews
When reviewing which of the following the IS auditor should be able to determine who initiated the
transaction, time of day and date of entry, type of entry, and other similar fields?
When reviewing audit trails the IS auditor should be able to determine who initiated the transaction,
time of day and date of entry, type of entry, and other similar fields. The other review functions listed
are still valued review functions that the auditor should consider, however they serve other purposes in
an organization
Audit Trail
Independent Reviews
Exception Reporting
Supervisory Reviews