
CISA Exam Dumps - PDF Questions and Testing Engine
CISA Dumps - The Sure Way To Pass Exam
NEW QUESTION # 99
What privilege on a server containing data with different security classifications?
- A. Obtaining formal agreement by users to comply with the data classification policy
- B. Limiting access to the data files based on frequency of use
- C. Applying access controls determined by the data owner
- D. Using scripted access control lists to prevent unauthorized access to the server
Answer: C
NEW QUESTION # 100
Which of the following is the BEST method to delete sensitive information from storage media that will be reused?
- A. Crypto-shredding
- B. Multiple-overwriting
- C. Re-partitioning
- D. Reformatting
Answer: A
NEW QUESTION # 101
An organization allows its employees to use personal mobile devices for work. Which of the following would BEST maintain information security without compromising employee privacy?
- A. Installing security software on the devices
- B. Restricting the use of devices for personal purposes during working hours
- C. Partitioning the work environment from personal space on devices
- D. Preventing users from adding applications
Answer: C
NEW QUESTION # 102
Which of the following is the GREATEST risk associated with in-house program development and customization?
- A. The lack of a test environment
- B. The lack of secure coding expertise
- C. The lack of documentation for programs developed
- D. The lack of a quality assurance function
Answer: B
NEW QUESTION # 103
Which of the following is MOST likely to be detected by an IS auditor applying data analytic techniques?
- A. Issues resulting from an unsecured application automatically uploading transactions to the general ledger
- B. Completion of inappropriate cross-border transmission of personally identifiable information (PII)
- C. Potentially fraudulent invoice payments originating within the accounts payable department
- D. Unauthorized salary or benefit changes to the payroll system generated by authorized users
Answer: C
NEW QUESTION # 104
Due to advancements in technology and electronic records, an IS auditor has completed an engagement by email only. Which of the following did the IS auditor potentially compromise?
- A. Due professional care
- B. Proficiency
- C. Reporting
- D. Sufficient evidence
Answer: A
Explanation:
Due professional care is the obligation of an IS auditor to exercise the appropriate level of skill, competence, and diligence in performing an audit. It also requires the IS auditor to comply with the relevant standards, guidelines, and ethical principles of the profession. Completing an engagement by email only may compromise due professional care, as it may limit the IS auditor's ability to obtain sufficient and appropriate evidence, to communicate effectively with the auditee and other stakeholders, and to perform adequate quality assurance and review procedures. The other options are not as relevant as due professional care, as they relate to specific aspects of an audit, such as proficiency (the knowledge and skills of the IS auditor), sufficient evidence (the quantity and quality of the audit evidence), and reporting (the presentation and communication of the audit results). References: CISA Review Manual (Digital Version), Domain 1: The Process of Auditing Information Systems, Section 1.2 ISACA IT Audit and Assurance Standards
NEW QUESTION # 105
Which of the following is a MAJOR benefit of using a wireless network?
- A. Faster network speed
- B. Stronger authentication
- C. Lower installation cost
- D. Protection against eavesdropping
Answer: B
Explanation:
Section: Protection of Information Assets
NEW QUESTION # 106
The performance, risks, and capabilities of an IT infrastructure are BEST measured using a:
- A. risk management review.
- B. balanced scorecard.
- C. control self-assessment (CSA).
- D. service level agreement (SLA).
Answer: B
NEW QUESTION # 107
Due to limited storage capacity, an organization has decided to reduce the actual retention period for media containing completed low-value transactions. Which of the following is MOST important for the organization to ensure?
- A. The policy includes a strong risk-based approach.
- B. The retention period allows for review during the year-end audit.
- C. The retention period complies with data owner responsibilities.
- D. The total transaction amount has no impact on financial reporting.
Answer: C
Explanation:
Section: Information System Operations, Maintenance and Support
NEW QUESTION # 108
The MAJOR reason for segregating test programs from production programs is to:
- A. achieve segregation of duties between IS staff and end users.
- B. provide control over program changes.
- C. provide the basis for efficient system change management.
- D. limit access rights of IS staff to the development environment.
Answer: C
Explanation:
Section: Information System Operations, Maintenance and Support
NEW QUESTION # 109
An organization is disposing of a system containing sensitive data and has deleted all files from the hard disk. An IS auditor should be concerned because:
- A. deleting the files logically does not overwrite the files' physical data.
- B. deleted data cannot easily be retrieved.
- C. deleting all files separately is not as efficient as formatting the hard disk.
- D. backup copies of files were not deleted as well.
Answer: A
NEW QUESTION # 110
Which of the following is an analytical review procedure for a payroll system?
- A. Evaluating the performance of the payroll system using benchmarking software
- B. Testing hours reported on time sheets
- C. Performing reasonableness tests by multiplying the number of employees by the average wage rate
- D. Performing penetration attempts on the payroll system
Answer: B
NEW QUESTION # 111
Which of the following should be considered FIRST when implementing a risk management program?
- A. A determination of risk management priorities based on potential consequences
- B. An understanding of the organization's threat, vulnerability and risk profile
- C. An understanding of the risk exposures and the potential consequences of compromise
- D. A risk mitigation strategy sufficient to keep risk consequences at an acceptable level
Answer: B
Explanation:
Implementing risk management, as one of the outcomes of effective information security governance, would require a collective understanding of the organization's threat, vulnerability and risk profile as a first step. Based on this, an understanding of risk exposure and potential consequences of compromise could be determined. Risk management priorities based on potential consequences could then be developed. This would provide a basis for the formulation of strategies for risk mitigation sufficient to keep the consequences from risk at an acceptable level.
NEW QUESTION # 112
Which of the following would be of GREATEST concern to an IS auditor reviewing an organization's security incident handling procedures?
- A. Guidelines for prioritizing incidents have not been identified.
- B. Workstation antivirus software alerts are not regularly reviewed.
- C. Roles for computer emergency response team (CERT) members have not been formally documented.
- D. Annual tabletop exercises are performed instead of functional incident response exercises.
Answer: A
NEW QUESTION # 113
In an online application, which of the following would provide the MOST information about the transaction audit trail?
- A. System/process flowchart
- B. Data architecture
- C. File layouts
- D. Source code documentation
Answer: B
Explanation:
In an online application, data architecture provides the most information about the transaction audit trail, as it describes how data are created, stored, processed, accessed and exchanged among different components of the application. Data architecture includes data models, schemas, dictionaries, metadata, standards and policies that define the structure, quality, integrity, security and governance of data. Data architecture can help the IS auditor to trace the origin, flow, transformation and destination of data in an online transaction, and to identify the key data elements, attributes and relationships that are relevant for audit purposes. A system/process flowchart is a graphical representation of the sequence of steps or activities that are performed by a system or process. A system/process flowchart can provide some information about the transaction audit trail, but it is not as detailed or comprehensive as data architecture. A system/process flowchart shows the inputs, outputs, decisions and actions of a system or process, but it does not show the data elements, attributes and relationships that are involved in each step or activity. A file layout is a specification of the format and structure of a data file. A file layout can provide some information about the transaction audit trail, but it is not as detailed or comprehensive as data architecture. A file layout shows the fields, types, lengths and positions of data in a file, but it does not show the origin, flow, transformation and destination of data in an online transaction. Source code documentation is a description of the logic, functionality and purpose of a program or module written in a programming language. Source code documentation can provide some information about the transaction audit trail, but it is not as detailed or comprehensive as data architecture. 
Source code documentation shows the instructions, variables and parameters that are used to perform calculations and operations on data, but it does not show the data elements, attributes and relationships that are involved in each instruction or operation. References: CISA Review Manual (Digital Version) 1, Chapter 4: Information Systems Operations and Business Resilience, Section 4.2: Data Administration Practices.
NEW QUESTION # 114
Which of the following statements correctly describes the difference between symmetric key encryption and asymmetric key encryption?
- A. In symmetric key encryption the same key is used for encryption and decryption, whereas asymmetric key encryption uses the private key for encryption and decryption.
- B. In symmetric key encryption the same key is used for encryption and decryption, whereas in asymmetric key encryption the public key is used for encryption and the private key is used for decryption.
- C. In symmetric key encryption the public key is used for encryption and the symmetric key for decryption, whereas in asymmetric key encryption the public key is used for encryption and the private key is used for decryption.
- D. Both use the private key for encryption, and the decryption process can be done using the public key.
Answer: B
Explanation:
Explanation/Reference:
There are two basic techniques for encrypting information: symmetric encryption (also called secret key encryption) and asymmetric encryption (also called public key encryption).
Symmetric Encryption
Symmetric encryption is the oldest and best-known technique. A secret key, which can be a number, a word, or just a string of random letters, is applied to the text of a message to change the content in a particular way. This might be as simple as shifting each letter by a number of places in the alphabet. As long as both sender and recipient know the secret key, they can encrypt and decrypt all messages that use this key.
A few examples of symmetric key algorithms are DES, AES, and Blowfish.
Asymmetric Encryption
The problem with secret keys is exchanging them over the Internet or a large network while preventing them from falling into the wrong hands. Anyone who knows the secret key can decrypt the message. One answer is asymmetric encryption, in which there are two related keys, usually called a key pair. The public key is made freely available to anyone who might want to send you a message. The second key, called the private key, is kept secret, so that only you know it.
Any message (text, binary files, or documents) that is encrypted using the public key can only be decrypted by the matching private key. Any message that is encrypted using the private key can only be decrypted using the matching public key.
This means that you do not have to worry about passing public keys over the Internet (the keys are supposed to be public). A problem with asymmetric encryption, however, is that it is slower than symmetric encryption. It requires far more processing power to both encrypt and decrypt the content of the message.
A few examples of asymmetric key algorithms are RSA, Elliptic Curve Cryptography (ECC), ElGamal, and Diffie-Hellman.
The following were incorrect answers:
The other options don't describe correctly the difference between symmetric key and asymmetric key encryption.
The following reference(s) were/was used to create this question:
CISA review manual 2014 Page number 348 and 349
http://support.microsoft.com/kb/246071
http://www.engineersgarage.com/articles/what-is-cryptography-encryption?page=3
NEW QUESTION # 115
The technique used to ensure security in virtual private networks (VPNs) is:
- A. encapsulation.
- B. wrapping.
- C. encryption.
- D. transform.
Answer: A
Explanation:
Encapsulation, or tunneling, is a technique used to carry the traffic of one protocol over a network that does not support that protocol directly. The original packet is wrapped in another packet. The other choices are not security techniques specific to VPNs.
NEW QUESTION # 116
Which of the following BEST describes the concept of "defense in depth"?
- A. multiple firewalls are implemented.
- B. more than one subsystem needs to be compromised to compromise the security of the system and the information it holds.
- C. None of the choices.
- D. intrusion detection and firewall filtering are required.
- E. multiple firewalls and multiple network OS are implemented.
Answer: B
Explanation:
With "defense in depth", more than one subsystem needs to be compromised to compromise the security of the system and the information it holds. Subsystems should default to secure settings, and wherever possible should be designed to "fail secure" rather than "fail insecure".
NEW QUESTION # 117