
CISA Exam Dumps Pass with Updated Jan-2023 Tests Dumps
CISA exam questions for practice in 2023 Updated 500 Questions
Topics of ISACA CISA Certification Exam
The CISA certification exam covers topics such as Regulation and Management, Information Security Governance and Risk Management, Technology Infrastructure Security, Access Control and Identity Management, Cryptography and Data Security, Information Assurance and Information Lifecycle Management, Information System Audit and Control, Incident Handling and Incident Response, Computer Forensics and Incident Response, Communications Security (CISSP certification exam only) and Computer Networking Defense (CNSSP certification exam only).
NEW QUESTION 134
An IS auditor finds that user acceptance testing of a new system is being repeatedly interrupted as defect fixes are implemented by developers. Which of the following would be the BEST recommendation for an IS auditor to make?
- A. Only retest high priority defects
- B. Consider feasibility of a separate user acceptance environment
- C. Schedule user testing to occur at a given time each day
- D. Implement a source code version control tool
Answer: B
Explanation:
A separate environment (or environments) is normally necessary for testing to be efficient and effective, and to ensure the integrity of production code it is important that the development and testing code bases be separate. When defects are identified, they can be fixed in the development environment without interrupting testing, before being migrated in a controlled manner to the test environment. A separate test environment can also be used as the final staging area from which code is migrated to production; this enforces a separation between development and production code. The logistics of setting up and refreshing customized test data are also easier if a separate environment is maintained.
If developers and testers share the same environment, they have to work at separate times of the day, which is unlikely to provide optimum productivity. Use of a source code control tool is good practice, but it does not mitigate the lack of an appropriate testing environment. Even low priority fixes run the risk of introducing unintended results when combined with the rest of the system code; to prevent this, regular regression testing covering all code changes should occur, and a separate test environment makes the logistics of regression testing easier to manage.
NEW QUESTION 135
How can minimizing single points of failure or vulnerabilities of a common disaster best be controlled?
- A. By implementing redundant systems and applications onsite
- B. By retaining onsite data backup in fireproof vaults
- C. By preparing BCP and DRP documents for commonly identified disasters
- D. By geographically dispersing resources
Answer: D
Explanation:
Single points of failure and vulnerabilities to a common disaster are best minimized by geographically dispersing resources, so that one event cannot affect every copy of a resource at once.
NEW QUESTION 136
An organization wants to reuse company-provided smartphones collected from staff leaving the organization.
Which of the following would be the BEST recommendation?
- A. Data should be securely deleted from the smartphones.
- B. Smartphones should not be reused, but physically destroyed.
- C. The SIM card and telephone number should be changed.
- D. The memory cards of the smartphones should be replaced.
Answer: A
NEW QUESTION 137
There are several types of penetration tests depending upon the scope, objective and nature of a test.
Which of the following describes a penetration test where you attack and attempt to circumvent the controls of the targeted network from the outside, usually the Internet?
- A. External Testing
- B. Blind Testing
- C. Internal Testing
- D. Targeted Testing
Answer: A
Explanation:
External testing refers to attack and control circumvention attempts on a target's network perimeter from outside the target's system, usually the Internet.
For the CISA exam you should know the penetration test types listed below:
External Testing - Refers to attack and control circumvention attempts on a target's network perimeter from outside the target's system, usually the Internet.
Internal Testing - Refers to attack and control circumvention attempts on a target from within the perimeter. The objective is to identify what would occur if the external perimeter were successfully compromised and/or an authorized user from within the network wanted to compromise the security of a specific resource on the network.
Blind Testing - Refers to testing in which the penetration tester is provided with limited or no knowledge of the target's information systems. Such testing is expensive, since the penetration tester has to research the target and profile it based on publicly available information.
Double Blind Testing - An extension of blind testing in which the administrator and security staff at the target are also not aware of the test. Such testing can effectively evaluate the incident handling and response capability of the target and how well managed the environment is.
Targeted Testing - Refers to attack and control circumvention attempts on the target while both the target's IT team and the penetration tester are aware of the testing activities. Penetration testers are provided with information about the target and network design. Additionally, they are provided with a limited-privilege user account to be used as a starting point to identify privilege escalation possibilities in the system.
The following were incorrect answers: Internal Testing, Blind Testing and Targeted Testing, as described above.
Reference used to create this question: CISA Review Manual 2014, page 369.
NEW QUESTION 138
During an internal audit review of an HR recruitment system implementation, the IS auditor notes that a number of defects were unresolved at the time the system went live. Which of the following is the auditor's MOST important task prior to formulating an audit opinion?
- A. Verify risk acceptance by the project steering committee.
- B. Confirm the timeline for migration of the defects.
- C. Review the user acceptance test results.
- D. Identify the root cause of the defects to confirm severity.
Answer: C
Explanation:
Section: Information System Acquisition, Development and Implementation
NEW QUESTION 139
Which of the following are valid examples of malware? (Choose all that apply.)
- A. All of the above
- B. viruses
- C. spyware
- D. worms
- E. trojan horses
Answer: A
Explanation:
Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. Software is classified as malware based on the intent of its creator rather than on any particular feature. It includes computer viruses, worms, trojan horses, spyware, adware, and other malicious and unwanted software.
NEW QUESTION 140
A hub is a device that connects:
- A. a LAN with a metropolitan area network (MAN).
- B. two segments of a single LAN.
- C. a LAN with a WAN.
- D. two LANs using different protocols.
Answer: B
Explanation:
A hub is a device that connects two segments of a single LAN. A hub is a repeater: it provides transparent connectivity to users on all segments of the same LAN. It is a Layer 1 (physical layer) device, so it does not interpret addresses or protocols.
NEW QUESTION 141
While executing follow-up activities, an IS auditor is concerned that management has implemented corrective actions that are different from those originally discussed and agreed with the audit function. In order to resolve the situation, the IS auditor's BEST course of action would be to:
- A. postpone follow-up activities and escalate the alternative controls to senior audit management.
- B. schedule a follow-up audit in the next audit cycle.
- C. determine whether the alternative controls sufficiently mitigate the risk.
- D. re-prioritize the original issue as high risk and escalate to senior management.
Answer: C
NEW QUESTION 142
During which of the following phases in system development would user acceptance test plans normally be prepared?
- A. Postimplementation review
- B. Requirements definition
- C. Feasibility study
- D. Implementation planning
Answer: B
Explanation:
During requirements definition, the project team works with the users to define their precise objectives and functional needs. At this time, the users should be working with the team to consider and document how the system functionality can be tested to ensure it meets their stated needs. The feasibility study is too early for such detailed user involvement, and the implementation planning and postimplementation review phases are too late. An IS auditor should know at what point user testing should be planned to ensure it is most effective and efficient.
NEW QUESTION 143
Which of the following is the BEST compensating control for a lack of proper segregation of duties in an IT department?
- A. Authorization forms
- B. System activity logging
- C. Audit trail reviews
- D. Control self-assessment (CSA)
Answer: C
NEW QUESTION 144
Which of the following roles combined with the role of a database administrator (DBA) will create a segregation of duties conflict?
- A. Systems analyst
- B. Quality assurance
- C. Application end user
- D. Security administrator
Answer: D
Explanation:
Section: Governance and Management of IT
NEW QUESTION 145
The PRIMARY benefit of implementing a security program as part of a security governance framework is the:
- A. implementation of the chief information security officer's (CISO) recommendations.
- B. reduction of the cost for IT security.
- C. alignment of the IT activities with IS audit recommendations.
- D. enforcement of the management of security risks.
Answer: D
Explanation:
The major benefit of implementing a security program is management's assessment of risk, its mitigation to an acceptable level, and the monitoring of the remaining residual risk. Recommendations, visions and objectives of the auditor and the chief information security officer (CISO) are usually included within a security program, but they are not the major benefit. The cost of IT security may or may not be reduced.
NEW QUESTION 146
What determines the strength of a secret key within a symmetric key cryptosystem?
- A. A combination of key length, initial input vectors, and the complexity of the data-encryption algorithm that uses the key
- B. A combination of key length and the complexity of the data-encryption algorithm that uses the key
- C. Initial input vectors and the complexity of the data-encryption algorithm that uses the key
- D. A combination of key length, degree of permutation, and the complexity of the data-encryption algorithm that uses the key
Answer: A
Explanation:
The strength of a secret key within a symmetric key cryptosystem is determined by a combination of key length, initial input vectors, and the complexity of the data-encryption algorithm that uses the key.
NEW QUESTION 147
Which of the following is MOST important to include in forensic data collection and preservation procedures?
- A. Preserving data integrity
- B. Maintaining chain of custody
- C. Assuring the physical security of devices
- D. Determining tools to be used
Answer: D
NEW QUESTION 148
The optimum business continuity strategy for an entity is determined by the:
- A. lowest downtime cost and highest recovery cost.
- B. lowest sum of downtime cost and recovery cost.
- C. lowest recovery cost and highest downtime cost.
- D. average of the combined downtime and recovery cost.
Answer: B
Section: Protection of Information Assets
Explanation:
Both costs have to be minimized, and the strategy for which the combined cost is lowest is the optimum strategy. The strategy with the highest recovery cost cannot be the optimum strategy, nor can the strategy with the highest downtime cost. The average of the combined downtime and recovery cost will always be higher than the lowest combined cost of downtime and recovery.
NEW QUESTION 149
When performing an audit of access rights, an IS auditor should be suspicious of which of the following if allocated to a computer operator?
- A. Delete access to transaction data files
- B. Logged read/execute access to programs
- C. Read access to data
- D. Update access to job control language/script files
Answer: A
Section: Protection of Information Assets
Explanation:
Deletion of transaction data files should be a function of the application support team, not operations staff. Read access to production data is a normal requirement of a computer operator, as is logged access to programs and access to JCL to control job execution.
NEW QUESTION 150
An IS auditor is executing a risk-based IS audit strategy to ensure that key areas are audited. Which of the following should be of GREATEST concern to the auditor?
- A. The risk assessment database does not include a complete audit universe
- B. The risk assessment methodology does not permit the collection of financial audit data
- C. The risk assessment methodology relies on subjective audit judgments at certain points of the process
- D. The risk assessment approach has not been approved by the risk manager
Answer: C
NEW QUESTION 151
A TCP/IP-based environment is exposed to the Internet. Which of the following BEST ensures that complete encryption and authentication protocols exist for protecting information while transmitted?
- A. Work is being completed in TCP services.
- B. Work is completed in tunnel mode with IP security using the nested services of authentication header (AH) and encapsulating security payload (ESP).
- C. A digital signature with RSA has been implemented.
- D. Digital certificates with RSA are being used.
Answer: B
Section: Protection of Information Assets
Explanation:
Tunnel mode with IP security provides encryption and authentication of the complete IP packet. To accomplish this, the AH and ESP services can be nested. The digital signature and digital certificate choices provide authentication and integrity but not encryption of the transmitted data. TCP services by themselves do not provide encryption or authentication.
Which skills and knowledge are required for passing the ISACA CISA Exam?
A candidate is expected to have sufficient knowledge of how to perform systems analysis and to document security policy implementation, including full life cycle assessment from design and development through maintenance and compliance monitoring, as well as designing system architectures with an emphasis on safeguarding information assets, both physical and virtual. CISA certification validates that an individual has the competence, knowledge, skill, experience, and training to do these tasks. It is an important credential for individuals seeking entry-level employment in IT auditing or assurance. Individuals already employed in the IT industry may choose to pursue CISA certification to improve job opportunities or increase their salaries.
What are the language, duration, and format of the ISACA CISA Certification Exam?
The language, duration, and format of the ISACA CISA Certification Exam are as follows:
Duration: Candidates have 240 minutes (4 hours) to complete the CISA exam.
Language: The CISA exam is administered in 11 languages: Chinese Traditional, Chinese Simplified, English, French, German, Hebrew, Italian, Japanese, Korean, Spanish, and Turkish.
Number of questions: There are 150 questions in the CISA exam, all of which must be answered. Questions are multiple choice.

