Latest CISA Exam Premium Dumps provided by TrainingQuiz.com to help you pass the CISA exam. TrainingQuiz.com offers updated CISA exam dumps; the TrainingQuiz.com CISA exam questions have been updated with the correct answers. Get the latest TrainingQuiz.com CISA PDF dumps with Exam Engine here (1588 Q&As).
Batch control reconciliation is a _____________________ (fill in the blank) control for mitigating the risk of inadequate segregation of duties.
Correct Answer: D
Section: Protection of Information Assets
Explanation: Batch control reconciliation is a compensatory control for mitigating the risk of inadequate segregation of duties.
Question 162
By evaluating application development projects against the capability maturity model (CMM), an IS auditor should be able to verify that:
Correct Answer: D
Section: Protection of Information Assets
Explanation: By evaluating the organization's development projects against the CMM, an IS auditor determines whether the development organization follows a stable, predictable software process. Although the likelihood of success should increase as the software processes mature toward the optimizing level, mature processes do not guarantee a reliable product. CMM does not evaluate technical processes such as programming, nor does it evaluate security requirements or other application controls.
Question 163
The BEST way to provide assurance that a project is adhering to the project plan is to:
Correct Answer: D
The best way to provide assurance that a project is adhering to the project plan is to conduct compliance audits at major system milestones. A compliance audit is a systematic and independent examination of the project's activities, documents, and deliverables to determine whether they conform to the project plan and its specifications, standards, and requirements [1]. A major system milestone is a significant point or event in the project's life cycle that marks the completion of a phase, stage, or deliverable [2]. By conducting compliance audits at major system milestones, the auditor can provide assurance that the project is adhering to the project plan by:
- Verifying that the project's scope, schedule, budget, quality, and risks are aligned with the project plan and its objectives [1]
- Identifying any deviations, discrepancies, or non-compliances that may affect the project's performance or outcome [1]
- Recommending and monitoring corrective and preventive actions to address the identified issues and improve the project's compliance [1]
- Reporting and communicating the audit findings, conclusions, and recommendations to the relevant stakeholders [1]
The other options are not as effective as conducting compliance audits at major system milestones for providing assurance that the project is adhering to the project plan. Requiring design reviews at appropriate points in the life cycle is a useful technique for ensuring that the project's design meets the user and business requirements and follows the design standards and best practices [3]. However, design reviews are not sufficient for providing assurance that the project is adhering to the project plan, as they do not cover other aspects of the project such as schedule, budget, quality, or risks.
Having an IS auditor participate on the steering committee is a possible way of providing assurance that the project is adhering to the project plan, as the auditor can provide independent advice and oversight to the steering committee on quality management issues and remediation efforts [4]. However, this may not be feasible or appropriate for every project, as it may create a conflict of interest or compromise the auditor's objectivity and independence.
Having an IS auditor participate on the quality assurance (QA) team is another possible way of providing assurance that the project is adhering to the project plan, as the auditor can assist the QA team in implementing procedures to facilitate adoption of quality management best practices [5]. However, this may also not be feasible or appropriate for every project, as it may create a conflict of interest or compromise the auditor's objectivity and independence.
Therefore, option D is the correct answer.
References:
1. What Is Compliance Audit? Definition & Process | ASQ
2. What Is A Project Milestone? - The Basics
3. Design Review - an overview | ScienceDirect Topics
4. Project success through project assurance - Project Management Institute
5. Quality Assurance Team: Roles & Responsibilities
Question 164
In RFID technology, which of the following risks could represent a threat to non-RFID networked or collocated systems, assets, and people?
Correct Answer: D
Explanation/Reference: RFID technology potentially could represent a threat to non-RFID networked or collocated systems, assets, and people. RFID systems typically are not isolated from other systems and assets in the enterprise. Every connection point between the RFID system and something outside the RFID system represents a potential vulnerability for the entity on the other side of the connection, whether that is an application process, a valued asset, or a person. Externality risks are present for both the RF and enterprise subsystems of an RFID system. The main externality risk for the RF subsystem is hazards resulting from electromagnetic radiation, which could possibly range from adverse human health effects to ignition of combustible material, such as fuel or ordnance. The main externality risk for the enterprise subsystem is successful computer network attacks on networked devices and applications. Computer network attacks can involve malware (e.g., worms and viruses) or attack tools that exploit software vulnerabilities and configuration weaknesses to gain access to systems, perform a denial of service, or cause other damage. The impact of computer network attacks can range from performance degradation to complete compromise of a mission-critical application. Because the externality risk by definition involves risks outside of the RFID system, it is distinct from both the business process and business intelligence risks; externality risks can be realized without having any effect on RFID-supported business processes or without revealing any information to adversaries.
For your exam you should know the information below:
Radio-frequency identification (RFID) is the wireless non-contact use of radio-frequency electromagnetic fields to transfer data, for the purposes of automatically identifying and tracking tags attached to objects. The tags contain electronically stored information. Some tags are powered by and read at short ranges (a few meters) via magnetic fields (electromagnetic induction). Others use a local power source such as a battery, or else have no battery but collect energy from the interrogating EM field, and then act as a passive transponder to emit microwaves or UHF radio waves (i.e., electromagnetic radiation at high frequencies). Battery-powered tags may operate at hundreds of meters. Unlike a barcode, the tag does not necessarily need to be within line of sight of the reader, and may be embedded in the tracked object. RFID tags are used in many industries. An RFID tag attached to an automobile during production can be used to track its progress through the assembly line. Pharmaceuticals can be tracked through warehouses. Livestock and pets may have tags injected, allowing positive identification of the animal.
RFID RISKS
RFID technology enables an organization to significantly change its business processes to:
- Increase its efficiency, which results in lower costs,
- Increase its effectiveness, which improves mission performance and makes the implementing organization more resilient and better able to assign accountability, and
- Respond to customer requirements to use RFID technology to support supply chains and other applications.
The RFID technology itself is complex, combining a number of different computing and communications technologies to achieve the desired objectives. Unfortunately, both change and complexity generate risk. For RFID implementations to be successful, organizations need to effectively manage that risk, which requires an understanding of its sources and its potential characteristics. This section reviews the major high-level business risks associated with RFID systems so that organizations planning or operating these systems can better identify, characterize, and manage the risk in their environments.
The risks are as follows:
- Business Process Risk - Direct attacks on RFID system components potentially could undermine the business processes the RFID system was designed to enable.
- Business Intelligence Risk - An adversary or competitor potentially could gain unauthorized access to RFID-generated information and use it to harm the interests of the organization implementing the RFID system.
- Privacy Risk - Personal privacy rights or expectations may be compromised if an RFID system uses what is considered personally identifiable information for a purpose other than originally intended or understood. The personal possession of functioning tags also is a privacy risk because it could enable tracking of those holding tagged items.
- Externality Risk - RFID technology potentially could represent a threat to non-RFID networked or collocated systems, assets, and people.
An important characteristic of RFID that impacts all of these risks is that RF communication is invisible to operators and users.
The following answers are incorrect:
- Business Process Risk - Direct attacks on RFID system components potentially could undermine the business processes the RFID system was designed to enable.
- Business Intelligence Risk - An adversary or competitor potentially could gain unauthorized access to RFID-generated information and use it to harm the interests of the organization implementing the RFID system.
- Privacy Risk - Personal privacy rights or expectations may be compromised if an RFID system uses what is considered personally identifiable information for a purpose other than originally intended or understood. The personal possession of functioning tags also is a privacy risk because it could enable tracking of those holding tagged items.
The following references were used to create this question:
CISA Review Manual 2014, page 248
NIST SP 800-98, Guidelines for Securing RFID Systems (2007) - http://www.csrc.nist.gov/publications/nistpubs/800-98/SP800-98_RFID-2007.pdf
Question 165
Which of the following is the PRIMARY benefit of a tabletop exercise for an incident response plan?
Correct Answer: D
The primary benefit of a tabletop exercise for an incident response plan is to increase confidence in the team's response readiness (D). A tabletop exercise is a simulated scenario that tests the effectiveness and efficiency of the incident response plan and team. It allows the team to practice their roles and responsibilities, review their procedures and tools, and identify and resolve any gaps or issues in their response process. A tabletop exercise can help the team to improve their skills, knowledge, and communication, and to prepare for real incidents [1].