CISA Modulo 2

Creation Date: 2014/11/03

Category: Others

Number of questions: 10

Content:

When an organization is outsourcing their information security function, which of the following should be kept in the organization?
A. Accountability for the corporate security policy.
B. Defining the corporate security policy.
C. Implementing the corporate security policy.
D. Defining security procedures and guidelines.

When auditing the IT governance framework and IT risk management practices that exist within an organization, the IS auditor identified some undefined responsibilities regarding IT management and governance roles. Which of the following recommendations is the MOST appropriate?
A. Review the strategic alignment of IT with the business.
B. Implement accountability rules within the organization.
C. Ensure that independent IT audits are conducted periodically.
D. Create a chief risk officer (CRO) role in the organization.

When reviewing the IT strategic planning process, an IS auditor should ensure that the plan:
A. incorporates state-of-the-art technology.
B. addresses the required operational controls.
C. articulates the IT mission and vision.
D. specifies project management practices.

The PRIMARY purpose of a business impact analysis (BIA) is to:
A. provide a plan for resuming operations after a disaster.
B. identify the events that could impact the continuity of an organization’s operations.
C. publicize the commitment of the organization to physical and logical security.
D. provide the framework for an effective disaster recovery plan.

Which of the following would have the HIGHEST priority in a business continuity plan?
A. Resuming critical processes.
B. Recovering sensitive processes.
C. Restoring the site.
D. Relocating operations to an alternative site.

An IS auditor is performing a review of the software quality management process in an organization. The FIRST step should be to:
A. verify how the organization follows the standards.
B. identify and report the controls currently in place.
C. review the metrics for quality evaluation.
D. request all standards that have been adopted by the organization.

Which of the following is the MOST important aspect of effective business continuity management?
A. The recovery site is secure and located an appropriate distance from the primary site.
B. The recovery plans are periodically tested.
C. Fully tested backup hardware is available at the recovery site.
D. Network links are available from multiple service providers.

An IS auditor reviewing an organization’s IT strategic plan should FIRST review:
A. the existing IT environment.
B. the business plan.
C. the present IT budget.
D. current technology trends.

An IS auditor noted that an organization had adequate business continuity plans for each individual process, but no comprehensive business continuity plan. Which would be the BEST course of action for the IS auditor?
A. Recommend that an additional comprehensive business continuity plan be developed.
B. Determine whether the business continuity plans are consistent.
C. Accept the business continuity plans as written.
D. Recommend the creation of a single business continuity plan.

During a review of a business continuity plan, an IS auditor noticed that the point at which a situation is declared to be a crisis has not been defined. The MAJOR risk associated with this is that:
A. assessment of the situation may be delayed.
B. execution of the disaster recovery plan could be impacted.
C. notification of the teams might not occur.
D. potential crisis recognition might be ineffective.
