Certified Information Systems Security Professional (CISSP) Practice Test

Certified Information Systems Auditor (CISA) Practice Test

Certified Information Security Manager (CISM) Practice Test

Question ID: CISA#1
What would be the NEXT step of an IS auditor when he discovers that there are no documented security procedures?
1. Conduct a substantive test.
2. Inform the management about the risk and continue auditing.
3. Identify and evaluate the practices used by the organization.
4. Help the security management to prepare a security procedure.
Correct Answer: Option 3

Question ID: CISA#2
What should an IS auditor do when he identifies a threat and its impacts?
1. Inform the auditee about the threats and help them to prepare a corrective action.
2. Disclose the findings to the management.
3. Identify and evaluate the existing controls.
4. Continue the audit without disclosing any information.
Correct Answer: Option 3

Question ID: CISA#3
The amount of data collected during an audit is primarily determined by
1. Risk assessment.
2. Purpose and scope of audit.
3. Business risk.
4. Auditee.
Correct Answer: Option 2

Question ID: CISA#4
Which risk is directly affected by an IS auditor's decision?
1. Control risk.
2. Business risk.
3. Detection risk.
4. Audit risk.
Correct Answer: Option 3

Question ID: CISA#5
Which action should an IS auditor take if he/she discovers the existence of unauthorized software during an audit?
1. Inform law enforcement agency.
2. Report the user and the user management about the risk of using unauthorized software.
3. Report to auditee.
4. Delete all the unauthorized copies.
Correct Answer: Option 2

Question ID: CISA#6
The audit technique that will provide the best evidence for segregation of duties is
1. Talking with the managers and end users.
2. Reviewing the structure of the organizational chart.
3. Interviewing top management and stakeholders.
4. Observation and interviewing.
Correct Answer: Option 4

Question ID: CISA#7
What is the most secure way to destroy data?
1. Erasing data.
2. Destroy hard disk completely.
3. Hard disk sanitization with automated tools.
4. Formatting hard disk twice.
Correct Answer: Option 2

Question ID: CISA#8
When an auditee takes a corrective action after discovering an audit finding, the auditor should
1. Not include the finding in the report.
2. Include the finding in the report, mentioning the corrective action taken by the auditee.
3. Informally discuss with the management during the final meeting of the audit.
4. Inform the IS security manager to make an entry in the risk register.
Correct Answer: Option 2

Question ID: CISA#9
What is the main benefit of practicing control self-assessment?
1. Improve overall governance of IT.
2. Identify high-risk areas.
3. Replacing auditors' roles.
4. Help management to establish control over audit functions.
Correct Answer: Option 2

Question ID: CISA#10
Which factor contributes the most to the success of CSA (control self-assessment)?
1. Implementation of automated monitoring system.
2. Line managers taking some of the control monitoring responsibilities.
3. Support from higher management and internal audit team.
4. Control training to the employees.
Correct Answer: Option 2

Question ID: CISA#11
Which one is considered to be the most reliable evidence to an auditor?
1. Data gathered from the Internet.
2. Assurance from the management of the organization that is being audited.
3. A confirmation from an independent third party.
4. Assurance from the operation manager.
Correct Answer: Option 3

Question ID: CISA#12
The reason why an IS auditor reviews an organizational chart is
1. To understand responsibilities and authority of every person in the organization.
2. To understand segregation of duties in the IS department.
3. To gain understanding of the work flow.
4. To increase efficiency in each department.
Correct Answer: Option 1

Question ID: CISA#13
What is the main reason for using audit trails?
1. To establish accountability.
2. To improve security.
3. To help IS auditor to trace transactions.
4. Part of internal controls.
Correct Answer: Option 1

Question ID: CISA#14
Which one is the most effective method to find errors in data processing?
1. Hash totals.
2. Audit screen.
3. Input controls.
4. Audit trails.
Correct Answer: Option 1

Question ID: CISA#15
The best way to confirm the accuracy of a transaction balance calculation system is to
1. Understand the calculation algorithm.
2. Test the logic of the calculation programme and test the result with simulated data.
3. Data completeness checking.
4. Run a simulation and compare the simulated result with the pre-calculated result.
Correct Answer: Option 4

Question ID: CISA#16
Which one is critical while making an IS audit plan?
1. Review previous audit findings.
2. Become familiar with the business process.
3. Risk assessment.
4. Review IS security policy.
Correct Answer: Option 3

Question ID: CISA#17
Which one should concern an IS auditor the most while he performs a forensic investigation?
1. Hash total.
2. State of host operating system.
3. Presence of hidden code in the data.
4. Preservation of data.
Correct Answer: Option 4

Question ID: CISA#18
What is the main reason for using a data flow diagram?
1. To trace data from its origination to destination.
2. To understand the hierarchical order of data.
3. To understand the requirement of segregation of duties.
4. To generate audit trails.
Correct Answer: Option 1

Question ID: CISA#19
The best sampling method for a compliance test is
1. Statistical sampling.
2. Variable sampling.
3. Attribute sampling.
4. Probability estimation.
Correct Answer: Option 3

Question ID: CISA#20
What is audit risk?
1. Inherent risk.
2. Detection risk.
3. A combination of inherent, detection and control risk.
4. Control risk.
Correct Answer: Option 3

Question ID: CISM#10
When developing an information security program, what is the MOST useful source of information for determining available resources?
1. Proficiency test
2. Job descriptions
3. Organization chart
4. Skills inventory
Correct Answer: Option 4

Question ID: CISM#9
Information security governance is PRIMARILY driven by:
1. technology constraints.
2. regulatory requirements.
3. litigation potential.
4. business strategy.
Correct Answer: Option 4

Question ID: CISM#8
Which of the following should be the FIRST step in developing an information security plan?
1. Perform a technical vulnerabilities assessment
2. Analyze the current business strategy
3. Perform a business impact analysis
4. Assess the current levels of security awareness
Correct Answer: Option 2

Question ID: CISM#7
An information security manager must understand the relationship between information security and business operations in order to:
1. support organizational objectives.
2. determine likely areas of noncompliance.
3. assess the possible impacts of compromise.
4. understand the threats to the business.
Correct Answer: Option 1

Question ID: CISM#6
Minimum standards for securing the technical infrastructure should be defined in a security:
1. strategy.
2. guidelines.
3. model.
4. architecture.
Correct Answer: Option 4

Question ID: CISM#5
When a security standard conflicts with a business objective, the situation should be resolved by:
1. changing the security standard.
2. changing the business objective.
3. performing a risk analysis.
4. authorizing a risk acceptance.
Correct Answer: Option 3

Question ID: CISM#4
A security manager is preparing a report to obtain the commitment of executive management to a security program. Inclusion of which of the following would be of MOST value?
1. Examples of genuine incidents at similar organizations
2. Statement of generally accepted best practices
3. Associating realistic threats to corporate objectives
4. Analysis of current technological exposures
Correct Answer: Option 3

Question ID: CISM#3
Investment in security technology and processes should be based on:
1. clear alignment with the goals and objectives of the organization.
2. success cases that have been experienced in previous projects.
3. best business practices.
4. safeguards that are inherent in existing technology.
Correct Answer: Option 1

Question ID: CISM#2
The MOST important component of a privacy policy is:
1. notifications.
2. warranties.
3. liabilities.
4. geographic coverage.
Correct Answer: Option 1

Question ID: CISM#1
Who should be responsible for enforcing access rights to application data?
1. Data owners
2. Business process owners
3. The security steering committee
4. Security administrators
Correct Answer: Option 4
