
CISA

Certified Information Systems Auditor

Q&A

DEMO Version
Important Note
Please Read Carefully

For demonstration purposes only, this free version of the Chinatag study guide contains 10 full-length questions
selected from our full-version products, which have more than 200 questions each.

This study guide has been carefully written and compiled by Chinatag certification experts. It is designed to help you
learn the concepts behind the questions rather than to be a strict memorization tool. Repeated readings will increase
your comprehension.

For promotion purposes, none of our PDF files are encrypted. Feel free to distribute copies among your friends and let
them know about the Chinatag website.

Study Tips
This product provides questions and answers along with detailed explanations carefully compiled and written
by our experts. Try to understand the concepts behind the questions instead of cramming the questions. Go through
the entire document at least twice to make sure that you are not missing anything.

Latest Version
We are constantly reviewing our products. New material is added and old material is revised. Free updates are
available for 90 days after the purchase. You should check the products page on the http://www.chinatag.com
website for an update 3-4 days before the scheduled exam date.

Please tell us what you think of our products. We appreciate both positive and critical comments, as your feedback
helps us improve future versions. Feedback on specific questions should be sent to feedback@chinatag.com.

Thank you for purchasing our products; we look forward to supplying all your certification training needs.

Good studying!

Technical and Support Team


Chinatag LLC.

Leading the way in IT testing and certification tools, www.chinatag.com -2-


2008 CISA PRACTICE QUESTIONS

QUESTIONS:

1、The extent to which data will be collected during an IS audit should be determined based on the:

A、availability of critical and required information.

B、auditor's familiarity with the circumstances.

C、auditee's ability to find relevant evidence.

D、purpose and scope of the audit being done.

ANSWER: D

NOTE: The extent to which data will be collected during an IS audit should be related directly to the scope and purpose of the audit. An audit with a narrow purpose and scope would most likely result in less data collection than an audit with a wider purpose and scope. The scope of an IS audit should not be constrained by the ease of obtaining the information or by the auditor's familiarity with the area being audited. Collecting all the required evidence is a required element of an IS audit, and the scope of the audit should not be limited by the auditee's ability to find relevant evidence.

2、Which of the following ensures a sender's authenticity and an e-mail's confidentiality?

A、Encrypting the hash of the message with the sender's private key and thereafter encrypting the hash of the message with the receiver's public key

B、The sender digitally signing the message and thereafter encrypting the hash of the message with the sender's private key

C、Encrypting the hash of the message with the sender's private key and thereafter encrypting the message with the receiver's public key

D、Encrypting the message with the sender's private key and encrypting the message hash with the receiver's public key

ANSWER: C

NOTE: To ensure authenticity and confidentiality, a message must be encrypted twice: first with the sender's private key, and then with the receiver's public key. The receiver can decrypt the message, thus ensuring confidentiality of the message. Thereafter, the decrypted message can be decrypted with the public key of the sender, ensuring authenticity of the message. Encrypting the message with the sender's private key enables anyone to decrypt it.

3、Which of the following is the GREATEST advantage of elliptic curve encryption over RSA encryption?

A、Computation speed

B、Ability to support digital signatures

C、Simpler key distribution

D、Greater strength for a given key length

ANSWER: A

NOTE: The main advantage of elliptic curve encryption over RSA encryption is its computation speed. This method was first independently suggested by Neal Koblitz and Victor S. Miller. Both encryption methods support digital signatures and are used for public key encryption and distribution. However, a stronger key per se does not necessarily guarantee better performance; the actual algorithm employed does.

4、Which of the following controls would provide the GREATEST assurance of database integrity?

A、Audit log procedures

B、Table link/reference checks

C、Query/table access time checks

D、Rollback and rollforward database features

ANSWER: B

NOTE: Performing table link/reference checks serves to detect table linking errors (such as completeness and accuracy of the contents of the database), and thus provides the greatest assurance of database integrity. Audit log procedures enable recording of all events that have been identified and help in tracing the events. However, they only point to the event and do not ensure completeness or accuracy of the database's contents. Querying/monitoring table access time checks helps designers improve database performance, but not integrity. Rollback and rollforward database features ensure recovery from an abnormal disruption. They assure the integrity of the transaction that was being processed at the time of disruption, but do not provide assurance on the integrity of the contents of the database.

5、A benefit of open system architecture is that it:

A、facilitates interoperability.

B、facilitates the integration of proprietary components.

C、will be a basis for volume discounts from equipment vendors.

D、allows for the achievement of more economies of scale for equipment.

ANSWER: A

NOTE: Open systems are those for which suppliers provide components whose interfaces are defined by public standards, thus facilitating interoperability between systems made by different vendors. In contrast, closed system components are built to proprietary standards so that other suppliers' systems cannot or will not interface with existing systems.

6、An IS auditor discovers that developers have operator access to the command line of a production environment operating system. Which of the following controls would BEST mitigate the risk of undetected and unauthorized program changes to the production environment?

A、Commands typed on the command line are logged

B、Hash keys are calculated periodically for programs and matched against hash keys calculated for the most recent authorized versions of the programs

C、Access to the operating system command line is granted through an access restriction tool with preapproved rights

D、Software development tools and compilers have been removed from the production environment

ANSWER: B

NOTE: The matching of hash keys over time would allow detection of changes to files. Choice A is incorrect because having a log is not a control; reviewing the log is a control. Choice C is incorrect because the access was already granted—it does not matter how. Choice D is wrong because files can be copied to and from the production environment.

7、Which of the following BEST ensures the integrity of a server's operating system?

A、Protecting the server in a secure location

B、Setting a boot password

C、Hardening the server configuration

D、Implementing activity logging

ANSWER: C

NOTE: Hardening a system means configuring it in the most secure manner (install the latest security patches, properly define the access authorization for users and administrators, disable insecure options and uninstall unused services) to prevent nonprivileged users from gaining the right to execute privileged instructions and thus take control of the entire machine, jeopardizing the OS's integrity. Protecting the server in a secure location and setting a boot password are good practices, but do not ensure that a user will not try to exploit logical vulnerabilities and compromise the OS. Activity logging has two weaknesses in this scenario—it is a detective control (not a preventive one), and an attacker who has already gained privileged access can modify logs or disable them.

8、An investment advisor e-mails periodic newsletters to clients and wants reasonable assurance that no one has modified the newsletter. This objective can be achieved by:

A、encrypting the hash of the newsletter using the advisor's private key.

B、encrypting the hash of the newsletter using the advisor's public key.

C、digitally signing the document using the advisor's private key.

D、encrypting the newsletter using the advisor's private key.

ANSWER: A

NOTE: There is no attempt on the part of the investment advisor to prove their identity or to keep the newsletter confidential. The objective is to assure the receivers that it came to them without any modification, i.e., it has message integrity. Choice A is correct because the hash is encrypted using the advisor's private key. The recipients can open the newsletter, recompute the hash and decrypt the received hash using the advisor's public key. If the two hashes are equal, the newsletter was not modified in transit. Choice B is not feasible, for no one other than the investment advisor can open it. Choice C addresses sender authentication but not message integrity. Choice D addresses confidentiality, but not message integrity, because anyone can obtain the investment advisor's public key, decrypt the newsletter, modify it and send it to others. The interceptor will not be able to use the advisor's private key, because they do not have it. Anything encrypted using the interceptor's private key can be decrypted by the receiver only by using the interceptor's public key.

9、In reviewing the IS short-range (tactical) plan, an IS auditor should determine whether:

A、there is an integration of IS and business staff within projects.

B、there is a clear definition of the IS mission and vision.

C、a strategic information technology planning methodology is in place.

D、the plan correlates business objectives to IS goals and objectives.

ANSWER: A

NOTE: The integration of IS and business staff in projects is an operational issue and should be considered while reviewing the short-range plan. A strategic plan would provide a framework for the IS short-range plan. Choices B, C and D are areas covered by a strategic plan.

10、An IS auditor is performing an audit of a network operating system. Which of the following is a user feature the IS auditor should review?

A、Availability of online network documentation

B、Support of terminal access to remote hosts

C、Handling file transfer between hosts and interuser communications

D、Performance management, audit and control

ANSWER: A

NOTE: Network operating system user features include online availability of network documentation. Other features would be user access to various resources of network hosts, user authorization to access particular resources, and the network and host computers used without special user actions or commands. Choices B, C and D are examples of network operating system functions.
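The explanations for questions 2 and 8 describe public-key operations in the classic CISA wording: "encrypt the hash with the sender's private key" (the recipient recomputes the hash and decrypts the received one with the sender's public key, so a mismatch reveals tampering) and then "encrypt the message with the receiver's public key" (only the receiver's private key can open it). The following is an added example, not part of the Chinatag study guide, that models both operations with textbook RSA so the steps can be run and observed. All key material, the newsletter text and the function names are constructed for this example; the keys are built from known Mersenne primes purely so the code runs offline with only the Python standard library, and unpadded textbook RSA is used only to mirror the exam's mental model, not as a production design.

```python
# Added example (not from the study guide): textbook-RSA model of the two
# operations described in the notes to questions 2 and 8.
#   sign()    - "encrypt the hash with the sender's private key"  (integrity / origin)
#   encrypt() - "encrypt the message with the receiver's public key" (confidentiality)
# Toy only: no padding scheme, structured primes. Real systems use a vetted
# library with RSA-PSS / OAEP (or a modern signature scheme such as Ed25519).
import hashlib

E = 65537  # public exponent; gcd(E, phi) == 1 for the primes chosen below


def make_keypair(p: int, q: int):
    """Return ((n, e), (n, d)) for the two primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # modular inverse (Python 3.8+)
    return (n, E), (n, d)


# Constructed key pairs for the sender (the advisor of question 8) and the
# receiver, from the Mersenne primes 2^127-1, 2^521-1, 2^107-1 and 2^607-1.
SENDER_PUB, SENDER_PRIV = make_keypair((1 << 127) - 1, (1 << 521) - 1)
RECEIVER_PUB, RECEIVER_PRIV = make_keypair((1 << 107) - 1, (1 << 607) - 1)


def digest(message: bytes) -> int:
    """SHA-256 of the message as an integer (256 bits, below both moduli)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, priv) -> int:
    """Question 8, choice A: encrypt the hash with the sender's private key."""
    n, d = priv
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, pub) -> bool:
    """Recipient recomputes the hash and 'decrypts' the received hash with the
    sender's public key; equality means the message was not modified."""
    n, e = pub
    return pow(signature, e, n) == digest(message)


def encrypt(message: bytes, pub) -> int:
    """Question 2: encrypt the message itself with the receiver's public key.
    Toy limitation: the message must be numerically smaller than the modulus."""
    n, e = pub
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)


def decrypt(ciphertext: int, priv) -> bytes:
    """Receiver's private key recovers the plaintext bytes."""
    n, d = priv
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def send_authentic_confidential(message: bytes):
    """Question 2, choice C: sign the hash with the sender's private key, then
    encrypt the message with the receiver's public key. Returns (ct, sig)."""
    return encrypt(message, RECEIVER_PUB), sign(message, SENDER_PRIV)


def receive(ciphertext: int, signature: int):
    """Receiver decrypts with its own private key, then checks the signature
    with the sender's public key. Returns (plaintext, signature_ok)."""
    plaintext = decrypt(ciphertext, RECEIVER_PRIV)
    return plaintext, verify(plaintext, signature, SENDER_PUB)


if __name__ == "__main__":
    newsletter = b"Q3 outlook: rebalance toward bonds."  # constructed sample
    sig = sign(newsletter, SENDER_PRIV)
    print("unmodified verifies:", verify(newsletter, sig, SENDER_PUB))
    print("tampered verifies:  ", verify(newsletter + b" Buy XYZ!", sig, SENDER_PUB))
    ct, sig2 = send_authentic_confidential(newsletter)
    pt, ok = receive(ct, sig2)
    print("receiver got:", pt, "| signature ok:", ok)
```

Running the block shows the question 8 point directly: the unmodified newsletter verifies, and a newsletter altered in transit does not, because the recomputed hash no longer matches the one recovered with the advisor's public key. The `send_authentic_confidential`/`receive` pair is the question 2 sequence: the signature is made with the sender's private key and the message is then encrypted with the receiver's public key, so only the receiver can read it and anyone holding the sender's public key can confirm who produced it.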
