Which of the following should an IS auditor recommend to best enforce alignment of an IT project portfolio with strategic organizational priorities?

The latest ISACA CISA (Certified Information Systems Auditor) certification practice exam questions and answers (Q&A) are available free and are helpful for passing the ISACA CISA exam and earning the ISACA CISA certification.


CISA Question 631

Question

An example of a direct benefit to be derived from a proposed IT-related business investment is:

A. enhanced reputation.
B. enhanced staff morale.
C. the use of new technology.
D. increased market penetration.

Answer

D. increased market penetration.

Explanation

A comprehensive business case for any proposed IT-related business investment should have clearly defined business benefits to enable the expected return to be calculated. These benefits usually fall into two categories: direct, and indirect (or soft). Direct benefits usually comprise the quantifiable financial benefits that the new system is expected to generate. The potential benefits of enhanced reputation and enhanced staff morale are difficult to quantify, but should be quantified to the extent possible. IT investments should not be made just for the sake of new technology but should be based on a quantifiable business need.

CISA Question 632

Question

Which of the following should an IS auditor recommend to BEST enforce alignment of an IT project portfolio with strategic organizational priorities?

A. Define a balanced scorecard (BSC) for measuring performance
B. Consider user satisfaction in the key performance indicators (KPIs)
C. Select projects according to business benefits and risks
D. Modify the yearly process of defining the project portfolio

Answer

C. Select projects according to business benefits and risks

Explanation

Prioritization of projects on the basis of their expected benefit(s) to the business, and the related risks, is the best measure for achieving alignment of the project portfolio with an organization’s strategic priorities. Modifying the yearly process of defining the project portfolio might improve the situation, but only if the portfolio definition process is currently not tied to the definition of corporate strategies; however, this is unlikely, since the difficulty is in maintaining the alignment, not in setting it up initially. Measures such as a balanced scorecard (BSC) and key performance indicators (KPIs) are helpful, but they do not guarantee that the projects are aligned with business strategy.

CISA Question 633

Question

The PRIMARY objective of implementing corporate governance by an organization’s management is to:

A. provide strategic direction.
B. control business operations.
C. align IT with business.
D. implement best practices.

Answer

A. provide strategic direction.

Explanation

Corporate governance is a set of management practices to provide strategic direction, thereby ensuring that goals are achievable, risks are properly addressed and organizational resources are properly utilized. Hence, the primary objective of corporate governance is to provide strategic direction. Based on the strategic direction, business operations are directed and controlled.

CISA Question 634

Question

Which of the following provides the best evidence of the adequacy of a security awareness program?

A. The number of stakeholders, including employees, trained at various levels
B. Coverage of training at all locations across the enterprise
C. The implementation of security devices from different vendors
D. Periodic reviews and comparison with best practices

Answer

D. Periodic reviews and comparison with best practices

Explanation

The adequacy of security awareness content can best be assessed by determining whether it is periodically reviewed and compared to industry best practices. Choices A, B and C provide metrics for measuring various aspects of a security awareness program, but do not help assess the content.

CISA Question 635

Question

IT control objectives are useful to IS auditors, as they provide the basis for understanding the:

A. desired result or purpose of implementing specific control procedures.
B. best IT security control practices relevant to a specific entity.
C. techniques for securing information.
D. security policy.

Answer

A. desired result or purpose of implementing specific control procedures.

Explanation

An IT control objective is defined as the statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity. Control objectives provide the actual objectives for implementing controls and may or may not be best practices. Techniques are the means of achieving an objective, and a security policy is a subset of IT control objectives.

CISA Question 636

Question

An IS auditor is reviewing a project to implement a payment system between a parent bank and a subsidiary. The IS auditor should FIRST verify that the:

A. technical platforms between the two companies are interoperable.
B. parent bank is authorized to serve as a service provider.
C. security features are in place to segregate subsidiary trades.
D. subsidiary can join as a co-owner of this payment system.

Answer

B. parent bank is authorized to serve as a service provider.

Explanation

Even between parent and subsidiary companies, contractual agreement(s) should be in place to conduct shared services. This is particularly important in highly regulated industries such as banking. Unless the parent bank is authorized to serve as a service provider, it may not be legal for it to extend this business to its subsidiary companies. Technical aspects should always be considered; however, this can be initiated after confirming that the parent bank can serve as a service provider. Security aspects are another important factor; however, these should be considered after confirming that the parent bank can serve as a service provider. The ownership of the payment system is not as important as the legal authorization to operate the system.

CISA Question 637

Question

An IS auditor finds that, in accordance with IS policy, IDs of terminated users are deactivated within 90 days of termination. The IS auditor should:

A. report that the control is operating effectively since deactivation happens within the time frame stated in the IS policy.
B. verify that user access rights have been granted on a need-to-have basis.
C. recommend changes to the IS policy to ensure deactivation of user IDs upon termination.
D. recommend that activity logs of terminated users be reviewed on a regular basis.

Answer

C. recommend changes to the IS policy to ensure deactivation of user IDs upon termination.

Explanation

Although a policy provides a reference for performing IS audit assignments, an IS auditor needs to review the adequacy and the appropriateness of the policy. If, in the opinion of the auditor, the time frame defined for deactivation is inappropriate, the auditor needs to communicate this to management and recommend changes to the policy. Though the deactivation happens as stated in the policy, it cannot be concluded that the control is effective. Best practice would require that the ID of a terminated user be deactivated immediately. Verifying that user access rights have been granted on a need-to-have basis is necessary when permissions are granted. Recommending that activity logs of terminated users be reviewed on a regular basis is a good practice, but not as effective as deactivation upon termination.

CISA Question 638

Question

When developing a security architecture, which of the following steps should be executed FIRST?

A. Developing security procedures
B. Defining a security policy
C. Specifying an access control methodology
D. Defining roles and responsibilities

Answer

B. Defining a security policy

Explanation

Defining a security policy for information and related technology is the first step toward building a security architecture. A security policy communicates a coherent security standard to users, management and technical staff. Security policies will often set the stage in terms of what tools and procedures are needed for an organization. The other choices should be executed only after defining a security policy.

CISA Question 639

Question

A retail outlet has introduced radio frequency identification (RFID) tags to create unique serial numbers for all products. Which of the following is the PRIMARY concern associated with this initiative?

A. Issues of privacy
B. Wavelength can be absorbed by the human body
C. RFID tags may not be removable
D. RFID eliminates line-of-sight reading

Answer

A. Issues of privacy

Explanation

The purchaser of an item will not necessarily be aware of the presence of the tag. If a tagged item is paid for by credit card, it would be possible to tie the unique ID of that item to the identity of the purchaser. Privacy violations are a significant concern because RFID tags can carry unique identifier numbers. If desired, it would be possible for a firm to track individuals who purchase an item containing an RFID tag. Choices B and C are concerns of less importance. Choice D is not a concern.

CISA Question 640

Question

Which of the following would MOST likely indicate that a customer data warehouse should remain in-house rather than be outsourced to an offshore operation?

A. Time zone differences could impede communications between IT teams.
B. Telecommunications cost could be much higher in the first year.
C. Privacy laws could prevent cross-border flow of information.
D. Software development may require more detailed specifications.

Answer

C. Privacy laws could prevent cross-border flow of information.

Explanation

Privacy laws prohibiting the cross-border flow of personally identifiable information would make it impossible to locate a data warehouse containing customer information in another country. Time zone differences and higher telecommunications costs are more manageable. Software development typically requires more detailed specifications when dealing with offshore operations.