1) You have recently been hired by a firm to assess an organization's recoverability in case of a disaster. You are in the process of reviewing the organization's disaster recovery plan. While reviewing the plan, you learned that the organization had contracted with an outside consulting firm to develop the recovery plan. Which of the following is the MOST appropriate action to take?
(A) Review the plan to ensure that all mission-critical applications have been identified
(B) Review the plan to ensure adequate input from the relevant business and IS personnel during plan development
(C) Review the plan to ensure that the key decisions dictated by the consulting firm are appropriate for the organization
(D) Review the plan to determine whether all aspects of the current processes are described in detail
(E) Review the plan to determine whether the methodology used by the consulting firm was appropriate for the organization
Although ensuring that all mission-critical applications are identified is an important aspect of the recovery plan, that goal cannot be achieved without first ensuring that the key business and IS personnel are identified and involved during the development of the recovery plan.

Reviewing the plan to determine whether all processes are described in detail is NOT appropriate. During a disaster, only mission-critical applications and systems will likely be recovered; non-critical systems will be ignored. Hence, a recovery plan should not document all processes in detail, but rather describe the procedures necessary to recover the mission-critical applications. Since many of the current processes may not be relevant during a disaster, documenting the unnecessary processes may actually hinder and interfere with the recovery effort.

While reviewing the methodology used by the consulting firm may be relevant to the audit, it is NOT as important as ensuring that key IS personnel were involved during plan development.

Lastly, a consulting firm should NOT dictate key decisions during recovery planning. Instead, those who are intimately involved in the management and operations of the business, such as senior management and key IS staff, should be involved in the key decision-making process. In fact, if a consulting firm were making key decisions on behalf of the organization, this would constitute a material weakness.

2) Alice wants to send a digitally signed message to her friend Bob. All of the following statements are true EXCEPT:
(A) Alice must apply a hash function to the message to create a message digest
(B) Alice must encrypt the entire message with her private key
(C) Bob must apply the same hash function as Alice to the message
(D) Bob must decrypt the encrypted message digest using Alice's public key
(E) If Bob is unable to verify the digital signature, either someone is trying to impersonate Alice or the message has been altered since Alice signed it
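The hash-then-sign flow the options describe (Alice digests the message and signs only the digest with her private key; Bob re-hashes with the same function and checks the signature with Alice's public key), as an added example that is not part of the original page. It uses RSA PKCS#1 v1.5 with SHA-256 from Go's standard library and a freshly generated test key, and shows that the message itself travels in the clear while a one-character change breaks verification.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignedMessage is what Alice sends: the plaintext message plus a signature
// over its SHA-256 digest. The message itself is never encrypted.
type SignedMessage struct {
	Message   []byte
	Signature []byte
}

// Sign hashes the message and signs only the digest with Alice's private key.
func Sign(priv *rsa.PrivateKey, msg []byte) (SignedMessage, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return SignedMessage{}, err
	}
	return SignedMessage{Message: msg, Signature: sig}, nil
}

// Verify recomputes the digest with the same hash function and checks the
// signature with Alice's public key. False means the message changed or the
// signer does not hold the private key matching this public key.
func Verify(pub *rsa.PublicKey, sm SignedMessage) bool {
	digest := sha256.Sum256(sm.Message)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sm.Signature) == nil
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // constructed test key, not a real identity
	if err != nil {
		panic(err)
	}
	sm, err := Sign(priv, []byte("Hi Bob, transfer 100 to account 42")) // constructed sample
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine message verifies:", Verify(&priv.PublicKey, sm))
	tampered := sm
	tampered.Message = []byte("Hi Bob, transfer 900 to account 42")
	fmt.Println("altered message verifies:", Verify(&priv.PublicKey, tampered))
}
```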
3) You are auditing a software development project plan for the development of a risk management platform. As software development can be very chaotic, the company has elected to follow a more rigorous approach to software development. Specifically, the company has chosen to adopt XP (Extreme Programming) for the current software project. The XP methodology is highly iterative and produces numerous deliverables, including UML diagrams, architecture diagrams, prototypes, and test cases. While reviewing the project, you observed that an independent quality assurance team was formed to review and test the risk management platform. All of the following are functions of the QA team EXCEPT:
(A) Reviewing code to ensure that documentation, coding, and management standards are followed
(B) Developing test plans
(C) Ensuring that processes meet prescribed standards
(D) Ensuring that defects are logged and testing continues until the tests produce acceptable results
(E) Logging, tracking, and fixing application defects