Free Access ISACA.CISA.v2022-08-28.q129 Practice Test (Page 23)

Question 106

Which of the following is MOST critical to the success of an information security program?

A.Integration of business and information security

B.Alignment of information security with IT objectives

C.Management's commitment to information security

D.User accountability for information security

Question 107

Regarding a disaster recovery plan, the role of an IS auditor should include:

A.identifying critical applications.

B.determining the external service providers involved in a recovery test.

C.observing the tests of the disaster recovery plan. determining the criteria for

D.establishing a recovery time objective (RTO).

Question 108

Which type of losing BEST determines whether a now system meets business requirements and is ready to be placed into production?

A.Load testing

B.User acceptance testing (UAT)

C.Performance testing

D.Volume testing

Question 109

An IS auditor is assigned to review the IS department's quality procedures. Upon contacting the IS manager, the auditor finds that there is an informal unwritten set of standards. Which of the following should be the auditor's NEXT action?

A.Document and test compliance with the informal standards.

B.Finalize the audit and report the finding.

C.Make recommendations to IS management as to appropriate quality standards.

D.Postpone the audit until IS management implements written standards.

Question 110

Which of the following is penetration test where the penetration tester is provided with limited or no knowledge of the target's information systems?

A.External Testing

B.Internal Testing

C.Blind Testing

D.Targeted Testing

Correct Answer: C

Explanation/Reference:
Blind Testing refers to the condition of testing when the penetration tester is provided with limited or no knowledge of the target. Such a testing is expensive, since the penetration tester has to research the target and profile it based on publicly available information.
For your exam you should know below mentioned penetration types
External Testing -Refers to attack and control circumvention attempts on a target's network perimeter from outside the target's system is usually the Internet
Internal Testing - Refers to attack and control circumvention attempt on target from within the perimeter.
The objective is to identify what would occur if the external perimeter was successfully compromised and/ or an authorized user from within the network wanted to compromise security of a specific resource on a network.
Blind Testing -Refers to the condition of testing when the penetration tester is provided with limited or no knowledge of the target's information systems. Such a testing is expensive, since penetration tester have to research the target and profile it based on publicly available information.
Double Blind Testing -It is an extension of blind testing, since the administrator and security staff at the target are also not aware of test. Such a testing can effectively evaluate the incident handling and response capability of the target.
Targeted Testing - Refers to attack and control circumvention attempts on the target, while both the target's IT team and penetration tester are aware of the testing activities. Penetration testers are provided with information related to target and network design. Additionally, they are also provided with a limited privilege user account to be used as a starting point to identify privilege escalation possibilities in the system.
The following were incorrect answers:
External Testing -Refers to attack and control circumvention attempts on a target's network perimeter from outside the target's system is usually the Internet
Internal Testing - Refers to attack and control circumvention attempt on target from within the perimeter.
The objective is to identify what would occur if the external perimeter was successfully compromised and/ or an authorized user from within the network wanted to compromise security of a specific resource on a network.
Targeted Testing - Refers to attack and control circumvention attempts on the target, while both the target's IT team and penetration tester are aware of the testing activities. Penetration testers are provided with information related to target and network design. Additionally, they are also provided with a limited privilege user account to be used as a starting point to identify privilege escalation possibilities in the system.
The Following reference(s) were/was used to create this question:
CISA review manual 2014 Page number 369

Other Version: 4516ISACA.CISA.v2025-05-24.q773; 1565ISACA.CISA.v2024-10-22.q310; 4135ISACA.CISA.v2023-10-02.q715; 3714ISACA.CISA.v2023-03-29.q119; 2375ISACA.CISA.v2023-02-09.q181; 1485ISACA.CISA.v2023-02-06.q107; 4197ISACA.CISA.v2022-02-25.q148; 126ISACA.Actualtestpdf.CISA.v2021-11-13.by.sarah.721q.pdf; 5594ISACA.CISA.v2021-11-11.q194; 8785ISACA.CISA.v2021-10-08.q198; 9763ISACA.CISA.v2021-09-28.q199; 12226ISACA.CISA.v2021-09-11.q201

Latest Upload: 107Oracle.1Z0-1057-23.v2025-09-10.q47; 146Google.Professional-Cloud-Network-Engineer.v2025-09-09.q179; 131SAP.C-S4EWM-2023.v2025-09-08.q83; 155TheSecOpsGroup.CNSP.v2025-09-08.q20; 204CFAInstitute.ESG-Investing.v2025-09-08.q173; 152PECB.ISO-IEC-27001-Lead-Implementer.v2025-09-06.q132; 140Salesforce.Data-Architect.v2025-09-05.q216; 136Adobe.AD0-E605.v2025-09-05.q50; 176Nutanix.NCP-MCI-6.10.v2025-09-05.q55; 114Oracle.1z0-591.v2025-09-05.q104

Question 106

Question 107

Question 108

Question 109

Question 110

Download PDF File