CISA Domain 2: Governance and Management of IT
25 Questions

1. A member of the board of directors has asked Ravila, a CIRO, to produce a metric showing the reduction of risk as a result of the organization making key improvements to its security information and event management system. Which type of metric is most suitable for this purpose?
2. What is the best approach to developing security controls in a new organization?
3. Ernie, a CIO who manages a large IT team, wants to create a mission statement for the team. What is the best approach for creating this mission statement?
4. The U.S. law that regulates the protection of data related to medical care is:
5. Which security metric is best considered a leading indicator of an attack?
6. Which of the following is the best description of the Business Model for Information Security (BMIS)?
7. What is the primary distinction between a network engineer and a telecom engineer?
8. What is the correct name for the model shown here?
9. Which of the following is the best description of the COBIT framework?
10. One distinct disadvantage of the ISO 27001 standard is:
11. Which of the following is the best definition of custodial responsibility?
12. Jacqueline, an experienced CISO, is reading the findings in a recent risk assessment that describes deficiencies in the organization’s vulnerability management process. How would Jacqueline use the Business Model for Information Security (BMIS) to analyze the deficiency?
13. Roberta has located her organization’s mission statement and a list of strategic objectives. What steps should Roberta take to ensure that the IT department aligns with the business?
14. What are three factors that a risk manager might consider when developing an information security strategy?
15. Joseph, a CIO, is collecting statistics on several operational areas and needs to find a standard way of measuring and publishing information about the effectiveness of his program. Which of the following is the best approach to follow?
16. Steve, a CISO, has vulnerability management metrics and needs to build business-level metrics. Which of the following is the best business-level, leading indicator metric suitable for his organization’s board of directors?
17. Which of the following statements is the best description for the purpose of performing risk management?
18. Examples of security program performance metrics include all of the following except:
19. In a U.S. public company, a CIO will generally report the state of the organization’s IT function to:
20. An IT architect needs to document the flow of data from one system to another, including external systems operated by third-party service providers. What kind of documentation does the IT architect need to develop?
21. The purpose of metrics in an IT department is to:
22. A security operations manager is proposing that engineers who design and manage information systems play a role in the monitoring of those systems. Are design and management compatible with monitoring? Why or why not?
23. Which of the following statements is true about controls in the Payment Card Industry Data Security Standard?
24. The PCI-DSS is an example of:
25. Which of the following would constitute an appropriate use of the Zachman enterprise framework?