Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1011:

  The PRIMARY responsibility of a project steering committee is to:

  A. sign off on the final build document.
  B. ensure that each project deadline is met.
  C. ensure that developed systems meet business needs.
  D. provide regular project updates and oversight.
  D. provide regular project updates and oversight.

  ---

  Explanation

  The primary responsibility of a project steering committee is to provide regular project updates and oversight. A project steering committee is an advisory group that consists of senior stakeholders and experts who offer guidance and support to a project manager and their team. The steering committee is mainly concerned with the direction, scope, budget, timeline, and methods used to realize a given project1. One of the key roles of a steering committee is to monitor the progress and performance of the project and ensure that it aligns with the business objectives and stakeholder expectations. The steering committee also provides feedback, advice, and recommendations to the project manager and helps them resolve any issues or challenges that may arise during the project lifecycle. The steering committee communicates regularly with the project manager and other stakeholders through meetings, reports, and presentations. Therefore, providing regular project updates and oversight is the primary responsibility of a project steering committee.

  References: Steering Committee: Definition, Roles and Meeting Tips - ProjectManager Project Steering Committee: Roles, Best Practices, Challenges ?ProjectPractical Steering Committee: Complete Guide with Examples and Templates - Status.net

• Question 1012:

  Data from a system of sensors located outside of a network is received by the open ports on a server. Which of the following is the BEST way to ensure the integrity of the data being collected from the sensor system?

  A. Implement network address translation on the sensor system.
  B. Route the traffic from the sensor system through a proxy server.
  C. Hash the data that is transmitted from the sensor system.
  D. Transmit the sensor data via a virtual private network (VPN) to the server.
  D. Transmit the sensor data via a virtual private network (VPN) to the server.

  ---

  Explanation

• Question 1013:

  An organization's senior management thinks current security controls may be excessive and requests an IS auditor's advice on how to assess the adequacy of current measures. What is the auditor's BEST recommendation to management?

  A. Perform correlation analysis between incidents and investments.
  B. Downgrade security controls on low-risk systems.
  C. Introduce automated security monitoring tools.
  D. Re-evaluate the organization's risk and control framework.
  D. Re-evaluate the organization's risk and control framework.

  ---

  Explanation

  A risk and control framework is a set of principles, processes, and tools that guide an organization in identifying, assessing, managing, and monitoring the risks and controls that affect its objectives and performance. A risk and control

  framework helps an organization to align its risk appetite and tolerance with its strategy, culture, and values, and to ensure that its security controls are appropriate, effective, and efficient1. Re-evaluating the organization's risk and control

  framework is the best recommendation to management because it can help them to:

  Review the current risk environment and the sources, causes, and impacts of potential threats and vulnerabilities.

  Update the risk assessment and analysis methods and criteria, such as likelihood, impact, severity, and priority.

  Reconsider the risk response and treatment options, such as avoidance, reduction, transfer, or acceptance.

  Realign the security controls with the risk profile and the business needs and expectations. Evaluate the performance and effectiveness of the security controls using key indicators and metrics.

  Identify the gaps, weaknesses, or inefficiencies in the security controls and implement corrective or improvement actions.

  Communicate and report the risk and control status and results to relevant stakeholders. Re-evaluating the organization's risk and control framework can help management to determine whether the current security controls are excessive or

  not, and to make informed and rational decisions on how to adjust them accordingly.

• Question 1014:

  Which of the following factors constitutes a strength in regard to the use of a disaster recovery planning reciprocal agreement?

  A. Reciprocal agreements may not be formally established in a contract.
  B. The two companies might share a need for a specialized piece of equipment
  C. Changes to the hardware or software environment by one company could make the agreement ineffective or obsolete.
  D. A disaster could occur that would affect both companies.
  B. The two companies might share a need for a specialized piece of equipment

  ---

  Explanation

• Question 1015:

  Which of the following security testing techniques is MOST effective for confirming that inputs to a web application have been properly sanitized?

  A. SQL injection
  B. Fuzzing
  C. Brute force
  D. Password spraying
  B. Fuzzing

  ---

  Explanation

  Comprehensive and Detailed Step-by-Step

  To verify thatweb application inputs are sanitized,fuzzingis the best method because it testsvarious malformed inputsto detect security flaws. Option A (Incorrect):SQL injectionis a specificattack technique, not a comprehensive input validation

  test.

  Option B (Correct):Fuzzingis adynamic security testing techniquethat sendsrandom, malformed, or unexpected inputsto check if the application properly sanitizes and validates data.

  Option C (Incorrect):Brute forceattacks targetauthentication mechanisms, notinput sanitization.

  Option D (Incorrect):Password sprayingis an attack method, not a testing technique forinput validation.

  ISACA CISA Review Manual -Domain 5: Protection of Information Assets?Coverssecurity testing techniques, application security, and input validation best practices.

• Question 1016:

  After delivering an audit report, the audit manager discovers that evidence was overlooked during the audit This evidence indicates that a procedural control may have failed and could contradict a conclusion of the audit Which of the following risks is MOST affected by this oversight?

  A. Inherent
  B. Operational
  C. Audit
  D. Financial
  C. Audit

  ---

  Explanation

  The risk that is most affected by this oversight is audit risk. Audit risk is the risk that the auditor may express an inappropriate opinion or conclusion based on the audit evidence obtained. Audit risk consists of inherent risk, control risk, and detection risk. Inherent risk is the risk that material errors or frauds exist in the audited area before considering the effectiveness of internal controls. Control risk is the risk that the internal controls fail to prevent or detect material errors or frauds. Detection risk is the risk that the auditor fails to identify material errors or frauds using the audit procedures performed. In this case, the auditor has overlooked evidence that could contradict a conclusion of the audit, which increases the detection risk and consequently the audit risk.

  References: CISA Review Manual (Digital Version), Chapter 2, Section 2.31 CISA Online Review Course, Domain 1, Module 1, Lesson 32

• Question 1017:

  Which of the following should be of GREATEST concern to an IS auditor reviewing an organization's business continuity plan (BCP)?

  A. The BCP's contact information needs to be updated.
  B. The BCP is not version-controlled.
  C. The BCP has not been approved by senior management.
  D. The BCP has not been tested since it was first issued.
  D. The BCP has not been tested since it was first issued.

  ---

  Explanation

• Question 1018:

  Which of the following would be the BEST process for continuous auditing to a large financial Institution?

  A. Testing encryption standards on the disaster recovery system
  B. Validating access controls for real-time data systems
  C. Performing parallel testing between systems
  D. Validating performance of help desk metrics
  B. Validating access controls for real-time data systems

  ---

  Explanation

  The best process for continuous auditing for a large financial institution is validating access controls for real-time data systems. This is because access controls are critical for ensuring the confidentiality, integrity, and availability of the financial data that is processed and transmitted by the real-time data systems. Real-time data systems are systems that provide timely and accurate information to support decision-making and transactions in a dynamic and complex environment. Examples of real-time data systems in the financial sector include payment systems, trading platforms, risk management systems, and fraud detection systems. Continuous auditing of access controls can help detect and prevent unauthorized access, data leakage, data manipulation, or data loss that could compromise the security, reliability, or compliance of the real-time data systems. Testing encryption standards on the disaster recovery system is not the best process for continuous auditing for a large financial institution. Encryption standards are important for protecting the data stored or transmitted by the disaster recovery system, which is a system that provides backup and recovery capabilities in case of a disruption or disaster. However, testing encryption standards is not a continuous process, but rather a periodic or event-driven process that can be performed as part of the disaster recovery plan testing or validation. Performing parallel testing between systems is not the best process for continuous auditing for a large financial institution. Parallel testing is a process of comparing the results of two or more systems that perform the same function or task, such as a new system and an old system, or a primary system and a backup system. Parallel testing can help verify the accuracy, consistency, and compatibility of the systems. However, parallel testing is not a continuous process, but rather a temporary or transitional process that can be performed as part of the system implementation or migration. Validating performance of help desk metrics is not the best process for continuous auditing for a large financial institution. Help desk metrics are indicators that measure the efficiency, effectiveness, and quality of the help desk service, which is a service that provides technical support and assistance to the users of information systems and technology. Help desk metrics can include metrics such as response time, resolution time, customer satisfaction, and service level agreement (SLA) compliance. Validating performance of help desk metrics can help evaluate and improve the help desk service. However, validating performance of help desk metrics is not a continuous auditing process, but rather a continuous monitoring process that can be performed by the help desk management or quality assurance team.

  References: All eyes on: Continuous auditing - KPMG Global 1 Internal audit's role at financial institutions: PwC 2 The Fed - Supervisory Policy and Guidance Topics - Large Banking ... 3 Continuous Audit: Definition, Steps, Advantages and Disadvantages 4

• Question 1019:

  What is the FIRST step when creating a data classification program?

  A. Categorize and prioritize data.
  B. Develop data process maps.
  C. Categorize information by owner.
  D. Develop a policy.
  D. Develop a policy.

  ---

  Explanation

  The first step when creating a data classification program is to develop a policy (D). A data classification policy is a document that defines the purpose, scope, objectives, roles, responsibilities, and procedures of the data classification program. A data classification policy is essential for establishing the governance framework, standards, and guidelines for the data classification process. A data classification policy also helps to communicate the expectations and benefits of the data classification program to the stakeholders, such as data owners, users, custodians, and auditors. Categorizing and prioritizing data (A) is not the first step when creating a data classification program, but the third step. Categorizing and prioritizing data involves defining and applying the criteria and labels for classifying data based on its sensitivity, value, and risk. For example, data can be categorized into public, internal, confidential, or restricted levels. Categorizing and prioritizing data helps to identify and protect the most critical and sensitive data assets of the organization. Developing data process maps (B) is not the first step when creating a data classification program, but the fourth step. Developing data process maps involves documenting and analyzing the flow and lifecycle of data within the organization. Data process maps show how data is created, collected, stored, processed, transmitted, used, shared, archived, and disposed of. Developing data process maps helps to understand the context and dependencies of data, as well as to identify and mitigate any potential risks or issues related to data quality, security, or compliance. Categorizing information by owner ?is not the first step when creating a data classification program, but the second step. Categorizing information by owner involves assigning roles and responsibilities for each type of data based on its ownership and stewardship. Data owners are the individuals or entities that have the authority and accountability for the data. Data stewards are the individuals or entities that have the operational responsibility for managing and maintaining the data. Data custodians are the individuals or entities that have the technical responsibility for implementing and enforcing the security and access controls for the data.

• Question 1020:

  An organization is modernizing its technology policy framework to demonstrate compliance with external industry standards. Which of the following would be MOST useful to an IS auditor for validating the outcome?

  A. Benchmarking of internal standards against peer organizations
  B. Inventory of the organization's approved policy exceptions
  C. Policy recommendations from a leading external consulting agency
  D. Mapping of relevant standards against the organization's controls
  D. Mapping of relevant standards against the organization's controls

  ---

  Explanation