Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1021:

  A business application's database is copied to a replication server within minutes. Which of the following processes taking place during business hours will MOST benefit from this architecture?

  A. Rolling forward of transactions when a production server fails
  B. Ad hoc batch reporting jobs from the replication server
  C. Analysis of application performance degradation
  D. Hardware replacement work involving databases
  B. Ad hoc batch reporting jobs from the replication server

  ---

  Explanation

• Question 1022:

  An IS auditor is reviewing a contract for the outsourcing of IT facilities. If missing, which of the following should present the GREATEST concern to the auditor?

  A. Hardware configurations
  B. Access control requirements
  C. Help desk availability
  D. Perimeter network security diagram
  B. Access control requirements

  ---

  Explanation

  The missing access control requirements should present the greatest concern to the IS auditor when reviewing a contract for the outsourcing of IT facilities. Access control requirements are essential for ensuring the confidentiality, integrity, and availability of the outsourced IT resources and data. They specify the roles, responsibilities, and permissions of the outsourcing vendor and its staff, as well as the client and its users, in accessing and managing the IT facilities. They also define the security policies, standards, and procedures that the outsourcing vendor must follow to protect the IT facilities from unauthorized or malicious access, use, modification, or disclosure. Without clear and comprehensive access control requirements, the outsourcing contract may expose the client to significant risks of data breaches, compliance violations, service disruptions, or reputational damage. Hardware configurations, help desk availability, and perimeter network security diagram are important aspects of an outsourcing contract, but they are not as critical as access control requirements. Hardware configurations describe the technical specifications and performance of the IT equipment that the outsourcing vendor will provide and maintain. Help desk availability defines the service levels and support channels that the outsourcing vendor will offer to the client and its users. Perimeter network security diagram illustrates the network architecture and security measures that the outsourcing vendor will implement to protect the IT facilities from external threats. These aspects can be verified or modified during the implementation or operation phases of the outsourcing contract, but access control requirements need to be established and agreed upon before signing the contract.

  References: ISACA, CISA Review Manual, 27th Edition, Chapter 5: Protection of Information Assets, Section 5.3: Logical Access CIO.com, 7 tips for managing an IT outsourcing contract2 Brainhub.eu, 8 Tips for Managing an IT Outsourcing Contract

• Question 1023:

  Which of the following is MOST helpful for an IS auditor to review when evaluating an organizations business process that are supported by applications and IT systems?

  A. Configuration management database (CMDB)
  B. Enterprise architecture (EA)
  C. IT portfolio management
  D. IT service management
  B. Enterprise architecture (EA)

  ---

  Explanation

  The most helpful thing for an IS auditor to review when evaluating an organization's business processes that are supported by applications and IT systems is the enterprise architecture (EA). EA is the practice of designing a business with a holistic view, considering all of its parts and how they interact. EA defines the overall goals, the strategies that support those goals, and the tactics that are needed to execute those strategies. EA also outlines the ways various components of IT projects interact with one another and with the business processes. By reviewing the EA, an IS auditor can gain a comprehensive understanding of how the organization aligns its IT efforts with its overall mission, business strategy, and priorities. An IS auditor can also assess the effectiveness, efficiency, agility, and continuity of complex business operations. The other options are not as helpful as option

  B. A configuration management database (CMDB) is a database that stores and manages information about the components that make up an IT system. A CMDB tracks individual configuration items (CIs), such as hardware, software, or data assets, and their attributes, dependencies, and changes over time. A CMDB can help an IS auditor to monitor the performance, availability, and configuration of IT assets, but it does not provide a holistic view of how they support the business processes. IT portfolio management is the practice of managing IT investments, projects, and activities as a portfolio. IT portfolio management aims to optimize the value, risk, and cost of IT initiatives and align them with the business objectives. IT portfolio management can help an IS auditor to evaluate the return on IT investments and the alignment of IT projects with the business strategy, but it does not provide a detailed view of how they support the business processes. IT service management (ITSM) is the practice of planning, implementing, managing, and optimizing IT services to meet the needs of end users and customers. ITSM focuses on delivering IT as a service using standardized processes and best practices. ITSM can help an IS auditor to review the quality, efficiency, and effectiveness of IT service delivery and support, but it does not provide a comprehensive view of how they support the business processes.

• Question 1024:

  An IS auditor is reviewing a decision to consolidate processing for multiple applications onto a single large server. Which of the following is the MOST significant impact from this decision?

  A. Higher operating system license fees
  B. More applications affected by a server outage
  C. Simplified asset management
  D. Fewer application servers requiring vulnerability scans
  B. More applications affected by a server outage

  ---

  Explanation

  Comprehensive and Detailed Step-by-Step

  Consolidating multiple applications on asingle serverincreases the risk that aserver outagewillimpact multiple applicationssimultaneously. More Applications Affected by Outage (Correct Answer ?B) Higher OS License Fees (Incorrect ?A)

  Simplified Asset Management (Incorrect ?C)

  Fewer Vulnerability Scans (Incorrect ?D)

  References:

  ISACA CISA Review Manual

  NIST 800-160 (System Security Engineering)

• Question 1025:

  Which of the following is the BEST way to determine the adequacy of controls for detecting inappropriate network activity in an organization?

  A. Reviewing SIEM reports of suspicious events in a timely manner
  B. Reviewing business application logs on a regular basis
  C. Troubleshooting connectivity issues routinely
  D. Installing a packet filtering firewall to block malicious traffic
  A. Reviewing SIEM reports of suspicious events in a timely manner

  ---

  Explanation

  Explanation

• Question 1026:

  An accounting department uses a spreadsheet to calculate sensitive financial transactions. Which of the following is the MOST important control for maintaining the security of data in the spreadsheet?

  A. There Is a reconciliation process between the spreadsheet and the finance system
  B. A separate copy of the spreadsheet is routinely backed up
  C. The spreadsheet is locked down to avoid inadvertent changes
  D. Access to the spreadsheet is given only to those who require access
  D. Access to the spreadsheet is given only to those who require access

  ---

  Explanation

  Access to the spreadsheet is given only to those who require access is the most important control for maintaining the security of data in the spreadsheet. An IS auditor should ensure that the principle of least privilege is applied to limit the access to sensitive financial data and prevent unauthorized disclosure, modification, or deletion. The other options are less important controls that may enhance the accuracy, availability, or integrity of data in the spreadsheet, but not its security.

  References: CISA Review Manual (Digital Version), Chapter 6, Section 6.31 CISA Review Questions, Answers and Explanations Database

• Question 1027:

  Which of the following is the GREATEST concern associated with IS risk-based auditing when audit resources are limited?

  A. The audit schedule may become too predictable.
  B. Some business processes may not be audited.
  C. There may be significant delays in responding to management audit requests.
  D. Conducting risk assessments may reduce the time available for auditing.
  B. Some business processes may not be audited.

  ---

  Explanation

  Explanation

• Question 1028:

  An organization is choosing key performance indicators (KPIs) for its information security management. Which of the following KPIs would provide stakeholders with the MOST useful information about whether information security risk is being managed?

  A. Time from initial reporting of an incident to appropriate escalation
  B. Time from identifying a security threat to implementing a solution
  C. The number of security controls implemented
  D. The number of security incidents during the past quarter
  B. Time from identifying a security threat to implementing a solution

  ---

  Explanation

• Question 1029:

  A development team has designed a new application and incorporated best practices for secure coding. Prior to launch, which of the following is the IS auditor's BEST recommendation to mitigate the associated security risk?

  A. User acceptance testing
  B. Unit testing
  C. Integration testing
  D. Penetration testing
  A. User acceptance testing

  ---

  Explanation

• Question 1030:

  An IS auditor is reviewing an organization's cloud access security broker (CASB) solution. Which ofthe following is MOST important for the auditor to verify?

  A. Cloud services are classified.
  B. Users are centrally managed.
  C. Cloud processes are resilient.
  D. Users are periodically recertified.
  D. Users are periodically recertified.

  ---

  Explanation

  Periodic recertification of users ensures that only authorized individuals retain access to cloud services and helps identify and revoke access for users who no longer require it. This is a critical control for maintaining security and compliance in

  a cloud environment. Classifying Cloud Services (Option A):This is foundational but does not verify ongoing user access.

  Centrally Managing Users (Option B):While useful for consistency, it does not assess whether access rights are still valid.

  Ensuring Cloud Process Resilience (Option C):This focuses on operational continuity rather than access control.

  Periodic recertification aligns with governance practices to ensure access rights remain appropriate over time.

  ISACA CISA Review Manual, Job Practice Area 4: Protection of Information Assets.