Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1121:

  Which of the following is a concern associated with virtualization?

  A. The physical footprint of servers could decrease within the data center.
  B. Performance issues with the host could impact the guest operating systems.
  C. Processing capacity may be shared across multiple operating systems.
  D. One host may have multiple versions of the same operating system.
  B. Performance issues with the host could impact the guest operating systems.

  ---

  Explanation

  A concern associated with virtualization is that performance issues with the host could impact the guest operating systems, which are the operating systems that run on virtual machines within the host. For example, if the host has insufficient memory, CPU, disk space, or network bandwidth, it could affect the performance and availability of the guest operating systems and the applications running on them. The physical footprint of servers could decrease within the data center, processing capacity may be shared across multiple operating systems, and one host may have multiple versions of the same operating system are not concerns associated with virtualization, but rather benefits or features of virtualization that can help reduce costs, improve efficiency, and enhance flexibility.

  References: CISA Review Manual (Digital Version), Chapter 4: Information Systems Operations and Business Resilience, Section 4.2: IT Service Delivery and Support

• Question 1122:

  At what point in software development should the user acceptance test plan be prepared?

  A. Implementation planning
  B. Requirements definition
  C. Transfer into production
  D. Feasibility study
  A. Implementation planning

  ---

  Explanation

• Question 1123:

  Which of the following should be the FIRST step when drafting an incident response plan for a new cyber-attack scenario?

  A. Schedule response testing
  B. Create a new incident response team
  C. Create a reporting template
  D. Identify relevant stakeholders
  D. Identify relevant stakeholders

  ---

  Explanation

• Question 1124:

  Which of the following is the BEST way to enforce the principle of least privilege on a server containing data with different security classifications?

  A. Limiting access to the data files based on frequency of use
  B. Obtaining formal agreement by users to comply with the data classification policy
  C. Applying access controls determined by the data owner
  D. Using scripted access control lists to prevent unauthorized access to the server
  C. Applying access controls determined by the data owner

  ---

  Explanation

  The best way to enforce the principle of least privilege on a server containing data with different security classifications is to apply access controls determined by the data owner. The principle of least privilege states that users should only have the minimum level of access required to perform their tasks. The data owner is the person who has the authority and responsibility to classify, label, and protect the data according to its sensitivity and value. The data owner can define the access rights and permissions for each user or role based on the data classification policy and the business needs. This will ensure that only authorized and appropriate users can access the data and prevent unauthorized or excessive access that could compromise the confidentiality, integrity, or availability of the data.

  References: CISA Review Manual (Digital Version) CISA Questions, Answers and Explanations Database

• Question 1125:

  Which of the following is the BEST way to ensure that an application is performing according to its specifications?

  A. Unit testing
  B. Pilot testing
  C. System testing
  D. Integration testing
  D. Integration testing

  ---

  Explanation

  Integration testing is the best way to ensure that an application is performing according to its specifications, because it tests the interaction and compatibility of different modules or components of the application. Unit testing, pilot testing and system testing are also important, but they do not cover the whole functionality and integration of the application as well as integration testing does.

  References: CISA Review Manual (Digital Version)1, Chapter 4, Section 4.2.3

• Question 1126:

  An IS auditor reviewing the system development life cycle (SDLC) finds there is no requirement for business cases. Which of the following should be offGREATEST concern to the organization?

  A. Vendor selection criteria are not sufficiently evaluated.
  B. Business resources have not been optimally assigned.
  C. Business impacts of projects are not adequately analyzed.
  D. Project costs exceed established budgets.
  B. Business resources have not been optimally assigned.

  ---

  Explanation

• Question 1127:

  Secure code reviews as part of a continuous deployment program are which type of control?

  A. Detective
  B. Logical
  C. Preventive
  D. Corrective
  C. Preventive

  ---

  Explanation

  Secure code reviews as part of a continuous deployment program are preventive controls. Preventive controls are controls that aim to prevent or avoid undesirable events or outcomes from occurring, such as errors, defects, or incidents. Secure code reviews are activities that examine and evaluate the source code of a software or application to identify and eliminate any vulnerabilities, flaws, or weaknesses that may compromise its security, functionality, or performance. Secure code reviews as part of a continuous deployment program can help prevent or avoid security issues or incidents from occurring by ensuring that the code is secure and compliant before it is deployed to production. The other options are not correct types of controls for secure code reviews as part of a continuous deployment program, as they have different meanings and functions. Detective controls are controls that aim to detect or discover undesirable events or outcomes that have occurred, such as errors, defects, or incidents. Logical controls are controls that use software or hardware mechanisms to regulate or restrict access to IT resources, such as data, systems, or networks. Corrective controls are controls that aim to correct or rectify undesirable events or outcomes that have occurred, such as errors, defects, or incidents.

  References: CISA Review Manual (Digital Version), Chapter 3, Section 3.2

• Question 1128:

  Which of the following is the GREATEST risk resulting from conducting periodic reviews of IT over several years based on the same audit program?

  A. The amount of errors will increase because the routine work promotes inattentiveness.
  B. Detection risk is increased because auditees already know the audit program.
  C. Audit risk is increased because the programs might not be adapted to the organization's current situation.
  D. Staff turnover in the audit department will increase because fieldwork becomes less interesting.
  C. Audit risk is increased because the programs might not be adapted to the organization's current situation.

  ---

  Explanation

• Question 1129:

  An IS auditor reviewing an information processing environment decides to conduct external penetration testing. Which of the following is MOST appropriate to include in the audit scope for the organization to distinguish between the auditor's penetration attacks and actual attacks?

  A. Restricted host IP addresses of simulated attacks
  B. Testing techniques of simulated attacks
  C. Source IP addresses of simulated attacks
  D. Timing of simulated attacks
  C. Source IP addresses of simulated attacks

  ---

  Explanation

• Question 1130:

  Which of the following is the PRIMARY benefit of using an integrated audit approach?

  A. Higher acceptance of the findings from the audited business areas
  B. The avoidance of duplicated work and redundant recommendations
  C. Enhanced allocation of resources and reduced audit costs
  D. A holistic perspective of overall risk and a better understanding of controls
  D. A holistic perspective of overall risk and a better understanding of controls

  ---

  Explanation