Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1131:

  A large insurance company is about to replace a major financial application. Which of the following is the IS auditor's PRIMARY focus when conducting the pre-implementation review?

  A. Procedure updates
  B. Migration of data
  C. System manuals
  D. Unit testing
  D. Unit testing

  ---

  Explanation

• Question 1132:

  Which of the following is the BEST indication to an IS auditor that management's post- implementation review was effective?

  A. Lessons learned were documented and applied.
  B. Business and IT stakeholders participated in the post-implementation review.
  C. Post-implementation review is a formal phase in the system development life cycle (SDLC).
  D. Internal audit follow-up was completed without any findings.
  A. Lessons learned were documented and applied.

  ---

  Explanation

  The best indication to an IS auditor that management's post-implementation review was effective is that lessons learned were documented and applied, as this shows that the management has identified and addressed the issues and gaps that arose during the implementation, and has improved the processes and practices for future projects. Business and IT stakeholders participating in the post-implementation review is a good practice, but it does not guarantee that the review was effective or that the outcomes were implemented. Post-implementation review being a formal phase in the system development life cycle (SDLC) is a requirement, but it does not ensure that the review was effective or that the outcomes were implemented. Internal audit follow-up being completed without any findings is a desirable result, but it does not indicate that the management's post- implementation review was effective or that the outcomes were implemented.

  References: CISA Review Manual (Digital Version), Chapter 3: Information Systems Acquisition, Development and Implementation, Section 3.2: Project Management Practices1

• Question 1133:

  As part of an international expansion plan, an organization has acquired a company located in another jurisdiction. Which of the following would be the BEST way to maintain an effective information security program?

  A. Determine new factors that could influence the information security strategy.
  B. Implement the current information security program in the acquired company.
  C. Merge the two information security programs to establish continuity.
  D. Ensure information security is included in any change control efforts.
  A. Determine new factors that could influence the information security strategy.

  ---

  Explanation

• Question 1134:

  Cross-site scripting (XSS) attacks are BEST prevented through:

  A. application firewall policy settings.
  B. a three-tier web architecture.
  C. secure coding practices.
  D. use of common industry frameworks.
  C. secure coding practices.

  ---

  Explanation

  Secure coding practices are the best way to prevent cross-site scripting (XSS) attacks, because they can ensure that the web application validates and sanitizes user input and output data to prevent malicious scripts from being executed on the web browser. XSS attacks are a type of web application vulnerability that exploit the lack of input validation or output encoding in web pages that accept user input or display dynamic content. Application firewall policy settings, a three-tier web architecture, and use of common industry frameworks are not effective controls to prevent XSS attacks, because they do not address the root cause of the vulnerability in the web application code.

  References: CISA Review Manual (Digital Version), Chapter 5, Section 5.4.2

• Question 1135:

  The PRIMARY role of an IS auditor in the remediation of problems found during an audit engagement is to:

  A. help auditee management by providing the solution.
  B. explain the findings and provide general advice.
  C. present updated policies to management for approval.
  D. take ownership of the problems and oversee remediation efforts.
  B. explain the findings and provide general advice.

  ---

  Explanation

• Question 1136:

  Which of the following should an IS auditor expect to see in a network vulnerability assessment?

  A. Misconfiguration and missing updates
  B. Malicious software and spyware
  C. Zero-day vulnerabilities
  D. Security design flaws
  A. Misconfiguration and missing updates

  ---

  Explanation

  A network vulnerability assessment is a process of identifying and evaluating the weaknesses and exposures in a network that could be exploited by attackers to compromise the confidentiality, integrity, or availability of the network or its resources. A network vulnerability assessment typically involves scanning the network devices, such as routers, switches, firewalls, servers, and workstations, using automated tools that compare the device configurations, software versions, and patch levels against a database of known vulnerabilities. A network vulnerability assessment can also include manual testing and verification of the network architecture, design, policies, and procedures. One of the main objectives of a network vulnerability assessment is to detect and report any misconfiguration and missing updates in the network devices that could pose a security risk1. Misconfiguration refers to any deviation from the recommended or best practice settings for the network devices, such as weak passwords, open ports, unnecessary services, default accounts, or incorrect permissions. Missing updates refer to any outdated or unsupported software or firmware that has not been patched with the latest security fixes or enhancements from the vendors2. Misconfiguration and missing updates are common sources of network vulnerabilities that can be exploited by attackers to gain unauthorized access, execute malicious code, cause denial of service, or escalate privileges on the network devices3. Therefore, an IS auditor should expect to see misconfiguration and missing updates in a network vulnerability assessment. The other options are less relevant or incorrect because:

  B. Malicious software and spyware are not usually detected by a network vulnerability assessment, as they are more related to the content and behavior of the network traffic rather than the configuration and patch level of the network devices. Malicious software and spyware are programs that infect or monitor the network devices or their users for malicious purposes, such as stealing data, displaying ads, or performing remote commands. Malicious software and spyware can be detected by other security tools, such as antivirus software, firewalls, or intrusion detection systems4.

  C. Zero-day vulnerabilities are not usually detected by a network vulnerability assessment, as they are unknown or undisclosed vulnerabilities that have not been reported or patched by the vendors or the security community. Zero-day vulnerabilities are rare and difficult to discover, as they require advanced techniques and skills to exploit them. Zero-day vulnerabilities can be detected by other security tools, such as intrusion prevention systems, anomaly detection systems, or artificial intelligence systems5.

  D. Security design flaws are not usually detected by a network vulnerability assessment, as they are more related to the logic and functionality of the network rather than the configuration and patch level of the network devices. Security design flaws are errors or weaknesses in the network architecture, design, policies, or procedures that could compromise the security objectives of the network. Security design flaws can be detected by other security methods, such as security reviews, audits, or assessments6.

  References: Network Vulnerability Assessment - ISACA, Network Vulnerability Scanning - NIST, Network Vulnerabilities - SANS, Malware - ISACA, Zero-Day Attacks - ISACA, Security Design Principles NIST

• Question 1137:

  What is the BEST justification for allocating more funds to implement a control for an IT asset than the actual cost of the IT asset?

  A. To protect the associated intangible business value
  B. To comply with information security best practices
  C. To avoid future audit findings
  D. To maintain the residual value of the asset
  A. To protect the associated intangible business value

  ---

  Explanation

• Question 1138:

  During a review of system access, an IS auditor notes that an employee who has recently changed roles within the organization still has previous access rights. The auditor's NEXT step should be to:

  A. recommend a control to automatically update access rights.
  B. determine the reason why access rights have not been revoked.
  C. direct management to revoke current access rights.
  D. determine if access rights are in violation of software licenses.
  B. determine the reason why access rights have not been revoked.

  ---

  Explanation

  The NEXT step for the IS auditor after noting that an employee who has recently changed roles within the organization still has previous access rights should be to

  B. determine the reason why access rights have not been revoked. Identifying the cause of this situation is crucial for understanding whether it's due to oversight, process gaps, or other factors. Once the reason is determined, appropriate corrective actions can be recommended to ensure that access rights are aligned with the employee's current role and responsibilities

• Question 1139:

  Following an IS audit, which of the following types of risk would be MOST critical to communicate to key stakeholders?

  A. Control
  B. Residual
  C. Audit
  D. Inherent
  C. Audit

  ---

  Explanation

• Question 1140:

  A banking organization has outsourced its customer data processing facilities to an external service provider. Which of the following roles is accountable for ensuring the security of customer data?

  A. The service provider's data privacy officer
  B. The bank's vendor risk manager
  C. The service provider's data processor
  D. The bank's senior management
  D. The bank's senior management

  ---

  Explanation