Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1141:

  Which of the following is the BEST control lo mitigate attacks that redirect Internet traffic to an unauthorized website?

  A. Utilize a network-based firewall.
  B. Conduct regular user security awareness training.
  C. Perform domain name system (DNS) server security hardening.
  D. Enforce a strong password policy meeting complexity requirement.
  C. Perform domain name system (DNS) server security hardening.

  ---

  Explanation

  The best control to mitigate attacks that redirect Internet traffic to an unauthorized website is to perform domain name system (DNS) server security hardening. DNS servers are responsible for resolving domain names into IP addresses, and they are often targeted by attackers who want to manipulate or spoof DNS records to redirect users to malicious websites4. By applying security best practices to DNS servers, such as encrypting DNS traffic, implementing DNSSEC, restricting access and updating patches, the organization can reduce the risk of DNS hijacking attacks. A network-based firewall, user security awareness training and a strong password policy are also important controls, but they are not as effective as DNS server security hardening in preventing this specific type of attack.

  References: CISA Review Manual, 27th Edition, page 4021 CISA Review Questions, Answers and Explanations Database - 12 Month Subscription

• Question 1142:

  Which of the following is MOST important for an IS auditor to look for in a project feasibility study?

  A. An assessment of whether requirements will be fully met
  B. An assessment indicating security controls will operate effectively
  C. An assessment of whether the expected benefits can be achieved
  D. An assessment indicating the benefits will exceed the implement
  C. An assessment of whether the expected benefits can be achieved

  ---

  Explanation

  The most important thing for an IS auditor to look for in a project feasibility study is an assessment of whether the expected benefits can be achieved. A project feasibility study is a preliminary analysis that evaluates the viability and suitability of a proposed project based on various criteria, such as technical, economic, legal, operational, and social factors. The expected benefits are the positive outcomes and value that the project aims to deliver to the organization and its stakeholders. The IS auditor should verify whether the project feasibility study has clearly defined and quantified the expected benefits, and whether it has assessed the likelihood and feasibility of achieving them within the project scope, budget, schedule, and quality parameters. The other options are also important for an IS auditor to look for in a project feasibility study, but not as important as an assessment of whether the expected benefits can be achieved, because they either focus on specific aspects of the project rather than the overall value proposition, or they assume that the project will be implemented rather than evaluating its viability.

  References: CISA Review Manual (Digital Version)1, Chapter 4, Section 4.2.1

• Question 1143:

  An IS auditor is reviewing the key payroll interface that collects wage rates from various business applications to process payroll. Which of the following is MOST likely to cause errors in payroll processing?

  A. User acceptance testing (UAT) has not been properly documented for all changes.
  B. Data conversion procedures did not include all business applications and interfaces.
  C. The payroll processing application does not follow a regularly scheduled patching cycle.
  D. Changes to the interface configuration settings were not adequately tested and approved.
  D. Changes to the interface configuration settings were not adequately tested and approved.

  ---

  Explanation

• Question 1144:

  During a database management evaluation an IS auditor discovers that some accounts with database administrator (DBA) privileges have been assigned a default password with an unlimited number of failed login attempts Which of the following is the auditor's BEST course of action?

  A. Identify accounts that have had excessive failed login attempts and request they be disabled
  B. Request the IT manager to change administrator security parameters and update the finding
  C. Document the finding and explain the risk of having administrator accounts with inappropriate security settings
  C. Document the finding and explain the risk of having administrator accounts with inappropriate security settings

  ---

  Explanation

  The auditor's best course of action is to document the finding and explain the risk of having administrator accounts with inappropriate security settings. This is because the auditor's role is to identify and report the issues, not to fix them or request others to fix them. The auditor should also communicate the impact of the finding, such as the possibility of unauthorized access, data tampering, or denial of service attacks. The auditor should not assume the responsibility of the IT manager or the DBA, who are in charge of changing the security parameters or disabling the accounts.

  References: CISA Review Manual (Digital Version), Chapter 4, Section 4.2.21 CISA Online Review Course, Domain 1, Module 3, Lesson 32

• Question 1145:

  Which of the following level in CMMI model focuses on process definition and process deployment?

  A. Level 4
  B. Level 5
  C. Level 3
  D. Level 2
  C. Level 3

  ---

  Explanation

  Level 3 is the defined step and focus on process definition and process deployment.

  For CISA Exam you should know below information about Capability Maturity Model Integration (CMMI) mode:

  Maturity model

  A maturity model can be viewed as a set of structured levels that describe how well the behaviors, practices and processes of an organization can reliably and sustainable produce required outcomes.

  CMMI Levels

  

  A maturity model can be used as a benchmark for comparison and as an aid to understanding - for example, for comparative assessment of different organizations where there is something in common that can be used as a basis for

  comparison. In the case of the CMM, for example, the basis for comparison would be the organizations' software development processes.

  Structure

  The model involves five aspects:

  Maturity Levels: a 5-level process maturity continuum - where the uppermost (5th) level is a notional ideal state where processes would be systematically managed by a combination of process optimization and continuous process

  improvement.

  Key Process Areas: a Key Process Area identifies a cluster of related activities that, when performed together, achieve a set of goals considered important. Goals: the goals of a key process area summarize the states that must exist for that

  key process area to have been implemented in an effective and lasting way. The extent to which the goals have been accomplished is an indicator of how much capability the organization has established at that maturity level. The goals

  signify the scope, boundaries, and intent of each key process area. Common Features: common features include practices that implement and institutionalize a key process area. There are five types of common features: commitment to

  perform, ability to perform, activities performed, measurement and analysis, and verifying implementation.

  Key Practices: The key practices describe the elements of infrastructure and practice that contribute most effectively to the implementation and institutionalization of the area.

  Levels

  There are five levels defined along the continuum of the model and, according to the SEI: "Predictability, effectiveness, and control of an organization's software processes are believed to improve as the organization moves up these five

  levels. While not rigorous, the empirical evidence to date supports this belief".[citation needed]

  Initial (chaotic, ad hoc, individual heroics) - the starting point for use of a new or undocumented repeat process.

  Repeatable - the process is at least documented sufficiently such that repeating the same steps may be attempted.

  Defined - the process is defined/confirmed as a standard business process, and decomposed to levels 0, 1 and 2 (the last being Work Instructions).

  Managed - the process is quantitatively managed in accordance with agreed-upon metrics.

  Optimizing - process management includes deliberate process optimization/improvement.

  Within each of these maturity levels are Key Process Areas which characteristic that level, and for each such area there are five factors: goals, commitment, ability, measurement, and verification. These are not necessarily unique to CMM,

  representing -- as they do -- the stages that organizations must go through on the way to becoming mature.

  The model provides a theoretical continuum along which process maturity can be developed incrementally from one level to the next. Skipping levels is not allowed/feasible.

  Level 1 - Initial (Chaotic)

  It is characteristic of processes at this level that they are (typically) undocumented and in a state of dynamic change, tending to be driven in an ad hoc, uncontrolled and reactive manner by users or events. This provides a chaotic or unstable

  environment for the processes.

  Level 2 - Repeatable

  It is characteristic of processes at this level that some processes are repeatable, possibly with consistent results. Process discipline is unlikely to be rigorous, but where it exists it may help to ensure that existing processes are maintained

  during times of stress.

  Level 3 - Defined

  It is characteristic of processes at this level that there are sets of defined and documented standard processes established and subject to some degree of improvement over time. These standard processes are in place (i.e., they are the AS-IS

  processes) and used to establish consistency of process performance across the organization.

  Level 4 - Managed

  It is characteristic of processes at this level that, using process metrics, management can effectively control the AS-IS process (e.g., for software development ). In particular, management can identify ways to adjust and adapt the process to

  particular projects without measurable losses of quality or deviations from specifications. Process Capability is established from this level.

  Level 5 - Optimizing

  It is a characteristic of processes at this level that the focus is on continually improving process performance through both incremental and innovative technological changes/improvements.

  At maturity level 5, processes are concerned with addressing statistical common causes of process variation and changing the process (for example, to shift the mean of the process performance) to improve process performance. This would

  be done at the same time as maintaining the likelihood of achieving the established quantitative process-improvement objectives.

  The following were incorrect answers:

  Level 4 ?Focus on process management and process control

  Level 5 ?Process innovation and continuous optimization.

  Level 2 ?Performance management and work product management.

  CISA review manual 2014 Page number 188

• Question 1146:

  While planning a security audit, an IS auditor is made aware of a security review carried out by external consultants. It is MOST important for the auditor to:

  A. re-perform the security review.
  B. accept the findings and conclusions of the consultants.
  C. review similar reports issued by the consultants.
  D. assess the objectivity and competence of the consultants.
  D. assess the objectivity and competence of the consultants.

  ---

  Explanation

• Question 1147:

  An IS auditor observes that a business-critical application does not currently have any level of fault tolerance. Which of the following is the GREATEST concern with this situation?

  A. Degradation of services
  B. Limited tolerance for damage
  C. Decreased mean time between failures (MTBF)
  D. Single point of failure
  D. Single point of failure

  ---

  Explanation

  The greatest concern with this situation is that a business-critical application does not currently have any level of fault tolerance and thus has a single point of failure. A single point of failure is a component or element of a system that, if it fails,

  will cause the entire system to stop functioning. Fault tolerance is the ability of a system to continue operating without interruption or degradation in the event of a failure of one or more of its components or elements. Fault tolerance can be

  achieved by using techniques such as redundancy, replication, backup, or failover. A business-critical application should have a high level of fault tolerance to ensure its availability, reliability, and continuity.

  References:

  CISA Review Manual (Digital Version), Chapter 5, Section 5.51 CISA Online Review Course, Domain 3, Module 3, Lesson 22

• Question 1148:

  A start-up organization wants to develop a data loss prevention program (DLP). The FIRST step should be to implement:

  A. data encryption.
  B. access controls.
  C. data classification.
  D. security awareness training.
  C. data classification.

  ---

  Explanation

• Question 1149:

  Which type of control has been established when an organization implements a security information and event management (SIEM) system?

  A. Preventive
  B. Detective
  C. Directive
  D. Corrective
  C. Directive

  ---

  Explanation

• Question 1150:

  An IS auditor is a member of an application development team that is selecting software. Which of the following would impair the auditor's independence?

  A. Verifying the weighting of each selection criteria
  B. Approving the vendor selection methodology
  C. Reviewing the request for proposal (RFP)
  D. Witnessing the vendor selection process
  B. Approving the vendor selection methodology

  ---

  Explanation