Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1151:

  What should be an IS auditor's PRIMARY focus when reviewing a patch management procedure in an environment where availability is a top priority?

  A. Deployment automation to all servers
  B. Technical skills of the deployment team
  C. Comprehensive testing prior to deployment
  D. Validity certification prior to deployment
  C. Comprehensive testing prior to deployment

  ---

  Explanation

• Question 1152:

  The MAIN benefit of using an integrated test facility (ITF) as an online auditing technique is that it enables:

  A. a cost-effective approach to application controls audit
  B. auditors to investigate fraudulent transactions
  C. auditors to test without impacting production data
  D. the integration of financial and audit tests
  C. auditors to test without impacting production data

  ---

  Explanation

• Question 1153:

  Which of the following would an IS auditor recommend as the MOST effective preventive control to reduce the risk of data leakage?

  A. Ensure that paper documents arc disposed security.
  B. Implement an intrusion detection system (IDS).
  C. Verify that application logs capture any changes made.
  D. Validate that all data files contain digital watermarks
  D. Validate that all data files contain digital watermarks

  ---

  Explanation

  Digital watermarks are hidden marks or codes that can be embedded into digital files, such as images, videos, audio, or documents. They can be used to identify the source, owner, or authorized user of the data, as well as to track any

  unauthorized copying or distribution of the data. Digital watermarks can help prevent data leakage by deterring potential leakers from sharing sensitive data or by providing evidence of data leakage if it occurs. The other options are not as

  effective as digital watermarks in preventing data leakage. Ensuring that paper documents are disposed securely can reduce the risk of physical data leakage, but it does not address the digital data leakage that is more prevalent in today's

  environment. Implementing an intrusion detection system (IDS) can help detect and respond to cyberattacks that may cause data leakage, but it does not prevent data leakage from insiders or authorized users who have legitimate access to

  the data. Verifying that application logs capture any changes made can help audit and investigate data leakage incidents, but it does not prevent them from happening in the first place.

  References:

  What is Data Leakage?

  What is Digital Watermarking?

• Question 1154:

  When planning an internal penetration test, which of the following is the MOST important step prior to finalizing the scope of testing?

  A. Ensuring the scope of penetration testing is restricted to the test environment
  B. Obtaining management's consent to the testing scope in writing
  C. Notifying the IT security department regarding the testing scope
  D. Agreeing on systems to be excluded from the testing scope with the IT department
  B. Obtaining management's consent to the testing scope in writing

  ---

  Explanation

  Obtaining management's consent to the testing scope in writing is the most important step prior to finalizing the scope of testing, as it ensures that the penetration testers have the authorization and approval to perform the testing activities. It also protects them from any legal liabilities or accusations of unauthorized access or damage. The other options are not as important as obtaining management's consent, and they may vary depending on the specific situation and agreement. For example, some systems may not be excluded from the testing scope, and some tests may not be restricted to the test environment.

  References: CISA Review Manual (Digital Version) 1, page 381-382.

• Question 1155:

  Which of the following controls is the BEST recommendation to prevent the skimming of debit or credit card data in point of sale (POS) systems?

  A. Encryption
  B. Chip and PIN
  C. Hashing
  D. Biometric authentication
  B. Chip and PIN

  ---

  Explanation

• Question 1156:

  Which of the following function in traditional EDI process manipulates and routes data between the application system and the communication handler?

  A. Communication handler
  B. EDI Interface
  C. Application System
  D. EDI Translator
  B. EDI Interface

  ---

  Explanation

  EDI Interface manipulates and routes data between the application system and the communication handler.

  For your exam you should know below information about Traditional EDI functions.

  Moving data in a batch transmission process through the traditional EDI process generally involves three functions within each trading partner's computer system

  Communication handler ?Process for transmitting and receiving electronic documents between trading partners via dial-up lines, public switched networks, multiple dedicated lines or a value added network (VAN). VAN use computerized

  message switching and storage capabilities to provide electronic mailbox services similar to post offices. The VAN receives all the outbound transactions from an organization, sort them by destination and passes them to precipitants when

  they log on to check their mailbox and receive transmission.

  EDI Interface ?Interface function that manipulates and routes data between the application system and the communication handler. The interface consists of two components

  EDI Translator ?The device translates data between standard format (ANSI X12) and trading partner's propriety information.

  Application Interface ?This interface moves electronic transactions to or from the application systems and perform data mapping. Data mapping is the process by which data are extracted from EDI translation process and integrated with the

  data or process of receiving company.

  3. Application System ?The program that process the data sent to, or received from, the trading partner. Although new controls should be developed for the EDI interface, the control for existing applications, if left unchanged, are usually

  unaffected.

  The following were incorrect answers:

  Communication handler ?Process for transmitting and receiving electronic documents between trading partners via dial-up lines, public switched networks, multiple dedicated lines or a value added network (VAN).

  Application System ?The program that process the data sent to, or received from, the trading partner. Although new controls should be developed for the EDI interface, the control for existing applications, if left unchanged, are usually

  unaffected.

  EDI Translator ?The device translates data between standard format (ANSI X12) and trading partner's propriety information.

  CISA review manual 2014 Page number 178

• Question 1157:

  Which of the following should be an IS auditor's PRIMARY focus when developing a risk- based IS audit program?

  A. Portfolio management
  B. Business plans
  C. Business processes
  D. IT strategic plans
  C. Business processes

  ---

  Explanation

  Business processes should be the primary focus of an IS auditor when developing a risk-based IS audit program, because they represent the core activities and functions of the organization that support its objectives and goals. Business processes also involve the use of IT resources and systems that may pose risks to the organization's performance and compliance. A risk-based IS audit program should identify and assess the risks associated with the business processes and determine the appropriate audit scope and procedures to provide assurance on their effectiveness and efficiency. Portfolio management, business plans, and IT strategic plans are also relevant factors for developing a risk-based IS audit program, but they are not as important as business processes.

  References: CISA Review Manual (Digital Version), Chapter 2, Section 2.2.1

• Question 1158:

  Which of the following is the GREATEST benefit of an effective data classification process?

  A. Data custodians are identified.
  B. Data retention periods are well defined
  C. Data is protected according to its sensitivity
  D. Appropriate ownership over data is assigned
  C. Data is protected according to its sensitivity

  ---

  Explanation

  Explanation

• Question 1159:

  Which of the following documents would be MOST useful in detecting a weakness in segregation of duties?

  A. System flowchart
  B. Data flow diagram
  C. Process flowchart
  D. Entity-relationship diagram
  C. Process flowchart

  ---

  Explanation

  The best document for an IS auditor to use in detecting a weakness in segregation of duties is a process flowchart. A process flowchart is a diagram that illustrates the sequence of steps, activities, tasks, or decisions involved in a business process. A process flowchart can help detect a weakness in segregation of duties by showing who performs what actions or roles in a process, and whether there is any overlap or conflict of interest among them. The other options are not as useful as a process flowchart in detecting a weakness in segregation of duties, as they do not show who performs what actions or roles in a process. A system flowchart is a diagram that illustrates the components, functions, interactions, or logic of an information system. A data flow diagram is a diagram that illustrates how data flows from sources to destinations through processes, stores, or external entities. An entity-relationship diagram is a diagram that illustrates how entities (such as tables) are related to each other through attributes (such as keys) in a database.

  References: CISA Review Manual (Digital Version), Chapter 3, Section 3.2

• Question 1160:

  Which of the following is an IS auditor's BEST recommendation to mitigate the risk of eavesdropping associated with an application programming interface (API) integration implementation?

  A. Encrypt the extensible markup language (XML) file.
  B. Implement Transport Layer Security (TLS).
  C. Implement Simple Object Access Protocol (SOAP).
  D. Mask the API endpoints.
  B. Implement Transport Layer Security (TLS).

  ---

  Explanation

  The best recommendation to mitigate the risk of eavesdropping associated with an API integration implementation is to implement Transport Layer Security (TLS). TLS is a cryptographic protocol that provides secure communication over a network by encrypting the data in transit and authenticating the parties involved. TLS can prevent unauthorized parties from intercepting, modifying or tampering with the data exchanged between the API endpoints. Encrypting the XML file, implementing SOAP, and masking the API endpoints are not sufficient to mitigate the risk of eavesdropping, as they do not provide end-to-end encryption or authentication for the API communication.

  References: IS Audit and Assurance Tools and Techniques, CISA Certification | Certified Information Systems Auditor | ISACA