Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1201:

  Which of the following is a social engineering attack method?

  A. An employee is induced to reveal confidential IP addresses and passwords by answering questions over the phone.
  B. A hacker walks around an office building using scanning tools to search for a wireless network to gain access.
  C. An intruder eavesdrops and collects sensitive information flowing through the network and sells it to third parties.
  D. An unauthorized person attempts to gain access to secure premises by following an authorized person through a secure door.
  A. An employee is induced to reveal confidential IP addresses and passwords by answering questions over the phone.

  ---

  Explanation

  Social engineering is a technique that exploits human weaknesses, such as trust, curiosity, or greed, to obtain information or access from a target. An employee is induced to reveal confidential IP addresses and passwords by answering questions over the phone is an example of a social engineering attack method, as it involves manipulating the employee into divulging sensitive information that can be used to compromise the network or system. A hacker walks around an office building using scanning tools to search for a wireless network to gain access, an intruder eavesdrops and collects sensitive information flowing through the network and sells it to third parties, and an unauthorized person attempts to gain access to secure premises by following an authorized person through a secure door are not examples of social engineering attack methods, as they do not involve human interaction or deception.

  References: [ISACA CISA Review Manual 27th Edition], page 361.

• Question 1202:

  Which of the following findings should be an IS auditor's GREATEST concern when reviewing an organization's purchase of new IT infrastructure hardware?

  A. The new infrastructure arrived with default system settings.
  B. The new infrastructure has residual risk within the organization's risk tolerance.
  C. The new infrastructure's hardening requirements are stronger than required by policy.
  D. The new infrastructure has compatibility issues with existing systems.
  D. The new infrastructure has compatibility issues with existing systems.

  ---

  Explanation

• Question 1203:

  Which of the following BEST ensures that effective change management is in place in an IS environment?

  A. User authorization procedures for application access are well established.
  B. User-prepared detailed test criteria for acceptance testing of the software.
  C. Adequate testing was carried out by the development team.
  D. Access to production source and object programs is well controlled.
  D. Access to production source and object programs is well controlled.

  ---

  Explanation

  Access to production source and object programs is the best way to ensure that effective change management is in place in an IS environment, as it prevents unauthorized or accidental changes to the production code that could affect the functionality, performance, or security of the system. Access to production source and object programs should be restricted to authorized personnel only, and any changes should follow a formal change management process that includes documentation, approval, testing, and review.

  References: ISACA CISA Review Manual, 27th Edition, page 254 Change Management Best Practices for the Engineering and ... Change Management - an overview | ScienceDirect Topics

• Question 1204:

  Which of the following risk scenarios is BEST mitigated through the use of a data loss prevention (DLP) tool?

  A. An employee is sending company documents to an external email to increase productivity.
  B. A former employee retains access to an application that authenticates via single sign-on
  C. An employee uses production data in a test environment.
  D. An employee selects the incorrect data classification on documents.
  C. An employee uses production data in a test environment.

  ---

  Explanation

• Question 1205:

  Which type of attack targets security vulnerabilities in web applications to gain access to data sets?

  A. Denial of service (DOS)
  B. SQL injection
  C. Phishing attacks
  D. Rootkits
  B. SQL injection

  ---

  Explanation

  A SQL injection attack is a type of attack that targets security vulnerabilities in web applications to gain access to data sets. A SQL injection attack exploits a flaw in the web application code that allows an attacker to inject malicious SQL statements into the input fields or parameters of the web application. These SQL statements can then execute on the underlying database server and manipulate or retrieve sensitive data from the database. A SQL injection attack can result in data theft, data corruption, unauthorized access, denial of service or even complete takeover of the database server. A denial of service (DOS) attack is a type of attack that aims to disrupt the availability or functionality of a web application or a network service by overwhelming it with excessive requests or traffic. A phishing attack is a type of attack that uses deceptive emails or websites to trick users into revealing their personal or financial information or credentials. A rootkit is a type of malware that hides itself from detection and grants unauthorized access or control over a compromised system.

  References: IS Audit and Assurance Tools and Techniques, CISA Certification | Certified Information Systems Auditor | ISACA

• Question 1206:

  Which of the following is the MOST effective way to ensure adequate system resources are available for high-priority activities?

  A. System virtualization
  B. Job scheduling
  C. Zero Trust
  D. Code optimization
  B. Job scheduling

  ---

  Explanation

  Explanation

  Job scheduling ensures that system resources are allocated efficiently by prioritizing high- priority tasks during peak periods. It prevents resource contention by scheduling less critical jobs at off-peak times or when resources are

  underutilized. This method is the most direct and effective way to ensure adequate resources for essential activities. System Virtualization (Option A):While useful for optimizing resource utilization, it does not prioritize activities dynamically.

  Zero Trust (Option C):This is a security framework and does not address resource allocation.

  Code Optimization (Option D):This improves performance but is not directly related to resource scheduling.

  ISACA CISA Review Manual, Job Practice Area 3: Information Systems Operations and Business Resilience.

• Question 1207:

  IT management has accepted the risk associated with an IS auditor's finding due to the cost and complexity of the corrective actions. Which of the following should be the auditor's NEXT course of action?

  A. Perform a cost-benefit analysis.
  B. Document and inform the audit committee.
  C. Report the finding to external regulators.
  D. Notify senior management.
  B. Document and inform the audit committee.

  ---

  Explanation

• Question 1208:

  In which of the following system development life cycle (SDLC) phases would an IS auditor expect to find that controls have been incorporated into system specifications?

  A. Implementation
  B. Development
  C. Feasibility
  D. Design
  D. Design

  ---

  Explanation

  The design phase of the system development life cycle (SDLC) is where an IS auditor would expect to find that controls have been incorporated into system specifications, because this is where the system requirements are translated into detailed design specifications that include the technical, functional, and security aspects of the system34. The implementation phase is where the system is deployed and tested, the development phase is where the system is coded and unit tested, and the feasibility phase is where the system objectives and scope are defined.

  References: 3: CISA Review Manual (Digital Version), Chapter 4, Section 4.2.2 4: CISA Online Review Course, Module 4, Lesson 2

• Question 1209:

  Which of the following would an IS auditor find to be the GREATEST risk associated with the server room in a remote office location?

  A. The server room is secured by a key lock instead of an electronic lock.
  B. The server room's location is known by people who work in the area.
  C. The server room does not have temperature controls.
  D. The server room does not have biometric controls.
  C. The server room does not have temperature controls.

  ---

  Explanation

• Question 1210:

  A post-implementation review of a development project concludes that several business requirements were not reflected in the software requirement specifications. Which of the following should an IS auditor recommend to reduce this problem in the future?

  A. Appoint a business unit representative.
  B. Write test cases from the user requirements.
  C. Trace the changes to requirements back to all affected products.
  D. Set up a configuration control board.
  A. Appoint a business unit representative.

  ---

  Explanation