Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1231:

  Which of the following BEST protects an organization's proprietary code during a joint- development activity involving a third party?

  A. Statement of work (SOW)
  B. Nondisclosure agreement (NDA)
  C. Service level agreement (SLA)
  D. Privacy agreement
  B. Nondisclosure agreement (NDA)

  ---

  Explanation

  A nondisclosure agreement (NDA) is the best way to protect an organization's proprietary code during a joint-development activity involving a third party. An NDA is a legal contract that binds the parties involved in a joint-development activity to keep confidential any information, data or materials that are shared or exchanged during the activity. An NDA specifies what constitutes confidential information, how it can be used, disclosed or protected, how long it remains confidential, what are the exceptions and remedies for breach of confidentiality, and other terms and conditions. An NDA can help to protect an organization's proprietary code from being copied, modified, distributed or exploited by unauthorized parties without its consent or knowledge. The other options are not as effective as option B, as they do not address confidentiality issues specifically. A statement of work (SOW) is a document that defines the scope, objectives, deliverables, tasks, roles, responsibilities, timelines and costs of a joint-development activity, but it does not cover confidentiality issues explicitly. A service level agreement (SLA) is a document that defines the quality, performance and availability standards and metrics for a service provided by one party to another party in a joint-development activity, but it does not cover confidentiality issues explicitly. A privacy agreement is a document that defines how personal information collected from customers or users is collected, used, disclosed and protected by one party or both parties in a joint-development activity, but it does not cover confidentiality issues related to proprietary code.

  References: CISA Review Manual (Digital Version) , Chapter 3: Information Systems Acquisition, Development and Implementation, Section 3.2: Project Management Practices.

• Question 1232:

  After areas have been appropriately scoped, what is the IS auditor's NEXT step in the selection for sampling?

  A. Define the population for sampling.
  B. Determine the sampling method.
  C. Calculate the sample size.
  D. Pull the sample.
  A. Define the population for sampling.

  ---

  Explanation

  Explanation

• Question 1233:

  An IS auditor has assessed a payroll service provider's security policy and finds significant topics are missing. Which of the following is the auditor's BEST course of action?

  A. Recommend the service provider update their policy.
  B. Notify the service provider of the discrepancies.
  C. Report the risk to internal management.
  D. Recommend replacement of the service provider.
  C. Report the risk to internal management.

  ---

  Explanation

• Question 1234:

  Which of the following would be of GREATEST concern to an IS auditor reviewing an IT- related customer service project?

  A. The project risk exceeds the organization's risk appetite.
  B. Executing the project will require additional investments.
  C. Expected business value is expressed in qualitative terms.
  D. The organization will be the first to offer the proposed services.
  A. The project risk exceeds the organization's risk appetite.

  ---

  Explanation

• Question 1235:

  Which of the following is the GREATEST risk associated with lack of IT involvement in the organization's strategic planning initiatives?

  A. Business strategies may not align with IT capabilities.
  B. Business strategies may not consider emerging technologies.
  C. IT strategies may not align with business strategies.
  D. IT strategic goals may not be considered by the business.
  C. IT strategies may not align with business strategies.

  ---

  Explanation

  Explanation Comprehensive and Detailed Step-by-Step IfIT is not involvedinstrategic planning,IT strategy may diverge from business needs, leading tomisalignment and inefficiencies. Option A (Incorrect):Business strategy alignmentis important, but the greater risk is thatIT investments do not support business goals. Option B (Incorrect):Lack of emerging technology awareness is a risk, butIT- business misalignment has broader consequences. Option C (Correct):Thegreatest riskis when IT strategyfails to align with business objectives, leading towasted investments, inefficiencies, and competitive disadvantages. Option D (Incorrect):IT goals being overlooked is a concern, butmisalignment of IT and business strategies is a more critical risk.

  ISACA CISA Review Manual -Domain 2: Governance and Management of IT?Coversstrategic IT alignment and governance best practices.

• Question 1236:

  Which of the following management decisions presents the GREATEST risk associated with data leakage?

  A. There is no requirement for desktops to be encrypted
  B. Staff are allowed to work remotely
  C. Security awareness training is not provided to staff
  D. Security policies have not been updated in the past year
  C. Security awareness training is not provided to staff

  ---

  Explanation

  The management decision that presents the greatest risk associated with data leakage is not providing security awareness training to staff. This is because staff are often the weakest link in the information security chain, and they may unintentionally or maliciously leak sensitive data through various channels, such as email, social media, cloud storage, or removable media. Security awareness training is essential to educate staff on the importance of protecting data, the policies and procedures for handling data, and the best practices for preventing and reporting data leakage incidents. Not requiring desktops to be encrypted, allowing staff to work remotely, and not updating security policies in the past year are also management decisions that may increase the risk of data leakage, but they are not as significant as not providing security awareness training to staff. Encryption, remote work, and security policies are technical or administrative controls that can be implemented or enforced by management, but they cannot fully prevent or mitigate human errors or malicious actions by staff.

  References: CISA Review Manual (Digital Version), [ISACA Privacy Principles and Program Management Guide]

• Question 1237:

  Which of the following is the MOST important reason to classify a disaster recovery plan (DRP) as confidential?

  A. Ensure compliance with the data classification policy.
  B. Protect the plan from unauthorized alteration.
  C. Comply with business continuity best practice.
  D. Reduce the risk of data leakage that could lead to an attack.
  D. Reduce the risk of data leakage that could lead to an attack.

  ---

  Explanation

  The most important reason to classify a disaster recovery plan (DRP) as confidential is to reduce the risk of data leakage that could lead to an attack. A DRP contains sensitive information about the organization's IT infrastructure, systems, processes, and procedures for recovering from a disaster. If this information falls into the wrong hands, it could be exploited by malicious actors to launch targeted attacks, sabotage recovery efforts, or extort ransom. Therefore, a DRP should be protected from unauthorized access, disclosure, modification, or destruction. The other options are not as important as reducing the risk of data leakage that could lead to an attack: Ensuring compliance with the data classification policy is a good practice, but it is not a sufficient reason to classify a DRP as confidential. The data classification policy should reflect the level of risk and impact associated with each type of data, and a DRP should be classified as confidential based on its potential harm if compromised. Protecting the plan from unauthorized alteration is a valid concern, but it is not a primary reason to classify a DRP as confidential. A DRP should be protected from unauthorized alteration by implementing access controls, audit trails, version control, and change management processes. Classifying a DRP as confidential may deter some unauthorized alterations, but it does not prevent them. Complying with business continuity best practice is a desirable goal, but it is not a compelling reason to classify a DRP as confidential. Business continuity best practice may recommend classifying a DRP as confidential, but it does not mandate it. The decision to classify a DRP as confidential should be based on a risk assessment and a cost-benefit analysis.

• Question 1238:

  Which of the following would BEST facilitate the successful implementation of an IT-related framework?

  A. Aligning the framework to industry best practices
  B. Establishing committees to support and oversee framework activities
  C. Involving appropriate business representation within the framework
  D. Documenting IT-related policies and procedures
  C. Involving appropriate business representation within the framework

  ---

  Explanation

• Question 1239:

  Which of the following is the MOST important factor when an organization is developing information security policies and procedures?

  A. Alignment with an information security framework
  B. Compliance with relevant regulations
  C. Inclusion of mission and objectives
  D. Consultation with security staff
  B. Compliance with relevant regulations

  ---

  Explanation

• Question 1240:

  Which of the following is an IS auditor's BEST recommendation to help an organization increase the efficiency of computing resources?

  A. Overclocking the central processing unit (CPU)
  B. Virtualization
  C. Real-time backups
  D. Hardware upgrades
  D. Hardware upgrades

  ---

  Explanation