Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1251:

  Which of the following would BEST help to ensure that potential security issues are considered by the development team as part of incremental changes to agile-developed software?

  A. Assign the security risk analysis to a specially trained member of the project management office.
  B. Deploy changes in a controlled environment and observe for security defects.
  C. Include a mandatory step to analyze the security impact when making changes.
  D. Mandate that the change analyses are documented in a standard format.
  C. Include a mandatory step to analyze the security impact when making changes.

  ---

  Explanation

  The best way to ensure that potential security issues are considered by the development team as part of incremental changes to agile-developed software is to include a mandatory step to analyze the security impact when making changes. This will help to identify and mitigate any security risks or vulnerabilities that may arise from the changes, and to ensure that the software meets the security requirements and standards. The other options are not as effective, because they either delegate the security analysis to someone outside the development team, rely on post-deployment testing, or focus on documentation rather than analysis.

  References: CISA Review Manual (Digital Version)1, Chapter 4, Section 4.2.5

• Question 1252:

  The independence of an IS auditor auditing an application is maintained if the auditor's role is limited to:

  A. creating system specifications.
  B. defining user requirements.
  C. recommending system enhancements.
  D. designing access control rules.
  B. defining user requirements.

  ---

  Explanation

• Question 1253:

  During an audit which of the following would be MOST helpful in establishing a baseline for measuring data quality?

  A. Input from customers
  B. Industry standard business definitions
  C. Validation of rules by the business
  D. Built-in data error prevention application controls
  C. Validation of rules by the business

  ---

  Explanation

  Validation of rules by the business is the most helpful in establishing a baseline for measuring data quality because it ensures that the rules reflect the business needs and expectations. Validation of rules by the business also helps to identify and resolve any inconsistencies or conflicts among different data sources or stakeholders. Input from customers, industry standard business definitions and built-in data error prevention application controls are useful for improving data quality, but they are not sufficient for establishing a baseline.

  References: CISA Review Manual (Digital Version) 1, Chapter 5, Section 5.4.1

• Question 1254:

  An IS auditor is reviewing the installation of a new server. The IS auditor's PRIMARY objective is to ensure that

  A. security parameters are set in accordance with the manufacturer s standards.
  B. a detailed business case was formally approved prior to the purchase.
  C. security parameters are set in accordance with the organization's policies.
  D. the procurement project invited lenders from at least three different suppliers.
  C. security parameters are set in accordance with the organization's policies.

  ---

  Explanation

  The primary objective of an IS auditor when reviewing the installation of a new server is to ensure that security parameters are set in accordance with the organization's policies. Security parameters are settings or options that control the security level and behavior of the server, such as authentication methods, encryption algorithms, access rights, audit logs, firewall rules, or password policies7. The organization's policies are documents that define the security goals, requirements, standards, and guidelines for the organization's information systems. An IS auditor should verify that security parameters are set in accordance with the organization's policies to ensure that the new server complies with the organization's security expectations and regulations. The other options are less important or incorrect because:

  A. Security parameters should not be set in accordance with the manufacturer's standards alone, as they may not reflect the organization's specific security needs and environment. The manufacturer's standards are general recommendations or best practices for configuring the server's security parameters based on common scenarios and threats. An IS auditor should compare the manufacturer's standards with the organization's policies and identify any gaps or conflicts that need to be resolved.

  B. A detailed business case should have been formally approved prior to the purchase of a new server rather than during its installation. A business case is a document that justifies the need for a new server based on its expected benefits, costs, risks, and alternatives. A business case should be approved by senior management before initiating a project to acquire a new server.

  D. The procurement project should have invited tenders from at least three different suppliers before purchasing a new server rather than during its installation. A tender is a formal offer or proposal to provide a product or service at a specified price and quality. Inviting tenders from multiple suppliers helps to ensure a fair and competitive procurement process that can result in the best value for money and quality for the organization.

  References: Server Security - ISACA, [Information Security Policy - ISACA], [Server Hardening - ISACA], [Business Case

  -ISACA], [Tender - ISACA], [Procurement Management - ISACA]

• Question 1255:

  Which of the following types of firewalls provide the GREATEST degree of control against hacker intrusion?

  A. Circuit gateway
  B. Application level gateway
  C. Packet filtering router
  D. Screening router
  B. Application level gateway

  ---

  Explanation

  The type of firewall that provides the greatest degree of control against hacker intrusion is an application level gateway. A firewall is a device or software that filters or blocks network traffic based on predefined rules or policies. A firewall can help protect an information system or network from unauthorized access or attack by hackers or other malicious entities. An application level gateway is a type of firewall that operates at the application layer of the network model (layer 7), which is where user applications communicate with each other over the network. An application level gateway provides the greatest degree of control against hacker intrusion, by inspecting and analyzing the content and context of each network packet at the application level, such as protocols, commands, requests, responses, etc., and allowing or denying access based on specific criteria or conditions. An application level gateway can also perform additional functions such as authentication, encryption, caching, logging, etc., to enhance the security and performance of network traffic. A circuit gateway is a type of firewall that operates at the transport layer of the network model (layer 4), which is where data are transferred between end points over the network. A circuit gateway provides a moderate degree of control against hacker intrusion by establishing a secure connection between two end points (such as client and server) and relaying network packets between them without inspecting or analyzing their content. A circuit gateway can also perform functions such as encryption, authentication, or address translation to improve the security and privacy of network traffic. A packet filtering router is a type of firewall that operates at the network layer of the network model (layer 3), which is where data are routed between different networks or subnets. A packet filtering router provides a low degree of control against hacker intrusion by examining the header of each network packet and allowing or denying access based on basic criteria such as source address, destination address, port number, protocol, etc. A packet filtering router can also perform functions such as routing, forwarding, or address translation to optimize the delivery and efficiency of network traffic. A screening router is a type of firewall that operates at the network layer of the network model (layer 3), which is where data are routed between different networks or subnets. A screening router provides a low degree of control against hacker intrusion by examining the header of each network packet and allowing or denying access based on basic criteria such as source address, destination address, port number, protocol, etc. A screening router can also perform functions such as routing, forwarding, or address translation to optimize the delivery and efficiency of network traffic.

• Question 1256:

  Which of the following is a corrective control?

  A. Separating equipment development testing and production
  B. Verifying duplicate calculations in data processing
  C. Reviewing user access rights for segregation
  D. Executing emergency response plans
  D. Executing emergency response plans

  ---

  Explanation

  A corrective control is a control that aims to restore normal operations after a disruption or incident has occurred. Executing emergency response plans is an example of a corrective control, as it helps to mitigate the impact of an incident and resume business functions. Separating equipment development testing and production is a preventive control, as it helps to avoid errors or unauthorized changes in production systems. Verifying duplicate calculations in data processing is a detective control, as it helps to identify errors or anomalies in data processing. Reviewing user access rights for segregation is also a detective control, as it helps to detect any violations of segregation of duties principles.

  References: ISACA, CISA Review Manual, 27th Edition, 2018, page 64

• Question 1257:

  Which of the following clauses is MOST important to include in a contract to help maintain data privacy in the event a Platform as a Service (PaaS) provider becomes financially insolvent?

  A. Intellectual property protection
  B. Software escrow
  C. Data classification
  D. Secure data destruction
  D. Secure data destruction

  ---

  Explanation

• Question 1258:

  Identify the INCORRECT statement from below mentioned testing types

  A. Recovery Testing ?Making sure the modified/new system includes provisions for appropriate access control and does not introduce any security holes that might compromise other systems
  B. Load Testing ?Testing an application with large quantities of data to evaluate its performance during peak hour
  C. Volume testing ?Studying the impact on the application by testing with an incremental volume of records to determine the maximum volume of records that application can process
  D. Stress Testing ?Studying the impact on the application by testing with an incremental umber of concurrent users/services on the application to determine maximum number of concurrent user/service the application can process
  A. Recovery Testing ?Making sure the modified/new system includes provisions for appropriate access control and does not introduce any security holes that might compromise other systems

  ---

  Explanation

  The word INCORRECT is the keyword used in this question. You need to find out the incorrect option specified above. The term recovery testing is incorrectly defined in the above options. The correct description of recovery testing is:

  Recovery Testing ?Checking the system's ability to recover after a software or hardware failure

  For CISA exam you should know below types of testing:

  Unit Testing ?The testing of an individual program or module. Unit testing uses set of test cases that focus on control structure of procedural design. These tests ensure internal operation of the programs according to the specification.

  Interface or integration testing ?A hardware or software test that evaluates the connection of two or more components that pass information from one area to another. The objective it to take unit tested module and build an integrated structure

  dictated by design. The term integration testing is also referred to tests that verify and validate functioning of the application under test with other systems, where a set of data is transferred from one system to another.

  System Testing ?A series of tests designed to ensure that modified programs, objects, database schema, etc , which collectively constitute a new or modified system, function properly. These test procedures are often performed in a non-

  production test/development environment by software developers designated as a test team. The following specific analysis may be carried out during system testing.

  Recovery Testing ?Checking the system's ability to recover after a software or hardware failure.

  Security Testing ?Making sure the modified/new system includes provisions for appropriate access control and does not introduce any security holes that might compromise other systems.

  Load Testing ?Testing an application with large quantities of data to evaluate its performance during peak hour.

  Volume testing ?Studying the impact on the application by testing with an incremental volume of records to determine the maximum volume of records that application can process.

  Stress Testing ?Studying the impact on the application by testing with an incremental umber of concurrent users/services on the application to determine maximum number of concurrent user/service the application can process.

  Performance Testing ?Comparing the system performance to other equivalent systems using well defined benchmarks.

  Final Acceptance Testing ?It has two major parts: Quality Assurance Testing(QAT) focusing on the technical aspect of the application and User acceptance testing focusing on functional aspect of the application. QAT focuses on documented

  specifications and the technology employed. It verifies that application works as documented by testing the logical design and the technology itself. It also ensures that the application meet the documented technical specifications and

  deliverables. QAT is performed primarily by IS department. The participation of end user is minimal and on request. QAT does not focus on functionality testing. UAT supports the process of ensuring that the system is production ready and

  satisfies all documented requirements. The methods include:

  Definition of test strategies and procedure.

  Design of test cases and scenarios

  Execution of the tests.

  Utilization of the result to verify system readiness.

  Acceptance criteria are defined criteria that a deliverable must meet to satisfy the predefined needs of the user. A UAT plan must be documented for the final test of the completed system. The tests are written from a user's perspective and

  should test the system in a manner as close to production possible.

  The following were incorrect answers:

  The other options presented contains valid definitions.

  CISA review manual 2014 Page number 166

• Question 1259:

  An IS auditor reviewing incident response management processes notices that resolution times for reoccurring incidents have not shown improvement. Which of the following is the auditor's BEST recommendation?

  A. Harden IT system and application components based on best practices.
  B. Incorporate a security information and event management (SIEM) system into incident response
  C. Implement a survey to determine future incident response training needs.
  D. Introduce problem management into incident response.
  D. Introduce problem management into incident response.

  ---

  Explanation

  The auditor's best recommendation is

  D. Introduce problem management into incident response. Problem management is a practice that aims to identify, analyze, and resolve the root causes of recurring incidents, and prevent or reduce their impact in the future. Problem management can help improve the resolution times for recurring incidents by eliminating or mitigating the underlying problems that cause them, and by providing permanent solutions that can be reused or automated. Problem management can also help improve the quality and efficiency of incident response by reducing the workload and complexity of dealing with repetitive issues.

• Question 1260:

  Which of the following should be the GREATEST concern to an IS auditor reviewing an organization's method to transport sensitive data between offices?

  A. The method relies exclusively on the use of public key infrastructure (PKI).
  B. The method relies exclusively on the use of digital signatures.
  C. The method relies exclusively on the use of asymmetric encryption algorithms.
  D. The method relies exclusively on the use of 128-bit encryption.
  C. The method relies exclusively on the use of asymmetric encryption algorithms.

  ---

  Explanation

  The greatest concern to an IS auditor reviewing an organization's method to transport sensitive data between offices is that the method relies exclusively on the use of asymmetric encryption algorithms. Asymmetric encryption algorithms, also known as public key encryption, use two different keys for encryption and decryption: a public key that is shared with anyone who wants to communicate with the sender, and a private key that is kept secret by the sender. Asymmetric encryption algorithms are more secure than symmetric encryption algorithms, which use the same key for both encryption and decryption, but they are also slower and more computationally intensive. Therefore, relying exclusively on asymmetric encryption algorithms may not be efficient or practical for transporting large amounts of sensitive data between offices. A better method would be to use a combination of symmetric and asymmetric encryption algorithms, such as using asymmetric encryption to exchange a symmetric key and then using symmetric encryption to encrypt and decrypt the data. The other options are not as concerning as option

  C. The method relying exclusively on the use of public key infrastructure (PKI) is not a concern, because PKI is a system that provides the services and mechanisms for creating, managing, distributing, using, storing, and revoking digital certificates that are based on asymmetric encryption algorithms. PKI enables secure and authenticated communication between parties who do not have a prior trust relationship. The method relying exclusively on the use of digital signatures is not a concern, because digital signatures are a way of verifying the authenticity and integrity of a message or document by using asymmetric encryption algorithms. Digital signatures ensure that the sender cannot deny sending the message or document, and that the receiver can detect any tampering or alteration of the message or document. The method relying exclusively on the use of 128-bit encryption is not a concern, because 128-bit encryption is a level of encryption that uses a 128-bit key to encrypt and decrypt data. 128- bit encryption is considered to be strong enough to resist brute-force attacks by modern computers.

  References: Asymmetric vs Symmetric Encryption: What are differences?, Public Key Infrastructure (PKI), Digital Signature, What is 128-bit Encryption?