Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1351:

  Which of the following should be of GREATEST concern to an IS auditor who is assessing an organization's configuration and release management process?

  A. The organization does not use an industry-recognized methodology
  B. Changes and change approvals are not documented
  C. All changes require middle and senior management approval
  D. There is no centralized configuration management database (CMDB)
  B. Changes and change approvals are not documented

  ---

  Explanation

  The greatest concern to an IS auditor who is assessing an organization's configuration and release management process is that changes and change approvals are not documented. This is because documentation is essential for ensuring the traceability, accountability, and quality of the changes made to the configuration items (CIs) and the releases deployed to the production environment. Without documentation, it would be difficult to verify the authenticity, validity, and authorization of the changes, as well as to identify and resolve any issues or incidents that may arise from the changes. Documentation also helps to maintain compliance with internal and external standards and regulations, as well as to facilitate audits and reviews. The other options are not as concerning as option B, although they may also indicate some weaknesses in the configuration and release management process. The organization does not use an industry-recognized methodology, but this does not necessarily mean that their process is ineffective or inefficient. The organization may have developed their own methodology that suits their specific needs and context. However, using an industry-recognized methodology could help them adopt best practices and improve their process maturity. All changes require middle and senior management approval, but this may not be a problem if the organization has a clear and streamlined approval process that does not cause delays or bottlenecks in the change implementation. However, requiring too many approvals could also introduce unnecessary complexity and bureaucracy in the process. There is no centralized configuration management database (CMDB), but this does not mean that the organization does not have a way of managing their CIs and their relationships. The organization may use other tools or methods to store and access their configuration data, such as spreadsheets, documents, or repositories. However, having a centralized CMDB could help them improve their visibility, accuracy, and consistency of their configuration data.

  References:

  1: The Essential Guide to Release Management | Smartsheet

  2: 5 steps to a successful release management process - Lucidchart

  3: Configuration Management process overview - Micro Focus

  4: Release and Deployment Management process overview - Micro Focus

• Question 1352:

  Post-implementation testing is an example of which of the following control types?

  A. Directive
  B. Deterrent
  C. Preventive
  D. Detective
  D. Detective

  ---

  Explanation

• Question 1353:

  An organization has an acceptable use policy in place, but users do not formally acknowledge the policy. Which of the following is the MOST significant risk from this finding?

  A. Lack of data for measuring compliance
  B. Violation of industry standards
  C. Noncompliance with documentation requirements
  D. Lack of user accountability
  D. Lack of user accountability

  ---

  Explanation

  An acceptable use policy (AUP) is a document that defines the rules and guidelines for using an organization's IT resources, such as networks, devices, and software. It aims to protect the organization's assets, security, and productivity. An AUP should be formally acknowledged by users to ensure that they are aware of their responsibilities and obligations when using the IT resources. Without formal acknowledgment, users may not be held accountable for violating the AUP or may claim ignorance of the policy. This can expose the organization to legal, regulatory, reputational, or operational risks. Lack of data for measuring compliance, violation of industry standards, and noncompliance with documentation requirements are also possible risks from not having users acknowledge the AUP, but they are less significant than lack of user accountability.

  References: Workable: Acceptable use policy template, Wikipedia: Acceptable use policy

• Question 1354:

  Audit frameworks can assist the IS audit function by:

  A. defining the authority and responsibility of the IS audit function.
  B. providing direction and information regarding the performance of audits.
  C. outlining the specific steps needed to complete audits.
  D. providing details on how to execute the audit program.
  B. providing direction and information regarding the performance of audits.

  ---

  Explanation

• Question 1355:

  Which of the following is the process of repeating a portion of a test scenario or test plan to ensure that changes in information system have not introduced any errors?

  A. Parallel Test
  B. Black box testing
  C. Regression Testing
  D. Pilot Testing
  C. Regression Testing

  ---

  Explanation

  Regression testing is the process of rerunning a portion of a test scenario or test plan to ensure that changes or corrections have not introduced new errors. The data used in regression testing should be same as original data.

  For CISA exam you should know below mentioned types of testing

  Alpha and Beta Testing ?An alpha version is early version is an early version of the application system submitted to the internal user for testing. The alpha version may not contain all the features planned for the final version. Typically,

  software goes to two stages testing before it consider finished. The first stage is called alpha testing is often performed only by the user within the organization developing the software. The second stage is called beta testing, a form of user

  acceptance testing, generally involves a limited number of external users. Beta testing is the last stage of testing, and normally involves real world exposure, sending the beta version of the product to independent beta test sites or offering it

  free to interested user.

  Pilot Testing ?A preliminary test that focuses on specific and predefined aspect of a system. It is not meant to replace other testing methods, but rather to provide a limited evaluation of the system. Proof of concept are early pilot tests ?usually

  over interim platform and with only basic functionalities.

  White box testing ?Assess the effectiveness of a software program logic. Specifically, test data are used in determining procedural accuracy or conditions of a program's specific logic path. However, testing all possible logical path in large

  information system is not feasible and would be cost prohibitive, and therefore is used on selective basis only.

  Black Box Testing ?An integrity based form of testing associated with testing components of an information system's "functional" operating effectiveness without regards to any specific internal program structure. Applicable to integration and

  user acceptance testing.

  Function/validation testing ?It is similar to system testing but it is often used to test the functionality of the system against the detailed requirements to ensure that the software that has been built is traceable to customer requirements.

  Regression Testing ?The process of rerunning a portion of a test scenario or test plan to ensure that changes or corrections have not introduced new errors. The data used in regression testing should be same as original data.

  Parallel Testing ?This is the process of feeding test data into two systems ?the modified system and an alternative system and comparing the result.

  Sociability Testing ?The purpose of these tests is to confirm that new or modified system can operate in its target environment without adversely impacting existing system. This should cover not only platform that will perform primary

  application processing and interface with other system but, in a client server and web development, changes to the desktop environment. Multiple application may run on the user's desktop, potentially simultaneously, so it is important to test

  the impact of installing new dynamic link libraries (DLLs), making operating system registry or configuration file modification, and possibly extra memory utilization.

  The following were incorrect answers:

  Parallel Testing ?This is the process of feeding test data into two systems ?the modified system and an alternative system and comparing the result.

  Black Box Testing ?An integrity based form of testing associated with testing components of an information system's "functional" operating effectiveness without regards to any specific internal program structure. Applicable to integration and

  user acceptance testing.

  Pilot Testing ?A preliminary test that focuses on specific and predefined aspect of a system. It is not meant to replace other testing methods, but rather to provide a limited evaluation of the system. Proof of concept are early pilot tests ?usually

  over interim platform and with only basic functionalities

  CISA review manual 2014 Page number 167

• Question 1356:

  A global organization's policy states that all workstations must be scanned for malware each day. Which of the following would provide an IS auditor with the BEST evidence of continuous compliance with this policy?

  A. Penetration testing results
  B. Management attestation
  C. Anti-malware tool audit logs
  D. Recent malware scan reports
  C. Anti-malware tool audit logs

  ---

  Explanation

  Anti-malware tool audit logs would provide an IS auditor with the best evidence of continuous compliance with the global organization's policy that states that all workstations must be scanned for malware each day. Anti-malware tool audit logs are records that capture the activities and events related to the anti-malware software installed on the workstations, such as scan schedules, scan results, updates, alerts, and actions taken1. These logs can help the IS auditor to verify that the anti-malware software is functioning properly, that the scans are performed regularly and effectively, and that any malware incidents are detected and resolved in a timely manner2. Anti-malware tool audit logs can also help the IS auditor to identify any gaps or weaknesses in the anti-malware policy or implementation, and to provide recommendations for improvement3. The other options are not the best evidence of continuous compliance with the anti- malware policy. Penetration testing results are reports that show the vulnerabilities and risks of the workstations and network from an external or internal attacker's perspective4. While penetration testing can help to assess the security posture and resilience of the organization, it does not provide information on the daily anti-malware scans or their outcomes. Management attestation is a statement or declaration from the management that they have complied with the anti-malware policy5. While management attestation can demonstrate commitment and accountability, it does not provide objective or verifiable evidence of compliance. Recent malware scan reports are documents that show the summary or details of the latest antimalware scans performed on the workstations. While recent malware scan reports can indicate the current status and performance of the anti- malware software, they do not provide historical or comprehensive evidence of compliance.

  References: Malwarebytes Anti-Malware (MBAM) log collection and threat reports ... Malicious Behavior Detection using Windows Audit Logs PCI Requirement 5.2 ?Ensure all Anti-Virus Mechanisms are Current ... Management Attestation - an overview | ScienceDirect Topics How to Read a Malware Scan Report | Techwalla

• Question 1357:

  When reviewing a data classification scheme, it is MOST important for an IS auditor to determine if.

  A. each information asset is to a assigned to a different classification.
  B. the security criteria are clearly documented for each classification
  C. Senior IT managers are identified as information owner.
  D. the information owner is required to approve access to the asset
  B. the security criteria are clearly documented for each classification

  ---

  Explanation

  When reviewing a data classification scheme, it is most important for an IS auditor to determine if the security criteria are clearly documented for each classification. This will help the IS auditor to evaluate if the data classification scheme is consistent, comprehensive, and aligned with the organizational objectives and regulatory requirements. The security criteria should define the level of confidentiality, integrity, and availability for each data classification, as well as the corresponding controls such as access control, rights management, and cryptographic protection1. The other options are less important or incorrect because:

  A. Each information asset is not necessarily assigned to a different classification. Data classification schemes usually have a limited number of categories, such as "Sensitive," "Confidential," and "Public," and multiple information assets can belong to the same category2.

  C. Senior IT managers are not necessarily identified as information owners. Information owners are typically the business units or functions that create, use, or maintain the information assets, and they may or may not be senior IT managers3.

  D. The information owner is not required to approve access to the asset. The information owner is responsible for defining the access requirements and rules for the asset, but the actual approval of access requests may be delegated to other roles, such as data custodians or administrators3.

  References: Simplify and Contextualize Your Data Classification Efforts - ISACA, 3.7: Establish and Maintain a Data Classification Scheme, Data Classification and Practices - NIST, CISA Exam Content Outline | CISA Certification | ISACA

• Question 1358:

  During which stage of the penetration test cycle does the tester utilize identified vulnerabilities to attempt to access the target system?

  A. Exfiltration
  B. Exploitation
  C. Reconnaissance
  D. Scanning
  B. Exploitation

  ---

  Explanation

  Comprehensive and Detailed Step-by-Step

  Exploitationis the phase where testersleverage identified vulnerabilitiestogain unauthorized accessto systems.

  Exploitation (Correct Answer ?B)

  Exfiltration (Incorrect ?A)

  Reconnaissance (Incorrect ?C)

  Scanning (Incorrect ?D)

  References:

  ISACA CISA Review Manual

  NIST 800-115 (Technical Guide to Security Testing)

• Question 1359:

  Which of the following MUST be included in emergency change control procedures?

  A. Obtaining user management approval before implementing the changes
  B. Updating production source libraries to reflect the changes
  C. Using an emergency ID to move production programs into development
  D. Requesting that the help desk makes the changes
  A. Obtaining user management approval before implementing the changes

  ---

  Explanation

• Question 1360:

  An organization is replacing a mission-critical system. Which of the following is the BEST implementation strategy to mitigate and reduce the risk of system failure?

  A. Stage
  B. Phase
  C. Parallel
  D. Big-bang
  C. Parallel

  ---

  Explanation