Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1371:

  Which of the following poses the GREATEST risk to a company that allows employees to use personally owned devices to access customer files on the company's network?

  A. The help desk might not be able to support all different types of personal devices.
  B. The company's network might slow down, affecting response time.
  C. Customer data may be compromised if the device is lost or stolen.
  D. Employee productivity may suffer due to personal distractions
  C. Customer data may be compromised if the device is lost or stolen.

  ---

  Explanation

• Question 1372:

  An IS auditor has obtained a large data set containing multiple fields and non-numeric data for analysis. Which of the following activities will MOST improve the quality of conclusions derived from the use of a data analytics tool for this audit?

  A. Data anonymization
  B. Data classification
  C. Data stratification
  D. Data preparation
  C. Data stratification

  ---

  Explanation

• Question 1373:

  Which of the following would MOST likely jeopardize the independence of a quality assurance (QA} team and could lead to conflict of interest?

  A. Cross checking testing assumptions with the solution design
  B. Inspecting code to ensure proper documentation
  C. Ensuring compliance with development methodologies
  D. Correcting coding errors during the testing process
  D. Correcting coding errors during the testing process

  ---

  Explanation

  Explanation

• Question 1374:

  A secure server room has a badge reader system that records name, date, and time information whenever a staff member uses a badge to enter or exit. When reviewing the system logs, an IS auditor notices records for some employees entering, but not exiting, the room. Which of the following would be the MOST effective compensating control to recommend?

  A. Installing security cameras at the doors
  B. Changing to a biometric access control system
  C. Implementing a monitored mantrap at entrance and exit points
  D. Requiring two-factor authentication at entrance and exit points
  C. Implementing a monitored mantrap at entrance and exit points

  ---

  Explanation

  A monitored mantrap at entrance and exit points would be the most effective compensating control in this scenario. A mantrap is a physical security access control system comprising a small space having two sets of interlocking doors such that the first set of doors must close before the second set opens. By implementing a monitored mantrap, unauthorized access can be prevented and it can ensure that all individuals are logged when they enter and exit the server room.

  References: ISACA's Information Systems Auditor Study Materials

• Question 1375:

  An organization's security team created a simulated production environment with multiple vulnerable applications. What would be the PRIMARY purpose of creating such an environment?

  A. To collect digital evidence of cyberattacks
  B. To attract attackers in order to study their behavior
  C. To provide training to security managers
  D. To test the intrusion detection system (IDS)
  B. To attract attackers in order to study their behavior

  ---

  Explanation

  The primary purpose of creating a simulated production environment with multiple vulnerable applications is to attract attackers in order to study their behavior. This is a technique known as honeypotting, which is a form of deception security that lures attackers into a fake system or network that mimics the real one, but is isolated and monitored1. Honeypotting can help security teams to learn about the attackers' methods, tools, motives, and targets, and to collect valuable intelligence that can be used to improve the security posture of the organization. Honeypotting can also help to divert the attackers' attention from the real assets and to waste their time and resources. The other options are not the primary purpose of creating a simulated production environment with multiple vulnerable applications. To collect digital evidence of cyberattacks, security teams would need to use forensic tools and techniques that can preserve and analyze the data from the compromised systems or networks. To provide training to security managers, security teams would need to use simulation tools and scenarios that can test and enhance their skills and knowledge in responding to cyber incidents. To test the intrusion detection system (IDS), security teams would need to use penetration testing tools and methods that can evaluate the effectiveness and performance of the IDS in detecting and preventing malicious activities.

  References: What is a Honeypot? | Imperva Honeypots: A sweet solution for identifying intruders | CSO Online Digital Forensics - an overview | ScienceDirect Topics Cybersecurity Training and Exercises - Homeland Security What is Penetration Testing? | Types and Stages | Imperva

• Question 1376:

  Which of the following is the BEST way to evaluate the effectiveness of access controls to an internal network?

  A. Perform a system penetration test
  B. Test compliance with operating procedures
  C. Review access rights
  D. Review router configuration tables
  A. Perform a system penetration test

  ---

  Explanation

• Question 1377:

  An IS auditor identifies that a legacy application to be decommissioned in three months cannot meet the security requirements established by the current policy. What is the BEST way (or the auditor to address this issue?

  A. Recommend the application be patched to meet requirements.
  B. Inform the IT director of the policy noncompliance.
  C. Verify management has approved a policy exception to accept the risk.
  D. Take no action since the application will be decommissioned in three months.
  C. Verify management has approved a policy exception to accept the risk.

  ---

  Explanation

  The best way for the auditor to address this issue is to verify management has approved a policy exception to accept the risk. A policy exception is a formal authorization that allows a deviation from the established policy requirements for a specific situation or period of time. A policy exception should be based on a risk assessment that evaluates the impact and likelihood of the potential threats and vulnerabilities, as well as the cost and benefit of the alternative controls. A policy exception should also be documented, approved, and monitored by management. Recommending the application be patched to meet requirements is not the best way for the auditor to address this issue. Patching the application may not be feasible, cost-effective, or timely, given that the application will be decommissioned in three months. Patching the application may also introduce new risks or errors that could affect the functionality or performance of the application. Informing the IT director of the policy noncompliance is not the best way for the auditor to address this issue. Informing the IT director of the policy noncompliance may not resolve the issue or mitigate the risk, especially if the IT director is already aware of the situation and has decided to accept it. Informing the IT director of the policy noncompliance may also create unnecessary conflict or tension between the auditor and the auditee. Taking no action since the application will be decommissioned in three months is not the best way for the auditor to address this issue. Taking no action may expose the organization to significant risks or consequences, such as data breaches, regulatory fines, or reputational damage, if the application is compromised or exploited by malicious actors. Taking no action may also violate the auditor's professional standards and responsibilities, such as due care, objectivity, and reporting.

  References: ISACA, CISA Review Manual, 27th Edition, 2019, p. 289 ISACA, CISA Review Questions, Answers and Explanations Database - 12 Month Subscription Cybersecurity Engineering for Legacy Systems: 6 Recommendations - SEI Blog How to Secure Your Company's Legacy Applications - iCorps

• Question 1378:

  Which of the following is found in an audit charter?

  A. The process of developing the annual audit plan
  B. The authority given to the audit function
  C. Required training for audit staff
  D. Audit objectives and scope
  B. The authority given to the audit function

  ---

  Explanation

  The authority given to the audit function is one of the components that is found in an audit charter. According to the IIA, the audit charter is a formal document that defines internal audit's purpose, authority, responsibility and position within the organization1. The authority given to the audit function includes the scope of its activities, the access to records, personnel and physical properties relevant to its work, and the independence and objectivity of its staff2. The authority given to the audit function helps to ensure that internal auditors can perform their duties effectively and efficiently, and that they can provide assurance and consulting services that add value and improve the organization's operations3. The other options are not found in an audit charter. The process of developing the annual audit plan is not part of the audit charter, but rather a separate document that outlines the methodology, criteria and resources for selecting and prioritizing audit engagements based on a risk assessment4. Required training for audit staff is not part of the audit charter, but rather a component of the quality assurance and improvement program that evaluates the competence and performance of internal auditors and provides them with opportunities for professional development5. Audit objectives and scope are not part of the audit charter, but rather specific elements of each individual audit engagement that define the expected outcomes and the boundaries of the audit work.

• Question 1379:

  Which of the following would be an IS auditor's GREATEST concern when reviewing the early stages of a software development project?

  A. The lack of technical documentation to support the program code
  B. The lack of completion of all requirements at the end of each sprint
  C. The lack of acceptance criteria behind user requirements.
  D. The lack of a detailed unit and system test plan
  C. The lack of acceptance criteria behind user requirements.

  ---

  Explanation

  User requirements are statements that describe what the users expect from the software system in terms of functionality, quality, and usability. They are essential inputs for the software development process, as they guide the design, implementation, testing, and deployment of the system. Therefore, an IS auditor's greatest concern when reviewing the early stages of a software development project would be the lack of acceptance criteria behind user requirements. Acceptance criteria are measurable conditions that define when a user requirement is met or satisfied. They help ensure that the user requirements are clear, complete, consistent, testable, and verifiable. Without acceptance criteria, it would be difficult to evaluate whether the system meets the user expectations and delivers value to the organization. Technical documentation, such as program code, is usually produced in later stages of the software development process. Completion of all requirements at the end of each sprint is not mandatory in agile software development methods, as long as there is a prioritized backlog of requirements that can be delivered incrementally. A detailed unit and system test plan is also important for ensuring software quality, but it depends on well-defined user requirements and acceptance criteria.

  References: Information Systems Acquisition, Development and Implementation, CISA Review Manual (Digital Version)

• Question 1380:

  Which of the following provides the BEST evidence that IT portfolio management is aligned with organizational strategies?

  A. Finance committee minutes that include approval for the annual IT budget
  B. Project sponsor sign-off on all project documents from beginning to end
  C. IT steering committee minutes that include approval for prioritization of IT projects
  D. Project sponsor sign-off on IT project proposals and milestones
  C. IT steering committee minutes that include approval for prioritization of IT projects

  ---

  Explanation

  Explanation