Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1431:

  An organization's security team created a simulated production environment with multiple vulnerable applications. What would be the PRIMARY purpose of creating such an environment?

  A. To test the intrusion detection system (IDS)
  B. To provide training to security managers
  C. To collect digital evidence of cyberattacks
  D. To attract attackers in order to study their behavior
  D. To attract attackers in order to study their behavior

  ---

  Explanation

  The primary purpose of creating a simulated production environment with multiple vulnerable applications is

  D. To attract attackers in order to study their behavior. This is also known as a honeypot, which is a decoy system that mimics a real target and lures attackers into revealing their techniques, tools, and motives. A honeypot can help the organization's security team to improve their defense strategies, identify new threats, and collect digital evidence of cyberattacks.

• Question 1432:

  Which of the following protocols should be used when transferring data via the internet?

  A. User Datagram Protocol (UDP)
  B. Hypertext Transfer Protocol (HTTP)
  C. Secure File Transfer Protocol (SFTP)
  D. Remote Desktop Protocol (RDP)
  C. Secure File Transfer Protocol (SFTP)

  ---

  Explanation

  Comprehensive and Detailed Step-by-Step

  SFTP (Secure File Transfer Protocol)is the most secure option for transferring data over the internet, as it encrypts both commands and data, ensuring confidentiality and integrity.

  SFTP (Correct Answer C)

  UDP (Incorrect A)

  HTTP (Incorrect B)

  RDP (Incorrect D)

  References:

  ISACA CISA Review Manual

  NIST 800-52 (Guidelines for Transport Layer Security)

• Question 1433:

  Which of the following control is intended to discourage a potential attacker?

  A. Deterrent
  B. Preventive
  C. Corrective
  D. Recovery
  A. Deterrent

  ---

  Explanation

  Deterrent Control are intended to discourage a potential attacker

  For your exam you should know below information about different security controls

  Deterrent Controls

  Deterrent Controls are intended to discourage a potential attacker. Access controls act as a deterrent to threats and attacks by the simple fact that the existence of the control is enough to keep some potential attackers from attempting to

  circumvent the control. This is often because the effort required to circumvent the control is far greater than the potential reward if the attacker is successful, or, conversely, the negative implications of a failed attack (or getting caught)

  outweigh the benefits of success. For example, by forcing the identification and authentication of a user, service, or application, and all that it implies, the potential for incidents associated with the system is significantly reduced because an

  attacker will fear association with the incident. If there are no controls for a given access path, the number of incidents and the potential impact become infinite. Controls inherently reduce exposure to risk by applying oversight for a process.

  This oversight acts as a deterrent, curbing an attacker's appetite in the face of probable repercussions.

  The best example of a deterrent control is demonstrated by employees and their propensity to intentionally perform unauthorized functions, leading to unwanted events.

  When users begin to understand that by authenticating into a system to perform a function, their activities are logged and monitored, and it reduces the likelihood they will attempt such an action. Many threats are based on the anonymity of

  the threat agent, and any potential for identification and association with their actions is avoided at all costs.

  It is this fundamental reason why access controls are the key target of circumvention by attackers. Deterrents also take the form of potential punishment if users do something unauthorized. For example, if the organization policy specifies that

  an employee installing an unauthorized wireless access point will be fired, that will determine most employees from installing wireless access points.

  Preventative Controls

  Preventive controls are intended to avoid an incident from occurring. Preventative access controls keep a user from performing some activity or function. Preventative controls differ from deterrent controls in that the control is not optional and

  cannot (easily) be bypassed. Deterrent controls work on the theory that it is easier to obey the control

  rather than to risk the consequences of bypassing the control. In other words, the power for action resides with the user (or the attacker). Preventative controls place the power of action with the system, obeying the control is not optional. The

  only way to bypass the control is to find a flaw in the control's implementation.

  Compensating Controls

  Compensating controls are introduced when the existing capabilities of a system do not support the requirement of a policy. Compensating controls can be technical, procedural, or managerial. Although an existing system may not support the

  required controls, there may exist other technology or processes that can supplement the existing environment, closing the gap in controls, meeting policy requirements, and reducing overall risk.

  For example, the access control policy may state that the authentication process must be encrypted when performed over the Internet. Adjusting an application to natively support encryption for authentication purposes may be too costly.

  Secure Socket Layer (SSL), an encryption protocol, can be employed and layered on top of the authentication process to support the policy statement.

  Other examples include a separation of duties environment, which offers the capability to isolate certain tasks to compensate for technical limitations in the system and ensure the security of transactions. In addition, management processes,

  such as authorization, supervision, and administration, can be used to compensate for gaps in the access control environment.

  Detective Controls

  Detective controls warn when something has happened, and are the earliest point in the post-incident timeline. Access controls are a deterrent to threats and can be aggressively utilized to prevent harmful incidents through the application of

  least privilege. However, the detective nature of access controls can provide significant visibility into the access environment and help organizations manage their access strategy and related security risk.

  As mentioned previously, strongly managed access privileges provided to an authenticated user offer the ability to reduce the risk exposure of the enterprise's assets by limiting the capabilities that authenticated user has. However, there are

  few options to control what a user can perform once privileges are provided. For example, if a user is provided write access to a file and that file is damaged, altered, or otherwise negatively impacted (either deliberately or unintentionally), the

  use of applied access controls will offer visibility into the transaction. The control environment can be established to log activity regarding the identification, authentication, authorization, and use of privileges on a system.

  This can be used to detect the occurrence of errors, the attempts to perform an unauthorized action, or to validate when provided credentials were exercised. The logging system as a detective device provides evidence of actions (both

  successful and unsuccessful) and tasks that were executed by authorized users.

  Corrective Controls

  When a security incident occurs, elements within the security infrastructure may require corrective actions. Corrective controls are actions that seek to alter the security posture of an environment to correct any deficiencies and return the

  environment to a secure state. A security incident signals the failure of one or more directive, deterrent, preventative, or compensating controls. The detective controls may have triggered an alarm or notification, but now the corrective controls

  must work to stop the incident in its tracks. Corrective controls can take many forms, all depending on the particular situation at hand or the particular security failure that needs to be dealt with.

  Recovery Controls

  Any changes to the access control environment, whether in the face of a security incident or to offer temporary compensating controls, need to be accurately reinstated and returned to normal operations. There are several situations that may

  affect access controls, their applicability, status, or management.

  Events can include system outages, attacks, project changes, technical demands, administrative gaps, and full-blown disaster situations. For example, if an application is not correctly installed or deployed, it may adversely affect controls

  placed on system files or even have default administrative accounts unknowingly implemented upon install.

  Additionally, an employee may be transferred, quit, or be on temporary leave that may affect policy requirements regarding separation of duties. An attack on systems may have resulted in the implantation of a Trojan horse program,

  potentially exposing private user information, such as credit card information and financial data. In all of these cases, an undesirable situation must be rectified as quickly as possible and controls returned to normal operations.

  The following answers are incorrect:

  Preventive - Preventive controls are intended to avoid an incident from occurring

  Corrective - Corrective control fixes components or systems after an incident has occurred

  Recovery - Recovery controls are intended to bring the environment back to regular operations

  CISA Review Manual 2014 Page number 44

  and

  Official ISC2 CISSP guide 3rd edition Page number 50 and 51

• Question 1434:

  A business has requested an audit to determine whether information stored in an application is adequately protected. Which of the following is the MOST important action before the audit work begins?

  A. Review remediation reports
  B. Establish control objectives.
  C. Assess the threat landscape.
  D. Perform penetration testing.
  B. Establish control objectives.

  ---

  Explanation

  The most important action before the audit work begins is to establish control objectives. Control objectives are the specific goals or outcomes that the audit intends to achieve or verify in relation to the information protection in the application1. Control objectives provide the basis for designing and performing the audit procedures, evaluating the audit evidence, and reporting the audit findings and recommendations2. Control objectives also help to align the audit scope and criteria with the business needs and expectations, and to ensure that the audit is relevant, reliable, and efficient. Some examples of control objectives for an information protection audit are: To ensure that the information stored in the application is classified according to its sensitivity, value, and regulatory requirements To ensure that the information stored in the application is encrypted, masked, or anonymized as appropriate To ensure that the information stored in the application is accessible only by authorized users and processes To ensure that the information stored in the application is backed up, restored, and retained according to the business continuity and retention policies To ensure that the information stored in the application is monitored, logged, and audited for any unauthorized or anomalous activities Therefore, option B is the correct answer. Option A is not correct because reviewing remediation reports is not the most important action before the audit work begins. Remediation reports are documents that describe how previous audit findings or issues have been resolved or addressed by the auditee4. While reviewing remediation reports may be useful for understanding the current state of information protection in the application, it is not a prerequisite for defining the control objectives of the audit. Option C is not correct because assessing the threat landscape is not the most important action before the audit work begins. The threat landscape is the set of potential sources, methods, and impacts of cyberattacks or data breaches that may affect the information stored in the application5. While assessing the threat landscape may be helpful for identifying and prioritizing the risks and vulnerabilities of information protection in the application, it is not a prerequisite for defining the control objectives of the audit. Option D is not correct because performing penetration testing is not the most important action before the audit work begins. Penetration testing is a technique that simulates real- world cyberattacks or data breaches to test the security and resilience of information systems or applications.

• Question 1435:

  Which of the following parameters reflects the risk threshold for an organization experiencing a service disruption?

  A. Maximum tolerable outage (MTO)
  B. Recovery point objective (RPO)
  C. Service delivery objective (SDO)
  D. Allowable interruption window (AIW)
  A. Maximum tolerable outage (MTO)

  ---

  Explanation

  Explanation Maximum Tolerable Outage (MTO) (A) defines the longest time an organization can tolerate an IT service being unavailable before significant business impact occurs.It determines business continuity planning and disaster recovery strategies. Other options: RPO (B)defines acceptable data loss but does not determine the total outage limit. SDO (C)is related to service agreements but does not set the risk threshold. AIW (D)is similar to MTO but is not as commonly used in disaster recovery planning.

  ISACA CISA Review Manual, Information Systems Operations and Business Resilience

• Question 1436:

  Which of the following is MOST important when creating a forensic image of a hard drive?

  A. Requiring an independent third party be present while imaging
  B. Securing a backup copy of the hard drive
  C. Generating a content hash of the hard drive
  D. Choosing an industry-leading forensics software tool
  A. Requiring an independent third party be present while imaging

  ---

  Explanation

• Question 1437:

  Which of the following is the PRIMARY reason for an IS auditor to conduct post- implementation reviews?

  A. To determine whether project objectives in the business case have been achieved
  B. To ensure key stakeholder sign-off has been obtained
  C. To align project objectives with business needs
  D. To document lessons learned to improve future project delivery
  A. To determine whether project objectives in the business case have been achieved

  ---

  Explanation

  The primary reason for an IS auditor to conduct post-implementation reviews is to determine whether project objectives in the business case have been achieved. A post-implementation review is an audit activity that evaluates whether a project has delivered its expected outcomes or benefits in accordance with its objectives, scope, budget, and schedule. A business case is a document that defines and justifies the need, value, and feasibility of a project. A post-implementation review can help assess whether project objectives in the business case have been achieved by comparing actual results with planned expectations and identifying any gaps or deviations. The other options are not primary reasons for conducting post-implementation reviews, as they do not measure whether project objectives in the business case have been achieved. Ensuring key stakeholder sign-off has been obtained is a project closure activity that confirms that all project deliverables have been completed and accepted by key stakeholders, but it does not evaluate whether project objectives in the business case have been achieved. Aligning project objectives with business needs is a project initiation activity that ensures that the project is aligned with the organization's strategy, goals, and priorities, but it does not evaluate whether project objectives in the business case have been achieved. Documenting lessons learned to improve future project delivery is a project learning activity that captures and shares the knowledge, experience, and feedback gained from the project, but it does not evaluate whether project objectives in the business case have been achieved.

  References: CISA Review Manual (Digital Version), Chapter 3, Section 3.3

• Question 1438:

  During the planning stage of a compliance audit, an IS auditor discovers that a bank's inventory of compliance requirements does not include recent regulatory changes related to managing data risk. What should the auditor do FIRST?

  A. Ask management why the regulatory changes have not been Included.
  B. Discuss potential regulatory issues with the legal department
  C. Report the missing regulatory updates to the chief information officer (CIO).
  D. Exclude recent regulatory changes from the audit scope.
  A. Ask management why the regulatory changes have not been Included.

  ---

  Explanation

  Asking management why the regulatory changes have not been included is the first thing that an IS auditor should do during the planning stage of a compliance audit. An IS auditor should inquire about the reasons for not updating the inventory of compliance requirements with recent regulatory changes related to managing data risk. This will help the IS auditor to understand whether there is a gap in awareness, communication, or implementation of compliance obligations within the organization. The other options are not the first things that an IS auditor should do, but rather possible subsequent actions that may depend on management's response.

  References: CISA Review Manual (Digital Version), Chapter 2, Section 2.31 CISA Review Questions, Answers and Explanations Database, Question ID 214

• Question 1439:

  An organization is planning to implement a control self-assessment (CSA) program for selected business processes. Which of the following should be the role of the internal audit team for this program?

  A. Perform testing to validate the accuracy of management's self-assessment.
  B. Advise management on the self-assessment process.
  C. Design testing procedures for management to assess process controls effectively.
  D. De-scope business processes to be covered by CSAs from future audit plans.
  A. Perform testing to validate the accuracy of management's self-assessment.

  ---

  Explanation

  Comprehensive and Detailed Step-by-Step

  Theinternal audit team's roleinControl Self-Assessment (CSA)is toindependently validatemanagement's assessment to ensure accuracy and effectiveness. Perform Testing to Validate Management's Assessment (Correct Answer ?A)

  Advising Management (Incorrect ?B)

  Designing Testing Procedures (Incorrect ?C)

  De-Scoping Business Processes (Incorrect ?D)

  References:

  ISACA CISA Review Manual

  COBIT 2019: Control Self-Assessment

• Question 1440:

  If enabled within firewall rules, which of the following services would present the GREATEST risk?

  A. Simple mail transfer protocol (SMTP)
  B. Simple object access protocol (SOAP)
  C. Hypertext transfer protocol (HTTP)
  D. File transfer protocol (FTP)
  D. File transfer protocol (FTP)

  ---

  Explanation

  File transfer protocol (FTP) is a service that allows users to transfer files between computers over a network. If enabled within firewall rules, FTP would present the greatest risk, as it can expose sensitive data to unauthorized access, modification, or deletion. FTP does not provide encryption or authentication, which makes it vulnerable to eavesdropping, spoofing, and tampering attacks. Simple mail transfer protocol (SMTP), simple object access protocol (SOAP), and hypertext transfer protocol (HTTP) are also services that can be used to exchange data over a network, but they have more security features than FTP, such as encryption, authentication, or validation.

  References: CISA Review Manual (Digital Version)