Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1551:

  Which of the following is the BEST way to address potential data privacy concerns associated with inadvertent disclosure of machine identifier information contained within security logs?

  A. Unit the use of logs to only those purposes for which they were collected
  B. Restrict the transfer of log files from host machine to online storage
  C. Only collect logs from servers classified as business critical
  D. Limit log collection to only periods of increased security activity
  A. Unit the use of logs to only those purposes for which they were collected

  ---

  Explanation

  Limiting the use of logs to only those purposes for which they were collected is the best way to address potential data privacy concerns associated with inadvertent disclosure of machine identifier information contained within security logs, because it minimizes the risk of unauthorized access, misuse, or leakage of personal data that may be embedded in the logs. Logs should be collected and processed in accordance with the data protection principles and regulations, such as the General Data Protection Regulation (GDPR)12. Restricting the transfer of log files from host machine to online storage, only collecting logs from servers classified as business critical, and limiting log collection to only periods of increased security activity are not effective ways to address data privacy concerns, because they do not prevent or mitigate the potential disclosure of personal data in the logs.

  References: 1: CISA Review Manual (Digital Version), Chapter 5, Section

  5.4.4 2: CISA Online Review Course, Module 5, Lesson 4

• Question 1552:

  Which of the following is the PRIMARY reason to involve IS auditors in the software acquisition process?

  A. To help ensure hardware and operating system requirements are considered
  B. To help ensure proposed contracts and service level agreements (SLAs) address key elements
  C. To help ensure the project management process complies with policies and procedures
  D. To help ensure adequate controls to address common threats and risks are considered
  A. To help ensure hardware and operating system requirements are considered

  ---

  Explanation

• Question 1553:

  During an organization's implementation of a data loss prevention (DLP) solution, which of the following activities should be completed FIRST?

  A. Configuring reports
  B. Configuring rule sets
  C. Enabling detection points
  D. Establishing exceptions workflow
  B. Configuring rule sets

  ---

  Explanation

  Configuring rule sets is the first activity that should be completed during the implementation of a DLP solution, because rule sets define the criteria and actions for identifying, monitoring, and preventing data loss incidents. Rule sets are based

  on the organization's data classification, policies, and requirements, and they help to ensure that the DLP solution is aligned with the business objectives and risk appetite. Configuring rule sets before enabling detection points, establishing

  exceptions workflow, or configuring reports helps to avoid false positives, false negatives, or unnecessary alerts.

  References:

  1: 3.13: Deploy a Data Loss Prevention Solution - Read the Docs

  2: Plan and implement data loss prevention (DLP) [Guided] - NICCS

  3: CONTINUOUS DIAGNOSTICS AND MITIGATION PROGRAM DATA PROTECTION ...- CISA

  4: Continuous Diagnostics and Mitigation Program Technical ... - CISA

  5: Data Loss Prevention Best Practices - ISACA Journal

• Question 1554:

  During a follow-up audit, an IS auditor concludes that a previously identified issue has not been adequately remediated. The auditee insists the risk has been addressed. The auditor should:

  A. recommend an independent assessment by a third party
  B. report the disagreement according to established procedures
  C. follow-up on the finding next year
  D. accept the auditee's position and close the finding
  A. recommend an independent assessment by a third party

  ---

  Explanation

• Question 1555:

  Which of the following is me GREATE ST impact as a result of the ongoing deterioration of a detective control?

  A. Increased number of false negatives in security logs
  B. Decreased effectiveness of roof cause analysis
  C. Decreased overall recovery time
  D. Increased demand for storage space for logs
  A. Increased number of false negatives in security logs

  ---

  Explanation

  The greatest impact as a result of the ongoing deterioration of a detective control is an increased number of false negatives in security logs. A detective control is a control that monitors and identifies any deviations or anomalies from the expected or normal behavior or performance of a system or process. A security log is a record of events or activities that occur within a system or network, such as user access, file changes, system errors, or security incidents. A false negative is a situation where a security log fails to detect or report an actual deviation or anomaly that has occurred, such as an unauthorized access, a malicious modification, or a security breach. An increased number of false negatives in security logs can have a significant impact on the organization's security posture and risk management, because it can prevent timely detection and response to security threats, compromise the accuracy and reliability of security monitoring and reporting, and undermine the accountability and auditability of user actions and transactions. The other options are not as impactful as an increased number of false negatives in security logs, because they either do not affect the detection capability of a detective control, or they have less severe consequences for security management.

  References: CISA Review Manual (Digital Version)1, Chapter 5, Section 5.2.1

• Question 1556:

  What is the BEST control to address SQL injection vulnerabilities?

  A. Unicode translation
  B. Secure Sockets Layer (SSL) encryption
  C. Input validation
  D. Digital signatures
  C. Input validation

  ---

  Explanation

  Input validation is the best control to address SQL injection vulnerabilities, because it can prevent malicious users from entering SQL commands or statements into input fields that are intended for data entry, such as usernames or passwords. SQL injection is a technique that exploits a security vulnerability in an application's software by inserting SQL code into a query string that can execute commands on a database server. Unicode translation, SSL encryption, and digital signatures are not effective controls against SQL injection, because they do not prevent or detect SQL code injection into input fields.

  References: CISA Review Manual (Digital Version), Chapter 5, Section 5.4.2

• Question 1557:

  Which of the following components of a risk assessment is MOST helpful to management in determining the level of risk mitigation to apply?

  A. Risk classification
  B. Control self-assessment (CSA)
  C. Risk identification
  D. Impact assessment
  D. Impact assessment

  ---

  Explanation

• Question 1558:

  When auditing an organization's software acquisition process the BEST way for an IS auditor to understand the software benefits to the organization would be to review the

  A. feasibility study
  B. business case
  C. request for proposal (RFP)
  D. alignment with IT strategy
  B. business case

  ---

  Explanation

  The best way for an IS auditor to understand the software benefits to the organization would be to review the business case, which is a document that provides the justification and rationale for acquiring a software solution based on its expected costs, benefits, risks, and alignment with the organization's goals and strategies. The business case helps to evaluate the feasibility and viability of the software acquisition and to support the decision-making process. A feasibility study is a document that analyzes the technical, operational, economic, legal, and social aspects of a software solution to determine its feasibility and suitability for the organization's needs, but it does not necessarily provide a clear indication of the software benefits to the organization. A request for proposal (RFP) is a document that solicits proposals from potential vendors or suppliers for a software solution based on the organization's requirements and specifications, but it does not necessarily provide a clear indication of the software benefits to the organization. The alignment with IT strategy is a factor that influences the software acquisition process and ensures that the software solution supports and enables the organization's IT strategy, but it is not a document that can be reviewed by an IS auditor to understand the software benefits to the organization.

  References: CISA Review Manual (Digital Version), Chapter 3: Information Systems Acquisition, Development and Implementation, Section 3.1: Business Case Development

• Question 1559:

  The PRIMARY purpose of an incident response plan is to:

  A. reduce the impact of an adverse event on information assets.
  B. increase the effectiveness of preventive controls.
  C. reduce the maximum tolerable downtime (MTD) of impacted systems.
  D. increase awareness of impacts from adverse events to IT systems.
  A. reduce the impact of an adverse event on information assets.

  ---

  Explanation

  The primary purpose of an incident response plan is to reduce the impact of an adverse event on information assets. An incident response plan is a set of instructions and procedures that guide the organization's actions in the event of a security breach, cyberattack, or other disruption that affects its information systems and data. An incident response plan aims to: Detect and identify the incident as soon as possible. Contain and isolate the incident to prevent further damage or spread. Analyze and investigate the incident to determine its cause, scope, and impact. Eradicate and eliminate the incident and its root causes from the affected systems and data. Recover and restore the normal operations and functionality of the systems and data. Learn and improve from the incident by documenting the lessons learned, best practices, and recommendations for future prevention and mitigation. By following an incident response plan, the organization can minimize the negative consequences of an adverse event on its information assets, such as: Loss or corruption of data or information. Disclosure or theft of confidential or sensitive data or information. Interruption or degradation of system or service availability or performance. Legal or regulatory noncompliance or liability. Financial or reputational loss or damage. An incident response plan also helps the organization to demonstrate its due diligence and accountability in protecting its information assets and complying with its legal and contractual obligations. The other options are not the primary purpose of an incident response plan, although they may be secondary benefits or outcomes of having one. Increasing the effectiveness of preventive controls is not the primary purpose of an incident response plan. Preventive controls are controls that aim to prevent or deter incidents from occurring in the first place, such as firewalls, antivirus software, encryption, authentication, etc. An incident response plan is a reactive control that deals with incidents after they have occurred. However, an incident response plan may help to improve the effectiveness of preventive controls by identifying and addressing their weaknesses or gaps. Reducing the maximum tolerable downtime (MTD) of impacted systems is not the primary purpose of an incident response plan. MTD is a measure of how long an organization can tolerate a system or service outage before it causes unacceptable harm or loss to its business operations or objectives. An incident response plan may help to reduce the MTD of impacted systems by facilitating a faster and smoother recovery process. However, reducing the MTD is not the main goal of an incident response plan, but rather a desired outcome. Increasing awareness of impacts from adverse events to IT systems is not the primary purpose of an incident response plan. Awareness is a state of being informed or conscious of something. An incident response plan may help to increase awareness of impacts from adverse events to IT systems by providing information and communication channels for stakeholders, such as management, employees, customers, regulators, etc. However, increasing awareness is not the main objective of an incident response plan, but rather a means to achieve other objectives, such as reducing impact, ensuring compliance, or maintaining trust.

• Question 1560:

  Which of the following areas is MOST likely to be overlooked when implementing a new data classification process?

  A. End-user computing (EUC) systems
  B. Email attachments
  C. Data sent to vendors
  D. New system applications
  A. End-user computing (EUC) systems

  ---

  Explanation

  The area that is most likely to be overlooked when implementing a new data classification process is end-user computing (EUC) systems. EUC systems are applications or tools that are developed or customized by end users, often without formal IT involvement or approval. EUC systems may contain sensitive or confidential data that need to be classified and protected according to the organization's policies and standards. However, EUC systems may not be subject to the same controls, oversight, or documentation as formal IT systems, and may not be included in the scope of the data classification process. Therefore, EUC systems pose a significant risk of data leakage, unauthorized access, or noncompliance. The other areas (B, C and D) are less likely to be overlooked, as they are more visible and manageable by the IT department or the data owners.

  References: IS Audit and Assurance Guideline 2202: Evidence Collection Techniques, CISA Review Manual (Digital Version), Chapter 5: Protection of Information Assets, Section 5.2: Data Classification