Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1561:

  Planning for the implementation of an information security program is MOST effective when it:

  A. uses risk-based analysis for security projects.
  B. applies technology-driven solutions to identified needs.
  C. uses decision trees to prioritize security projects.
  D. applies gap analysis to current and future business plans.
  D. applies gap analysis to current and future business plans.

  ---

  Explanation

• Question 1562:

  The use of control totals satisfies which of the following control objectives?

  A. Transaction integrity
  B. Processing integrity
  C. Distribution control
  D. System recoverability
  B. Processing integrity

  ---

  Explanation

  The use of control totals satisfies the control objective of processing integrity. Processing integrity refers to the accuracy, completeness, timeliness, and validity of data processing. Control totals are a method of verifying the correctness of data processing by comparing the total value or count of a batch of transactions before and after processing. For example, if a batch of 100 invoices is entered into an accounting system, the total amount and number of invoices should match before and after processing. If there is a discrepancy, it indicates an error in data entry, transmission, or processing. Control totals help to ensure that no transactions are lost, duplicated, or altered during processing.

  References: Control Objectives and Activities: Examples, Appropriateness Levels and Types of Control | Principles of Management CISA Review Manual 27th Edition, page 337

• Question 1563:

  An organization is enhancing the security of a client-facing web application following a proposal to acquire personal information for a business purpose. Which of the following is MOST important to review before implementing this initiative?

  A. Regulatory compliance requirements
  B. Data ownership assignments
  C. Encryption capabilities
  D. Customer notification procedures
  A. Regulatory compliance requirements

  ---

  Explanation

• Question 1564:

  A startup organization wants to develop a data loss prevention (DLP) program. The FIRST step should be to implement:

  A. Security awareness training
  B. Data encryption
  C. Data classification
  D. Access controls
  C. Data classification

  ---

  Explanation

• Question 1565:

  What is the BEST way to reduce the risk of inaccurate or misleading data proliferating through business intelligence systems?

  A. Establish rules for converting data from one format to another
  B. Implement data entry controls for new and existing applications
  C. Implement a consistent database indexing strategy
  D. Develop a metadata repository to store and access metadata
  A. Establish rules for converting data from one format to another

  ---

  Explanation

  The best way to reduce the risk of inaccurate or misleading data proliferating through business intelligence systems is to establish rules for converting data from one format to another, because this ensures that the data quality and integrity are maintained throughout the data transformation process. Data conversion rules define the standards, procedures, and methods for transforming data from different sources and formats into a common format and structure that can be used by the business intelligence systems12. Implementing data entry controls for new and existing applications, implementing a consistent database indexing strategy, and developing a metadata repository to store and access metadata are not the best ways to reduce the risk of inaccurate or misleading data proliferating through business intelligence systems, because they do not address the issue of data conversion, which is a critical step in the data integration process for business intelligence systems.

  References: 1: CISA Review Manual (Digital Version), Chapter 4, Section 4.3.3 2: CISA Online Review Course, Module 4, Lesson 3

• Question 1566:

  Which of the following is the MOST effective mechanism for ensuring that critical IT operational problems are reported to executive management in a timely manner?

  A. Regular meetings
  B. Escalation procedures
  C. Service level monitoring
  D. Periodic status reports
  C. Service level monitoring

  ---

  Explanation

• Question 1567:

  Which of the following is an objective of IT project portfolio management?

  A. Successful implementation of projects
  B. Selection of sound, strategically aligned investment opportunities
  C. Validation of business case benefits
  D. Establishment of tracking mechanisms
  A. Successful implementation of projects

  ---

  Explanation

  Explanation

• Question 1568:

  Which of the following is the MOST significant risk when an application uses individual end- user accounts to access the underlying database?

  A. Multiple connects to the database are used and slow the process_
  B. User accounts may remain active after a termination.
  C. Users may be able to circumvent application controls.
  D. Application may not capture a complete audit trail.
  C. Users may be able to circumvent application controls.

  ---

  Explanation

  The most significant risk when an application uses individual end-user accounts to access the underlying database is that users may be able to circumvent application controls. Application controls are the policies, procedures, and mechanisms that ensure the accuracy, completeness, validity, and authorization of transactions and data within an application. Application controls can include input validation, output verification, processing logic, reconciliation, exception handling, and audit trails. Application controls can help prevent or detect errors, fraud, or unauthorized access or modification of data. However, if an application uses individual end-user accounts to access the underlying database, it means that the users have direct access to the database without going through the application layer. This can expose the database to potential risks such as: Users may be able to bypass the application controls and manipulate the data in the database directly using SQL commands or other tools. For example, users may be able to change their own or others' salaries, grades, or balances without proper authorization or validation. Users may be able to access or disclose sensitive or confidential data that they are not supposed to see or share. For example, users may be able to view other users' personal information, passwords, or credit card numbers. Users may be able to introduce errors or inconsistencies in the data by entering invalid or incorrect data or by deleting or modifying existing data. For example, users may be able to create duplicate records, break referential integrity, or cause data loss or corruption. Users may be able to compromise the security and performance of the database by creating unauthorized objects, granting excessive privileges, executing malicious code, or consuming excessive resources. For example, users may be able to create backdoors, viruses, or denial-of-service attacks. Therefore, using individual end-user accounts to access the underlying database can pose a serious threat to the integrity, confidentiality, availability, and reliability of the data and the application. The other options are not as significant as option

  C. Multiple connects to the database are used and slow the process is a performance issue that can affect the efficiency and responsiveness of the application and the database, but it does not necessarily compromise the data quality or security. User accounts may remain active after a termination is a security issue that can increase the risk of unauthorized access or misuse of data by former employees or others who have access to their credentials, but it can be mitigated by implementing proper account management and monitoring processes. Application may not capture a complete audit trail is a compliance issue that can affect the accountability and traceability of transactions and data within the application and the database, but it does not directly affect the data accuracy or protection.

  References: Should application users be database users? - Stack Overflow1 An Approach Toward Sarbanes-Oxley ITGC Risk Assessment - ISACA2 ISACA CISA Certified Information Systems Auditor Exam ... - PUPUWEB3 Why inactive accounts are a security risk | Stratosphere4

• Question 1569:

  An IS audit review identifies inconsistencies in privacy requirements across third-party service provider contracts. Which of the following is the BEST recommendation to address this situation?

  A. Suspend contracts with third-party providers that handle sensitive data.
  B. Prioritize contract amendments for third-party providers.
  C. Review privacy requirements when contracts come up for renewal.
  D. Require third-party providers to sign nondisclosure agreements (NDAs).
  B. Prioritize contract amendments for third-party providers.

  ---

  Explanation

  The best recommendation to address the situation of inconsistencies in privacy requirements across third-party service provider contracts is to prioritize contract amendments for third-party providers. This is because: Privacy requirements are essential to ensure the protection of personal information and compliance with relevant laws and regulations, such as the GDPR and the CCPA123. Inconsistencies in privacy requirements can create risks of data breaches, legal liabilities, reputational damage, and consumer distrust for the organization that outsources its data processing to third-party providers. Suspending contracts with third-party providers that handle sensitive data (option A) is not a feasible or effective solution, as it may disrupt the business operations and cause contractual penalties or disputes. Reviewing privacy requirements when contracts come up for renewal (option C) is not a proactive or timely approach, as it may leave the organization exposed to privacy risks for a long period of time until the contracts expire. Requiring third-party providers to sign nondisclosure agreements (NDAs) (option D) is not a sufficient measure, as NDAs only cover the confidentiality of information, but not other aspects of privacy, such as data minimization, retention, access, deletion, and security. Therefore, the best recommendation is to prioritize contract amendments for third-party providers (option B), as this would allow the organization to align the privacy requirements with its own policies and standards, as well as with the applicable laws and regulations. This would also enable the organization to monitor and audit the compliance of third-party providers with the privacy requirements and enforce appropriate remedies or sanctions in case of noncompliance.

• Question 1570:

  Which of the following should be done FIRST when planning a penetration test?

  A. Execute nondisclosure agreements (NDAs).
  B. Determine reporting requirements for vulnerabilities.
  C. Define the testing scope.
  D. Obtain management consent for the testing.
  D. Obtain management consent for the testing.

  ---

  Explanation

  The first step when planning a penetration test is to obtain management consent for the testing. This is because a penetration test involves simulating a cyberattack against the organization's systems and networks, which may have legal, ethical, and operational implications. Without proper authorization from management, a penetration test may violate laws, policies, contracts, or service level agreements. Management consent also helps define the objectives, scope, and boundaries of the test, as well as the roles and responsibilities of the testers and the stakeholders. Obtaining management consent for the testing also demonstrates due care and due diligence on the part of the testers and the organization. Executing nondisclosure agreements (NDAs), determining reporting requirements for vulnerabilities, and defining the testing scope are important steps when planning a penetration test, but they are not the first step. These steps should be done after obtaining management consent for the testing, as they depend on the approval and involvement of management and other parties.