Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1681:

  The MOST efficient way to confirm that an ERP system being implemented satisfies business expectations is to utilize which of the following types of testing?

  A. Parallel
  B. Pilot
  C. Sociability
  D. Alpha
  B. Pilot

  ---

  Explanation

• Question 1682:

  An IS auditor is reviewing the disaster recovery plan (DRP) of an organization with offices across multiple regions. Which of the following should be the auditor's PRIMARY focus?

  A. Recovery point objective (RPO) monitoring
  B. Processes and system dependencies
  C. Disaster recovery training
  D. Data backup and storage changes
  B. Processes and system dependencies

  ---

  Explanation

  Explanation

• Question 1683:

  Which of the following should be an IS auditor's GREATEST concern when a security audit reveals the organization's vulnerability assessment approach is limited to running a vulnerability scanner on its network?

  A. A scanner does not exploit the vulnerability in the systems.
  B. External risks in the organization's environment may go undetected.
  C. Some of the vulnerabilities discovered may be false positives.
  D. System performance may be degraded by the scanner.
  B. External risks in the organization's environment may go undetected.

  ---

  Explanation

• Question 1684:

  What would be an IS auditor's BEST recommendation upon finding that a third-party IT service provider hosts the organization's human resources (HR) system in a foreign country?

  A. Perform background verification checks.
  B. Review third-party audit reports.
  C. Implement change management review.
  D. Conduct a privacy impact analysis.
  D. Conduct a privacy impact analysis.

  ---

  Explanation

  The best recommendation for an IS auditor when finding that a third-party IT service provider hosts the organization's HR system in a foreign country is to conduct a privacy impact analysis. A privacy impact analysis is a systematic process that identifies and evaluates the potential risks and impacts of collecting, using, disclosing, and storing personal information. A privacy impact analysis will help the IS auditor to assess the legal, regulatory, contractual, and ethical obligations of the organization and the service provider regarding the protection of personal information. A privacy impact analysis will also help to identify and mitigate any privacy risks and gaps in the service level agreement.

  References: CISA Certification | Certified Information Systems Auditor | ISACA CISA Questions, Answers and Explanations Database

• Question 1685:

  From an IS auditor's perspective, which of the following would be the GREATEST risk associated with an incomplete inventory of deployed software in an organization?

  A. Inability to close unused ports on critical servers
  B. Inability to identify unused licenses within the organization
  C. Inability to deploy updated security patches
  D. Inability to determine the cost of deployed software
  C. Inability to deploy updated security patches

  ---

  Explanation

  The greatest risk associated with an incomplete inventory of deployed software in an organization is the inability to deploy updated security patches. Security patches are updates that fix vulnerabilities or bugs in software that could be exploited by attackers. Without an accurate inventory of software versions and configurations, it is difficult to identify and apply the relevant patches in a timely manner, which exposes the organization to increased security risks. Inability to close unused ports on critical servers, inability to identify unused licenses within the organization, and inability to determine the cost of deployed software are not as critical as security risks.

  References: ISACA CISA Review Manual 27th Edition, page 308

• Question 1686:

  Which of the following BEST supports an organization's objective of restricting the use of removable storage devices by users?

  A. Data management policy
  B. Updated anti-malware solutions
  C. Data loss prevention (DLP)
  D. Online monitoring
  C. Data loss prevention (DLP)

  ---

  Explanation

• Question 1687:

  Which of the following is the PRIMARY benefit of benchmarking an organization's software development lifecycle practices against a capability maturity model?

  A. Reliable products are guaranteed.
  B. Repeatable software development procedures are established.
  C. Programmers' efficiency is improved.
  D. Security requirements are added to software development processes.
  B. Repeatable software development procedures are established.

  ---

  Explanation

• Question 1688:

  In a database management system (DBMS) normalization is used to:

  A. standardize data names
  B. reduce data redundancy
  C. eliminate processing deadlocks
  D. reduce access time
  B. reduce data redundancy

  ---

  Explanation

• Question 1689:

  During a review, an IS auditor discovers that corporate users are able to access cloud- based applications and data from any Internet-connected web browser.

  Which of the following is the auditor's BEST recommendation to help prevent unauthorized access?

  A. Utilize strong anti-malware controls on all computing devices.
  B. Update security policies and procedures.
  C. Implement an intrusion detection system (IDS).
  D. Implement multi-factor authentication.
  D. Implement multi-factor authentication.

  ---

  Explanation

• Question 1690:

  Retention periods and conditions for the destruction of personal data should be determined by the.

  A. risk manager.
  B. database administrator (DBA).
  C. privacy manager.
  D. business owner.
  D. business owner.

  ---

  Explanation

  The business owner is the person or entity that has the authority and responsibility for defining the purpose and scope of the processing of personal data, as well as the expected outcomes and benefits. The business owner is also accountable for ensuring that the processing of personal data complies with the applicable laws and regulations, such as the General Data Protection Regulation (GDPR) or the Data Protection Act 2018 (DPA 2018). One of the requirements of the GDPR and the DPA 2018 is to adhere to the principle of storage limitation, which states that personal data should be kept for no longer than is necessary for the purposes for which it is processed1. This means that the business owner should determine and justify how long they need to retain personal data, based on factors such as: The nature and sensitivity of the personal data The legal or contractual obligations or rights that apply to the personal data The business or operational needs and expectations that depend on the personal data The risks and impacts that may arise from retaining or deleting the personal data The business owner should also establish and document the conditions and methods for the destruction of personal data, such as: The criteria and triggers for deciding when to destroy personal data The procedures and tools for securely erasing or anonymising personal data The roles and responsibilities for carrying out and overseeing the destruction of personal data The records and reports for verifying and evidencing the destruction of personal data Therefore, retention periods and conditions for the destruction of personal data should be determined by the business owner, as they are in charge of defining and managing the processing of personal data, as well as ensuring its compliance with the law.