Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1731:

  Which of the following should be done FIRST when creating a data protection program?

  A. Implement data loss prevention (DLP) controls.
  B. Perform classification based on standards.
  C. Deploy intrusion detection systems (IDS).
  D. Test logical access controls for effectiveness.
  B. Perform classification based on standards.

  ---

  Explanation

• Question 1732:

  The use of access control lists (ACLs) is the MOST effective method to mitigate security risk for routers because they: (Identify Correct answer and related explanation/references from CISA Certification - Information Systems Auditor official Manual or book)

  A. are recommended by security standards.
  B. can limit Telnet and traffic from the open Internet.
  C. act as fitters between the world and the network.
  D. can detect cyberattacks.
  B. can limit Telnet and traffic from the open Internet.

  ---

  Explanation

  The use of access control lists (ACLs) is the most effective method to mitigate security risk for routers because they can limit Telnet and traffic from the open Internet. Telnet is a protocol that allows remote access to a device, which can pose a security threat if not properly controlled. Traffic from the open Internet can also contain malicious packets that can harm the network or the router itself. ACLs act as filters that can block or allow specific types of traffic based on predefined criteria, such as source and destination addresses, protocols, ports, and flags. By using ACLs, routers can prevent unauthorized access and reduce the exposure to potential attacks.

  References: Protecting Your Core: Infrastructure Protection Access Control Lists Definition, purposes, benefits, and functions of ACL CISA Review Manual 27th Edition, page 336

• Question 1733:

  The following findings are the result of an IS auditor's post-implementation review of a newly implemented system. Which of the following findings is of GREATEST significance?

  A. A lessons-learned session was never conducted.
  B. The projects 10% budget overrun was not reported to senior management.
  C. Measurable benefits were not defined.
  D. Monthly dashboards did not always contain deliverables.
  C. Measurable benefits were not defined.

  ---

  Explanation

  A post-implementation review (PIR) is a process to evaluate whether the objectives of the project were met, determine how effectively this was achieved, learn lessons for the future, and ensure that the organisation gets the most benefit from the implementation of projects. A PIR is an important tool for assessing the success and value of a project, as well as identifying the areas for improvement and best practices for future projects. One of the key elements of a PIR is to measure the benefits of the project against the expected outcomes and benefits that were defined at the beginning of the project. Measurable benefits are the quantifiable and verifiable results or outcomes that the project delivers to the organisation or its stakeholders, such as increased revenue, reduced costs, improved quality, enhanced customer satisfaction, or compliance with regulations. Measurable benefits should be aligned with the organisation's strategy, vision, and goals, and should be SMART (specific, measurable, achievable, relevant, and time-bound). The finding that measurable benefits were not defined is of greatest significance among the four findings, because it implies that: The project did not have a clear and agreed-upon purpose, scope, objectives, and deliverables The project did not have a valid and realistic business case or justification for its initiation and implementation The project did not have a robust and effective monitoring and evaluation mechanism to track its progress, performance, and impact The project did not have a reliable and transparent way to demonstrate its value proposition and return on investment to the organisation or its stakeholders The project did not have a meaningful and actionable way to learn from its achievements and challenges, and to improve its processes and practices Therefore, an IS auditor should recommend that measurable benefits are defined for any project before its implementation, and that they are reviewed and reported regularly during and after the project's completion. The other possible findings are: A lessons-learned session was never conducted: This is a significant finding, but not as significant as the lack of measurable benefits. A lessons-learned session is a process of capturing and documenting the knowledge, experience, and feedback gained from a project, both positive and negative. A lessons-learned session helps to identify the strengths and weaknesses of the project management process, as well as the best practices and lessons for future projects. A lessons-learned session should be conducted at the end of each project phase or milestone, as well as at the end of the project. However, even without a formal lessons-learned session, some learning may still occur informally or implicitly among the project team members or stakeholders. The projects 10% budget overrun was not reported to senior management: This is a significant finding, but not as significant as the lack of measurable benefits. A budget overrun is a situation where the actual cost of a project exceeds its planned or estimated cost. A budget overrun may indicate poor planning, estimation, or control of the project resources, or unexpected changes or risks that occurred during the project implementation. A budget overrun should be reported to senior management as soon as possible, along with the reasons for it and the corrective actions taken or proposed. However, a budget overrun may not necessarily affect the quality or value of the project deliverables or outcomes if they are still within acceptable standards or expectations. Monthly dashboards did not always contain deliverables: This is a significant finding, but not as significant as the lack of measurable benefits. A dashboard is a visual tool that displays key performance indicators (KPIs) or metrics related to a project's progress, status, or results. A dashboard helps to monitor and communicate the performance of a project to various stakeholders in a concise and clear manner. A dashboard should include deliverables as one of its components, along with other elements such as schedule, budget, quality, risks, issues, or benefits. However, even without deliverables in monthly dashboards, some information about them may still be available from other sources such as reports or documents.

  References: 1: What is Post-Implementation Review in Project Management? 2: The role and importance of the Post Implementation Review

• Question 1734:

  Which of the following is MOST critical to the success of an information security program?

  A. User accountability for information security
  B. Management's commitment to information security
  C. Integration of business and information security
  D. Alignment of information security with IT objectives
  B. Management's commitment to information security

  ---

  Explanation

  Management's commitment to information security is the most critical factor for the success of an information security program, as it sets the tone and direction for the organization's security culture and practices. Management's commitment is demonstrated by establishing a clear security policy, providing adequate resources, assigning roles and responsibilities, enforcing compliance, and supporting continuous improvement. The other options are important elements of an information security program, but they depend on management's commitment to be effective.

  References: CISA Review Manual (Digital Version) 1, page 439.

• Question 1735:

  Within the context of an IT-related governance framework, which type of organization would be considered MOST mature?

  A. An organization in which processes are repeatable and results periodically reviewed
  B. An organization m a state of dynamic growth with continuously updated policies and procedures
  C. An organization with established sets of documented standard processes
  D. An organization with processes systematically managed by continuous improvement
  D. An organization with processes systematically managed by continuous improvement

  ---

  Explanation

• Question 1736:

  Which of the following is the MOST effective control for protecting the confidentiality and integrity of data stored unencrypted on virtual machines?

  A. Monitor access to stored images and snapshots of virtual machines.
  B. Restrict access to images and snapshots of virtual machines.
  C. Limit creation of virtual machine images and snapshots.
  D. Review logical access controls on virtual machines regularly.
  A. Monitor access to stored images and snapshots of virtual machines.

  ---

  Explanation

  The most effective control for protecting the confidentiality and integrity of data stored unencrypted on virtual machines is to monitor access to stored images and snapshots of virtual machines. Images and snapshots are copies of virtual machines that can be used for backup, restoration, or cloning purposes. If data stored on virtual machines are unencrypted, they may be exposed or compromised if unauthorized or malicious users access or copy the images or snapshots. Therefore, monitoring access to stored images and snapshots can help detect and prevent any unauthorized or suspicious activities, and provide audit trails for accountability and investigation. Restricting access to images and snapshots of virtual machines, limiting creation of virtual machine images and snapshots, and reviewing logical access controls on virtual machines regularly are not the most effective controls for protecting the confidentiality and integrity of data stored unencrypted on virtual machines. These controls may help reduce the risk or impact of data exposure or compromise, but they do not provide sufficient visibility or assurance of data protection. Restricting access to images and snapshots may not prevent authorized users from abusing their privileges or credentials. Limiting creation of virtual machine images and snapshots may not address the existing copies that may contain sensitive data. Reviewing logical access controls on virtual machines regularly may not reflect the actual access activities on images and snapshots.

• Question 1737:

  Which of the following should be an IS auditor's GREATEST concern when evaluating an organization's ability to recover from system failures?

  A. Data backups being stored onsite
  B. Lack of documentation for data backup procedures
  C. Inadequate backup job monitoring
  D. Lack of periodic data backup restoration testing
  D. Lack of periodic data backup restoration testing

  ---

  Explanation

  Explanation

• Question 1738:

  Which of the following layer of an enterprise data flow architecture does the scheduling of the tasks necessary to build and maintain the Data Warehouse (DW) and also populates Data Marts?

  A. Data preparation layer
  B. Desktop Access Layer
  C. Warehouse management layer
  D. Data access layer
  C. Warehouse management layer

  ---

  Explanation

  Warehouse Management Layer ?The function of this layer is the scheduling of the tasks necessary to build and maintain the DW and populate data marts. This layer is also involved in administration of security.

  For CISA exam you should know below information about business intelligence:

  Business intelligence(BI) is a broad field of IT encompasses the collection and analysis of information to assist decision making and assess organizational performance. To deliver effective BI, organizations need to design and implement a

  data architecture. The complete data architecture consists of two components

  The enterprise data flow architecture (EDFA)

  A logical data architecture

  Various layers/components of this data flow architecture are as follows:

  Presentation/desktop access layer ?This is where end users directly deal with information. This layer includes familiar desktop tools such as spreadsheets, direct querying tools, reporting and analysis suits offered by vendors such as Congas

  and business objects, and purpose built application such as balanced source cards and digital dashboards.

  Data Source Layer ?Enterprise information derives from number of sources:

  Operational data ?Data captured and maintained by an organization's existing systems, and usually held in system-specific database or flat files. External Data ?Data provided to an organization by external sources. This could include data

  such as customer demographic and market share information.

  Nonoperational data ?Information needed by end user that is not currently maintained in a computer accessible format.

  Core data warehouse ?This is where all the data of interest to an organization is captured and organized to assist reporting and analysis. DWs are normally instituted as large relational databases. A property constituted DW should support

  three basic form of an inquiry.

  Drilling up and drilling down ?Using dimension of interest to the business, it should be possible to aggregate data as well as drill down. Attributes available at the more granular levels of the warehouse can also be used to refine the analysis.

  Drill across ?Use common attributes to access a cross section of information in the warehouse such as sum sales across all product lines by customer and group of customers according to length of association with the company. Historical

  Analysis ?The warehouse should support this by holding historical, time variant data. An example of historical analysis would be to report monthly store sales and then repeat the analysis using only customer who were preexisting at the start

  of the year in order to separate the effective new customer from the ability to generate repeat business with existing customers.

  Data Mart Layer ?Data mart represents subset of information from the core DW selected and organized to meet the needs of a particular business unit or business line. Data mart can be relational databases or some form on-line analytical

  processing (OLAP) data structure.

  Data Staging and quality layer ?This layer is responsible for data copying, transformation into DW format and quality control. It is particularly important that only reliable data into core DW. This layer needs to be able to deal with problems

  periodically thrown by operational systems such as change to account number format and reuse of old accounts and customer numbers.

  Data Access Layer ?This layer operates to connect the data storage and quality layer with data stores in the data source layer and, in the process, avoiding the need to know to know exactly how these data stores are organized. Technology

  now permits SQL access to data even if it is not stored in a relational database.

  Data Preparation layer ?This layer is concerned with the assembly and preparation of data for loading into data marts. The usual practice is to per-calculate the values that are loaded into OLAP data repositories to increase access speed. Data mining is concern with exploring large volume of data to determine patterns and trends of information. Data mining often identifies patterns that are counterintuitive due to number and complexity of data relationships. Data quality needs to be very high to not corrupt the result.

  Metadata repository layer ?Metadata are data about data. The information held in metadata layer needs to extend beyond data structure names and formats to provide detail on business purpose and context. The metadata layer should be

  comprehensive in scope, covering data as they flow between the various layers, including documenting transformation and validation rules.

  Warehouse Management Layer ?The function of this layer is the scheduling of the tasks necessary to build and maintain the DW and populate data marts. This layer is also involved in administration of security.

  Application messaging layer ?This layer is concerned with transporting information between the various layers. In addition to business data, this layer encompasses generation, storage and targeted communication of control messages.

  Internet/Intranet layer ?This layer is concerned with basic data communication. Included here are browser based user interface and TCP/IP networking.

  Various analysis models used by data architects/ analysis follows:

  Activity or swim-lane diagram ?De-construct business processes.

  Entity relationship diagram ?Depict data entities and how they relate. These data analysis methods obviously play an important part in developing an enterprise data model. However, it is also crucial that knowledgeable business operative is

  involved in the process. This way proper understanding can be obtained of the business purpose and context of the data. This also mitigates the risk of replication of suboptimal data configuration from existing systems and database into DW.

  The following were incorrect answers:

  Desktop access layer or presentation layer is where end users directly deal with information. This layer includes familiar desktop tools such as spreadsheets, direct querying tools, reporting and analysis suits offered by vendors such as

  Congas and business objects, and purpose built application such as balanced source cards and digital dashboards.

  Data preparation layer ?This layer is concerned with the assembly and preparation of data for loading into data marts. The usual practice is to per-calculate the values that are loaded into OLAP data repositories to increase access speed.

  Data access layer ?his layer operates to connect the data storage and quality layer with data stores in the data source layer and, in the process, avoiding the need to know to know exactly how these data stores are organized. Technology

  now permits SQL access to data even if it is not stored in a relational database.

  CISA review manual 2014 Page number 188

• Question 1739:

  An organization has alternative links in its wide area network (WAN) to provide redundancy. However, each time there is a problem with a link, network administrators have to update the configuration to divert traffic to the other link. Which of the following would be an IS auditor's BEST recommendation?

  A. Reduce the number of alternative links.
  B. Implement a load-balancing mechanism.
  C. Configure a non-proprietary routing protocol.
  D. Implement an exterior routing protocol.
  B. Implement a load-balancing mechanism.

  ---

  Explanation

  Explanation

• Question 1740:

  Which of the following is MOST important to ensure when reviewing a global organization's controls to protect data held on its IT infrastructure across all of its locations?

  A. Relevant data protection legislation and regulations for each location are adhered to.
  B. Technical capabilities exist in each location to manage the data and recovery operations
  C. The capacity of underlying communications infrastructure in the host locations is sufficient.
  D. The threat of natural disasters in each location hosting infrastructure has been accounted for.
  A. Relevant data protection legislation and regulations for each location are adhered to.

  ---

  Explanation