Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1741:

  How does a continuous integration/continuous development (CI/CD) process help to reduce software failure risk?

  A. Easy software version rollback
  B. Smaller incremental changes
  C. Fewer manual milestones
  D. Automated software testing
  B. Smaller incremental changes

  ---

  Explanation

  A continuous integration/continuous development (CI/CD) process helps to reduce software failure risk by enabling smaller incremental changes to the software code, rather than large and infrequent updates. Smaller incremental changes

  allow developers to detect and fix errors, bugs, or vulnerabilities more quickly and easily, and to ensure that the software is always in a working state. Smaller incremental changes also reduce the complexity and uncertainty of the software

  development process, and improve the quality and reliability of the software product.

  References:

  1: What is CI/CD? Continuous integration and continuous delivery explained

  2: CI/CD challenges--and how to solve them | TechBeacon

  3: Continuous Integration vs Continuous Delivery vs Continuous Deployment

  4: CI/CD Challenges and their Must-Know Solutions | BrowserStack

  5: common pitfalls of CI/CD--and how to avoid them | InfoWorld

• Question 1742:

  A PRIMARY objective of risk management is to keep the total cost of risks below the:

  A. amount of losses that would materially damage the firm.
  B. average cost of physical security measures.
  C. administrative cost of risk management.
  D. estimated amount of losses included in the firm's budget
  A. amount of losses that would materially damage the firm.

  ---

  Explanation

  Explanation

• Question 1743:

  An IS auditor discovers that validation controls m a web application have been moved from the server side into the browser to boost performance This would MOST likely increase the risk of a successful attack by.

  A. phishing.
  B. denial of service (DoS)
  C. structured query language (SQL) injection
  D. buffer overflow
  C. structured query language (SQL) injection

  ---

  Explanation

  Moving validation controls from the server side into the browser would most likely increase the risk of a successful attack by structured query language (SQL) injection. SQL injection is a technique that exploits a security vulnerability in an application's database layer by inserting malicious SQL statements into user input fields. Validation controls are used to check and filter user input before sending it to the database. If these controls are moved to the browser, they can be easily bypassed or modified by an attacker, who can then execute arbitrary SQL commands on the database.

  References: CISA Review Manual, 27th Edition, page 361

• Question 1744:

  Which of the following is the BEST source of information for examining the classification of new data?

  A. Input by data custodians
  B. Security policy requirements
  C. Risk assessment results
  D. Current level of protection
  C. Risk assessment results

  ---

  Explanation

  The best source of information for examining the classification of new data is the risk assessment results, because they provide an objective and consistent basis for determining the value, sensitivity, and criticality of the data, as well as the potential impact of unauthorized disclosure, modification, or loss of the data12. The risk assessment results can help to define the appropriate classification levels and criteria for the data, such as public, internal, confidential, or restricted12. Input by data custodians, security policy requirements, and current level of protection are not the best sources of information for examining the classification of new data, because they may not reflect the actual risk exposure or business needs of the data.

  References: 1: CISA Review Manual (Digital Version), Chapter 5, Section 5.4.2 2: CISA Online Review Course, Module 5, Lesson 4

• Question 1745:

  A source code repository should be designed to:

  A. prevent changes from being incorporated into existing code.
  B. prevent developers from accessing secure source code.
  C. provide secure versioning and backup capabilities for existing code.
  D. provide automatic incorporation and distribution of modified code.
  C. provide secure versioning and backup capabilities for existing code.

  ---

  Explanation

  A source code repository is a system that stores and manages the source code of a software project. A source code repository should be designed to provide secure versioning and backup capabilities for existing code, as these are essential features for concurrent development, code quality, and disaster recovery. Versioning allows developers to track, compare, and revert changes to the code over time. Backup ensures that the code is safely stored and can be restored in case of data loss or corruption.

  References: Source Code Repositories: What is a Source Code Repository? Git Source Code Repository Design Considerations Best practices for repositories - GitHub Docs

• Question 1746:

  Which of the following is a method to prevent disclosure of classified documents printed on a shared printer?

  A. Using passwords to allow authorized users to send documents to the printer
  B. Requiring a key code to be entered on the printer to produce hard copy
  C. Encrypting the data stream between the user's computer and the printer
  D. Producing a header page with classification level for printed documents
  B. Requiring a key code to be entered on the printer to produce hard copy

  ---

  Explanation

  Requiring a key code to be entered on the printer to produce hard copy is a method to prevent disclosure of classified documents printed on a shared printer. This is because requiring a key code adds an extra layer of security and authentication to the printing process, ensuring that only authorized users can access and retrieve the printed documents. Requiring a key code also prevents unauthorized users from viewing or tampering with the documents while they are in the printer's queue or output tray1. Using passwords to allow authorized users to send documents to the printer is not a sufficient method to prevent disclosure of classified documents printed on a shared printer. This is because passwords only protect the transmission of the documents from the user's computer to the printer, but they do not protect the documents once they are printed. Passwords can also be compromised or forgotten by users, making them vulnerable to unauthorized access or denial of service. Encrypting the data stream between the user's computer and the printer is not a sufficient method to prevent disclosure of classified documents printed on a shared printer. This is because encryption only protects the confidentiality and integrity of the documents while they are in transit, but they do not protect the documents once they are printed. Encryption can also introduce performance issues or compatibility problems with different printers or devices. Producing a header page with classification level for printed documents is not a method to prevent disclosure of classified documents printed on a shared printer. This is because producing a header page only informs the users about the sensitivity and handling of the documents, but it does not prevent unauthorized users from accessing or viewing them. Producing a header page can also waste paper and ink, as well as increase the risk of misplacing or mixing up the documents

• Question 1747:

  An IS auditor has been asked to perform a post-implementation review of a newly developed system. When reviewing the testing phase results, the auditor observed that separate modules of the system tested correctly in the user acceptance testing (UAT) phase, but some features did not work as expected when moved to production. Which of the following was MOST likely omitted prior to implementation?

  A. Integration testing
  B. End-user training
  C. Full unit testing
  D. Parallel testing
  A. Integration testing

  ---

  Explanation

  Explanation

• Question 1748:

  An organization recently migrated Us data warehouse from a legacy system to a different architecture in the cloud. Which of the following should be of GREATEST concern to the IS auditor reviewing the new data architecture?

  A. The data was not cleansed before moving to the cloud data warehouse.
  B. The cloud data warehouse uses a hybrid cloud architecture.
  C. The migration analyst is not fully trained on the new tools.
  D. The data is stored in a multi-tenant environment.
  A. The data was not cleansed before moving to the cloud data warehouse.

  ---

  Explanation

• Question 1749:

  An IS auditor is reviewing an organizations release management practices and observes inconsistent and inaccurate estimation of the size and complexity of business application development projects. Which of the following should the auditor recommend to address this issue?

  A. Critical path methodology
  B. Agile development approach
  C. Function point analysis
  D. Rapid application development
  C. Function point analysis

  ---

  Explanation

• Question 1750:

  Regression testing should be used during a system development project to ensure that:

  A. system testing will address high-probability errors.
  B. the test plan is based on an analysis of the impact of past testing
  C. the results of testing are statistically vsalid
  D. errors have not been introduced to the system during modification
  D. errors have not been introduced to the system during modification

  ---

  Explanation