Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1751:

  Which of the following should be of GREATEST concern for an IS auditor reviewing an organization's disaster recovery plan (DRP)?

  A. The DRP has not been formally approved by senior management.
  B. The DRP has not been distributed to end users.
  C. The DRP has not been updated since an IT infrastructure upgrade.
  D. The DRP contains recovery procedures for critical servers only.
  C. The DRP has not been updated since an IT infrastructure upgrade.

  ---

  Explanation

  The greatest concern for an IS auditor reviewing an organization's disaster recovery plan (DRP) is that the DRP has not been updated since an IT infrastructure upgrade. This could render the DRP obsolete or ineffective, as it may not reflect the current configuration, dependencies or recovery requirements of the IT systems. The IS auditor should ensure that the DRP is reviewed and updated regularly to align with any changes in the IT environment. The DRP has not been formally approved by senior management is a concern for an IS auditor reviewing an organization's DRP, but it is not as critical as ensuring that the DRP is up to date and valid. The DRP has not been distributed to end users or the DRP contains recovery procedures for critical servers only are issues that relate to the communication or scope of the DRP, but not to its validity or effectiveness.

  References: ISACA, CISA Review Manual, 27th Edition, 2018, page 389

• Question 1752:

  Which of the following is the BEST way for management to ensure the effectiveness of the cybersecurity incident response process?

  A. Periodic reporting of cybersecurity incidents to key stakeholders
  B. Periodic update of incident response process documentation
  C. Periodic cybersecurity training for staff involved in incident response
  D. Periodic tabletop exercises involving key stakeholders
  D. Periodic tabletop exercises involving key stakeholders

  ---

  Explanation

  Tabletop exercises are a type of simulation used to test an organization's incident response plan. They involve key stakeholders in a hypothetical scenario to see how they would respond. This allows management to assess the effectiveness

  of the incident response process and identify areas for improvement. Regularly conducting these exercises ensures that the organization is prepared for a real incident and that the incident response process remains effective over time.

  References:

  Cybersecurity incident response: The 6 steps to success Six steps for building a robust incident response strategy - IBM

• Question 1753:

  Which of the following is the MOST effective control over visitor access to highly secured areas?

  A. Visitors are required to be escorted by authorized personnel.
  B. Visitors are required to use biometric authentication.
  C. Visitors are monitored online by security cameras
  D. Visitors are required to enter through dead-man doors.
  A. Visitors are required to be escorted by authorized personnel.

  ---

  Explanation

  The most effective control over visitor access to highly secured areas is to require visitors to be escorted by authorized personnel. This control ensures that visitors are supervised at all times and do not enter any restricted or sensitive areas without permission. It also allows authorized personnel to verify the identity, purpose, and clearance of the visitors, and to monitor their behavior and activities. Escorting visitors also reduces the risk of tailgating, piggybacking, or unauthorized duplication of access credentials. Requiring visitors to use biometric authentication, monitoring visitors online by security cameras, and requiring visitors to enter through dead-man doors are all examples of technical controls that can enhance visitor access control, but they are not as effective as escorting visitors. Biometric authentication can provide a high level of identity verification, but it does not prevent visitors from accessing unauthorized areas or compromising security in other ways. Security cameras can provide a record of visitor movements and actions, but they may not deter or detect security breaches in real time. Dead-man doors can prevent unauthorized entry by requiring two-factor authentication, but they do not ensure that visitors are accompanied by authorized personnel.

  References: ISC Best Practices for Facility Access Control Visitor Management Best Practices From Top Organizations2 8 Best Practices for Setting Up a Visitor Management System

• Question 1754:

  Which of the following is the GREATEST risk associated with in-house program development and customization?

  A. The lack of a test environment
  B. The lack of a quality assurance function
  C. The lack of secure coding expertise
  D. The lack of documentation for programs developed.
  B. The lack of a quality assurance function

  ---

  Explanation

• Question 1755:

  An IS auditor reviewing the threat assessment tor a data center would be MOST concerned if:

  A. some of the identified throats are unlikely to occur.
  B. all identified throats relate to external entities.
  C. the exercise was completed by local management.
  D. neighboring organizations operations have been included.
  C. the exercise was completed by local management.

  ---

  Explanation

  An IS auditor reviewing the threat assessment for a data center would be most concerned if the exercise was completed by local management, because this could introduce bias, conflict of interest, or lack of expertise in the assessment process. A threat assessment is a systematic method of identifying and evaluating the potential threats that could affect the availability, integrity, or confidentiality of the data center and its assets. A threat assessment should be conducted by an independent and qualified team that has the necessary skills, knowledge, and experience to perform a comprehensive and objective analysis of the data center's environment, vulnerabilities, and risks1. The other options are not as concerning as option C for an IS auditor reviewing the threat assessment for a data center. Option A, some of the identified threats are unlikely to occur, is not a problem as long as the likelihood and impact of each threat are properly estimated and prioritized. A threat assessment should consider all possible scenarios, even if they have a low probability of occurrence, to ensure that the data center is prepared for any eventuality2. Option B, all identified threats relate to external entities, is not a flaw as long as the assessment also considers internal threats, such as human errors, malicious insiders, or equipment failures. External threats are often more visible and severe than internal threats, but they are not the only source of risk for a data center3. Option D, neighboring organizations' operations have been included, is not a mistake as long as the assessment also focuses on the data center's own operations. Neighboring organizations' operations may have an impact on the data center's security and availability, especially if they share physical or network infrastructure or resources. A threat assessment should take into account the interdependencies and interactions between the data center and its external environment4.

  References: ISACA, CISA Review Manual, 27th Edition, 2019 ISACA, CISA Review Questions, Answers and Explanations Database - 12 Month Subscription Data Center Threats and Vulnerabilities1 Datacenter threat, vulnerability, and risk assessment2 Data Centre Risk Assessment3

• Question 1756:

  To address issues related to privileged users identified in an IS audit, management implemented a security information and event management (SIEM) system. Which type of control .........

  A. Directive
  B. Corrective
  C. Preventive
  D. Detective
  D. Detective

  ---

  Explanation

• Question 1757:

  To develop meaningful recommendations 'or findings, which of the following is MOST important 'or an IS auditor to determine and understand?

  A. Root cause
  B. Responsible party
  C. impact
  D. Criteria
  A. Root cause

  ---

  Explanation

  Root cause is the most important thing for an IS auditor to determine and understand to develop meaningful recommendations for findings. A root cause is the underlying factor or condition that leads to a problem or issue. A finding is a statement that describes a problem or issue identified during an audit. A recommendation is a suggestion or advice that aims to address or resolve a finding. To develop meaningful recommendations for findings, an IS auditor should determine and understand the root cause of each finding, as this can help to identify the most effective and appropriate actions to prevent or correct the problem or issue. The other options are not as important as determining and understanding the root cause, as they do not directly address or resolve the finding.

  References: CISA Review Manual, 27th Edition, page 434

• Question 1758:

  What is the PRIMARY purpose of performing a parallel run of a now system?

  A. To train the end users and supporting staff on the new system
  B. To verify the new system provides required business functionality
  C. To reduce the need for additional testing
  D. To validate the new system against its predecessor
  D. To validate the new system against its predecessor

  ---

  Explanation

  The primary purpose of performing a parallel run of a new system is to validate the new system against its predecessor. A parallel run is a strategy for system changeover where a new system slowly assumes the roles of the older system while both systems operate simultaneously. This allows for comparison of the results and outputs of both systems to ensure that the new system is working correctly and reliably. A parallel run can also help identify and resolve any errors, discrepancies, or inconsistencies in the new system before the old system is discontinued. The other options are not the primary purpose of performing a parallel run of a new system. A. To train the end users and supporting staff on the new system. Training is an important part of system implementation, but it is not the main reason for doing a parallel run. Training can be done before, during, or after the parallel run, depending on the needs and preferences of the organization.

  B. To verify the new system provides required business functionality. Verifying the business functionality of the new system is part of user acceptance testing (UAT), which is a formal and structured process of testing whether the new system meets the specifications and expectations of the users and stakeholders. UAT is usually done before the parallel run, as a prerequisite for system changeover.

  C. To reduce the need for additional testing. Reducing the need for additional testing is not the primary purpose of performing a parallel run, but rather a possible benefit or outcome of doing so. A parallel run can help ensure that the new system is thoroughly tested and validated in a real-world environment, which may reduce the likelihood of encountering major issues or defects later on. However, additional testing may still be needed after the parallel run, depending on the feedback and evaluation of the users and stakeholders.

  References: ISACA, CISA Review Manual, 27th Edition, 2019, p. 2471 IS

• Question 1759:

  Management has requested a post-implementation review of a newly implemented purchasing package to determine the extent that business requirements are being met.

  Which of the following is MOST likely to be assessed?

  A. Acceptance testing results
  B. Results of live processing
  C. Implementation methodology
  D. Purchasing guidelines and policies
  C. Implementation methodology

  ---

  Explanation

• Question 1760:

  Which type of control is in place when an organization requires new employees to complete training on applicable privacy and data protection regulations?

  A. Preventive control
  B. Directive control
  C. Detective control
  D. Corrective control
  B. Directive control

  ---

  Explanation