Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 1911:

  Which of the following is the MOST important reason for an IS auditor to examine the results of a post-incident review performed after a security incident?

  A. To evaluate the effectiveness of continuous improvement efforts
  B. To compare incident response metrics with industry benchmarks
  C. To re-analyze the incident to identify any hidden backdoors planted by the attacker
  D. To evaluate the effectiveness of the network firewall against future security breaches
  A. To evaluate the effectiveness of continuous improvement efforts

  ---

  Explanation

  A post-incident review (PIR) is a process to review the incident information from occurrence to closure and to identify potential findings and recommendations for improvement. The most important reason for an IS auditor to examine the results of a PIR is to evaluate the effectiveness of continuous improvement efforts and to ensure that the lessons learned from the incident are implemented and followed up2. A PIR can help an organization to eliminate or reduce the risk of the incident to re-occur, improve the initial incident detection time, identify improvements needed to diagnose and repair the incident, and update the incident management best practices. Therefore, a PIR is a valuable source of information for an IS auditor to assess the maturity and performance of the organization's incident management process.

• Question 1912:

  An organization is implementing a new system that supports a month-end business process. Which of the following implementation strategies would be MOST efficient to decrease business downtime?

  A. Big bang
  B. Phased
  C. Cutover
  D. Parallel
  B. Phased

  ---

  Explanation

  Comprehensive and Detailed Step-by-Step Minimizing business downtime is critical when implementing a new system that supports an essential process like month-end closing. Option A (Incorrect):Thebig bang approachinvolves replacing the old system with the new system all at once. This method carries ahigh riskbecause if issues arise, they may causesignificant downtimeand disruption. Option B (Correct):Aphased approachgradually implements the system in stages, allowing users toadaptand minimizing the risk of complete failure. This strategy is ideal for critical systems that cannot afford extended downtime. Option C (Incorrect):Thecutover approachis a variation of big bang, where the old system is shut down, and the new system is activated. This method isriskyfor month-end processes because errors can causebusiness delays. Option D (Incorrect):Theparallel approachruns both old and new systems simultaneously to verify accuracy, but it isresource-intensiveand may not be practical for a high-volume month-end process.

  ISACA CISA Review Manual -Domain 3: Information Systems Acquisition, Development, and Implementation?Covers system implementation strategies, risk management, and best practices.

• Question 1913:

  An IS auditor is assigned to review the IS department s quality procedures. Upon contacting the IS manager, the auditor finds that there is an informal unwritten set of standards Which of the following should be the auditor's NEXT action1?

  A. Make recommendations to IS management as to appropriate quality standards
  B. Postpone the audit until IS management implements written standards
  C. Document and lest compliance with the informal standards
  D. Finalize the audit and report the finding
  C. Document and lest compliance with the informal standards

  ---

  Explanation

  The auditor's next action after finding that there is an informal unwritten set of standards in the IS department is to document and test compliance with the informal standards. This is because the auditor's role is to evaluate the adequacy and effectiveness of the existing controls, regardless of whether they are formal or informal, written or unwritten. The auditor should also assess the risks and implications of having informal standards, such as lack of consistency, accountability, or traceability. The auditor should not make recommendations, postpone the audit, or finalize the audit without performing the audit procedures.

  References: CISA Review Manual (Digital Version), Chapter 2, Section 2.21 CISA Online Review Course, Domain 1, Module 1, Lesson 12

• Question 1914:

  Which of the following is the MOST effective way to identify exfiltration of sensitive data by a malicious insider?

  A. Implement data loss prevention (DLP) software
  B. Review perimeter firewall logs
  C. Provide ongoing information security awareness training
  D. Establish behavioral analytics monitoring
  D. Establish behavioral analytics monitoring

  ---

  Explanation

  The most effective way to identify exfiltration of sensitive data by a malicious insider is to establish behavioral analytics monitoring. Behavioral analytics is the process of analyzing the patterns and anomalies in user behavior to detect and prevent insider threats. Behavioral analytics can help identify unusual or suspicious activities, such as accessing sensitive data at odd hours, transferring large amounts of data to external devices or locations, or using unauthorized applications or protocols. Behavioral analytics can also help correlate data from multiple sources, such as network logs, user profiles, and access rights, to provide a holistic view of user activity and risk. Data loss prevention (DLP) software is a tool that can help prevent exfiltration of sensitive data by a malicious insider, but it is not the most effective way to identify it. DLP software can block or alert on unauthorized data transfers based on predefined rules and policies, but it may not be able to detect sophisticated or stealthy exfiltration techniques, such as encryption, steganography, or data obfuscation. Reviewing perimeter firewall logs is a way to identify exfiltration of sensitive data by a malicious insider, but it is not the most effective way. Perimeter firewall logs can show the traffic volume and destination of data transfers, but they may not be able to show the content or context of the data. Perimeter firewall logs may also be overwhelmed by the amount of normal traffic and miss the signals of malicious exfiltration. Providing ongoing information security awareness training is a way to reduce the risk of exfiltration of sensitive data by a malicious insider, but it is not a way to identify it. Information security awareness training can help educate users on the importance of protecting sensitive data and the consequences of violating policies and regulations, but it may not deter or detect those who are intentionally or maliciously exfiltrating data.

  References: ISACA, CISA Review Manual, 27th Edition, 2019, p. 300 ISACA, CISA Review Questions, Answers and Explanations Database - 12 Month Subscription 1 Cybersecurity Engineering for Legacy Systems: 6 Recommendations - SEI Blog 2 How to Secure Your Company's Legacy Applications - iCorps

• Question 1915:

  What should an IS auditor do FIRST when management responses to an in-person internal control questionnaire indicate a key internal control is no longer effective?

  A. Determine the resources required to make the control effective.
  B. Validate the overall effectiveness of the internal control.
  C. Verify the impact of the control no longer being effective.
  D. Ascertain the existence of other compensating controls.
  D. Ascertain the existence of other compensating controls.

  ---

  Explanation

  The first thing that an IS auditor should do when management responses to an in-person internal control questionnaire indicate a key internal control is no longer effective is to ascertain the existence of other compensating controls. Compensating controls are alternative controls that provide reasonable assurance of achieving the same objective as the original control. The IS auditor should verify whether there are any compensating controls in place that can mitigate the risk of the key control being ineffective, and evaluate their adequacy and effectiveness. The other options are not the first steps, because they either require more information about the compensating controls, or they are actions to be taken after identifying and assessing the compensating controls.

  References: CISA Review Manual (Digital Version)1, Chapter 2, Section 2.2.3

• Question 1916:

  While executing follow-up activities, an IS auditor is concerned that management has implemented corrective actions that are different from those originally discussed and agreed with the audit function. In order to resolve the situation, the IS auditor's BEST course of action would be to:

  A. re-prioritize the original issue as high risk and escalate to senior management.
  B. schedule a follow-up audit in the next audit cycle.
  C. postpone follow-up activities and escalate the alternative controls to senior audit management.
  D. determine whether the alternative controls sufficiently mitigate the risk.
  D. determine whether the alternative controls sufficiently mitigate the risk.

  ---

  Explanation

  The IS auditor's best course of action in this situation is to determine whether the alternative controls sufficiently mitigate the risk. Alternative controls are different from those originally discussed and agreed with the audit function, but they may still achieve the same objective of addressing the audit issue or reducing the risk to an acceptable level. The IS auditor should evaluate whether the alternative controls are appropriate, effective, and sustainable before closing the audit finding or escalating it to senior management. The other options are not appropriate for resolving this situation, as they do not consider whether the alternative controls are adequate or reasonable. Re- prioritizing the original issue as high risk and escalating to senior management is a drastic step that may undermine the relationship between the auditor and management, and it should be done only after exhausting other means of resolving the issue. Scheduling a follow-up audit in the next audit cycle is unnecessary, as follow-up activities should be performed as soon as possible after management has implemented corrective actions. Postponing follow-up activities and escalating the alternative controls to senior audit management is premature, as follow-up activities should be completed before reporting any findings or recommendations to senior audit management.

  References: CISA Review Manual (Digital Version), Chapter 2, Section 2.4

• Question 1917:

  Which of the following should be the FIRST step in an organization's forensics process to preserve evidence?

  A. Create the forensics analysis reporting template
  B. Determine which forensic tools to use
  C. Perform analytics on digital evidence obtained using forensic methods
  D. Duplicate digital evidence and validate it using a hash function
  D. Duplicate digital evidence and validate it using a hash function

  ---

  Explanation

• Question 1918:

  Which of the following is the MOST appropriate and effective fire suppression method for an unstaffed computer room?

  A. Water sprinkler
  B. Fire extinguishers
  C. Carbon dioxide (CO2)
  D. Dry pipe
  C. Carbon dioxide (CO2)

  ---

  Explanation

  The most appropriate and effective fire suppression method for an un-staffed computer room is carbon dioxide (CO2). Carbon dioxide is a gaseous clean agent that extinguishes fire by displacing oxygen and reducing the combustion process. Carbon dioxide is suitable for un-staffed computer rooms because it does not leave any residue, damage, or corrosion on the electronic equipment, and it does not require water or other chemicals that could harm the environment or human health. However, carbon dioxide can pose a risk of asphyxiation to any person who may enter the computer room during or after the discharge, so proper safety precautions and warning signs should be in place. The other options are not as appropriate or effective as carbon dioxide for an un-staffed computer room: Water sprinkler. This is a common fire suppression method that uses water to cool down and extinguish fire. However, water sprinkler is not suitable for un-staffed computer rooms because it can cause severe damage to the electronic equipment, such as short circuits, corrosion, or data loss. Water sprinkler can also create a risk of electric shock to any person who may enter the computer room during or after the discharge. Fire extinguishers. These are portable devices that contain a pressurized agent that can be sprayed on a fire to put it out. However, fire extinguishers are not effective for un-staffed computer rooms because they require manual operation by a trained person who can identify the type and location of the fire, and use the appropriate extinguisher. Fire extinguishers can also cause damage to the electronic equipment if they contain water or chemical agents. Dry pipe. This is a type of sprinkler system that uses pressurized air or nitrogen in the pipes instead of water until a fire is detected. When a fire is detected, the air or nitrogen is released and water flows into the pipes and sprinklers. However, dry pipe is not ideal for un-staffed computer rooms because it still uses water as the extinguishing agent, which can damage the electronic equipment as mentioned above. Dry pipe also has a slower response time than wet pipe sprinkler systems, which can allow the fire to spread more quickly.

• Question 1919:

  In an organization's feasibility study to acquire hardware to support a new web server, omission of which of the following would be of MOST concern?

  A. Alternatives for financing the acquisition
  B. Financial stability of potential vendors
  C. Reputation of potential vendors
  D. Cost-benefit analysis of available products
  D. Cost-benefit analysis of available products

  ---

  Explanation

  The most important part of a feasibility study is the economics. A cost-benefit analysis of available products is crucial as it helps to understand the economic viability of the project. It compares the costs of the project with the benefits it is

  expected to deliver, which is essential for making informed decisions. Omitting this could lead to investments in hardware that may not provide the expected returns or meet the organization's needs.

  References:

  The Components of a Feasibility Study - ProjectEngineer

• Question 1920:

  Which of the following findings should be of GREATEST concern to an IS auditor reviewing an organization s newly implemented online security awareness program'?

  A. Only new employees are required to attend the program
  B. Metrics have not been established to assess training results
  C. Employees do not receive immediate notification of results
  D. The timing for program updates has not been determined
  B. Metrics have not been established to assess training results

  ---

  Explanation

  The greatest concern for an IS auditor reviewing an online security awareness program is that metrics have not been established to assess training results. Without metrics, it is difficult to measure the effectiveness of the program and identify areas for improvement. The other findings are also issues that need to be addressed, but they are not as significant as the lack of metrics.

  References: CISA Review Manual (Digital Version), Chapter 5, Section 5.3.11