Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 2011:

  Which of the following provides the MOST useful information regarding an organization's risk appetite and tolerance?

  A. Gap analysis
  B. Audit reports
  C. Risk profile
  D. Risk register
  C. Risk profile

  ---

  Explanation

  The most useful information regarding an organization's risk appetite and tolerance is provided by its risk profile, as this is a document that summarizes the key risks that the organization faces, the potential impacts and likelihoods of those risks, and the acceptable levels of risk exposure for different objectives and activities. A gap analysis is a tool that compares the current state and the desired state of a process or a system, and identifies the gaps that need to be addressed. Audit reports are documents that present the findings, conclusions, and recommendations of an audit engagement. A risk register is a tool that records and tracks the identified risks, their causes, their consequences, and their mitigation actions.

  References: CISA Review Manual (Digital Version), Chapter 2: Governance and Management of IT, Section 2.1: IT Governance

• Question 2012:

  Which of the following is the MOST effective way for an organization to project against data loss?

  A. Limit employee internet access.
  B. Implement data classification procedures.
  C. Review firewall logs for anomalies.
  D. Conduct periodic security awareness training.
  D. Conduct periodic security awareness training.

  ---

  Explanation

  Data loss can occur due to various reasons, such as accidental deletion, hardware failure, malware infection, theft, or unauthorized access. Data classification procedures can help to identify and protect sensitive data, but they are not sufficient to prevent data loss. The most effective way to protect against data loss is to conduct periodic security awareness training for employees, which can educate them on the importance of data security, the best practices for data handling and storage, and the common threats and risks to data.

• Question 2013:

  Which of the following would be MOST important to include in an IS audit report?

  A. Observations not reported as findings due to inadequate evidence
  B. The roadmap for addressing the various risk areas
  C. The level of unmitigated risk along with business impact
  D. Specific technology solutions for each audit observation
  C. The level of unmitigated risk along with business impact

  ---

  Explanation

• Question 2014:

  Which of the following would be a result of utilizing a top-down maturity model process?

  A. A means of benchmarking the effectiveness of similar processes with peers
  B. A means of comparing the effectiveness of other processes within the enterprise
  C. Identification of older, more established processes to ensure timely review
  D. Identification of processes with the most improvement opportunities
  D. Identification of processes with the most improvement opportunities

  ---

  Explanation

  A top-down maturity model process is a method of assessing and improving the maturity level of a process or a set of processes within an organization. A maturity level is a measure of how well-defined, controlled, measured, and optimized a process is. A top- down maturity model process starts with defining the desired maturity level and then identifying the gaps and improvement opportunities for each process. This helps prioritize the processes that need the most attention and improvement. Therefore, a result of utilizing a top-down maturity model process is identification of processes with the most improvement opportunities. A means of benchmarking the effectiveness of similar processes with peers, a means of comparing the effectiveness of other processes within the enterprise, and identification of older, more established processes to ensure timely review are not results of utilizing a top- down maturity model process. These are possible benefits or objectives of using other types of maturity models or assessment methods, but they are not specific to a top-down approach.

• Question 2015:

  An internal control audit has revealed a control deficiency related to a legacy system where the compensating controls no longer appear to be effective. Which of the following would BEST help the information security manager determine the security requirements to resolve the control deficiency?

  A. Cost-benefit analysis
  B. Gap analysis
  C. Risk assessment
  D. Business case
  B. Gap analysis

  ---

  Explanation

• Question 2016:

  Which of the following security measures will reduce the risk of propagation when a cyberattack occurs?

  A. Perimeter firewall
  B. Data loss prevention (DLP) system
  C. Network segmentation
  D. Web application firewall (WAF)
  C. Network segmentation

  ---

  Explanation

• Question 2017:

  Which of the following BEST helps data loss prevention (DLP) tools detect movement of sensitive data m transit?

  A. Network traffic logs
  B. Deep packet inspection
  C. Data inventory
  D. Proprietary encryption
  B. Deep packet inspection

  ---

  Explanation

  Deep packet inspection (DPI) is a core capability of data loss prevention (DLP) tools that allows the analysis of the content of data packets in transit. This helps detect the unauthorized movement of sensitive data by examining packet-level

  details. Network Traffic Logs (Option A):These provide historical data but do not actively detect data in transit.

  Data Inventory (Option C):Useful for identifying where sensitive data resides but not for monitoring its movement.

  Proprietary Encryption (Option D):Protects data but does not detect unauthorized transmission.

  ISACA CISA Review Manual, Job Practice Area 4: Protection of Information Assets.

• Question 2018:

  Which type of control is being implemented when a biometric access device is installed at the entrance to a facility?

  A. Preventive
  B. Deterrent
  C. Corrective
  D. Detective
  A. Preventive

  ---

  Explanation

  A biometric access device installed at the entrance to a facility is a type of preventive control. Preventive controls are designed to deter or prevent undesirable events from occurring12. They are proactive measures that aim to inhibit incidents before they happen. In this case, the biometric access device prevents unauthorized individuals from gaining access to the facility by requiring unique biological characteristics for authentication

• Question 2019:

  An IS auditor finds that a recently deployed application has a number of developers with inappropriate update access left over from the testing environment. Which of the following would have BEST prevented the update access from being migrated?

  A. Establishing a role-based matrix for provisioning users
  B. Re-assigning user access rights in the quality assurance (QA) environment
  C. Holding the application owner accountable for application security
  D. Including a step within the system development life cycle (SDLC) to clean up access prior to go-live
  D. Including a step within the system development life cycle (SDLC) to clean up access prior to go-live

  ---

  Explanation

• Question 2020:

  An IS auditor is conducting an IT governance audit and notices many initiatives are managed informally by isolated project managers. Which of the following recommendations would have the GREATEST impact on improving the maturity of the IT team?

  A. Schedule a follow-up audit in the next year to confirm whether IT processes have matured.
  B. Create an interdisciplinary IT steering committee to oversee IT prioritization and spending.
  C. Document and track all IT decisions in a project management tool.
  D. Discontinue all current IT projects until formal approval is obtained and documented.
  B. Create an interdisciplinary IT steering committee to oversee IT prioritization and spending.

  ---

  Explanation

  An IT steering committee is a group of senior executives and stakeholders who provide strategic direction, guidance, and oversight for the IT function of an organization. An IT steering committee can help to improve the maturity of the IT team by ensuring that the IT initiatives are aligned with the business goals and objectives, that the IT resources are allocated and utilized effectively and efficiently, and that the IT performance and value are measured and communicated. An IT steering committee can also help to resolve conflicts, prioritize demands, and foster collaboration among the IT project managers and other business units.

  References: ISACA CISA Review Manual, 27th Edition, page 254 Auditing IT Governance The Impact of Poor IT Audit Planning and Mitigating Audit Risk IS Audit Basics: The Components of the IT Audit Report