Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 2041:

  Which of the following is the MOST important consideration when evaluating the data retention policy for a global organization with regional offices in multiple countries?

  A. The policy aligns with corporate policies and practices.
  B. The policy aligns with global best practices.
  C. The policy aligns with business goals and objectives.
  D. The policy aligns with local laws and regulations.
  D. The policy aligns with local laws and regulations.

  ---

  Explanation

  The data retention policy for a global organization with regional offices in multiple countries should align with local laws and regulations, as they may vary significantly from one country to another and may impose different requirements and penalties for non-compliance. The policy should also consider the corporate policies and practices, the global best practices, and the business goals and objectives, but these are secondary to the legal compliance.

  References: CISA Review Manual (Digital Version), Chapter 5: Protection of Information Assets, Section 5.3: Data Classification and Protection

• Question 2042:

  An organization allows employees to retain confidential data on personal mobile devices. Which of the following is the BEST recommendation to mitigate the risk of data leakage from lost or stolen devices?

  A. Require employees to attend security awareness training.
  B. Password protect critical data files.
  C. Configure to auto-wipe after multiple failed access attempts.
  D. Enable device auto-lock function.
  C. Configure to auto-wipe after multiple failed access attempts.

  ---

  Explanation

  The best recommendation to mitigate the risk of data leakage from lost or stolen devices that contain confidential data is to configure them to auto-wipe after multiple failed access attempts, as this would prevent unauthorized access and erase sensitive information from the device. Requiring employees to attend security awareness training, password protecting critical data files, or enabling device auto-lock function are also good practices, but they may not be sufficient or effective in preventing data leakage from lost or stolen devices.

  References: CISA Review Manual (Digital Version), Chapter 5, Section 5.3

• Question 2043:

  Which of the following is the PRIMARY reason for an IS audit manager to review the work performed by a senior IS auditor prior to presentation of a report?

  A. To ensure the conclusions are adequately supported
  B. To ensure adequate sampling methods were used during fieldwork
  C. To ensure the work is properly documented and filed
  D. To ensure the work is conducted according to industry standards
  A. To ensure the conclusions are adequately supported

  ---

  Explanation

  The primary reason for an IS audit manager to review the work performed by a senior IS auditor prior to presentation of a report is to ensure the conclusions are adequately supported. The IS audit manager is responsible for overseeing and supervising the audit process, ensuring the quality and consistency of the audit work, and approving the audit report and recommendations. The IS audit manager should review the work performed by the senior IS auditor to verify that the audit objectives, scope, and criteria have been met, that the audit evidence is sufficient, reliable, and relevant, and that the audit conclusions are logical, objective, and based on the audit evidence. The IS audit manager should also ensure that the audit report is clear, concise, accurate, and complete, and that it communicates the audit findings, conclusions, and recommendations effectively to the intended audience. The other options are not the primary reason for an IS audit manager to review the work performed by a senior IS auditor prior to presentation of a report, because they either relate to specific aspects or stages of the audit work rather than the overall outcome, or they are part of the senior IS auditor's responsibility rather than the IS audit manager's.

  References: CISA Review Manual (Digital Version)1, Chapter 2, Section 2.2.5

• Question 2044:

  An IS auditor is reviewing a medical device that is attached to a patient's body, which automatically takes and uploads measurements to a cloud server. Treatment may be updated based on the measurements. Which of the following should be the auditor's PRIMARY focus?

  A. Physical access controls on the device
  B. Security and quality certification of the device
  C. Device identification and authentication
  D. Confirmation that the device is regularly updated
  B. Security and quality certification of the device

  ---

  Explanation

• Question 2045:

  An incident response team has been notified of a virus outbreak in a network subnet.

  Which of the following should be the NEXT step?

  A. Verify that the compromised systems are fully functional
  B. Focus on limiting the damage
  C. Document the incident
  D. Remove and restore the affected systems
  B. Focus on limiting the damage

  ---

  Explanation

  An incident response team has been notified of a virus outbreak in a network subnet. The next step should be to focus on limiting the damage by containing the virus and preventing it from spreading further. This may involve isolating the

  affected systems, disconnecting them from the network, blocking malicious traffic or applying patches or antivirus updates. Verifying that the compromised systems are fully functional, documenting the incident and removing and restoring the

  affected systems are possible steps that could be taken after limiting the damage.

  References:

  : [Incident Response Definition]

  : [Incident Response Process | ISACA]

  : [Virus Definition]

• Question 2046:

  A company is planning to implement a new administrative system at many sites. The new system contains four integrated modules. Which of the following implementation approaches would be MOST appropriate?

  A. Parallel implementation module by module
  B. Pilot run of the new system
  C. Full implementation of the new system
  D. Parallel run at all locations
  B. Pilot run of the new system

  ---

  Explanation

• Question 2047:

  In data warehouse (DW) management, what is the BEST way to prevent data quality issues caused by changes from a source system?

  A. Configure data quality alerts to check variances between the data warehouse and the source system
  B. Require approval for changes in the extract/Transfer/load (ETL) process between the two systems
  C. Include the data warehouse in the impact analysis (or any changes m the source system
  D. Restrict access to changes in the extract/transfer/load (ETL) process between the two systems
  C. Include the data warehouse in the impact analysis (or any changes m the source system

  ---

  Explanation

  Including the data warehouse in the impact analysis for any changes in the source system is the best way to prevent data quality issues caused by changes from a source system. A data warehouse is a centralized repository of integrated data from one or more source systems. An impact analysis is a technique of assessing the potential effects and consequences of a change on the existing system or environment. Including the data warehouse in the impact analysis can help to identify and mitigate any data quality issues that may arise from changes in the source system, such as data inconsistency, incompleteness, or inaccuracy. The other options are less effective ways to prevent data quality issues, as they may involve data quality alerts, approval for changes, or access restrictions.

  References: CISA Review Manual (Digital Version), Chapter 5, Section 5.41 CISA Review Questions, Answers and Explanations Database, Question ID 226

• Question 2048:

  Management receives information indicating a high level of risk associated with potential flooding near the organization's data center within the next few years. As a result, a decision has been made to move data center operations to another facility on higher ground. Which approach has been adopted?

  A. Risk avoidance
  B. Risk transfer
  C. Risk acceptance
  D. Risk reduction
  A. Risk avoidance

  ---

  Explanation

  The approach adopted by management in this scenario is risk avoidance. Risk avoidance is the elimination of a risk by discontinuing or not undertaking an activity that poses a threat to the organization3. By moving data center operations to another facility on higher ground, management is avoiding the potential flooding risk that could disrupt or damage the data center. Risk transfer, risk acceptance and risk reduction are other possible approaches for dealing with risks, but they do not apply in this case.

  References: CISA Review Manual, 27th Edition, page 641 CISA Review Questions, Answers and Explanations Database - 12 Month Subscription

• Question 2049:

  Which of the following key performance indicators (KPIs) provides stakeholders with the MOST useful information about whether information security risk is being managed?

  A. Time from identifying security threats to implementing solutions
  B. The number of security controls audited
  C. Time from security log capture to log analysis
  D. The number of entries in the security risk register
  A. Time from identifying security threats to implementing solutions

  ---

  Explanation

  Comprehensive and Detailed Step-by-Step

  Thespeed at which security threats are mitigatedis akey indicatorof an organization'srisk management effectiveness.

  Option A (Correct):Response time to security threatsmeasures how efficiently security teams detect, analyze, and mitigate risks, providingclear insight into security operations. Option B (Incorrect):The number of security controls auditeddoes

  not indicatehow well risk is being managed, only that reviews are taking place. Option C (Incorrect):Log analysis speedis useful, but it does notdirectly measure risk mitigation effectiveness.

  Option D (Incorrect):Risk register entriesindicate known risks but do not provide insight intohow well those risks are managed.

  ISACA CISA Review Manual -Domain 5: Protection of Information Assets?Coverssecurity metrics, KPIs,

  and risk management evaluation.

• Question 2050:

  Which of the following statement correctly describes the difference between black box testing and white box testing?

  A. Black box testing focuses on functional operative effectiveness where as white box assesses the effectiveness of software program logic
  B. White box testing focuses on functional operative effectiveness where as black box assesses the effectiveness of software program logic
  C. White box and black box testing focuses on functional operative effectiveness of an information systems without regard to any internal program structure
  D. White box and black box testing focuses on the effectiveness of the software program logic
  A. Black box testing focuses on functional operative effectiveness where as white box assesses the effectiveness of software program logic

  ---

  Explanation

  For CISA exam you should know below mentioned types of testing

  Alpha and Beta Testing ?An alpha version is early version is an early version of the application system submitted to the internal user for testing. The alpha version may not contain all the features planned for the final version. Typically,

  software goes to two stages testing before it consider finished. The first stage is called alpha testing is often performed only by the user within the organization developing the software. The second stage is called beta testing, a form of user

  acceptance testing, generally involves a limited number of external users. Beta testing is the last stage of testing, and normally involves real world exposure, sending the beta version of the product to independent beta test sites or offering it

  free to interested user.

  Pilot Testing ?A preliminary test that focuses on specific and predefined aspect of a system. It is not meant to replace other testing methods, but rather to provide a limited evaluation of the system. Proof of concept are early pilot tests ?usually

  over interim platform and with only basic functionalities.

  White box testing ?Assess the effectiveness of a software program logic. Specifically, test data are used in determining procedural accuracy or conditions of a program's specific logic path. However, testing all possible logical path in large

  information system is not feasible and would be cost prohibitive, and therefore is used on selective basis only.

  Black Box Testing ?An integrity based form of testing associated with testing components of an information system's "functional" operating effectiveness without regards to any specific internal program structure. Applicable to integration and

  user acceptance testing.

  Function/validation testing ?It is similar to system testing but it is often used to test the functionality of the system against the detailed requirements to ensure that the software that has been built is traceable to customer requirements.

  Regression Testing ?The process of rerunning a portion of a test scenario or test plan to ensure that changes or corrections have not introduced new errors. The data used in regression testing should be same as original data.

  Parallel Testing ?This is the process of feeding test data into two systems ?the modified system and an alternative system and comparing the result.

  Sociability Testing ?The purpose of these tests is to confirm that new or modified system can operate in its target environment without adversely impacting existing system. This should cover not only platform that will perform primary

  application processing and interface with other system but, in a client server and web development, changes to the desktop environment. Multiple application may run on the user's desktop, potentially simultaneously, so it is important to test

  the impact of installing new dynamic link libraries (DLLs) , making operating system registry or configuration file modification, and possibly extra memory utilization.

  The following were incorrect answers:

  The other options presented does not provides correct difference between black box and white box testing.

  CISA review manual 2014 Page number 167