Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 2061:

  An IS auditor is observing transaction processing and notes that a high-priority update job ran out of sequence. What is the MOST significant risk from this observation?

  A. Previous jobs may have failed.
  B. The job may not have run to completion.
  C. Daily schedules may not be accurate.
  D. The job competes with invalid data.
  D. The job competes with invalid data.

  ---

  Explanation

• Question 2062:

  An IS auditor is reviewing processes for importing market price data from external data providers. Which of the following findings should the auditor consider MOST critical?

  A. The quality of the data is not monitored.
  B. Imported data is not disposed frequently.
  C. The transfer protocol is not encrypted.
  D. The transfer protocol does not require authentication.
  A. The quality of the data is not monitored.

  ---

  Explanation

  The most critical finding that the IS auditor should consider when reviewing processes for importing market price data from external data providers is that the quality of the data is not monitored. This is because market price data is essential for financial transactions, risk management, valuation and reporting, and any errors or inaccuracies in the data can have significant impact on the organization's performance, reputation and compliance. The IS auditor should ensure that the organization has established quality criteria and controls for the imported data, such as validity, completeness, timeliness, consistency and accuracy, and that the data is regularly checked and verified against these criteria. The other findings are also important, but not as critical as data quality.

  References: CISA Review Manual (Digital Version)1, Chapter 5, Section 5.2.7

• Question 2063:

  Which of the following is the MOST important task of an IS auditor during an application post-implementation review?

  A. Conduct a business impact analysis (BIA)
  B. Perform penetration testing
  C. identify project delays
  D. Verify user access controls
  D. Verify user access controls

  ---

  Explanation

  Explanation

• Question 2064:

  Which of the following is the MOST important consideration when establishing vulnerability scanning on critical IT infrastructure?

  A. The scanning will be performed during non-peak hours.
  B. The scanning will be followed by penetration testing.
  C. The scanning will be cost-effective.
  D. The scanning will not degrade system performance.
  B. The scanning will be followed by penetration testing.

  ---

  Explanation

  The scanning will not degrade system performance. This is the most important consideration when establishing vulnerability scanning on critical IT infrastructure, because any degradation of system performance could affect the availability,

  reliability, and functionality of the IT services that depend on the infrastructure. Scanning during non-peak hours (A) could reduce the impact of scanning on system performance, but it does not guarantee that the scanning will not cause any

  degradation. Scanning followed by penetration testing (B) could provide more in-depth information about the vulnerabilities and their exploitability, but it does not address the potential impact of scanning on system performance. Scanning

  cost-effectiveness ?is a relevant factor for choosing a scanning service or tool, but it is not as important as ensuring that the scanning will not compromise the system performance.

  CISA Vulnerability Scanning, Description.

• Question 2065:

  Having knowledge in which of the following areas is MOST relevant for an IS auditor reviewing public key infrastructure (PKI)?

  A. Design and application of key controls in public audit
  B. Security strategy in public cloud Infrastructure as a Service (IaaS)
  C. Modern encoding methods for digital communications
  D. Technology and process life cycle for digital certificates and key pairs
  D. Technology and process life cycle for digital certificates and key pairs

  ---

  Explanation

• Question 2066:

  An IS auditor discovers that validation controls in a web application have been moved from the server side into the browser to boost performance. This would MOST likely increase the risk of a successful attack by:

  A. structured query language (SQL) injection
  B. buffer overflow.
  C. denial of service (DoS).
  D. phishing.
  A. structured query language (SQL) injection

  ---

  Explanation

  Validation controls are used to check the input data from the user before processing it on the server. If the validation controls are moved from the server side to the browser, it means that the user can modify or bypass them using tools such as browser developer tools, JavaScript console, or proxy tools. This would increase the risk of a successful attack by structured query language (SQL) injection, which is a technique that exploits a security vulnerability in an application's software layer that allows an attacker to execute arbitrary SQL commands on the underlying database. SQL injection can result in data theft, data corruption, or unauthorized access to the system. Buffer overflow, denial of service (DoS), and phishing are not directly related to the validation controls in a web application. Buffer overflow is a type of attack that exploits a memory management flaw in an application or system that allows an attacker to write data beyond the allocated buffer size and overwrite adjacent memory locations. DoS is a type of attack that prevents legitimate users from accessing a service or resource by overwhelming it with requests or traffic. Phishing is a type of attack that uses fraudulent emails or websites to trick users into revealing sensitive information or installing malware.

  References: Client-side form validation - Learn web development | MDN JavaScript: client-side vs. server-side validation - Stack Overflow SQL Injection - OWASP

• Question 2067:

  Which of the following should be of GREATEST concern to an |$ auditor reviewing data conversion and migration during the implementation of a new application system?

  A. The change management process was not formally documented
  B. Backups of the old system and data are not available online
  C. Unauthorized data modifications occurred during conversion,
  D. Data conversion was performed using manual processes
  C. Unauthorized data modifications occurred during conversion,

  ---

  Explanation

  The finding that should be of greatest concern to an IS auditor reviewing data conversion and migration during the implementation of a new application system is that unauthorized data modifications occurred during conversion. Data conversion and migration is a process that involves transferring data from one system to another, ensuring its accuracy, completeness, integrity, and usability. Unauthorized data modifications during conversion can result in data loss, corruption, inconsistency, or duplication, which can affect the functionality, performance, reliability, and security of the new system. Unauthorized data modifications can also have serious business implications, such as affecting decision making, reporting, compliance, customer service, and revenue. The IS auditor should verify that adequate controls are in place to prevent, detect, and correct unauthorized data modifications during conversion, such as access control, data validation, reconciliation, audit trail, and backup and recovery. The other findings (A, B and D) are less concerning, as they can be mitigated by documenting the change management process, restoring the backups of the old system and data from offline storage, or automating the data conversion process.

  References: CISA Review Manual (Digital Version), Chapter 3: Information Systems Acquisition, Development and Implementation, Section 3.4: System Implementation

• Question 2068:

  An organization decides to establish a formal incident response capability with clear roles and responsibilities facilitating centralized reporting of security incidents. Which type of control is being implemented?

  A. Corrective control
  B. Compensating control
  C. Preventive control
  D. Detective control
  A. Corrective control

  ---

  Explanation

• Question 2069:

  Which of the following controls is MOST important for ensuring the integrity of system interfaces?

  A. Periodic audits
  B. File counts
  C. File checksums
  D. IT operator monitoring
  C. File checksums

  ---

  Explanation

  File checksums are values that are calculated from the contents of a file and can detect any changes or corruption in the file. They are used to verify that the files that are transferred or processed through system interfaces are not altered in any way. File checksums are more effective than periodic audits, file counts, or IT operator monitoring, which are other types of controls that can help ensure the integrity of system interfaces, but they are not as reliable or timely as file checksums.

• Question 2070:

  Which of the following public key infrastructure (PKI) elements provides detailed descriptions for dealing with a compromised private key?

  A. Certification practice statement
  B. Certificate policy
  C. PKI disclosure statement
  D. Certificate revocation list
  A. Certification practice statement

  ---

  Explanation

  Explanation