Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 2081:

  Of the following, who should approve a release to a critical application that would make the application inaccessible for 24 hours?

  A. Business process owner
  B. Data custodian
  C. Project manager
  D. Chief information security officer (CISO)
  A. Business process owner

  ---

  Explanation

• Question 2082:

  Which of the following information security requirements BE ST enables the tracking of organizational data in a bring your own device (BYOD) environment?

  A. Employees must immediately report lost or stolen mobile devices containing organizational data
  B. Employees must sign acknowledgment of the organization's mobile device acceptable use policy
  C. Employees must enroll their personal devices in the organization's mobile device management program
  C. Employees must enroll their personal devices in the organization's mobile device management program

  ---

  Explanation

  The best way to track organizational data in a BYOD environment is to enroll the personal devices in the organization's mobile device management (MDM) program. This will allow the organization to monitor, control, and secure the data on the devices remotely. Employees must also report lost or stolen devices and sign the acceptable use policy, but these are not sufficient to enable tracking of data.

  References: Info Technology and Systems Resources | COBIT, Risk, Governance ... - ISACA, section "Book IT Control Objectives for Sarbanes-Oxley, 4th Edition | Digital | English"

• Question 2083:

  During an audit of a data center, an IS auditor's BEST way to gain an understanding of physical security controls is to:

  A. review the data center's physical security procedures.
  B. contact the alarm vendor and identify where alarms are installed in the data center.
  C. take a tour of the facility and identify physical security controls.
  D. obtain the engineering plans for the building and identify points of entry.
  C. take a tour of the facility and identify physical security controls.

  ---

  Explanation

• Question 2084:

  Which of the following controls is MOST effective at preventing system failures when implementing a new web application?

  A. System recovery plan
  B. System testing
  C. Business continuity plan (BCP)
  D. Transaction monitoring
  B. System testing

  ---

  Explanation

  Explanation

  Comprehensive and Detailed Step-by-Step

  Thoroughsystem testingbefore deployment helps identify potentialbugs, vulnerabilities, and performance issuesto prevent system failures.

  System Testing (Correct Answer ?B)

  System Recovery Plan (Incorrect ?A)

  Business Continuity Plan (Incorrect ?C)

  Transaction Monitoring (Incorrect ?D)

  References:

  ISACA CISA Review Manual

  NIST 800-160 (Systems Security Engineering)

• Question 2085:

  Who is responsible for providing technical support for the hardware and software environment by developing, installing and operating the requested system?

  A. System Development Management
  B. Quality Assurance
  C. User Management
  D. Senior Management
  A. System Development Management

  ---

  Explanation

  System Development Management provides technical support for hardware and software environment by developing, installing and operating the requested system.

  For the CISA exam you should know the information below about roles and responsibilities of groups/individuals that may be involved in the development process are summarized below:

  Senior Management ?Demonstrate commitment to the project and approves the necessary resources to complete the project. This commitment from senior management helps ensure involvement by those needed to complete the project.

  User Management ?Assumes ownership of the project and resulting system, allocates qualified representatives to the team, and actively participates in business process redesign, system requirement definitions, test case development,

  acceptance testing and user training. User management is concerned primarily with the following questions:

  Are the required functions available in the software?

  How reliable is the software?

  How effective is the software?

  Is the software easy to use?

  How easy is to transfer or adapt old data from preexisting software to this environment?

  Is it possible to add new functions?

  Does it meet regulatory requirement?

  Project Steering Committee ?Provides overall directions and ensures appropriate representation of the major stakeholders in the project's outcome. The project steering committee is ultimately responsible for all deliverables, project costs and

  schedules. This committee should be compromised of senior representative from each business area that will be significantly impacted by the proposed new system or system modifications.

  System Development Management ?Provides technical support for hardware and software environment by developing, installing and operating the requested system.

  Project Manager ?Provides day-to-day management and leadership of the project, ensures that project activities remain in line with the overall directions, ensures appropriate representation of the affected departments, ensures that the

  project adheres local standards, ensures that deliverable meet the quality expectation of key stakeholder, resolve interdepartmental conflict, and monitors and controls cost of the project timetables.

  Project Sponsor ?Project sponsor provides funding for the project and works closely with the project manager to define critical success factor(CSFs) and metrics for measuring the success of the project. It is crucial that success is translated

  to measurable and quantifiable terms. Data and application ownership are assigned to a project sponsor. A project sponsor is typically the senior manager in charge of the primary business unit that the application will support.

  System Development Project Team ?Completes assigned tasks, communicates effectively with user by actively involving them in the development process, works according to local standards, and advise the project manager of necessary

  plan deviations.

  User Project Team ?Completes assigned tasks, communicate effectively with the system developers by actively involving themselves in the development process as Subject Matter Expert (SME) and works according to local standards, and

  advise the project manager of expected and actual project deviations.

  Security Officer ?Ensures that system controls and supporting processes provides an effective level of protection, based on the data classification set in accordance with corporate security policies and procedures: consult throughout the life

  cycle on appropriate security measures that should be incorporated into the system.

  Quality Assurance ?Personnel who review result and deliverables within each phase and at the end of each phase, and confirm compliance with requirements. Their objective is to ensure that the quality of the project by measuring adherence

  of the project staff to the organization's software development life cycle (SDLC), advise on the deviation and propose recommendation for process improvement or greater control points when deviation occur.

  The following were incorrect answers:

  Quality Assurance ?Personnel who review result and deliverables within each phase and at the end of each phase, and confirm compliance with requirements. Their objective is to ensure that the quality of the project by measuring adherence

  of the project staff to the organization's software development life cycle (SDLC), advise on the deviation and propose recommendation for process improvement or greater control points when deviation occur.

  User Management ?Assumes ownership of the project and resulting system, allocates qualified representatives to the team, and actively participates in business process redesign, system requirement definitions, test case development,

  acceptance testing and user training.

  Senior Management ?Demonstrate commitment to the project and approves the necessary resources to complete the project. This commitment from senior management helps ensure involvement by those needed to complete the project.

  CISA review manual 2014 Page number 150

• Question 2086:

  An IS auditor finds that needed security patches cannot be applied to some of an organization's network devices due to compatibility issues. The organization has not budgeted sufficiently for security upgrades. Which of the following should the auditor recommend be done FIRST?

  A. Perform a risk analysis of the relevant security issues.
  B. Prioritize funding for next year's budget.
  C. Discuss adding compensating controls with the vendor.
  D. Implement stronger security patch management processes.
  A. Perform a risk analysis of the relevant security issues.

  ---

  Explanation

• Question 2087:

  A new regulation in one country of a global organization has recently prohibited cross- border transfer of personal data. An IS auditor has been asked to determine the organization's level of exposure In the affected country. Which of the following would be MOST helpful in making this assessment?

  A. Developing an inventory of all business entities that exchange personal data with the affected jurisdiction
  B. Identifying data security threats in the affected jurisdiction
  C. Reviewing data classification procedures associated with the affected jurisdiction
  D. Identifying business processes associated with personal data exchange with the affected jurisdiction
  D. Identifying business processes associated with personal data exchange with the affected jurisdiction

  ---

  Explanation

  Identifying business processes associated with personal data exchange with the affected jurisdiction is the most helpful activity in making an assessment of the organization's level of exposure in the affected country. An IS auditor should

  understand how the organization's business operations and functions rely on or involve the cross- border transfer of personal data, as well as the potential impacts and risks of the new regulation on the business continuity and compliance.

  The other options are less helpful activities that may provide additional information or context for the assessment, but not its primary focus.

  References:

  CISA Review Manual (Digital Version), Chapter 7, Section 7.4.21 CISA Review Questions, Answers and Explanations Database, Question ID 221

• Question 2088:

  Which of the following would be MOST useful when analyzing computer performance?

  A. Statistical metrics measuring capacity utilization
  B. Operations report of user dissatisfaction with response time
  C. Tuning of system software to optimize resource usage
  D. Report of off-peak utilization and response time
  A. Statistical metrics measuring capacity utilization

  ---

  Explanation

  Computer performance is the measure of how well a computer system can execute tasks and applications within a given time frame. Computer performance can be affected by various factors, such as hardware specifications, software configuration, network conditions, and user behavior. To analyze computer performance, it is important to use statistical metrics that can quantify the capacity utilization of the system resources, such as CPU, memory, disk, and network. These metrics can help identify the bottlenecks, inefficiencies, and anomalies that may degrade the performance of the system. Examples of such metrics include CPU utilization, memory usage, disk throughput, network bandwidth, and response time. The other options are not as useful as statistical metrics when analyzing computer performance. An operations report of user dissatisfaction with response time is a subjective measure that may not reflect the actual performance of the system. Tuning of system software to optimize resource usage is a corrective action that can improve performance, but it is not a method of analysis. A report of off-peak utilization and response time is a limited snapshot that may not capture

  the peak performance or the average performance of the system.

  References:

  What is Computer Performance?

  How to Measure Computer Performance

• Question 2089:

  The PRIMARY benefit lo using a dry-pipe fire-suppression system rather than a wet-pipe system is that a dry-pipe system:

  A. is more effective at suppressing flames.
  B. allows more time to abort release of the suppressant.
  C. has a decreased risk of leakage.
  D. disperses dry chemical suppressants exclusively.
  C. has a decreased risk of leakage.

  ---

  Explanation

  The primary benefit of using a dry-pipe fire-suppression system rather than a wet-pipe system is that a dry-pipe system has a decreased risk of leakage, as the pipes are filled with pressurized air or nitrogen instead of water until the system is activated. A wet- pipe system has a higher risk of leakage, corrosion, and freezing. A dry-pipe system is not more effective at suppressing flames, as it uses the same water-based suppressant as a wet-pipe system. A dry-pipe system does not allow more time to abort release of the suppressant, as it has a delay of only a few seconds before the water is released. A dry- pipe system does not disperse dry chemical suppressants exclusively, as it uses water as the primary suppressant.

  References: CISA Review Manual (Digital Version), Chapter 5, Section 5.2.3

• Question 2090:

  Which of the following findings would be of GREATEST concern to an IS auditor reviewing the security architecture of an organization that has just implemented a Zero Trust solution?

  A. An increase in security-related costs
  B. User complaints about the new mode of working
  C. An increase in user identification errors
  D. A noticeable drop in the performance of IT systems
  C. An increase in user identification errors

  ---

  Explanation