Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 221:

  Which of the following BEST describes the role of the IS auditor in a control self- assessment (CSA)?

  A. Implementer
  B. Facilitator
  C. Approver
  D. Reviewer
  B. Facilitator

  ---

  Explanation

• Question 222:

  A company requires that all program change requests (PCRs) be approved and all modifications be automatically logged. Which of the following IS audit procedures will BEST determine whether unauthorized changes have been made to production programs?

  A. Trace a sample of complete PCR forms to the log of all program changes
  B. Use source code comparison software to determine whether any changes have been made to a sample of programs since the last audit date
  C. Review a sample of PCRs for proper approval throughout the program change process
  D. Trace a sample of program change from the log to completed PCR forms
  B. Use source code comparison software to determine whether any changes have been made to a sample of programs since the last audit date

  ---

  Explanation

  The best way to determine whether unauthorized changes have been made to production programs is to use source code comparison software to compare the current version of the programs with the previous version or the approved

  version. This will identify any changes that have been made without proper authorization or documentation. Tracing PCRs to logs or vice versa will only verify that the authorized changes have been recorded, but not detect any unauthorized

  changes.

  References: Standards, Guidelines, Tools and Techniques - ISACA, section "IS Audit and Assurance Tools and Techniques"

• Question 223:

  Which of the following is the BEST recommendation to include in an organization's bring your own device (BYOD) policy to help prevent data leakage?

  A. Require employees to waive privacy rights related to data on BYOD devices.
  B. Require multi-factor authentication on BYOD devices,
  C. Specify employee responsibilities for reporting lost or stolen BYOD devices.
  D. Allow only registered BYOD devices to access the network.
  B. Require multi-factor authentication on BYOD devices,

  ---

  Explanation

  The best recommendation to include in an organization's bring your own device (BYOD) policy to help prevent data leakage is to require multi-factor authentication on BYOD devices. BYOD is a practice that allows employees to use their own personal devices, such as smartphones, tablets, or laptops, to access the organization's network, data, and systems. Data leakage is a risk that involves the unauthorized or accidental disclosure or transfer of sensitive or confidential data from the organization to external parties or devices. Multi-factor authentication is a security measure that requires users to provide two or more pieces of evidence to verify their identity and access rights, such as passwords, tokens, biometrics, or codes. Multi-factor authentication can help prevent data leakage by reducing the likelihood of unauthorized access to the organization's data and systems through BYOD devices, especially if they are lost, stolen, or compromised. The other options are not as effective as requiring multi-factor authentication on BYOD devices, because they either do not prevent data leakage directly, or they are reactive rather than proactive measures.

  References: CISA Review Manual (Digital Version)1, Chapter 5, Section 5.2.3

• Question 224:

  Which of the following is the MOST important consideration when establishing operational log management?

  A. Types of data
  B. Log processing efficiency
  C. IT organizational structure
  D. Log retention period
  D. Log retention period

  ---

  Explanation

• Question 225:

  Which of the following should be of GREATEST concern to an IS auditor reviewing the controls for a continuous software release process?

  A. Release documentation is not updated to reflect successful deployment.
  B. Test libraries have not been reviewed in over six months.
  C. Developers are able to approve their own releases.
  D. Testing documentation is not attached to production releases.
  C. Developers are able to approve their own releases.

  ---

  Explanation

• Question 226:

  Which of the following should be an IS auditor's GREATEST concern when a data owner assigns an incorrect classification level to data?

  A. Controls to adequately safeguard the data may not be applied.
  B. Data may not be encrypted by the system administrator.
  C. Competitors may be able to view the data.
  D. Control costs may exceed the intrinsic value of the IT asset.
  A. Controls to adequately safeguard the data may not be applied.

  ---

  Explanation

  The answer A is correct because the greatest concern for an IS auditor when a data owner assigns an incorrect classification level to data is that controls to adequately safeguard the data may not be applied. Data classification is the process of categorizing data assets based on their information sensitivity and business impact. Data classification helps organizations to identify, protect, and manage their data according to their value and risk. Data owners are the individuals or entities who have the authority and responsibility to define, classify, and control the access and use of their data. Data classification typically involves assigning labels or tags to data assets, such as public, internal, confidential, or restricted. These labels indicate the level of protection and handling required for the data. Based on the data classification, organizations can implement appropriate controls to safeguard the data, such as encryption, access control lists, audit logs, backup policies, etc. These controls help to prevent unauthorized access, disclosure, modification, or loss of data, and to ensure compliance with relevant laws and regulations. If a data owner assigns an incorrect classification level to data, it can result in either underprotection or overprotection of the data. Underprotection means that the data is classified at a lower level than it should be, which exposes it to higher risks of compromise or breach. For example, if a data owner classifies personal health information (PHI) as public instead of confidential, it may allow anyone to access or share the data without proper authorization or consent. This can violate the privacy rights of the data subjects and the compliance requirements of regulations such as HIPAA (Health Insurance Portability and Accountability Act). Overprotection means that the data is classified at a higher level than it should be, which limits its availability or usability. For example, if a data owner classifies marketing materials as restricted instead of public, it may prevent potential customers or partners from accessing or viewing the data. This can reduce the business value and opportunities of the data. Therefore, an IS auditor should be concerned about the accuracy and consistency of data classification by data owners, as it affects the security and efficiency of data management. An IS auditor should review the policies and procedures for data classification, verify that the data owners have adequate knowledge and skills to classify their data, and test that the data classification labels match with the actual sensitivity and impact of the data.

  References: Data Classification: What It Is and How to Implement It What Is Data Classification? - Definition, Levels and Examples ... Data Classification: A Guide for Data Security Leaders

• Question 227:

  A financial accounting system audit determined that audit logging of transactions had been disabled by a finance employee. The IS auditor recommended that finance personnel no longer have the capability to change audit logging settings. Which of the following is MOST important to verify during the follow-up?

  A. Finance personnel receive security awareness training.
  B. Audit logs of transactions are reviewed.
  C. Changes to configurations are documented.
  D. Least privilege access is being enforced.
  D. Least privilege access is being enforced.

  ---

  Explanation

  Explanation

• Question 228:

  Which of the following Is the BEST way to ensure payment transaction data is restricted to the appropriate users?

  A. Implementing two-factor authentication
  B. Restricting access to transactions using network security software
  C. implementing role-based access at the application level
  D. Using a single menu tor sensitive application transactions
  C. implementing role-based access at the application level

  ---

  Explanation

  The best way to ensure payment transaction data is restricted to the appropriate users is implementing role-based access at the application level. Role-based access is a method of access control that assigns permissions or privileges to users based on their roles or functions within an organization or system. Role-based access can help ensure that payment transaction data is restricted to the appropriate users, by allowing only authorized users who have a legitimate need or purpose to access or use the payment transaction data, and preventing unauthorized or unnecessary access or use by other users. Implementing two-factor authentication is a possible way to enhance the security and verification of user identities, but it is not the best way to ensure payment transaction data is restricted to the appropriate users, as it does not define what permissions or privileges users have on the payment transaction data. Restricting access to transactions using network security software is a possible way to protect the network communication and transmission of payment transaction data, but it is not the best way to ensure payment transaction data is restricted to the appropriate users, as it does not specify what actions or operations users can perform on the payment transaction data. Using a single menu for sensitive application transactions is a possible way to simplify the user interface and navigation of payment transaction data, but it is not the best way to ensure payment transaction data is restricted to the appropriate users, as it does not limit what users can access or use the payment transaction data.

• Question 229:

  While reviewing similar issues in an organization's help desk system, an IS auditor finds that they were analyzed independently and resolved differently. This situation MOST likely indicates a deficiency in:

  A. IT service level management.
  B. change management.
  C. configuration management.
  D. problem management.
  D. problem management.

  ---

  Explanation

• Question 230:

  Which of the following is an example of a passive attack method?

  A. Keystroke logging
  B. Piggybacking
  C. Eavesdropping
  D. Phishing
  C. Eavesdropping

  ---

  Explanation

  Explanation