Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 261:

  An IS auditor is reviewing an organization's primary router access control list. Which of the following should result in a finding?

  A. There are conflicting permit and deny rules for the IT group.
  B. The network security group can change network address translation (NAT).
  C. Individual permissions are overriding group permissions.
  D. There is only one rule per group with access privileges.
  C. Individual permissions are overriding group permissions.

  ---

  Explanation

  This should result in a finding because it violates the best practice of setting rules for groups rather than users. According to one of the web search results, using group permissions instead of individual permissions can simplify the management and maintenance of ACLs, reduce the risk of human errors, and ensure consistency and compliance. Individual permissions can create conflicts, confusion, and security gaps in the ACLs. Therefore, the IS auditor should report this as a finding and recommend using group permissions instead.

• Question 262:

  Which of the following MUST be completed before selecting and deploying a biometric system that uses facial recognition software?

  A. Privacy impact analysts
  B. Vulnerability assessment
  C. Image interference review
  D. False acceptance testing
  D. False acceptance testing

  ---

  Explanation

• Question 263:

  An IS auditor can BEST evaluate the business impact of system failures by:

  A. assessing user satisfaction levels.
  B. interviewing the security administrator.
  C. analyzing equipment maintenance logs.
  D. reviewing system-generated logs.
  C. analyzing equipment maintenance logs.

  ---

  Explanation

• Question 264:

  In order for a firewall to effectively protect a network against external attacks, what fundamental practice must be followed?

  A. The firewall must be placed in the demilitarized zone (DMZ).
  B. Only essential external services should be permitted.
  C. Filters for external information must be defined.
  D. All external communication must be via the firewall.
  B. Only essential external services should be permitted.

  ---

  Explanation

• Question 265:

  Stress testing should ideally be earned out under a:

  A. test environment with production workloads.
  B. production environment with production workloads.
  C. production environment with test data.
  D. test environment with test data.
  A. test environment with production workloads.

  ---

  Explanation

  Stress testing is a type of performance testing that evaluates the behavior and reliability of a system under extreme conditions, such as high workload, limited resources, or concurrent users. Stress testing should ideally be carried out under a test environment with production workloads, as this would simulate the most realistic and demanding scenario for the system without affecting the actual production environment. A production environment with production workloads is not suitable for stress testing, as it could cause disruption or damage to the system and its users. A production environment with test data is not suitable for stress testing, as it could compromise the integrity and security of the production data. A test environment with test data is not suitable for stress testing, as it could underestimate the potential issues and risks that could occur in the production environment.

  References: CISA Review Manual, 27th Edition, pages 471-4721 CISA Review Questions, Answers and Explanations Database, Question ID: 261

• Question 266:

  Which of the following is the MOST important prerequisite for implementing a data loss prevention (DLP) tool?

  A. Requiring users to save files in secured folders instead of a company-wide shared drive
  B. Reviewing data transfer logs to determine historical patterns of data flow
  C. Developing a DLP policy and requiring signed acknowledgment by users
  D. Identifying where existing data resides and establishing a data classification matrix
  D. Identifying where existing data resides and establishing a data classification matrix

  ---

  Explanation

  A data loss prevention (DLP) tool is a software application that detects and prevents data breaches by monitoring and protecting sensitive data from unauthorized access, transfer, or use1. A DLP tool can help your organization comply with

  regulations, prevent insider threats, and protect your intellectual property.

  Before implementing a DLP tool, the most important prerequisite is to identify where existing data resides and establish a data classification matrix. This is because you need to know what data you have, where it is stored, how sensitive it is,

  and who can access it. A data classification matrix is a framework that defines the categories and levels of data sensitivity, such as public, internal, confidential, or restricted2. By identifying and classifying your data, you can determine the

  appropriate DLP policies and controls to apply to each type of data and prevent data loss or leakage.

• Question 267:

  Which of the following BEST enables alignment of IT with business objectives?

  A. Benchmarking against peer organizations
  B. Developing key performance indicators (KPIs)
  C. Completing an IT risk assessment
  D. Leveraging an IT governance framework
  D. Leveraging an IT governance framework

  ---

  Explanation

  Leveraging an IT governance framework is the best way to enable alignment of IT with business objectives, as it provides a set of principles, standards, processes, and practices that guide the effective delivery of IT services that support the organization's strategy and goals. Benchmarking against peer organizations, developing key performance indicators (KPIs), and completing an IT risk assessment are useful activities that can help measure and improve the performance and value of IT, but they are not sufficient to ensure alignment without a governance framework.

  References: CISA Review Manual (Digital Version), Chapter 1: Information Systems Auditing Process, Section 1.2: IT Governance

• Question 268:

  What is an IS auditor's BEST course of action if informed by a business unit's representatives that they are too busy to cooperate with a scheduled audit?

  A. Reschedule the audit for a time more convenient to the business unit.
  B. Notify the chief audit executive who can negotiate with the head of the business unit.
  C. Begin the audit regardless and insist on cooperation from the business unit.
  D. Notify the audit committee immediately and request they direct the audit begin on schedule.
  B. Notify the chief audit executive who can negotiate with the head of the business unit.

  ---

  Explanation

• Question 269:

  What Is the BEST method to determine if IT resource spending is aligned with planned project spending?

  A. Earned value analysis (EVA)
  B. Return on investment (ROI) analysis
  C. Gantt chart
  D. Critical path analysis
  A. Earned value analysis (EVA)

  ---

  Explanation

  The best method to determine if IT resource spending is aligned with planned project spending is earned value analysis (EVA). EVA is a technique that compares the actual cost, schedule, and scope of a project with the planned or budgeted values. EVA can help to measure the project progress and performance, and identify any variances or deviations from the baseline plan1. EVA uses three basic values to calculate the project status: planned value (PV), earned value (EV), and actual cost (AC). PV is the amount of work that was expected to be completed by a certain date, according to the project plan. EV is the amount of work that was actually completed by that date, measured in terms of the budgeted cost. AC is the amount of money that was actually spent to complete the work by that date1. By comparing these values, EVA can determine if the project is on track, ahead, or behind schedule and budget. EVA can also calculate various indicators, such as cost variance (CV), schedule variance (SV), cost performance index (CPI), and schedule performance index (SPI), to quantify the magnitude and direction of the variances. EVA can also forecast the future performance and completion of the project, based on the current trends and assumptions1. The other options are not as effective as EVA in determining if IT resource spending is aligned with planned project spending. Option B, return on investment (ROI) analysis, is a technique that evaluates the profitability or efficiency of an investment, by comparing the benefits or revenues with the costs. ROI analysis can help to justify or prioritize a project, but it does not measure the actual progress or performance of the project against the plan2. Option C, Gantt chart, is a tool that displays the tasks, durations, dependencies, and milestones of a project in a graphical format. Gantt chart can help to plan and monitor a project schedule, but it does not show the actual cost or scope of the project3. Option D, critical path analysis, is a technique that identifies the longest sequence of tasks or activities that must be completed on time for the project to finish on schedule. Critical path analysis can help to optimize and control a project schedule, but it does not account for the actual cost or scope of the project4.

  References: Earned Value Analysis and Management (EVA/EVM) ?Definitionand; Formulae1 Return on Investment (ROI) Formula2 What Is a Gantt Chart?3 Critical Path Method for Project Management

• Question 270:

  When auditing the adequacy of a cooling system for a data center, which of the following is MOST important for the IS auditor to review?

  A. Environmental performance metrics
  B. Geographical location of the data center
  C. Disaster recovery plan (DRP) testing results
  D. Facilities maintenance records
  A. Environmental performance metrics

  ---

  Explanation