Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 421:

  Sam is the security Manager of a financial institute. Senior management has requested he performs a risk analysis on all critical vulnerabilities reported by an IS auditor. After completing the risk analysis, Sam has observed that for a few of the risks, the cost benefit analysis shows that risk mitigation cost (countermeasures, controls, or safeguard) is more than the potential lost that could be incurred. What kind of a strategy should Sam recommend to the senior management to treat these risks?

  A. Risk Mitigation
  B. Risk Acceptance
  C. Risk Avoidance
  D. Risk transfer
  B. Risk Acceptance

  ---

  Explanation

  Risk acceptance is the practice of accepting certain risk(s), typically based on a business decision that may also weigh the cost versus the benefit of dealing with the risk in another way.

  For your exam you should know below information about risk assessment and treatment:

  A risk assessment, which is a tool for risk management, is a method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls. A risk assessment is carried out, and the

  results are analyzed. Risk analysis is used to ensure that security is cost-effective, relevant, timely, and responsive to threats. Security can be quite complex, even for well-versed security professionals, and it is easy to apply too much

  security, not enough security, or the wrong security controls, and to spend too much money in the process without attaining the necessary objectives. Risk analysis helps companies prioritize their risks and shows management the amount of

  resources that should be applied to protecting against those risks in a sensible manner.

  A risk analysis has four main goals:

  Identify assets and their value to the organization.

  Identify vulnerabilities and threats.

  Quantify the probability and business impact of these potential threats.

  Provide an economic balance between the impact of the threat and the cost

  of the countermeasure.

  Treating Risk

  Risk Mitigation

  Risk mitigation is the practice of the elimination of, or the significant decrease in the level of risk presented. Examples of risk mitigation can be seen in everyday life and are readily apparent in the information technology world. Risk Mitigation

  involves applying appropriate control to reduce risk. For example, to lessen the risk of exposing personal and financial information that is highly sensitive and confidential organizations put countermeasures in place, such as firewalls, intrusion

  detection/prevention systems, and other mechanisms, to deter malicious outsiders from accessing this highly sensitive information. In the underage driver example, risk mitigation could take the form of driver education for the youth or

  establishing a policy not allowing the young driver to use a cell phone while driving, or not letting youth of a certain age have more than one friend in the car as a passenger at any given time.

  Risk Transfer

  Risk transfer is the practice of passing on the risk in question to another entity, such as an insurance company. Let us look at one of the examples that were presented above in a different way. The family is evaluating whether to permit an

  underage driver to use the family car. The family decides that it is important for the youth to be mobile, so it transfers the financial risk of a youth being in an accident to the insurance company, which provides the family with auto insurance. It

  is important to note that the transfer of risk may be accompanied by a cost. This is certainly true for the insurance example presented earlier, and can be seen in other insurance instances, such as liability insurance for a vendor or the

  insurance taken out by companies to protect against hardware and software theft or destruction. This may also be true if an organization must purchase and implement security controls in order to make their organization less desirable to

  attack. It is important to remember that not all risk can be transferred. While financial risk is simple to transfer through insurance, reputational risk may almost never be fully transferred.

  Risk Avoidance

  Risk avoidance is the practice of coming up with alternatives so that the risk in question is not realized. For example, have you ever heard a friend, or parents of a friend, complain about the costs of insuring an underage driver? How about the

  risks that many of these children face as they become mobile? Some of these families will decide that the child in question will not be allowed to drive the family car, but will rather wait until he or she is of legal age (i.e., 18 years of age) before

  committing to owning, insuring, and driving a motor vehicle.

  In this case, the family has chosen to avoid the risks (and any associated benefits) associated with an underage driver, such as poor driving performance or the cost of insurance for the child. Although this choice may be available for some

  situations, it is not available for all. Imagine a global retailer who, knowing the risks associated with doing business on the Internet, decides to avoid the practice. This decision will likely cost the company a significant amount of its revenue (if,

  indeed, the company has products or services that consumers wish to purchase). In addition, the decision may require the company to build or lease a site in each of the locations, globally, for which it wishes to continue business. This could

  have a catastrophic effect on the company's ability to continue business operations

  Risk Acceptance

  In some cases, it may be prudent for an organization to simply accept the risk that is presented in certain scenarios. Risk acceptance is the practice of accepting certain risk(s), typically based on a business decision that may also weigh the

  cost versus the benefit of dealing with the risk in another way.

  For example, an executive may be confronted with risks identified during the course of a risk assessment for their organization. These risks have been prioritized by high, medium, and low impact to the organization. The executive notes that

  in order to mitigate or transfer the low-level risks, significant costs could be involved. Mitigation might involve the hiring of additional highly skilled personnel and the purchase of new hardware, software, and office equipment, while

  transference of the risk to an insurance company would require premium payments. The

  executive then further notes that minimal impact to the organization would occur if any of the reported low-level threats were realized. Therefore, he or she (rightly) concludes that it is wiser for the organization to forgo the costs and accept the

  risk. In the young driver example, risk acceptance could be based on the observation that the youngster has demonstrated the responsibility and maturity to warrant the parent's trust in his or her judgment.

  The following answers are incorrect:

  Risk Transfer - Risk transfer is the practice of passing on the risk in question to another entity, such as an insurance company. Let us look at one of the examples that were presented above in a different way.

  Risk Avoidance - Risk avoidance is the practice of coming up with alternatives so that the risk in question is not realized.

  Risk Mitigation -Risk mitigation is the practice of the elimination of, or the significant decrease in the level of risk presented.

  CISA Review Manual 2014 Page number 51

  and

  Official ISC2 guide to CISSP CBK 3rd edition page number 534-539

• Question 422:

  Which of the following is a PRIMARY objective of incident management?

  A. Restoring services based on criticality
  B. Reporting individual incidents to management
  C. Determining the root cause of the incident
  D. Repairing the program that caused the incident
  A. Restoring services based on criticality

  ---

  Explanation

  Explanation

• Question 423:

  Which of the following is the PRIMARY reason an IS auditor should discuss observations with management before delivering a final report?

  A. Validate the audit observations_
  B. Identify business risks associated with the observations.
  C. Assist the management with control enhancements.
  D. Record the proposed course of corrective action.
  A. Validate the audit observations_

  ---

  Explanation

  The primary reason an IS auditor should discuss observations with management before delivering a final report is A. Validate the audit observations. This is because discussing the observations with management can help the auditor to ensure that the findings are accurate, complete, and supported by sufficient evidence. It can also help the auditor to obtain management's perspective and feedback on the issues and risks identified, and to avoid any misunderstandings or surprises when the final report is issued

• Question 424:

  An IS auditor discovers from patch logs that some in-scope systems are not compliant with the regular patching schedule. What should the auditor do NEXT?

  A. Interview IT management to clarify the current procedure.
  B. Report this finding to senior management.
  C. Review the organization's patch management policy.
  D. Request a plan of action to be established as a follow-up item.
  C. Review the organization's patch management policy.

  ---

  Explanation

  The IS auditor should review the organization's patch management policy to determine the expected frequency and scope of patching, as well as the roles and responsibilities of the patch management team. This will help the auditor assess

  the severity and impact of the non-compliance, and identify the root cause and possible remediation actions12.

  References:

  1: How to Create a Patch Management Policy: Complete Guide

  2: Free Patch Management Policy Template (+Examples)

• Question 425:

  An IS auditor is reviewing the upgrading of an operating system. Which of the following would be the GREATEST audit concern?

  A. The lack of release notes
  B. The lack of change control
  C. The lack of malware protection
  D. The lack of activity logging
  B. The lack of change control

  ---

  Explanation

• Question 426:

  Which of the following is the MOST important advantage of participating in beta testing of software products?

  A. It increases an organization's ability to retain staff who prefer to work with new technology.
  B. It improves vendor support and training.
  C. It enhances security and confidentiality.
  D. It enables an organization to gain familiarity with new products and their functionality.
  D. It enables an organization to gain familiarity with new products and their functionality.

  ---

  Explanation

  Beta testing is the process of releasing a near-final version of a software product to a group of external users, known as beta testers, who provide feedback and report bugs based on their real-world experiences. Beta testing offers various

  benefits for both the developers and the users of the software product. Some of these benefits are:

  It reduces product failure risk via customer validation.

  It helps to test post-launch infrastructure.

  It helps to improve product quality via customer feedback. It allows for thorough bug detection and issue resolution.

  It enhances usability and user experience.

  It increases customer satisfaction and loyalty.

  Based on these benefits, the most important advantage of participating in beta testing of software products is

  D. It enables an organization to gain familiarity with new products and their functionality. By being involved in beta testing, an

  organization can learn how to use the new product effectively, discover its features and benefits, and provide suggestions for improvement. This can help the organization to adopt the new product faster, easier, and more efficiently when it is

  officially released. It can also give the organization a competitive edge over other users who are not familiar with the new product.

• Question 427:

  Which of the following should be of MOST concern to an IS auditor reviewing an organization's operational log management?

  A. Log file size has grown year over year.
  B. Critical events are being logged to immutable log files.
  C. Applications are logging events into multiple log files.
  D. Data formats have not been standardized across all logs.
  D. Data formats have not been standardized across all logs.

  ---

  Explanation

• Question 428:

  An IS auditor is involved with a project and finds an IT project stakeholder wants to make a change that could affect both the project scope and schedule. Which of the following would be the MOST appropriate action for the project manager with respect to the change request?

  A. Recommend to the project sponsor whether to approve the change
  B. Modify the project plan as a result of the change
  C. Evaluate the impact of the change
  D. Ignore out-of-scope requests
  C. Evaluate the impact of the change

  ---

  Explanation

• Question 429:

  An organization seeks to control costs related to storage media throughout the information life cycle while still meeting business and regulatory requirements. Which of the following is the BEST way to achieve this objective?

  A. Perform periodic tape backups.
  B. Stream backups to the cloud.
  C. Implement a data retention policy.
  D. Utilize solid state memory.
  C. Implement a data retention policy.

  ---

  Explanation

• Question 430:

  Which of the following procedures should be implemented prior to disposing of surplus computer equipment to employees?

  A. Use operating system commands to delete all files from the hard drive.
  B. Have the employee receiving the machine sign a nondisclosure agreement.
  C. Use application delete commands to remove files.
  D. Overwrite the hard drive with random data.
  D. Overwrite the hard drive with random data.

  ---

  Explanation