Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 451:

  An IS auditor is asked to review a large organization's change management process. Which of the following practices presents the GREATEST risk?

  A. Emergency code changes are promoted without user acceptance testing.
  B. A system administrator performs code migration on planned downtime.
  C. Change management tickets do not contain specific documentation.
  D. Transaction data changes can be made by a senior developer.
  C. Change management tickets do not contain specific documentation.

  ---

  Explanation

• Question 452:

  Which of the following is the PRIMARY purpose of a rollback plan for a system change?

  A. To ensure steps exist to remove the change if necessary
  B. To ensure testing can be re-performed if required
  C. To ensure a backup exists before implementing a change
  D. To ensure the system change is effective
  A. To ensure steps exist to remove the change if necessary

  ---

  Explanation

• Question 453:

  An IS auditor concludes that logging and monitoring mechanisms within an organization are ineffective because critical servers are not included within the central log repository. Which of the following audit procedures would have MOST likely identified this exception?

  A. Inspecting a sample of alerts generated from the central log repository
  B. Comparing a list of all servers from the directory server against a list of all servers present in the central log repository
  C. Inspecting a sample of alert settings configured in the central log repository
  D. Comparing all servers included in the current central log repository with the listing used for the prior-year audit
  B. Comparing a list of all servers from the directory server against a list of all servers present in the central log repository

  ---

  Explanation

  The audit procedure that would have most likely identified the exception of critical servers not included in the central log repository is to compare a list of all servers from the directory server against a list of all servers present in the central log repository. This would allow the IS auditor to detect any discrepancies or omissions in the central log repository. The other audit procedures (A, C and D) would not be effective in identifying this exception, as they would only focus on the alerts generated, the alert settings configured, or the servers included in the previous year's audit, which may not reflect the current state of the central log repository.

  References: IS Audit and Assurance Guideline 2202: Evidence Collection Techniques, CISA Review Manual (Digital Version), Chapter 5: Protection of Information Assets, Section 5.3: Logging and Monitoring

• Question 454:

  An IS audit manager was temporarily tasked with supervising a project manager assigned to the organization's payroll application upgrade. Upon returning to the audit department, the audit manager has been asked to perform an audit to validate the implementation of the payroll application. The audit manager is the only one in the audit department with IT project management experience. What is the BEST course of action?

  A. Transfer the assignment to a different audit manager despite lack of IT project management experience.
  B. Outsource the audit to independent and qualified resources.
  C. Manage the audit since there is no one else with the appropriate experience.
  D. Have a senior IS auditor manage the project with the IS audit manager performing final review.
  B. Outsource the audit to independent and qualified resources.

  ---

  Explanation

  Outsourcing the audit to independent and qualified resources is the best course of action for the IS audit manager who was temporarily tasked with supervising a project manager assigned to the organization's payroll application upgrade. This is because the IS audit manager has a potential conflict of interest and a threat to objectivity and independence, which are essential principles and standards for IS auditors. According to the ISACA Code of Professional Ethics, IS auditors should maintain objectivity and independence in their professional judgment and avoid any situations that may impair or be presumed to impair their objectivity or independence1. Objectivity is the mental attitude of an IS auditor that allows them to perform their work honestly, impartially, and with integrity, while independence is the freedom from conditions that threaten the ability of an IS auditor to carry out their work in an unbiased manner2. The IS audit manager who was involved in supervising the payroll application upgrade project may have a self-review threat, which is the risk that an IS auditor will not appropriately evaluate the results of a previous judgment made or service performed by them or their subordinates3. The IS audit manager may also have a familiarity threat, which is the risk that an IS auditor will be influenced by a close relationship with someone involved in the project or by their own personal interests4. These threats may compromise the IS audit manager's objectivity and independence and affect the quality and credibility of the audit. Therefore, the IS audit manager should disclose their involvement in the project to their senior management and the audit committee and decline to perform or manage the audit. The IS audit manager should also recommend outsourcing the audit to independent and qualified resources who have no connection or interest in the project and who have the necessary skills and experience to conduct a reliable and effective audit. The other options are not the best course of action for the IS audit manager. Transferring the assignment to a different audit manager despite lack of IT project management experience is not the best course of action because it may result in a low- quality audit that does not meet the expectations and standards of the stakeholders. IT project management experience is essential for auditing an IT project, as it requires knowledge of project management methodologies, tools, techniques, risks, and best practices. An audit manager who lacks IT project management experience may not be able to plan, execute, report, and follow up on the audit effectively and efficiently. Managing the audit since there is no one else with the appropriate experience is not the best course of action because it violates the ethical principles and standards of objectivity and independence for IS auditors. Managing the audit would create a conflict of interest and a threat to objectivity and independence for the IS audit manager, as they would be reviewing their own work or that of their subordinate. Managing the audit would also undermine the credibility and reliability of the audit results and recommendations, as they may be biased or influenced by personal or professional relationships or interests. Having a senior IS auditor manage the project with the IS audit manager performing final review is not the best course of action because it still involves the IS audit manager in the audit process, which poses a conflict of interest and a threat to objectivity and independence. Performing final review would require the IS audit manager to evaluate and approve the work done by the senior IS auditor, which may be affected by their previous involvement in or knowledge of the project. Performing final review would also expose the IS audit manager to undue pressure or influence from management or other stakeholders who may have expectations or preferences regarding the audit outcome.

• Question 455:

  When an organization and its IT-hosting service provider are establishing a contract with each other, it is MOST important that the contract includes:

  A. each party's security responsibilities
  B. details of expected security metrics
  C. penalties for noncompliance with security policy
  D. recovery time objectives (RTOs)
  A. each party's security responsibilities

  ---

  Explanation

• Question 456:

  ISO 9126 is a standard to assist in evaluating the quality of a product. Which of the following is defined as a set of attributes that bear on the existence of a set of functions and their specified properties?

  A. Reliability
  B. Usability
  C. Functionality
  D. Maintainability
  C. Functionality

  ---

  Explanation

  Functionality - A set of attributes that bear on the existence of a set of functions and their specified properties.

  The functions are those that satisfy stated or implied needs. Suitability Accuracy Interoperability Security Functionality Compliance

  For CISA Exam you should know below information about ISO 9126 model:

  ISO/IEC 9126 Software engineering -- Product quality was an international standard for the evaluation of software quality. It has been replaced by ISO/IEC 25010:2011.[1] The fundamental objective of the ISO/IEC 9126 standard is to address some of the well-known human biases that can adversely affect the delivery and perception of a software development project. These biases include changing priorities after the start of a project or not having any clear definitions of "success." By clarifying, then agreeing on the project priorities and subsequently converting abstract priorities (compliance) to measurable values (output data can be validated against schema X with zero intervention), ISO/IEC 9126 tries to develop a common understanding of the project's objectives and goals.

  ISO 9126

  

  The standard is divided into four parts:

  Quality model

  External metrics

  Internal metrics

  Quality in use metrics.

  Quality Model

  The quality model presented in the first part of the standard, ISO/IEC 9126-1,[2] classifies software quality in a structured set of characteristics and sub-characteristics as follows:

  Functionality - A set of attributes that bear on the existence of a set of functions and their specified properties. The functions are those that satisfy stated or implied needs.

  Suitability

  Accuracy

  Interoperability

  Security

  Functionality Compliance

  Reliability - A set of attributes that bear on the capability of software to maintain its level of performance under stated conditions for a stated period of time.

  Maturity

  Fault Tolerance

  Recoverability

  Reliability Compliance

  Usability - A set of attributes that bear on the effort needed for use, and on the individual assessment of such use, by a stated or implied set of users.

  Understandability

  Learn ability

  Operability

  Attractiveness

  Usability Compliance

  Efficiency - A set of attributes that bear on the relationship between the level of performance of the software and the amount of resources used, under stated conditions.

  Time Behavior

  Resource Utilization

  Efficiency Compliance

  Maintainability - A set of attributes that bear on the effort needed to make specified modifications.

  Analyzability

  Changeability

  Stability

  Testability

  Maintainability Compliance

  Portability - A set of attributes that bear on the ability of software to be transferred from one environment to another.

  Adaptability

  Install ability

  Co-Existence

  Replace ability

  Portability Compliance

  Each quality sub-characteristic (e.g. adaptability) is further divided into attributes. An attribute is an entity which can be verified or measured in the software product. Attributes are not defined in the standard, as they vary between different

  software products.

  Software product is defined in a broad sense: it encompasses executables, source code, architecture descriptions, and so on. As a result, the notion of user extends to operators as well as to programmers, which are users of components

  such as software libraries.

  The standard provides a framework for organizations to define a quality model for a software product. On doing so, however, it leaves up to each organization the task of specifying precisely its own model. This may be done, for example, by

  specifying target values for quality metrics which evaluates the degree of presence of quality attributes.

  Internal Metrics

  Internal metrics are those which do not rely on software execution (static measure)

  External Metrics

  External metrics are applicable to running software.

  Quality in Use Metrics

  Quality in use metrics are only available when the final product is used in real conditions.

  Ideally, the internal quality determines the external quality and external quality determines quality in use.

  This standard stems from the GE model for describing software quality, presented in 1977 by McCall et al., which is organized around three types of Quality Characteristics:

  Factors (To specify): They describe the external view of the software, as viewed by the users.

  Criteria (To build): They describe the internal view of the software, as seen by the developer.

  Metrics (To control): They are defined and used to provide a scale and method for measurement.

  ISO/IEC 9126 distinguishes between a defect and a nonconformity, a defect being The nonfulfillment of intended usage requirements, whereas a nonconformity is The nonfulfillment of specified requirements. A similar distinction is made

  between validation and verification, known as VandV in the testing trade.

  The following were incorrect answers:

  Reliability - A set of attributes that bear on the capability of software to maintain its level of performance under stated conditions for a stated period of time. Usability - A set of attributes that bear on the effort needed for use, and on the

  individual assessment of such use, by a stated or implied set of users.

  Maintainability - A set of attributes that bear on the effort needed to make specified modifications.

  CISA review manual 2014 Page number 188

• Question 457:

  Which of the following is critical to the successful establishment of an enterprise IT architecture?

  A. A well-defined data migration policy
  B. Comparison of the architecture with that of other organizations
  C. An architecture encompassing only critical systems
  D. Organizational support for standardization
  D. Organizational support for standardization

  ---

  Explanation

• Question 458:

  When implementing a new risk assessment methodology, which of the following is the MOST important requirement?

  A. The methodology must be approved by the chief executive officer.
  B. Risk assessments must be reviewed annually.
  C. Risk assessments must be conducted by certified staff.
  D. The methodology used must be consistent across the organization.
  D. The methodology used must be consistent across the organization.

  ---

  Explanation

• Question 459:

  During an exit meeting, an IS auditor highlights that backup cycles are being missed due to operator error and that these exceptions are not being managed. Which of the following is the BEST way to help management understand the associated risk?

  A. Explain the impact to disaster recovery.
  B. Explain the impact to resource requirements.
  C. Explain the impact to incident management.
  D. Explain the impact to backup scheduling.
  A. Explain the impact to disaster recovery.

  ---

  Explanation

  The best way to help management understand the associated risk of missing backup cycles due to operator error and lack of exception management is to explain the impact to disaster recovery. Disaster recovery is the process of restoring normal operations and functions after a disruptive event, such as a natural disaster, a cyberattack, or a hardware failure. Backup cycles are essential for disaster recovery, because they ensure that the organization has copies of its critical data and systems that can be restored in case of data loss or corruption. If backup cycles are missed due to operator error, and these exceptions are not managed, the organization may not have the latest or complete backups available for disaster recovery, which can result in prolonged downtime, reduced productivity, lost revenue, reputational damage, and legal or regulatory penalties. The other options are not as effective as explaining the impact to disaster recovery, because they either do not address the risk of data loss or corruption, or they focus on operational or technical aspects rather than business outcomes.

  References: CISA Review Manual (Digital Version)1, Chapter 5, Section 5.2.1

• Question 460:

  An organization uses public key infrastructure (PKI) to provide email security. Which of the following would be the MOST efficient method to determine whether email messages have been modified in transit?

  A. The message is encrypted using a symmetric algorithm.
  B. The message is sent using Transport Layer Security (TLS) protocol.
  C. The message is sent along with an encrypted hash of the message.
  D. The message is encrypted using the private key of the sender.
  C. The message is sent along with an encrypted hash of the message.

  ---

  Explanation

  This method is known as creating a digital signature of the message. It ensures the integrity of the message by verifying that it has not been tampered with in transit. The process involves hashing the message and encrypting the hash value with the sender's private key. Any changes to the message will result in a different hash value. This method is used in DomainKeys Identified Mail (DKIM), which verifies an email's domain and helps show that the email has not been tampered with in transit.

  References: Understanding Digital Signatures | CISA Using DomainKeys Identified Mail (DKIM) in your organisation