Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 511:

  Which type of review is MOST important to conduct when an IS auditor is informed that a recent internal exploitation of a bug has been discovered in a business application?

  A. Penetration testing
  B. Application security testing
  C. Forensic audit
  D. Server security audit
  C. Forensic audit

  ---

  Explanation

  The type of review that is most important to conduct when an IS auditor is informed that a recent internal exploitation of a bug has been discovered in a business application is

  C. Forensic audit. A forensic audit is a type of audit that involves collecting, analyzing, and preserving evidence of fraud, corruption, or other illegal or unethical activities. A forensic audit can help the IS auditor to identify and document the source, scope, and impact of the exploitation, as well as the perpetrators, motives, and methods involved. A forensic audit can also help the IS auditor to provide recommendations for preventing or mitigating future exploitations, and to support any legal actions or investigations that may arise from the incident.

• Question 512:

  Which of the following would BEST help to ensure that an incident receives attention from appropriate personnel in a timely manner?

  A. Completing the incident management log
  B. Broadcasting an emergency message
  C. Requiring a dedicated incident response team
  D. Implementing incident escalation procedures
  D. Implementing incident escalation procedures

  ---

  Explanation

  Implementing incident escalation procedures is the best way to ensure that an incident receives attention from appropriate personnel in a timely manner, because it defines the roles and responsibilities, communication channels, and escalation criteria for handling different types of incidents. Incident escalation procedures help to prioritize and coordinate the response efforts and ensure that the incident is resolved by the most qualified and authorized personnel. Completing the incident management log, broadcasting an emergency message, and requiring a dedicated incident response team are not sufficient to ensure that an incident receives attention from appropriate personnel in a timely manner, because they do not specify how to escalate the incident based on its severity, impact, or complexity.

  References: 3: CISA Review Manual (Digital Version), Chapter 6, Section 6.3.2 4: CISA Online Review Course, Module 6, Lesson 3

• Question 513:

  Which of the following is the BEST methodology to use for estimating the complexity of developing a large business application?

  A. Function point analysis
  B. Work breakdown structure
  C. Critical path analysts
  D. Software cost estimation
  A. Function point analysis

  ---

  Explanation

  Function point analysis (FPA) is the best methodology to use for estimating the complexity of developing a large business application. FPA is a technique that measures the functionality of a software system based on the user requirements and the business processes that the system supports. FPA assigns a numerical value to each function or feature of the system, based on its type, complexity, and relative size. The total number of function points represents the size and complexity of the system, which can be used to estimate the development effort, cost, and time. FPA has several advantages over other estimation methods, such as: It is independent of the technology, programming language, or development methodology used for the system. Therefore, it can be applied consistently across different platforms and environments. It is based on the user perspective and the business value of the system, rather than the technical details or implementation aspects. Therefore, it can be performed early in the project life cycle, before the design or coding phases. It is objective and standardized, as it follows a set of rules and guidelines defined by the International Function Point Users Group (IFPUG). Therefore, it can reduce ambiguity and improve accuracy and reliability of the estimates. It is adaptable and scalable, as it can handle changes in the user requirements or the system scope. Therefore, it can support agile and iterative development approaches.

  References:

  1: Function Point Analysis ?Introduction and Fundamentals

  2: Software Engineering | Functional Point (FP) Analysis

• Question 514:

  An IS auditor observes that the CEO has full access to the enterprise resource planning (ERP) system. The IS auditor should FIRST:

  A. accept the level of access provided as appropriate
  B. recommend that the privilege be removed
  C. ignore the observation as not being material to the review
  D. document the finding as a potential risk
  D. document the finding as a potential risk

  ---

  Explanation

• Question 515:

  Which of the following features would BEST address risk associated with data at rest when evaluating a data loss prevention (DLP) solution?

  A. Printing of scan files
  B. File movement detection
  C. Enforcement of access policies
  D. Storage-scanning technology
  D. Storage-scanning technology

  ---

  Explanation

• Question 516:

  Which of the following would be the BEST criteria for monitoring an IT vendor's service levels?

  A. Service auditor's report
  B. Performance metrics
  C. Surprise visit to vendor
  D. Interview with vendor
  B. Performance metrics

  ---

  Explanation

  The best criteria for monitoring an IT vendor's service levels are the performance metrics, as they provide quantifiable and measurable indicators of how well the vendor is delivering the agreed-upon services, such as availability, reliability, quality, timeliness, and customer satisfaction. A service auditor's report is a document that provides an independent opinion on the vendor's controls and processes, but it may not reflect the actual service levels or performance. A surprise visit to the vendor may help to verify the vendor's compliance and operations, but it may not be feasible or effective for monitoring the service levels on a regular basis. An interview with the vendor may help to obtain feedback and insights from the vendor's perspective, but it may not be objective or reliable for monitoring the service levels.

  References: CISA Review Manual (Digital Version), Chapter 2: Governance and Management of IT, Section 2.4: IT Service Delivery and Support

• Question 517:

  A design company has multiple name and address files for its customers in several of its independent systems. Which of the following is the BEST control to ensure that the customer name and address agree across all files?

  A. Use of hash totals on customer records
  B. Periodic review of each master file by management
  C. Matching of records and review of exception reports
  D. Use of authorized master file change forms
  A. Use of hash totals on customer records

  ---

  Explanation

• Question 518:

  During the planning phase of a data loss prevention (DLP) audit, management expresses a concern about mobile computing. Which of the following should the IS auditor identity as the associated risk?

  A. The use of the cloud negatively impacting IT availably
  B. Increased need for user awareness training
  C. Increased vulnerability due to anytime, anywhere accessibility
  D. Lack of governance and oversight for IT infrastructure and applications
  C. Increased vulnerability due to anytime, anywhere accessibility

  ---

  Explanation

  The associated risk of mobile computing that an IS auditor should identify during the planning phase of a data loss prevention (DLP) audit is increased vulnerability due to anytime, anywhere accessibility. Mobile computing refers to the use of portable devices, such as laptops, tablets, smartphones, or wearable devices, that can access data and applications over wireless networks from any location6. Mobile computing enables greater flexibility, productivity, and convenience for users, but also poses significant security challenges for organizations. One of these challenges is increased vulnerability due to anytime, anywhere accessibility. This means that mobile devices are exposed to a higher risk of loss, theft, damage, or unauthorized access than stationary devices7. If mobile devices contain or access sensitive data without proper protection, such as encryption or authentication, they could result in data leakage or breach in case of compromise8. Therefore, an IS auditor should identify this risk as part of a DLP audit. The other options are less relevant or incorrect because:

  A. The use of cloud negatively impacting IT availability is not an associated risk of mobile computing that an IS auditor should identify during the planning phase of a DLP audit, as it is more related to cloud computing than mobile computing. Cloud computing refers to the delivery of computing services, such as data storage or processing, over the Internet from remote servers. Cloud computing may enable or support mobile computing by providing access to data and applications from any device or location, but it does not necessarily imply mobile computing. The use of cloud may negatively impact IT availability if there are disruptions or outages in the cloud service provider's network or infrastructure, but this is not a direct consequence of mobile computing.

  B. Increased need for user awareness training is not an associated risk of mobile computing that an IS auditor should identify during the planning phase of a DLP audit, as it is more of a control or mitigation measure than a risk. User awareness training refers to educating users about security policies, procedures, and best practices for using mobile devices and protecting data. User awareness training may help to reduce the risk of data loss or breach due to mobile computing by increasing user knowledge and responsibility, but it does not eliminate or prevent the risk.

  D. Lack of governance and oversight for IT infrastructure and applications is not an associated risk of mobile computing that an IS auditor should identify during the planning phase of a DLP audit, as it is more of a general or organizational risk than a specific or technical risk. Governance and oversight refer to the establishment and implementation of policies, standards, and procedures for managing IT resources and aligning them with business objectives. Lack of governance and oversight for IT infrastructure and applications may affect the security and performance of mobile devices and data, but it is not a direct or inherent result of mobile computing.

  References: Mobile Computing - ISACA, Mobile Computing Device Threats, Vulnerabilities and Risk Factors Are Ubiquitous - ISACA, Data Loss Prevention--Next Steps - ISACA, [Cloud Computing - ISACA], [Cloud Computing Risk Assessment - ISACA], [User Awareness Training - ISACA], [Governance and Oversight - ISACA]

• Question 519:

  An IS auditor is concerned that unauthorized access to a highly sensitive data center might be gained by piggybacking or tailgating. Which of the following is the BEST recommendation? (Choose Correct answer and give explanation from CISA Certification - Information Systems Auditor official book)

  A. Biometrics
  B. Procedures for escorting visitors
  C. Airlock entrance
  D. Intruder alarms
  C. Airlock entrance

  ---

  Explanation

  The best recommendation to prevent unauthorized access to a highly sensitive data center by piggybacking or tailgating is to use an airlock entrance. An airlock entrance is a type of access control system that consists of two doors that are interlocked, so that only one door can be opened at a time. This prevents an unauthorized person from following an authorized person into the data center without being detected. An airlock entrance can also be integrated with other security measures, such as biometrics, card readers, or PIN pads, to verify the identity and authorization of each person entering the data center. Biometrics (option A) is a method of verifying the identity of a person based on their physical or behavioral characteristics, such as fingerprints, iris scans, or voice recognition. Biometrics can provide a high level of security, but they are not sufficient to prevent piggybacking or tailgating, as an unauthorized person can still follow an authorized person who has been authenticated by the biometric system. Procedures for escorting visitors (option B) is a policy that requires all visitors to the data center to be accompanied by an authorized employee at all times. This can help prevent unauthorized access by visitors, but it does not address the risk of piggybacking or tailgating by other employees or contractors who may have legitimate access to the building but not to the data center. Intruder alarms (option D) are devices that detect and alert when an unauthorized person enters a restricted area. Intruder alarms can provide a deterrent and a response mechanism for unauthorized access, but they are not effective in preventing piggybacking or tailgating, as they rely on the detection of the intruder after they have already entered the data center.

  References:

  1: CISA Certification | Certified Information Systems Auditor | ISACA

  2: CISA Certified Information Systems Auditor Study Guide, 4th Edition

  3: CISA - Certified Information Systems Auditor Study Guide [Book]

• Question 520:

  An organization wants to replace its suite of legacy applications with a new, in-house developed solution. Which of the following is the BEST way to address concerns associated with migration of all mission- critical business functionality?

  A. Strengthen governance by hiring certified and qualified project managers for the migration.
  B. Expedite go-live by migrating in a single release to allow more time for testing in production.
  C. Plan multiple releases to gradually migrate subsets of functionality to reduce production risk.
  D. Increase testing efforts so that all possible combinations of data have been tested prior to go-live.
  C. Plan multiple releases to gradually migrate subsets of functionality to reduce production risk.

  ---

  Explanation