Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 541:

  The PRIMARY objective of a control self-assessment (CSA) is to:

  A. educate functional areas on risks and controls.
  B. ensure appropriate access controls are implemented.
  C. eliminate the audit risk by leveraging management's analysis.
  D. gain assurance for business functions that cannot be audited.
  A. educate functional areas on risks and controls.

  ---

  Explanation

  The primary objective of a control self-assessment (CSA) is to educate functional areas on risks and controls. CSA is a technique that allows managers and work teams directly involved in business units, functions or processes to participate in assessing the organization's risk management and control processes. CSA can help functional areas to obtain a clear and shared understanding of their major activities and objectives, to foster an improved awareness of risk and controls among management and staff, to enhance responsibility and accountability for risks and controls, and to highlight best practices and opportunities to improve business performance. The other options are not the primary objective of a CSA. Ensuring appropriate access controls are implemented is a specific type of control that may be assessed by a CSA, but it is not the main goal of the technique. Eliminating the audit risk by leveraging management's analysis is not a realistic or desirable outcome of a CSA, as audit risk can never be completely eliminated, and management's analysis may not be sufficient or reliable without independent verification. Gaining assurance for business functions that cannot be audited is not a valid reason for conducting a CSA, as all business functions should be subject to audit, and a CSA is not a substitute for an audit.

  References: Control Self Assessments - PwC Control self-assessment - Wikipedia Control Self Assessment - AuditNet

• Question 542:

  When processing speed is the highest priority, which cryptographic algorithm should be used to verify the integrity of a bit-for-bit copy from digital evidence?

  A. MD5
  B. SHA-1
  C. AES
  D. SHA-2
  A. MD5

  ---

  Explanation

  Explanation

• Question 543:

  Which of the following risk handling technique involves the practice of being proactive so that the risk in question is not realized?

  A. Risk Mitigation
  B. Risk Acceptance
  C. Risk Avoidance
  D. Risk transfer
  C. Risk Avoidance

  ---

  Explanation

  Risk avoidance is the practice of coming up with alternatives so that the risk in question is not realized.

  For your exam you should know below information about risk assessment and treatment:

  A risk assessment, which is a tool for risk management, is a method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls. A risk assessment is carried out, and the

  results are analyzed. Risk analysis is used to ensure that security is cost-effective, relevant, timely, and responsive to threats. Security can be quite complex, even for well-versed security professionals, and it is easy to apply too much

  security, not enough security, or the wrong security controls, and to spend too much money in the process without attaining the necessary objectives. Risk analysis helps companies prioritize their risks and shows management the amount of

  resources that should be applied to protecting against those risks in a sensible manner.

  A risk analysis has four main goals:

  Identify assets and their value to the organization.

  Identify vulnerabilities and threats.

  Quantify the probability and business impact of these potential threats.

  Provide an economic balance between the impact of the threat and the cost

  of the countermeasure.

  Treating Risk

  Risk Mitigation

  Risk mitigation is the practice of the elimination of, or the significant decrease in the level of risk presented. Examples of risk mitigation can be seen in everyday life and are readily apparent in the information technology world. Risk Mitigation

  involves applying appropriate control to reduce risk. For example, to lessen the risk of exposing personal and financial information that is highly sensitive and confidential organizations put countermeasures in place, such as firewalls, intrusion

  detection/prevention systems, and other mechanisms, to deter malicious outsiders from accessing this highly sensitive information. In the underage driver example, risk mitigation could take the form of driver education for the youth or

  establishing a policy not allowing the young driver to use a cell phone while driving, or not letting youth of a certain age have more than one friend in the car as a passenger at any given time.

  Risk Transfer

  Risk transfer is the practice of passing on the risk in question to another entity, such as an insurance company. Let us look at one of the examples that were presented above in a different way. The family is evaluating whether to permit an

  underage driver to use the family car. The family decides that it is important for the youth to be mobile, so it transfers the financial risk of a youth being in an accident to the insurance company, which provides the family with auto insurance. It

  is important to note that the transfer of risk may be accompanied by a cost. This is certainly true for the insurance example presented earlier, and can be seen in other insurance instances, such as liability insurance for a vendor or the

  insurance taken out by companies to protect against hardware and software theft or destruction. This may also be true if an organization must purchase and implement security controls in order to make their organization less desirable to

  attack. It is important to remember that not all risk can be transferred. While financial risk is simple to transfer through insurance, reputational risk may almost never be fully transferred.

  Risk Avoidance

  Risk avoidance is the practice of coming up with alternatives so that the risk in question is not realized. For example, have you ever heard a friend, or parents of a friend, complain about the costs of insuring an underage driver? How about the

  risks that many of these children face as they become mobile? Some of these families will decide that the child in question will not be allowed to drive the family car, but will rather wait until he or she is of legal age (i.e., 18 years of age) before

  committing to owning, insuring, and driving a motor vehicle.

  In this case, the family has chosen to avoid the risks (and any associated benefits) associated with an underage driver, such as poor driving performance or the cost of insurance for the child. Although this choice may be available for some

  situations, it is not available for all. Imagine a global retailer who, knowing the risks associated with doing business on the Internet, decides to avoid the practice. This decision will likely cost the company a significant amount of its revenue (if,

  indeed, the company has products or services that consumers wish to purchase). In addition, the decision may require the company to build or lease a site in each of the locations, globally, for which it wishes to continue business. This could

  have a catastrophic effect on the company's ability to continue business operations

  Risk Acceptance

  In some cases, it may be prudent for an organization to simply accept the risk that is presented in certain scenarios. Risk acceptance is the practice of accepting certain risk(s), typically based on a business decision that may also weigh the

  cost versus the benefit of dealing with the risk in another way. For example, an executive may be confronted with risks identified during the course of a risk assessment for their organization. These risks have been prioritized by high, medium, and low impact to the organization. The executive notes that in order to mitigate or transfer the low-level risks, significant costs could be involved. Mitigation might involve the hiring of additional highly skilled personnel and the purchase of new hardware, software, and office equipment, while transference of the risk to an insurance company would require premium payments. The executive then further notes that minimal impact to the organization would occur if any of the reported low-level threats were realized. Therefore, he or she (rightly) concludes that it is wiser for the organization to forgo the costs and accept the risk. In the young driver example, risk acceptance could be based on the observation that the youngster has demonstrated the responsibility and maturity to warrant the parent's trust in his or her judgment.

  The following answers are incorrect:

  Risk Transfer - Risk transfer is the practice of passing on the risk in question to another entity, such as an insurance company. Let us look at one of the examples that were presented above in a different way.

  Risk Acceptance - Risk acceptance is the practice of accepting certain risk(s), typically based on a business decision that may also weigh the cost versus the benefit of dealing with the risk in another way.

  Risk Mitigation -Risk mitigation is the practice of the elimination of, or the significant decrease in the level of risk presented

  CISA Review Manual 2014 Page number 51 and Official ISC2 guide to CISSP CBK 3rd edition page number 534-536

• Question 544:

  The MOST effective way to reduce sampling risk is to increase:

  A. confidence interval.
  B. population.
  C. audit sampling training.
  D. sample size.
  D. sample size.

  ---

  Explanation

  Explanation

• Question 545:

  Which of the following is a benefit of the DevOps development methodology?

  A. It leads to a well-defined system development life cycle (SDLC)
  B. It enforces segregation of duties between code developers and release migrators.
  C. It enables increased frequency of software releases to production.
  D. It restricts software releases to a fixed release schedule
  A. It leads to a well-defined system development life cycle (SDLC)

  ---

  Explanation

• Question 546:

  Which of the following is MOST appropriate for measuring a batch processing application's system performance over time?

  A. System utilization
  B. Idle time
  C. Throughput
  D. Uptime
  C. Throughput

  ---

  Explanation

• Question 547:

  Which of the following is the PRIMARY reason to follow a configuration management process to maintain application?

  A. To optimize system resources
  B. To follow system hardening standards
  C. To optimize asset management workflows
  D. To ensure proper change control
  D. To ensure proper change control

  ---

  Explanation

  Following a configuration management process to maintain applications is the primary reason for ensuring proper change control. Configuration management is a process of identifying, documenting, controlling, and verifying the configuration items and their interrelationships within an IT system or environment. Following a configuration management process can help to ensure that any changes to the applications are authorized, tested, documented, and tracked throughout their lifecycle. This will help to prevent unauthorized or improper changes that could affect the functionality, performance, or security of the applications. The other options are not the primary reasons for following a configuration management process, but rather possible benefits or outcomes of doing so.

  References: CISA Review Manual (Digital Version), Chapter 4, Section 4.3.31 CISA Review Questions, Answers and Explanations Database, Question ID 225

• Question 548:

  An organization is disposing of a system containing sensitive data and has deleted all files from the hard disk. An IS auditor should be concerned because:

  A. deleted data cannot easily be retrieved.
  B. deleting the files logically does not overwrite the files' physical data.
  C. backup copies of files were not deleted as well.
  D. deleting all files separately is not as efficient as formatting the hard disk.
  B. deleting the files logically does not overwrite the files' physical data.

  ---

  Explanation

  An IS auditor should be concerned because deleting the files logically does not overwrite the files' physical data. Deleting a file from a hard disk only removes the reference or pointer to the file from the file system, but does not erase the actual data stored on the disk sectors. The deleted data can still be recovered using special tools or techniques until it is overwritten by new data. This poses a risk of data leakage, theft, or misuse if the hard disk falls into the wrong hands. To securely dispose of a system containing sensitive data, the hard disk should be wiped or sanitized using methods that overwrite or destroy the physical data beyond recovery.

  References: CISA Review Manual (Digital Version) CISA Questions, Answers and Explanations Database

• Question 549:

  Which of the following should be the GREATEST concern to an IS auditor reviewing an organization's job scheduling practices?

  A. Most jobs are run manually.
  B. Jobs are executed during working hours.
  C. Job dependencies are undefined.
  D. Job processing procedures are missing.
  C. Job dependencies are undefined.

  ---

  Explanation

• Question 550:

  When a firewall is subjected to a probing attack, the MOST appropriate first response is for the firewall to:

  A. alert the administrator.
  B. break the Internet connection.
  C. drop the packet
  D. reject the packet.
  C. drop the packet

  ---

  Explanation