Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 581:

  Which of the following is the BEST source of organizational direction on when to use cloud services?

  A. Enterprise architecture (EA)
  B. Business continuity plans (BCPs)
  C. Availability requirements
  D. Cloud regulations
  A. Enterprise architecture (EA)

  ---

  Explanation

  Explanation

• Question 582:

  Which of the following is the BEST preventive control to ensure the integrity of server operating systems?

  A. Monitoring server performance
  B. Protecting the server in a secure data center
  C. Logging all activity on the server
  D. Hardening the server configurations
  D. Hardening the server configurations

  ---

  Explanation

• Question 583:

  When an IS audit reveals that a firewall was unable to recognize a number of attack attempts, the auditor's BEST recommendation is to place an intrusion detection system (IDS) between the firewall and:

  A. the organization's network.
  B. the demilitarized zone (DMZ).
  C. the Internet.
  D. the organization's web server.
  C. the Internet.

  ---

  Explanation

• Question 584:

  An IS auditor is performing a follow-up audit and notes that some critical deficiencies have not been addressed. The auditor's BEST course of action is to:

  A. document management's reasons for not addressing deficiencies.
  B. postpone the audit until the deficiencies are addressed.
  C. assess the impact of not addressing deficiencies.
  D. provide new recommendations.
  C. assess the impact of not addressing deficiencies.

  ---

  Explanation

  Explanation

• Question 585:

  An IS auditor finds a segregation of duties issue in an enterprise resource planning (ERP) system. Which of the following is the BEST way to prevent the misconfiguration from recurring?

  A. Monitoring access rights on a regular basis
  B. Referencing a standard user-access matrix
  C. Granting user access using a role-based model
  D. Correcting the segregation of duties conflicts
  C. Granting user access using a role-based model

  ---

  Explanation

  The best way to prevent the misconfiguration from recurring is to grant user access using a role-based model. A role-based access control (RBAC) model is an access control method that assigns permissions to end-users based on their role within the organization1. RBAC provides fine-grained control, offering a simple, manageable approach to access management that is less error-prone than individually assigning permissions1. RBAC also enforces the principle of least privilege, which means that users only have the minimum access required to perform their tasks2. A role-based model can help prevent segregation of duties (SoD) issues in an ERP system by restricting user access to conflicting activities within the application. SoD is a central issue for enterprises to ensure compliance with laws and regulations, and to reduce the risk of fraud and unauthorized transactions3. SoD requires that no single individual or group of individuals should have control over two or more parts of a process or an asset3. For example, a user who can create and approve purchase orders should not be able to process payments or modify vendor records. By using a role-based model, user access provisioning is based on the needs of a group (e.g., accounting department) based on common responsibilities and needs1. This means each role has a given set of permissions, and individuals can be assigned to one or more roles. For example, you may designate a user as an accounts payable clerk, an accounts receivable clerk, or a financial manager, and limit access to specific resources or tasks. The user-role and role-permissions relationships make it easy to perform role assignment because individual users no longer have unique access rights, rather they have privileges that conform to the permissions assigned to their specific role or job function1. The other options are not the best way to prevent the misconfiguration from recurring. Monitoring access rights on a regular basis (option A) is a detective control that can help identify SoD issues after they occur, but it does not prevent them from happening in the first place. Referencing a standard user-access matrix (option B) is a tool that can help document and analyze user access rights, but it does not ensure that the user access rights are configured correctly or consistently. Correcting the segregation of duties conflicts (option D) is a corrective action that can resolve SoD issues once they are detected, but it does not prevent them from happening again.

  References: 3: Implementing Segregation of Duties: A Practical Experience Based on Best Practices 1: What is Role-Based Access Control (RBAC)? Examples, Benefits, and More 2: What is Azure role-based access control (Azure RBAC)?

• Question 586:

  Which of the following statement INCORRECTLY describes the traditional audit approach in comparison to the Control self-assessment approach?

  A. In traditional approach, Staffs at all level, in all functions, are the primary control analyst.
  B. Traditional approach assigns duties/supervises staff
  C. Traditional approach is a policy driven approach
  D. Traditional approach requires limited employee participations.
  A. In traditional approach, Staffs at all level, in all functions, are the primary control analyst.

  ---

  Explanation

  The keyword INCORRECTLY is used in the question. You need to find out an option which incorrectly describes the traditional approach.

  For your exam you should know the information below about control self-assessment and traditional approach:

  The traditional approach can be summarized as any approach in which the primary responsibility for analyzing and reporting on internal control and risk is assigned to auditor and to lesser extent, controller department and outside consultants.

  Control self-assessment is an assessment of controls made by the staff and management of the unit or units involved. It is a management technique that assures stakeholders, customers and other parties that the internal controls of the

  organization are reliable.

  Benefits of CSA

  Early detection of risk

  More efficient and improved internal controls

  Creation of cohesive teams through employee involvement

  Developing a sense of ownership of the controls in the employees and process owners, and reducing their resistance to control improvement initiatives Increased employee awareness of organizational objectives, and knowledge of risk and

  internal controls

  Highly motivated employees

  Improved audit training process

  Reduction in control cost

  Assurance provided to stakeholders and customers

  Traditional and CSA attributes

  Traditional Historical CSA

  Assign duties/supervises staff Empowered/accountable employees

  Policy/rule driven Continuous improvement/learning curve

  Limited employee participation Extensive employee participation and training

  Narrow stakeholders focus Broad stakeholders focus

  Auditors and other specialist Staff at all level, in all functions, are the primary control analysts

  The following answers are incorrect:

  The other options specified are correctly describes about traditional approach.

  CISA review manual 2014 page number 61, 62 and 63

• Question 587:

  An IS auditor will be testing accounts payable controls by performing data analytics on the entire population of transactions. Which of the following is MOST important for the auditor to confirm when sourcing the population data?

  A. The data is taken directly from the system.
  B. There is no privacy information in the data.
  C. The data can be obtained in a timely manner.
  D. The data analysis tools have been recently updated.
  A. The data is taken directly from the system.

  ---

  Explanation

  The most important thing for the auditor to confirm when sourcing the population data for testing accounts payable controls by performing data analytics is that the data is taken directly from the system. Taking the data directly from the system can help ensure that the data is authentic, complete, and accurate, and that it has not been manipulated or modified by any intermediary sources or processes. The other options are not as important as taking the data directly from the system, as they do not affect the validity or reliability of the data. There is no privacy information in the data is a privacy concern that can help protect the confidentiality and integrity of personal or sensitive data, but it does not affect the accuracy or completeness of the data. The data can be obtained in a timely manner is a logistical concern that can help facilitate the efficiency and effectiveness of the data analytics process, but it does not affect the authenticity or accuracy of the data. The data analysis tools have been recently updated is a technical concern that can help enhance the functionality and performance of the data analytics tools, but it does not affect the validity or reliability of the data.

  References: CISA Review Manual (Digital Version), Chapter 3, Section 3.2

• Question 588:

  Which of the following security measures will reduce the risk of propagation when a cyberattack occurs?

  A. Perimeter firewall
  B. Data loss prevention (DLP) system
  C. Web application firewall
  D. Network segmentation
  D. Network segmentation

  ---

  Explanation

  Network segmentation is the best security measure to reduce the risk of propagation when a cyberattack occurs, because it divides the network into smaller subnetworks that are isolated from each other and have different access controls and security policies. This limits the spread of malicious traffic and prevents attackers from accessing sensitive data or systems in other segments. A perimeter firewall, a data loss prevention (DLP) system, and a web application firewall are also useful security measures, but they do not prevent propagation within the network as effectively as network segmentation does.

  References: CISA Review Manual (Digital Version)1, Chapter 5, Section 5.2.3

• Question 589:

  Which of the following is the GREATEST advantage of utilizing guest operating systems m a virtual environment?

  A. They can be logged into and monitored from any location.
  B. They prevent access to the greater environment via Transmission Control Protocol/Internet Protocol (TCP/IP).
  C. They are easier to containerize with minimal impact to the rest of the environment .
  D. They can be wiped quickly in the event of a security breach.
  C. They are easier to containerize with minimal impact to the rest of the environment .

  ---

  Explanation

• Question 590:

  An IS auditor finds a user account where privileged access is not appropriate for the user's role. Which of the following would provide the BEST evidence to determine whether the risk of this access has been exploited?

  A. Activity log for the account
  B. Interview with the user's manager
  C. Last logon date for the account
  D. Documented approval for the account
  A. Activity log for the account

  ---

  Explanation