Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 691:

  During an audit, the client learns that the IS auditor has recently completed a similar security review at a competitor. The client inquires about the competitor's audit results. What is the BEST way for the auditor to address this inquiry?

  A. Explain that it would be inappropriate to discuss the results of another audit client.
  B. Escalate the question to the audit manager for further action.
  C. Discuss the results of the audit omitting specifics related to names and products.
  D. Obtain permission from the competitor to use the audit results as examples for future clients.
  A. Explain that it would be inappropriate to discuss the results of another audit client.

  ---

  Explanation

• Question 692:

  Which of the following BEST demonstrates that IT strategy Is aligned with organizational goals and objectives?

  A. IT strategies are communicated to all Business stakeholders
  B. Organizational strategies are communicated to the chief information officer (CIO).
  C. Business stakeholders are Involved In approving the IT strategy.
  D. The chief information officer (CIO) is involved In approving the organizational strategies
  C. Business stakeholders are Involved In approving the IT strategy.

  ---

  Explanation

  Business stakeholders being involved in approving the IT strategy best demonstrates that IT strategy is aligned with organizational goals and objectives. IT strategy is a plan that defines how IT resources and capabilities will support and enable the achievement of business goals and objectives. Business stakeholders are the individuals or groups who have an interest or influence in the organization's activities and outcomes. By involving business stakeholders in approving the IT strategy, the organization can ensure that the IT strategy reflects and supports the business needs, expectations, and priorities. The other options do not necessarily indicate that IT strategy is aligned with organizational goals and objectives, as they do not involve the participation or feedback of business stakeholders.

  References: CISA Review Manual, 27th Edition, page 97

• Question 693:

  In a large organization, IT deadlines on important projects have been missed because IT resources are not prioritized properly. Which of the following is the BEST recommendation to address this problem?

  A. Revisit the IT strategic plan.
  B. Implement project portfolio management.
  C. Implement an integrated resource management system.
  D. Implement a comprehensive project scorecard.
  B. Implement project portfolio management.

  ---

  Explanation

  The best recommendation to address the problem of missing IT deadlines on important projects because IT resources are not prioritized properly is to implement project portfolio management (PPM). PPM is the process of analyzing and optimizing the costs, resources, technologies, and processes for all the projects and programs within a portfolio. A portfolio is a collection of projects, programs, and processes that are managed together and aligned with the strategic goals and objectives of the organization. PPM can help the organization to: Prioritize the most valuable and relevant projects and programs based on their alignment with the organizational strategy, vision, and mission. Balance the portfolio to ensure that the projects and programs are diversified, feasible, and sustainable, and that they meet the needs and expectations of the stakeholders. Optimize the allocation, utilization, and coordination of IT resources across the portfolio, such as staff, budget, time, equipment, and software. Monitor and control the performance and progress of the projects and programs within the portfolio, and evaluate their outcomes and benefits. By implementing PPM, the organization can improve its IT project delivery and avoid missing deadlines. PPM can also help the organization to increase its efficiency, effectiveness, quality, and value. For more information about PPM, you can refer to the following web search results: Project Portfolio Management (PPM): The Ultimate Guide - ProjectManager A Complete Overview of Project Portfolio Management - Smartsheet PPM 101: What Is Project Portfolio Management?

• Question 694:

  The PRIMARY reason for allocating sufficient time between the "go-live" phase of a new system and conducting a post-implementation review is to:

  A. update project requirements and design documentation
  B. increase availability of system implementation team resources
  C. allow the system to stabilize in production
  D. obtain sign-off on the scope of post-implementation review
  C. allow the system to stabilize in production

  ---

  Explanation

• Question 695:

  Which of the following layer of an enterprise data flow architecture is concerned with transporting information between the various layers?

  A. Data preparation layer
  B. Desktop Access Layer
  C. Application messaging layer
  D. Data access layer
  C. Application messaging layer

  ---

  Explanation

  Application messaging layer ?This layer is concerned with transporting information between the various layers. In addition to business data, this layer encompasses generation, storage and targeted communication of control messages.

  For CISA exam you should know below information about business intelligence:

  Business intelligence(BI) is a broad field of IT encompasses the collection and analysis of information to assist decision making and assess organizational performance. To deliver effective BI, organizations need to design and implement a

  data architecture. The complete data architecture consists of two components

  The enterprise data flow architecture (EDFA)

  A logical data architecture

  Various layers/components of this data flow architecture are as follows:

  Presentation/desktop access layer ?This is where end users directly deal with information. This layer includes familiar desktop tools such as spreadsheets, direct querying tools, reporting and analysis suits offered by vendors such as Congas

  and business objects, and purpose built application such as balanced source cards and digital dashboards.

  Data Source Layer ?Enterprise information derives from number of sources:

  Operational data ?Data captured and maintained by an organization's existing systems, and usually held in system-specific database or flat files. External Data ?Data provided to an organization by external sources. This could include data

  such as customer demographic and market share information.

  Nonoperational data ?Information needed by end user that is not currently maintained in a computer accessible format.

  Core data warehouse ?This is where all the data of interest to an organization is captured and organized to assist reporting and analysis. DWs are normally instituted as large relational databases. A property constituted DW should support

  three basic form of an inquiry.

  Drilling up and drilling down ?Using dimension of interest to the business, it should be possible to aggregate data as well as drill down. Attributes available at the more granular levels of the warehouse can also be used to refine the analysis.

  Drill across ?Use common attributes to access a cross section of information in the warehouse such as sum sales across all product lines by customer and group of customers according to length of association with the company. Historical

  Analysis ?The warehouse should support this by holding historical, time variant data. An example of historical analysis would be to report monthly store sales and then repeat the analysis using only customer who were preexisting at the start

  of the year in order to separate the effective new customer from the ability to generate repeat business with existing customers.

  Data Mart Layer ?Data mart represents subset of information from the core DW selected and organized to meet the needs of a particular business unit or business line. Data mart can be relational databases or some form on-line analytical

  processing (OLAP) data structure.

  Data Staging and quality layer ?This layer is responsible for data copying, transformation into DW format and quality control. It is particularly important that only reliable data into core DW. This layer needs to be able to deal with problems

  periodically thrown by operational systems such as change to account number format and reuse of old accounts and customer numbers.

  Data Access Layer ?This layer operates to connect the data storage and quality layer with data stores in the data source layer and, in the process, avoiding the need to know to know exactly how these data stores are organized. Technology

  now permits SQL access to data even if it is not stored in a relational database.

  Data Preparation layer ?This layer is concerned with the assembly and preparation of data for loading into data marts. The usual practice is to per-calculate the values that are loaded into OLAP data repositories to increase access speed. Data mining is concern with exploring large volume of data to determine patterns and trends of information. Data mining often identifies patterns that are counterintuitive due to number and complexity of data relationships. Data quality needs to be very high to not corrupt the result.

  Metadata repository layer ?Metadata are data about data. The information held in metadata layer needs to extend beyond data structure names and formats to provide detail on business purpose and context. The metadata layer should be

  comprehensive in scope, covering data as they flow between the various layers, including documenting transformation and validation rules.

  Warehouse Management Layer ?The function of this layer is the scheduling of the tasks necessary to build and maintain the DW and populate data marts. This layer is also involved in administration of security.

  Application messaging layer ?This layer is concerned with transporting information between the various layers. In addition to business data, this layer encompasses generation, storage and targeted communication of control messages.

  Internet/Intranet layer ?This layer is concerned with basic data communication. Included here are browser based user interface and TCP/IP networking.

  Various analysis models used by data architects/ analysis follows:

  Activity or swim-lane diagram ?De-construct business processes.

  Entity relationship diagram ?Depict data entities and how they relate. These data analysis methods obviously play an important part in developing an enterprise data model. However, it is also crucial that knowledgeable business operative is

  involved in the process. This way proper understanding can be obtained of the business purpose and context of the data. This also mitigates the risk of replication of suboptimal data configuration from existing systems and database into DW.

  The following were incorrect answers:

  Desktop access layer or presentation layer is where end users directly deal with information. This layer includes familiar desktop tools such as spreadsheets, direct querying tools, reporting and analysis suits offered by vendors such as

  Congas and business objects, and purpose built application such as balanced source cards and digital dashboards.

  Data preparation layer ?This layer is concerned with the assembly and preparation of data for loading into data marts. The usual practice is to per-calculate the values that are loaded into OLAP data repositories to increase access speed.

  Data access layer ?his layer operates to connect the data storage and quality layer with data stores in the data source layer and, in the process, avoiding the need to know to know exactly how these data stores are organized. Technology

  now permits SQL access to data even if it is not stored in a relational database.

  CISA review manual 2014 Page number 188

• Question 696:

  An IS auditor has been asked to review the integrity of data transfer between two business- critical systems that have not been tested since implementation. Which of the following would provide the MOST useful information to plan an audit?

  A. Quality assurance (QA) testing
  B. System change logs
  C. IT testing policies and procedures
  D. Previous system interface testing records
  D. Previous system interface testing records

  ---

  Explanation

• Question 697:

  When an intrusion into an organization network is deleted, which of the following should be done FIRST?

  A. Block all compromised network nodes.
  B. Contact law enforcement.
  C. Notify senior management.
  D. Identity nodes that have been compromised.
  D. Identity nodes that have been compromised.

  ---

  Explanation

  The first thing that should be done when an intrusion into an organization network is detected is to identify nodes that have been compromised. Identifying nodes that have been compromised is a critical step in responding to an intrusion, as it helps determine the scope, impact, and source of the attack, and enables the implementation of appropriate containment and recovery measures. The other options are not the first things that should be done when an intrusion into an organization network is detected, as they may be premature or ineffective without identifying nodes that have been compromised. Blocking all compromised network nodes is a containment measure that can help isolate and prevent the spread of the attack, but it may not be possible or feasible without identifying nodes that have been compromised. Contacting law enforcement is a reporting measure that can help seek external assistance and comply with legal obligations, but it may not be necessary or appropriate without identifying nodes that have been compromised. Notifying senior management is a communication measure that can help inform and escalate the incident, but it may not be urgent or accurate without identifying nodes that have been compromised.

  References: CISA Review Manual (Digital Version), Chapter 4, Section 4.2.2

• Question 698:

  Which of the following would be the MOST significant finding when reviewing a data backup process?

  A. Recovery testing is not performed.
  B. The data backup process is not documented.
  C. Tapes are not consistently rotated offsite.
  D. The key to the data safe is kept by the backup administrator.
  A. Recovery testing is not performed.

  ---

  Explanation

  Explanation

• Question 699:

  Demonstrated support from which of the following roles in an organization has the MOST influence over information security governance?

  A. Chief information security officer (CISO)
  B. Information security steering committee
  C. Board of directors
  D. Chief information officer (CIO)
  C. Board of directors

  ---

  Explanation

  Information security governance is the subset of enterprise governance that provides strategic direction, ensures that objectives are achieved, manages risk appropriately, uses organizational resources responsibly, and monitors the success or failure of the enterprise security program. Information security governance is essential for ensuring that an organization's information assets are protected from internal and external threats, and that the organization complies with relevant laws and standards. Demonstrated support from which of the following roles in an organization has the most influence over information security governance? The answer is C, the board of directors. The board of directors is the highest governing body of an organization, responsible for overseeing its strategic direction, performance, and accountability. The board of directors sets the tone at the top for information security governance by: Establishing a clear vision, mission, and values for information security Approving and reviewing information security policies and standards Allocating sufficient resources and budget for information security Appointing and empowering a chief information security officer (CISO) or equivalent role Holding management accountable for information security performance and compliance Communicating and promoting information security awareness and culture The board of directors has the most influence over information security governance because it has the ultimate authority and responsibility for ensuring that information security is aligned with the organization's business objectives, risks, and stakeholder expectations.

  References:

  10: What is Information Security Governance? -- RiskOptics - Reciprocity

  11: Information Security Governance and Risk Management | Moss Adams

  12: ISO/IEC 27014:2020 - Information security, cybersecurity and privacy ...

• Question 700:

  Which of the following is the BEST preventive control to protect the confidentiality of data on a corporate smartphone in the event it is lost?

  A. Biometric authentication for the device
  B. Remote data wipe program
  C. Encryption of the data stored on the device
  D. Password for device authentication
  C. Encryption of the data stored on the device

  ---

  Explanation