Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 711:

  Which of the following is MOST important for the successful establishment of a security vulnerability management program?

  A. A robust tabletop exercise plan
  B. A comprehensive asset inventory
  C. A tested incident response plan
  D. An approved patching policy
  B. A comprehensive asset inventory

  ---

  Explanation

  A comprehensive asset inventory is the most important factor for the successful establishment of a security vulnerability management program. A security vulnerability management program is a systematic process of identifying, assessing, prioritizing, and remediating vulnerabilities in the organization's IT environment1. A comprehensive asset inventory is a complete and accurate record of all the hardware, software, and network components that the organization owns or uses2. A comprehensive asset inventory helps the organization to: Know what assets are in scope for vulnerability scanning and assessment3. Identify the vulnerabilities that affect each asset and their severity level4. Prioritize the remediation of vulnerabilities based on the criticality and value of each asset. Track the status and progress of vulnerability remediation for each asset. Measure the effectiveness and maturity of the vulnerability management program. A robust tabletop exercise plan is a simulated scenario that tests the organization's preparedness and response capabilities for a potential cyberattack or incident. A tabletop exercise plan is useful for validating and improving the organization's incident response plan, but it is not essential for establishing a security vulnerability management program. A tested incident response plan is a documented process that defines the roles, responsibilities, and actions of the organization's personnel in the event of a cyberattack or incident. A tested incident response plan is important for minimizing the impact and restoring normal operations after a security breach, but it is not critical for establishing a security vulnerability management program. An approved patching policy is a set of rules and guidelines that governs how the organization applies patches and updates to its IT systems and applications. An approved patching policy is a key component of the remediation phase of the vulnerability management program, but it is not sufficient for establishing a security vulnerability management program.

• Question 712:

  A KEY benefit of integrated auditing is that it:

  A. Facilitates the business in reviewing its control environment.
  B. Enables continuous auditing and monitoring.
  C. Improves the review of audit work by team leaders.
  D. Combines skill sets from operational, functional, and IS auditors.
  D. Combines skill sets from operational, functional, and IS auditors.

  ---

  Explanation

  Explanation

• Question 713:

  Which of the following is MOST important to the effectiveness of smoke detectors installed in a data processing facility?

  A. Detectors trigger audible alarms when activated.
  B. Detectors have the correct industry certification.
  C. Detectors are linked to dry pipe fire suppression systems.
  D. Detectors are linked to wet pipe fire suppression systems.
  A. Detectors trigger audible alarms when activated.

  ---

  Explanation

• Question 714:

  Which of the following is a threat to IS auditor independence?

  A. Internal auditors share the audit plan and control test plans with management prior to audit commencement.
  B. Internal auditors design remediation plans to address control gaps identified by internal audit.
  C. Internal auditors attend IT steering committee meetings.
  D. Internal auditors recommend appropriate controls for systems in development.
  B. Internal auditors design remediation plans to address control gaps identified by internal audit.

  ---

  Explanation

• Question 715:

  Which of the following is the MOST effective data loss control when connecting a personally owned mobile device to the corporate email system?

  A. A senior manager must approve each new connection.
  B. Email synchronization must be prevented when connected to a public Wi-Fi hotspot.
  C. Email must be stored in an encrypted format on the mobile device.
  D. Users must agree to allow the mobile device to be wiped if it is lost.
  C. Email must be stored in an encrypted format on the mobile device.

  ---

  Explanation

• Question 716:

  Which of the following should be an IS auditor's GREATEST consideration when scheduling follow-up activities for agreed-upon management responses to remediate audit observations?

  A. Business interruption due to remediation
  B. IT budgeting constraints
  C. Availability of responsible IT personnel
  D. Risk rating of original findings
  D. Risk rating of original findings

  ---

  Explanation

  The most important consideration for an IS auditor when scheduling follow- up activities for agreed-upon management responses to remediate audit observations is the risk rating of original findings. The risk rating of original findings is an assessment of the potential impact or likelihood of an audit issue or observation on the organization's objectives, operations, or reputation. The risk rating of original findings can help determine the priority and urgency of follow-up activities for agreed-upon management responses to remediate audit observations by ensuring that high-risk issues are addressed first and more frequently than low-risk issues. The other options are not as important as the risk rating of original findings in scheduling follow-up activities for agreed-upon management responses to remediate audit observations, as they do not reflect the significance or severity of audit issues or observations. Business interruption due to remediation is a possible consequence of implementing corrective actions to address audit issues or observations, but it does not indicate the priority or urgency of follow-up activities. IT budgeting constraints is a possible factor that may affect the availability or feasibility of resources for implementing corrective actions to address audit issues or observations, but it does not indicate the priority or urgency of follow-up activities. Availability of responsible IT personnel is a possible factor that may affect the accountability or responsiveness of staff for implementing corrective actions to address audit issues or observations, but it does not indicate the priority or urgency of follow-up activities.

  References: CISA Review Manual (Digital Version), Chapter 2, Section 2.4

• Question 717:

  One advantage of managing an entire collection of projects as a portfolio is that it highlights the need to:

  A. Inform users about all ongoing projects.
  B. Manage the quality of each project.
  C. Identify dependencies between projects.
  D. Manage the risk of each individual project.
  C. Identify dependencies between projects.

  ---

  Explanation

  Managing projects as a portfolio allows an organization to oversee and coordinate multiple projects collectively. This approach provides a holistic view, enabling the identification of interdependencies among projects. Recognizing these

  dependencies is crucial for resource allocation, scheduling, and achieving strategic objectives. While informing users, managing quality, and addressing individual project risks are important, they are typically handled within the scope of each

  project. The unique advantage of portfolio management lies in its ability to identify and manage relationships and dependencies across multiple projects, ensuring that the portfolio aligns with the organization's strategic goals.

  References:

  ISACA CISA Review Manual, 28th Edition, Chapter 3: Information Systems Acquisition, Development, and Implementation.

• Question 718:

  Which of the following is the BEST indication that there are potential problems within an organization's IT service desk function?

  A. Undocumented operating procedures
  B. Lack of segregation of duties
  C. An excessive backlog of user requests
  D. Lack of key performance indicators (KPIs)
  C. An excessive backlog of user requests

  ---

  Explanation

  An IT service desk is a function that provides technical support and assistance to the users of an organization's IT systems and services. An IT service desk typically handles issues such as software installation, hardware troubleshooting, network connectivity, password reset, system configuration, and user training. An IT service desk aims to ensure that the IT systems and services are available, reliable, secure, and efficient for the users. One of the best indications that there are potential problems within an organization's IT service desk function is an excessive backlog of user requests. A backlog is a list of user requests that have not been resolved or completed by the IT service desk within a specified time frame. An excessive backlog means that the IT service desk is unable to meet the demand or expectations of the users, and that the users are experiencing delays, dissatisfaction, or frustration with the IT service desk. An excessive backlog of user requests can indicate various problems within the IT service desk function, such as: Insufficient staff, resources, or capacity to handle the volume or complexity of user requests Ineffective processes, procedures, or tools for managing, prioritizing, or resolving user requests Lack of skills, knowledge, or training among the IT service desk staff to deal with different types of user requests Poor communication, collaboration, or coordination among the IT service desk staff or with other IT functions or stakeholders Low quality, performance, or security of the IT systems or services that cause frequent or recurring user issues

  Therefore, an excessive backlog of user requests is the best indication that there are potential problems within an organization's IT service desk function.

  References:

  What is an IT Service Desk? Definition and Functions - Indeed The Most Common IT Help Desk Issues - SherpaDesk Common IT Help Desk Problems and Solutions - E-Pulse Blog

• Question 719:

  Which of the following IT service monitoring tools is MOST effective in identifying abnormal system events?

  A. System network and administrative logs
  B. System exception and deviation reports
  C. Operator problem reports
  D. Operator work schedules
  B. System exception and deviation reports

  ---

  Explanation

  Explanation

• Question 720:

  Identify the correct sequence of Business Process Reengineering (BPR) application steps from the given choices below?

  A. Envision, Initiate, Diagnose, Redesign, Reconstruct and Evaluate
  B. Initiate, Envision, Diagnose, Redesign, Reconstruct and Evaluate
  C. Envision, Diagnose, Initiate, Redesign, Reconstruct and Evaluate
  D. Evaluate, Envision, Initiate, Diagnose, Redesign, Reconstruct
  A. Envision, Initiate, Diagnose, Redesign, Reconstruct and Evaluate

  ---

  Explanation

  The correct sequence of BRP application step is Envision, Initiate, Diagnose, Redesign, Reconstruct and Evaluate.

  For your exam you should know the information below:

  Overview of Business Process Reengineering

  One of the principles in business that remains constant is the need to improve your processes and procedures. Most trade magazines today contain discussions of the detailed planning necessary for implementing change in an organization.

  The concept of change must be accepted as a fundamental principle. Terms such as business evolution and continuous improvement ricochet around the room in business meetings. It's a fact that organizations which fail to change are

  destined to perish.

  As a CISA, you must be prepared to investigate whether process changes within the organization are accounted for with proper documentation. All internal control frameworks require that management be held responsible for safeguarding all

  the assets belonging to their organization. Management is also responsible for increasing revenue.

  BPR Application Steps

  ISACA cites six basic steps in their general approach to BPR. These six steps are simply an extension of Stewart's Plan-Do-Check-Act model for managing projects:

  Envision -Visualize a need (envision). Develop an estimate of the ROI created by the proposed change. Elaborate on the benefit with a preliminary project plan to gain sponsorship from the organization. The plan should define the areas to be

  reviewed and clarify the desired result at the end of the project (aka end state objective). The deliverables of the envision phase include the following:

  Project champion working with the steering committee to gain top management approval

  Brief description of project scope, goals, and objectives description of the specific deliverables from this project with a preliminary charter to evidence management's approval, the project may proceed into the initiation phase.

  Initiate -This phase involves setting BPR goals with the sponsor. Focus on planning the collection of detailed evidence necessary to build the subsequent BPR plan for redesigning the process. Deliverables in the initiation phase include the

  following:

  Identifying internal and external requirements (project specifications)

  Business case explaining why this project makes sense (justification) and the estimated return on investment compared to the total cost (net ROI) Formal project plan with budget, schedule, staffing plan, procurement plan, deliverables, and

  project risk analysis

  Level of authority the BPR project manager will hold and the composition of any support committee or task force that will be required From the profit and loss (PandL) statement, identify the item line number that money will be debited from to

  pay for this project and identify the specific PandL line number that the financial return will later appear under (to provide strict monitoring of the ROI performance) Formal project charter signed by the sponsors

  It's important to realize that some BPR projects will proceed to their planned conclusion and others may be halted because of insufficient evidence. After a plan is formally approved, the BPR project may proceed to the diagnostic phase.

  Diagnose Document existing processes. Now it's time to see what is working and identify the source of each requirement. Each process step is reviewed to calculate the value it creates. The goal of the diagnostic phase is to gain a better

  understanding of existing processes. The data collected in the diagnostic phase forms the basis of all planning decisions:

  Detailed documentation of the existing process

  Performance measurement of individual steps in the process

  Evidence of specific process steps that add customer value

  Identification of process steps that don't add value

  Definition of attributes that create value and quality

  Put in the extra effort to do a good job of collecting and analyzing the evidence. All future assumptions will be based on evidence from the diagnostic phase.

  Redesign- Using the evidence from the diagnostic phase, it's time to develop the new process.

  This will take several planning iterations to ensure that the strategic objectives are met. The formal redesign plans will be reviewed by sponsors and stakeholders. A final plan will be presented to the steering committee for approval. Here's an

  example of deliverables from the redesign phase.

  Comparison of the envisioned objective to actual specifications

  Analysis of alternatives (AoA)

  Prototyping and testing of the redesigned process

  Formal documentation of the final design

  The project will need formal approval to proceed into the reconstruction phase. Otherwise, the redesign is halted pending further scrutiny while comparing the proposed design with available evidence. Insufficient evidence warrants halting the

  project.

  Reconstruct With formal approval received, it's time to begin the implementation phase.

  The current processes are deconstructed and reassembled according to the plan. Reconstruction may be in the form of a parallel process, modular changes, or complete transition. Each method presents a unique risk and reward opportunity.

  Deliverables from this phase include the following:

  Conversion plan with dependencies in time sequence

  Change control management

  Execution of conversion plan with progress monitoring

  Training of users and support personnel

  Pilot implementation to ensure a smooth migration

  Formal approval by the sponsor.

  The reconstructed process must be formally approved by management to witness their consent for fitness of use. IT governance dictates that executive management shall be held responsible for any failures and receive recognition for

  exceptional results. System performance will be evaluated again after entering production use.

  Evaluate (post evaluation) The reconstructed process is monitored to ensure that it works and is producing the strategic value as forecast in the original justification.

  Comparison of original forecast to actual performance Identification of lessons learned

  Total quality management plan to maintain the new process

  A method of continuous improvement is implemented to track the original goals against actual process performance. Annual reevaluation is needed to adapt new requirements or new opportunities.

  Benchmarking as a BPR Tool

  Benchmarking is the process of comparing performance data (aka metrics). It can be used to evaluate business processes that are under consideration for reengineering. Performance data may be obtained by using a self-assessment or by

  auditing for compliance against a standard (reference standard). Evidence captured during the diagnostic phase is considered the key to identifying areas for performance improvement and documenting obstacles. ISACA offers the following

  general guidelines for performing benchmarks:

  Plan Identify the critical processes and create measurement techniques to grade the processes.

  Research Use information about the process and collect regular data (samples) to build a baseline for comparison. Consider input from your customers and use analogous data from other industries. Observe Gather internal data and external

  data from a benchmark partner to aid the comparison results. Benchmark data can also be compared against published standards. Analyze Look for root cause-effect relationships and other dependencies in the process. Use predefined tools

  and procedures to collate the data collected from all available sources. Adapt Translate the findings into hypotheses of how these findings will help or hurt strategic business goals. Design a pilot test to prove or disprove the hypotheses.

  Improve Implement a prototype of the new processes. Study the impact and note any unexpected results. Revise the process by using controlled change management. Measure the process results again. Use reestablished procedures such

  as total quality management for continuous improvement.

  The following answers are incorrect:

  The other options specified does not represent the correct sequence of BRP application steps.

  CISA review manual 2014 page number 219 to 211

  CISA certified information system auditor study guide Second Edition Page Number 154 to 158