Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 721:

  What is the MOST effective way to manage contractors' access to a data center?

  A. Badge identification worn by visitors
  B. Escort requirement for visitor access
  C. Management approval of visitor access
  D. Verification of visitor identification
  B. Escort requirement for visitor access

  ---

  Explanation

• Question 722:

  An IS auditor is reviewing the perimeter security design of a network. Which of the following provides the GREATEST assurance outgoing Internet traffic is controlled?

  A. Intrusion detection system (IDS)
  B. Security information and event management (SIEM) system
  C. Stateful firewall
  D. Load balancer
  C. Stateful firewall

  ---

  Explanation

  A stateful firewall provides the greatest assurance that outgoing Internet traffic is controlled, as it monitors and filters packets based on their source, destination and connection state. A stateful firewall can prevent unauthorized or malicious traffic from leaving the network, as well as block incoming traffic that does not match an established connection. An intrusion detection system (IDS) can detect and alert on suspicious or anomalous traffic, but it does not block or control it. A security information and event management (SIEM) system can collect and analyze logs and events from various sources, but it does not directly control traffic. A load balancer can distribute traffic among multiple servers, but it does not filter or monitor it.

  References: CISA Review Manual (Digital Version), Chapter 6, Section 6.2

• Question 723:

  Which of the following is the PRIMARY benefit of monitoring IT operational logs?

  A. Detecting processing errors in a timely manner
  B. Identifying configuration flaws in operating systems
  C. Managing the usability and capacity of IT resources
  D. Generating exception reports to assess security compliance
  A. Detecting processing errors in a timely manner

  ---

  Explanation

• Question 724:

  An IS auditor is assigned to review the development of a specific application. Which of the following would be the MOST significant step following the feasibility study?

  A. Attend project progress meetings to monitor timely implementation of the application.
  B. Assist users in the design of proper acceptance-testing procedures.
  C. Follow up with project sponsor for project's budgets and actual costs.
  D. Review functional design to determine that appropriate controls are planned.
  D. Review functional design to determine that appropriate controls are planned.

  ---

  Explanation

• Question 725:

  Which of the following BEST enables a benefits realization process for a system development project?

  A. Metrics for the project have been selected before the project begins.
  B. Project budget includes costs to execute the project and costs associated with the solution.
  C. Estimates of business benefits are backed by similar previously completed projects.
  D. Metrics are evaluated immediately after the project has been implemented.
  A. Metrics for the project have been selected before the project begins.

  ---

  Explanation

  A benefits realization process is a systematic way of identifying, defining, planning, tracking and realizing the benefits from a project or program. Benefits are the measurable improvements that result from the delivery of project outputs and outcomes. Benefits realization management (BRM) is the practice of ensuring that benefits are derived from outputs and outcomes. One of the best practices for BRM is to select metrics for the project before it begins. Metrics are the indicators that measure the performance and value of the project and its benefits. By selecting metrics in advance, the project team can align the project objectives with the expected benefits, establish a baseline for comparison, and monitor and evaluate the progress and results of the project. Metrics also help to communicate the value of the project to stakeholders and justify the investment. The other options are not as effective as selecting metrics before the project begins. Project budget is an important factor for BRM, but it does not enable the benefits realization process by itself. It only reflects the costs of executing the project and delivering the solution, not the benefits or value that are expected from them. Estimates of business benefits are useful for planning and forecasting, but they are not sufficient for BRM. They need to be validated by actual data and evidence from similar projects or other sources. Metrics are evaluated after the project has been implemented, but this is only one part of the benefits realization process. BRM requires continuous monitoring and evaluation throughout the project life cycle and beyond, to ensure that benefits are sustained and optimized.

  References: ISACA, CISA Review Manual, 27th Edition, 2019, p. 3261 PMI, Benefits Realization Management: A Practice Guide, 20192 APM, What is benefits management and project success?, 20213

• Question 726:

  An IS auditor learns that a business owner violated the organization's security policy by creating a web page with access to production data. The auditor's NEXT step should be to:

  A. determine if sufficient access controls exist.
  B. assess the sensitivity of the production data.
  C. shut down the web page.
  D. escalate to senior management.
  D. escalate to senior management.

  ---

  Explanation

• Question 727:

  When planning an audit, it is acceptable for an IS auditor to rely on a third-party provider's external audit report on service level management when the

  A. scope and methodology meet audit requirements
  B. service provider is independently certified and accredited
  C. report confirms that service levels were not violated
  D. report was released within the last 12 months
  A. scope and methodology meet audit requirements

  ---

  Explanation

  It is acceptable for an IS auditor to rely on a third-party provider's external audit report on service level management when the scope and methodology meet audit requirements. This means that the external audit report covers the same objectives, criteria, standards and procedures that the IS auditor would use to assess the service level management. This way, the IS auditor can avoid duplication of work and reduce audit costs and efforts. The service provider's certification and accreditation, the report's confirmation of service levels and the report's release date are not sufficient to justify reliance on the external audit report.

  References: CISA Review Manual (Digital Version) , Chapter 2, Section 2.3.3.

• Question 728:

  A firewall between internal network segments improves security and reduces risk by:

  A. Jogging all packets passing through network segments
  B. inspecting all traffic flowing between network segments and applying security policies
  C. monitoring and reporting on sessions between network participants
  D. ensuring all connecting systems have appropriate security controls enabled.
  B. inspecting all traffic flowing between network segments and applying security policies

  ---

  Explanation

  A firewall between internal network segments improves security and reduces risk by inspecting all traffic flowing between network segments and applying security policies. This will prevent unauthorized or malicious access, data leakage, or network attacks from compromising the network resources or data. Logging all packets passing through network segments may provide audit trails and evidence, but not prevent or mitigate security incidents. Monitoring and reporting on sessions between network participants may help to identify anomalous or suspicious activities, but not block or filter them. Ensuring all connecting systems have appropriate security controls enabled may enhance the overall network security posture, but not isolate or segregate different network segments.

  References: Info Technology and Systems Resources | COBIT, Risk, Governance ... - ISACA, section "Book COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution | Digital | English"

• Question 729:

  Which of the following is MOST important for an IS auditor to consider when evaluating a Software as a Service (SaaS) arrangement?

  A. Total cost of ownership
  B. Frequency of software updates
  C. Physical security
  D. Software availability
  D. Software availability

  ---

  Explanation

• Question 730:

  During a review of an organization's network threat response process, the IS auditor noticed that the majority of alerts were closed without resolution. Management responded that those alerts were unworkable due to lack of actionable intelligence, and therefore the support team is allowed to close them. What is the BEST way for the auditor to address this situation?

  A. Further review closed unactioned alerts to identify mishandling of threats.
  B. Omit the finding from the report as this practice is in compliance with the current policy.
  C. Recommend that management enhance the policy and improve threat awareness training.
  D. Reopen unactioned alerts and report to the audit committee.
  A. Further review closed unactioned alerts to identify mishandling of threats.

  ---

  Explanation