Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 731:

  An IS auditor finds that the process for removing access for terminated employees is not documented What is the MOST significant risk from this observation?

  A. Procedures may not align with best practices
  B. Human resources (HR) records may not match system access.
  C. Unauthorized access cannot he identified.
  D. Access rights may not be removed in a timely manner.
  D. Access rights may not be removed in a timely manner.

  ---

  Explanation

  The most significant risk from this observation is that access rights may not be removed in a timely manner. If the process for removing access for terminated employees is not documented, there is no clear guidance or accountability for who,

  how, when, and what actions should be taken to revoke the access rights of the employees who leave the organization. This could result in delays, inconsistencies, or omissions in removing access rights, which could allow terminated

  employees to retain unauthorized access to the organization's systems and data. This could compromise the security, confidentiality, integrity, and availability of the information assets.

  References:

  CISA Review Manual (Digital Version)

  CISA Questions, Answers and Explanations Database

• Question 732:

  Which of the following is the GREATEST risk associated with hypervisors in virtual environments?

  A. Availability issues
  B. Virtual sprawl
  C. Single point of failure
  D. Lack of patches
  C. Single point of failure

  ---

  Explanation

  A single point of failure is a component or system that, if it fails, will cause the entire system to stop functioning. In virtual environments, the hypervisor is the software layer that enables multiple virtual machines to run on a single physical host.

  If the hypervisor is compromised, corrupted, or unavailable, all the virtual machines running on that host will be affected. This can result in data loss, downtime, or security breaches.

  References:

  ISACA CISA Review Manual, 27th Edition, page 254

  Virtualization: What are the security risks?

  What Is a Hypervisor? (Definition, Types, Risks)

• Question 733:

  Following an unauthorized disclosure of data, an organization needs to implement data loss prevention (DLP) measures. The IS auditor's BEST recommendation should be to:

  A. install DLP software on corporate servers to prevent recurrence.
  B. monitor and block outgoing emails based on common DLP criteria.
  C. restrict removable media access on all computer systems.
  D. establish a risk and control framework.
  D. establish a risk and control framework.

  ---

  Explanation

• Question 734:

  Who provides the funding to the project and works closely with the project manager to define critical success factor (CSF)?

  A. Project Sponsor
  B. Security Officer
  C. User Management
  D. Senior Management
  A. Project Sponsor

  ---

  Explanation

  Project sponsor provides funding for the project and works closely with the project manager to define critical success factor(CSFs) and metrics for measuring the success of the project. It is crucial that success is translated to measurable and

  quantifiable terms. Data and application ownership are assigned to a project sponsor. A project sponsor is typically the senior manager in charge of the primary business unit that the application will support.

  For the CISA exam you should know the information below about roles and responsibilities of groups/individuals that may be involved in the development process are summarized below:

  Senior Management ?Demonstrate commitment to the project and approves the necessary resources to complete the project. This commitment from senior management helps ensure involvement by those needed to complete the project.

  User Management ?Assumes ownership of the project and resulting system, allocates qualified representatives to the team, and actively participates in business process redesign, system requirement definitions, test case development,

  acceptance testing and user training. User management is concerned primarily with the following questions:

  Are the required functions available in the software?

  How reliable is the software?

  How effective is the software?

  Is the software easy to use?

  How easy is to transfer or adapt old data from preexisting software to this environment?

  Is it possible to add new functions?

  Does it meet regulatory requirement?

  Project Steering Committee ?Provides overall directions and ensures appropriate representation of the major stakeholders in the project's outcome. The project steering committee is ultimately responsible for all deliverables, project costs and

  schedules. This committee should be compromised of senior representative from each business area that will be significantly impacted by the proposed new system or system modifications.

  System Development Management ?Provides technical support for hardware and software environment by developing, installing and operating the requested system.

  Project Manager ?Provides day-to-day management and leadership of the project, ensures that project activities remain in line with the overall directions, ensures appropriate representation of the affected departments, ensures that the

  project adheres local standards, ensures that deliverable meet the quality expectation of key stakeholder, resolve interdepartmental conflict, and monitors and controls cost of the project timetables.

  Project Sponsor ?Project sponsor provides funding for the project and works closely with the project manager to define critical success factor(CSFs) and metrics for measuring the success of the project. It is crucial that success is translated

  to measurable and quantifiable terms. Data and application ownership are assigned to a project sponsor. A project sponsor is typically the senior manager in charge of the primary business unit that the application will support.

  System Development Project Team ?Completes assigned tasks, communicates effectively with user by actively involving them in the development process, works according to local standards, and advise the project manager of necessary

  plan deviations.

  User Project Team ?Completes assigned tasks, communicate effectively with the system developers by actively involving themselves in the development process as Subject Matter Expert (SME) and works according to local standards, and

  advise the project manager of expected and actual project deviations.

  Security Officer ?Ensures that system controls and supporting processes provides an effective level of protection, based on the data classification set in accordance with corporate security policies and procedures: consult throughout the life

  cycle on appropriate security measures that should be incorporated into the system.

  Quality Assurance ?Personnel who review result and deliverables within each phase and at the end of each phase, and confirm compliance with requirements. Their objective is to ensure that the quality of the project by measuring adherence of the project staff to the organization's software development life cycle (SDLC), advise on the deviation and propose recommendation for process improvement or greater control points when deviation occur.

  The following were incorrect answers:

  Security Officer ?Ensures that system controls and supporting processes provides an effective level of protection, based on the data classification set in accordance with corporate security policies and procedures: consult throughout the life

  cycle on appropriate security measures that should be incorporated into the system.

  User Management ?Assumes ownership of the project and resulting system, allocates qualified representatives to the team, and actively participates in business process redesign, system requirement definitions, test case development,

  acceptance testing and user training.

  Senior Management ?Demonstrate commitment to the project and approves the necessary resources to complete the project. This commitment from senior management helps ensure involvement by those needed to complete the project.

  CISA review manual 2014 Page number 150

• Question 735:

  Which of the following user actions poses the GREATEST risk for inadvertently introducing malware into a local network?

  A. Uploading a file onto an internal server
  B. Viewing a hypertext markup language (HTML) document
  C. Downloading a file from an enterprise file share
  D. Opening an email attachment from an external account
  D. Opening an email attachment from an external account

  ---

  Explanation

• Question 736:

  Which of the following should an IS auditor recommend as MOST critical to an effective performance improvement process for IT services?

  A. Progress on performance goals is regularly reported to the board.
  B. The performance goals are aligned with a commonly accepted framework.
  C. Root cause analysis of service issues is used to develop performance goals.
  D. Management accepts accountability for achieving performance goals.
  B. The performance goals are aligned with a commonly accepted framework.

  ---

  Explanation

• Question 737:

  An organization is permanently transitioning from onsite to fully remote business operations. When should the existing business impact analysis (BIA) be reviewed?

  A. During the next scheduled review
  B. At least one year after the transition
  C. As soon as the decision about the transition is announced
  D. As soon as the new operating model is in place
  D. As soon as the new operating model is in place

  ---

  Explanation

• Question 738:

  Following a breach, what is the BEST source to determine the maximum amount of time before customers must be notified that their personal information may have been compromised?

  A. Information security policy
  B. Industry standards
  C. Incident response plan
  D. Industry regulations
  D. Industry regulations

  ---

  Explanation

• Question 739:

  Which of the following is the BEST way to detect unauthorized copies of licensed software on systems?

  A. Implement controls to prohibit downloads of unauthorized software.
  B. Conduct periodic software scanning.
  C. Perform periodic counting of licenses.
  D. Require senior management approval when installing licenses.
  B. Conduct periodic software scanning.

  ---

  Explanation

  The best way to detect unauthorized copies of licensed software on systems is to conduct periodic software scanning. Software scanning is a process of using specialized tools or programs to scan the systems and identify the software

  installed, the license status, the usage, and the compliance with the software policies and agreements. Software scanning can help to detect any unauthorized, unlicensed, or illegal copies of software on the systems, as well as any

  discrepancies or violations of the software licenses. Software scanning can also help to optimize the software inventory, reduce the software costs, and improve the security and performance of the systems12. Some examples of software scanning tools are:

  Microsoft Software Inventory Analyzer (MSIA): A free tool that scans Windows- based computers and servers and generates reports on the Microsoft products installed, such as operating systems, applications, and updates3. Belarc Advisor:

  A free tool that scans Windows-based computers and generates reports on the hardware and software installed, including license keys, versions, usage, and security status4. Lansweeper: A paid tool that scans Windows, Linux, Mac, and

  other network devices and generates reports on the hardware and software inventory, license compliance, configuration, and vulnerabilities5. To conduct periodic software scanning, you need to:

  Choose a suitable software scanning tool that meets your needs and budget. Define the scope and frequency of the software scanning, such as which systems to scan, how often to scan, and what information to collect. Configure and run the

  software scanning tool according to the instructions and settings.

  Review and analyze the software scanning reports and identify any unauthorized copies of licensed software on the systems.

  Take appropriate actions to remove or regularize the unauthorized copies of licensed software on the systems.

  Document and report the results and findings of the software scanning.

• Question 740:

  Users are complaining that a newly released enterprise resource planning (ERP) system is functioning too slowly. Which of the following tests during the quality assurance (QA) phase would have identified this concern?

  A. Stress
  B. Regression
  C. Interface
  D. Integration
  A. Stress

  ---

  Explanation

  Stress testing is a type of performance testing that evaluates how a system behaves under extreme load conditions, such as high user traffic, large data volumes, or limited resources. It is useful for identifying potential bottlenecks, errors, or failures that may affect the system's functionality or availability. Stress testing during the quality assurance (QA) phase would have identified the concern of users complaining that a newly released ERP system is functioning too slowly. The other options are not as relevant for this concern, as they relate to different aspects of testing, such as regression testing (verifying that existing functionality is not affected by new changes), interface testing (verifying that the system interacts correctly with other systems or components), or integration testing (verifying that the system works as a whole after combining different modules or units).

  References: CISA Review Manual (Digital Version), Domain 5: Protection of Information Assets, Section 5.4 Testing Techniques1