Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 751:

  Which of the following is an example of a control that is both detective and preventive at the same lime?

  A. A payment order to a sanctioned country is detected in the system before the payment is actually made.
  B. Detective fraud controls performed on past transactions prevent legal action being taken against the organization.
  C. Detection of unauthorized activity in a database prevents further manipulation by the database administrator (DBA).
  D. A misconfiguration of an operating system is detected and future recurrence can successfully be prevented.
  C. Detection of unauthorized activity in a database prevents further manipulation by the database administrator (DBA).

  ---

  Explanation

• Question 752:

  An IS auditor is supporting a forensic investigation. An image of affected storage media has been captured while collecting digital forensic evidence. Which of the following techniques would BEST enable an IS auditor to verify that the captured image is an exact, unchanged replica of the original media?

  A. Hash value
  B. Access control list
  C. File allocation table
  D. Size of the file
  A. Hash value

  ---

  Explanation

• Question 753:

  To mitigate the risk of exposing data through application programming interface (API) queries. which of the following design considerations is MOST important?

  A. Data retention
  B. Data minimization
  C. Data quality
  D. Data integrity
  B. Data minimization

  ---

  Explanation

  The answer B is correct because data minimization is the most important design consideration to mitigate the risk of exposing data through application programming interface (API) queries. An API is a set of rules and protocols that allows different software components or systems to communicate and exchange data. API queries are requests sent by users or applications to an API to retrieve or manipulate data. For example, a user may query an API to get information about a product, a service, or a location. Data minimization is the principle of collecting, processing, and storing only the minimum amount of data that are necessary for a specific purpose. Data minimization can help to reduce the risk of exposing data through API queries by limiting the amount and type of data that are available or accessible through the API. Data minimization can also help to protect the privacy and security of the data subjects and the data providers, as well as to

  comply with the relevant laws and regulations.

  Some of the benefits of data minimization for API design are:

  Privacy: Data minimization can enhance the privacy of the data subjects by ensuring that only the data that are relevant and essential for the API purpose are collected and processed. This can prevent unnecessary or excessive collection or

  disclosure of personal or sensitive data, such as names, addresses, phone numbers, email addresses, etc. Data minimization can also help to comply with the privacy laws and regulations that require data protection by design and by default,

  such as GDPR (General Data Protection Regulation) or CCPA (California Consumer Privacy Act).

  Security: Data minimization can improve the security of the data providers by reducing the attack surface and the potential damage of a data breach. If less data are stored or transmitted through the API, there are fewer opportunities for

  attackers to access or compromise the data. Data minimization can also help to implement security controls such as encryption, access control, or logging more efficiently and effectively. Performance: Data minimization can increase the

  performance of the API by optimizing the use of resources and bandwidth. If less data are stored or transmitted through the API, there are less storage space and network traffic required. Data minimization can also help to improve the speed

  and reliability of the API responses.

  Some of the techniques for data minimization in API design are:

  Define clear and specific purposes for the API and document them in the API specification or documentation.

  Identify and classify the data that are needed for each purpose and assign them appropriate labels or levels, such as public, internal, confidential, or restricted. Implement filters or parameters in the API queries that allow users or applications

  to specify or limit the data fields or attributes they want to retrieve or manipulate. Use pagination or throttling in the API responses that limit the number or size of data items returned per request. Use anonymization or pseudonymization

  techniques that remove or replace any identifying information from the data before sending them through the API. Some examples of web resources that discuss data minimization in API design are:

  Data Minimization in Web APIs - World Wide Web Consortium (W3C) Adding Privacy by Design in Secure Application Development Chung-ju/Data-Minimization: A repository of related papers. - GitHub

• Question 754:

  An IS auditor follows up on a recent security incident and finds the incident response was not adequate. Which of the following findings should be considered MOST critical?

  A. The security weakness facilitating the attack was not identified.
  B. The attack was not automatically blocked by the intrusion detection system (IDS).
  C. The attack could not be traced back to the originating person.
  D. Appropriate response documentation was not maintained.
  A. The security weakness facilitating the attack was not identified.

  ---

  Explanation

  The most critical finding for an IS auditor following up on a recent security incident is that the security weakness facilitating the attack was not identified. This finding indicates that the root cause of the incident was not analyzed, and the vulnerability that allowed the attack to succeed was not remediated. This means that the organization is still exposed to the same or similar attacks in the future, and its security posture has not improved. Identifying and addressing the security weakness is a key step in the incident response process, as it helps to prevent recurrence, mitigate impact, and improve resilience. The other findings are not as critical as the failure to identify the security weakness, but they are still important issues that should be addressed by the organization. The attack was not automatically blocked by the intrusion detection system (IDS) is a finding that suggests that the IDS was not configured properly, or that it did not have the latest signatures or rules to detect and prevent the attack. The attack could not be traced back to the originating person is a finding that implies that the organization did not have sufficient logging, monitoring, or forensic capabilities to identify and attribute the attacker. Appropriate response documentation was not maintained is a finding that indicates that the organization did not follow a consistent and formal incident response procedure, or that it did not document its actions, decisions, and lessons learned from the incident.

  References: ISACA CISA Review Manual 27th Edition (2019), page 254 Incident Response Process - ISACA1 Incident Response: How to Identify and Fix Security Weaknesses

• Question 755:

  A steering committee established to oversee an organization's digital transformation program is MOSTlikely to be involved with which of the following activities?

  A. Preparing project status reports
  B. Designing interface controls
  C. Reviewing escalated project issues
  D. Documenting requirements
  C. Reviewing escalated project issues

  ---

  Explanation

• Question 756:

  When performing a post-implementation review, the adequacy of the data conversion effort would BEST be evaluated by performing a thorough review of the:

  A. functional conversion rules
  B. go-live conversion results.
  C. conversion user acceptance testing (UAT) results.
  D. detailed conversion approach templates
  B. go-live conversion results.

  ---

  Explanation

• Question 757:

  Which of the following should be of GREATEST concern for an IS auditor when reviewing user account policies?

  A. There is no policy to revoke an employee's system access upon termination.
  B. There is no policy in place for ongoing security awareness training.
  C. There is no policy requiring employees to sign nondisclosure agreements (NDAs).
  D. There is no policy to revoke previous access rights when employees change roles.
  A. There is no policy to revoke an employee's system access upon termination.

  ---

  Explanation

  Explanation

  Comprehensive and Detailed Step-by-Step

  Failure torevoke access upon terminationposes the greatest security risk, as ex-employees could still access sensitive data or systems.

  No Policy to Revoke Access (Correct Answer ?A)

  Lack of Security Awareness Training (Incorrect ?B) No NDAs (Incorrect ?C)

  No Access Revocation for Role Changes (Incorrect ?D)

  References:

  ISACA CISA Review Manual

  NIST 800-53 (Access Control)

• Question 758:

  Which of the following is the BEST time for an IS auditor to perform a post-implementation review?

  A. When the system has stabilized.
  B. After the completion of user testing.
  C. Before decommissioning the legacy system.
  D. Immediately after the new system goes into production.
  A. When the system has stabilized.

  ---

  Explanation

• Question 759:

  Which of the following is MOST likely to be detected by an IS auditor applying data analytic techniques?

  A. Potentially fraudulent invoice payments originating within the accounts payable department
  B. Completion of inappropriate cross-border transmission of personally identifiable information (Pll)
  C. Unauthorized salary or benefit changes to the payroll system generated by authorized users
  D. Issues resulting from an unsecured application automatically uploading transactions to the general ledger
  A. Potentially fraudulent invoice payments originating within the accounts payable department

  ---

  Explanation

• Question 760:

  Which of the following should be included in a business impact analysis (BIA)

  A. identification of IT resources that support key business processes
  B. Recovery strategy for significant business interruptions
  C. Support documentation for the recovery alternative
  D. Roles and responsibilities for the business continuity process
  A. identification of IT resources that support key business processes

  ---

  Explanation