Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 761:

  An IS auditor is performing a follow-up audit for findings identified in an organization's user provisioning process Which of the following is the MOST appropriate population to sample from when testing for remediation?

  A. All users provisioned after the finding was originally identified
  B. All users provisioned after management resolved the audit issue
  C. All users provisioned after the final audit report was issued
  D. All users who have followed user provisioning processes provided by management
  C. All users provisioned after the final audit report was issued

  ---

  Explanation

  The most appropriate population to sample from when testing for remediation of findings identified in an organization's user provisioning process is all users provisioned after the final audit report was issued. This is because the final audit report is the official document that communicates the audit findings, recommendations, and action plans to the management and other stakeholders. It also establishes a baseline for measuring the progress and effectiveness of the remediation efforts. Therefore, sampling from the users provisioned after the final audit report was issued would provide the most relevant and reliable evidence of whether the audit issues have been resolved or not. The other options are not as appropriate as option C, as they may not reflect the actual status of the remediation efforts. All users provisioned after the finding was originally identified may include users who were provisioned before the final audit report was issued, which may not capture the full impact of the remediation actions. All users provisioned after management resolved the audit issue may not be accurate, as management's resolution may not be verified or validated by an independent party. All users who have followed user provisioning processes provided by management may not be representative, as there may be exceptions or deviations from the processes that could affect the remediation results.

  References:

  6: What Is User Provisioning? Definition, Process and Best Practices - Spiceworks

  7: What Is User Provisioning? All You Need to Know in One Place - G2

  8: What is User Account Provisioning? - Tools4ever

  9: What Is Provisioning and Deprovisioning? | Okta

• Question 762:

  Which of the following should an IS auditor consider FIRST when evaluating firewall rules?

  A. The organization's security policy
  B. The number of remote nodes
  C. The firewalls' default settings
  D. The physical location of the firewalls
  A. The organization's security policy

  ---

  Explanation

  This should be the first thing that an IS auditor considers when evaluating firewall rules, because it defines the objectives, standards, and guidelines for securing the organization's network and information assets. The firewall rules should be

  aligned with the organization's security policy, and reflect the level of risk and protection required for each type of network traffic, system, or data. The IS auditor should compare the firewall rules with the security policy, and identify any

  discrepancies, gaps, or conflicts that could compromise the security or performance of the network. The other options are not as important as the organization's security policy when evaluating firewall rules:

  The number of remote nodes. This is a factor that may affect the complexity and scalability of the firewall rules, but it is not a primary consideration for the IS auditor. Remote nodes are devices or systems that connect to the network from

  outside locations, such as teleworkers, mobile users, or branch offices. The IS auditor should ensure that the firewall rules provide adequate security and access control for remote nodes, but this depends on the organization's security policy

  and business needs.

  The firewalls' default settings. These are the predefined configurations that come with the firewall devices or software, and that determine how they handle network traffic by default. The IS auditor should review the firewalls' default settings,

  and verify that they are appropriate and secure for the organization's network environment. However, the firewalls' default settings may not match the organization's security policy or specific requirements, and may need to be customized or

  overridden by firewall rules.

  The physical location of the firewalls. This is a factor that may affect the placement and design of the firewall rules, but it is not a critical consideration for the IS auditor. The physical location of the firewalls refers to where they are installed or

  deployed in relation to the network topology, such as at the network perimeter, between network segments, or on individual hosts. The IS auditor should ensure that the firewall rules are consistent and coordinated across different locations,

  but this depends on the organization's security policy and network architecture.

• Question 763:

  The PRIMARY reason to follow up on prior-year audit reports is to determine if

  A. prior-year recommendations have become irrelevant
  B. significant changes to the control environment have occurred
  C. identified control weaknesses have been addressed
  D. inherent risks have changed
  C. identified control weaknesses have been addressed

  ---

  Explanation

• Question 764:

  Which of the following is the BEST control to help ensure that security requirements are considered throughout the life cycle of an agile software development project?

  A. Documenting security control requirements and obtaining internal audit sign off
  B. Including project team members who can provide security expertise
  C. Reverting to traditional waterfall software development life cycle (SDLC) techniques
  D. Requiring the project to go through accreditation before release into production
  B. Including project team members who can provide security expertise

  ---

  Explanation

• Question 765:

  Which of the following concerns is MOST effectively addressed by implementing an IT framework for alignment between IT and business objectives?

  A. Inaccurate business impact analysis (BIA)
  B. Inadequate IT change management practices
  C. Lack of a benchmark analysis
  D. Inadequate IT portfolio management
  D. Inadequate IT portfolio management

  ---

  Explanation

  An IT framework for alignment between IT and business objectives is a set of principles, guidelines, and practices that help an organization to ensure that its IT investments support its strategic goals, deliver value, manage risks, and optimize resources. One of the benefits of implementing such a framework is that it enables an effective IT portfolio management, which is the process of selecting, prioritizing, monitoring, and evaluating the IT projects and services that comprise the IT portfolio. An IT portfolio is a collection of IT assets, such as applications, infrastructure, data, and capabilities, that are aligned with the business needs and objectives. An IT portfolio management helps an organization to achieve the following outcomes: Align the IT portfolio with the business strategy and vision Balance the IT portfolio among different types of investments, such as innovation, growth, maintenance, and compliance Optimize the IT portfolio performance, value, and risk Enhance the IT portfolio decision-making and governance Improve the IT portfolio communication and transparency Therefore, an inadequate IT portfolio management is a major concern that can be addressed by implementing an IT framework for alignment between IT and business objectives. An inadequate IT portfolio management can result in the following issues: Misalignment of the IT portfolio with the business needs and expectations Imbalance of the IT portfolio among competing demands and priorities Suboptimal use of the IT resources and capabilities Lack of visibility and accountability of the IT portfolio outcomes and impacts Poor communication and collaboration among the IT portfolio stakeholders The other possible options are: Inaccurate business impact analysis (BIA): A BIA is a process of identifying and assessing the potential effects of a disruption or disaster on the critical business functions and processes. A BIA helps an organization to determine the recovery priorities, objectives, and strategies for its business continuity plan. A BIA is not directly related to an IT framework for alignment between IT and business objectives, although it may use some inputs from the IT portfolio management. Therefore, an inaccurate BIA is not a concern that can be effectively addressed by implementing an IT framework for alignment between IT and business objectives. Inadequate IT change management practices: IT change management is a process of controlling and managing the changes to the IT environment, such as hardware, software, configuration, or documentation. IT change management helps an organization to minimize the risks and disruptions caused by the changes, ensure the quality and consistency of the changes, and align the changes with the business requirements. IT change management is not directly related to an IT framework for alignment between IT and business objectives, although it may support some aspects of the IT portfolio management. Therefore, inadequate IT change management practices are not a concern that can be effectively addressed by implementing an IT framework for alignment between IT and business objectives. Lack of a benchmark analysis: A benchmark analysis is a process of comparing an organization's performance, processes, or practices with those of other organizations or industry standards. A benchmark analysis helps an organization to identify its strengths and weaknesses, set realistic goals and targets, and implement best practices for improvement. A benchmark analysis is not directly related to an IT framework for alignment between IT and business objectives, although it may provide some insights for the IT portfolio management. Therefore, lack of a benchmark analysis is not a concern that can be effectively addressed by implementing an IT framework for alignment between IT and business objectives.

  References: 1: What is Portfolio Management? | Smartsheet 2: What Is Portfolio Management? - Definition from Techopedia 3: What Is Project Portfolio Management (PPM)? | ProjectManager.com 4: What Is Business Impact Analysis? | Smartsheet 5: What Is Change Management? - Definition from Techopedia 6: Benchmarking - Wikipedia

• Question 766:

  An organization plans to centrally decommission end-of-life databases and migrate the data to the latest model of hardware. Which of the following BEST ensures data integrity is preserved during the migration?

  A. Reconciling sample data to most recent backups
  B. Obfuscating confidential data
  C. Encrypting the data
  D. Comparing checksums
  D. Comparing checksums

  ---

  Explanation

• Question 767:

  Which of the following should be the PRIMARY focus for any network design that deploys a Zero Trust architecture?

  A. Protecting network segments
  B. Protecting technology resources
  C. Maintaining network router operating system versions
  D. Ensuring a vendor-agnostic environment
  B. Protecting technology resources

  ---

  Explanation

• Question 768:

  During an audit of a reciprocal disaster recovery agreement between two companies, the IS auditor would be MOST concerned with the:

  A. allocation of resources during an emergency.
  B. frequency of system testing.
  C. differences in IS policies and procedures.
  D. maintenance of hardware and software compatibility.
  A. allocation of resources during an emergency.

  ---

  Explanation

  During an audit of a reciprocal disaster recovery agreement between two companies, the IS auditor would be most concerned with the allocation of resources during an emergency. A reciprocal disaster recovery agreement is an arrangement by which one organization agrees to use another's resources in the event of a business continuity event or incident. The IS auditor would need to ensure that both parties have clearly defined their roles and responsibilities, their resource requirements, their priority levels, their communication channels, and their escalation procedures in case of a disaster. The IS auditor would also need to verify that both parties have tested their agreement and have updated it regularly to reflect any changes in their business environments. The frequency of system testing is not as critical as the allocation of resources during an emergency, because system testing can be performed periodically or on demand, while resource allocation is a dynamic and complex process that requires careful planning and coordination. The differences in IS policies and procedures are not as critical as the allocation of resources during an emergency, because both parties can agree on common standards and protocols for their disaster recovery operations, or they can adapt their policies and procedures to suit each other's needs. The maintenance of hardware and software compatibility is not as critical as the allocation of resources during an emergency, because both parties can use compatible or interoperable systems, or they can use virtualization or cloud computing technologies to overcome any compatibility issues.

  References: ISACA CISA Review Manual 27th Edition, page 281

• Question 769:

  When following up on a data breach, an IS auditor finds a system administrator may have compromised the chain of custody. Which of the following should the system administrator have done FIRST to preserve the evidence?

  A. Perform forensic discovery
  B. Notify key stakeholders
  C. Quarantine the system
  D. Notify the incident response team
  C. Quarantine the system

  ---

  Explanation

• Question 770:

  For an organization that has plans to implement web-based trading, it would be MOST important for an IS auditor to verify the organization's information security plan includes:

  A. attributes for system passwords.
  B. security training prior to implementation.
  C. security requirements for the new application.
  D. the firewall configuration for the web server.
  C. security requirements for the new application.

  ---

  Explanation

  For an organization that has plans to implement web-based trading, it would be most important for an IS auditor to verify that the organization's information security plan includes security requirements for the new application. Security requirements are statements that define what security features and functions are needed to protect the confidentiality, integrity, and availability of the web-based trading application and its data. Security requirements should be identified and documented during the planning phase of the application development life cycle, before any design or coding activities take place. Attributes for system passwords, security training prior to implementation, and firewall configuration for the web server are also important aspects of information security, but they are not as essential as security requirements for ensuring that the web-based trading application meets its security objectives.