Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 801:

  An IS auditor reviewing the database controls for a new e-commerce system discovers a security weakness in the database configuration. Which of the following should be the IS auditor's NEXT course of action?

  A. Identify existing mitigating controls.
  B. Disclose the findings to senior management.
  C. Assist in drafting corrective actions.
  D. Attempt to exploit the weakness.
  A. Identify existing mitigating controls.

  ---

  Explanation

  When an IS auditor discovers a security weakness in the database configuration, the next course of action should be to identify existing mitigating controls. This involves assessing whether any controls are already in place to address the weakness and mitigate the risk. Understanding the current state of controls helps the auditor determine the severity of the issue and whether additional corrective actions are necessary1.

  References: 1(https://www.isaca.org/resources/ insights-and-expertise/audit- programs-and-tools)

• Question 802:

  When planning an audit to assess application controls of a cloud-based system, it is MOST important tor the IS auditor to understand the.

  A. architecture and cloud environment of the system.
  B. business process supported by the system.
  C. policies and procedures of the business area being audited.
  D. availability reports associated with the cloud-based system.
  B. business process supported by the system.

  ---

  Explanation

  The business process supported by the system is the most important factor for an IS auditor to understand when planning an audit to assess application controls of a cloud-based system. An IS auditor should have a clear understanding of the business objectives, requirements, and risks of the process, as well as the expected outputs and outcomes of the system. This will help the IS auditor to determine the scope, objectives, and criteria of the audit, as well as to identify and evaluate the key application controls that ensure the effectiveness, efficiency, and reliability of the process. The other options are less important factors that may provide additional information or context for the audit, but not its primary focus.

  References: CISA Review Manual (Digital Version), Chapter 5, Section 5.31 CISA Review Questions, Answers and Explanations Database, Question ID 212

• Question 803:

  Which of the following is a PRIMARY function of an intrusion detection system (IDS)?

  A. Predicting an attack before it occurs
  B. Alerting when a scheduled backup job fails
  C. Blocking malicious network traffic
  D. Warning when executable programs are modified
  D. Warning when executable programs are modified

  ---

  Explanation

• Question 804:

  Which of the following sampling techniques is BEST to use when verifying the operating effectiveness of internal controls during an audit of transactions?

  A. Attribute sampling
  B. Statistical sampling
  C. Judgmental sampling
  D. Stop-or-go sampling
  B. Statistical sampling

  ---

  Explanation

• Question 805:

  Which of the following will identify a deviation in the information security management process from generally accepted standards of good practices?

  A. Gap analysis
  B. Risk assessment
  C. Business impact analysis (BIA)
  D. Penetration testing
  A. Gap analysis

  ---

  Explanation

• Question 806:

  Management is concerned about sensitive information being intentionally or unintentionally emailed as attachments outside the organization by employees. What is the MOST important task before implementing any associated email controls?

  A. Require all employees to sign nondisclosure agreements (NDAs).
  B. Develop an acceptable use policy for end-user computing (EUC).
  C. Develop an information classification scheme.
  D. Provide notification to employees about possible email monitoring.
  C. Develop an information classification scheme.

  ---

  Explanation

  The most important task before implementing any associated email controls to prevent sensitive information from being emailed outside the organization by employees is to develop an information classification scheme. An information classification scheme is a framework that defines the categories and levels of sensitivity for different types of information, such as public, internal, confidential, or secret. An information classification scheme can help implement email controls by providing criteria and guidelines for identifying, labeling, handling, and protecting sensitive information in email attachments. The other options are not as important as developing an information classification scheme, as they do not address the root cause of the problem or provide the same benefits. Requiring all employees to sign nondisclosure agreements (NDAs) is a legal control that can help deter or penalize employees from disclosing sensitive information, but it does not prevent them from emailing it outside the organization. Developing an acceptable use policy for end-user computing (EUC) is a governance control that can help define and communicate the rules and expectations for using IT resources, such as email, but it does not prevent employees from emailing sensitive information outside the organization. Providing notification to employees about possible email monitoring is a transparency control that can help inform and warn employees about the potential consequences of emailing sensitive information outside the organization, but it does not prevent them from doing so.

  References: CISA Review Manual (Digital Version), Chapter 5, Section 5.3.2

• Question 807:

  Which audit approach is MOST helpful in optimizing the use of IS audit resources?

  A. Agile auditing
  B. Continuous auditing
  C. Outsourced auditing
  D. Risk-based auditing
  D. Risk-based auditing

  ---

  Explanation

  Risk-based auditing is an audit approach that focuses on the analysis and management of risk within an organization. Risk-based auditing helps identify and prioritize the areas or processes that pose the highest risk to the organization's objectives and allocate audit resources accordingly. Risk-based auditing also helps provide assurance and advisory services related to the organization's risk management processes and controls. By using risk-based auditing, internal auditors can optimize the use of their audit resources and add value to the organization. Agile auditing, continuous auditing, and outsourced auditing are not audit approaches that are most helpful in optimizing the use of IS audit resources. Agile auditing is a flexible and iterative audit methodology that adapts to changing circumstances and stakeholder needs. Continuous auditing is a method of performing audit activities on a real-time or near-real- time basis using automated tools and techniques. Outsourced auditing is a practice of contracting external auditors to perform some or all of the internal audit functions. These audit methods may have some advantages or disadvantages depending on the context and objectives of the audit, but they do not necessarily optimize the use of IS audit resources.

• Question 808:

  In a data center audit, an IS auditor finds that the humidity level is very low. The IS auditor would be MOST concerned because of an expected increase in:

  A. risk of fire.
  B. backup tape failures.
  C. static electricity problems.
  D. employee discomfort.
  C. static electricity problems.

  ---

  Explanation

• Question 809:

  Which of following areas is MOST important for an IS auditor to focus on when reviewing the maturity model for a technology organization?

  A. Standard operating procedures
  B. Service level agreements (SLAs)
  C. Roles and responsibility matrix
  D. Business resiliency
  C. Roles and responsibility matrix

  ---

  Explanation

  A maturity model for a technology organization is a tool that measures the progress and capability of the IT function in relation to its goals, processes, and practices. A maturity model can help identify gaps and areas for improvement, as well as benchmark the IT function against industry standards or best practices. One of the key aspects of a maturity model is the definition and clarity of roles and responsibilities for the IT function and its stakeholders. A roles and responsibility matrix, such as a RACI matrix, is a document that clarifies who is responsible, accountable, consulted, and informed for each task or deliverable in a project or process. A roles and responsibility matrix can help avoid confusion, duplication, or omission of work, as well as ensure accountability and communication among the IT function and its customers, partners, and suppliers. Therefore, an IS auditor should focus on reviewing the roles and responsibility matrix when evaluating the maturity model for a technology organization. A standard operating procedure (SOP) is a document that describes the steps and instructions for performing a routine or repetitive task or process. SOPs are important for ensuring consistency, quality, and compliance in the IT function, but they are not directly related to the maturity model. A service level agreement (SLA) is a contract that defines the expectations and obligations between an IT service provider and its customers. SLAs are important for ensuring customer satisfaction, performance measurement, and dispute resolution in the IT function, but they are not directly related to the maturity model. A business resiliency plan is a document that outlines how an IT function will continue to operate or recover from a disruption or disaster. Business resiliency is important for ensuring availability, reliability, and security in the IT function, but it is not directly related to the maturity model.

  References: 1: Maturity Models for IT and Technology | Splunk 2: Responsibility assignment matrix - Wikipedia 3: Roles and Responsibilities Matrix - SDLCforms

• Question 810:

  A data breach has occurred due lo malware. Which of the following should be the FIRST course of action?

  A. Notify the cyber insurance company.
  B. Shut down the affected systems.
  C. Quarantine the impacted systems.
  D. Notify customers of the breach.
  C. Quarantine the impacted systems.

  ---

  Explanation

  The first course of action when a data breach has occurred due to malware is to quarantine the impacted systems. This means isolating the infected systems from the rest of the network and preventing any further communication or data

  transfer with them. This can help contain the spread of the malware, limit the damage and exposure of sensitive data, and facilitate the investigation and remediation of the incident. Quarantining the impacted systems can also help preserve

  the evidence and logs that may be needed for forensic analysis or legal action.

  References:

  [1] provides a guide on how to respond to a data breach caused by malware and recommends quarantining the impacted systems as the first step. [2] explains what is malware and how it can cause data breaches, and suggests quarantining the infected devices as a best practice. [3] describes the steps involved in quarantining a system infected by malware and the benefits of doing so.