Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 871:

  When developing customer-facing IT applications, in which stage of the system development life cycle (SDLC) is it MOST beneficial to consider data privacy principles?

  A. Systems design and architecture
  B. Software selection and acquisition
  C. User acceptance testing (UAT)
  D. Requirements definition
  D. Requirements definition

  ---

  Explanation

  The most beneficial stage of the system development life cycle (SDLC) to consider data privacy principles is

  D. Requirements definition. This is because data privacy principles should be integrated into the design and development of customer-facing IT applications from the very beginning, not as an afterthought or a retrofit1. By considering data privacy principles in the requirements definition stage, the developers can identify the personal data that will be collected, processed, stored, and shared by the application, and ensure that they comply with the relevant laws and regulations, such as the General Data Protection Regulation (GDPR). They can also apply the principles of data minimization, purpose limitation, transparency, consent, and security to protect the privacy rights and interests of the customers.

• Question 872:

  An IS auditor is preparing for a review of controls associated with a manufacturing plant's implementation of industrial Internet of Things (loT) infrastructure Which of the following vulnerabilities would present the GREATEST security risk to the organization?

  A. Insufficient physical security around the lo I devices for theft prevention
  B. Use of open-source software components within the loT devices
  C. Constraints in loT device firmware storage space for code upgrades
  D. loT devices that are not using wireless network connectivity
  B. Use of open-source software components within the loT devices

  ---

  Explanation

  Explanation The use of open-source software components in IoT devices presents the greatest security risk due to potential vulnerabilities that may exist within the software. These vulnerabilities can be exploited if patches are not applied promptly, and the organization might not have direct control over the software's maintenance and security updates. This risk is amplified in critical manufacturing environments where compromised IoT devices can lead to operational disruptions. Physical Security (Option A):While important, theft of IoT devices generally poses less risk compared to a system-wide compromise due to software vulnerabilities. Firmware Storage Constraints (Option C):While a limitation, this is a secondary concern compared to exploitable software. Devices Not Using Wireless Connectivity (Option D):Wired devices are generally more secure, reducing this as a significant concern.

  ISACA CISA Review Manual, Job Practice Area 4: Protection of Information Assets.

• Question 873:

  A risk analysis for a new system is being performed. For which of the following is business knowledge MORE important than IT knowledge?

  A. Vulnerability analysis
  B. Cost-benefit analysis
  C. Impact analysis
  D. Balanced scorecard
  B. Cost-benefit analysis

  ---

  Explanation

• Question 874:

  An IS auditor wants to inspect recent events in a system to observe failed authentications and password changes. Which of the following is the MOST appropriate method to use for this purpose?

  A. Penetration testing
  B. Authenticated scanning
  C. Change management records
  D. System log review
  D. System log review

  ---

  Explanation

• Question 875:

  An IS auditor is asked to review an organization's technology relationships, interfaces, and data. Which of the following enterprise architecture (EA) areas is MOST appropriate this review? (Choose Correct answer and give explanation from CISA Certification - Information Systems Auditor official book)

  A. Reference architecture
  B. Infrastructure architecture
  C. Information security architecture
  D. Application architecture
  C. Information security architecture

  ---

  Explanation

  The lack of system documentation should be of most concern to an IS auditor reviewing the information systems acquisition, development, and implementation process. This is because system documentation is a vital source of information that describes the system's purpose, functionality, design, architecture, testing, deployment, operation, and maintenance. System documentation helps the IS auditor to understand and evaluate the system's quality, performance, security, compliance, and alignment with the business requirements and objectives. Without system documentation, the IS auditor may not be able to perform a thorough and effective audit of the system, as well as identify any issues or risks that may affect the system's reliability or integrity. Data owners are not trained on the use of data conversion tools is not the most concerning issue, although it may indicate a lack of user readiness or competence for the system implementation. Data conversion tools are software applications that help users to transform data from one format or structure to another, such as from legacy systems to new systems. Data owners are users who have the responsibility and authority to manage and control the data within their domain. Data owners should be trained on how to use data conversion tools to ensure that the data is accurately and securely transferred to the new system, as well as to avoid any data loss, corruption, or inconsistency. However, data owners are not the only users who need training for the system implementation, and data conversion tools are not the only tools that need training. A post-implementation lessons-learned exercise was not conducted is not the most concerning issue, although it may indicate a lack of continuous improvement or learning culture for the system development and implementation process. A post-implementation lessons-learned exercise is a meeting or a session that takes place after the completion of a system implementation project, where the project team and stakeholders discuss and document the successes and failures of the project, as well as identify any best practices or areas for improvement for future projects. A post-implementation lessons-learned exercise can help to enhance the project management skills, knowledge, and performance of the project team and stakeholders, as well as to avoid repeating the same mistakes or problems in future projects. System deployment is routinely performed by contractors is not the most concerning issue, although it may pose some challenges or risks for the system implementation process. System deployment is the final stage of the system development life cycle (SDLC), where the system is installed and configured on the target environment and made available for use by end-users. System deployment can be performed by internal staff or external contractors, depending on the availability, expertise, and cost of resources. System deployment by contractors may offer some benefits such as faster delivery, lower cost, or higher quality than internal staff. However, system deployment by contractors may also introduce some risks such as loss of control, dependency, or security breaches over the system implementation process

• Question 876:

  While evaluating the data classification process of an organization, an IS auditor's PRIMARY focus should be on whether:

  A. data classifications are automated.
  B. a data dictionary is maintained.
  C. data retention requirements are clearly defined.
  D. data is correctly classified.
  D. data is correctly classified.

  ---

  Explanation

  Data classification is the process of organizing and labeling data into categories based on file type, contents, and other metadata. Data classification helps organizations answer important questions about their data that inform how they mitigate risk and manage data governance policies. Data classification also enables appropriate protection measures, and efficient search, retrieval and use of each data category12. While evaluating the data classification process of an organization, an IS auditor's primary focus should be on whether data is correctly classified. This means that the data is assigned to the appropriate classification level based on its sensitivity, importance, integrity, availability, compliance requirements, and business value. Correct data classification ensures that the data is protected according to its risk level, and that the organization can comply with relevant laws and regulations that apply to different types of data3. The other three options are not the primary focus of an IS auditor while evaluating the data classification process, although they may be relevant or useful for certain aspects of data management. Data classifications are automated means that the organization uses software tools or algorithms to analyze and label data based on predefined rules or criteria. This can improve the efficiency and consistency of data classification, but it does not guarantee that the data is correctly classified. The IS auditor still needs to verify the accuracy and validity of the automated classifications, and check for any errors or anomalies. A data dictionary is maintained means that the organization keeps a record of the definitions, formats, sources, and relationships of the data elements in its systems or databases. This can enhance the understanding and usability of the data, but it does not ensure that the data is correctly classified. The IS auditor still needs to examine the content and context of the data, and compare it with the classification criteria and policies. Data retention requirements are clearly defined means that the organization specifies how long it will keep different types of data, and when it will delete or archive them. This can help reduce storage costs, improve performance, and comply with legal obligations, but it does not ensure that the data is correctly classified. The IS auditor still needs to assess whether the data is stored and protected according to its classification level, and whether the retention periods are appropriate for each type of data. Therefore, data is correctly classified is the best answer.

  References: Data Classification: The Basics and a 6-Step Checklist - NetApp What is Data Classification? Guidelines and Process - Varonis Data Classification and Handling Procedures Guide

• Question 877:

  A financial institution is launching a mobile banking service utilizing multi-factor authentication. This access control is an example of which of the following?

  A. Corrective control
  B. Directive control
  C. Detective control
  D. Preventive control
  D. Preventive control

  ---

  Explanation

• Question 878:

  Which of the following should be the PRIMARY objective of a migration audit?

  A. Data integrity
  B. Business continuity
  C. System performance
  D. Control adequacy
  A. Data integrity

  ---

  Explanation

• Question 879:

  During an ongoing audit, management requests a briefing on the findings to date. Which of the following is the IS auditor's BEST course of action?

  A. Review working papers with the auditee.
  B. Request the auditee provide management responses.
  C. Request management wait until a final report is ready for discussion.
  D. Present observations for discussion only.
  D. Present observations for discussion only.

  ---

  Explanation

  The IS auditor's best course of action in this situation is to present observations for discussion only. Observations are factual statements or findings that are based on the audit evidence collected and analyzed during the audit. Observations can be presented to management for discussion and feedback, but they should not be considered as final conclusions or recommendations until the audit is completed and the audit report is issued. The other options are not appropriate for presenting the findings to date, as they may compromise the audit quality or integrity. Reviewing working papers with the auditee is not advisable, as working papers are confidential documents that contain the auditor's notes, calculations, and opinions that may not be relevant or accurate for management's review. Requesting the auditee provide management responses is premature, as management responses should be obtained after the audit report is issued and the audit findings and recommendations are finalized. Requesting management wait until a final report is ready for discussion is impractical, as management may have a legitimate interest or need to know the audit progress and results as soon as possible.

  References: CISA Review Manual (Digital Version), Chapter 2, Section 2.3

• Question 880:

  Which of the following observations would an IS auditor consider the GREATEST risk when conducting an audit of a virtual server farm tor potential software vulnerabilities?

  A. Guest operating systems are updated monthly
  B. The hypervisor is updated quarterly.
  C. A variety of guest operating systems operate on one virtual server
  D. Antivirus software has been implemented on the guest operating system only.
  D. Antivirus software has been implemented on the guest operating system only.

  ---

  Explanation

  Antivirus software has been implemented on the guest operating system only is the observation that an IS auditor would consider the greatest risk when conducting an audit of a virtual server farm for potential software vulnerabilities. A virtual server farm is a collection of servers that run multiple virtual machines (VMs) on a single physical host using a software layer called a hypervisor. A guest operating system is the operating system installed on each VM. Antivirus software is a software program that detects and removes malicious software from a computer system. If antivirus software has been implemented on the guest operating system only, it means that the hypervisor and the host operating system are not protected from malware attacks, which could compromise the security and availability of all VMs running on the same host. Therefore, antivirus software should be implemented on both the guest and host operating systems as well as on the hypervisor.

  References: CISA Review Manual, 27th Edition, page 378