Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 881:

  An IS auditor has been asked to audit the proposed acquisition of new computer hardware. The auditor's PRIMARY concern Is that:

  A. the implementation plan meets user requirements.
  B. a full, visible audit trail will be Included.
  C. a dear business case has been established.
  D. the new hardware meets established security standards
  C. a dear business case has been established.

  ---

  Explanation

  The IS auditor's primary concern when auditing the proposed acquisition of new computer hardware is that a clear business case has been established. A business case is a document that justifies the need, feasibility, and benefits of a proposed project or investment. A clear business case can help to ensure that the acquisition of new computer hardware is aligned with the organization's goals, objectives, and requirements, and that it provides value for money and return on investment. The other options are not as important as establishing a clear business case, as they do not address the rationale or justification for acquiring new computer hardware.

  References: CISA Review Manual, 27th Edition, page 467

• Question 882:

  Which of the following is MOST likely to be a project deliverable of an agile software development methodology?

  A. Strictly managed software requirements baselines
  B. Extensive project documentation
  C. Automated software programming routines
  D. Rapidly created working prototypes
  D. Rapidly created working prototypes

  ---

  Explanation

  A project deliverable is a tangible or intangible product or service that is produced as a result of a project and delivered to the customer or stakeholder. A project deliverable can be either an intermediate deliverable that is part of the project process or a final deliverable that is the outcome of the project. An agile software development methodology is a project management approach that involves breaking the project into phases and emphasizes continuous collaboration and improvement. Teams follow a cycle of planning, executing, and evaluating. Agile software development methodologies value working software over comprehensive documentation and respond to change over following a plan. Rapidly created working prototypes are most likely to be a project deliverable of an agile software development methodology because they: Provide early and frequent feedback from customers and stakeholders on the functionality and usability of the software product Allow for rapid validation and verification of the software requirements and design Enable continuous improvement and adaptation of the software product based on changing customer needs and expectations Reduce the risk of delivering a software product that does not meet customer needs or expectations Increase customer satisfaction and trust by delivering working software products frequently and consistently Some examples of agile software development methodologies that use rapidly created working prototypes as project deliverables are: Scrum - a framework that organizes the work into fixed-length sprints (usually 2-4 weeks) and delivers potentially shippable increments of the software product at the end of each sprint Extreme Programming (XP) - a methodology that focuses on delivering high-quality software products through practices such as test-driven development, pair programming, continuous integration, and frequent releases Rapid Application Development (RAD) - a methodology that emphasizes rapid prototyping and user involvement throughout the software development process3 The other options are not likely to be project deliverables of an agile software development methodology. Strictly managed software requirements baselines are not likely to be project deliverables of an agile software development methodology. A software requirements baseline is a set of agreed-upon and approved software requirements that serve as the basis for the software design, development, testing, and delivery. A strictly managed software requirements baseline is a software requirements baseline that is controlled and changed only through a formal change management process. Strictly managed software requirements baselines are more suitable for traditional or waterfall software development methodologies that follow a linear and sequential process of defining, designing, developing, testing, and delivering software products. Strictly managed software requirements baselines are not compatible with agile software development methodologies that embrace change and flexibility in the software requirements based on customer feedback and evolving needs. Extensive project documentation is not likely to be project deliverables of an agile software development methodology. Project documentation is any written or electronic information that describes or records the activities, processes, results, or decisions of a project. Extensive project documentation is project documentation that covers every aspect of the project in detail and requires significant time and effort to produce and maintain. Extensive project documentation is more suitable for traditional or waterfall software development methodologies that rely on comprehensive documentation to communicate and document the project scope, requirements, design, testing, and delivery. Extensive project documentation is not compatible with agile software development methodologies that value working software over comprehensive documentation and use minimal documentation to support the communication and collaboration among the project team members. Automated software programming routines are not likely to be project deliverables of an agile software development methodology. Automated software programming routines are programs or scripts that perform repetitive or complex tasks in the software development process without human intervention. Automated software programming routines can improve the efficiency, quality, and consistency of the software development process by reducing human errors, saving time, and enforcing standards. Automated software programming routines can be used in any software development methodology, but they are not specific to agile software development methodologies. Automated software programming routines are not considered as project deliverables because they are not part of the final product that is delivered to the customer.

• Question 883:

  Which of the following provides the BEST evidence that a third-party service provider's information security controls are effective?

  A. An audit report of the controls by the service provider's external auditor
  B. Documentation of the service provider's security configuration controls
  C. An interview with the service provider's information security officer
  D. A review of the service provider's policies and procedures
  A. An audit report of the controls by the service provider's external auditor

  ---

  Explanation

  An audit report of the controls by the service provider's external auditor provides the best evidence that a third-party service provider's information security controls are effective. An external auditor is an independent and objective party that can assess the design and operating effectiveness of the service provider's information security controls based on established standards and criteria. An external auditor can also provide an opinion on the adequacy and compliance of the service provider's information security controls, as well as recommendations for improvement. Documentation of the service provider's security configuration controls is a source of evidence that a third-party service provider's information security controls are effective, but it is not the best evidence. Documentation of the security configuration controls can show the settings and parameters of the service provider's information systems and networks, but it may not reflect the actual implementation and operation of the controls. Documentation of the security configuration controls may also be outdated, incomplete, or inaccurate. An interview with the service provider's information security officer is a source of evidence that a third-party service provider's information security controls are effective, but it is not the best evidence. An interview with the information security officer can provide insights into the service provider's information security strategy, policies, and procedures, but it may not verify the actual performance and compliance of the information security controls. An interview with the information security officer may also be biased, subjective, or misleading. A review of the service provider's policies and procedures is a source of evidence that a third-party service provider's information security controls are effective, but it is not the best evidence. A review of the policies and procedures can show the service provider's information security objectives, requirements, and guidelines, but it may not demonstrate the actual execution and enforcement of the information security controls. A review of the policies and procedures may also be insufficient, inconsistent, or outdated.

  References: ISACA, CISA Review Manual, 27th Edition, 2019, p. 284 ISACA, CISA Review Questions, Answers and Explanations Database - 12 Month Subscription

• Question 884:

  Which of the following is the MOST important factor when an organization is developing information security policies and procedures?

  A. Consultation with security staff
  B. Inclusion of mission and objectives
  C. Compliance with relevant regulations
  D. Alignment with an information security framework
  D. Alignment with an information security framework

  ---

  Explanation

  Information security policies and procedures are the foundation of an organization's information security program. They define the roles, responsibilities, rules, and standards for protecting information assets from unauthorized access, use, disclosure, modification, or destruction. The most important factor when developing information security policies and procedures is to align them with an information security framework that provides a comprehensive and consistent approach to managing information security risks. An information security framework can also help ensure compliance with relevant regulations, inclusion of mission and objectives, and consultation with security staff. However, these factors are secondary to alignment with an information security framework.

  References: CISA Certification | Certified Information Systems Auditor | ISACA, CISA Review Manual (Digital Version)

• Question 885:

  When reviewing the disaster recovery strategy, IT management identified an application that requires a short recovery point objective (RPO). Which of the following data restoration strategies would BEST enable the organization to meet this objective?

  A. Snapshots
  B. Mirroring
  C. Log shipping
  D. Data backups
  B. Mirroring

  ---

  Explanation

  Explanation

  Mirroring (Option B)is the best choice for applications requiring a short Recovery Point Objective (RPO)because it provides real-time replication of data, ensuring minimal data loss. ISACA CISA

  Data replication strategies in

  disaster recovery planning emphasize mirroring for high-availability systems. Risk Implication:If mirroring is not implemented for critical systems, significant data loss may occur in the event of a failure.

  Alternative Choices:

  Option A:Snapshots capture data at specific points in time, leading to potential data loss. Option C:Log shipping has delays due to batch processing. Option D:Backups are periodic and not suitable for short RPO needs.

• Question 886:

  An IS auditor is evaluating an organization's IT strategy and plans. Which of the following would be of GREATEST concern?

  A. There is not a defined IT security policy.
  B. The business strategy meeting minutes are not distributed.
  C. IT is not engaged in business strategic planning.
  D. There is inadequate documentation of IT strategic planning.
  C. IT is not engaged in business strategic planning.

  ---

  Explanation

  The greatest concern for an IS auditor when evaluating an organization's IT strategy and plans is that IT is not engaged in business strategic planning, as this indicates a lack of alignment between IT and business objectives, which could result in inefficient and ineffective use of IT resources and capabilities. The absence of a defined IT security policy, the nondistribution of business strategy meeting minutes, and the inadequate documentation of IT strategic planning are also issues that should be addressed by an IS auditor, but they are not as significant as IT's noninvolvement in business strategic planning.

  References: CISA Review Manual (Digital Version), Chapter 3, Section 3.1

• Question 887:

  IT disaster recovery time objectives (RTOs) should be based on the:

  A. maximum tolerable loss of data.
  B. nature of the outage
  C. maximum tolerable downtime (MTD).
  D. business-defined criticality of the systems.
  D. business-defined criticality of the systems.

  ---

  Explanation

  IT disaster recovery time objectives (RTOs) are the maximum acceptable time that an IT system can be unavailable after a disaster before it causes unacceptable consequences for the business. IT RTOs should be based on the business-defined criticality of the systems, which reflects how important they are for supporting the business processes and functions. The maximum tolerable loss of data, the nature of the outage, and the maximum tolerable downtime (MTD) are also factors that affect the IT RTOs, but they are not the primary basis for determining them.

• Question 888:

  An IS auditor is reviewing an organization that performs backups on local database servers every two weeks and does not have a formal policy to govern data backup and restoration procedures. Which of the following findings presents the GREATEST risk to the organization?

  A. Lack of offsite data backups
  B. Absence of a data backup policy
  C. Lack of periodic data restoration testing
  D. Insufficient data backup frequency
  D. Insufficient data backup frequency

  ---

  Explanation

• Question 889:

  A new information security manager is charged with reviewing and revising the information security strategy. The information security manager's FIRST course of action should be to gain an understanding of the organization's:

  A. security architecture
  B. risk register
  C. internal control framework
  D. business strategy
  D. business strategy

  ---

  Explanation

• Question 890:

  Which of the following is the GREATEST risk if two users have concurrent access to the same database record?

  A. Data integrity
  B. Entity integrity
  C. Referential integrity
  D. Availability integrity
  A. Data integrity

  ---

  Explanation