Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 901:

  Which of the following MOST effectively prevents internal users from modifying sensitive data?

  A. Network segmentation
  B. Multi-factor authentication
  C. Acceptable use policies
  D. Role-based access controls
  D. Role-based access controls

  ---

  Explanation

• Question 902:

  Which of the following is an objective of data transfer controls?

  A. To ensure there are sufficient dedicated resources in place to facilitate data transfer
  B. To ensure receiving data fields have been configured according to the structure of the transmitted data
  C. To ensure the data is backed up on a regular basis
  D. To ensure access control lists are accurately and completely maintained
  B. To ensure receiving data fields have been configured according to the structure of the transmitted data

  ---

  Explanation

• Question 903:

  What is an IS auditor's BEST recommendation for management if a network vulnerability assessment confirms that critical patches have not been applied since the last assessment?

  A. Implement a process to test and apply appropriate patches.
  B. Apply available patches and continue periodic monitoring.
  C. Configure servers to automatically apply available patches.
  D. Remove unpatched devices from the network.
  A. Implement a process to test and apply appropriate patches.

  ---

  Explanation

• Question 904:

  Which of the following control fixes a component or system after an incident has occurred?

  A. Deterrent
  B. Preventive
  C. Corrective
  D. Recovery
  C. Corrective

  ---

  Explanation

  Corrective control fixes components or systems after an incident has occurred

  For your exam you should know below information about different security controls

  Deterrent Controls

  Deterrent Controls are intended to discourage a potential attacker. Access controls act as a deterrent to threats and attacks by the simple fact that the existence of the control is enough to keep some potential attackers from attempting to

  circumvent the control. This is often because the effort required to circumvent the control is far greater than the potential reward if the attacker is successful, or, conversely, the negative implications of a failed attack (or getting caught)

  outweigh the benefits of success. For example, by forcing the identification and authentication of a user, service, or application, and all that it implies, the potential for incidents associated with the system is significantly reduced because an

  attacker will fear association with the incident. If there are no controls for a given access path, the number of incidents and the potential impact become infinite. Controls inherently reduce exposure to risk by applying oversight for a process.

  This oversight acts as a deterrent, curbing an attacker's appetite in the face of probable repercussions.

  The best example of a deterrent control is demonstrated by employees and their propensity to intentionally perform unauthorized functions, leading to unwanted events.

  When users begin to understand that by authenticating into a system to perform a function, their activities are logged and monitored, and it reduces the likelihood they will attempt such an action. Many threats are based on the anonymity of

  the threat agent, and any potential for identification and association with their actions is avoided at all costs.

  It is this fundamental reason why access controls are the key target of circumvention by attackers. Deterrents also take the form of potential punishment if users do something unauthorized. For example, if the organization policy specifies that

  an employee installing an unauthorized wireless access point will be fired, that will determine most employees from installing wireless access points.

  Preventative Controls

  Preventive controls are intended to avoid an incident from occurring. Preventative access controls keep a user from performing some activity or function. Preventative controls differ from deterrent controls in that the control is not optional and

  cannot (easily) be bypassed. Deterrent controls work on the theory that it is easier to obey the control

  rather than to risk the consequences of bypassing the control. In other words, the power for action resides with the user (or the attacker). Preventative controls place the power of action with the system, obeying the control is not optional. The

  only way to bypass the control is to find a flaw in the control's implementation.

  Compensating Controls

  Compensating controls are introduced when the existing capabilities of a system do not support the requirement of a policy. Compensating controls can be technical, procedural, or managerial. Although an existing system may not support the

  required controls, there may exist other technology or processes that can supplement the existing environment, closing the gap in controls, meeting policy requirements, and reducing overall risk.

  For example, the access control policy may state that the authentication process must be encrypted when performed over the Internet. Adjusting an application to natively support encryption for authentication purposes may be too costly.

  Secure Socket Layer (SSL), an encryption protocol, can be employed and layered on top of the authentication process to support the policy statement.

  Other examples include a separation of duties environment, which offers the capability to isolate certain tasks to compensate for technical limitations in the system and ensure the security of transactions. In addition, management processes,

  such as authorization, supervision, and administration, can be used to compensate for gaps in the access control environment.

  Detective Controls

  Detective controls warn when something has happened, and are the earliest point in the post-incident timeline. Access controls are a deterrent to threats and can be aggressively utilized to prevent harmful incidents through the application of

  least privilege. However, the detective nature of access controls can provide significant visibility into the access environment and help organizations manage their access strategy and related security risk.

  As mentioned previously, strongly managed access privileges provided to an authenticated user offer the ability to reduce the risk exposure of the enterprise's assets by limiting the capabilities that authenticated user has. However, there are

  few options to control what a user can perform once privileges are provided. For example, if a user is provided write access to a file and that file is damaged, altered, or otherwise negatively impacted (either deliberately or unintentionally), the

  use of applied access controls will offer visibility into the transaction. The control environment can be established to log activity regarding the identification, authentication, authorization, and use of privileges on a system.

  This can be used to detect the occurrence of errors, the attempts to perform an unauthorized action, or to validate when provided credentials were exercised. The logging system as a detective device provides evidence of actions (both

  successful and unsuccessful) and tasks that were executed by authorized users.

  Corrective Controls

  When a security incident occurs, elements within the security infrastructure may require corrective actions. Corrective controls are actions that seek to alter the security posture of an environment to correct any deficiencies and return the

  environment to a secure state. A security incident signals the failure of one or more directive, deterrent, preventative, or compensating controls. The detective controls may have triggered an alarm or notification, but now the corrective controls

  must work to stop the incident in its tracks. Corrective controls can take many forms, all depending on the particular situation at hand or the particular security failure that needs to be dealt with.

  Recovery Controls

  Any changes to the access control environment, whether in the face of a security incident or to offer temporary compensating controls, need to be accurately reinstated and returned to normal operations. There are several situations that may

  affect access controls, their applicability, status, or management.

  Events can include system outages, attacks, project changes, technical demands, administrative gaps, and full-blown disaster situations. For example, if an application is not correctly installed or deployed, it may adversely affect controls

  placed on system files or even have default administrative accounts unknowingly implemented upon install.

  Additionally, an employee may be transferred, quit, or be on temporary leave that may affect policy requirements regarding separation of duties. An attack on systems may have resulted in the implantation of a Trojan horse program,

  potentially exposing private user information, such as credit card information and financial data. In all of these cases, an undesirable situation must be rectified as quickly as possible and controls returned to normal operations.

  The following answers are incorrect:

  Deterrent - Deterrent controls are intended to discourage a potential attacker

  Preventive - Preventive controls are intended to avoid an incident from occurring

  Recovery - Recovery controls are intended to bring the environment back to regular operations

  CISA Review Manual 2014 Page number 44

  and

  Official ISC2 CISSP guide 3rd edition Page number 50 and 51

• Question 905:

  During a physical security audit, an IS auditor was provided a proximity badge that granted access to three specific floors in a corporate office building. Which of the following issues should be of MOST concern?

  A. The proximity badge did not work for the first two days of audit fieldwork.
  B. There was no requirement for an escort during fieldwork.
  C. There was no follow-up for unsuccessful attempted access violations.
  D. The proximity badge incorrectly granted access to restricted areas.
  D. The proximity badge incorrectly granted access to restricted areas.

  ---

  Explanation

  The proximity badge incorrectly granting access to restricted areas is the most concerning issue, as it indicates a failure of the access control system to enforce the principle of least privilege and protect the sensitive or critical assets of the organization. The proximity badge should only grant access to the areas that are necessary for the IS auditor to perform the audit fieldwork, and not to any other areas that may contain confidential information, valuable equipment, or hazardous materials. The incorrect access could result in unauthorized disclosure, modification, or destruction of the assets, as well as potential safety or legal issues.

  References: ISACA CISA Review Manual, 27th Edition, page 254 Office and Workplace Physical Security Assessment Checklist Physical Security: Planning, Measures and Examples

• Question 906:

  in a controlled application development environment, the MOST important segregation of duties should be between the person who implements changes into the production environment and the:

  A. application programmer
  B. systems programmer
  C. computer operator
  D. quality assurance (QA) personnel
  A. application programmer

  ---

  Explanation

  In a controlled application development environment, the most important segregation of duties should be between the person who implements changes into the production environment and the application programmer. This segregation of duties ensures that no one person can create and deploy code without proper review, testing, and approval. This reduces the risk of errors, fraud, or malicious code being introduced into the production environment. The other options are not as important as the segregation between the application programmer and the person who implements changes into production, but they are still relevant for achieving a secure and reliable application development environment. The segregation of duties between the person who implements changes into production and the systems programmer is important to prevent unauthorized or untested changes to system software or configuration. The segregation of duties between the person who implements changes into production and the computer operator is important to prevent unauthorized or uncontrolled access to production data or resources. The segregation of duties between the person who implements changes into production and the quality assurance (QA) personnel is important to ensure independent verification and validation of code quality and functionality.

  References: ISACA CISA Review Manual 27th Edition (2019), page 247 Segregation of Duties in an Agile Environment | AKF Partners3 Separation of Duties: How to Conform in a DevOps World4

• Question 907:

  A system performance dashboard indicates several application servers are reaching the defined threshold for maximum CPU allocation. Which of the following would be the IS auditor's BEST recommendation for the IT department?

  A. Increase the defined processing threshold to reflect capacity consumption during normal operations.
  B. Notify end users of potential disruptions caused by degradation of servers.
  C. Terminate both ingress and egress connections of these servers to avoid overload.
  D. Validate the processing capacity of these servers is adequate to complete computing tasks.
  D. Validate the processing capacity of these servers is adequate to complete computing tasks.

  ---

  Explanation

• Question 908:

  Which of the following is a social engineering attack method?

  A. An unauthorized person attempts to gam access to secure premises by following an authonzed person through a secure door.
  B. An employee is induced to reveal confidential IP addresses and passwords by answering questions over the phone.
  C. A hacker walks around an office building using scanning tools to search for a wireless network to gain access.
  D. An intruder eavesdrops and collects sensitive information flowing through the network and sells it to third parties.
  B. An employee is induced to reveal confidential IP addresses and passwords by answering questions over the phone.

  ---

  Explanation

  An employee is induced to reveal confidential IP addresses and passwords by answering questions over the phone. This is a social engineering attack method that exploits the trust or curiosity of the employee to obtain sensitive information that can be used to access or compromise the network. According to the web search results, social engineering is a technique that uses psychological manipulation to trick users into making security mistakes or giving away sensitive information1. Phishing, whaling, baiting, and pretexting are some of the common forms of social engineering attacks2. Social engineering attacks are often more effective and profitable than purely technical attacks, as they rely on human error rather than system vulnerabilities

• Question 909:

  An IS auditor finds that capacity management for a key system is being performed by IT with no input from the business The auditor's PRIMARY concern would be:

  A. failure to maximize the use of equipment
  B. unanticipated increase in business s capacity needs.
  C. cost of excessive data center storage capacity
  D. impact to future business project funding.
  B. unanticipated increase in business s capacity needs.

  ---

  Explanation

  The auditor's primary concern when capacity management for a key system is being performed by IT with no input from the business would be an unanticipated increase in business's capacity needs. This could result in performance degradation, service disruption or customer dissatisfaction if IT is not able to provide sufficient capacity to meet the business demand. Failure to maximize the use of equipment, cost of excessive data center storage capacity or impact to future business project funding are secondary concerns that relate to resource optimization or budget allocation, but not to service delivery or customer satisfaction.

  References: ISACA, CISA Review Manual, 27th Edition, 2018, page 374

• Question 910:

  Which of the following methods would BEST help detect unauthorized disclosure of confidential documents sent over corporate email?

  A. Requiring all users to encrypt documents before sending
  B. Installing firewalls on the corporate network
  C. Reporting all outgoing emails that are marked as confidential
  D. Monitoring all emails based on pre-defined criteria
  D. Monitoring all emails based on pre-defined criteria

  ---

  Explanation

  To detect unauthorized disclosure of confidential documents sent over corporate email, monitoring all emails based on pre-defined criteria is the best approach. This involves setting up automated monitoring systems that analyze email content, attachments, and metadata to identify any potential unauthorized disclosures. By defining specific criteria (such as keywords related to confidential information), organizations can proactively detect and prevent leaks. Requiring encryption before sending documents (option A) is important but does not address monitoring for unauthorized disclosures. Firewalls (option B) protect the network but do not specifically focus on email content. Reporting outgoing emails marked as confidential (option C) relies on user self-reporting and may not catch all incidents.

  References: 1(https://www.isaca.org/resources/isaca-journal/past- issues/2010/data-governance-for-privacy-confidentiality-and-compliance-aholistic- approach) 2(https://www.isaca.org/resources/news-and- trends/newsletters/atisaca/2020/volume-6/best-practices-for-privacy-audits)