Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 911:

  Which of the following is the MOST effective way to maintain network integrity when using mobile devices?

  A. Implement network access control.
  B. Implement outbound firewall rules.
  C. Perform network reviews.
  D. Review access control lists.
  A. Implement network access control.

  ---

  Explanation

  The most effective way to maintain network integrity when using mobile devices is to implement network access control. Network access control is a security control that regulates and restricts access to network resources based on predefined policies and criteria, such as device type, identity, location, or security posture. Network access control can help maintain network integrity when using mobile devices by preventing unauthorized or compromised devices from accessing or affecting network systems or data. The other options are not as effective as network access control in maintaining network integrity when using mobile devices, as they do not address all aspects of network access or security. Implementing outbound firewall rules is a security control that filters and blocks network traffic based on source, destination, protocol, or port, but it does not regulate or restrict network access based on device characteristics or conditions. Performing network reviews is a monitoring activity that evaluates and reports on the performance, availability, or security of network resources, but it does not regulate or restrict network access based on device characteristics or conditions. Reviewing access control lists is a verification activity that validates and confirms the access rights and privileges of network users or devices, but it does not regulate or restrict network access based on device characteristics or conditions.

  References: CISA Review Manual (Digital Version), Chapter 5, Section 5.2.2

• Question 912:

  Which of the following is the MAIN purpose of an information security management system?

  A. To identify and eliminate the root causes of information security incidents
  B. To enhance the impact of reports used to monitor information security incidents
  C. To keep information security policies and procedures up-to-date
  D. To reduce the frequency and impact of information security incidents
  D. To reduce the frequency and impact of information security incidents

  ---

  Explanation

  The main purpose of an information security management system (ISMS) is to reduce the frequency and impact of information security incidents. An ISMS is a systematic approach to managing information security risks, policies, procedures,

  and controls within an organization. An ISMS aims to ensure the confidentiality, integrity, and availability of information assets, as well as to comply with relevant laws and regulations. The other options are not the main purpose of an ISMS,

  but rather some of its possible benefits or components.

  References:

  CISA Review Manual (Digital Version), Chapter 7, Section 7.11 CISA Review Questions, Answers and Explanations Database, Question ID 205

• Question 913:

  Which of the following MOST effectively detects transposition and transcription errors?

  A. Duplicate check
  B. Completeness check
  C. Sequence check
  D. Check digit
  D. Check digit

  ---

  Explanation

  Comprehensive and Detailed Step-by-Step Transposition and transcription errors occur when characters or numbers are accidentally swapped or misentered during data entry. Option A (Incorrect):Duplicate checks ensure that the same

  record is not entered twice but do not specifically detect transposition or transcription errors. Option B (Incorrect):Completeness checks ensure that all required data is entered but do not validate data accuracy.

  Option C (Incorrect):Sequence checks verify that records follow a logical sequence but do not catch errors within individual data entries. Option D (Correct):Acheck digitis an additional number generated through an algorithm (e.g., Luhn

  algorithm for credit cards) that helps detect errors such as transpositions (e.g., swapping digits 45 54) and transcriptions (e.g., mistyping 8 as 3).

  ISACA CISA Review Manual -Domain 3: Information Systems Acquisition,

  Development, and Implementation?Covers input validation and error detection techniques.

• Question 914:

  Which of the following is the MOST effective method of destroying sensitive data stored on electronic media?

  A. Degaussing
  B. Random character overwrite
  C. Physical destruction
  D. Low-level formatting
  C. Physical destruction

  ---

  Explanation

  The most effective method of destroying sensitive data stored on electronic media is physical destruction, which involves breaking, shredding, melting, or incinerating the media to make it unreadable and unrecoverable. Degaussing, random character overwrite, and low-level formatting are methods of sanitizing or erasing data from electronic media, but they do not guarantee complete destruction of data and may leave some traces that can be recovered by advanced techniques. Therefore, physical destruction is the most secure and reliable method of data disposal for sensitive data.

  References: CISA Review Manual (Digital Version), Chapter 5: Protection of Information Assets, Section 5.4: Data Disposal

• Question 915:

  Which of the following provides the BEST assurance of data integrity after file transfers?

  A. Check digits
  B. Monetary unit sampling
  C. Hash values
  D. Reasonableness check
  C. Hash values

  ---

  Explanation

  The best assurance of data integrity after file transfers is hash values. Hash values are unique strings that are generated by applying a mathematical function to the data. Hash values can be used to verify that the data has not been altered or corrupted during the transfer, as any change in the data would result in a different hash value. By comparing the hash values of the source and destination files, one can confirm that the data is identical and intact. The other options are not as effective as hash values for ensuring data integrity after file transfers. Check digits are digits added to a number to detect errors in data entry or transmission, but they are not reliable for detecting intentional or complex modifications of the data. Monetary unit sampling is a statistical sampling technique used for auditing financial statements, but it is not applicable for verifying data integrity after file transfers. Reasonableness check is a validation method that checks whether the data falls within an expected range or format, but it does not guarantee that the data is accurate or consistent with the source.

  References:

  5: On Windows, how to check that data is unchanged after copying? - Super User

  6: Data integrity | Cloud Storage Transfer Service Documentation | Google Cloud

  7: Checking File Integrity - HECC Knowledge Base

  8: How to setup File Transfer Integrity Checks - Progress.com

• Question 916:

  Which of the following should be the GREATEST concern to an IS auditor reviewing an organization's method to transport sensitive data between offices?

  A. The method relies exclusively on the use of asymmetric encryption algorithms.
  B. The method relies exclusively on the use of 128-bit encryption.
  C. The method relies exclusively on the use of digital signatures.
  D. The method relies exclusively on the use of public key infrastructure (PKI).
  D. The method relies exclusively on the use of public key infrastructure (PKI).

  ---

  Explanation

  The greatest concern to an IS auditor reviewing an organization's method to transport sensitive data between offices is that the method relies exclusively on the use of public key infrastructure (PKI). PKI is a set of tools and procedures that are used to create, manage, and revoke digital certificates and public keys for encryption and authentication1. PKI can provide secure and trustworthy communication over the internet, but it also has some limitations and risks that need to be considered. One of the main limitations of PKI is that it depends on the trustworthiness and security of the certificate authority (CA), which is the entity that issues and verifies the digital certificates2. If the CA is compromised or malicious, it can issue fake or fraudulent certificates that can be used to impersonate legitimate parties or intercept sensitive data. For example, in 2011, a hacker breached the CA DigiNotar and issued hundreds of rogue certificates for domains such as Google, Yahoo, and Microsoft3. This allowed the hacker to conduct man-in-the-middle attacks and spy on the online activities of users in Iran3. Another limitation of PKI is that it requires a complex and costly infrastructure to maintain and operate. PKI involves multiple components, such as servers, software, hardware, policies, and procedures, that need to be configured, updated, and monitored regularly1. PKI also requires a high level of technical expertise and coordination among different parties, such as users, administrators, CAs, and registration authorities (RAs)1. PKI can be vulnerable to human errors or negligence that can compromise its security or functionality. For example, in 2018, a software bug in Apple's macOS High Sierra caused the system to accept any certificate as valid without checking its validity period. This could have allowed attackers to use expired or revoked certificates to bypass security checks. Therefore, an IS auditor should be concerned if an organization relies exclusively on PKI for transporting sensitive data between offices. PKI can provide a high level of security and trust, but it also has some inherent risks and challenges that need to be addressed. An IS auditor should evaluate whether the organization has implemented adequate controls and measures to ensure the reliability and integrity of its PKI system. An IS auditor should also consider whether the organization has alternative or complementary methods for securing its data transmission, such as using symmetric encryption algorithms or digital signatures. Symmetric encryption algorithms use the same key for both encryption and decryption, which can offer faster performance and lower overhead than asymmetric encryption algorithms used by PKI4. Digital signatures use cryptographic techniques to verify the identity and authenticity of the sender and the integrity of the data5.

• Question 917:

  Which of the following provides the BE ST method for maintaining the security of corporate applications pushed to employee-owned mobile devices?

  A. Enabling remote data destruction capabilities
  B. Implementing mobile device management (MDM)
  C. Disabling unnecessary network connectivity options
  D. Requiring security awareness training for mobile users
  B. Implementing mobile device management (MDM)

  ---

  Explanation

  The best method for maintaining the security of corporate applications pushed to employee-owned mobile devices is implementing mobile device management (MDM). MDM is a software solution that allows an organization to remotely

  manage, configure, and secure the mobile devices that access its network and data. MDM can help protect corporate applications on employee-owned devices by:

  Enforcing security policies and settings, such as encryption, password, firewall, antivirus, and VPN.

  Controlling the installation, update, and removal of corporate applications and data. Separating corporate and personal data and applications on the device using containers or profiles. Monitoring and auditing the device's compliance status,

  activity, and location. Performing remote actions, such as lock, wipe, backup, or restore, in case of loss, theft, or compromise. MDM can provide a comprehensive and centralized approach to maintain the security of corporate applications on

  employee-owned devices, regardless of the device type, platform, or ownership. MDM can also help the organization comply with regulatory and industry standards for data protection and privacy. Enabling remote data destruction capabilities

  is a useful feature for maintaining the security of corporate applications on employee-owned devices, but it is not the best method by itself. Remote data destruction allows the organization to erase the corporate data and applications from the

  device in case of loss, theft, or compromise. However, this feature does not prevent unauthorized access or misuse of the corporate data and applications before they are destroyed. Remote data destruction is usually part of an MDM solution.

  Disabling unnecessary network connectivity options is a good practice for maintaining the security of corporate applications on employee-owned devices, but it is not the best method by itself. Network connectivity options, such as Wi-Fi,

  Bluetooth, NFC, or USB, can expose the device to potential attacks or data leakage. Disabling these options when they are not needed can reduce the attack surface and improve battery life. However, this practice does not address other

  security risks or requirements for the corporate applications on the device. Disabling network connectivity options can also be part of an MDM solution. Requiring security awareness training for mobile users is an important measure for

  maintaining the security of corporate applications on employee-owned devices, but it is not the best method by itself. Security awareness training can educate the users about the potential threats and best practices for using their devices

  securely. It can also help foster a culture of security and responsibility among the users. However, security awareness training cannot guarantee that the users will follow the security policies and guidelines consistently and correctly. Security

  awareness training should be complemented by technical controls, such as MDM.

  References:

  Protecting Corporate Data on Mobile Devices for All Companies1 Mobile Device Security: Corporate-Owned Personally-Enabled (COPE)

• Question 918:

  Which of the following is the BEST solution to minimize risk from security flaws introduced by developers using open source libraries?

  A. Dynamic application security testing tools
  B. Security business impact analysis (BIA)
  C. Checks of dependencies between code libraries
  D. Technical documentation review policies
  A. Dynamic application security testing tools

  ---

  Explanation

• Question 919:

  Which of the following is the MOST important determining factor when establishing appropriate timeframes for follow-up activities related to audit findings?

  A. Availability of IS audit resources
  B. Remediation dates included in management responses
  C. Peak activity periods for the business
  D. Complexity of business processes identified in the audit
  B. Remediation dates included in management responses

  ---

  Explanation

  The most important determining factor when establishing appropriate timeframes for follow-up activities related to audit findings is the remediation dates included in management responses. The IS auditor should ensure that the follow-up

  activities are aligned with the agreed-upon action plans and deadlines that management has committed to in response to the audit findings. The follow-up activities should verify that management has implemented the corrective actions

  effectively and in a timely manner, and that the audit findings have been resolved or mitigated.

  The other options are less important factors for establishing timeframes for follow-up activities:

  Availability of IS audit resources. This is a practical factor that may affect the scheduling and execution of follow-up activities, but it should not override the priority and urgency of verifying management's corrective actions. Peak activity periods

  for the business. This is a factor that may affect the availability and cooperation of auditees during follow-up activities, but it should not delay or postpone the verification of management's corrective actions beyond reasonable limits.

  Complexity of business processes identified in the audit. This is a factor that may affect the scope and depth of follow-up activities, but it should not affect the timeframe for verifying management's corrective actions.

• Question 920:

  Which of the following is the BEST method to safeguard data on an organization's laptop computers?

  A. Disabled USB ports
  B. Full disk encryption
  C. Biometric access control
  D. Two-factor authentication
  B. Full disk encryption

  ---

  Explanation

  The best method to safeguard data on an organization's laptop computers is full disk encryption. Full disk encryption is a technique that encrypts all the data stored on a hard drive, including the operating system, applications, files, and folders. This means that if the laptop is lost, stolen, or accessed by an unauthorized person, they will not be able to read or modify any data without knowing the encryption key or password. Full disk encryption provides a strong level of protection for data at rest, as it prevents data leakage or exposure in case of physical theft or loss of the device.

  References: How to Protect the Data on Your Laptop 6 Steps to Practice Strong Laptop Security