Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 951:

  An organization's enterprise architecture (EA) department decides to change a legacy system's components while maintaining its original functionality. Which of the following is MOST important for an IS auditor to understand when reviewing this decision?

  A. The current business capabilities delivered by the legacy system
  B. The proposed network topology to be used by the redesigned system
  C. The data flows between the components to be used by the redesigned system
  D. The database entity relationships within the legacy system
  A. The current business capabilities delivered by the legacy system

  ---

  Explanation

  When reviewing an enterprise architecture (EA) department's decision to change a legacy system's components while maintaining its original functionality, an IS auditor should understand the current business capabilities delivered by the legacy system, as this would help to evaluate whether the change is justified, feasible, and aligned with the business goals and needs. The proposed network topology to be used by the redesigned system, the data flows between the components to be used by the redesigned system, and the database entity relationships within the legacy system are technical details that are less relevant for an IS auditor to understand when reviewing this decision.

  References: CISA Review Manual (Digital Version), Chapter 3, Section 3.2

• Question 952:

  Which of the following control provides an alternative measure of control?

  A. Deterrent
  B. Preventive
  C. Detective
  D. Compensating
  D. Compensating

  ---

  Explanation

  For your exam you should know below information about different security controls

  Deterrent Controls

  Deterrent Controls are intended to discourage a potential attacker. Access controls act as a deterrent to threats and attacks by the simple fact that the existence of the control is enough to keep some potential attackers from attempting to

  circumvent the control. This is often because the effort required to circumvent the control is far greater than the potential reward if the attacker is successful, or, conversely, the negative implications of a failed attack (or getting caught)

  outweigh the benefits of success. For example, by forcing the identification and authentication of a user, service, or application, and all that it implies, the potential for incidents associated with the system is significantly reduced because an

  attacker will fear association with the incident. If there are no controls for a given access path, the number of incidents and the potential impact become infinite. Controls inherently reduce exposure to risk by applying oversight for a process.

  This oversight acts as a deterrent, curbing an attacker's appetite in the face of probable repercussions.

  The best example of a deterrent control is demonstrated by employees and their propensity to intentionally perform unauthorized functions, leading to unwanted events. When users begin to understand that by authenticating into a system to

  perform a function, their activities are logged and monitored, and it reduces the likelihood they will attempt such an action. Many threats are based on the anonymity of the threat agent, and any potential for identification and association with

  their actions is avoided at all costs. It is this fundamental reason why access controls are the key target of circumvention by attackers. Deterrents also take the form of potential punishment if users do something unauthorized. For example, if

  the organization policy specifies that an employee installing an unauthorized wireless access point will be fired, that will determine most employees from installing wireless access points.

  Preventative Controls

  Preventive controls are intended to avoid an incident from occurring. Preventative access controls keep a user from performing some activity or function. Preventative controls differ from deterrent controls in that the control is not optional and

  cannot (easily) be bypassed. Deterrent controls work on the theory that it is easier to obey the control

  rather than to risk the consequences of bypassing the control. In other words, the power for action resides with the user (or the attacker). Preventative controls place the power of action with the system, obeying the control is not optional. The

  only way to bypass the control is to

  find a flaw in the control's implementation.

  Compensating Controls

  Compensating controls are introduced when the existing capabilities of a system do not support the requirement of a policy. Compensating controls can be technical, procedural, or managerial. Although an existing system may not support the

  required controls, there may exist other

  technology or processes that can supplement the existing environment, closing the gap in controls, meeting policy requirements, and reducing overall risk. For example, the access control policy may state that the authentication process must

  be encrypted when performed over the Internet. Adjusting an application to natively support encryption for authentication purposes may be too costly. Secure Socket Layer (SSL), an encryption protocol, can be employed and layered on top of

  the authentication process to support the policy statement. Other examples include a separation of duties environment, which offers the capability to isolate certain tasks to compensate for technical limitations in the system and ensure the

  security of transactions. In addition, management processes, such as authorization, supervision, and administration, can be used to compensate for gaps in the access control environment.

  Detective Controls

  Detective controls warn when something has happened, and are the earliest point in the post-incident timeline. Access controls are a deterrent to threats and can be aggressively utilized to prevent harmful incidents through the application of

  least privilege. However, the detective

  nature of access controls can provide significant visibility into the access environment and help organizations manage their access strategy and related security risk. As mentioned previously, strongly managed access privileges provided to

  an authenticated user offer the ability to reduce the risk exposure of the enterprise's assets by limiting the capabilities that authenticated user has. However, there are few options to control what a user can perform once privileges are

  provided. For example, if a user is provided write access to a file and that file is damaged, altered, or otherwise negatively impacted (either deliberately or unintentionally), the use of applied access controls will offer visibility into the

  transaction. The control environment can be established to log activity regarding the identification, authentication, authorization, and use of privileges on a system. This can be used to detect the occurrence of errors, the attempts to perform

  an unauthorized action, or to validate when provided credentials were exercised. The logging system as a detective device provides evidence of actions (both successful and unsuccessful) and tasks that were executed by authorized users.

  Corrective Controls

  When a security incident occurs, elements within the security infrastructure may require corrective actions. Corrective controls are actions that seek to alter the security posture of an environment to correct any deficiencies and return the

  environment to a secure state. A security

  incident signals the failure of one or more directive, deterrent, preventative, or compensating controls. The detective controls may have triggered an alarm or notification, but now the corrective controls must work to stop the incident in its

  tracks. Corrective controls can take

  many forms, all depending on the particular situation at hand or the particular security failure that needs to be dealt with.

  Recovery Controls

  Any changes to the access control environment, whether in the face of a security incident or to offer temporary compensating controls, need to be accurately reinstated and returned to normal operations. There are several situations that may

  affect access controls, their applicability, status, or management. Events can include system outages, attacks, project changes, technical demands, administrative gaps, and full-blown disaster situations. For example, if an application is not

  correctly installed or deployed, it may adversely affect controls placed on system files or even have default administrative accounts unknowingly implemented upon install. Additionally, an employee may be transferred, quit, or be on temporary

  leave that may affect policy requirements regarding separation of duties. An attack on systems may have resulted in the implantation of a Trojan horse program, potentially exposing private user information, such as credit card information and

  financial data. In all of these cases, an undesirable situation must be rectified as quickly as possible and controls returned to normal operations.

  For your exam you should know below information about different security controls

  Deterrent Controls

  Deterrent Controls are intended to discourage a potential attacker. Access controls act as a deterrent to threats and attacks by the simple fact that the existence of the control is enough to keep some potential attackers from attempting to

  circumvent the control. This is often because the effort required to circumvent the control is far greater than the potential reward if the attacker is successful, or, conversely, the negative implications of a failed attack (or getting caught)

  outweigh the benefits of success. For example, by forcing the identification and authentication of a user, service, or application, and all that it implies, the potential for incidents associated with the system is significantly reduced because an

  attacker will fear association with the incident. If there are no controls for a given access path, the number of incidents and the potential impact become infinite. Controls inherently reduce exposure to risk by applying oversight for a process.

  This oversight acts as a deterrent, curbing an attacker's appetite in the face of probable repercussions.

  The best example of a deterrent control is demonstrated by employees and their propensity to intentionally perform unauthorized functions, leading to unwanted events.

  When users begin to understand that by authenticating into a system to perform a function, their activities are logged and monitored, and it reduces the likelihood they will attempt such an action. Many threats are based on the anonymity of

  the threat agent, and any potential for identification and association with their actions is avoided at all costs.

  It is this fundamental reason why access controls are the key target of circumvention by attackers. Deterrents also take the form of potential punishment if users do something unauthorized. For example, if the organization policy specifies that

  an employee installing an unauthorized wireless access point will be fired, that will determine most employees from installing wireless access points.

  Preventative Controls

  Preventive controls are intended to avoid an incident from occurring. Preventative access controls keep a user from performing some activity or function. Preventative controls differ from deterrent controls in that the control is not optional and

  cannot (easily) be bypassed. Deterrent controls work on the theory that it is easier to obey the control

  rather than to risk the consequences of bypassing the control. In other words, the power for action resides with the user (or the attacker). Preventative controls place the power of action with the system, obeying the control is not optional. The

  only way to bypass the control is to find a flaw in the control's implementation.

  Compensating Controls

  Compensating controls are introduced when the existing capabilities of a system do not support the requirement of a policy. Compensating controls can be technical, procedural, or managerial. Although an existing system may not support the

  required controls, there may exist other technology or processes that can supplement the existing environment, closing the gap in controls, meeting policy requirements, and reducing overall risk.

  For example, the access control policy may state that the authentication process must be encrypted when performed over the Internet. Adjusting an application to natively support encryption for authentication purposes may be too costly.

  Secure Socket Layer (SSL), an encryption protocol, can be employed and layered on top of the authentication process to support the policy statement.

  Other examples include a separation of duties environment, which offers the capability to isolate certain tasks to compensate for technical limitations in the system and ensure the security of transactions. In addition, management processes,

  such as authorization, supervision, and administration, can be used to compensate for gaps in the access control environment.

  Detective Controls

  Detective controls warn when something has happened, and are the earliest point in the post-incident timeline. Access controls are a deterrent to threats and can be aggressively utilized to prevent harmful incidents through the application of

  least privilege. However, the detective nature of access controls can provide significant visibility into the access environment and help organizations manage their access strategy and related security risk.

  As mentioned previously, strongly managed access privileges provided to an authenticated user offer the ability to reduce the risk exposure of the enterprise's assets by limiting the capabilities that authenticated user has. However, there are

  few options to control what a user can perform once privileges are provided. For example, if a user is provided write access to a file and that file is damaged, altered, or otherwise negatively impacted (either deliberately or unintentionally), the

  use of applied access controls will offer visibility into the transaction. The control environment can be established to log activity regarding the identification, authentication, authorization, and use of privileges on a system. This can be used to

  detect the occurrence of errors, the attempts to perform an unauthorized action, or to validate when provided credentials were exercised. The logging system as a detective device provides evidence of actions (both successful and

  unsuccessful) and tasks that were executed by authorized users.

  Corrective Controls When a security incident occurs, elements within the security infrastructure may require corrective actions. Corrective controls are actions that seek to alter the security posture of an environment to correct any deficiencies and return the environment to a secure state. A security incident signals the failure of one or more directive, deterrent, preventative, or compensating controls. The detective controls may have triggered an alarm or notification, but now the corrective controls must work to stop the incident in its tracks. Corrective controls can take many forms, all depending on the particular situation at hand or the particular security failure that needs to be dealt with.

  Recovery Controls Any changes to the access control environment, whether in the face of a security incident or to offer temporary compensating controls, need to be accurately reinstated and returned to normal operations. There are several situations that may affect access controls, their applicability, status, or management.

  Events can include system outages, attacks, project changes, technical demands, administrative gaps, and full-blown disaster situations. For example, if an application is not correctly installed or deployed, it may adversely affect controls placed on system files or even have default administrative accounts unknowingly implemented upon install.

  Additionally, an employee may be transferred, quit, or be on temporary leave that may affect policy requirements regarding separation of duties. An attack on systems may have resulted in the implantation of a Trojan horse program, potentially exposing private user information, such as credit card information and financial data. In all of these cases, an undesirable situation must be rectified as quickly as possible and controls returned to normal operations.

  The following answers are incorrect:

  Deterrent - Deterrent controls are intended to discourage a potential attacker Preventive - Preventive controls are intended to avoid an incident from occurring Detective -Detective control helps identify an incident's activities and potentially an intruder

  CISA Review Manual 2014 Page number 44 and Official ISC2 CISSP guide 3rd edition Page number 50 and 51

• Question 953:

  Which of the following is the PRIMARY purpose of conducting a control self-assessment (CSA)?

  A. To replace audit responsibilities
  B. To reduce control costs
  C. To promote control ownership
  D. To enable early detection of risks
  C. To promote control ownership

  ---

  Explanation

  Explanation

• Question 954:

  Which of the following responsibilities associated with a disaster recovery plan (DRP) can be outsourced to a Disaster Recovery as a Service (DRaaS) provider?

  A. System recovery procedures
  B. Stakeholder communications during a disaster
  C. Validation of recovered data
  D. Processes for maintaining currency of data
  A. System recovery procedures

  ---

  Explanation

  Explanation A Disaster Recovery as a Service (DRaaS) provider is responsible for system recovery procedures, including restoring systems and services in a disaster scenario. This is the core functionality of DRaaS. Stakeholder Communications (Option B):This is typically managed internally by the organization to ensure alignment with its crisis management plan. Validation of Recovered Data (Option C):The organization must verify data integrity to meet business requirements. Maintaining Currency of Data (Option D):While DRaaS may handle data backups, the organization retains responsibility for ensuring the relevance of the data being backed up.

  ISACA CISA Review Manual, Job Practice Area 4: Protection of Information Assets.

• Question 955:

  Which of the following is MOST important to include in forensic data collection and preservation procedures?

  A. Assuring the physical security of devices
  B. Preserving data integrity
  C. Maintaining chain of custody
  D. Determining tools to be used
  B. Preserving data integrity

  ---

  Explanation

  The most important thing to include in forensic data collection and preservation procedures is preserving data integrity. Data integrity is the property that ensures that data is accurate, complete, and consistent throughout its lifecycle. Preserving data integrity is essential for forensic data collection and preservation procedures because it ensures that the data can be used as valid and reliable evidence in legal proceedings or investigations. Preserving data integrity can be achieved by using methods such as hashing, checksums, digital signatures, write blockers, tamper-evident seals, or timestamps. The other options are not as important as preserving data integrity in forensic data collection and preservation procedures, as they do not affect the validity or reliability of the data. Assuring the physical security of devices is a security measure that protects devices from unauthorized access, theft, damage, or destruction, but it does not ensure that the data on the devices is accurate, complete, and consistent. Maintaining chain of custody is a documentation technique that records and tracks the handling and transfer of devices or data among different parties involved in forensic activities, but it does not ensure that the data on the devices is accurate, complete, and consistent. Determining tools to be used is a planning activity that selects and prepares the appropriate tools for forensic data collection and preservation procedures, but it does not ensure that the data collected and preserved by the tools is accurate, complete, and consistent.

  References: CISA Review Manual (Digital Version), Chapter 5, Section 5.4

• Question 956:

  An IS auditor finds that one employee has unauthorized access to confidential data. The IS auditor's BEST recommendation should be to:

  A. reclassify the data to a lower level of confidentiality
  B. require the business owner to conduct regular access reviews.
  C. implement a strong password schema for users.
  D. recommend corrective actions to be taken by the security administrator.
  B. require the business owner to conduct regular access reviews.

  ---

  Explanation

  The best recommendation for an IS auditor who finds that one employee has unauthorized access to confidential data is to require the business owner to conduct regular access reviews. Access reviews are periodic assessments of user

  access rights and permissions to ensure that they are appropriate, necessary, and aligned with the business needs and objectives. Access reviews help to identify and remediate any unauthorized, excessive, or obsolete access that could

  pose a security risk or violate compliance requirements. The business owner is responsible for defining and approving the access requirements for their data and ensuring that they are enforced and monitored.

  References:

  CISA Review Manual (Digital Version)

  CISA Questions, Answers and Explanations Database

• Question 957:

  An IS auditor has completed an audit of an organization's accounts payable system. Which of the following should be rated as the HIGHEST risk in the audit report and requires immediate remediation?

  A. Lack of segregation of duty controls for reconciliation of payment transactions
  B. Lack of segregation of duty controls for removal of vendor records
  C. Lack of segregation of duty controls for updating the vendor master file
  D. Lack of segregation of duty controls for reversing payment transactions
  A. Lack of segregation of duty controls for reconciliation of payment transactions

  ---

  Explanation

• Question 958:

  Which of the following implementation strategies for new applications presents the GREATEST risk during data conversion and migration from an old system to a new system?

  A. Pilot implementation
  B. Phased implementation
  C. Direct cutover
  D. Parallel simulation
  C. Direct cutover

  ---

  Explanation

• Question 959:

  Which of the following concerns is BEST addressed by securing production source libraries?

  A. Programs are not approved before production source libraries are updated.
  B. Production source and object libraries may not be synchronized.
  C. Changes are applied to the wrong version of production source libraries.
  D. Unauthorized changes can be moved into production.
  D. Unauthorized changes can be moved into production.

  ---

  Explanation

  Unauthorized changes can be moved into production is the best concern that is addressed by securing production source libraries. Production source libraries contain the source code of programs that are used in the production environment. Securing production source libraries means implementing access controls, change management procedures, and audit trails to prevent unauthorized or improper changes to the source code that could affect the functionality, performance, or security of the production programs. The other options are less relevant concerns that may not be directly addressed by securing production source libraries, but rather by other controls such as program approval, version control, or change testing.

  References: CISA Review Manual (Digital Version), Chapter 4, Section 4.2.3.21 CISA Review Questions, Answers and Explanations Database, Question ID 213

• Question 960:

  Which of the following statements appearing in an organization's acceptable use policy BEST demonstrates alignment with data classification standards related to the protection of information assets?

  A. Any information assets transmitted over a public network must be approved by executive management.
  B. All information assets must be encrypted when stored on the organization's systems.
  C. Information assets should only be accessed by persons with a justified need.
  D. All information assets will be assigned a clearly defined level to facilitate proper employee handling.
  B. All information assets must be encrypted when stored on the organization's systems.

  ---

  Explanation

  The statement that BEST demonstrates alignment with data classification standards related to the protection of information assets is

  D. All information assets will be assigned a clearly defined level to facilitate proper employee handling. Data

  classification involves categorizing information assets based on their sensitivity, importance, and usage. Assigning clearly defined levels (such as public, internal, confidential, etc.) to information assets ensures that appropriate security

  controls are applied based on their classification. By doing so, organizations can manage access, encryption, and other protective measures effectively.

  References:

  1.IFRC. "Information Security: Acceptable Use Policy." 1(https://www.ifrc.org/sites/default/files/2021-11/IFRC-Information-Security- Acceptable-Use-Policy.pdf)

  2.UNSW Sydney. "Data Classification Standard." 2(https://www.unsw.edu.au/content/dam/pdfs/governance/policy/2022-01- policies/datastandard.pdf)

  3.Digital Guardian. "What is a Data Classification Policy?" 3(https://www.digitalguardian.com/blog/what-data-classification-policy)

  4.Microsoft Service Trust Portal. "Data classification and sensitivity label taxonomy." 4(https://learn.microsoft.com/en-us/compliance/assurance/assurance-data- classification-and-labels)

  5.Clark University ITS Policies. "Data Classification - Data Security Policies." 5(https://www2.clarku.edu/offices/its/policies/data_classification.cfm)