Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 961:

  The PRIMARY advantage of using open-source-based solutions is that they:

  A. Have well-defined support levels.
  B. Are easily implemented.
  C. Reduce dependence on vendors.
  D. Offer better security features.
  C. Reduce dependence on vendors.

  ---

  Explanation

  Comprehensive and Detailed Step-by-Step Open-source solutions provide flexibility and reduce vendor lock-in, allowing organizations to modify, enhance, and support software independently. Option A (Incorrect):Open-source software often lacksformalizedsupport levels compared to proprietary solutions, which provide structured SLAs (Service Level Agreements). Option B (Incorrect):While some open-source solutions are user-friendly, implementation complexity depends on the software and required customization. Option C (Correct):A key benefit of open-source solutions is thefreedom from vendor dependence. Organizations can customize the software, hire independent developers, or switch providers without being locked into a specific vendor's ecosystem. Option D (Incorrect):Security in open-source software depends on the community and organization managing the solution. Some open-source tools have excellent security, while others may require additional hardening.

  ISACA CISA Review Manual -Domain 4: Information Systems Operations and Business Resilience?Covers software licensing, vendor dependency, and support considerations.

• Question 962:

  Which of the following processes BEST addresses the risk associated with the deployment of a new production system?

  A. Release management
  B. Configuration management
  C. Change management
  D. Incident management
  B. Configuration management

  ---

  Explanation

• Question 963:

  Which of the following would be MOST impacted if an IS auditor were to assist with the implementation of recommended control enhancements?

  A. Independence
  B. Integrity
  C. Materiality
  D. Accountability
  A. Independence

  ---

  Explanation

  Independence would be most impacted if an IS auditor were to assist with the implementation of recommended control enhancements, as this would create a conflict of interest and impair the objectivity and credibility of the IS auditor. Integrity, materiality, and accountability are important attributes of an IS auditor, but they are not directly affected by the involvement in the implementation of control enhancements.

  References: CISA Review Manual (Digital Version), Chapter

  1: Information Systems Auditing Process, Section 1.1: IS Audit Standards, Guidelines and Codes of Ethics

• Question 964:

  A telecommunications company has recently created a new fraud department with three employees and acquired a fraud detection system that uses artificial intelligence (AI) modules. Which of the following would be of GREATEST concern to an IS auditor reviewing the system?

  A. A very large number of true negatives
  B. A small number of false negatives
  C. A small number of true positives
  D. A large number of false positives
  B. A small number of false negatives

  ---

  Explanation

• Question 965:

  Which of the following is the PRIMARY reason for using a digital signature?

  A. Provide availability to the transmission
  B. Authenticate the sender of a message
  C. Provide confidentiality to the transmission
  D. Verify the integrity of the data and the identity of the recipient
  B. Authenticate the sender of a message

  ---

  Explanation

  A digital signature is a mathematical algorithm that validates the authenticity and integrity of a message or document by generating a unique hash of the message or document and encrypting it using the sender's private key. The primary reason for using a digital signature is to authenticate the sender of a message, as only the sender has access to their private key and can produce a valid signature. A digital signature also verifies the integrity of the data, as any modification to the message or document will result in a different hash value and invalidate the signature. However, a digital signature does not provide availability or confidentiality to the transmission, as it does not prevent denial-of- service attacks or encrypt the entire message or document.

  References:

  1: Understanding Digital Signatures | CISA

  2: Signature Verification | CISA

  3: SECFND: Digital Signatures from Skillsoft | NICCS

• Question 966:

  A vendor service level agreement (SLA) requires backups to be physically secured. An IS audit of the backup system revealed a number of the backup media were missing. Which of the following should be the auditor's NEXT step?

  A. Recommend a review of the vendor's contract.
  B. Recommend identification of the data stored on the missing media.
  C. Notify executive management.
  D. Include the missing backup media finding in the audit report.
  B. Recommend identification of the data stored on the missing media.

  ---

  Explanation

• Question 967:

  Which of the following is MOST likely to be included in a post-implementation review?

  A. Results of live processing
  B. Current sets of test data
  C. Test results
  D. Development methodology
  A. Results of live processing

  ---

  Explanation

• Question 968:

  Which of the following is MOST important to consider when developing a service level agreement (SLAP)?

  A. Description of the services from the viewpoint of the provider
  B. Detailed identification of work to be completed
  C. Provisions for regulatory requirements that impact the end users' businesses
  D. Description of the services from the viewpoint of the client organization
  D. Description of the services from the viewpoint of the client organization

  ---

  Explanation

  The most important factor to consider when developing a service level agreement (SLA) is the description of the services from the viewpoint of the client organization, because the SLA should reflect the needs and expectations of the client and specify the measurable outcomes and performance indicators that the provider must deliver34. The description of the services from the viewpoint of the provider, the detailed identification of work to be completed, and the provisions for regulatory requirements that impact the end users' businesses are also important elements of an SLA, but not as crucial as the client's perspective.

  References: 3: CISA Review Manual (Digital Version), Chapter 5, Section 5.3.1 4: CISA Online Review Course, Module 5, Lesson 3

• Question 969:

  Which of the following is MOST helpful for measuring benefits realization for a new system?

  A. Function point analysis
  B. Balanced scorecard review
  C. Post-implementation review
  D. Business impact analysis (BIA)
  C. Post-implementation review

  ---

  Explanation

  This is the most helpful method for measuring benefits realization for a new system, because it involves evaluating the actual outcomes and impacts of the system after it has been implemented and used for a certain period of time. A post-

  implementation review can compare the actual benefits with the expected benefits that were defined in the business case or the benefits realization plan, and identify any gaps, issues, or opportunities for improvement. A post-implementation

  review can also assess the effectiveness, efficiency, and satisfaction of the system's users, stakeholders, and customers, and provide feedback and recommendations for future enhancements or changes.

  The other options are not as helpful as post-implementation review for measuring benefits realization for a new system:

  Function point analysis. This is a technique that measures the size and complexity of a software system based on the number and types of functions it provides. Function point analysis can help estimate the cost, effort, and time required to

  develop, maintain, or enhance a software system, but it does not measure the actual benefits or value that the system delivers to the organization or its users. Balanced scorecard review. This is a strategic management tool that measures the

  performance of an organization or a business unit based on four perspectives:

  financial, customer, internal process, and learning and growth. A balanced scorecard review can help align the organization's vision, mission, and goals with its activities and outcomes, but it does not measure the specific benefits or impacts

  of a new system.

  Business impact analysis (BIA). This is a process that identifies and evaluates the potential effects of a disruption or disaster on the organization's critical business functions and processes. A BIA can help determine the recovery priorities,

  objectives, and strategies for the organization in case of an emergency, but it does not measure the benefits or value of a new system.

• Question 970:

  The BEST way to determine whether programmers have permission to alter data in the production environment is by reviewing:

  A. the access control system's log settings.
  B. how the latest system changes were implemented.
  C. the access control system's configuration.
  D. the access rights that have been granted.
  D. the access rights that have been granted.

  ---

  Explanation

  The best way to determine whether programmers have permission to alter data in the production environment is by reviewing the access rights that have been granted. Access rights are permissions or privileges that define what actions or operations a user can perform on an information system or resource. By reviewing the access rights that have been granted to programmers, an IS auditor can verify whether they have been authorized to modify data in the production environment, which is where live data and applications are stored and executed. The access control system's log settings are parameters that define what events or activities are recorded by the access control system, which is a system that enforces the access rights and policies of an information system or resource. The access control system's log settings are not the best way to determine whether programmers have permission to alter data in the production environment, as they do not indicate what permissions or privileges have been granted to programmers. How the latest system changes were implemented is a process that describes how software updates or modifications are deployed to the production environment. How the latest system changes were implemented is not the best way to determine whether programmers have permission to alter data in the production environment, as it does not indicate what permissions or privileges have been granted to programmers. The access control system's configuration is a set of rules or parameters that define how the access control system operates and functions. The access control system's configuration is not the best way to determine whether programmers have permission to alter data in the production environment, as it does not indicate what permissions or privileges have been granted to programmers.