Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 971:

  Which of the following would be of GREATEST concern to an IS auditor reviewing the resiliency of an organizational network that has two internet connections?

  A. Network capacity testing has not been performed.
  B. The business continuity plan (BCP) has not been tested in the past six months.
  C. Non-critical applications are also connected to both connections.
  D. Both connections are from the same provider.
  D. Both connections are from the same provider.

  ---

  Explanation

• Question 972:

  The IS auditor has recommended that management test a new system before using it in production mode. The BEST approach for management in developing a test plan is to use processing parameters that are:

  A. randomly selected by a test generator.
  B. provided by the vendor of the application.
  C. randomly selected by the user.
  D. simulated by production entities and customers.
  D. simulated by production entities and customers.

  ---

  Explanation

  The best approach for management in developing a test plan is to use processing parameters that are simulated by production entities and customers. This is because using realistic data and scenarios can help to evaluate the functionality, performance, reliability, and security of the new system under actual operating conditions and expectations. Using processing parameters that are randomly selected by a test generator, provided by the vendor of the application, or randomly selected by the user may not be sufficient or representative of the production environment and may not reveal all the potential issues or defects of the new system.

  References: [ISACA CISA Review Manual 27th Edition], page 266.

• Question 973:

  During the planning phase of a data loss prevention (DLP) audit, management expresses a concern about mobile computing. Which of the following should the IS auditor identify as the associated risk?

  A. Increased vulnerability due to anytime, anywhere accessibility
  B. Increased need for user awareness training
  C. The use of the cloud negatively impacting IT availability
  D. Lack of governance and oversight for IT infrastructure and applications
  A. Increased vulnerability due to anytime, anywhere accessibility

  ---

  Explanation

• Question 974:

  Which of the following is the MOST likely reason an organization would use Platform as a Service (PaaS)?

  A. To operate third-party hosted applications
  B. To install and manage operating systems
  C. To establish a network and security architecture
  D. To develop and integrate its applications
  D. To develop and integrate its applications

  ---

  Explanation

• Question 975:

  Which of the following practices associated with capacity planning provides the GREATEST assurance that future incidents related to server performance will be prevented?

  A. Anticipating current service level agreements (SLAs) will remain unchanged
  B. Prorating the current processing workloads
  C. Negotiating agreements to acquire required cloud services
  D. Duplicating existing disk drive systems to improve redundancy and data storage
  B. Prorating the current processing workloads

  ---

  Explanation

• Question 976:

  What is an IS auditor's BEST course of action when provided with a status update indicating audit recommendations related to segregation of duties for financial staff have been implemented?

  A. Verify sufficient segregation of duties controls are in place.
  B. Request documentation of the segregation of duties policy and procedures.
  C. Note the department's response in the audit workpapers and records.
  D. Confirm with the business that the recommendations are implemented.
  A. Verify sufficient segregation of duties controls are in place.

  ---

  Explanation

• Question 977:

  Which of the following is the GREATEST advantage of vulnerability scanning over penetration testing?

  A. The testing produces a lower number of false positive results
  B. Network bandwidth is utilized more efficiently
  C. Custom-developed applications can be tested more accurately
  D. The testing process can be automated to cover large groups of assets
  D. The testing process can be automated to cover large groups of assets

  ---

  Explanation

  The greatest advantage of vulnerability scanning over penetration testing is that the testing process can be automated to cover large groups of assets. Vulnerability scanning is an automated, high-level security test that reports its findings of known vulnerabilities in systems, networks, applications, and devices. Vulnerability scanning can be performed frequently, quickly, and efficiently to scan a large number of assets and identify potential weaknesses that need to be addressed. Vulnerability scanning can also help organizations comply with security standards and regulations, such as PCI DSS1. The other options are not as advantageous as option D, as they may not reflect the true benefits or limitations of vulnerability scanning compared to penetration testing. The testing produces a lower number of false positive results, but this is not necessarily true, as vulnerability scanning may report vulnerabilities that are not exploitable or relevant in the context of the organization. Network bandwidth is utilized more efficiently, but this may not be a significant advantage, as vulnerability scanning may still consume considerable network resources depending on the scope and frequency of the scans. Custom-developed applications can be tested more accurately, but this is also not true, as vulnerability scanning may not be able to detect complex or unknown vulnerabilities that require manual analysis or exploitation.

  References:

  1: Vulnerability scanning vs penetration testing: What's the difference? | TechRepublic

  2: Vulnerability Scanning vs. Penetration Testing - Fortinet

  3: Penetration Test Vs Vulnerability Scan | Digital Defense

  4: Penetration Testing vs. Vulnerability Scanning: What's the difference?

  5: Penetration Testing vs. Vulnerability Scanning | Secureworks

  6: PCI DSS Quick Reference Guide - PCI Security Standards Council

• Question 978:

  Labeling information according to its security classification:

  A. reduces the need to identify baseline controls for each classification.
  B. reduces the number and type of countermeasures required.
  C. enhances the likelihood of people handling information securely.
  D. affects the consequences if information is handled insecurely.
  D. affects the consequences if information is handled insecurely.

  ---

  Explanation

• Question 979:

  In an IT organization where many responsibilities are shared which of the following is the BEST control for detecting unauthorized data changes?

  A. Users are required to periodically rotate responsibilities
  B. Segregation of duties conflicts are periodically reviewed
  C. Data changes are independently reviewed by another group
  D. Data changes are logged in an outside application
  C. Data changes are independently reviewed by another group

  ---

  Explanation

  The best control for detecting unauthorized data changes in an IT organization where many responsibilities are shared is to have data changes independently reviewed by another group. This is because an independent review can provide an objective and unbiased verification of the data changes and ensure that they are authorized, accurate, and complete. An independent review can also help to detect any errors, fraud, or malicious activities that may have occurred during the data changes. An independent review can also provide assurance that the data integrity and security are maintained.

  References: CISA Review Manual (Digital Version), Chapter 4, Section 4.31 CISA Online Review Course, Domain 1, Module 4, Lesson 22

• Question 980:

  When planning an end-user computing (EUC) audit, it is MOST important for the IS auditor to:

  A. determine EUC materiality and complexity thresholds.
  B. evaluate EUC threats and vulnerabilities.
  C. obtain an inventory of EUC applications.
  D. evaluate the organization's EUC policy.
  D. evaluate the organization's EUC policy.

  ---

  Explanation