Practice Free CISA Exam Online Questions
Which of the following provides the BEST evidence of effective IT portfolio management?
- A . IT portfolio updates are communicated when approved.
- B . Programs in the IT portfolio are prioritized by each business function.
- C . The IT portfolio is updated as business strategy changes.
- D . The IT portfolio is updated on the basis of current industry benchmarks.
Which of the following should be of GREATEST concern to an IS auditor assessing an organization’s patch management program?
- A . Patches are deployed from multiple deployment servers.
- B . There is no process in place to scan the network to identify missing patches.
- C . Patches for medium- and low-risk vulnerabilities are omitted.
- D . There is no process in place to quarantine servers that have not been patched.
Which of the following is MOST critical for the effective implementation of IT governance?
- A . Strong risk management practices
- B . Internal auditor commitment
- C . Supportive corporate culture
- D . Documented policies
C
Explanation:
The most critical factor for the effective implementation of IT governance is a supportive corporate culture. A supportive corporate culture is one that fosters collaboration, communication and commitment among all stakeholders involved in IT governance processes. A supportive corporate culture also promotes a shared vision, values and goals for IT governance across the organization. Strong risk management practices, internal auditor commitment or documented policies are important elements for IT governance implementation, but they are not sufficient without a supportive corporate culture.
References: ISACA, CISA Review Manual, 27th Edition, 2018, page 41
Which of the following is the MOST significant risk to an organization migrating its onsite application servers to a public cloud service provider?
- A . Service provider access to organizational data
- B . Account hacking from other clients using the same provider
- C . Increased dependency on an external provider
- D . Service provider limiting the right to audit
A
Explanation:
The biggest risk in cloud migration is data security, especially unauthorized access by the cloud provider.
Option A (Correct): The cloud provider manages and stores organizational data, meaning that a breach, insider threat, or improper access poses a major risk. Proper encryption and access controls are critical.
Option B (Incorrect): While multi-tenancy risks exist, cloud providers typically implement strong isolation mechanisms between clients.
Option C (Incorrect): Increased dependency on the provider is a concern, but the impact depends on service agreements and redundancy measures.
Option D (Incorrect): Limiting the right to audit is a compliance issue, but data security risks are more critical.
Reference: ISACA CISA Review Manual, Domain 5: Protection of Information Assets, covers cloud computing risks and security considerations.
Which of the following is a corrective control?
- A . Separating equipment development testing and production
- B . Verifying duplicate calculations in data processing
- C . Reviewing user access rights for segregation
- D . Executing emergency response plans
D
Explanation:
A corrective control is a control that aims to restore normal operations after a disruption or incident has occurred. Executing emergency response plans is an example of a corrective control, as it helps to mitigate the impact of an incident and resume business functions. Separating equipment development testing and production is a preventive control, as it helps to avoid errors or unauthorized changes in production systems. Verifying duplicate calculations in data processing is a detective control, as it helps to identify errors or anomalies in data processing. Reviewing user access rights for segregation is also a detective control, as it helps to detect any violations of segregation of duties principles.
References: ISACA, CISA Review Manual, 27th Edition, 2018, page 64
Which of the following types of environmental equipment will MOST likely be deployed below the floor tiles of a data center?
- A . Temperature sensors
- B . Humidity sensors
- C . Water sensors
- D . Air pressure sensors
C
Explanation:
Water sensors are devices that can detect the presence of water or moisture in a given area. They are often deployed below the floor tiles of a data center to monitor for any water leaks that may damage the equipment or cause electrical hazards. Water sensors can alert the data center staff or trigger an automatic response to prevent or mitigate the water leakage.
The other options are not likely to be deployed below the floor tiles of a data center. Temperature sensors and humidity sensors are usually deployed above the floor tiles to measure the ambient conditions of the data center and ensure optimal cooling and ventilation. Air pressure sensors are typically deployed at the air vents or ducts to monitor the airflow and pressure distribution in the data center.
References:
Data Center Environmental Monitoring
Water Detection in Data Centers
Which of the following BEST enables an organization to determine the effectiveness of its information security awareness program?
- A . Measuring user satisfaction with the quality of the training
- B . Evaluating the results of a social engineering exercise
- C . Reviewing security staff performance evaluations
- D . Performing an analysis of the number of help desk calls
B
Explanation:
The effectiveness of an information security awareness program is best measured by assessing real-world behavior rather than subjective feedback or indirect metrics. Social engineering exercises simulate real-world attack scenarios, testing whether employees can identify and respond appropriately to security threats. This directly evaluates the program’s impact on employee behavior and awareness.
Measuring User Satisfaction (Option A): While useful for feedback, satisfaction does not measure the effectiveness of awareness in preventing security incidents.
Reviewing Security Staff Performance Evaluations (Option C): This focuses on staff capabilities rather than the awareness program’s effectiveness.
Analyzing Help Desk Calls (Option D): This might provide insight into recurring issues but does not directly measure the program’s success in changing user behavior.
Conducting social engineering exercises aligns with best practices for assessing organizational security awareness.
Reference: ISACA CISA Review Manual, Job Practice Area 2: Information Systems Audit and Assurance.
A post-implementation review was conducted by issuing a survey to users.
Which of the following should be of GREATEST concern to an IS auditor?
- A . The survey results were not presented in detail to management.
- B . The survey questions did not address the scope of the business case.
- C . The survey form template did not allow additional feedback to be provided.
- D . The survey was issued to employees a month after implementation.
B
Explanation:
The greatest concern for an IS auditor when a post-implementation review was conducted by issuing a survey to users is that the survey questions did not address the scope of the business case. A post-implementation review is a process of evaluating the outcomes and benefits of a project after it has been completed and implemented. A post-implementation review can help to assess whether the project met its objectives, delivered its expected value, and satisfied its stakeholders. A survey is a method of collecting feedback and opinions from users or other stakeholders about their experience and satisfaction with the project. A survey can help to measure the user acceptance, usability, and functionality of the project deliverables. A business case is a document that justifies the need for a project based on its expected benefits, costs, risks, and alternatives. A business case defines the scope, objectives, and requirements of the project and provides a basis for its approval and initiation. Therefore, an IS auditor should be concerned if the survey questions did not address the scope of the business case, as it may indicate that the post-implementation review was not comprehensive, relevant, or aligned with the project goals. The other options are less concerning or incorrect because:
An organization is disposing of a system containing sensitive data and has deleted all files from the hard disk. An IS auditor should be concerned because:
- A . deleted data cannot easily be retrieved.
- B . deleting the files logically does not overwrite the files’ physical data.
- C . backup copies of files were not deleted as well.
- D . deleting all files separately is not as efficient as formatting the hard disk.
B
Explanation:
An IS auditor should be concerned because deleting the files logically does not overwrite the files’ physical data. Deleting a file from a hard disk only removes the reference or pointer to the file from the file system, but does not erase the actual data stored on the disk sectors. The deleted data can still be recovered using special tools or techniques until it is overwritten by new data. This poses a risk of data leakage, theft, or misuse if the hard disk falls into the wrong hands. To securely dispose of a system containing sensitive data, the hard disk should be wiped or sanitized using methods that overwrite or destroy the physical data beyond recovery.
References:
CISA Review Manual (Digital Version)
CISA Questions, Answers & Explanations Database