Practice Free CISA Exam Online Questions
Which of the following is the GREATEST risk related to the use of virtualized environments?
- A . The host may be a potential single point of failure within the system.
- B . There may be insufficient processing capacity to assign to guests.
- C . There may be increased potential for session hijacking.
- D . Ability to change operating systems may be limited.
An IS auditor is preparing for a review of controls associated with a manufacturing plant’s implementation of industrial Internet of Things (IoT) infrastructure.
Which of the following vulnerabilities would present the GREATEST security risk to the organization?
- A . Insufficient physical security around the IoT devices for theft prevention
- B . Use of open-source software components within the IoT devices
- C . Constraints in IoT device firmware storage space for code upgrades
- D . IoT devices that are not using wireless network connectivity
B
Explanation:
The use of open-source software components in IoT devices presents the greatest security risk due to potential vulnerabilities that may exist within the software. These vulnerabilities can be exploited if patches are not applied promptly, and the organization might not have direct control over the software’s maintenance and security updates. This risk is amplified in critical manufacturing environments where compromised IoT devices can lead to operational disruptions.
Physical Security (Option A): While important, theft of IoT devices generally poses less risk compared to a system-wide compromise due to software vulnerabilities.
Firmware Storage Constraints (Option C): While a limitation, this is a secondary concern compared to exploitable software.
Devices Not Using Wireless Connectivity (Option D): Wired devices are generally more secure, reducing this as a significant concern.
Reference: ISACA CISA Review Manual, Job Practice Area 4: Protection of Information Assets.
Which of the following should an IS auditor consider the MOST significant risk associated with a new health records system that replaces a legacy system?
- A . Staff were not involved in the procurement process, creating user resistance to the new system.
- B . Data is not converted correctly, resulting in inaccurate patient records.
- C . The deployment project experienced significant overruns, exceeding budget projections.
- D . The new system has capacity issues, leading to slow response times for users.
B
Explanation:
The most significant risk associated with a new health records system that replaces a legacy system is data not being converted correctly, resulting in inaccurate patient records. Data conversion is the process of transferring data from one format or system to another. Data conversion is a critical step in implementing a new health records system, as it ensures that the patient data are consistent, complete, accurate, and accessible in the new system. Data not being converted correctly may cause errors, discrepancies, or losses in patient records, which may have serious implications for patient safety, quality of care, legal compliance, and privacy protection. Staff not being involved in the procurement process, creating user resistance to the new system; the deployment project experiencing significant overruns, exceeding budget projections; and the new system having capacity issues, leading to slow response times for users are also risks associated with a new health records system implementation, but they are not as significant as data not being converted correctly.
References: [ISACA CISA Review Manual 27th Edition], page 281.
An organization recently implemented a cloud document storage solution and removed the ability for end users to save data to their local workstation hard drives.
Which of the following findings should be the IS auditor’s GREATEST concern?
- A . Users are not required to sign updated acceptable use agreements.
- B . Users have not been trained on the new system.
- C . The business continuity plan (BCP) was not updated.
- D . Mobile devices are not encrypted.
C
Explanation:
This should be the IS auditor’s greatest concern, because it means that the organization has not considered the potential impact of the cloud document storage solution on its ability to continue its operations in the event of a disruption or disaster. A BCP is a document that outlines the procedures and actions to be taken in order to maintain or resume critical business functions during and after a crisis. A BCP should be updated whenever there is a significant change in the organization’s IT infrastructure, systems, processes, or dependencies, such as implementing a cloud document storage solution. The IS auditor should verify that the BCP reflects the current state of the organization’s IT environment, and that it addresses the risks, challenges, and opportunities associated with the cloud document storage solution.
The other options are not as concerning as the BCP not being updated:
Users are not required to sign updated acceptable use agreements. This is a minor concern, but it does not pose a major threat to the organization’s business continuity. Acceptable use agreements are documents that define the rules and guidelines for using IT resources, such as the cloud document storage solution. Users should sign updated acceptable use agreements to acknowledge their responsibilities and obligations, and to comply with the organization’s policies and standards. However, this does not affect the organization’s ability to continue its operations in a crisis.
Users have not been trained on the new system. This is a moderate concern, but it does not jeopardize the organization’s business continuity. Training users on the new system is important to ensure that they can use it effectively and efficiently, and to avoid errors or misuse that could compromise the security or performance of the system. However, this does not prevent the organization from accessing or restoring its data in a crisis.
Mobile devices are not encrypted. This is a serious concern, but it does not directly impact the organization’s business continuity. Encrypting mobile devices is a security measure that protects the data stored on them from unauthorized access or disclosure in case of loss or theft. However, this does not affect the availability or integrity of the data stored in the cloud document storage solution, which should have its own encryption mechanisms.
Which of the following is the GREATEST advantage of vulnerability scanning over penetration testing?
- A . The testing produces a lower number of false positive results
- B . Network bandwidth is utilized more efficiently
- C . Custom-developed applications can be tested more accurately
- D . The testing process can be automated to cover large groups of assets
D
Explanation:
The greatest advantage of vulnerability scanning over penetration testing is that the testing process can be automated to cover large groups of assets. Vulnerability scanning is an automated, high-level security test that reports its findings of known vulnerabilities in systems, networks, applications, and devices. Vulnerability scanning can be performed frequently, quickly, and efficiently to scan a large number of assets and identify potential weaknesses that need to be addressed. Vulnerability scanning can also help organizations comply with security standards and regulations, such as PCI DSS1.
The other options overstate what vulnerability scanning delivers. A lower number of false positive results (A) is the opposite of what happens: a scanner reports anything whose banner or version string matches a known vulnerability, including findings that are not exploitable or not relevant in the organization’s environment, whereas a penetration test confirms exploitability and so eliminates those. More efficient use of network bandwidth (B) is not a meaningful advantage; frequent scans of a large estate can consume considerable network resources depending on scope and scan depth. More accurate testing of custom-developed applications (C) is also incorrect: scanners detect known, signature-based weaknesses and generally miss business-logic and other application-specific flaws that require manual analysis or exploitation.
References:
1: Vulnerability scanning vs penetration testing: What’s the difference? | TechRepublic
2: Vulnerability Scanning vs. Penetration Testing – Fortinet
3: Penetration Test Vs Vulnerability Scan | Digital Defense
4: Penetration Testing vs. Vulnerability Scanning: What’s the difference?
5: Penetration Testing vs. Vulnerability Scanning | Secureworks
6: PCI DSS Quick Reference Guide – PCI Security Standards Council
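The false-positive point made above, as an added example (not from the CISA manual or from any scanner vendor): a minimal banner-matching scanner in Python run over a constructed asset inventory. It shows why automated scanning covers many assets cheaply, and why it flags findings a penetration tester would discard. Every host name, product version and `ADV-000x` advisory identifier is hypothetical; the `backported_fixes` field on an asset is a stand-in for the ground truth (a distribution shipped the fix without bumping the version number) that only an exploitation attempt would actually establish.

```python
"""Banner-matching vulnerability scan over a constructed inventory.

Added illustration, not real scanner code. Advisory IDs, products and
versions are all made up for the example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # hypothetical identifier, not a real CVE
    product: str
    fixed_in: tuple       # first version that contains the fix


@dataclass
class Asset:
    host: str
    product: str
    version: tuple
    # Simulated ground truth: fixes the distro backported without a version bump.
    # A scanner cannot see this; a pentester discovers it by failing to exploit.
    backported_fixes: frozenset = field(default_factory=frozenset)


# Constructed advisory feed.
ADVISORIES = [
    Advisory("ADV-0001", "openssh", (9, 3)),
    Advisory("ADV-0002", "nginx", (1, 25, 3)),
    Advisory("ADV-0003", "openssh", (9, 6)),
]

# Constructed inventory of four hypothetical hosts.
INVENTORY = [
    Asset("web-01", "nginx", (1, 24, 0)),
    Asset("web-02", "nginx", (1, 26, 0)),
    Asset("bastion", "openssh", (9, 2), frozenset({"ADV-0001"})),
    Asset("db-01", "postgres", (15, 4)),
]


def banner_matches(asset: Asset, advisory: Advisory) -> bool:
    """The only test a signature scanner performs: same product, older version."""
    return asset.product == advisory.product and asset.version < advisory.fixed_in


def scan(inventory, advisories):
    """Automated pass over every asset; returns {host: [advisory_id, ...]}."""
    findings = {}
    for asset in inventory:
        hits = [a.advisory_id for a in advisories if banner_matches(asset, a)]
        if hits:
            findings[asset.host] = hits
    return findings


def triage(inventory, findings):
    """Split scan output into confirmed issues and false positives.

    This is the manual/exploitation step a penetration test adds and a
    scanner lacks; here it is simulated with the backported_fixes field.
    """
    by_host = {a.host: a for a in inventory}
    confirmed, false_positives = {}, {}
    for host, ids in findings.items():
        fixed = by_host[host].backported_fixes
        real = [i for i in ids if i not in fixed]
        fake = [i for i in ids if i in fixed]
        if real:
            confirmed[host] = real
        if fake:
            false_positives[host] = fake
    return confirmed, false_positives


if __name__ == "__main__":
    raw = scan(INVENTORY, ADVISORIES)
    real, fps = triage(INVENTORY, raw)
    print("scanner output:  ", raw)
    print("confirmed:       ", real)
    print("false positives: ", fps)
```

The scanner flags `bastion` twice, but one of those findings is already fixed. On a large estate the automation is the benefit; the cost is that every such finding has to be validated before it is reported as a vulnerability.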
When reviewing an organization’s information security policies, an IS auditor should verify that the policies have been defined PRIMARILY on the basis of:
- A . a risk management process.
- B . an information security framework.
- C . past information security incidents.
- D . industry best practices.
A
Explanation:
Information security policies are high-level statements that define the organization’s approach to protecting its information assets from threats and risks. They should be based primarily on a risk management process, which is a systematic method of identifying, analyzing, evaluating, treating, and monitoring information security risks. A risk management process can help ensure that the policies are aligned with the organization’s risk appetite, business objectives, legal and regulatory requirements, and stakeholder expectations. An information security framework is a set of standards, guidelines, and best practices that provide a structure for implementing information security policies. It can support the risk management process, but it is not the primary basis for defining the policies. Past information security incidents and industry best practices can also provide valuable inputs for defining the policies, but they are not sufficient to address the organization’s specific context and needs.
References: Insights and Expertise, CISA Review Manual (Digital Version)
The BEST way to provide assurance that a project is adhering to the project plan is to:
- A . require design reviews at appropriate points in the life cycle.
- B . have an IS auditor participate on the steering committee.
- C . have an IS auditor participate on the quality assurance (QA) team.
- D . conduct compliance audits at major system milestones.
D
Explanation:
The best way to provide assurance that a project is adhering to the project plan is to conduct compliance audits at major system milestones. A compliance audit is a systematic and independent examination of the project’s activities, documents, and deliverables to determine whether they conform to the project plan and its specifications, standards, and requirements1. A major system milestone is a significant point or event in the project’s life cycle that marks the completion of a phase, stage, or deliverable2.
By conducting compliance audits at major system milestones, the auditor can provide assurance that the project is adhering to the project plan by:
Verifying that the project’s scope, schedule, budget, quality, and risks are aligned with the project plan and its objectives1
Identifying any deviations, discrepancies, or non-compliances that may affect the project’s performance or outcome1
Recommending and monitoring corrective and preventive actions to address the identified issues and improve the project’s compliance1
Reporting and communicating the audit findings, conclusions, and recommendations to the relevant stakeholders1
The other options are not as effective as conducting compliance audits at major system milestones for providing assurance that the project is adhering to the project plan.
Requiring design reviews at appropriate points in the life cycle is a useful technique for ensuring that the project’s design meets the user and business requirements and follows the design standards and best practices3. However, design reviews are not sufficient for providing assurance that the project is adhering to the project plan, as they do not cover other aspects of the project such as schedule, budget, quality, or risks.
Having an IS auditor participate on the steering committee is a possible way of providing assurance that the project is adhering to the project plan, as the auditor can provide independent advice and oversight to the steering committee on quality management issues and remediation efforts4. However, this may not be feasible or appropriate for every project, as it may create a conflict of interest or compromise the auditor’s objectivity and independence.
Having an IS auditor participate on the quality assurance (QA) team is another possible way of providing assurance that the project is adhering to the project plan, as the auditor can assist the QA team in implementing procedures to facilitate adoption of quality management best practices5. However, this may also not be feasible or appropriate for every project, for the same reason: an auditor who takes part in executing the project cannot later audit it independently. Therefore, option D is the correct answer.
References:
What Is Compliance Audit? Definition & Process | ASQ
What Is A Project Milestone? – The Basics
Design Review – an overview | ScienceDirect Topics
Project success through project assurance – Project Management Institute
Quality Assurance Team: Roles & Responsibilities
Retention periods and conditions for the destruction of personal data should be determined by the:
- A . risk manager.
- B . database administrator (DBA).
- C . privacy manager.
- D . business owner.
D
Explanation:
The business owner is the person or entity that has the authority and responsibility for defining the purpose and scope of the processing of personal data, as well as the expected outcomes and benefits. The business owner is also accountable for ensuring that the processing of personal data complies with the applicable laws and regulations, such as the General Data Protection Regulation (GDPR) or the Data Protection Act 2018 (DPA 2018).
One of the requirements of the GDPR and the DPA 2018 is to adhere to the principle of storage limitation, which states that personal data should be kept for no longer than is necessary for the purposes for which it is processed1. This means that the business owner should determine and justify how long they need to retain personal data, based on factors such as:
The nature and sensitivity of the personal data
The legal or contractual obligations or rights that apply to the personal data
The business or operational needs and expectations that depend on the personal data
The risks and impacts that may arise from retaining or deleting the personal data
The business owner should also establish and document the conditions and methods for the destruction of personal data, such as:
The criteria and triggers for deciding when to destroy personal data
The procedures and tools for securely erasing or anonymising personal data
The roles and responsibilities for carrying out and overseeing the destruction of personal data
The records and reports for verifying and evidencing the destruction of personal data
Therefore, retention periods and conditions for the destruction of personal data should be determined by the business owner, as they are in charge of defining and managing the processing of personal data, as well as ensuring its compliance with the law.
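The storage-limitation mechanics described above (owner-defined retention periods, triggers for destruction, a legal-hold override, and evidence that destruction happened), as an added Python example that is not from ISACA, the GDPR text or any records-management product. The retention schedule, record categories, record identifiers and dates are all constructed for the illustration; the one-year-equals-365-days approximation is an assumption a real schedule would replace with the legally defined period. Destruction is recorded in a hash-chained evidence log so that a later auditor can check the log was not altered.

```python
"""Retention-schedule evaluation with legal hold and evidence of destruction.

Added illustration. Categories, periods, record IDs and dates are made up.
"""
import hashlib
from datetime import date, timedelta

# Retention schedule as the business owner would set it (hypothetical).
# "action" is what happens when the period expires.
RETENTION = {
    "patient_record":    {"years": 10, "action": "delete"},
    "marketing_consent": {"years": 2,  "action": "delete"},
    "web_analytics":     {"years": 1,  "action": "anonymise"},
}

# Records under litigation hold must not be destroyed even when expired.
LEGAL_HOLDS = frozenset({"rec-0003"})

# Constructed records; last_activity is the date the retention clock starts.
RECORDS = [
    {"id": "rec-0001", "category": "patient_record",    "last_activity": date(2012, 6, 1)},
    {"id": "rec-0002", "category": "patient_record",    "last_activity": date(2020, 2, 15)},
    {"id": "rec-0003", "category": "marketing_consent", "last_activity": date(2021, 3, 1)},
    {"id": "rec-0004", "category": "web_analytics",     "last_activity": date(2023, 5, 20)},
    {"id": "rec-0005", "category": "unknown_blob",      "last_activity": date(2015, 1, 1)},
]

GENESIS = "0" * 64  # chain anchor for the first evidence entry


def decide(record, today, schedule=RETENTION, holds=LEGAL_HOLDS):
    """Return (action, reason) for one record.

    A category with no rule is neither kept forever nor quietly deleted:
    it is retained and escalated, because only the owner can set the period.
    """
    rule = schedule.get(record["category"])
    if rule is None:
        return "retain", "no retention rule; escalate to business owner"
    # Assumption: one year ~ 365 days; a real schedule uses the legal period.
    expiry = record["last_activity"] + timedelta(days=365 * rule["years"])
    if today < expiry:
        return "retain", f"within retention until {expiry.isoformat()}"
    if record["id"] in holds:
        return "retain", "legal hold overrides expiry"
    return rule["action"], f"retention expired {expiry.isoformat()}"


def _entry_digest(prev, record_id, action, day):
    return hashlib.sha256(f"{prev}|{record_id}|{action}|{day}".encode()).hexdigest()


def run_schedule(records, today, schedule=RETENTION, holds=LEGAL_HOLDS):
    """Apply the schedule; return decisions and a hash-chained destruction log."""
    decisions, evidence, prev = {}, [], GENESIS
    for rec in records:
        action, reason = decide(rec, today, schedule, holds)
        decisions[rec["id"]] = (action, reason)
        if action != "retain":
            digest = _entry_digest(prev, rec["id"], action, today.isoformat())
            evidence.append({"record": rec["id"], "action": action,
                             "date": today.isoformat(), "prev": prev, "digest": digest})
            prev = digest
    return decisions, evidence


def verify_evidence(evidence):
    """Recompute the chain; any edited, dropped or reordered entry breaks it."""
    prev = GENESIS
    for e in evidence:
        if e["prev"] != prev:
            return False
        if _entry_digest(prev, e["record"], e["action"], e["date"]) != e["digest"]:
            return False
        prev = e["digest"]
    return True


if __name__ == "__main__":
    decisions, log = run_schedule(RECORDS, date(2025, 1, 1))
    for rid, (action, why) in decisions.items():
        print(f"{rid}: {action:9s} {why}")
    print("evidence log valid:", verify_evidence(log))
```

The auditor’s checks map onto the functions: `decide` encodes who set the period and what overrides it, and `verify_evidence` is the test that the destruction records were not altered after the fact.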
What is BEST for an IS auditor to review when assessing the effectiveness of changes recently made to processes and tools related to an organization’s business continuity plan (BCP)?
- A . Full test results
- B . Completed test plans
- C . Updated inventory of systems
- D . Change management processes
A
Explanation:
The best way to assess the effectiveness of changes made to processes and tools related to an organization’s BCP is to review the full test results of the BCP. Full test results provide evidence of whether the changes have improved the BCP’s performance against the objectives set by the business impact analysis (BIA), such as recovery time objectives (RTOs) and recovery point objectives (RPOs). The other options are not as effective as reviewing the full test results, as they do not demonstrate the actual performance of the BCP under simulated disaster scenarios. Completed test plans are only documents that outline the scope, objectives, and procedures of the BCP testing, but they do not show the outcomes or issues encountered during the testing. An updated inventory of systems is a component of the BCP that identifies the critical systems and resources required for business continuity, but it does not measure the effectiveness of the BCP changes. Change management processes are controls that ensure that changes to the BCP are authorized, documented, and communicated, but they do not evaluate the impact or benefit of the changes.
References: CISA Review Manual (Digital Version), Chapter 4, Section 4.2.3
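What “reviewing the full test results” means in practice, as an added Python example that is not from the CISA manual: two rounds of constructed BCP test logs, one before and one after the process changes, reduced to achieved RTO and RPO per system and compared against the BIA targets. System names, targets and timestamps are all hypothetical. The example also handles the failure mode an auditor should look for in a test log: a restore that never completed, which has no RTO at all and must be counted as a miss rather than silently skipped.

```python
"""Achieved RTO/RPO from BCP test logs, before and after a change.

Added illustration with constructed data; systems, targets and times are
hypothetical.
"""
from datetime import datetime

# Targets from the (hypothetical) business impact analysis, in hours.
TARGETS = {
    "erp":   {"rto_h": 4.0, "rpo_h": 1.0},
    "email": {"rto_h": 8.0, "rpo_h": 4.0},
}

# Test round run before the process/tool changes. "restored": None means
# the restore was never completed during the exercise.
ROUND_BEFORE = [
    {"system": "erp",   "disruption": "2024-01-14T08:00",
     "last_good_backup": "2024-01-14T06:00", "restored": "2024-01-14T14:30"},
    {"system": "email", "disruption": "2024-01-14T08:00",
     "last_good_backup": "2024-01-13T22:00", "restored": None},
]

# Test round run after the changes.
ROUND_AFTER = [
    {"system": "erp",   "disruption": "2024-03-10T08:00",
     "last_good_backup": "2024-03-10T07:30", "restored": "2024-03-10T11:15"},
    {"system": "email", "disruption": "2024-03-10T08:00",
     "last_good_backup": "2024-03-09T22:00", "restored": "2024-03-10T13:00"},
]


def _hours(later: str, earlier: str) -> float:
    delta = datetime.fromisoformat(later) - datetime.fromisoformat(earlier)
    return delta.total_seconds() / 3600


def evaluate_round(results, targets):
    """Per system: achieved RTO/RPO in hours and whether each target was met.

    RPO achieved = time between the last good backup and the disruption.
    RTO achieved = time between the disruption and service restoration.
    """
    report = {}
    for r in results:
        t = targets[r["system"]]
        rpo = _hours(r["disruption"], r["last_good_backup"])
        if r["restored"] is None:
            rto, rto_met = None, False   # failed restore: objective not met
        else:
            rto = _hours(r["restored"], r["disruption"])
            rto_met = rto <= t["rto_h"]
        report[r["system"]] = {"rto_h": rto, "rpo_h": rpo,
                               "rto_met": rto_met, "rpo_met": rpo <= t["rpo_h"]}
    return report


def _trend(before_met, after_met):
    if before_met == after_met:
        return "met" if after_met else "still failing"
    return "improved" if after_met else "regressed"


def compare_rounds(before, after):
    """Did the changes move each objective from failing to met, or regress it?"""
    return {
        system: {"rto": _trend(before.get(system, {}).get("rto_met"), a["rto_met"]),
                 "rpo": _trend(before.get(system, {}).get("rpo_met"), a["rpo_met"])}
        for system, a in after.items()
    }


if __name__ == "__main__":
    before = evaluate_round(ROUND_BEFORE, TARGETS)
    after = evaluate_round(ROUND_AFTER, TARGETS)
    for system, trend in compare_rounds(before, after).items():
        print(system, trend, "after:", after[system])
```

In the constructed data the changes fixed recovery time for both systems, but the email RPO is still missed because the backup cadence did not change; that is exactly the kind of finding a completed test plan or an updated inventory cannot surface.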
Which of the following should be of GREATEST concern to an IS auditor reviewing an organization’s business continuity plan (BCP)?
- A . The BCP’s contact information needs to be updated
- B . The BCP is not version controlled.
- C . The BCP has not been approved by senior management.
- D . The BCP has not been tested since it was first issued.
D
Explanation:
The greatest concern for an IS auditor reviewing an organization’s business continuity plan (BCP) is that the BCP has not been tested since it was first issued. A BCP is a document that describes how an organization will continue its critical business functions in the event of a disruption or disaster. A BCP should include information such as roles and responsibilities, recovery strategies, resources, procedures, communication plans, and backup arrangements3. Testing the BCP is a vital step in ensuring its validity, effectiveness, and readiness. Testing the BCP involves simulating various scenarios and executing the BCP to verify whether it meets its objectives and requirements. Testing the BCP can also help to identify and correct any gaps, errors, or weaknesses in the BCP before they become issues during a real incident4. Therefore, an IS auditor should be concerned if the BCP has not been tested since it was first issued, as it may indicate that the BCP is outdated, inaccurate, incomplete, or ineffective.
The other options are less concerning or incorrect because: