Practice Free CISA Exam Online Questions
Which of the following is the BEST reason to implement a data retention policy?
- A . To establish a recovery point objective (RPO) for disaster recovery procedures
- B . To limit the liability associated with storing and protecting information
- C . To document business objectives for processing data within the organization
- D . To assign responsibility and ownership for data protection outside IT
B
Explanation:
The best reason to implement a data retention policy is to limit the liability associated with storing and protecting information. A data retention policy is a business’ established protocol for maintaining information, typically defining what data needs to be retained, the format in which it should be kept, how long it should be stored for, whether it should eventually be archived or deleted, who has the authority to dispose of it, and what procedure to follow in the event of a policy violation.
A data retention policy can help an organization to:
Comply with legal and regulatory requirements that mandate the retention and disposal of certain types of data, such as financial records, health records, or personal data
Reduce the risk of data breaches, theft, loss, or corruption by minimizing the amount of data stored and ensuring proper security measures are in place
Save costs and resources by optimizing the use of storage space and reducing the need for backup and recovery operations
Enhance operational efficiency and performance by eliminating unnecessary or outdated data and improving data quality and accessibility
Support business continuity and disaster recovery plans by ensuring critical data is available and recoverable in case of an emergency
Facilitate audit trails and investigations by providing evidence of data authenticity, integrity, and provenance
Therefore, by implementing a data retention policy, an organization can limit its liability associated with storing and protecting information, as well as improve its data governance and management practices.
References:
Data Retention Policy 101: Best Practices, Examples & More
Which of the following responses to risk associated with separation of duties would incur the LOWEST initial cost?
- A . Risk mitigation
- B . Risk acceptance
- C . Risk transference
- D . Risk reduction
B
Explanation:
Risk acceptance means choosing not to take immediate action to mitigate the risk, making it the lowest-cost approach in the short term.
Risk Acceptance (Correct Answer: B)
The organization acknowledges the risk and decides to accept it without implementing additional controls.
Example: A small company accepts the risk of not segregating financial duties due to limited staff.
Risk Mitigation (Incorrect: A)
Requires implementing controls, which incur costs.
Risk Transference (Incorrect: C)
Involves outsourcing risk (e.g., buying insurance), which has financial costs.
Risk Reduction (Incorrect: D)
Involves applying security controls, leading to additional costs.
References:
ISACA CISA Review Manual
ISO 31000 (Risk Management Framework)
As part of an audit response, an auditee has concerns with the recommendations and is hesitant to implement them.
Which of the following is the BEST course of action for the IS auditor?
- A . Accept the auditee’s response and perform additional testing.
- B . Suggest hiring a third-party consultant to perform a current state assessment.
- C . Conduct further discussions with the auditee to develop a mitigation plan.
- D . Issue a final report without including the opinion of the auditee.
C
Explanation:
Collaborative discussions help address the auditee’s concerns, find mutually agreeable solutions, and create buy-in for implementing improvements.
References:
ISACA CISA Review Manual (Current Edition) – Chapters on audit reporting and communication
Auditing Standards – Emphasize the importance of understanding and addressing auditee concerns.
Which of the following system attack methods is executed by entering malicious code into the search box of a vulnerable website, causing the server to reveal restricted information?
- A . Man-in-the-middle
- B . Denial of service (DoS)
- C . SQL injection
- D . Cross-site scripting
C
Explanation:
SQL injection attacks exploit vulnerabilities in web applications by inserting malicious SQL code into input fields, such as a search box. This can cause the server to execute unintended commands, often revealing restricted information.
Man-in-the-Middle (Option A): This intercepts communication but does not involve code injection.
Denial of Service (DoS) (Option B): This aims to disrupt service, not extract information.
Cross-Site Scripting (Option D): Involves injecting malicious scripts that execute in a user’s browser; it targets the client rather than the server’s database, so it does not directly extract server-side data.
Reference: ISACA CISA Review Manual, Job Practice Area 4: Protection of Information Assets.
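As an added example (not part of the original question or the ISACA material), the following Python script builds a constructed SQLite product table and shows a search-box query written both ways: with the user's term spliced into the SQL text, and with the term bound as a parameter. The table contents, column names and the `' OR 1=1 --` payload are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data: the search is supposed to expose only rows with public = 1.
PRODUCTS = [
    ("widget", 1),
    ("gadget", 1),
    ("secret prototype", 0),  # restricted row the search must never return
]


def build_db():
    """Create an in-memory SQLite database holding the constructed product table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, public INTEGER)")
    conn.executemany("INSERT INTO products (name, public) VALUES (?, ?)", PRODUCTS)
    return conn


def search_vulnerable(conn, term):
    """Deliberately vulnerable: the search term is concatenated into the SQL text,
    so quotes and comment markers in the term become part of the statement."""
    sql = "SELECT name FROM products WHERE public = 1 AND name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Hardened: the term is passed as a bound parameter. The database engine treats
    it as a string value only, so it can never alter the WHERE clause."""
    sql = "SELECT name FROM products WHERE public = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


# Constructed payload: closes the string literal, ORs in a tautology that defeats
# the public = 1 filter, and comments out the rest of the original statement.
INJECTION = "' OR 1=1 --"

if __name__ == "__main__":
    db = build_db()
    print("normal search:       ", search_vulnerable(db, "gadget"))
    print("vulnerable + payload:", search_vulnerable(db, INJECTION))  # restricted row leaks
    print("safe + payload:      ", search_safe(db, INJECTION))        # nothing matches
```

With the payload, the vulnerable function executes `... public = 1 AND name LIKE '%' OR 1=1 --%'`, which returns every row including the restricted one; the parameterized version looks for a product name containing the literal payload and returns nothing. Escaping quotes by hand is not an adequate substitute for parameter binding, since the escaping rules differ per database and are easy to get wrong.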
In which phase of penetration testing would host detection and domain name system (DNS) interrogation be performed?
- A . Discovery
- B . Attacks
- C . Planning
- D . Reporting
A
Explanation:
Penetration testing is a method of evaluating the security of a system or network by simulating an attack from a malicious source. Penetration testing typically consists of four phases: planning, discovery, attacks, and reporting. In the discovery phase, penetration testers gather information about the target system or network, such as host detection, domain name system (DNS) interrogation, port scanning, service identification, operating system fingerprinting, vulnerability scanning, etc. This information can help to identify potential entry points, weaknesses, or vulnerabilities that can be exploited in the subsequent attack phase. Host detection and DNS interrogation are techniques that can be used in the discovery phase to determine the active hosts and their IP addresses and hostnames on the target network.
References: [ISACA CISA Review Manual 27th Edition], page 368.
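As an added example, not code from the original page or from ISACA, the following Python script performs the two discovery-phase techniques named above: DNS interrogation (forward lookup of a name, then a reverse lookup of each address returned) and host detection by a TCP connect sweep. The target list, probe ports and timeouts are assumptions; the stand-alone run at the bottom probes only the loopback address, so it works offline.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def dns_interrogate(hostname):
    """Forward (A) lookup of hostname, then a reverse (PTR) lookup of each address.
    Forward/reverse mismatches are worth recording: they often indicate shared
    hosting, load balancers or stale records that deserve a closer look."""
    try:
        addrs = sorted({info[4][0] for info in socket.getaddrinfo(hostname, None, socket.AF_INET)})
    except socket.gaierror:
        addrs = []
    reverse = {}
    for ip in addrs:
        try:
            reverse[ip] = socket.gethostbyaddr(ip)[0]
        except (socket.herror, socket.gaierror):
            reverse[ip] = None  # no PTR record, or no resolver available
    return {"hostname": hostname, "addresses": addrs, "reverse": reverse}


def tcp_probe(ip, port, timeout=0.5):
    """Single TCP connect probe. connect_ex returns 0 when the handshake completes
    and an errno (e.g. ECONNREFUSED) when the port is closed; a timeout usually
    means the port is filtered or the host is silent."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            return s.connect_ex((ip, port)) == 0
        except (socket.timeout, OSError):
            return False


def detect_hosts(ips, ports, timeout=0.5, workers=32):
    """TCP connect sweep: an address counts as live if any probe port completes a
    handshake. This is the usual fallback when ICMP echo is blocked; like every
    connect scan it is noisy and will appear in the target's connection logs."""
    def probe_host(ip):
        return ip, any(tcp_probe(ip, p, timeout) for p in ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(probe_host, ips))
    return sorted(ip for ip, alive in results if alive)


def open_listener(host="127.0.0.1"):
    """Start a local TCP listener on an ephemeral port so the sweep has a live target."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_port(host="127.0.0.1"):
    """Return a port that was just released, i.e. one that should refuse connections."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    print(dns_interrogate("localhost"))
    srv, port = open_listener()
    print("live hosts:", detect_hosts(["127.0.0.1"], [port, free_port()]))
    srv.close()
```

Against a real engagement scope, replace the loopback target with the agreed address ranges and a short list of commonly open ports (for example 22, 80, 443); the point of the discovery phase is to build an accurate inventory of reachable hosts and names before any attack is attempted, and to do so only within the authorized scope.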
Which of the following audit procedures would provide the BEST assurance that an application program is functioning as designed?
- A . Using a continuous auditing module
- B . Interviewing business management
- C . Confirming accounts
- D . Reviewing program documentation
A
Explanation:
Using a continuous auditing module is an audit procedure that would provide the best assurance that an application program is functioning as designed. A continuous auditing module is a software tool that performs automated and continuous testing and monitoring of an application program’s inputs, outputs, processes, and controls. A continuous auditing module can help to verify the accuracy, completeness, validity, reliability, and timeliness of the application program’s data and transactions. A continuous auditing module can also help to identify and report any errors, anomalies, deviations, or exceptions in the application program’s performance or compliance.
The other options are not as effective or relevant as using a continuous auditing module for providing assurance that an application program is functioning as designed. Interviewing business management is a technique for obtaining information and opinions from the users or owners of the application program, but it does not directly test or verify the functionality or quality of the application program. Confirming accounts is a technique for verifying the existence and accuracy of account balances or transactions, but it does not necessarily reflect the design or operation of the application program. Reviewing program documentation is a technique for examining the specifications, requirements, and procedures of the application program, but it does not provide evidence of the actual implementation or execution of the application program.
References:
ISACA, CISA Review Manual, 27th Edition, 2019, p. 236
Continuous audit and monitoring – PwC
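As an added illustration of what a continuous auditing module does (example code written for this page, not ISACA's or any vendor's), the following Python script runs a small rule set over a constructed batch of payment transactions and returns the exceptions an auditor would review. The transaction fields, the approval limit and the business-hours window are assumptions; the segregation-of-duties rule is the automated counterpart of the control discussed in the risk-response question above.

```python
from datetime import datetime

# Constructed sample transactions (not real data). Timestamps are ISO 8601.
SAMPLE_TRANSACTIONS = [
    {"id": "T1", "vendor": "ACME", "invoice": "INV-100", "amount": 4200.00,
     "entered_by": "alice", "approved_by": "bob", "ts": "2024-03-01T09:15:00"},
    {"id": "T2", "vendor": "ACME", "invoice": "INV-100", "amount": 4200.00,
     "entered_by": "alice", "approved_by": "bob", "ts": "2024-03-01T09:16:00"},  # duplicate
    {"id": "T3", "vendor": "Globex", "invoice": "INV-7", "amount": 25000.00,
     "entered_by": "carol", "approved_by": "carol", "ts": "2024-03-01T14:00:00"},  # SoD + limit
    {"id": "T4", "vendor": "Initech", "invoice": "INV-55", "amount": 980.00,
     "entered_by": "dave", "approved_by": "erin", "ts": "2024-03-02T23:40:00"},  # Saturday night
]

APPROVAL_LIMIT = 10000.00   # assumed single-approver limit
BUSINESS_HOURS = (7, 19)    # assumed 07:00-19:00, Monday to Friday


def check_duplicate_invoices(txns):
    """Flag every repeat of a vendor + invoice pair after its first occurrence."""
    seen = set()
    for t in txns:
        key = (t["vendor"], t["invoice"])
        if key in seen:
            yield {"rule": "duplicate_invoice", "id": t["id"], "detail": "%s/%s already paid" % key}
        seen.add(key)


def check_segregation_of_duties(txns):
    """The same person must not both enter and approve a payment."""
    for t in txns:
        if t["entered_by"] == t["approved_by"]:
            yield {"rule": "sod_violation", "id": t["id"],
                   "detail": "entered and approved by " + t["entered_by"]}


def check_approval_limit(txns, limit=APPROVAL_LIMIT):
    """Payments above the limit need a second approver; flag them for review."""
    for t in txns:
        if t["amount"] > limit:
            yield {"rule": "over_limit", "id": t["id"],
                   "detail": "%.2f exceeds %.2f" % (t["amount"], limit)}


def check_off_hours(txns, hours=BUSINESS_HOURS):
    """Postings outside business hours or at the weekend are unusual enough to review."""
    start, end = hours
    for t in txns:
        when = datetime.fromisoformat(t["ts"])
        if when.weekday() >= 5 or not (start <= when.hour < end):
            yield {"rule": "off_hours", "id": t["id"], "detail": "posted " + t["ts"]}


RULES = (check_duplicate_invoices, check_segregation_of_duties,
         check_approval_limit, check_off_hours)


def run_continuous_audit(txns, rules=RULES):
    """Apply every rule to the batch and return the exception list for auditor review.
    In production this would run on each new batch (or each transaction) rather than once."""
    exceptions = []
    for rule in rules:
        exceptions.extend(rule(txns))
    return exceptions


if __name__ == "__main__":
    for e in run_continuous_audit(SAMPLE_TRANSACTIONS):
        print(e["rule"], e["id"], e["detail"])
```

The value of the module is that the same rules are applied to every transaction as it is processed, so exceptions surface while the evidence is fresh instead of being sampled months later; interviews and documentation reviews cannot give that kind of evidence about what the program actually did.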
Which of the following should be restricted from a network administrator’s privileges in an adequately segregated IT environment?
- A . Monitoring network traffic
- B . Changing existing configurations for applications
- C . Hardening network ports
- D . Ensuring transmission protocols are functioning correctly
Which of the following is the GREATEST risk if two users have concurrent access to the same database record?
- A . Data integrity
- B . Entity integrity
- C . Referential integrity
- D . Availability integrity
Which of the following BEST enables an IS auditor to prioritize financial reporting spreadsheets for an end-user computing (EUC) audit?
- A . Understanding the purpose of each spreadsheet
- B . Identifying the spreadsheets with built-in macros
- C . Reviewing spreadsheets based on file size
- D . Ascertaining which spreadsheets are most frequently used
Which of the following is MOST important when implementing a data classification program?
- A . Understanding the data classification levels
- B . Formalizing data ownership
- C . Developing a privacy policy
- D . Planning for secure storage capacity
B
Explanation:
Data classification is the process of organizing data into categories based on its sensitivity, value, and risk to the organization. Data classification helps to ensure that data is protected according to its importance and regulatory requirements. Data classification also enables data owners to make informed decisions about data access, retention, and disposal.
To implement a data classification program, it is most important to formalize data ownership. Data owners are the individuals or business units that have the authority and responsibility for the data they create or use. Data owners should be involved in defining the data classification levels, assigning the appropriate classification to their data, and ensuring that the data is handled according to the established policies and procedures. Data owners should also review and update the data classification periodically or when there are changes in the data or its usage.
The other options are not as important as formalizing data ownership when implementing a data classification program. Understanding the data classification levels is necessary, but it is not sufficient without identifying the data owners who will apply them. Developing a privacy policy is a good practice, but it is not specific to data classification. Planning for secure storage capacity is a technical consideration, but it does not address the business and legal aspects of data classification.
References:
ISACA, CISA Review Manual, 27th Edition, 2020, page 247
Data Classification: What It Is and How to Implement It