Practice Free CISA Exam Online Questions
Which of the following would be of MOST concern for an IS auditor evaluating the design of an organization’s incident management processes?
- A . Service management standards are not followed.
- B . Expected time to resolve incidents is not specified.
- C . Metrics are not reported to senior management.
- D . Prioritization criteria are not defined.
D
Explanation:
The design of an incident management process should include prioritization criteria so that incidents are handled according to their impact and urgency. Without prioritization criteria, the organization cannot allocate response resources effectively or respond to the most serious incidents first. Expected time to resolve incidents, adherence to service management standards, and metrics reporting are important aspects of incident management, but they are not as critical to the design of the process as prioritization criteria.
References: ISACA Journal Article: Incident Management: A Practical Approach
Due to limited storage capacity, an organization has decided to reduce the actual retention period for media containing completed low-value transactions.
Which of the following is MOST important for the organization to ensure?
- A . The policy includes a strong risk-based approach.
- B . The retention period allows for review during the year-end audit.
- C . The retention period complies with data owner responsibilities.
- D . The total transaction amount has no impact on financial reporting.
C
Explanation:
The most important factor for the organization to ensure when reducing the retention period for media containing completed low-value transactions is that the retention period complies with data owner responsibilities. Data owners are accountable for defining the retention and disposal requirements for the data they own, based on business, legal, regulatory, and contractual obligations. The policy should reflect the data owners' decisions and carry their approval. The policy should also include a risk-based approach, but this is not as important as complying with data owner responsibilities. The retention period should allow for review during the year-end audit, but this may not be necessary for low-value transactions that have minimal impact on financial reporting. The total transaction amount may have some impact on financial reporting, but this is not a direct consequence of reducing the retention period.
References:
CISA Review Manual, 27th Edition, pages 414-415
CISA Review Questions, Answers & Explanations Database, Question ID: 255
Which of the following is the MOST appropriate and effective fire suppression method for an unstaffed computer room?
- A . Water sprinkler
- B . Fire extinguishers
- C . Carbon dioxide (CO2)
- D . Dry pipe
C
Explanation:
The most appropriate and effective fire suppression method for an unstaffed computer room is carbon dioxide (CO2). Carbon dioxide is a gaseous clean agent that extinguishes fire by displacing oxygen and interrupting combustion. It is suitable for unstaffed computer rooms because it leaves no residue and causes no damage or corrosion on electronic equipment, and it does not require water or other chemicals that could harm the environment or human health. However, carbon dioxide poses a risk of asphyxiation to anyone who enters the computer room during or after discharge, which is precisely why it is acceptable only where the room is normally unstaffed; proper safety precautions, discharge delays, and warning signs should be in place.
The other options are not as appropriate or effective as carbon dioxide for an unstaffed computer room:
Water sprinkler. This is a common fire suppression method that uses water to cool and extinguish fire. However, water sprinklers are not suitable for unstaffed computer rooms because water can cause severe damage to electronic equipment, such as short circuits, corrosion, or data loss, and can create a risk of electric shock to anyone who enters the computer room during or after discharge.
Fire extinguishers. These are portable devices containing a pressurized agent that is sprayed on a fire to put it out. They are not effective for unstaffed computer rooms because they require manual operation by a trained person who can identify the type and location of the fire and select the appropriate extinguisher; with nobody present, they are never used. Fire extinguishers can also damage electronic equipment if they contain water or chemical agents.
Dry pipe. This is a type of sprinkler system that keeps pressurized air or nitrogen in the pipes instead of water until a fire is detected. When a fire is detected, the air or nitrogen is released and water flows into the pipes and sprinklers. Dry pipe is not ideal for unstaffed computer rooms because it still uses water as the extinguishing agent, with the equipment damage described above. Dry pipe systems also respond more slowly than wet pipe sprinkler systems, which can allow the fire to spread further before suppression begins.
Which of the following is MOST useful to an IS auditor performing a review of access controls for a document management system?
- A . Policies and procedures for managing documents provided by department heads
- B . A system-generated list of staff and their project assignments, roles, and responsibilities
- C . Previous audit reports related to other departments’ use of the same system
- D . Information provided by the audit team lead on the authentication systems used by the department
B
Explanation:
The answer B is correct because a system-generated list of staff and their project assignments, roles, and responsibilities is the most useful to an IS auditor performing a review of access controls for a document management system. A document management system is software that helps organizations store, manage, and share documents electronically. Access controls are the mechanisms that restrict or allow access to the documents based on predefined criteria, such as user identity, role, or project. An IS auditor needs to verify that the access controls are properly configured and implemented to ensure the security, confidentiality, and integrity of the documents. A system-generated list is preferred over a manually prepared one because it reflects the access actually configured in the system rather than what someone believes to be configured.
A system-generated list of staff and their project assignments, roles, and responsibilities can help the IS auditor to perform the following tasks:
Identify the users who have access to the document management system and their level of access (e.g., read-only, edit, delete, etc.).
Compare the actual access rights of the users with their expected or authorized access rights based on their roles and responsibilities.
Detect any anomalies, discrepancies, or violations in the access rights of the users, such as excessive or unauthorized access, segregation of duties conflicts, or dormant or inactive accounts.
Evaluate the effectiveness and efficiency of the access control policies and procedures, such as user provisioning, deprovisioning, authentication, authorization, auditing, etc.
The other options are not as useful as option B. Policies and procedures for managing documents provided by department heads (option A) are not reliable sources of information for an IS auditor because they may not reflect the actual practices or compliance status of the document management system. Previous audit reports related to other departments' use of the same system (option C) are not relevant for an IS auditor because they may not address the specific issues or risks associated with the current department's use of the document management system. Information provided by the audit team lead on the authentication systems used by the department (option D) is not sufficient for an IS auditor because authentication is only one aspect of access control and it does not provide information on the authorization or auditing of document access.
References:
Overview of document management in SharePoint
Setting Up a Document Control System: 6 Basic Steps
Access Control Management: Purpose, Types, Tools, & Benefits
9 Best Document Management Systems of 2023
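The comparison described in the explanation above (actual access rights from a system-generated export versus the rights each role is authorized to hold, plus segregation-of-duties and dormant-account checks) can be automated. The script below is an added example written for this page; it is not code from the original page or from any real document management product. The export columns, role names, permission levels, and the 90-day dormancy threshold are all assumptions chosen to illustrate the technique, and the export rows are constructed sample data.

```python
"""
Access-review reconciliation for a document management system (DMS).

Added example, not part of the original page or of any real DMS product.
The export format, role names, permission levels and the dormancy window
are assumptions chosen to illustrate the technique: compare the
system-generated list of users/roles/projects against the access each
role is authorised to hold, then flag excessive rights, segregation-of-
duties (SoD) conflicts and dormant accounts.
"""
from datetime import date, timedelta

# Ordered permission levels (assumption): read < edit < approve < admin.
LEVELS = {"read": 0, "edit": 1, "approve": 2, "admin": 3}

# Maximum level each role is authorised to hold (assumption).
AUTHORISED = {
    "viewer": "read",
    "author": "edit",
    "reviewer": "approve",
    "dms_admin": "admin",
}

# Role pairs one user must not hold on the same project (SoD, assumption):
# the person who writes a document must not also approve it.
SOD_CONFLICTS = {frozenset({"author", "reviewer"})}

# Constructed sample export: one row per (user, project) role assignment.
# A real review would read this straight from the DMS, not type it by hand.
REVIEW_DATE = date(2024, 6, 30)
SAMPLE_EXPORT = [
    # user,    project, role,       actual_level, last_login
    ("alice",  "P-100", "author",   "edit",       date(2024, 6, 28)),
    ("alice",  "P-100", "reviewer", "approve",    date(2024, 6, 28)),  # SoD conflict
    ("bob",    "P-100", "viewer",   "admin",      date(2024, 6, 1)),   # excessive
    ("carol",  "P-200", "author",   "edit",       date(2023, 11, 2)),  # dormant
    ("dave",   "P-200", "reviewer", "approve",    date(2024, 6, 25)),  # clean
]


def review_access(export, review_date, dormant_days=90):
    """Return findings keyed by type: 'excessive', 'sod', 'dormant'."""
    findings = {"excessive": [], "sod": [], "dormant": []}
    roles_by_user_project = {}

    for user, project, role, actual, last_login in export:
        # 1. Excessive rights: actual level above what the role authorises,
        #    or a role that is not in the authorised matrix at all.
        allowed = AUTHORISED.get(role)
        if allowed is None or LEVELS[actual] > LEVELS[allowed]:
            findings["excessive"].append((user, project, role, actual))

        # 2. Dormant: no login inside the review window.
        if review_date - last_login > timedelta(days=dormant_days):
            findings["dormant"].append((user, project, role))

        roles_by_user_project.setdefault((user, project), set()).add(role)

    # 3. SoD: conflicting roles held by the same user on the same project.
    for (user, project), roles in roles_by_user_project.items():
        for pair in SOD_CONFLICTS:
            if pair <= roles:
                findings["sod"].append((user, project, tuple(sorted(pair))))

    return findings


if __name__ == "__main__":
    for kind, items in review_access(SAMPLE_EXPORT, REVIEW_DATE).items():
        print(f"{kind}: {items}")
```

Run against the sample export, the script reports bob's admin level on a viewer role as excessive, alice's author-plus-reviewer combination on P-100 as a segregation-of-duties conflict, and carol's account as dormant; dave produces no finding. Each finding is something the auditor then traces back to an approved access request or raises as an exception.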
Which of the following is the BEST recommendation to include in an organization's bring your own device (BYOD) policy to help prevent data leakage?
- A . Require employees to waive privacy rights related to data on BYOD devices.
- B . Require multi-factor authentication on BYOD devices.
- C . Specify employee responsibilities for reporting lost or stolen BYOD devices.
- D . Allow only registered BYOD devices to access the network.
B
Explanation:
The best recommendation to include in an organization’s bring your own device (BYOD) policy to help prevent data leakage is to require multi-factor authentication on BYOD devices. BYOD is a practice that allows employees to use their own personal devices, such as smartphones, tablets, or laptops, to access the organization’s network, data, and systems. Data leakage is a risk that involves the unauthorized or accidental disclosure or transfer of sensitive or confidential data from the organization to external parties or devices. Multi-factor authentication is a security measure that requires users to provide two or more pieces of evidence to verify their identity and access rights, such as passwords, tokens, biometrics, or codes. Multi-factor authentication can help prevent data leakage by reducing the likelihood of unauthorized access to the organization’s data and systems through BYOD devices, especially if they are lost, stolen, or compromised. The other options are not as effective as requiring multi-factor authentication on BYOD devices, because they either do not prevent data leakage directly, or they are reactive rather than proactive measures.
References: CISA Review Manual (Digital Version), Chapter 5, Section 5.2.3
Which of the following would be a result of utilizing a top-down maturity model process?
- A . A means of benchmarking the effectiveness of similar processes with peers
- B . A means of comparing the effectiveness of other processes within the enterprise
- C . Identification of older, more established processes to ensure timely review
- D . Identification of processes with the most improvement opportunities
D
Explanation:
A top-down maturity model process is a method of assessing and improving the maturity level of a process or a set of processes within an organization. A maturity level is a measure of how well-defined, controlled, measured, and optimized a process is. A top-down maturity model process starts with defining the desired maturity level and then identifying the gaps and improvement opportunities for each process. This helps prioritize the processes that need the most attention and improvement. Therefore, a result of utilizing a top-down maturity model process is identification of processes with the most improvement opportunities.
A means of benchmarking the effectiveness of similar processes with peers, a means of comparing the effectiveness of other processes within the enterprise, and identification of older, more established processes to ensure timely review are not results of utilizing a top-down maturity model process. These are possible benefits or objectives of using other types of maturity models or assessment methods, but they are not specific to a top-down approach.
Who is PRIMARILY responsible for the design of IT controls to meet control objectives?
- A . Risk management
- B . Business management
- C . IT manager
- D . Internal auditor
An organization has shifted from a bottom-up approach to a top-down approach in the development of IT policies.
This should result in:
- A . greater consistency across the organization.
- B . a synthesis of existing operational policies.
- C . a more comprehensive risk assessment plan.
- D . greater adherence to best practices.
A
Explanation:
A top-down approach in the development of IT policies means that the policies are derived from the strategic objectives and goals of the organization, and are aligned with the business needs and expectations. This should result in greater consistency across the organization, as the policies will be coherent, integrated and applicable to all levels and functions of the organization. A bottom-up approach, on the other hand, means that the policies are developed by individual units or departments based on their operational needs and preferences, which may lead to inconsistency, duplication or conflict among different policies.
References: ISACA Frameworks: Blueprints for Success, IT Governance and Process Maturity
Which of the following should an IS auditor be MOST concerned with when a system uses RFID?
- A . Privacy
- B . Maintainability
- C . Scalability
- D . Nonrepudiation
A
Explanation:
RFID stands for Radio Frequency Identification, a technology that uses radio waves to identify or track objects carrying a small chip (an RFID tag). RFID tags can store various types of information, such as serial numbers, product codes, or personal data, and RFID readers can scan the tags from a distance and read that information without physical contact.
RFID has many benefits for different applications, such as inventory management, supply chain optimization, asset tracking, and access control. However, RFID also poses challenges and risks for information security and privacy. Some of these risks are:
Privacy: RFID tags can be read by unauthorized or malicious parties, who can collect personal or sensitive data without the knowledge or consent of the tag owners. This can lead to identity theft, profiling, tracking, or surveillance. For example, an attacker could scan an RFID-tagged passport or payment card and obtain the personal or financial details of the owner.
Communication attacks: RFID systems are vulnerable to attacks that target the wireless communication between the tags and the readers, including eavesdropping, jamming, spoofing, replaying, cloning, or modifying the data transmitted by the tags or the readers. For example, an attacker could intercept the data from an RFID tag and alter it before it reaches the reader, causing false or misleading information to be recorded.
Mafia fraud (relay attack): This is an attack in which an adversary acts as a man-in-the-middle and relays the exchange between two legitimate parties that are not actually in range of each other. This can allow the adversary to bypass authentication or authorization mechanisms and gain access to restricted areas or resources. For example, an attacker could use a pair of devices to relay the signal from an RFID car key to the car's ignition system and start the car without holding the physical key.
Of the options listed, privacy is the IS auditor's primary concern: because a tag answers any reader within range, RFID can expose personal data to parties who were never authorized to collect it. Maintainability, scalability, and nonrepudiation are design and operational considerations that apply to many systems rather than risks inherent to RFID.
When reviewing whether IT investments are meeting business objectives, which of the following evaluations would be MOST useful?
- A . A break-even analysis
- B . Realized return on investment (ROI) versus projected ROI
- C . Budgeted spend versus actual spend
- D . Actual return on investment (ROI) versus industry average ROI
B
Explanation:
The best way to determine whether IT investments are meeting business objectives is to compare the realized return on investment (ROI) versus the projected ROI (Option B). This approach measures actual performance against planned expectations.
ISACA CISA Reference: The ISACA IT governance framework emphasizes performance measurement through ROI analysis, ensuring IT investments align with strategic objectives.
Risk Implication: If actual ROI is lower than projected, this may indicate ineffective investment decisions, poor execution, or misalignment with business goals.
Alternative Choices:
Option A: Break-even analysis only determines when an investment recoups its costs but does not measure performance against business objectives.
Option C: Budgeted versus actual spend assesses financial discipline but does not indicate business impact.
Option D: Industry average ROI provides benchmarking but does not assess internal goal achievement.