Practice Free CISA Exam Online Questions
Which of the following is the MOST efficient way to identify segregation of duties violations in a new system?
- A . Review a report of security rights in the system.
- B . Observe the performance of business processes.
- C . Develop a process to identify authorization conflicts.
- D . Examine recent system access rights violations.
A
Explanation:
The most efficient way to identify segregation of duties violations in a new system is to review a report of security rights in the system. Segregation of duties is a control principle that aims to prevent or detect errors, fraud, or abuse by ensuring that no single individual has the ability to perform incompatible or conflicting functions or activities within a system or process. A report of security rights in the system can provide a comprehensive and accurate overview of the roles, responsibilities, and access levels assigned to different users or groups in the system, and can help to identify any potential segregation of duties violations or risks. The other options are not as efficient as reviewing a report of security rights in the system, because they either rely on observation or testing rather than analysis, or they focus on existing rather than potential violations.
References: CISA Review Manual (Digital Version), Chapter 5, Section 5.2.2
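The review in option A is the kind of analysis that can be automated once the rights report is exported. The following is an added example, not code from the CISA Review Manual or from any particular product: it reads a constructed user-to-role export, maps each role to the business functions it grants (a constructed mapping), and flags every user who holds a pair of functions listed in a constructed conflict matrix. Real systems would substitute their own export format, role definitions and SoD matrix.

```python
"""Segregation-of-duties check over a security-rights report (added example)."""
import csv
import io
from itertools import combinations

# Constructed conflict matrix: pairs of functions no single person may hold.
SOD_CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"create_user", "assign_role"}),
}

# Constructed role-to-function mapping: what each role lets a user do.
ROLE_FUNCTIONS = {
    "AP_CLERK": {"enter_invoice"},
    "AP_MANAGER": {"approve_payment"},
    "VENDOR_ADMIN": {"create_vendor"},
    "IAM_ADMIN": {"create_user", "assign_role"},
    "READ_ONLY": {"view_reports"},
}

# Constructed security-rights export: one "user,role" grant per line.
RIGHTS_REPORT = """user,role
alice,AP_CLERK
alice,AP_MANAGER
bob,VENDOR_ADMIN
bob,READ_ONLY
carol,IAM_ADMIN
dave,AP_MANAGER
dave,VENDOR_ADMIN
"""


def parse_rights(report: str) -> dict:
    """Collapse the per-grant report into user -> set of roles."""
    users = {}
    for row in csv.DictReader(io.StringIO(report)):
        users.setdefault(row["user"], set()).add(row["role"])
    return users


def effective_functions(roles: set) -> set:
    """Union of the functions granted by every role the user holds."""
    funcs = set()
    for role in roles:
        funcs |= ROLE_FUNCTIONS.get(role, set())
    return funcs


def find_sod_violations(report: str) -> dict:
    """Return {user: [(function_a, function_b), ...]} for each conflicting pair held.

    Pairs are emitted in sorted order so the output is stable for reporting.
    """
    violations = {}
    for user, roles in parse_rights(report).items():
        funcs = effective_functions(roles)
        hits = [pair for pair in combinations(sorted(funcs), 2)
                if frozenset(pair) in SOD_CONFLICTS]
        if hits:
            violations[user] = hits
    return violations


if __name__ == "__main__":
    for user, hits in find_sod_violations(RIGHTS_REPORT).items():
        print(f"{user}: {hits}")
```

Note the two different findings this produces: alice and dave violate SoD through a combination of separately legitimate roles, while carol's single IAM_ADMIN role bundles both conflicting functions, which is a role-design defect rather than a provisioning error. Both show up only because the check works on effective functions rather than on role names.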
Which of the following should be an IS auditor’s GREATEST concern when reviewing an organization’s security controls for policy compliance?
- A . The security policy has not been reviewed within the past year.
- B . Security policy documents are available on a public domain website.
- C . Security policies are not applicable across all business units.
- D . End users are not required to acknowledge security policy training.
What is the PRIMARY benefit of using one-time passwords?
- A . An intercepted password cannot be reused
- B . Security for applications can be automated
- C . Users do not have to memorize complex passwords
- D . Users cannot be locked out of an account
A
Explanation:
The primary benefit of a one-time password (OTP) is that an intercepted password cannot be reused: each value is valid for a single login session or transaction, so a captured value is worthless to an attacker who replays it. This is what defeats replay attacks. An OTP does not by itself stop guessing, because a typical six-digit code is short; the verifier still has to rate-limit attempts and keep the acceptance window small. The other options are not the primary benefit. Security for applications can be automated with or without OTPs. Users may still have to memorize a password, or carry a device or app that generates the OTP. Users can still be locked out of an account if they enter an incorrect or expired OTP.
References: CISA Review Manual (Digital Version), Chapter 6, Section 6.1
Which of the following is the BEST recommendation to drive accountability for achieving the desired outcomes specified in a benefits realization plan for an IT project?
- A . Document the dependencies between the project and other projects within the same program.
- B . Ensure that IT takes ownership for the delivery and tracking of all aspects of the benefits realization plan.
- C . Ensure that the project manager has formal authority for managing the benefits realization plan.
- D . Assign responsibilities, measures, and timelines for each identified benefit within the plan.
During which phase of the software development life cycle should an IS auditor be consulted to recommend security controls?
- A . Design and development
- B . Final acceptance testing
- C . Implementation of software
- D . Requirements definition
D
Explanation:
An IS auditor should be consulted during the requirements definition phase to recommend security controls. This ensures that security considerations are integrated from the beginning of the software development life cycle, leading to more secure software design and implementation.
References: ISACA CISA Review Manual, 27th Edition, pages 240-241 (SDLC Phases)
What should an IS auditor evaluate FIRST when reviewing an organization’s response to new privacy legislation?
- A . Implementation plan for restricting the collection of personal information
- B . Privacy legislation in other countries that may contain similar requirements
- C . Operational plan for achieving compliance with the legislation
- D . Analysis of systems that contain privacy components
D
Explanation:
The first thing that an IS auditor should evaluate when reviewing an organization’s response to new privacy legislation is the analysis of systems that contain privacy components. Privacy components are elements of a system that collect, process, store, or transmit personal information that is subject to privacy legislation. An analysis of systems that contain privacy components should identify what types of personal information are involved, where they are located, how they are used, who has access to them, and what risks or threats they face. An analysis of systems that contain privacy components is essential for determining the scope and impact of the new privacy legislation on the organization’s systems and processes.
The other options are not the first thing to evaluate. An implementation plan for restricting the collection of personal information (option A) is a possible action: it describes how the organization will apply data minimization, the principle that personal information is collected only for specific, legitimate purposes and only to the extent necessary for those purposes. Such a plan should be based on the analysis of systems that contain privacy components, so it cannot be assessed meaningfully before that analysis exists. Privacy legislation in other countries (option B) may contain comparable requirements and can offer guidance or good practice for compliance, but it is a reference source, not a substitute for knowing which of the organization's own systems are affected. An operational plan for achieving compliance (option C) is a possible deliverable that describes how the organization will implement and maintain the policies, procedures, controls, and measures the legislation requires; like option A, it should be derived from the systems analysis, which is why the analysis is evaluated first.
References: Privacy law – Wikipedia, Data Protection and Privacy Legislation Worldwide | UNCTAD, Data minimization – Wikipedia
Which of the following key performance indicators (KPIs) provides stakeholders with the MOST useful information about whether information security risk is being managed?
- A . Time from identifying security threats to implementing solutions
- B . The number of security controls audited
- C . Time from security log capture to log analysis
- D . The number of entries in the security risk register
A
Explanation:
The speed at which identified security threats are mitigated is a direct indicator of whether risk management is working.
Option A (correct): the time from identifying a threat to implementing a solution measures how efficiently the organization detects, analyzes, and mitigates risk, which is what stakeholders need to know.
Option B (incorrect): the number of controls audited shows that reviews are taking place, not whether risk is being reduced.
Option C (incorrect): the time from log capture to analysis measures monitoring latency, which is useful operationally but does not by itself show that risks are being mitigated.
Option D (incorrect): the number of risk register entries shows how many risks are known, not how well they are managed.
Reference: ISACA CISA Review Manual, Domain 5 (Protection of Information Assets), which covers security metrics, KPIs, and risk management evaluation.
Which type of attack poses the GREATEST risk to an organization’s most sensitive data?
- A . Password attack
- B . Eavesdropping attack
- C . Insider attack
- D . Spear phishing attack
C
Explanation:
An insider attack poses the greatest risk to an organization’s most sensitive data. An insider attack is a type of cyberattack that is carried out by someone who has legitimate access to the organization’s network, systems, or data, such as an employee, contractor, or business partner. An insider attack can be intentional or unintentional, malicious or negligent, and can have various motives, such as financial gain, revenge, espionage, sabotage, or curiosity.
An insider attack poses the greatest risk to an organization’s most sensitive data because:
- An insider has a high level of trust and privilege within the organization, which allows them to bypass security controls and access confidential or restricted data without raising suspicion or detection.
- An insider has a deep knowledge of the organization’s operations, processes, policies, and vulnerabilities, which enables them to exploit them effectively and cause maximum damage or disruption.
- An insider can use various techniques and tools to conceal their identity and actions, such as encryption, steganography, or deletion or alteration of logs or evidence.
- An insider can cause significant harm or loss to the organization in terms of data integrity, availability, confidentiality, reputation, compliance, and profitability.
The Ponemon Institute’s 2020 Cost of Insider Threats Global Report (sponsored by ObserveIT) put the average annual cost of insider threats for organizations worldwide at $11.45 million, a 31% increase over two years, and found that the number of incidents had grown 47% over the same period. The report classified insider threats into three categories: careless or negligent employees or contractors, criminal or malicious insiders, and credential thieves. Careless or negligent insiders were the most common type, accounting for 62% of incidents at an annualized cost of $4.58 million.
The other options are not the greatest risk to an organization’s most sensitive data, although they can still pose significant threats.
A password attack is a type of cyberattack that attempts to guess or crack a user’s password to gain unauthorized access to their account or system. A password attack can use various methods, such as brute force, dictionary, rainbow table, phishing, keylogging, or social engineering. A password attack can compromise the security and privacy of the user’s data and information. However, a password attack can be prevented or mitigated by using strong and unique passwords, changing passwords frequently, enabling multi-factor authentication (MFA), and avoiding clicking on suspicious links or attachments.
An eavesdropping attack is a type of cyberattack that intercepts or monitors the communication between two parties without their knowledge or consent. An eavesdropping attack can use various techniques, such as wiretapping, packet sniffing, man-in-the-middle (MITM), or side-channel. An eavesdropping attack can expose the content and metadata of the communication, such as messages, files, voice calls, emails, etc. However, an eavesdropping attack can be prevented or mitigated by using encryption, authentication, digital signatures, VPNs (virtual private networks), or secure protocols.
A spear phishing attack is a type of phishing attack that targets a specific individual or group with personalized and convincing emails that appear to come from a trusted source. A spear phishing attack aims to trick the recipient into clicking on a malicious link or attachment that can infect their device with malware or steal their credentials or data. A spear phishing attack can compromise the security and privacy of the recipient’s data and information. However, a spear phishing attack can be prevented or mitigated by verifying the sender’s identity and email address, checking the email content for spelling and grammar errors, hovering over links before clicking on them (or not clicking at all), scanning attachments for viruses before opening them (or not opening at all), and reporting suspicious emails to IT security staff.
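The log-alteration point in the list above is the one a practitioner can actually build a check for: if each log entry's hash covers the previous entry's hash, an insider who edits or deletes a line breaks the chain at that point. The following is an added example, not code from the CISA Review Manual or from any report cited above; the sample events and both tampering scenarios are constructed.

```python
"""Tamper-evident (hash-chained) audit log (added example)."""
from __future__ import annotations

import copy
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first entry


def chain_entry(prev_hash: str, record: dict) -> dict:
    """Wrap a record in a log line whose hash covers the previous hash and the record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256((prev_hash + body).encode()).hexdigest()
    return {"prev": prev_hash, "record": record, "hash": digest}


def build_log(records: list) -> list:
    """Append records in order, linking each to the hash of the one before it."""
    log, prev = [], GENESIS
    for record in records:
        entry = chain_entry(prev, record)
        log.append(entry)
        prev = entry["hash"]
    return log


def first_broken_link(log: list) -> int | None:
    """Index of the first entry whose link or hash fails to verify, or None if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        expected = chain_entry(prev, entry["record"])["hash"]
        if entry["prev"] != prev or entry["hash"] != expected:
            return i
        prev = entry["hash"]
    return None


# Constructed events: a privileged user exports a sensitive table, then wants that line gone.
SAMPLE = [
    {"ts": "2024-03-01T09:00:00Z", "user": "dba01", "action": "login"},
    {"ts": "2024-03-01T09:05:00Z", "user": "dba01", "action": "export", "table": "customers"},
    {"ts": "2024-03-01T09:10:00Z", "user": "dba01", "action": "logout"},
]


def tampered_copy(log: list) -> list:
    """Scenario 1 (constructed): the insider edits the record text only."""
    bad = copy.deepcopy(log)
    bad[1]["record"]["action"] = "select"
    return bad


def tampered_and_rehashed(log: list) -> list:
    """Scenario 2 (constructed): the insider also recomputes that entry's own hash."""
    bad = tampered_copy(log)
    bad[1]["hash"] = chain_entry(bad[1]["prev"], bad[1]["record"])["hash"]
    return bad


if __name__ == "__main__":
    log = build_log(SAMPLE)
    print("intact:", first_broken_link(log))                      # None
    print("edited:", first_broken_link(tampered_copy(log)))       # 1
    print("rehashed:", first_broken_link(tampered_and_rehashed(log)))  # 2
```

Editing entry 1 is caught at entry 1; recomputing entry 1's hash only moves the break to entry 2, whose stored link still names the old hash. An insider who can rewrite every later entry as well defeats this, which is why the head hash (or the whole log) is shipped to a system the insider cannot write to, the same reasoning as for offsite copies of transaction logs later on this page.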
An organization relies on an external vendor that uses a cloud-based Software as a Service (SaaS) model to back up its data.
Which of the following is the GREATEST risk to the organization related to data backup and retrieval?
- A . The organization may be locked into an unfavorable contract with the vendor.
- B . The vendor may be unable to restore critical data.
- C . The vendor may be unable to restore data by recovery time objective (RTO) requirements.
- D . The organization may not be allowed to inspect the vendor’s data center.
B
Explanation:
An organization relies on an external vendor that uses a cloud-based Software as a Service (SaaS) model to back up its data. SaaS is a model in which the software is centrally hosted and accessed by the user over the internet via a web browser [1]. The vendor owns and maintains the software and hosts the data, and the organization pays for the service on a subscription or usage basis [1]. The greatest risk to the organization related to data backup and retrieval is that the vendor may be unable to restore critical data.
Data backup and retrieval are essential for ensuring the availability, integrity, and security of data in case of loss, corruption, or damage [2]. Data backup is the process of creating and storing copies of data in a location separate from the original [2]. Data retrieval is the process of accessing and restoring the backed-up data when needed [2]. Critical data are data that are vital for the operation, continuity, and recovery of the organization [3].
If the vendor is unable to restore critical data, the organization may face severe consequences, such as:
- Business disruption: the organization may be unable to perform its core functions, deliver its products or services, or meet customer or stakeholder expectations [3].
- Revenue loss: the organization may lose income, market share, or competitive advantage through reduced sales, customer dissatisfaction, or reputation damage [3].
- Legal liability: the organization may face lawsuits, fines, or penalties for breaching contractual, regulatory, or statutory obligations related to data protection, privacy, or security [3].
- Recovery cost: the organization may incur additional expense to repair or replace the lost or corrupted data, restore system functionality, or compensate affected parties [3].
The other options are not as great a risk as the vendor’s inability to restore critical data. The organization may be locked into an unfavorable contract with the vendor, which limits its flexibility, control, or choice over service quality, cost, or duration [4]; this risk can be mitigated by negotiating better terms, reviewing the contract periodically, or switching vendors where possible [4]. The vendor may be unable to restore data within the recovery time objective (RTO), the maximum acceptable time for restoring data after a disruption [5]; this risk can be reduced by setting realistic RTOs, monitoring the vendor’s performance, or preparing alternative recovery strategies [5]. A late restore is a degraded outcome, whereas a failed restore of critical data is a total loss, which is why option B outranks option C. The organization may not be allowed to inspect the vendor’s data center, which limits its visibility and assurance over the provider’s infrastructure, security, and compliance; this can be addressed by obtaining third-party audit reports or certifications that demonstrate the vendor’s adherence to industry standards [6]. Therefore, option B is the correct answer.
References:
[1] What is SaaS? Software as a Service | Microsoft Azure
[2] What is Data Backup? – Definition from Techopedia
[3] Critical Data Definition
[4] The Risks of Cloud Computing | Cloud Academy
[5] Recovery Time Objective (RTO) Definition
[6] Cloud Computing Security Risks: What You Need To Know | CloudHealth by VMware
Which of the following would minimize the risk of losing transactions as a result of a disaster?
- A . Sending a copy of the transaction logs to offsite storage on a daily basis
- B . Storing a copy of the transaction logs onsite in a fireproof vault
- C . Encrypting a copy of the transaction logs and store on a local server
- D . Signing a copy of the transaction logs and store on a local server
A
Explanation:
Sending a copy of the transaction logs to offsite storage on a daily basis would minimize the risk of losing transactions as a result of a disaster, because the offsite copy survives a catastrophic event that destroys or damages the onsite data and can be used to recover transactions committed since the last full backup. Note that a daily schedule bounds the loss to at most one day of transactions; where the recovery point objective is tighter, the logs are shipped offsite more frequently or continuously. Storing a copy of the transaction logs onsite in a fireproof vault (B) protects against fire but not against other disasters such as floods, earthquakes, or theft. Encrypting (C) or signing (D) a copy of the transaction logs and storing it on a local server does not prevent loss of the data if that server is affected by the disaster: encryption and digital signatures protect the confidentiality and integrity of the data, not its availability.
Reference: CISA – Certified Information Systems Auditor Study Guide, Chapter 5: Protection of Information Assets, Section 5.2: Backup and Recovery Concepts, page 353.