Practice Free CISA Exam Online Questions
A review of Internet security disclosed that users have individual user accounts with Internet service providers (ISPs) and use these accounts for downloading business data. The organization wants to ensure that only the corporate network is used. The organization should FIRST:
- A . use a proxy server to filter out Internet sites that should not be accessed.
- B . keep a manual log of Internet access.
- C . monitor remote access activities.
- D . include a statement in its security policy about Internet use.
D
Explanation:
The first step that the organization should take to ensure that only the corporate network is used for downloading business data is to include a statement in its security policy about Internet use. A security policy is a document that defines the rules, expectations, and overall approach that an organization uses to maintain the confidentiality, integrity, and availability of its data [1]. A security policy should clearly state the acceptable and unacceptable use of Internet resources, such as personal accounts with ISPs, and the consequences of violating the policy. A security policy also helps to guide the implementation of technical controls, such as proxy servers, firewalls, or monitoring tools, that can enforce the policy and prevent or detect unauthorized Internet access.
The other options are not the first step that the organization should take, but rather subsequent or complementary steps that depend on the security policy. Using a proxy server to filter out Internet sites that should not be accessed is a technical control that can help implement the security policy, but it does not address the root cause of why users are using personal accounts with ISPs. Keeping a manual log of Internet access is a monitoring technique that can help audit the compliance with the security policy, but it does not prevent or deter users from using personal accounts with ISPs.
Monitoring remote access activities is another monitoring technique that can help detect unauthorized Internet access, but it does not specify what constitutes unauthorized access or how to respond to it.
References:
ISACA CISA Review Manual 27th Edition (2019), page 247
[1] What is a Security Policy? Definition, Elements, and Examples – Varonis
An IS auditor has been asked to advise on measures to improve IT governance within the organization.
Which of the following is the BEST recommendation?
- A . Benchmark organizational performance against industry peers
- B . Implement key performance indicators (KPIs).
- C . Require executive management to draft IT strategy
- D . Implement annual third-party audits.
C
Explanation:
The best recommendation to improve IT governance within the organization is C. Require executive management to draft IT strategy. IT governance is the process of establishing and maintaining the policies, roles, responsibilities, and accountabilities for managing technology risks within an organization [1]. One of the key objectives of IT governance is to ensure alignment and integration between technology and business strategies, leading to optimal outcomes and value creation [1]. Therefore, it is essential that executive management, who are responsible for setting the vision, mission, and goals of the organization, are also involved in drafting the IT strategy that supports and enables them. By requiring executive management to draft IT strategy, the organization can:
- Ensure that the IT strategy is consistent and coherent with the business strategy, and reflects the organization’s priorities, values, and culture [2].
- Enhance communication and collaboration between IT and business functions, and foster a shared understanding and commitment to the IT strategy [2].
- Increase accountability and transparency for IT performance and outcomes, and ensure that IT investments are aligned with the organization’s risk appetite and value proposition [2].
Which of the following should be of GREATEST concern to an IS auditor reviewing project documentation for a client relationship management (CRM) system migration project?
- A . The technical migration is planned for a holiday weekend and end users may not be available.
- B . Five weeks prior to the target date, there are still numerous defects in the printing functionality.
- C . A single implementation phase is planned and the legacy system will be immediately decommissioned.
- D . Employees are concerned that data representation in the new system is completely different from the old system.
Control self-assessments (CSAs) can be used to:
- A . Determine the value of assets.
- B . Establish baselines.
- C . Evaluate strategic business goals.
- D . Replace audits.
B
Explanation:
Control self-assessment (CSA) is a process that allows business units to evaluate the effectiveness of internal controls. It is primarily used to establish baselines (Option B) for measuring control effectiveness and risk management.
ISACA CISA Reference: CSA is a recognized internal control mechanism that supports risk assessment and control improvement.
Risk Implication: If CSAs are not conducted properly, organizations may lack visibility into weak controls, increasing exposure to risks.
Alternative Choices:
Option A: CSA does not focus on asset valuation.
Option C: Strategic business goals are assessed separately through governance processes.
Option D: CSA complements, but does not replace, formal audits.
Which of the following demonstrates the use of data analytics for a loan origination process?
- A . Evaluating whether loan records are included in the batch file and are validated by the servicing system
- B . Comparing a population of loans input in the origination system to loans booked on the servicing system
- C . Validating whether reconciliations between the two systems are performed and discrepancies are investigated
- D . Reviewing error handling controls to notify appropriate personnel in the event of a transmission failure
B
Explanation:
Data analytics can be used to compare data from different sources and identify any discrepancies or anomalies. In this case, comparing a population of loans input in the origination system to loans booked on the servicing system can help detect any errors or fraud in the loan origination process. The other options are not examples of data analytics, but rather controls for data integrity, reconciliation, and error handling.
References: CISA Review Manual (Digital Version), Chapter 3, Section 3.3.2
Which of the following is an IS auditor’s BEST recommendation to mitigate the risk of eavesdropping associated with an application programming interface (API) integration implementation?
- A . Encrypt the extensible markup language (XML) file.
- B . Implement Transport Layer Security (TLS).
- C . Mask the API endpoints.
- D . Implement Simple Object Access Protocol (SOAP).
The waterfall life cycle model of software development is BEST suited for which of the following situations?
- A . The project will involve the use of new technology.
- B . The project intends to apply an object-oriented design approach.
- C . The project requirements are well understood.
- D . The project is subject to time pressures.
Which of the following is the PRIMARY benefit of introducing business impact analyses (BIAs) to business resiliency strategies?
- A . It identifies legal obligations that may be incurred as a result of business service disruptions
- B . It provides updates on the risk level of disasters that may occur
- C . It delineates employee responsibilities that the organization must fulfill in a crisis
- D . It helps prioritize the restoration of systems and applications
D
Explanation:
The primary purpose of a Business Impact Analysis (BIA) is to prioritize the restoration of systems and applications (D) based on their criticality to business operations. A BIA assesses the impact of disruptions, identifies critical processes, and determines recovery time objectives (RTOs) and recovery point objectives (RPOs).
Other options:
Identifying legal obligations (A) is an aspect of compliance but not the primary benefit of a BIA. Providing updates on disaster risk levels (B) falls under risk management rather than BIA objectives. Delineating employee responsibilities (C) is part of business continuity planning (BCP), not the BIA’s main goal.
Reference: ISACA CISA Review Manual, Information Systems Operations and Business Resilience
An IS auditor finds that a new network connection allows communication between the Internet and the internal enterprise resource planning (ERP) system.
Which of the following is the PRIMARY business impact to include when presenting this observation to management?
- A . An increase to the threat landscape
- B . A decrease in data quality in the ERP system
- C . A decrease in network performance
- D . An increase in potential fines from regulators
During the planning phase of a data loss prevention (DLP) audit, management expresses a concern about mobile computing.
Which of the following should the IS auditor identify as the associated risk?
- A . The use of the cloud negatively impacting IT availability
- B . Increased need for user awareness training
- C . Increased vulnerability due to anytime, anywhere accessibility
- D . Lack of governance and oversight for IT infrastructure and applications
C
Explanation:
The associated risk of mobile computing that an IS auditor should identify during the planning phase of a data loss prevention (DLP) audit is increased vulnerability due to anytime, anywhere accessibility. Mobile computing refers to the use of portable devices, such as laptops, tablets, smartphones, or wearable devices, that can access data and applications over wireless networks from any location [6]. Mobile computing enables greater flexibility, productivity, and convenience for users, but also poses significant security challenges for organizations. One of these challenges is increased vulnerability due to anytime, anywhere accessibility. This means that mobile devices are exposed to a higher risk of loss, theft, damage, or unauthorized access than stationary devices [7]. If mobile devices contain or access sensitive data without proper protection, such as encryption or authentication, they could result in data leakage or breach in case of compromise [8]. Therefore, an IS auditor should identify this risk as part of a DLP audit.
The other options are less relevant or incorrect because: