Practice Free CISA Exam Online Questions
Which of the following is the BEST way to ensure email confidentiality in transit?
- A . Encryption of corporate network traffic
- B . Complex user passwords
- C . End-to-end encryption
- D . Digital signatures
C
Explanation:
End-to-end encryption ensures that email content is encrypted during transmission and can only be decrypted by the intended recipient. This approach provides robust protection against interception and unauthorized access.
Encryption of Corporate Network Traffic (Option A): This does not address email confidentiality once the email leaves the corporate network.
Complex User Passwords (Option B): Enhances account security but does not ensure email confidentiality in transit.
Digital Signatures (Option D): Ensures authenticity and integrity but does not encrypt the email content.
Reference: ISACA CISA Review Manual, Job Practice Area 4: Protection of Information Assets.
An IS auditor learns a server administration team regularly applies workarounds to address repeated failures of critical data processing services.
Which of the following would BEST enable the organization to resolve this issue?
- A . Problem management
- B . Incident management
- C . Service level management
- D . Change management
A
Explanation:
Problem management is the best way to enable the organization to resolve the issue of repeated failures of critical data processing services, as it focuses on identifying and eliminating the root causes of incidents and preventing their recurrence. Problem management involves analyzing incidents, performing root cause analysis, finding solutions, implementing changes and documenting lessons learned. Incident management is not the best way to resolve the issue, as it focuses on restoring normal service operation as quickly as possible after an incident occurs, but does not address the underlying causes or prevent future incidents. Service level management is not the best way to resolve the issue, as it focuses on defining, monitoring and reporting on the service levels agreed upon between service providers and customers, but does not address the causes or solutions of incidents. Change management is not the best way to resolve the issue, as it focuses on ensuring that changes are implemented in a controlled and coordinated manner, but does not address the identification or elimination of incidents.
References:
Problem Management Definition
Incident Management Definition
Service Level Management Definition
Change Management Definition
IT Service Management | ISACA
A disaster recovery plan (DRP) should include steps for:
- A . assessing and quantifying risk.
- B . negotiating contracts with disaster planning consultants.
- C . identifying application control requirements.
- D . obtaining replacement supplies.
D
Explanation:
A disaster recovery plan (DRP) is a set of detailed, documented guidelines that outline a business’ critical assets and explain how the organization will respond to unplanned incidents. Unplanned incidents or disasters typically include cyberattacks, system failures, power outages, natural disasters, equipment failures, or infrastructure damage [1]. A DRP aims to minimize the impact of a disaster on the business continuity, data integrity, and service delivery of the organization. A DRP also helps the organization recover from a disaster as quickly and efficiently as possible.
A DRP should include steps for obtaining replacement supplies, as this is an essential part of restoring the normal operation of the organization after a disaster. Replacement supplies may include hardware, software, data, network components, office equipment, or other resources that are needed to resume the business functions and processes that were disrupted by the disaster. Obtaining replacement supplies may involve contacting vendors, suppliers, or partners; activating backup or alternative systems; or purchasing or renting new equipment. A DRP should identify the sources, locations, and costs of the replacement supplies, as well as the procedures and responsibilities for acquiring and installing them.
The other three options are not steps that a DRP should include, as they are either part of the pre-disaster planning process or not directly related to the disaster recovery objectives. Assessing and quantifying risk is a step that should be done before creating a DRP, as it helps identify the potential threats and vulnerabilities that could affect the organization and determine the likelihood and impact of each scenario [2]. Negotiating contracts with disaster planning consultants is also a pre-disaster activity that may help the organization design, implement, test, and maintain a DRP with external expertise and guidance [3]. Identifying application control requirements is not a step in a DRP, but rather a part of the application development and maintenance process that ensures the quality, security, and reliability of the software applications used by the organization.
Therefore, obtaining replacement supplies is the correct answer.
References:
[1] What is a Disaster Recovery Plan? + Complete Checklist
[2] Risk Assessment – ISACA
[3] Disaster Recovery Planning – ISACA
[4] Application Controls – ISACA
An IS auditor discovers an option in a database that allows the administrator to directly modify any table. This option is necessary to overcome bugs in the software, but is rarely used. Changes to tables are automatically logged.
The IS auditor’s FIRST action should be to:
- A . recommend that the option to directly modify the database be removed immediately.
- B . recommend that the system require two persons to be involved in modifying the database.
- C . determine whether the log of changes to the tables is backed up.
- D . determine whether the audit trail is secured and reviewed.
D
Explanation:
The IS auditor’s first action after discovering an option in a database that allows the administrator to directly modify any table should be to determine whether the audit trail is secured and reviewed. This is because direct modification of database tables can pose a significant risk to data integrity, security, and accountability. An audit trail is a record of all changes made to database tables, including who made them, when they were made, and what was changed. An audit trail can help to detect unauthorized or erroneous changes, provide evidence for investigations or audits, and support data recovery or restoration. The IS auditor should assess whether the audit trail is protected from tampering or deletion, and whether it is regularly reviewed for anomalies or exceptions.
During a database management evaluation, an IS auditor discovers that some accounts with database administrator (DBA) privileges have been assigned a default password with an unlimited number of failed login attempts.
Which of the following is the auditor’s BEST course of action?
- A . Identify accounts that have had excessive failed login attempts and request they be disabled
- B . Request the IT manager to change administrator security parameters and update the finding
- C . Document the finding and explain the risk of having administrator accounts with inappropriate security settings
C
Explanation:
The auditor’s best course of action is to document the finding and explain the risk of having administrator accounts with inappropriate security settings. This is because the auditor’s role is to identify and report the issues, not to fix them or request others to fix them. The auditor should also communicate the impact of the finding, such as the possibility of unauthorized access, data tampering, or denial of service attacks. The auditor should not assume the responsibility of the IT manager or the DBA, who are in charge of changing the security parameters or disabling the accounts.
References:
CISA Review Manual (Digital Version), Chapter 4, Section 4.2.2; CISA Online Review Course, Domain 1, Module 3, Lesson 3
An IT balanced scorecard is the MOST effective means of monitoring:
- A . governance of enterprise IT.
- B . control effectiveness.
- C . return on investment (ROI).
- D . change management effectiveness.
A
Explanation:
An IT balanced scorecard is a strategic management tool that aligns IT objectives with business goals and measures the performance of IT processes using key performance indicators (KPIs). It is the most effective means of monitoring governance of enterprise IT, which is the process of ensuring that IT supports the organization’s strategy and objectives. Governance of enterprise IT covers aspects such as IT value delivery, IT risk management, IT resource management, and IT performance measurement. An IT balanced scorecard can help monitor these aspects and provide feedback to improve IT governance.
References: ISACA Frameworks: Blueprints for Success, CISA Review Manual (Digital Version)
An IS auditor is planning an audit of an organization’s accounts payable processes.
Which of the following controls is MOST important to assess in the audit?
- A . Segregation of duties between issuing purchase orders and making payments
- B . Segregation of duties between receiving invoices and setting authorization limits
- C . Management review and approval of authorization tiers
- D . Management review and approval of purchase orders
A
Explanation:
The most important control to assess in an audit of an organization’s accounts payable processes is segregation of duties between issuing purchase orders and making payments. Segregation of duties is a principle that requires different individuals or departments to perform different tasks or functions within a process, in order to prevent fraud, errors, or conflicts of interest. In the accounts payable process, segregation of duties between issuing purchase orders and making payments ensures that no one person can initiate and complete a transaction without proper authorization and verification. This reduces the risk of duplicate payments, overpayments, unauthorized payments, or payments to fictitious vendors.
References:
Accounts payable controls
Accounts Payable Internal Controls: A Simple Checklist
An IS auditor is reviewing an organization’s cloud access security broker (CASB) solution.
Which of the following is MOST important for the auditor to verify?
- A . Cloud services are classified.
- B . Users are centrally managed.
- C . Cloud processes are resilient.
- D . Users are periodically recertified.
D
Explanation:
Periodic recertification of users ensures that only authorized individuals retain access to cloud services and helps identify and revoke access for users who no longer require it. This is a critical control for maintaining security and compliance in a cloud environment.
Classifying Cloud Services (Option A): This is foundational but does not verify ongoing user access.
Centrally Managing Users (Option B): While useful for consistency, it does not assess whether access rights are still valid.
Ensuring Cloud Process Resilience (Option C): This focuses on operational continuity rather than access control.
Periodic recertification aligns with governance practices to ensure access rights remain appropriate over time.
Reference: ISACA CISA Review Manual, Job Practice Area 4: Protection of Information Assets.
Which of the following is the BEST evidence that an organization’s IT strategy is aligned to its business objectives?
- A . The IT strategy is modified in response to organizational change.
- B . The IT strategy is approved by executive management.
- C . The IT strategy is based on IT operational best practices.
- D . The IT strategy has significant impact on the business strategy.
B
Explanation:
The best evidence that an organization’s IT strategy is aligned to its business objectives is that the IT strategy is approved by executive management. This implies that the IT strategy has been reviewed and validated by the senior leaders of the organization, who are responsible for setting and overseeing the business objectives. The IT strategy may be modified in response to organizational change, based on IT operational best practices, or have significant impact on the business strategy, but these are not sufficient indicators of alignment without executive approval.
References: CISA Review Manual (Digital Version), Chapter 1, Section 1.2.1
Which of the following is MOST important to include in security awareness training?
- A . How to respond to various types of suspicious activity
- B . The importance of complex passwords
- C . Descriptions of the organization’s security infrastructure
- D . Contact information for the organization’s security team
A
Explanation:
The most important thing to include in security awareness training is how to respond to various types of suspicious activity. Security awareness training is a program that educates employees about the importance of security and how to avoid common threats and risks. One of the main objectives of security awareness training is to enable employees to recognize and report any signs of malicious or unauthorized activity, such as phishing emails, malware infections, data breaches, or social engineering attempts. By teaching employees how to respond to various types of suspicious activity, security awareness training can help to prevent or mitigate the impact of security incidents, protect the organization’s assets and reputation, and comply with legal and regulatory requirements.
The other options are not as important as option A.
The importance of complex passwords is a useful topic, but not the most important thing to include in security awareness training. Complex passwords are passwords that are hard to guess or crack because they use a combination of letters, numbers, symbols, and cases. Complex passwords can help to protect user accounts and data from unauthorized access, but they are not sufficient to prevent all types of security incidents. Moreover, complex passwords may be difficult for users to remember or manage, and may require additional measures such as password managers or multi-factor authentication.
Descriptions of the organization’s security infrastructure are a technical topic, but not the most important thing to include in security awareness training. Security infrastructure is the set of hardware, software, policies, and procedures that provide the foundation for the organization’s security posture and capabilities. Security infrastructure may include firewalls, antivirus software, encryption tools, access control systems, backup systems, etc. Descriptions of the organization’s security infrastructure may be relevant for some employees who are involved in security operations or administration, but they may not be necessary or understandable for all employees who need security awareness training.
Contact information for the organization’s security team is a practical detail, but not the most important thing to include in security awareness training. The security team is the group of people who are responsible for planning, implementing, monitoring, and improving the organization’s security strategy and activities. Contact information for the organization’s security team may be useful for employees who need to report or escalate a security issue or request a security service or support. However, contact information for the organization’s security team is not enough to ensure that employees know how to respond to various types of suspicious activity.
References: Security Awareness Training | SANS Security Awareness, Security Awareness Training | KnowBe4, Security Awareness Training Course (ISC)² | Coursera