Practice Free CISA Exam Online Questions
An IS auditor determines that elevated administrator accounts for servers are not properly checked out and then back in after each use.
Which of the following is the MOST appropriate sampling technique to determine the scope of the problem?
- A . Haphazard sampling
- B . Random sampling
- C . Statistical sampling
- D . Stratified sampling
Which of the following findings would be of GREATEST concern when auditing an organization’s end-user computing (EUC)?
- A . Errors flowed through to financial statements
- B . Reduced oversight by the IT department
- C . Inconsistency of patching processes being followed
- D . Inability to monitor EUC audit logs and activities
Which of the following types of firewalls provides the GREATEST degree of control against hacker intrusion?
- A . Packet filtering router
- B . Circuit gateway
- C . Application-level gateway
- D . Screening router
Which of the following is MOST appropriate to prevent unauthorized retrieval of confidential information stored in a business application system?
- A . Apply single sign-on for access control.
- B . Implement segregation of duties.
- C . Enforce an internal data access policy.
- D . Enforce the use of digital signatures.
C
Explanation:
The most appropriate control to prevent unauthorized retrieval of confidential information stored in a business application system is to enforce an internal data access policy. A data access policy defines who can access what data, under what conditions and for what purposes. It also specifies the roles and responsibilities of data owners, custodians and users, as well as the security measures and controls to protect data confidentiality, integrity and availability. By enforcing a data access policy, the organization can ensure that only authorized personnel can retrieve confidential information from the business application system. Applying single sign-on for access control, implementing segregation of duties and enforcing the use of digital signatures are also useful controls, but they are not sufficient to prevent unauthorized data retrieval without a clear and comprehensive data access policy.
References:
CISA Review Manual, 27th Edition, page 230
CISA Review Questions, Answers & Explanations Database – 12 Month Subscription
Management has learned the implementation of a new IT system will not be completed on time and has requested an audit.
Which of the following audit findings should be of GREATEST concern?
- A . The actual start times of some activities were later than originally scheduled.
- B . Tasks defined on the critical path do not have resources allocated.
- C . The project manager lacks formal certification.
- D . Milestones have not been defined for all project products.
B
Explanation:
The audit finding that should be of greatest concern is that tasks defined on the critical path do not have resources allocated, as this means that the project is likely to face significant delays and cost overruns, since the critical path is the sequence of activities that determines the minimum time required to complete the project. The actual start times of some activities being later than originally scheduled may indicate minor deviations from the project plan, but they do not necessarily affect the overall project completion time if those activities are not on the critical path. The project manager lacking formal certification may affect the quality and efficiency of the project management process, but it does not by itself imply that the project manager is incompetent or unqualified. Milestones not having been defined for all project products is a planning weakness, but even well-defined milestones would not be realistic or achievable if the resource constraints and dependencies of the critical path tasks are not addressed.
References: CISA Review Manual (Digital Version), Chapter 2: Governance and Management of IT, Section 2.3: IT Project Management
An IS audit team is evaluating the documentation related to the most recent application user-access review performed by IT and business management. It is determined that the user list was not system-generated.
Which of the following should be the GREATEST concern?
- A . Availability of the user list reviewed
- B . Confidentiality of the user list reviewed
- C . Source of the user list reviewed
- D . Completeness of the user list reviewed
A white box testing method is applicable with which of the following testing processes?
- A . Integration testing
- B . Parallel testing
- C . Sociability testing
- D . User acceptance testing (UAT)
Which of the following BEST enables an organization to standardize its IT infrastructure to align with business goals?
- A . Enterprise architecture (EA)
- B . Operational technologies
- C . Data architecture
- D . Robotic process automation (RPA)
The PRIMARY purpose of an incident response plan is to:
- A . reduce the impact of an adverse event on information assets.
- B . increase the effectiveness of preventive controls.
- C . reduce the maximum tolerable downtime (MTD) of impacted systems.
- D . increase awareness of impacts from adverse events to IT systems.
A
Explanation:
The primary purpose of an incident response plan is to reduce the impact of an adverse event on information assets. An incident response plan is a set of instructions and procedures that guide the organization’s actions in the event of a security breach, cyberattack, or other disruption that affects its information systems and data. An incident response plan aims to:
- Detect and identify the incident as soon as possible.
- Contain and isolate the incident to prevent further damage or spread.
- Analyze and investigate the incident to determine its cause, scope, and impact.
- Eradicate and eliminate the incident and its root causes from the affected systems and data.
- Recover and restore the normal operations and functionality of the systems and data.
- Learn and improve from the incident by documenting the lessons learned, best practices, and recommendations for future prevention and mitigation.
By following an incident response plan, the organization can minimize the negative consequences of an adverse event on its information assets, such as:
- Loss or corruption of data or information.
- Disclosure or theft of confidential or sensitive data or information.
- Interruption or degradation of system or service availability or performance.
- Legal or regulatory noncompliance or liability.
- Financial or reputational loss or damage.
An incident response plan also helps the organization to demonstrate its due diligence and accountability in protecting its information assets and complying with its legal and contractual obligations.
The other options are not the primary purpose of an incident response plan, although they may be secondary benefits or outcomes of having one.
Increasing the effectiveness of preventive controls is not the primary purpose of an incident response plan. Preventive controls are controls that aim to prevent or deter incidents from occurring in the first place, such as firewalls, antivirus software, encryption, authentication, etc. An incident response plan is a reactive control that deals with incidents after they have occurred. However, an incident response plan may help to improve the effectiveness of preventive controls by identifying and addressing their weaknesses or gaps.
Reducing the maximum tolerable downtime (MTD) of impacted systems is not the primary purpose of an incident response plan. MTD is a measure of how long an organization can tolerate a system or service outage before it causes unacceptable harm or loss to its business operations or objectives. An incident response plan may help to reduce the MTD of impacted systems by facilitating a faster and smoother recovery process. However, reducing the MTD is not the main goal of an incident response plan, but rather a desired outcome.
Increasing awareness of impacts from adverse events to IT systems is not the primary purpose of an incident response plan. Awareness is a state of being informed or conscious of something. An incident response plan may help to increase awareness of impacts from adverse events to IT systems by providing information and communication channels for stakeholders, such as management, employees, customers, regulators, etc. However, increasing awareness is not the main objective of an incident response plan, but rather a means to achieve other objectives, such as reducing impact, ensuring compliance, or maintaining trust.
An organization that operates an e-commerce website wants to provide continuous service to its customers and is planning to invest in a hot site due to service criticality.
Which of the following is the MOST important consideration when making this decision?
- A . Maximum tolerable downtime (MTD)
- B . Recovery time objective (RTO)
- C . Recovery point objective (RPO)
- D . Mean time to repair (MTTR)
B
Explanation:
The recovery time objective (RTO) is the most important consideration when making a decision to invest in a hot site due to service criticality. The RTO is the maximum acceptable time that an IT service or process can be unavailable or disrupted before it causes significant damage to the business operations and objectives. A hot site is a fully equipped and operational backup facility that can be activated immediately in the event of a disaster or disruption. A hot site can help an organization achieve a very low RTO, as it can resume the service with minimal or no downtime. The maximum tolerable downtime (MTD) is the maximum acceptable time that an IT service or process can be unavailable or disrupted before it causes intolerable damage to the business operations and objectives. The MTD is usually longer than the RTO, as it represents the worst-case scenario. The recovery point objective (RPO) is the maximum acceptable amount of data loss that an IT service or process can tolerate in the event of a disaster or disruption. The RPO is measured in terms of time, such as hours or minutes, and indicates how frequently the data should be backed up or replicated. The mean time to repair (MTTR) is the average time that it takes to restore an IT service or process after a failure or disruption. The MTTR is a measure of the efficiency and effectiveness of the recovery process, but it does not reflect the service criticality or the business impact.
References: IS Audit and Assurance Tools and Techniques, CISA Certification | Certified Information Systems Auditor | ISACA