Practice Free CISA Exam Online Questions
Email required for business purposes is being stored on employees’ personal devices.
Which of the following is an IS auditor’s BEST recommendation?
- A . Require employees to utilize passwords on personal devices
- B . Prohibit employees from storing company email on personal devices
- C . Ensure antivirus protection is installed on personal devices
- D . Implement an email containerization solution on personal devices
D
Explanation:
Implementing an email containerization solution on personal devices is the best recommendation for an IS auditor, because it separates corporate email from the rest of the device and lets the organization apply its own controls (encryption, passcode, selective wipe) to that container without taking over the employee's personal device. Email containerization creates an isolated, encrypted environment for the email data, preventing unauthorized access, leakage, or loss of sensitive information [1]. Requiring passwords or antivirus protection on personal devices may not be sufficient or enforceable, while prohibiting employees from storing company email on personal devices may not be feasible or practical when the email is required for business purposes.
References: 1: CISA Review Manual (Digital Version), Chapter 5, Section
Which of the following is MOST important for the successful establishment of a security vulnerability management program?
- A . A robust tabletop exercise plan
- B . A comprehensive asset inventory
- C . A tested incident response plan
- D . An approved patching policy
B
Explanation:
A comprehensive asset inventory is the most important factor for the successful establishment of a security vulnerability management program. A security vulnerability management program is a systematic process of identifying, assessing, prioritizing, and remediating vulnerabilities in the organization’s IT environment. A comprehensive asset inventory is a complete and accurate record of all the hardware, software, and network components that the organization owns or uses.
A comprehensive asset inventory helps the organization to:
Know what assets are in scope for vulnerability scanning and assessment.
Identify the vulnerabilities that affect each asset and their severity level.
Prioritize the remediation of vulnerabilities based on the criticality and value of each asset.
Track the status and progress of vulnerability remediation for each asset.
Measure the effectiveness and maturity of the vulnerability management program.
A robust tabletop exercise plan is a simulated scenario that tests the organization’s preparedness and response capabilities for a potential cyberattack or incident. A tabletop exercise plan is useful for validating and improving the organization’s incident response plan, but it is not essential for establishing a security vulnerability management program.
A tested incident response plan is a documented process that defines the roles, responsibilities, and actions of the organization’s personnel in the event of a cyberattack or incident. A tested incident response plan is important for minimizing the impact and restoring normal operations after a security breach, but it is not critical for establishing a security vulnerability management program.
An approved patching policy is a set of rules and guidelines that governs how the organization applies patches and updates to its IT systems and applications. An approved patching policy is a key component of the remediation phase of the vulnerability management program, but it is not sufficient for establishing a security vulnerability management program.
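The bullets above describe what the inventory enables; the following is an added example (not part of the CISA material) that puts the first three to work in Python: it reconciles constructed scanner findings against a constructed asset inventory to surface assets the scan never covered, addresses the scanner found that the inventory does not know about, and a prioritization that weights CVSS by asset criticality. The hostnames, addresses, finding titles, CVSS values and the criticality weights are all assumptions for the demo.

```python
"""Reconcile vulnerability-scan output against an asset inventory.

Added example, not from the CISA material: inventory, findings and the
criticality weights below are constructed for the demo.
"""

# Constructed asset inventory: what the organization believes it owns.
INVENTORY = [
    {"host": "erp-db01", "ip": "10.0.1.10", "owner": "finance", "criticality": "high"},
    {"host": "web01", "ip": "10.0.2.20", "owner": "ecommerce", "criticality": "high"},
    {"host": "print01", "ip": "10.0.3.30", "owner": "facilities", "criticality": "low"},
    {"host": "hr-app01", "ip": "10.0.1.11", "owner": "hr", "criticality": "medium"},
]

# Constructed scanner findings (titles and scores are made up for the demo).
FINDINGS = [
    {"ip": "10.0.1.10", "title": "outdated database engine", "cvss": 9.8},
    {"ip": "10.0.3.30", "title": "default admin credentials", "cvss": 7.5},
    {"ip": "10.0.2.20", "title": "weak TLS configuration", "cvss": 6.1},
    {"ip": "10.0.9.99", "title": "unsupported OS", "cvss": 8.8},  # not in inventory
]

# Assumed weighting: business criticality multiplies the technical score.
CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}


def coverage_gaps(inventory, findings):
    """Inventoried assets the scan never touched. These are unknown, not
    clean: the program has no visibility of them."""
    scanned = {f["ip"] for f in findings}
    return sorted(a["host"] for a in inventory if a["ip"] not in scanned)


def unknown_hosts(inventory, findings):
    """Addresses the scanner reported that the inventory does not know.
    Each one is evidence the inventory is incomplete (shadow IT or stale
    records) and cannot be prioritized until it is owned."""
    known = {a["ip"] for a in inventory}
    return sorted({f["ip"] for f in findings if f["ip"] not in known})


def prioritized(inventory, findings):
    """Rank findings by criticality weight times CVSS, so a 7.5 on a
    high-value system outranks the same 7.5 on a printer. Returns
    (score, host, title, owner) tuples, highest first."""
    by_ip = {a["ip"]: a for a in inventory}
    ranked = []
    for f in findings:
        asset = by_ip.get(f["ip"])
        if asset is None:
            continue  # surfaced by unknown_hosts(); no owner or criticality to rank on
        score = round(CRITICALITY_WEIGHT[asset["criticality"]] * f["cvss"], 1)
        ranked.append((score, asset["host"], f["title"], asset["owner"]))
    return sorted(ranked, reverse=True)


if __name__ == "__main__":
    print("never scanned:", coverage_gaps(INVENTORY, FINDINGS))
    print("not in inventory:", unknown_hosts(INVENTORY, FINDINGS))
    for row in prioritized(INVENTORY, FINDINGS):
        print(row)
```

Both reconciliation directions matter to an auditor: an asset that is inventoried but never scanned is a coverage gap in the program, and a scanned address that is not inventoried means the inventory itself is wrong, which undermines every later prioritization decision.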
An IS auditor is reviewing an organization’s business intelligence infrastructure. The BEST recommendation to help the organization achieve a reasonable level of data quality would be to:
- A . review data against data classification standards.
- B . outsource data cleansing to skilled service providers.
- C . consolidate data stored across separate databases into a warehouse.
- D . analyze the data against predefined specifications.
D
Explanation:
This is because analyzing the data against predefined specifications is a method of data quality assessment that can help the organization achieve a reasonable level of data quality. Data quality assessment is the process of measuring and evaluating the accuracy, completeness, consistency, timeliness, validity, and usability of the data. Predefined specifications are the criteria or standards that define the expected or desired quality of the data. By comparing the actual data with the predefined specifications, the organization can identify and quantify any gaps, errors, or deviations in the data quality, and take corrective actions accordingly.
Reviewing data against data classification standards (A) is not the best answer, because it is not a method of data quality assessment, but rather a method of data security management. Data classification standards are the rules or guidelines that define the level of sensitivity and confidentiality of the data, and determine the appropriate security and access controls for the data. For example, data can be classified into public, internal, confidential, or restricted categories. Reviewing data against data classification standards can help the organization protect the data from unauthorized or inappropriate use or disclosure, but it does not directly improve the data quality.
Outsourcing data cleansing to skilled service providers (B) is not the best answer, because it is not a recommendation to help the organization achieve a reasonable level of data quality, but rather a decision to delegate or transfer the responsibility of data quality management to external parties. Data cleansing is the process of detecting and correcting any errors, inconsistencies, or anomalies in the data. Skilled service providers are third-party vendors or contractors that have the expertise and resources to perform data cleansing tasks. Outsourcing data cleansing to skilled service providers may have some benefits, such as cost savings, efficiency, or scalability, but it also has some risks, such as loss of control, dependency, or liability.
Consolidating data stored across separate databases into a warehouse (C) is not the best answer, because it is not a method of data quality assessment, but rather a method of data integration and storage. Data integration is the process of combining and transforming data from different sources and formats into a unified and consistent view. A data warehouse is a centralized repository that stores integrated and historical data for analytical purposes. Consolidating data stored across separate databases into a warehouse can help the organization improve the availability and accessibility of the data, but it does not necessarily improve the data quality.
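As an added example (not from the CISA material), the Python below shows what "analyzing the data against predefined specifications" looks like in practice: a specification that states required fields, value formats, a uniqueness key and a maximum record age, applied to a handful of constructed customer records, producing a count of deviations and a score per quality dimension. The specification, the field names and the records are assumptions for the demo.

```python
"""Assess records against a predefined data quality specification.

Added example, not from the CISA material. SPEC and RECORDS are
constructed for the demo; the dimensions follow the text above
(completeness, validity, uniqueness, timeliness).
"""
import re
from datetime import date

# Predefined specification (assumed): what conformant customer data looks like.
SPEC = {
    "required": ["customer_id", "email", "country", "updated"],
    "formats": {
        "customer_id": re.compile(r"^C\d{6}$"),
        "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
        "country": re.compile(r"^[A-Z]{2}$"),  # ISO 3166-1 alpha-2, upper case
    },
    "unique": "customer_id",
    "max_age_days": 365,  # timeliness: a record must have been refreshed within a year
}

# Constructed records; several deliberately violate the specification.
RECORDS = [
    {"customer_id": "C000101", "email": "a@example.com", "country": "DE", "updated": "2024-03-01"},
    {"customer_id": "C000102", "email": "not-an-email", "country": "FR", "updated": "2024-02-11"},
    {"customer_id": "C000101", "email": "b@example.com", "country": "gb", "updated": "2023-01-05"},
    {"customer_id": "C000104", "email": "", "country": "US", "updated": "2024-04-20"},
]


def assess(records, spec, today_iso):
    """Compare each record with the specification.

    Returns (issues, scores): issues counts records that deviate per
    dimension; scores is the fraction of conformant records per dimension
    (1.0 means every record meets the specification on that dimension).
    """
    today = date.fromisoformat(today_iso)
    n = len(records)
    issues = {"completeness": 0, "validity": 0, "uniqueness": 0, "timeliness": 0}
    seen = set()
    for r in records:
        # completeness: every required field present and non-empty
        if any(not r.get(f) for f in spec["required"]):
            issues["completeness"] += 1
        # validity: present values match their format (missing values are a
        # completeness problem, not counted twice)
        if any(r.get(f) and not rx.match(r[f]) for f, rx in spec["formats"].items()):
            issues["validity"] += 1
        # uniqueness: the key must not repeat
        key = r.get(spec["unique"])
        if key in seen:
            issues["uniqueness"] += 1
        seen.add(key)
        # timeliness: record refreshed within the allowed age
        upd = r.get("updated")
        if upd and (today - date.fromisoformat(upd)).days > spec["max_age_days"]:
            issues["timeliness"] += 1
    scores = {dim: round(1 - count / n, 2) for dim, count in issues.items()}
    return issues, scores


if __name__ == "__main__":
    found, quality = assess(RECORDS, SPEC, "2024-06-01")
    for dim in found:
        print(f"{dim:13s} deviations={found[dim]} score={quality[dim]}")
```

The point for the auditor is that the specification is written down before the data is examined, so the resulting scores are reproducible and can be re-run after cleansing to show whether quality actually improved.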
An IS auditor is reviewing the installation of a new server. The IS auditor’s PRIMARY objective is to ensure that
- A . security parameters are set in accordance with the manufacturer’s standards.
- B . a detailed business case was formally approved prior to the purchase.
- C . security parameters are set in accordance with the organization’s policies.
- D . the procurement project invited tenders from at least three different suppliers.
C
Explanation:
The primary objective of an IS auditor when reviewing the installation of a new server is to ensure that security parameters are set in accordance with the organization’s policies. Security parameters are settings or options that control the security level and behavior of the server, such as authentication methods, encryption algorithms, access rights, audit logs, firewall rules, or password policies. The organization’s policies are documents that define the security goals, requirements, standards, and guidelines for the organization’s information systems. An IS auditor should verify that security parameters are set in accordance with the organization’s policies to ensure that the new server complies with the organization’s security expectations and regulations. The other options are less important or incorrect because:
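As an added example (not from the CISA material), the Python below shows the kind of check behind answer C on one service: it parses a constructed sshd_config from the new server and compares the effective settings with an assumed organizational policy. It also shows why option A (manufacturer's standards) is the wrong yardstick: a directive that is commented out falls back to the vendor default, which can itself violate the policy. The policy values and the config text are assumptions; the directive names and the listed defaults are those of OpenSSH, but treat the defaults as assumed for the demo and confirm them against the version you audit.

```python
"""Compare a server's sshd settings with the organization's policy.

Added example, not from the CISA material. POLICY, DEFAULTS and
SSHD_CONFIG are constructed for the demo.
"""
import re

# Organization policy (assumed): directive -> required value.
POLICY = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
    "LogLevel": "VERBOSE",
}

# Vendor defaults that apply when a directive is absent: the
# "manufacturer's standard", which is not the organization's policy.
DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "X11Forwarding": "no",
    "MaxAuthTries": "6",
    "LogLevel": "INFO",
}

# Constructed sshd_config as found on the new server.
SSHD_CONFIG = """\
# sshd_config on new-app01 (constructed for the demo)
Port 22
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding no
LogLevel VERBOSE
"""


def parse_sshd_config(text):
    """Return effective directives keyed by lower-cased name.

    sshd ignores comments and blank lines, accepts 'Key value' or
    'Key=value', treats names case-insensitively, and uses the FIRST
    occurrence of a directive, which setdefault() reproduces.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) < 2:
            continue
        effective.setdefault(parts[0].lower(), parts[1].strip())
    return effective


def check_against_policy(config_text, policy, defaults):
    """List deviations as (directive, effective, required, source) tuples.

    'source' records whether the effective value came from an explicit
    line or from the vendor default, so the auditor can tell a wrong
    setting from a setting that was simply never made.
    """
    effective = parse_sshd_config(config_text)
    deviations = []
    for directive, required in policy.items():
        key = directive.lower()
        if key in effective:
            value, source = effective[key], "explicit"
        else:
            value, source = defaults[directive], "default"
        if value.lower() != required.lower():
            deviations.append((directive, value, required, source))
    return deviations


if __name__ == "__main__":
    for d in check_against_policy(SSHD_CONFIG, POLICY, DEFAULTS):
        print("{}: effective={} required={} ({})".format(*d))
```

The commented-out PasswordAuthentication line is the instructive case: the server looks hardened to a casual reader, but the effective value is the vendor default "yes", which is what the auditor must compare against the policy.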
Which of the following is the MOST important consideration for patching mission critical business application servers against known vulnerabilities?
- A . Patches are implemented in a test environment prior to rollout into production.
- B . Network vulnerability scans are conducted after patches are implemented.
- C . Vulnerability assessments are periodically conducted according to defined schedules.
- D . Roles and responsibilities for implementing patches are defined
A
Explanation:
The most important consideration for patching mission critical business application servers against known vulnerabilities is A. Patches are implemented in a test environment prior to rollout into production. This is because patching mission critical business application servers involves a high level of risk and complexity, and requires careful planning and testing before applying the patches to the live environment. Patches may introduce new bugs, errors, or conflicts that could affect the functionality, performance, or security of the application servers, and cause system downtime, data loss, or business disruption. Therefore, it is essential to implement patches in a test environment first, where the patches can be verified and validated for their effectiveness and compatibility, and any issues or defects can be identified and resolved before they impact the production environment.
The PRIMARY role of a control self-assessment (CSA) facilitator is to:
- A . conduct interviews to gain background information.
- B . focus the team on internal controls.
- C . report on the internal control weaknesses.
- D . provide solutions for control weaknesses.
B
Explanation:
The primary role of a control self-assessment (CSA) facilitator is to focus the team on internal controls. A CSA facilitator is a person who guides the CSA process and helps the participants to identify, assess, and improve their internal controls. The facilitator does not conduct interviews, report on weaknesses, or provide solutions, as these are the responsibilities of the participants themselves [1].
The other options are incorrect because they are not the primary role of a CSA facilitator.
Option A, conduct interviews to gain background information, is a preliminary step that may be done by the facilitator or the participants before the CSA session, but it is not the main purpose of the facilitator.
Option C, report on the internal control weaknesses, is an outcome of the CSA process that should be done by the participants who own and operate the controls.
Option D, provide solutions for control weaknesses, is also an outcome of the CSA process that should be done by the participants who are in charge of implementing the improvements.
References:
1: ISACA, CISA Review Manual, 27th Edition, 2019, page 282
2: ISACA, CISA Review Questions, Answers & Explanations Database – 12 Month Subscription, QID 106669
3: PwC, Control Self Assessments
4: Workiva, 4 factors of an effective control self-assessment (CSA) program
Which of the following provides the BEST evidence that outsourced provider services are being properly managed?
- A . The service level agreement (SLA) includes penalties for non-performance.
- B . Adequate action is taken for noncompliance with the service level agreement (SLA).
- C . The vendor provides historical data to demonstrate its performance.
- D . Internal performance standards align with corporate strategy.
B
Explanation:
Adequate action taken for noncompliance with the service level agreement (SLA) provides the best evidence that outsourced provider services are being properly managed. This shows that the organization is monitoring the performance of the provider and enforcing the terms of the SLA.
The other options are not as convincing as evidence of proper management.
Option A, the SLA includes penalties for non-performance, is a good practice but does not guarantee that the penalties are actually applied or that the performance is satisfactory.
Option C, the vendor provides historical data to demonstrate its performance, is not reliable because the data may be biased or inaccurate.
Option D, internal performance standards align with corporate strategy, is irrelevant to the question of outsourced provider management.
References:
1: ISACA, CISA Review Manual, 27th Edition, 2019, page 282
2: ISACA, CISA Review Questions, Answers & Explanations Database – 12 Month Subscription, QID 106669
Which of the following is the GREATEST advantage of maintaining an internal IS audit function within an organization?
- A . Increased independence and impartiality of recommendations
- B . Better understanding of the business and processes
- C . Ability to negotiate recommendations with management
- D . Increased IS audit staff visibility and availability throughout the year
To ensure confidentiality through the use of asymmetric encryption, a message is encrypted with which of the following?
- A . Recipient’s public key
- B . Sender’s private key
- C . Sender’s public key
- D . Recipient’s private key
A
Explanation:
The best option for ensuring confidentiality through the use of asymmetric encryption is to encrypt a message with the recipient’s public key (option A).
This is because:
Asymmetric encryption, also known as public-key cryptography, is a type of encryption that uses a pair of keys to encrypt and decrypt data. The pair of keys includes a public key, which can be shared with anyone, and a private key, which is kept secret by the owner [1][2].
In asymmetric encryption, the sender uses the recipient’s public key to encrypt the data. The recipient then uses their private key to decrypt the data. This approach allows for secure communication between two parties without the need for both parties to share the same secret key in advance [1][2].
Encrypting a message with the recipient’s public key ensures that only the recipient can decrypt it with their private key. This provides confidentiality, which means that the message is protected from unauthorized access or disclosure [1][2].
Encrypting a message with the sender’s private key (option B) does not ensure confidentiality, but rather authentication: the operation is a digital signature. Anyone holding the sender’s public key can reverse it and read the message, but only the holder of the sender’s private key could have produced it, so it proves origin, not secrecy [1][2].
Encrypting a message with the sender’s public key (option C) would mean that only the sender’s own private key could decrypt it, so the intended recipient could not read the message at all. Encrypting with the recipient’s private key (option D) would mean that anyone holding the recipient’s public key could decrypt it, so it provides no confidentiality, quite apart from the fact that the sender should never hold the recipient’s private key in the first place [1][2].
Therefore, the best option for ensuring confidentiality through the use of asymmetric encryption is to encrypt a message with the recipient’s public key (option A), as this ensures that only the recipient can decrypt it with their private key.
References:
1: What is asymmetric encryption? | Asymmetric vs. symmetric … – Cloudflare
2: What is Asymmetric Encryption? – GeeksforGeeks
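The following is an added worked example (not from the CISA material or the references above): a toy textbook RSA in Python that makes the key roles concrete. Encrypting with the recipient's public key yields something only the recipient's private key can open (option A); "encrypting" with the sender's private key yields something anyone with the sender's public key can open, which is a signature, not confidentiality (option B). The Mersenne primes, the public exponent 65537, the party names and the message are assumptions for the demo, and the code has no padding scheme, so it illustrates the key roles only and must not be used for real traffic.

```python
"""Toy textbook RSA showing which key provides which property.

Added example, not from the CISA material. Fixed, well-known Mersenne
primes and no padding (no OAEP/PSS): for illustration only.
"""
from __future__ import annotations
from dataclasses import dataclass

E = 65537  # common public exponent, assumed here


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int


@dataclass(frozen=True)
class PrivateKey:
    n: int
    d: int


def keypair(p: int, q: int) -> tuple[PublicKey, PrivateKey]:
    """Derive an RSA key pair from two primes. A real implementation
    generates random primes of at least 1024 bits each; these are fixed."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # private exponent: E * d == 1 (mod phi)
    return PublicKey(n, E), PrivateKey(n, d)


# Two parties, each with their own pair (Mersenne primes assumed for the demo).
SENDER_PUB, SENDER_PRIV = keypair(2**61 - 1, 2**89 - 1)
RECIPIENT_PUB, RECIPIENT_PRIV = keypair(2**107 - 1, 2**127 - 1)


def _to_int(msg: bytes, n: int) -> int:
    m = int.from_bytes(msg, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return m


def _to_bytes(m: int) -> bytes:
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def encrypt_for(recipient: PublicKey, msg: bytes) -> int:
    """Confidentiality: encrypt with the RECIPIENT's public key (option A)."""
    return pow(_to_int(msg, recipient.n), recipient.e, recipient.n)


def decrypt(own: PrivateKey, ct: int) -> bytes:
    """Only the holder of the matching private key gets the plaintext back;
    any other private key yields garbage."""
    return _to_bytes(pow(ct, own.d, own.n))


def sign(own: PrivateKey, msg: bytes) -> int:
    """'Encrypting' with the SENDER's private key is a raw signature (option B)."""
    return pow(_to_int(msg, own.n), own.d, own.n)


def open_signature(sender: PublicKey, sig: int) -> bytes:
    """Anyone holding the sender's public key reverses the signature and reads
    the message: this proves origin, it does not hide the content."""
    return _to_bytes(pow(sig, sender.e, sender.n))


if __name__ == "__main__":
    pt = b"approve PO 4471"
    ct = encrypt_for(RECIPIENT_PUB, pt)
    print("recipient decrypts:", decrypt(RECIPIENT_PRIV, ct) == pt)   # True
    print("sender's key decrypts:", decrypt(SENDER_PRIV, ct) == pt)   # False
    sig = sign(SENDER_PRIV, pt)
    print("public key opens signature:", open_signature(SENDER_PUB, sig) == pt)  # True
```

In a real deployment the two operations are never the same primitive with the keys swapped: encryption uses RSA-OAEP (or, more commonly, a hybrid scheme that RSA-encrypts a symmetric key) and signing uses RSA-PSS over a hash, but the key-role lesson the exam question is after is exactly what the toy shows.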
Which of the following is MOST important when planning a network audit?
- A . Determination of IP range in use
- B . Analysis of traffic content
- C . Isolation of rogue access points
- D . Identification of existing nodes
D
Explanation:
The most important factor when planning a network audit is to identify the existing nodes on the network. Nodes are devices or systems that are connected to the network and can communicate with each other. Nodes can include servers, workstations, routers, switches, firewalls, printers, scanners, cameras, etc. Identifying the existing nodes on the network will help the auditor to determine the scope, objectives, and methodology of the audit. It will also help the auditor to assess the network topology, architecture, performance, security, and compliance.
References:
CISA Review Manual (Digital Version)
CISA Questions, Answers & Explanations Database