Practice Free CISA Exam Online Questions
An organization wants to classify database tables according to its data classification scheme. From an IS auditor’s perspective, the tables should be classified based on the:
- A . specific functional contents of each single table.
- B . frequency of updates to the table.
- C . descriptions of column names in the table.
- D . number of end users with access to the table.
Which of the following should be the GREATEST concern to an IS auditor reviewing an organization’s job scheduling practices?
- A . Most jobs are run manually.
- B . Jobs are executed during working hours.
- C . Job dependencies are undefined.
- D . Job processing procedures are missing.
Which of the following can only be provided by asymmetric encryption?
- A . Information privacy
- B . 256-bit key length
- C . Data availability
- D . Nonrepudiation
D
Explanation:
Nonrepudiation is the only one of these that can be provided solely by asymmetric encryption. Nonrepudiation is the ability to prove that a message or transaction was originated or authorized by a specific party. Asymmetric encryption uses a pair of keys: a public key and a private key. The public key can be shared with anyone, while the private key is kept secret by the owner. If a message is encrypted with the sender’s private key, only the sender’s public key can decrypt it. This proves that the message was sent by the sender and not by anyone else. This is called a digital signature, and it provides nonrepudiation. Asymmetric encryption can also provide information privacy by encrypting a message with the receiver’s public key, so that only the receiver’s private key can decrypt it. However, information privacy can also be provided by symmetric encryption, which uses a single key to both encrypt and decrypt messages.
References:
CISA Review Manual (Digital Version), Chapter 5, Section 5.21
CISA Online Review Course, Domain 3, Module 2, Lesson 12
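The explanation above describes the sign-with-private-key, verify-with-public-key mechanism in words. The following Python block is an added illustration, not part of the CISA material or this question bank: it implements textbook RSA on small, constructed primes (no padding, toy key sizes, for illustration only) and shows why a valid signature binds a message to one specific key holder, which is what nonrepudiation means. The party names, primes and message are assumptions made up for the example.

```python
"""Toy RSA digital signature: sign with a private key, verify with the public key.
Constructed example (not from the CISA material). Textbook RSA on small primes
with SHA-256 and no padding; real systems use 2048-bit+ keys and RSA-PSS or ECDSA."""
import hashlib

E = 65537  # widely used public exponent


def make_keypair(p: int, q: int):
    """Derive (public, private) keys from two primes. Each key is (modulus, exponent)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # private exponent: modular inverse of E (Python 3.8+)
    return (n, E), (n, d)


def _digest(message: bytes, n: int) -> int:
    """SHA-256 of the message, reduced into the modulus range."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Signature = hash^d mod n. Only the holder of d can produce this value."""
    n, d = private_key
    return pow(_digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Anyone holding the public key can check: signature^e mod n == hash."""
    n, e = public_key
    return pow(signature, e, n) == _digest(message, n)


# Constructed key pairs for two parties (primes chosen for illustration only).
ALICE_PUB, ALICE_PRIV = make_keypair(1000000007, 998244353)
BOB_PUB, BOB_PRIV = make_keypair(2147483647, 1000000009)


def nonrepudiation_demo() -> dict:
    """Sign a constructed message as Alice and show what a verifier can conclude."""
    msg = b"Transfer 100 units to account 42"  # constructed message
    sig = sign(msg, ALICE_PRIV)
    return {
        # True: the signature checks out under Alice's public key, so Alice's
        # private key produced it; she cannot later deny having signed it.
        "alice_verifies": verify(msg, sig, ALICE_PUB),
        # False: Bob's public key does not verify it, so the signature cannot
        # be attributed to Bob.
        "bob_cannot_claim": verify(msg, sig, BOB_PUB),
        # False: altering even one byte of the message breaks the signature.
        "tampered_fails": verify(msg + b"0", sig, ALICE_PUB),
    }


if __name__ == "__main__":
    print(nonrepudiation_demo())
```

The contrast with symmetric encryption is the point of the question: with a shared secret key, either party could have produced a given ciphertext or MAC, so neither can prove to a third party who originated it. Here the verifier never holds Alice's private exponent, yet a successful `verify` still establishes that only that key could have produced the signature.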
A startup organization wants to develop a data loss prevention (DLP) program. The FIRST step should be to implement:
- A . Security awareness training
- B . Data encryption
- C . Data classification
- D . Access controls
Which of the following is the MOST important consideration when relying on the work of the prior auditor?
- A . Qualifications of the prior auditor
- B . Management agreement with recommendations
- C . Duration of the prior audit
- D . Number of findings identified by the prior auditor
A new regulation has been enacted that mandates specific information security practices for the protection of customer data.
Which of the following is MOST useful for an IS auditor to review when auditing against the regulation?
- A . Compliance gap analysis
- B . Customer data protection roles and responsibilities
- C . Customer data flow diagram
- D . Benchmarking studies of adaptation to the new regulation
A
Explanation:
A compliance gap analysis is a detailed review of an organization’s current state of compliance against a specific regulation or standard. It helps identify the areas and controls that are not meeting the requirements, assess their risk levels, and determine the corrective actions that can be taken to achieve compliance. A compliance gap analysis is the most useful tool for an IS auditor to review when auditing against a new regulation, as it provides a clear and comprehensive picture of the organization’s compliance status, gaps, and remediation plan.
References
1: Information Security Architecture: Gap Assessment and Prioritization – ISACA
2: How to perform Compliance Gap Analysis? – Sprinto
Which of the following should be identified FIRST during the risk assessment process?
- A . Vulnerability to threats
- B . Existing controls
- C . Information assets
- D . Legal requirements
C
Explanation:
The risk assessment process involves identifying the information assets that are at risk, analyzing the threats and vulnerabilities that could affect them, evaluating the impact and likelihood of a risk event, and determining the appropriate controls to mitigate the risk. The first step is to identify the information assets, as they are the objects of protection and the basis for the rest of the process. Without knowing what assets are at risk, it is not possible to assess their value, exposure, or protection level.
References: ISACA Frameworks: Blueprints for Success
An IS auditor is reviewing enterprise governance and finds there is no defined organizational structure for technology risk governance.
Which of the following is the GREATEST concern with this lack of structure?
- A . Software developers may adopt inappropriate technology.
- B . Project managers may accept technology risks exceeding the organization’s risk appetite.
- C . Key decision-making entities for technology risk have not been identified.
- D . There is no clear approval entity for organizational security standards.
C
Explanation:
The greatest concern with the lack of structure for technology risk governance is C: key decision-making entities for technology risk have not been identified. Technology risk governance is the process of establishing and maintaining the policies, roles, responsibilities, and accountabilities for managing technology risks within an organization. Technology risk governance requires a clear organizational structure that defines who has the authority and responsibility to make decisions, set objectives, allocate resources, monitor performance, and ensure compliance for technology risk management. Without such a structure, an organization may face the following challenges:
- Lack of alignment and integration between technology and business strategies, leading to suboptimal outcomes and missed opportunities.
- Lack of clarity and consistency in technology risk identification, assessment, mitigation, and reporting, leading to gaps and overlaps in risk coverage and exposure.
- Lack of communication and collaboration among the different stakeholders involved in technology risk management, leading to conflicts and inefficiencies.
- Lack of oversight and accountability for technology risk management activities and results, leading to poor quality and reliability.
An organization wants to use virtual desktops to deliver corporate applications to its end users.
Which of the following should an IS auditor recommend to prevent domain name system (DNS) poisoning in their cloud environment?
- A . Enable verification of administrators to protect against impersonators modifying DNS tables.
- B . Configure DNS servers to create appropriately sized responses to domain resolution requests.
- C . Ensure DNS changes are propagated across all servers in the organization’s cloud account.
- D . Provide corporate laptops to end users with built-in antivirus tools that scan for DNS vulnerabilities.
An IS auditor is concerned that unauthorized access to a highly sensitive data center might be gained by piggybacking or tailgating.
Which of the following is the BEST recommendation?
- A . Biometrics
- B . Procedures for escorting visitors
- C . Airlock entrance
- D . Intruder alarms
C
Explanation:
The best recommendation to prevent unauthorized access to a highly sensitive data center by piggybacking or tailgating is to use an airlock entrance. An airlock entrance is a type of access control system that consists of two doors that are interlocked, so that only one door can be opened at a time. This prevents an unauthorized person from following an authorized person into the data center without being detected. An airlock entrance can also be integrated with other security measures, such as biometrics, card readers, or PIN pads, to verify the identity and authorization of each person entering the data center.
Biometrics (option A) is a method of verifying the identity of a person based on their physical or behavioral characteristics, such as fingerprints, iris scans, or voice recognition. Biometrics can provide a high level of security, but they are not sufficient to prevent piggybacking or tailgating, as an unauthorized person can still follow an authorized person who has been authenticated by the biometric system.
Procedures for escorting visitors (option B) is a policy that requires all visitors to the data center to be accompanied by an authorized employee at all times. This can help prevent unauthorized access by visitors, but it does not address the risk of piggybacking or tailgating by other employees or contractors who may have legitimate access to the building but not to the data center.
Intruder alarms (option D) are devices that detect and alert when an unauthorized person enters a restricted area. Intruder alarms can provide a deterrent and a response mechanism for unauthorized access, but they are not effective in preventing piggybacking or tailgating, as they rely on the detection of the intruder after they have already entered the data center.
References:
1: CISA Certification | Certified Information Systems Auditor | ISACA
2: CISA Certified Information Systems Auditor Study Guide, 4th Edition
3: CISA – Certified Information Systems Auditor Study Guide [Book]