Practice Free CISA Exam Online Questions
When a data center is attempting to restore computing facilities at an alternative site following a disaster, which of the following should be restored FIRST?
- A . Data backups
- B . Decision support system
- C . Operating system
- D . Applications
C
Explanation:
When a data center is attempting to restore computing facilities at an alternative site following a disaster, the operating system should be restored FIRST. The operating system is the platform that everything else depends on: applications cannot be installed or started, and data backups cannot be restored into a usable state, until the operating system is running on the recovered hardware. Applications and data therefore follow the operating system, and the decision support system is itself one of the applications restored afterwards.
Which of the following BEST mitigates the risk associated with the deployment of a new production system?
- A . Problem management
- B . Incident management
- C . Configuration management
- D . Release management
Which of the following should an IS auditor be MOST concerned with when a system uses RFID?
- A . Scalability
- B . Maintainability
- C . Nonrepudiation
- D . Privacy
An IS auditor has been asked to review an event log aggregation system to ensure risk management practices have been applied.
Which of the following should be of MOST concern to the auditor?
- A . Log feeds are uploaded via batch process.
- B . Completeness testing has not been performed on the log data.
- C . The log data is not normalized.
- D . Data encryption standards have not been considered.
B
Explanation:
The IS auditor should be most concerned if completeness testing has not been performed on the log data, because without it there is no evidence that the aggregated logs are complete: events may have been dropped in transit, corrupted, or tampered with, and the aggregation system cannot be relied on as an accurate record [1][2]. Completeness testing verifies that every log generated by a source system is collected, transferred, and stored by the aggregation system, with no gaps or inconsistencies in the log data [3][4]. It is essential for establishing the integrity and validity of the log data, and therefore for supporting the organization's risk management practices. The other options are lesser concerns: batch upload, lack of normalization, and unconsidered encryption affect timeliness, usability, and confidentiality, but not whether the evidence exists at all.
References
[1] Log Aggregation: How it Works, Methods, and Tools – Exabeam
[2] Log Aggregation & Monitoring Relation in Cybersecurity
[3] Log Aggregation: What It Is & How It Works | Datadog
[4] Data Flow Testing – GeeksforGeeks
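The completeness test described in the explanation, as an added example (not code from the original page or from any of the cited vendors). It assumes each log source stamps every event with a per-source, monotonically increasing sequence number starting at 1 and can report how many events it emitted in the period; the source inventory and the received events are constructed sample data.

```python
"""Completeness check for a log aggregation pipeline.

Added example, not code from the original page or from any of the cited
vendors. It assumes each log source stamps every event with a per-source,
monotonically increasing sequence number starting at 1 and can report how
many events it emitted in the period; both are assumptions about the
pipeline, not facts stated on the page.
"""
from collections import Counter, defaultdict

# Constructed sample data: what each source reports it emitted ...
SOURCE_COUNTS = {"web-01": 6, "db-01": 4, "fw-01": 3}

# ... and what actually arrived at the aggregator as (source, seq, message).
RECEIVED = [
    ("web-01", 1, "GET /login 200"),
    ("web-01", 2, "GET /login 200"),
    ("web-01", 3, "POST /login 302"),
    ("web-01", 5, "GET /admin 403"),   # seq 4 never arrived
    ("web-01", 6, "GET /admin 403"),
    ("web-01", 6, "GET /admin 403"),   # duplicate delivery (retry or replay)
    ("db-01", 1, "connect app_user"),
    ("db-01", 2, "SELECT ... FROM users"),
    ("db-01", 3, "disconnect app_user"),
    ("db-01", 4, "connect app_user"),
    # fw-01 reported 3 events but nothing arrived: a silent source
]


def completeness_report(source_counts, received):
    """Compare emitted vs. stored events per source.

    For each source in the inventory the result records:
      expected   - events the source says it emitted
      received   - distinct events stored by the aggregator
      missing    - sequence numbers never seen (dropped in transit)
      duplicates - sequence numbers seen more than once (retry/replay)
      silent     - the source reported events but none arrived
      complete   - True only when none of the above indicate a gap
    Sources that appear in the feed but not in the inventory are reported
    too, since an unregistered or spoofed source is a finding in itself.
    """
    seen = defaultdict(Counter)
    for source, seq, _msg in received:
        seen[source][seq] += 1

    report = {}
    for source, expected in source_counts.items():
        counts = seen.get(source, Counter())
        missing = sorted(set(range(1, expected + 1)) - set(counts))
        duplicates = sorted(seq for seq, n in counts.items() if n > 1)
        report[source] = {
            "expected": expected,
            "received": len(counts),
            "missing": missing,
            "duplicates": duplicates,
            "silent": not counts,
            "unknown_source": False,
            "complete": not missing and not duplicates and len(counts) == expected,
        }
    for source, counts in seen.items():
        if source not in source_counts:
            report[source] = {
                "expected": None, "received": len(counts), "missing": [],
                "duplicates": sorted(s for s, n in counts.items() if n > 1),
                "silent": False, "unknown_source": True, "complete": False,
            }
    return report


def incomplete_sources(report):
    """Sorted names of sources that failed the completeness check."""
    return sorted(src for src, r in report.items() if not r["complete"])


if __name__ == "__main__":
    rep = completeness_report(SOURCE_COUNTS, RECEIVED)
    for src, r in rep.items():
        print(src, r)
    print("FAILED:", incomplete_sources(rep))
```

Run against the constructed data, the check separates the three failure modes the explanation names: a gap in web-01 (seq 4 dropped, seq 6 duplicated), a source that went silent (fw-01), and a clean source (db-01). Where a source cannot supply a counter, the same reconciliation can be done by comparing the source's own rotated log file against the aggregator's copy for the period.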
A company has implemented an IT segregation of duties policy.
In a role-based environment, which of the following roles may be assigned to an application developer?
- A . IT operator
- B . System administration
- C . Emergency support
- D . Database administration
C
Explanation:
Segregation of duties (SOD) is a core internal control and an essential component of an effective risk management strategy. SOD emphasizes sharing the responsibilities of key business processes by distributing the discrete functions of these processes to multiple people and departments, helping to reduce the risk of possible errors and fraud [1].
SOD is especially important in IT security, where granting excessive system access to one person or group can lead to harmful consequences, such as data breaches, identity theft, or bypassing security controls [2]. SOD breaks IT-related tasks into four separate function categories: authorization, custody, recordkeeping, and reconciliation [1]. Ideally, no one person or department holds responsibility in multiple categories.
In a role-based environment, where access privileges are granted based on predefined roles, it is important to ensure that the roles are designed and assigned in a way that supports SOD. For example, the person who develops an application should not also be the one who tests it, deploys it, or maintains it.
Therefore, an application developer should not be assigned the roles of IT operator, system administration, or database administration, as these roles may conflict with their development role and create opportunities for misuse or abuse of the system. The only role that may be assigned to an application developer without violating SOD is emergency support, which is a temporary role that allows the developer to access the system in case of a critical issue that requires immediate resolution [3]. However, even this role should be granted with caution and monitored closely to ensure compliance with SOD policies.
References:
[1] Hyperproof Blog, Segregation of Duties: What it is and Why it's Important
[2] ISACA, CISA Review Questions, Answers & Explanations Database – 12 Month Subscription, QID 1066692
[3] Advisera Blog, Segregation of duties in your ISMS according to ISO 27001 A.6.1.2
[4] ISACA, CISA Review Manual, 27th Edition, 2019, page 282
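The role design described above, as an added example (not code from the original page or from ISACA): a static SoD matrix that refuses conflicting role pairs, plus the "granted with caution" rule for emergency support expressed as a separate approver and a short expiry. The role names come from the question; the conflict matrix, the 24-hour limit, and the sample assignments are assumptions made for illustration.

```python
"""Segregation-of-duties check for role assignments in an RBAC model.

Added example, not code from the original page or from ISACA. The role
names come from the question above; the conflict matrix, the rule that
emergency support needs a separate approver and a short expiry, and the
sample assignments are assumptions made for illustration.
"""
from datetime import datetime, timedelta, timezone

# Static SoD: pairs of roles one person must never hold at the same time.
# Assumed matrix; a real one is derived from the organization's process map.
CONFLICTING_ROLES = {
    frozenset({"application_developer", "it_operator"}),
    frozenset({"application_developer", "system_administration"}),
    frozenset({"application_developer", "database_administration"}),
    frozenset({"system_administration", "database_administration"}),
}

# Roles a developer may hold only as a bounded, approved exception.
TEMPORARY_ROLES = {"emergency_support"}
MAX_EMERGENCY_HOURS = 24  # assumed policy limit for break-glass access


def check_assignment(user, current_roles, new_role, *, approver=None,
                     expires_at=None, now=None):
    """Decide whether `new_role` may be added to `user`'s current roles.

    Returns (allowed, reasons). A role is refused if it forms a conflicting
    pair with any role already held. A temporary role additionally needs an
    approver other than the requester and an expiry no more than
    MAX_EMERGENCY_HOURS ahead, so the exception is reviewable and self-limiting.
    """
    now = now or datetime.now(timezone.utc)
    reasons = []
    for held in current_roles:
        if frozenset({held, new_role}) in CONFLICTING_ROLES:
            reasons.append(f"SoD conflict: {held} + {new_role}")
    if new_role in TEMPORARY_ROLES:
        if not approver:
            reasons.append("temporary role requires a named approver")
        elif approver == user:
            reasons.append("approver must differ from the requester")
        if expires_at is None:
            reasons.append("temporary role requires an expiry")
        elif expires_at <= now:
            reasons.append("expiry is in the past")
        elif expires_at - now > timedelta(hours=MAX_EMERGENCY_HOURS):
            reasons.append(f"expiry exceeds the {MAX_EMERGENCY_HOURS}h limit")
    return (not reasons, reasons)


def audit_assignments(assignments):
    """Find users whose current role set already violates the SoD matrix.

    `assignments` maps user -> iterable of roles. Returns
    {user: [(role_a, role_b), ...]} for every conflicting pair found.
    """
    findings = {}
    for user, roles in assignments.items():
        roles = sorted(set(roles))
        pairs = [(a, b) for i, a in enumerate(roles) for b in roles[i + 1:]
                 if frozenset({a, b}) in CONFLICTING_ROLES]
        if pairs:
            findings[user] = pairs
    return findings


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    print(check_assignment("dev1", {"application_developer"},
                           "database_administration", now=t0))
    print(check_assignment("dev1", {"application_developer"}, "emergency_support",
                           approver="oncall_mgr",
                           expires_at=t0 + timedelta(hours=4), now=t0))
    print(audit_assignments({"alice": {"application_developer", "it_operator"},
                             "bob": {"application_developer", "emergency_support"}}))
```

`check_assignment` is the preventive control at grant time; `audit_assignments` is the detective control an auditor would run over the current role table, where an existing developer-plus-operator combination shows up as a finding while developer-plus-emergency-support does not.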
Which of the following components of a risk assessment is MOST helpful to management in determining the level of risk mitigation to apply?
- A . Risk identification
- B . Risk classification
- C . Control self-assessment (CSA)
- D . Impact assessment
Which of the following would be MOST useful to an IS auditor when making recommendations to enable continual improvement of IT processes over time?
- A . IT incident log
- B . Benchmarking studies
- C . Maturity model
- D . IT risk register
An IS auditor finds ad hoc vulnerability scanning is in place with no clear alignment to the organization’s wider security threat and vulnerability management program.
Which of the following would BEST enable the organization to work toward improvement in this area?
- A . Implementing security logging to enhance threat and vulnerability management
- B . Maintaining a catalog of vulnerabilities that may impact mission-critical systems
- C . Using a capability maturity model to identify a path to an optimized program
- D . Outsourcing the threat and vulnerability management function to a third party
C
Explanation:
The best way to enable the organization to work toward improvement in its security threat and vulnerability management program is to use a capability maturity model to identify a path to an optimized program. A capability maturity model is a framework that helps organizations assess their current level of performance and maturity in a specific domain, and provides guidance and best practices to achieve higher levels of excellence [1][2]. A capability maturity model for vulnerability management can help the organization to evaluate its current practices, identify gaps and weaknesses, and implement improvement actions based on the defined criteria and objectives [3][4].
References
[1] What is a Capability Maturity Model?
[2] Capability Maturity Model – Wikipedia
[3] Vulnerability Management Maturity Model – SANS Institute
[4] 5 Stages Of Vulnerability Management Maturity Model – SecPod Blog
An IS auditor finds that one employee has unauthorized access to confidential data. The IS auditor's BEST recommendation should be to:
- A . reclassify the data to a lower level of confidentiality.
- B . require the business owner to conduct regular access reviews.
- C . implement a strong password schema for users.
- D . recommend corrective actions to be taken by the security administrator.
B
Explanation:
The best recommendation for an IS auditor who finds that one employee has unauthorized access to confidential data is to require the business owner to conduct regular access reviews. Access reviews are periodic assessments of user access rights and permissions to ensure that they are appropriate, necessary, and aligned with the business needs and objectives. Access reviews help to identify and remediate any unauthorized, excessive, or obsolete access that could pose a security risk or violate compliance requirements. The business owner is responsible for defining and approving the access requirements for their data and ensuring that they are enforced and monitored.
References:
CISA Review Manual (Digital Version)
CISA Questions, Answers & Explanations Database
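The access review described in the explanation, as an added example (not code from the original page or from ISACA): it reconciles the grants a system actually enforces against the data owner's approval list and the active staff list, and flags exactly the unauthorized, excessive, and obsolete access the explanation mentions. The three inputs, the field names, the 90-day dormancy threshold, and the sample rows are assumptions constructed for illustration.

```python
"""Periodic access review: reconcile live grants with owner approvals.

Added example, not code from the original page or from ISACA. It assumes
three inputs a reviewer can usually obtain: the data owner's approval list,
an export of current grants from the access control system, and the HR list
of active staff. Field names, the dormancy threshold and the sample rows are
constructed for illustration.
"""
from datetime import date, timedelta

# Owner approvals: (user, dataset) -> highest approved access level.
APPROVED = {
    ("alice", "payroll"): "read",
    ("bob", "payroll"): "read",
    ("carol", "customer_pii"): "write",
}

# Grants currently enforced by the system (constructed export).
GRANTED = [
    {"user": "alice", "dataset": "payroll", "level": "read", "last_used": date(2024, 5, 20)},
    {"user": "bob", "dataset": "payroll", "level": "write", "last_used": date(2024, 5, 1)},   # more than approved
    {"user": "dave", "dataset": "payroll", "level": "read", "last_used": date(2024, 5, 30)},  # never approved
    {"user": "carol", "dataset": "customer_pii", "level": "write", "last_used": date(2023, 11, 2)},  # unused for months
    {"user": "erin", "dataset": "customer_pii", "level": "read", "last_used": date(2024, 5, 25)},   # no longer employed
]

ACTIVE_USERS = {"alice", "bob", "carol", "dave"}
LEVEL_RANK = {"none": 0, "read": 1, "write": 2, "admin": 3}
DORMANT_AFTER = timedelta(days=90)  # assumed review policy


def review_access(approved, granted, active_users, review_date):
    """Return a list of (user, dataset, finding) for the owner to act on.

    Findings:
      orphaned     - grant belongs to someone who is no longer active
      unauthorized - grant has no approval from the data owner
      excessive    - grant exceeds the approved level
      dormant      - grant unused for longer than DORMANT_AFTER
      stale        - approval exists but no grant (approval list drift)
    """
    findings = []
    for g in granted:
        key = (g["user"], g["dataset"])
        if g["user"] not in active_users:
            findings.append((*key, "orphaned: user is no longer active"))
            continue  # the grant goes regardless of level or usage
        approved_level = approved.get(key, "none")
        if approved_level == "none":
            findings.append((*key, "unauthorized: no owner approval on record"))
        elif LEVEL_RANK[g["level"]] > LEVEL_RANK[approved_level]:
            findings.append((*key, f"excessive: granted {g['level']}, approved {approved_level}"))
        if review_date - g["last_used"] > DORMANT_AFTER:
            findings.append((*key, f"dormant: unused since {g['last_used'].isoformat()}"))
    granted_keys = {(g["user"], g["dataset"]) for g in granted}
    for key in approved:
        if key not in granted_keys:
            findings.append((*key, "stale: approved but no grant exists"))
    return findings


if __name__ == "__main__":
    for user, dataset, finding in review_access(APPROVED, GRANTED, ACTIVE_USERS, date(2024, 6, 1)):
        print(f"{user:6} {dataset:13} {finding}")
```

The single unauthorized user from the question (dave) is one row of the output; the point of making the owner run this on a schedule is that the same pass also surfaces the excessive, dormant and orphaned grants that a one-off fix by the security administrator would leave in place.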
Which of the following is the MOST important consideration when developing tabletop exercises within a cybersecurity incident response plan?
- A . Ensure participants are selected from all cross-functional units in the organization.
- B . Create exercises that are challenging enough to prove inadequacies in the current incident response plan.
- C . Ensure the incident response team will have enough distractions to simulate real-life situations.
- D . Identify the scope and scenarios that are relevant to current threats faced by the organization.
D
Explanation:
The most important consideration when developing tabletop exercises within a cybersecurity incident response plan is to identify the scope and scenarios that are relevant to current threats faced by the organization, as this will ensure that the exercises are realistic, meaningful, and effective in testing and improving the incident response capabilities [1][2]. The scope and scenarios should reflect the organization's risk profile, business objectives, and operational environment, and should cover a variety of potential incidents that could impact the organization's assets, operations, and reputation [3][4].
References
[1] Cybersecurity Incident Response Exercise Guidance – ISACA
[2] Cybersecurity Tabletop Exercises: Everything You Ever Wanted to Know
[3] CISA Tabletop Exercise Package
[4] Boost Your Incident Response Plan with Tabletop Exercises