Practice Free CISA Exam Online Questions
An IS auditor is reviewing an industrial control system (ICS) that uses older unsupported technology in the scope of an upcoming audit.
What should the auditor consider the MOST significant concern?
- A . Attack vectors are evolving for industrial control systems.
- B . There is a greater risk of system exploitation.
- C . Disaster recovery plans (DRPs) are not in place.
- D . Technical specifications are not documented.
B
Explanation:
The most significant concern is the greater risk of system exploitation. Exploitation occurs when an unauthorized party takes advantage of a vulnerability or weakness in a system to compromise its security or functionality, with consequences such as data loss, corruption, theft, manipulation, or denial of service (DoS). An ICS built on older unsupported technology is especially exposed: it may carry known or unknown vulnerabilities that the vendor will never patch, and no vendor support will be available when issues or incidents arise. The practical check for the auditor is whether the organization knows which components are past end of support, has compensating controls around them (network segmentation, strict access control, monitoring), and has a plan to replace or isolate them.

Attack vectors evolving for industrial control systems (A) is a valid concern, but not the most significant one. Attack vectors are the methods or pathways attackers use to reach a system, and they are evolving for ICSs as attackers develop new techniques and tools against increasingly connected and complex environments. This concern is not specific to older unsupported technology; it applies to any ICS regardless of its technology level.

Disaster recovery plans (DRPs) not being in place (C) is a valid concern, but not the most significant one. DRPs document the technical and operational steps for restoring the IT systems and infrastructure that support critical functions or processes in the event of a disruption or disaster, so their absence affects the availability and continuity of the ICS after a failure or incident. Again, this applies to any ICS regardless of its technology level.

Technical specifications not being documented (D) is a valid concern, but not the most significant one. Technical specifications describe the technical characteristics or requirements of a system or component, such as functionality, performance, and design, so their absence hampers the understanding, maintenance, and improvement of the ICS and its components. This, too, is not tied to older unsupported technology and may affect any ICS regardless of its technology level.
When determining the quality of evidence collected during an audit, it is MOST important to ensure the evidence is:
- A . Valid, complete, and accurate.
- B . Timely, reliable, and reasonable.
- C . Sufficient and comes from the source of the information.
- D . Persuasive and applicable.
D
Explanation:
ISACA defines sufficient and appropriate evidence as the standard for audit conclusions. Appropriateness relates to relevance (applicability) and reliability (persuasiveness). Evidence that is persuasive and directly applicable to the audit objective provides stronger assurance than evidence that is merely timely, complete, or reasonable. While the other options describe desirable qualities, they do not encompass the full ISACA standard. Thus, the most complete characterization of quality evidence is that it must be persuasive and applicable to the audit’s purpose.
Reference (ISACA): ISACA Audit & Assurance Standards; ISACA ITAF Guidelines on Evidence.
When planning a review of IT governance, an IS auditor is MOST likely to:
- A . assess whether business process owner responsibilities are consistent.
- B . obtain information about the control framework adopted by management.
- C . examine audit committee minutes for IT-related controls.
- D . define key performance indicators (KPIs).
An IS auditor is reviewing a network diagram.
Which of the following would be the BEST location for placement of a firewall?
- A . Between each host and the local network switch/hub
- B . Between virtual local area networks (VLANs)
- C . Inside the demilitarized zone (DMZ)
- D . At borders of network segments with different security levels
An IS auditor reviewing incident response management processes notices that resolution times for reoccurring incidents have not shown improvement.
Which of the following is the auditor’s BEST recommendation?
- A . Harden IT system and application components based on best practices.
- B . Incorporate a security information and event management (SIEM) system into incident response
- C . Implement a survey to determine future incident response training needs.
- D . Introduce problem management into incident response.
D
Explanation:
The auditor’s best recommendation is D, introduce problem management into incident response. Problem management is the practice of identifying, analyzing, and resolving the root causes of recurring incidents so that they stop recurring or have reduced impact. Incident management restores service as quickly as possible; problem management removes the underlying cause. Resolution times for recurring incidents therefore improve because the same issue stops reappearing, or because a known permanent fix or workaround can be reused or automated. This also improves the quality and efficiency of incident response by cutting the workload and complexity of dealing with repetitive issues. Hardening components (A), adding a SIEM (B), and surveying training needs (C) may each help, but none of them directly targets the root causes behind the lack of improvement.
An IS auditor learns that an organization did not conduct any penetration testing over one internet-facing webpage prior to of the following is the auditor’s BEST course of action?
- A . Revise IT security procedures to require penetration tests for internally developed services prior to deployment.
- B . Report a control deficiency, as no penetration test has been conducted and documented.
- C . Confirm whether vulnerability scanning was conducted after the webpage was deployed.
- D . Meet with IT and the information security team to determine why testing was not completed.
Which of the following is the GREATEST security risk associated with data migration from a legacy human resources (HR) system to a cloud-based system?
- A . Data from the source and target system may be intercepted.
- B . Data from the source and target system may have different data formats.
- C . Records past their retention period may not be migrated to the new system.
- D . System performance may be impacted by the migration
A
Explanation:
The greatest security risk in migrating data from a legacy human resources (HR) system to a cloud-based system is that data from the source and target systems may be intercepted. Data interception occurs when an unauthorized party captures or accesses data while it is transmitted over a network or stored on a system. It compromises the confidentiality and integrity of the data and can harm its owners or subjects, which matters particularly for HR data (identifiers, pay, health and disciplinary records). A migration transfers data over a network connection from one system or location to another, so the data is exposed during transit and while staged on intermediate or target systems that may not be trusted or adequately secured. The auditor should expect to see encryption in transit and at rest, a verified secure channel to the cloud provider, and integrity checks confirming that what arrived is what was sent.

Differing data formats (B) is a possible challenge but not a security risk. Data formats are the specifications that define how data is structured or encoded; they vary between systems and platforms, and a migration may require converting data from one format to another for compatibility and interoperability.

Records past their retention period not being migrated (C) is a possible outcome but not a security risk. The retention period defines how long data should be kept before it is deleted or destroyed, and depends on legal requirements, business needs, storage capacity, and similar factors. A migration may deliberately purge such records to reduce the volume and complexity of data transferred or to comply with regulations and policies.

System performance being impacted (D) is a possible operational impact but not a security risk. System performance measures how well a system functions, such as speed, reliability, and availability. A migration can consume significant resources or bandwidth and cause interruptions, delays, errors, or inconsistencies.
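As an added example (not part of the exam material above), the following Python shows the two controls a practitioner would expect to see mitigating the interception risk in option A: an HMAC-SHA256 integrity manifest that lets the cloud-side importer detect records modified, dropped or reordered in transit, and a strict TLS client context for the upload itself. The records, the shared key and the function names are constructed for illustration and are not from any real migration tool.

```python
"""Integrity manifest plus strict TLS context for an HR data migration batch.
Added example; records, key and names are constructed for illustration."""
import hashlib
import hmac
import json
import ssl
from typing import Dict, List

# Constructed sample HR records (not real data); field names are illustrative.
SOURCE_RECORDS: List[Dict[str, str]] = [
    {"emp_id": "1001", "name": "A. Example", "ssn": "000-00-0001", "salary": "52000"},
    {"emp_id": "1002", "name": "B. Example", "ssn": "000-00-0002", "salary": "61000"},
    {"emp_id": "1003", "name": "C. Example", "ssn": "000-00-0003", "salary": "47500"},
]

# Assumption: a batch key shared out-of-band between the legacy exporter and the
# cloud-side importer. Fixed demo value here; in practice it comes from a KMS/HSM.
MIGRATION_KEY = b"constructed-demo-key-do-not-reuse"


def canonical(record: Dict[str, str]) -> bytes:
    """Serialise a record deterministically so exporter and importer hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def build_manifest(records: List[Dict[str, str]], key: bytes) -> Dict[str, object]:
    """Per-record HMAC-SHA256 tags plus a batch tag over the ordered tag list.

    The batch tag catches records dropped, added or reordered in transit,
    which per-record tags alone would not reveal.
    """
    tags = [hmac.new(key, canonical(r), hashlib.sha256).hexdigest() for r in records]
    batch = hmac.new(key, "\n".join(tags).encode("utf-8"), hashlib.sha256).hexdigest()
    return {"count": len(tags), "records": tags, "batch": batch}


def verify_manifest(received: List[Dict[str, str]], manifest: Dict[str, object],
                    key: bytes) -> List[str]:
    """Return findings for the received batch; an empty list means it arrived intact."""
    findings: List[str] = []
    expected = build_manifest(received, key)
    if expected["count"] != manifest["count"]:
        findings.append(f"record count {expected['count']} != manifest {manifest['count']}")
    # compare_digest avoids timing side channels on the tag comparison
    for i, (got, want) in enumerate(zip(expected["records"], manifest["records"])):
        if not hmac.compare_digest(got, want):
            findings.append(f"record {i} modified in transit")
    if not hmac.compare_digest(expected["batch"], manifest["batch"]):
        findings.append("batch tag mismatch (content, count or order changed)")
    return findings


def migration_tls_context() -> ssl.SSLContext:
    """Client context the exporter should use for the upload: certificate chain and
    hostname verification on, TLS 1.2 minimum, so an on-path interceptor cannot
    downgrade the protocol or substitute a certificate."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_settings(ctx: ssl.SSLContext) -> Dict[str, object]:
    """Summarise the context settings an auditor would want as evidence."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def simulate_on_path_tamper(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Constructed attacker behaviour: alter one salary while the batch is in transit."""
    tampered = [dict(r) for r in records]
    tampered[1]["salary"] = "99000"
    return tampered


if __name__ == "__main__":
    manifest = build_manifest(SOURCE_RECORDS, MIGRATION_KEY)
    print("clean batch:", verify_manifest(SOURCE_RECORDS, manifest, MIGRATION_KEY))
    print("tampered batch:", verify_manifest(simulate_on_path_tamper(SOURCE_RECORDS),
                                             manifest, MIGRATION_KEY))
    print("TLS settings:", tls_settings(migration_tls_context()))
```

The manifest is sent alongside the batch (or ahead of it over a separate channel); the importer recomputes it with the same key and refuses to load anything that produces findings. The TLS context addresses the confidentiality half of the risk, the manifest the integrity half; neither replaces encrypting the staged export at rest.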
An organization has introduced a capability maturity model to the system development life cycle (SDLC) to measure improvements.
Which of the following is the BEST indication of successful process improvement?
- A . Evaluation results align with defined business goals
- B . Process maturity reaches the highest state of process optimization.
- C . Evaluation results exceed process maturity benchmarks against competitors.
- D . Processes demonstrate the mitigation of inherent business risk.
Which of the following physical controls provides the GREATEST assurance that only authorized individuals can access a data center?
- A . The data center is patrolled by a security guard.
- B . Access to the data center is monitored by video cameras.
- C . ID badges must be displayed before access is granted
- D . Access to the data center is controlled by a mantrap.
D
Explanation:
Access to the data center is controlled by a mantrap provides the greatest assurance that only authorized individuals can access a data center. A mantrap is a physical security device that consists of a small space with two sets of interlocking doors, such that the first set of doors must close before the second set opens [1]. A mantrap prevents unauthorized entry by requiring authentication at both doors, such as biometric scanners, card readers, or PIN codes. A mantrap also prevents tailgating, which is the act of following an authorized person into a restricted area without proper authorization [2]. A mantrap can also detect and trap intruders who attempt to force their way through the doors.
The other options are less effective physical controls for data center access. The data center is patrolled by a security guard is a deterrent measure, but it does not prevent unauthorized access by itself. A security guard may not be able to monitor all entry points, or may be distracted, bribed, or overpowered by intruders. Access to the data center is monitored by video cameras is a detective measure, but it does not prevent unauthorized access either. Video cameras can record the activities of intruders, but they cannot stop them from entering or alert the security personnel in real time. ID badges must be displayed before access is granted is a preventive measure, but it relies on human verification, which can be prone to errors or manipulation. ID badges can also be lost, stolen, or forged by intruders.
References: [1] Mantrap (access control) – Wikipedia. [2] Tailgating (security) – Wikipedia.
Which of the following is the GREATEST risk that could result from a contracted penetration tester attempting SQL injection techniques on the production system?
- A . The tester’s access could be elevated.
- B . Events could be improperly logged.
- C . Sensitive data could be exfiltrated.
- D . Production data could be altered.
