Practice Free CISA Exam Online Questions
Which of the following BEST indicates the effectiveness of an organization’s risk management program?
- A . Inherent risk is eliminated.
- B . Residual risk is minimized.
- C . Control risk is minimized.
- D . Overall risk is quantified.
B
Explanation:
The effectiveness of a risk management program can be measured by how well it reduces the residual risk, which is the risk that remains after applying controls, to an acceptable level. Inherent risk is the risk that exists before applying any controls, and it cannot be eliminated completely. Control risk is the risk that the controls fail to prevent or detect a risk event, and it is a component of residual risk. Overall risk is not a meaningful metric for assessing the effectiveness of a risk management program, as it does not account for the impact and likelihood of different risk events.
Reference: CISA Review Manual (Digital Version), Chapter 1, Section 1.2.2
Which of the following is the BEST way to enforce the principle of least privilege on a server containing data with different security classifications?
- A . Limiting access to the data files based on frequency of use
- B . Obtaining formal agreement by users to comply with the data classification policy
- C . Applying access controls determined by the data owner
- D . Using scripted access control lists to prevent unauthorized access to the server
C
Explanation:
The best way to enforce the principle of least privilege on a server containing data with different security classifications is to apply access controls determined by the data owner. The principle of least privilege states that users should only have the minimum level of access required to perform their tasks. The data owner is the person who has the authority and responsibility to classify, label, and protect the data according to its sensitivity and value. The data owner can define the access rights and permissions for each user or role based on the data classification policy and the business needs. This will ensure that only authorized and appropriate users can access the data and prevent unauthorized or excessive access that could compromise the confidentiality, integrity, or availability of the data.
Reference: CISA Review Manual (Digital Version); CISA Questions, Answers & Explanations Database
Which of the following should be the PRIMARY focus for any network design that deploys a Zero Trust architecture?
- A . Protecting network segments
- B . Protecting technology resources
- C . Maintaining network router operating system versions
- D . Ensuring a vendor-agnostic environment
Which of the following would be of GREATEST concern to an IS auditor reviewing an IT strategy document?
- A . Target architecture is defined at a technical level.
- B . The previous year’s IT strategic goals were not achieved.
- C . Strategic IT goals are derived solely from the latest market trends.
- D . Financial estimates of new initiatives are disclosed within the document.
C
Explanation:
The most concerning thing for an IS auditor reviewing an IT strategy document is that the strategic IT goals are derived solely from the latest market trends. An IT strategy document is a blueprint that defines how an organization will use technology to achieve its goals. It should be based on a thorough analysis of the organization’s internal and external factors, such as its vision, mission, values, objectives, strengths, weaknesses, opportunities, threats, customers, competitors, regulations, and industry standards. An IT strategy document should also align with the organization’s business strategy and reflect its unique needs and capabilities. If an IT strategy document is derived solely from the latest market trends, it may not be relevant or appropriate for the organization’s specific situation. It may also lack coherence, consistency, feasibility, or sustainability.
The other options are not as concerning as option C. Target architecture is defined at a technical level is not a concern for an IS auditor reviewing an IT strategy document. Target architecture is the desired state of an organization’s IT systems in terms of their structure, functionality, performance, security, interoperability, and integration. Defining target architecture at a technical level can help an IS auditor to understand how the organization plans to achieve its strategic IT goals and what technical requirements and standards it needs to follow. The previous year’s IT strategic goals were not achieved is not a concern for an IS auditor reviewing an IT strategy document. The previous year’s IT strategic goals are the outcomes that the organization intended to accomplish with its IT initiatives in the past year. Not achieving these goals may indicate some challenges or gaps in the organization’s IT performance or execution. However, this does not necessarily affect the quality or validity of the current IT strategy document. An IS auditor should focus on evaluating whether the current IT strategy document is realistic, measurable, achievable, relevant, and time-bound. Financial estimates of new initiatives are disclosed within the document is not a concern for an IS auditor reviewing an IT strategy document. Financial estimates are projections of the costs and benefits of new initiatives that are part of the IT strategy document. Disclosing financial estimates within the document can help an IS auditor to assess whether the new initiatives are aligned with the organization’s budget and resources and whether they provide value for money.
Reference: IT Strategy Template for a Successful Strategic Plan | Gartner; Definitive Guide to Developing an IT Strategy and Roadmap – CioPages; An Example of a Well-Developed IT Strategy Plan – Resolute
Which of the following is the MOST effective way for an IS auditor to ensure information is preserved when conducting a forensic investigation?
- A . Harden computer hardware and software.
- B . Image residual data and deleted files.
- C . Encode system logs and intrusion detection system (IDS) logs.
- D . Document all application programming interface (API) connections with third parties.
B
Explanation:
The forensic principle is to preserve evidence in its original state. Imaging, including capturing residual and deleted data, ensures that the full contents of a storage device are preserved for analysis while maintaining the chain of custody. Hardening (A) may alter system state. Encoding logs (C) is not preservation but transformation. Documenting APIs (D) helps investigation scope but does not preserve evidence. ISACA guidance on digital forensics stresses the importance of bit-level imaging and ensuring evidence integrity through hashing and proper custody documentation.
Reference (ISACA): ISACA Incident Response & Forensics Guidance; ISACA Journal – Forensic Readiness.
A new system development project is running late against a critical implementation deadline.
Which of the following is the MOST important activity?
- A . Ensure that code has been reviewed.
- B . Perform user acceptance testing (UAT).
- C . Document last-minute enhancements.
- D . Perform a pre-implementation audit.
Which of the following is the BEST recommendation by an IS auditor to prevent unauthorized access to Internet of Things (IoT) devices?
- A . IoT devices should only be accessible from the host network.
- B . IoT devices should log and alert on access attempts.
- C . IoT devices should require identification and authentication.
- D . IoT devices should monitor the use of device system accounts.
Based on best practices, which types of accounts should be disabled for interactive login?
- A . Local accounts
- B . Administrator accounts
- C . Console accounts
- D . Service accounts
D
Explanation:
Service accounts are used by applications or systems to perform automated tasks and should not be allowed for interactive login, as they present security risks if compromised.
- Service accounts (correct answer – D): used for running background tasks (e.g., database services, scheduled jobs). They should have minimal permissions and be denied interactive logins. Example: a compromised service account with interactive login could allow attackers to gain system access.
- Local accounts (incorrect – A): local administrator accounts should be restricted but may still be required for some systems.
- Administrator accounts (incorrect – B): should be restricted, but disabling them entirely could lock out system management.
- Console accounts (incorrect – C): console access is sometimes needed for system recovery and troubleshooting.
Reference: ISACA CISA Review Manual; NIST SP 800-63B (Digital Identity Guidelines); CIS (Center for Internet Security) Best Practices
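As an added illustration of why service accounts are denied interactive logon (this code is not part of the exam material or any ISACA publication), the following Python detection scans Windows Security 4624 logon events and flags those where a service account used an interactive logon type. The event lines are constructed, and the `svc_` naming prefix used to recognise service accounts is an assumption about the environment.

```python
import re
from dataclasses import dataclass
from typing import List

# Windows logon types that represent a human-style session (console, RDP, cached console).
INTERACTIVE_LOGON_TYPES = {2: "Interactive", 10: "RemoteInteractive", 11: "CachedInteractive"}

# Assumed naming convention for service accounts in this (constructed) environment.
SERVICE_ACCOUNT_PREFIX = "svc_"

# Constructed sample events, flattened to key=value form for the example.
SAMPLE_EVENTS = """\
EventID=4624 Account=svc_backup LogonType=5 Source=127.0.0.1
EventID=4624 Account=jsmith LogonType=2 Source=127.0.0.1
EventID=4624 Account=svc_sql LogonType=10 Source=10.0.0.25
EventID=4624 Account=svc_sql LogonType=3 Source=10.0.0.40
EventID=4625 Account=svc_web LogonType=2 Source=10.0.0.9
EventID=4624 Account=svc_web LogonType=2 Source=10.0.0.9
"""

EVENT_RE = re.compile(r"EventID=(\d+) Account=(\S+) LogonType=(\d+) Source=(\S+)")


@dataclass(frozen=True)
class Finding:
    account: str
    logon_type: int
    logon_name: str
    source: str


def is_service_account(account: str) -> bool:
    """Service accounts are recognised by the assumed svc_ prefix."""
    return account.lower().startswith(SERVICE_ACCOUNT_PREFIX)


def find_interactive_service_logons(log_text: str) -> List[Finding]:
    """Return successful (4624) logons where a service account used an interactive logon type."""
    findings = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the detection
        event_id, account, logon_type, source = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        if event_id != "4624":
            continue  # failed logons (4625) would be a separate alert, not a control failure
        if is_service_account(account) and logon_type in INTERACTIVE_LOGON_TYPES:
            findings.append(Finding(account, logon_type, INTERACTIVE_LOGON_TYPES[logon_type], source))
    return findings
```

Running `find_interactive_service_logons(SAMPLE_EVENTS)` on the constructed events returns two findings (the RDP logon by `svc_sql` and the console logon by `svc_web`); the service-type logon by `svc_backup` and the human user's console logon are left alone.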
During a new system implementation, an IS auditor has been assigned to review risk management at each milestone. The auditor finds that several risks to project benefits have not been addressed.
Who should be accountable for managing these risks?
- A . Enterprise risk manager
- B . Project sponsor
- C . Information security officer
- D . Project manager
D
Explanation:
The project manager should be accountable for managing the risks to project benefits. Project benefits are the expected outcomes or value that a project delivers to its stakeholders, such as improved efficiency, quality, customer satisfaction, or revenue. Project risks are uncertain events or conditions that may affect the project objectives, scope, budget, schedule, or quality. The project manager is responsible for identifying, analyzing, prioritizing, responding to, and monitoring project risks throughout the project life cycle. The other options are not accountable for managing project risks, as they have different roles and responsibilities. The enterprise risk manager is responsible for overseeing the organization’s overall risk management framework and strategy, but not for managing specific project risks. The project sponsor is responsible for initiating, approving, and supporting the project, but not for managing project risks. The information security officer is responsible for ensuring that the project complies with the organization’s information security policies and standards, but not for managing project risks.
Reference: CISA Review Manual (Digital Version), Chapter 3, Section 3.3
The use of access control lists (ACLs) is the MOST effective method to mitigate security risk for routers because they:
- A . are recommended by security standards.
- B . can limit Telnet and traffic from the open Internet.
- C . act as filters between the world and the network.
- D . can detect cyberattacks.
B
Explanation:
The use of access control lists (ACLs) is the most effective method to mitigate security risk for routers because they can limit Telnet and traffic from the open Internet. Telnet is a protocol that allows remote access to a device, which can pose a security threat if not properly controlled. Traffic from the open Internet can also contain malicious packets that can harm the network or the router itself. ACLs act as filters that can block or allow specific types of traffic based on predefined criteria, such as source and destination addresses, protocols, ports, and flags. By using ACLs, routers can prevent unauthorized access and reduce the exposure to potential attacks.
Reference: Protecting Your Core: Infrastructure Protection Access Control Lists; Definition, purposes, benefits, and functions of ACL; CISA Review Manual 27th Edition, page 336
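To make the filtering behaviour described above concrete, here is an added Python model of router ACL evaluation (not from the CISA manual or any vendor): rules match on protocol, source and destination address and destination port, the first match wins, and anything unmatched falls through to the implicit deny. The rule set, the addresses and the 10.0.0.0/8 management network are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp", "icmp", or "ip" for any protocol
    src: str                      # CIDR source; "0.0.0.0/0" means any
    dst: str                      # CIDR destination
    dport: Optional[int] = None   # None matches any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when protocol, both addresses and (if specified) the port agree."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Return the action of the first matching rule; order matters, and unmatched traffic is denied."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"  # the implicit deny at the end of every ACL


# Constructed inbound ACL protecting a router management address (192.0.2.1) and a
# DMZ web server (192.0.2.10). The 10.0.0.0/8 management network is an assumption.
INBOUND_ACL = [
    Rule("permit", "tcp", "10.0.0.0/8", "192.0.2.1/32", 23),   # Telnet only from the management net
    Rule("permit", "tcp", "10.0.0.0/8", "192.0.2.1/32", 22),   # SSH only from the management net
    Rule("deny", "tcp", "0.0.0.0/0", "0.0.0.0/0", 23),         # Telnet from anywhere else is dropped
    Rule("permit", "tcp", "0.0.0.0/0", "192.0.2.10/32", 443),  # public HTTPS to the DMZ server
    # anything not listed above falls through to the implicit deny
]
```

Swapping the order of the deny rule and the management permits would silently block Telnet from the management network too, which is why ACL audits check rule ordering and not just rule presence.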
