Practice Free CISA Exam Online Questions
Which of the following should an organization do to anticipate the effects of a disaster?
- A . Define recovery point objectives (RPO)
- B . Simulate a disaster recovery
- C . Develop a business impact analysis (BIA)
- D . Analyze capability maturity model gaps
C
Explanation:
A business impact analysis (BIA) identifies an organization's critical business processes and assesses the operational, financial, and regulatory consequences of their disruption, including how those consequences grow the longer the outage lasts. It is therefore the activity that anticipates what a disaster would do to the organization and gives management the basis for deciding what to recover first and how fast. The other options do not anticipate effects: recovery point objectives (A) are outputs that depend on a BIA having already established how much data loss each process can tolerate; simulating a disaster recovery (B) tests a plan that must already exist; analyzing capability maturity model gaps (D) measures process maturity, not disaster impact.
Reference: Business Impact Analysis (BIA): Prepare for Anything [2023], Asana
Definition of Business Impact Analysis (BIA), IT Glossary, Gartner Information Technology
Business impact analysis (BIA) is a method to predict the consequences of disruptions to a business, its processes and systems by collecting relevant data.
Using swipe cards to limit employee access to restricted areas requires implementing which additional control?
- A . Physical sign-in of all employees for access to restricted areas
- B . Implementation of additional PIN pads
- C . Periodic review of access profiles by management
- D . Installation of closed-circuit television (CCTV)
C
Explanation:
Periodic review of access profiles by management is the additional control required when swipe cards are used to limit employee access to restricted areas. Swipe cards are a physical access control that uses a magnetic stripe or radio frequency identification (RFID) to identify the cardholder and look up the access rights assigned to that card. They prevent unauthorized entry and produce an access log, but the card system only enforces whatever rights are currently stored in it; it cannot tell whether those rights are still appropriate. A card issued to an employee who has since changed roles or left the organization keeps opening doors until someone reviews the profile and revokes it.
The candidate controls compare as follows:
Periodic review of access profiles by management: a management (administrative) control in which the owners of the restricted areas confirm that the rights assigned to each cardholder are appropriate, necessary, and consistent with policy. The review detects outdated rights left over from transfers and terminations, excessive rights beyond what the role needs, redundant cards held by one person, segregation-of-duties conflicts created by combining zones, and unauthorized changes to the card database. It also provides the evidence internal and external auditors expect for access control.
Implementation of additional PIN pads: a form of multi-factor authentication (MFA) that requires the cardholder to enter a personal identification number (PIN) in addition to presenting the card. This reduces the risk that a lost, stolen, or cloned card is used by someone else, but it does nothing about rights that should no longer exist.
Installation of closed-circuit television (CCTV): a detective control that records who enters the area and supports real-time monitoring and investigation. It deters intruders and provides evidence after the fact, but it does not keep the access rights themselves correct.
Physical sign-in of all employees for access to restricted areas is redundant with the card system, easily bypassed or falsified, and provides no verification of the identity or access rights of the cardholders. PIN pads and CCTV strengthen authentication and detection respectively, but neither addresses the weakness that swipe cards inherently leave open: rights that are granted correctly today drift out of date. Periodic review of access profiles by management closes that gap and is therefore the required additional control.
Reference: ISACA, CISA Review Manual, 27th Edition, 2019, p. 236
ISACA, ITAF: A Professional Practices Framework for IS Audit/Assurance, 3rd Edition, 2014, p. 88
Data Analytics for Auditing Access Control
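A periodic access-profile review is usually performed by reconciling the badge system's export against the HR roster and a role-to-zone entitlement matrix. The following script is an added example written for this page, not code from ISACA or from any badge vendor; the record layout (card_id, emp_id, zones, status, dept) and all of the sample data are constructed for illustration. It flags the four conditions the explanation above names as what a review should catch: cards held by terminated staff, cards with no HR record (orphans), zones beyond the department's entitlement (excessive rights), and multiple cards held by one employee (redundant rights).

```python
"""Periodic review of swipe-card access profiles (constructed example).

Reconciles a badge-system export against the HR roster and a
department-to-zone entitlement matrix. Field names and sample data are
assumptions made for this example, not the schema of a real badge system.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    card_id: str
    issue: str      # one of: terminated, orphan, excessive, redundant
    detail: str


# Constructed sample: what the badge system currently lets each card open.
BADGE_EXPORT = [
    {"card_id": "C100", "emp_id": "E1", "zones": {"lobby", "server_room"}},
    {"card_id": "C101", "emp_id": "E2", "zones": {"lobby", "finance_vault"}},
    {"card_id": "C102", "emp_id": "E3", "zones": {"lobby", "server_room"}},  # E3 has left
    {"card_id": "C103", "emp_id": "E1", "zones": {"lobby"}},                # second card for E1
    {"card_id": "C104", "emp_id": "E9", "zones": {"lobby", "server_room"}},  # no HR record
    {"card_id": "C105", "emp_id": "E4", "zones": {"lobby", "server_room", "finance_vault"}},
]

# Constructed sample: the authoritative HR roster.
HR_ROSTER = {
    "E1": {"status": "active", "dept": "it_ops"},
    "E2": {"status": "active", "dept": "finance"},
    "E3": {"status": "terminated", "dept": "it_ops"},
    "E4": {"status": "active", "dept": "it_ops"},
}

# Constructed sample: zones each department is entitled to by policy.
ENTITLEMENTS = {
    "it_ops": {"lobby", "server_room"},
    "finance": {"lobby", "finance_vault"},
}


def review_access_profiles(badge_export, hr_roster, entitlements):
    """Return the findings a reviewer must act on (revoke, reduce, or explain)."""
    findings = []

    # Index cards by employee so redundant cards can be spotted.
    cards_per_emp = {}
    for card in badge_export:
        cards_per_emp.setdefault(card["emp_id"], []).append(card["card_id"])

    for card in badge_export:
        cid, eid = card["card_id"], card["emp_id"]
        person = hr_roster.get(eid)

        # Orphan: the card system knows an identity HR does not.
        if person is None:
            findings.append(Finding(cid, "orphan", f"{eid} has no HR record"))
            continue

        # Outdated right: the holder is no longer an active employee.
        if person["status"] != "active":
            findings.append(Finding(
                cid, "terminated",
                f"{eid} is {person['status']} but the card is still active"))
            continue

        # Excessive right: a zone the holder's department is not entitled to.
        excess = card["zones"] - entitlements.get(person["dept"], set())
        if excess:
            findings.append(Finding(
                cid, "excessive",
                f"{eid} ({person['dept']}) holds {sorted(excess)}"))

        # Redundant right: one person holding more than one active card.
        if len(cards_per_emp[eid]) > 1:
            findings.append(Finding(
                cid, "redundant",
                f"{eid} holds cards {sorted(cards_per_emp[eid])}"))

    return findings


if __name__ == "__main__":
    for f in review_access_profiles(BADGE_EXPORT, HR_ROSTER, ENTITLEMENTS):
        print(f"{f.card_id}  {f.issue:<10} {f.detail}")
```

On the sample data the review produces five findings: C102 (terminated holder), C104 (orphan), C105 (excessive: finance_vault outside the it_ops entitlement), and C100 and C103 (redundant: two cards for E1). C101 is clean. The point of the exercise is that none of these conditions is visible to the card reader at the door; only a review that compares the stored profiles against an authoritative source surfaces them.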
Which of the following is the MOST reliable way for an IS auditor to evaluate the operational effectiveness of an organization’s data loss prevention (DLP) controls?
- A . Verify that confidential files cannot be transmitted to a personal USB device.
- B . Conduct interviews to identify possible data protection vulnerabilities.
- C . Review data classification levels based on industry best practice.
- D . Verify that current DLP software is installed on all computer systems.
Which of the following should be of GREATEST concern to an IS auditor assessing an organization’s patch management program?
- A . Patches are deployed from multiple deployment servers.
- B . There is no process in place to scan the network to identify missing patches.
- C . Patches for medium- and low-risk vulnerabilities are omitted.
- D . There is no process in place to quarantine servers that have not been patched.
Which of the following is an IS auditor’s BEST course of action when the auditee indicates that a corrective action plan for a high-risk finding will take longer than expected?
- A . Accept the longer target date and document it in the audit system.
- B . Determine if an interim compensating control has been implemented.
- C . Escalate the overdue finding to the audit committee.
- D . Require that remediation is completed in the agreed timeframe.
Which of the following is the BEST disposal method for flash drives that previously stored confidential data?
- A . Destruction
- B . Degaussing
- C . Cryptographic erasure
- D . Overwriting
During a follow-up audit, an IS auditor learns that some key management personnel have been replaced since the original audit, and current management has decided not to implement some previously accepted recommendations.
What is the auditor’s BEST course of action?
- A . Notify the chair of the audit committee.
- B . Notify the audit manager.
- C . Retest the control.
- D . Close the audit finding.
B
Explanation:
The auditor's best course of action in this situation is to notify the audit manager. The audit manager is responsible for overseeing the audit follow-up process and ensuring that audit issues are resolved in a timely and satisfactory manner. The audit manager can then decide whether to escalate the matter to higher authorities, such as the chair of the audit committee, or to accept management's decision to take the risk and close the audit finding. The other options are not appropriate for the auditor to take without consulting the audit manager first. Notifying the chair of the audit committee directly is a drastic step that may undermine the relationship between the auditor and management, and it should be done only after other means of resolving the issue have been exhausted. Retesting the control is not useful, since management has already decided not to implement the recommendations, so there is nothing new to test. Closing the audit finding is premature, since management's decision may not be consistent with the audit objectives or the organization's risk appetite, and that judgment belongs to audit management and the audit committee rather than to the individual auditor.
Reference: CISA Review Manual (Digital Version), Chapter 2, Section 2.4
An IS auditor is reviewing documentation from a change that was applied to an application.
Which of the following findings would be the GREATEST concern?
- A . Testing documentation does not show manager approval.
- B . Testing documentation is dated three weeks before the system implementation date.
- C . Testing documentation is approved prior to completion of user acceptance testing (UAT).
- D . Testing documentation is kept in hard copy format.
A small organization is experiencing rapid growth and plans to create a new information security policy.
Which of the following is MOST relevant to creating the policy?
- A . Business objectives
- B . Business impact analysis (BIA)
- C . Enterprise architecture (EA)
- D . Recent incident trends
An external attacker spoofing an internal Internet Protocol (IP) address can BEST be detected by which of the following?
- A . Comparing the source address to the domain name server (DNS) entry
- B . Using static IP addresses for identification
- C . Comparing the source address to the interface used as the entry point
- D . Using a state table to compare the message states of each packet as it enters the system
