Practice Free CISA Exam Online Questions
Which type of attack poses the GREATEST risk to an organization’s most sensitive data?
- A . Password attack
- B . Eavesdropping attack
- C . Insider attack
- D . Spear phishing attack
C
Explanation:
An insider attack poses the greatest risk to an organization’s most sensitive data. An insider attack is a type of cyberattack that is carried out by someone who has legitimate access to the organization’s network, systems, or data, such as an employee, contractor, or business partner. An insider attack can be intentional or unintentional, malicious or negligent, and can have various motives, such as financial gain, revenge, espionage, sabotage, or curiosity.
An insider attack poses the greatest risk to an organization’s most sensitive data because:
An insider has a high level of trust and privilege within the organization, which allows them to bypass security controls and access confidential or restricted data without raising suspicion or detection.
An insider has a deep knowledge of the organization’s operations, processes, policies, and vulnerabilities, which enables them to exploit them effectively and cause maximum damage or disruption.
An insider can use various techniques and tools to conceal their identity and actions, such as encryption, steganography, deletion, or alteration of logs or evidence.
An insider can cause significant harm or loss to the organization in terms of data integrity, availability, confidentiality, reputation, compliance, and profitability.
According to the 2023 Cost of Insider Threats Global Report by Ponemon Institute and ObserveIT, the average annual cost of insider threats for organizations worldwide was $11.45 million in 2022, a 31% increase from 2018. The report also found that the average number of incidents per organization was 77 in 2022, a 47% increase from 2018. The report classified insider threats into three categories: careless or negligent employees or contractors, criminal or malicious insiders, and credential thieves. The report revealed that careless or negligent insiders were the most common and costly type of insider threat, accounting for 62% of all incidents and $4.58 million in costs.
The other options are not the greatest risk to an organization’s most sensitive data, although they can still pose significant threats.
A password attack is a type of cyberattack that attempts to guess or crack a user’s password to gain unauthorized access to their account or system. A password attack can use various methods, such as brute force, dictionary, rainbow table, phishing, keylogging, or social engineering. A password attack can compromise the security and privacy of the user’s data and information. However, a password attack can be prevented or mitigated by using strong and unique passwords, changing passwords frequently, enabling multi-factor authentication (MFA), and avoiding clicking on suspicious links or attachments.
An eavesdropping attack is a type of cyberattack that intercepts or monitors the communication between two parties without their knowledge or consent. An eavesdropping attack can use various techniques, such as wiretapping, packet sniffing, man-in-the-middle (MITM), or side-channel. An eavesdropping attack can expose the content and metadata of the communication, such as messages, files, voice calls, emails, etc. However, an eavesdropping attack can be prevented or mitigated by using encryption, authentication, digital signatures, VPNs (virtual private networks), or secure protocols.
A spear phishing attack is a type of phishing attack that targets a specific individual or group with personalized and convincing emails that appear to come from a trusted source. A spear phishing attack aims to trick the recipient into clicking on a malicious link or attachment that can infect their device with malware or steal their credentials or data. A spear phishing attack can compromise the security and privacy of the recipient’s data and information. However, a spear phishing attack can be prevented or mitigated by verifying the sender’s identity and email address, checking the email content for spelling and grammar errors, hovering over links before clicking on them (or not clicking at all), scanning attachments for viruses before opening them (or not opening at all), and reporting suspicious emails to IT security staff.
Which of the following BEST demonstrates to senior management and the board that an audit function is compliant with standards and the code of ethics?
- A . Audit staff interviews
- B . Quality control reviews
- C . Control self-assessments (CSAs)
- D . Corrective action plans
B
Explanation:
Quality control reviews are the best way to demonstrate to senior management and the board that an audit function is compliant with standards and the code of ethics. These reviews assess the efficiency and effectiveness of the audit function, ensure compliance with audit standards and ethics, and identify areas for improvement. While audit staff interviews, control self-assessments (CSAs), and corrective action plans can provide valuable insights, they do not offer the same level of assurance as a comprehensive quality control review.
Reference: The Institute of Internal Auditors; AuditBoard
An organization is migrating its HR application to an Infrastructure as a Service (IaaS) model in a private cloud.
Who is PRIMARILY responsible for the security configurations of the deployed application’s operating system?
- A . The cloud provider’s external auditor
- B . The cloud provider
- C . The operating system vendor
- D . The organization
D
Explanation:
The organization is primarily responsible for the security configurations of the deployed application’s operating system when migrating its HR application to an Infrastructure as a Service (IaaS) model in a private cloud. This is because in an IaaS model, the cloud provider is responsible for the security of the underlying infrastructure that they lease to their customers, such as servers, storage, and networks, while the customer is responsible for the security of the areas of the cloud infrastructure over which they have control, such as operating systems, middleware, and applications. Therefore, the organization needs to ensure that the operating system is properly configured, patched, hardened, and monitored to protect the HR application from unauthorized access or malicious attacks.
The other options are not primarily responsible for the security configurations of the deployed application’s operating system. The cloud provider’s external auditor is not responsible for any security configurations, but rather for verifying and reporting on the cloud provider’s compliance with relevant standards and regulations. The cloud provider is responsible for the security of the underlying infrastructure, but not for the operating system or any software installed on it by the customer. The operating system vendor is responsible for providing updates and patches for the operating system, but not for configuring or securing it according to the customer’s needs.
Reference: What Is IaaS (Infrastructure As A Service)? – Forbes
What is Shared Responsibility Model? – Check Point Software
Who Is Responsible for Cloud Security? – Security Intelligence
An IS auditor requests direct access to data required to perform audit procedures instead of asking management to provide the data.
Which of the following is the PRIMARY advantage of this approach?
- A . Audit transparency
- B . Data confidentiality
- C . Professionalism
- D . Audit efficiency
D
Explanation:
The primary advantage of this approach is that it improves audit efficiency. Audit efficiency is the measure of how well the audit resources are used to achieve the audit objectives. Audit efficiency can be enhanced by using methods or techniques that can save time, cost, or effort without compromising the quality or scope of the audit. By requesting direct access to data required to perform audit procedures instead of asking management to provide the data, the auditor can reduce the dependency on management’s cooperation, availability, or timeliness. The auditor can also avoid potential delays, errors, or biases that may occur when management provides the data.
Reference: CISA Review Manual (Digital Version), Chapter 2, Section 2.4; CISA Online Review Course, Domain 1, Module 1, Lesson 4
Which of the following data would be used when performing a business impact analysis (BIA)?
- A . Projected impact of current business on future business
- B . Cost-benefit analysis of running the current business
- C . Cost of regulatory compliance
- D . Expected costs for recovering the business
D
Explanation:
The expected costs for recovering the business would be used when performing a business impact analysis (BIA). A BIA is a process of identifying and evaluating the potential effects of disruptions to critical business functions or processes. A BIA helps to determine the recovery priorities, strategies, and resources needed to resume normal operations after a disruption. One of the key outputs of a BIA is an estimate of the financial losses or costs associated with different types of disruptions, such as lost revenue, increased expenses, contractual penalties, or regulatory fines.
A senior auditor is reviewing work papers prepared by a junior auditor indicating that a finding was removed after the auditee said they corrected the problem.
Which of the following is the senior auditor’s MOST appropriate course of action?
- A . Ask the auditee to retest
- B . Approve the work papers as written
- C . Have the finding reinstated
- D . Refer the issue to the audit director
C
Explanation:
The senior auditor’s most appropriate course of action is to have the finding reinstated, because the auditee’s claim of correcting the problem is not sufficient evidence to support the removal of the finding. The auditor should verify that the corrective action has been implemented effectively and that it has resolved the underlying issue or risk. The auditor should also document the evidence and results of the verification in the work papers. The other options are not appropriate, because they either accept the auditee’s claim without verification, delegate the responsibility to the auditee, or escalate the issue unnecessarily.
Reference: ISACA, CISA Review Manual, 27th Edition, Chapter 1, Section 1.5
ISACA, IT Audit and Assurance Standards, Guidelines and Tools and Techniques for IS Audit and Assurance Professionals, Section 1206
Which of the following job scheduling schemes for operating system updates is MOST likely to adequately balance protection of workstations with user requirements?
- A . Automated patching jobs and immediate restart
- B . Automated patching jobs followed by a scheduled restart outside of business hours
- C . End users can initiate patching including subsequent system restarts
- D . Applying only those patches not requiring a system restart
Which of the following is MOST likely to be a project deliverable of an agile software development methodology?
- A . Strictly managed software requirements baselines
- B . Extensive project documentation
- C . Automated software programming routines
- D . Rapidly created working prototypes
D
Explanation:
A project deliverable is a tangible or intangible product or service that is produced as a result of a project and delivered to the customer or stakeholder. A project deliverable can be either an intermediate deliverable that is part of the project process or a final deliverable that is the outcome of the project.
An agile software development methodology is a project management approach that involves breaking the project into phases and emphasizes continuous collaboration and improvement. Teams follow a cycle of planning, executing, and evaluating. Agile software development methodologies value working software over comprehensive documentation and respond to change over following a plan.
Rapidly created working prototypes are most likely to be a project deliverable of an agile software development methodology because they:
Provide early and frequent feedback from customers and stakeholders on the functionality and usability of the software product
Allow for rapid validation and verification of the software requirements and design
Enable continuous improvement and adaptation of the software product based on changing customer needs and expectations
Reduce the risk of delivering a software product that does not meet customer needs or expectations
Increase customer satisfaction and trust by delivering working software products frequently and consistently
Some examples of agile software development methodologies that use rapidly created working prototypes as project deliverables are:
Scrum – a framework that organizes the work into fixed-length sprints (usually 2-4 weeks) and delivers potentially shippable increments of the software product at the end of each sprint
Extreme Programming (XP) – a methodology that focuses on delivering high-quality software products through practices such as test-driven development, pair programming, continuous integration, and frequent releases
Rapid Application Development (RAD) – a methodology that emphasizes rapid prototyping and user involvement throughout the software development process
The other options are not likely to be project deliverables of an agile software development methodology.
Strictly managed software requirements baselines are not likely to be project deliverables of an agile software development methodology. A software requirements baseline is a set of agreed-upon and approved software requirements that serve as the basis for the software design, development, testing, and delivery. A strictly managed software requirements baseline is a software requirements baseline that is controlled and changed only through a formal change management process. Strictly managed software requirements baselines are more suitable for traditional or waterfall software development methodologies that follow a linear and sequential process of defining, designing, developing, testing, and delivering software products. Strictly managed software requirements baselines are not compatible with agile software development methodologies that embrace change and flexibility in the software requirements based on customer feedback and evolving needs.
Extensive project documentation is not likely to be a project deliverable of an agile software development methodology. Project documentation is any written or electronic information that describes or records the activities, processes, results, or decisions of a project. Extensive project documentation is project documentation that covers every aspect of the project in detail and requires significant time and effort to produce and maintain. Extensive project documentation is more suitable for traditional or waterfall software development methodologies that rely on comprehensive documentation to communicate and document the project scope, requirements, design, testing, and delivery. Extensive project documentation is not compatible with agile software development methodologies that value working software over comprehensive documentation and use minimal documentation to support the communication and collaboration among the project team members.
Automated software programming routines are not likely to be project deliverables of an agile software development methodology. Automated software programming routines are programs or scripts that perform repetitive or complex tasks in the software development process without human intervention. Automated software programming routines can improve the efficiency, quality, and consistency of the software development process by reducing human errors, saving time, and enforcing standards. Automated software programming routines can be used in any software development methodology, but they are not specific to agile software development methodologies. Automated software programming routines are not considered project deliverables because they are not part of the final product that is delivered to the customer.
Which type of threat can utilize a large group of automated social media accounts to steal data, send spam, or launch distributed denial of service (DDoS) attacks?
- A . Botnet attack
- B . Data mining
- C . Phishing attempt
- D . Malware sharing
Which of the following is the BEST approach for determining the overall IT risk appetite of an organization when business units use different methods for managing IT risks?
- A . Average the business units’ IT risk levels
- B . Identify the highest-rated IT risk level among the business units
- C . Prioritize the organization’s IT risk scenarios
- D . Establish a global IT risk scoring criteria
C
Explanation:
The best approach for determining the overall IT risk appetite of an organization when business units use different methods for managing IT risks is to prioritize the organization’s IT risk scenarios. IT risk appetite is the amount and type of IT risk that an organization is willing to accept in pursuit of its objectives. IT risk scenarios are hypothetical situations that describe the potential impact of IT risk events on the organization’s objectives, processes, and resources. By prioritizing the organization’s IT risk scenarios, the IS auditor can identify the most significant IT risks that affect the organization as a whole, and align them with the organization’s strategic goals, values, and culture. Prioritizing the organization’s IT risk scenarios can also help to communicate and monitor the IT risk appetite across the organization, and facilitate consistent and informed decision making. The other approaches (A, B and D) are not effective for determining the overall IT risk appetite of an organization, as they do not consider the impact and likelihood of IT risks on the organization’s objectives, nor do they account for the diversity and complexity of IT risks across different business units.
Reference: CISA Review Manual (Digital Version), Chapter 2: Governance and Management of Information Technology, Section 2.3: Information Technology Risk Management
