Practice Free CISA Exam Online Questions
Which of the following should be given GREATEST consideration when implementing the use of an open-source product?
- A . Support
- B . Performance
- C . Confidentiality
- D . Usability
A
Explanation:
Support should be given the greatest consideration when implementing the use of an open-source product, as open-source software may not have the same level of technical support, maintenance, and updates as proprietary software. Open-source software users may have to rely on the community of developers and users, online forums, or third-party vendors for support, which may not be timely, reliable, or consistent. Therefore, before implementing an open-source product, users should evaluate the availability and quality of support options, such as documentation, forums, mailing lists, bug trackers, chat channels, etc.
An IS auditor is reviewing the service management of an outsourced help desk.
Which of the following is the BEST indicator of how effectively the service provider is performing this function?
- A . Average ticket age
- B . Number of calls worked
- C . Customer satisfaction ratings
- D . Call transcript reviews
Which of the following BEST indicates to an IS auditor that an organization handles emergency changes appropriately and transparently?
- A . The application operations manual contains procedures to ensure emergency fixes do not compromise system integrity.
- B . Special logon IDs are used to grant programmers permanent access to the production environment.
- C . Change management controls are retroactively applied.
- D . Emergency changes are applied to production libraries immediately.
An IS auditor is reviewing the installation of a new server. The IS auditor’s PRIMARY objective is to ensure that
- A . security parameters are set in accordance with the manufacturer's standards.
- B . a detailed business case was formally approved prior to the purchase.
- C . security parameters are set in accordance with the organization’s policies.
- D . the procurement project invited tenders from at least three different suppliers.
C
Explanation:
The primary objective of an IS auditor when reviewing the installation of a new server is to ensure that security parameters are set in accordance with the organization’s policies. Security parameters are settings or options that control the security level and behavior of the server, such as authentication methods, encryption algorithms, access rights, audit logs, firewall rules, or password policies. The organization’s policies are documents that define the security goals, requirements, standards, and guidelines for the organization’s information systems. An IS auditor should verify that security parameters are set in accordance with the organization’s policies to ensure that the new server complies with the organization’s security expectations and regulations.
The other options are less important or incorrect because:
What is the purpose of hashing a document?
- A . To prevent unauthorized disclosure of the contents
- B . To validate the integrity of the file contents
- C . To classify the file for internal use only
- D . To compress the size of the file
An organization establishes capacity utilization thresholds and monitors for instances when thresholds are exceeded.
Which of the following is BEST supported by this activity?
- A . Integrity
- B . Availability
- C . Confidentiality
- D . Nonrepudiation
B
Explanation:
Monitoring capacity utilization supports availability by ensuring that resources remain functional and do not exceed operational limits.
Option A (Incorrect): Integrity ensures that data is accurate and unaltered, but monitoring capacity thresholds primarily relates to system availability.
Option B (Correct): Availability ensures that systems remain accessible and functional, and monitoring capacity utilization helps prevent downtime and service disruptions.
Option C (Incorrect): Confidentiality ensures that data is protected from unauthorized access, which is unrelated to capacity monitoring.
Option D (Incorrect): Nonrepudiation ensures that actions can be traced to specific individuals, but it does not relate to capacity monitoring.
Reference: ISACA CISA Review Manual, Domain 4: Information Systems Operations and Business Resilience, which covers capacity planning and monitoring for system availability.
A new system development project is running late against a critical implementation deadline.
Which of the following is the MOST important activity?
- A . Ensure that code has been reviewed.
- B . Perform user acceptance testing (UAT).
- C . Document last-minute enhancements.
- D . Perform a pre-implementation audit.
Cross-site scripting (XSS) attacks are BEST prevented through:
- A . application firewall policy settings.
- B . a three-tier web architecture.
- C . secure coding practices.
- D . use of common industry frameworks.
C
Explanation:
Secure coding practices are the best way to prevent cross-site scripting (XSS) attacks, because they ensure that the web application validates and sanitizes user input and encodes output data so that malicious scripts are not executed in the web browser. XSS attacks are a type of web application vulnerability that exploits the lack of input validation or output encoding in web pages that accept user input or display dynamic content. Application firewall policy settings, a three-tier web architecture, and use of common industry frameworks are not effective controls to prevent XSS attacks, because they do not address the root cause of the vulnerability in the web application code.
Reference: CISA Review Manual (Digital Version), Chapter 5, Section 5.4.2
The due date of an audit project is approaching, and the audit manager has determined that only 60% of the audit has been completed.
Which of the following should the audit manager do FIRST?
- A . Determine where delays have occurred
- B . Assign additional resources to supplement the audit
- C . Escalate to the audit committee
- D . Extend the audit deadline
A
Explanation:
The first thing that the audit manager should do when faced with a situation where only 60% of the audit has been completed and the due date is approaching is to determine where delays have occurred. This can help the audit manager to identify and analyze the root causes of the delays, such as unexpected issues, scope changes, resource constraints, communication problems, etc., and evaluate their impact on the audit objectives, scope, quality, and timeline. Based on this analysis, the audit manager can then decide on the best course of action to address the delays and complete the audit successfully. Assigning additional resources to supplement the audit is a possible option for resolving delays in an audit project, but it is not the first thing that the audit manager should do, as it may not be feasible or effective depending on the availability, cost, and suitability of the additional resources. Escalating to the audit committee is a possible option for communicating delays in an audit project and seeking guidance or support from senior management, but it is not the first thing that the audit manager should do, as it may not be necessary or appropriate depending on the severity and urgency of the delays. Extending the audit deadline is a possible option for accommodating delays in an audit project and ensuring sufficient time for completing the audit tasks and activities, but it is not the first thing that the audit manager should do, as it may not be possible or desirable depending on the contractual obligations, stakeholder expectations, and regulatory requirements.
Which task should an IS auditor complete FIRST during the preliminary planning phase of a database security review?
- A . Perform a business impact analysis (BIA).
- B . Determine which databases will be in scope.
- C . Identify the most critical database controls.
- D . Evaluate the types of databases being used
B
Explanation:
The first task that an IS auditor should complete during the preliminary planning phase of a database security review is to determine which databases will be in scope. The scope defines the boundaries and objectives of the audit, as well as the resources, time, and budget required. The IS auditor should identify the databases that are relevant to the audit based on factors such as their criticality, risk, complexity, size, type, location, and ownership. The IS auditor should also consider the regulatory, contractual, and organizational requirements that apply to the databases. By defining the scope clearly and accurately, the IS auditor can ensure that the audit is focused, feasible, and effective.
Reference: CISA Review Manual (Digital Version)
CISA Questions, Answers & Explanations Database
