Practice Free CISA Exam Online Questions
During a review of a production schedule, an IS auditor observes that a staff member is not complying with mandatory operational procedures.
The auditor’s NEXT step should be to:
- A . note the noncompliance in the audit working papers.
- B . issue an audit memorandum identifying the noncompliance.
- C . include the noncompliance in the audit report.
- D . determine why the procedures were not followed.
Which of the following is the MOST important consideration of any disaster response plan?
- A . Lost revenue
- B . Personnel safety
- C . IT asset protection
- D . Adequate resource capacity
A small IT department has embraced DevOps, which allows members of this group to deploy code to production and maintain some development access to automate releases.
Which of the following is the MOST effective control?
- A . Enforce approval prior to deployment by a member of the team who has not taken part in the development.
- B . The DevOps team provides an annual policy acknowledgment that they did not develop and deploy the same code.
- C . Annual training reinforces the need to maintain segregation between developers and deployers of code
- D . The IT compliance manager performs weekly reviews to ensure the same person did not develop and deploy code.
A
Explanation:
The most effective control to maintain segregation of duties in a DevOps environment is A. Enforce approval prior to deployment by a member of the team who has not taken part in the development. Segregation of duties (SoD) is a principle that requires multiple actors to complete a task to reduce the risk of fraud, error, or abuse. In a DevOps environment, where developers and operators work together to deliver software faster and more reliably, SoD may seem incompatible or impractical. However, SoD can still be achieved by implementing controls that ensure no single person can develop, test, and deploy code without oversight or review.
Enforcing approval prior to deployment by a member of the team who has not taken part in the development is an effective control because it ensures that code changes are verified and validated by a peer before they are released to production. This control can help prevent or detect unauthorized or malicious modifications, errors, or vulnerabilities in the code, and ensure that the code meets quality and security standards. It can also promote collaboration and feedback among team members and improve the transparency and accountability of the software delivery process.
In a public key cryptographic system, which of the following is the PRIMARY requirement to address the risk of man-in-the-middle attacks through spoofing?
- A . Strong encryption algorithms
- B . Kerberos authentication
- C . Registration authority
- D . Certificate authority (CA)
D
Explanation:
A certificate authority (CA) is critical in a public key cryptographic system for mitigating man-in-the-middle (MITM) attacks. It ensures that public keys are authentic by issuing digital certificates, which bind a public key to an entity. The CA’s role in verifying identities and providing trust anchors prevents attackers from spoofing keys.
Strong Encryption Algorithms (Option A): Encryption ensures confidentiality but does not address spoofing risks.
Kerberos Authentication (Option B): Useful for mutual authentication but not central to public key infrastructure (PKI).
Registration Authority (Option C): Supports the CA but does not directly prevent MITM attacks.
Reference: ISACA CISA Review Manual, Job Practice Area 4: Protection of Information Assets.
Which of the following is the PRIMARY reason for an airline’s IT management to continuously monitor the controls for a critical integrated flight schedule and payment application?
- A . To detect and respond to possible attacks
- B . To ensure risks are effectively identified and mitigated
- C . To ensure payments for flight bookings are processed
- D . To ensure policies and procedures are followed
In which phase of the audit life cycle process should an IS auditor initially discuss observations with management?
- A . Planning phase
- B . Reporting phase
- C . Follow-up phase
- D . Fieldwork phase
D
Explanation:
Comprehensive and Detailed Step-by-Step
Audit findings should be communicated as early as possible to avoid misunderstandings, provide an opportunity for corrective action, and ensure transparency.
Option A (Incorrect): The planning phase involves defining audit scope, objectives, and methodology, but findings are not yet available to discuss with management.
Option B (Incorrect): The reporting phase formalizes audit results, but discussing issues only at this stage may lead to delays in corrective action.
Option C (Incorrect): The follow-up phase ensures that management has implemented corrective actions, but this occurs after the initial discussion of findings.
Option D (Correct): The fieldwork phase is when auditors actively gather evidence, analyze data, and identify issues. Discussing observations during this phase allows for immediate clarification, validation, and resolution of misunderstandings before the final report.
Reference: ISACA CISA Review Manual, Domain 1: Information Systems Auditing Process, which discusses audit engagement, reporting, and communication best practices.
Which of the following is MOST helpful in identifying system performance constraints?
- A . Security logs
- B . Directory service logs
- C . Proxy logs
- D . Operational logs
Which of the following MOST effectively enables consistency across high-volume software changes?
- A . The use of continuous integration and deployment pipelines
- B . Management reviews of detailed exception reports for released code
- C . Publication of a refreshed policy on development and release management
- D . An ongoing awareness campaign for software deployment best practices
Which of the following should be the FIRST step when developing a data loss prevention (DLP) solution for a large organization?
- A . Identify approved data workflows across the enterprise.
- B . Conduct a threat analysis against sensitive data usage.
- C . Create the DLP policies and templates.
- D . Conduct a data inventory and classification exercise
D
Explanation:
The first step when developing a data loss prevention (DLP) solution for a large organization is to conduct a data inventory and classification exercise. This step is essential to identify the types, locations, owners, and sensitivity levels of the data that need to be protected by the DLP solution. A data inventory and classification exercise helps to define the scope, objectives, and requirements of the DLP solution, as well as to prioritize the data protection efforts based on the business value and risk of the data. A data inventory and classification exercise also enables the organization to comply with relevant laws and regulations regarding data privacy and security.
The other options are not the first step when developing a DLP solution, but rather subsequent steps that depend on the outcome of the data inventory and classification exercise. Identifying approved data workflows across the enterprise is a step that helps to design and implement the DLP policies and controls that match the business processes and data flows. Conducting a threat analysis against sensitive data usage is a step that helps to assess and mitigate the risks associated with data leakage, theft, or misuse. Creating the DLP policies and templates is a step that helps to enforce the data protection rules and standards across the organization.
Reference: ISACA CISA Review Manual, 27th Edition (2019), page 247
Data Loss Prevention―Next Steps – ISACA
What is data loss prevention (DLP)? | Microsoft Security
Which of the following is a PRIMARY benefit of using risk assessments to determine areas to be included in an audit plan?
- A . Timely audit execution
- B . Effective allocation of audit resources
- C . Reduced travel and expense costs
- D . Effective risk mitigation
B
Explanation:
Using risk assessments to determine areas to be included in an audit plan is a primary benefit because it helps to prioritize the audit activities based on the level of risk and the potential impact of the audit findings. This way, the audit resources, such as time, staff, and budget, can be allocated more efficiently and effectively to the areas that need the most attention and provide the most value.
Reference:
ISACA CISA Review Manual, 27th Edition, page 256
What is the Purpose of a Risk Assessment?
Mastering the Process of Risk Assessment
