Practice Free CISA Exam Online Questions
During a physical security audit, an IS auditor was provided a proximity badge that granted access to three specific floors in a corporate office building.
Which of the following issues should be of MOST concern?
- A . The proximity badge did not work for the first two days of audit fieldwork.
- B . There was no requirement for an escort during fieldwork.
- C . There was no follow-up for unsuccessful attempted access violations.
- D . The proximity badge incorrectly granted access to restricted areas.
D
Explanation:
The proximity badge incorrectly granting access to restricted areas is the most concerning issue, as it indicates a failure of the access control system to enforce the principle of least privilege and protect the sensitive or critical assets of the organization. The proximity badge should only grant access to the areas that are necessary for the IS auditor to perform the audit fieldwork, and not to any other areas that may contain confidential information, valuable equipment, or hazardous materials. The incorrect access could result in unauthorized disclosure, modification, or destruction of the assets, as well as potential safety or legal issues.
Reference: ISACA CISA Review Manual, 27th Edition, page 254; Office & Workplace Physical Security Assessment Checklist; Physical Security: Planning, Measures & Examples
Which of the following BEST enables an organization to improve the visibility of end-user computing (EUC) applications that support regulatory reporting?
- A . EUC inventory
- B . EUC availability controls
- C . EUC access control matrix
- D . EUC tests of operational effectiveness
A
Explanation:
The best way to improve the visibility of end-user computing (EUC) applications that support regulatory reporting is to maintain an EUC inventory, as this provides a comprehensive and up-to-date list of all EUC applications, their owners, their locations, their purposes, and their dependencies. An EUC inventory can help identify and manage the risks associated with EUC applications, such as data quality, security, compliance, and continuity. EUC availability controls, EUC access control matrix, and EUC tests of operational effectiveness are important for ensuring the reliability and security of EUC applications, but they do not improve the visibility of EUC applications as much as an EUC inventory.
Reference: CISA Review Manual (Digital Version), Chapter 3: Information Systems Acquisition, Development and Implementation, Section 3.4: End-user Computing
A startup organization wants to develop a data loss prevention (DLP) program. The FIRST step should be to implement:
- A . Security awareness training
- B . Data encryption
- C . Data classification
- D . Access controls
Which of the following provides the BEST assurance that vendor-supported software remains up to date?
- A . Release and patch management
- B . Licensing agreement and escrow
- C . Software asset management
- D . Version management
Which of the following weaknesses would have the GREATEST impact on the effective operation of a perimeter firewall?
- A . Use of stateful firewalls with default configuration
- B . Ad hoc monitoring of firewall activity
- C . Misconfiguration of the firewall rules
- D . Potential back doors to the firewall software
A web application is developed in-house by an organization.
Which of the following would provide the BEST evidence to an IS auditor that the application is secure from external attack?
- A . Web application firewall (WAF) implementation
- B . Penetration test results
- C . Code review by a third party
- D . Database application monitoring logs
Which of the following is the MOST efficient way to identify segregation of duties violations in a new system?
- A . Review a report of security rights in the system.
- B . Observe the performance of business processes.
- C . Develop a process to identify authorization conflicts.
- D . Examine recent system access rights violations.
A
Explanation:
The most efficient way to identify segregation of duties violations in a new system is to review a report of security rights in the system. Segregation of duties is a control principle that aims to prevent or detect errors, fraud, or abuse by ensuring that no single individual has the ability to perform incompatible or conflicting functions or activities within a system or process. A report of security rights in the system can provide a comprehensive and accurate overview of the roles, responsibilities, and access levels assigned to different users or groups in the system, and can help to identify any potential segregation of duties violations or risks. The other options are not as efficient as reviewing a report of security rights in the system, because they either rely on observation or testing rather than analysis, or they focus on existing rather than potential violations.
Reference: CISA Review Manual (Digital Version), Chapter 5, Section 5.2.2
Which of the following applications should an IS auditor consider to be the HIGHEST priority when reviewing disaster recovery planning (DRP) tests for an e-commerce company?
- A . An application for IT performance monitoring
- B . An application for HR management
- C . An application for financial management
- D . An application for traffic load balancing
Which of the following is the BEST control to help ensure that security requirements are considered throughout the life cycle of an agile software development project?
- A . Documenting security control requirements and obtaining internal audit sign off
- B . Including project team members who can provide security expertise
- C . Reverting to traditional waterfall software development life cycle (SDLC) techniques
- D . Requiring the project to go through accreditation before release into production
The performance, risks, and capabilities of an IT infrastructure are BEST measured using a:
- A . risk management review.
- B . control self-assessment (CSA).
- C . service level agreement (SLA).
- D . balanced scorecard.
C
Explanation:
A service level agreement (SLA) is a contract between a service provider and a customer that defines the expected level of performance, risks, and capabilities of an IT infrastructure. An IS auditor can use an SLA to measure how well the IT infrastructure meets the business needs and objectives, as well as to identify any gaps or issues that need to be addressed. The other options are not directly related to measuring the performance, risks, and capabilities of an IT infrastructure.
Reference: CISA Review Manual (Digital Version), Chapter 5, Section 5.2.11; CISA Review Questions, Answers & Explanations Database, Question ID 203