Practice Free CISA Exam Online Questions
Which of the following is the MOST effective control for protecting the confidentiality and integrity of data stored unencrypted on virtual machines?
- A . Monitor access to stored images and snapshots of virtual machines.
- B . Restrict access to images and snapshots of virtual machines.
- C . Limit creation of virtual machine images and snapshots.
- D . Review logical access controls on virtual machines regularly.
B
Explanation:
Images and snapshots are point-in-time copies of a virtual machine’s disks. When the data on the machine is unencrypted, anyone who can read a snapshot can read the data without ever logging in to the guest, and anyone who can modify an image can alter what every machine built from it will run. Restricting who can read, copy, share or modify those artifacts is a preventive control that addresses the exposure directly, and it is therefore the most effective of the four options.
Monitoring access to stored images and snapshots (A) is a detective control: it records that a copy was taken or modified but does not stop it, so it complements restriction rather than replacing it. Limiting creation of virtual machine images and snapshots (C) reduces the number of copies in existence but does nothing about the copies that already exist or about who can access them. Reviewing logical access controls on the virtual machines themselves (D) addresses the running systems, not the images and snapshots, which can be mounted or copied outside the guest’s own access controls.
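As an added illustration (not part of the ISACA question material), the Python script below applies both kinds of control to a handful of constructed snapshot audit events: an allow-list of principals and source networks stands in for the access restriction, and the detection rules stand in for monitoring, which is what still catches an allow-listed principal sharing a snapshot with another account. The event format, field names, principals, action names and rule names are assumptions, not any particular cloud provider’s log schema.

```python
import ipaddress
import json
from dataclasses import dataclass

# Constructed sample audit events (JSON lines), not real cloud logs.
# Field names, principals and action names are assumptions for this example.
SAMPLE_EVENTS = """\
{"time": "2024-05-01T09:12:03Z", "principal": "backup-svc", "action": "CreateSnapshot", "resource": "snap-0a1", "source_ip": "10.0.4.7"}
{"time": "2024-05-01T09:15:41Z", "principal": "backup-svc", "action": "DescribeSnapshots", "resource": "*", "source_ip": "10.0.4.7"}
{"time": "2024-05-01T11:02:19Z", "principal": "dev-alice", "action": "CopySnapshot", "resource": "snap-0a1", "source_ip": "10.0.9.30"}
{"time": "2024-05-01T11:03:55Z", "principal": "backup-svc", "action": "ModifySnapshotAttribute", "resource": "snap-0a1", "source_ip": "10.0.4.7", "detail": {"createVolumePermission": {"add": [{"userId": "999999999999"}]}}}
{"time": "2024-05-01T23:48:10Z", "principal": "backup-svc", "action": "CreateVolume", "resource": "snap-0a1", "source_ip": "198.51.100.23"}
"""

# Actions that read, copy or export the unencrypted disk contents, as opposed to listing metadata.
DATA_ACCESS_ACTIONS = {"CopySnapshot", "CreateVolume", "ModifySnapshotAttribute", "ExportImage"}


@dataclass(frozen=True)
class Finding:
    rule: str
    principal: str
    action: str
    resource: str


def parse_events(text: str) -> list:
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def shares_snapshot(event: dict) -> bool:
    """True when the event grants another account permission to build volumes from the snapshot."""
    perms = event.get("detail", {}).get("createVolumePermission", {})
    return bool(perms.get("add"))


def audit_snapshot_access(events, allowed_principals, allowed_networks):
    """Apply the allow-list (the restriction) and the detection rules (the monitoring)."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    findings = []
    for ev in events:
        principal, action, resource = ev["principal"], ev["action"], ev["resource"]
        if principal not in allowed_principals:
            # The restriction should have blocked this; seeing it in the log means it did not.
            findings.append(Finding("unauthorized-principal", principal, action, resource))
            continue
        if action == "ModifySnapshotAttribute" and shares_snapshot(ev):
            # An allowed principal exporting the data to another account: only monitoring catches this.
            findings.append(Finding("snapshot-shared-with-other-account", principal, action, resource))
        src = ipaddress.ip_address(ev["source_ip"])
        if action in DATA_ACCESS_ACTIONS and not any(src in net for net in nets):
            findings.append(Finding("data-access-from-unexpected-network", principal, action, resource))
    return findings


def run_sample():
    """Audit the constructed events with an assumed allow-list: one service account, one internal range."""
    return audit_snapshot_access(
        parse_events(SAMPLE_EVENTS),
        allowed_principals={"backup-svc"},
        allowed_networks=["10.0.0.0/8"],
    )


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.rule}: {f.principal} {f.action} {f.resource}")
```

Run directly, the script reports three findings: an unauthorized principal copying a snapshot, the allowed backup account sharing a snapshot with an outside account, and a volume being built from the snapshot from an unexpected network. The first would not occur if the restriction were enforced by the platform; the other two are exactly the privilege misuse that restriction alone does not prevent and that monitoring exists to surface.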
An organization has alternative links in its wide area network (WAN) to provide redundancy. However, each time there is a problem with a link, network administrators have to update the configuration to divert traffic to the other link.
Which of the following would be an IS auditor’s BEST recommendation?
- A . Reduce the number of alternative links.
- B . Implement a load-balancing mechanism.
- C . Configure a non-proprietary routing protocol.
- D . Implement an exterior routing protocol.
Which of the following will be the MOST effective method to verify that a service vendor keeps control levels as required by the client?
- A . Conduct periodic on-site assessments using agreed-upon criteria.
- B . Periodically review the service level agreement (SLA) with the vendor.
- C . Conduct an unannounced vulnerability assessment of the vendor’s IT systems.
- D . Obtain evidence of the vendor’s control self-assessment (CSA).
A
Explanation:
The most effective method to verify that a service vendor keeps control levels as required by the client is to conduct periodic on-site assessments using agreed-upon criteria. On-site assessments provide direct evidence of whether the vendor’s controls are operating effectively and consistently in accordance with the client’s expectations and requirements, and agreed-upon criteria keep the assessments objective, relevant and repeatable. The other options are weaker. Periodically reviewing the SLA with the vendor helps monitor whether contractual obligations and service standards are being met, but an SLA review says nothing about whether the underlying controls are adequate. Conducting an unannounced vulnerability assessment of the vendor’s IT systems may identify weaknesses in the vendor’s security controls, but it is likely to violate the terms of the vendor-client agreement and may cause operational disruption. Obtaining evidence of the vendor’s control self-assessment (CSA) shows that the vendor monitors and reports on its own controls, but a self-assessment is neither independent nor verified, so it cannot substitute for the client’s own evaluation.
Reference: CISA Review Manual (Digital Version), Chapter 5, Section 5.4
Which of the following should be the GREATEST concern to an IS auditor reviewing an organization’s job scheduling practices?
- A . Most jobs are run manually.
- B . Jobs are executed during working hours.
- C . Job dependencies are undefined.
- D . Job processing procedures are missing.
Which of the following provides the MOST assurance over the completeness and accuracy of loan application processing with respect to the implementation of a new system?
- A . Comparing code between old and new systems
- B . Running historical transactions through the new system
- C . Reviewing quality assurance (QA) procedures
- D . Loading balance and transaction data to the new system
B
Explanation:
Running historical transactions through the new system gives the most assurance over the completeness and accuracy of loan application processing. Historical transactions have known outcomes recorded by the old system, so every input replayed through the new system has an expected result to compare against. A record-by-record reconciliation shows whether every transaction was processed (completeness) and whether each produced the same decision, amount and status as before (accuracy), and it surfaces defects arising from data conversion, changed functionality or compatibility before go-live rather than after.
Comparing code between the old and new systems gives some assurance, by checking whether the new system’s logic, algorithms and functions are consistent with the old system’s, but it is not the most effective option: code does not demonstrate how the system actually behaves on real data, and equivalent-looking code can still fail at the data or user level. Reviewing quality assurance (QA) procedures (the testing, verification and validation steps intended to ensure the system meets its requirements) gives some assurance that the new system was tested before implementation, but it is indirect: QA procedures may not cover every scenario of loan application processing and cannot reveal defects that appear only after implementation. Loading balance and transaction data to the new system (the amounts, dates, payments and other records that describe each loan’s status and history) gives some assurance that data were transferred consistently and correctly from the old system, but it is not the most effective option either: the migrated data represent only the stored state of each loan, not the processing logic applied to it, and a successful load by itself does not indicate any errors or issues that may arise
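The replay described above, written out as an added Python example that is not from the CISA manual or this page: `legacy_decision` and `new_decision` are stand-ins for the old and new loan systems (the decision thresholds, the two regressions seeded into the new system and the historical records are all constructed for illustration), and `parallel_run` replays the history through the new system and reconciles the results against what the old system recorded.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Callable, Optional


@dataclass(frozen=True)
class Application:
    app_id: str
    annual_income: Decimal
    monthly_debt: Decimal
    requested: Decimal
    credit_score: Optional[int]  # None models an applicant with no credit file


@dataclass(frozen=True)
class Decision:
    approved: bool
    amount: Decimal


# Assumed business rule shared by both systems: score >= 640 and debt-to-income at or below 43%.
DTI_LIMIT = Decimal("0.43")
MIN_SCORE = 640


def debt_to_income(app: Application) -> Decimal:
    return app.monthly_debt * 12 / app.annual_income


def legacy_decision(app: Application) -> Decision:
    """Stand-in for the old system: treats a missing credit file as score 0 and uses '<=' at the DTI limit."""
    score = app.credit_score if app.credit_score is not None else 0
    if score >= MIN_SCORE and debt_to_income(app) <= DTI_LIMIT:
        return Decision(True, min(app.requested, app.annual_income * 4))
    return Decision(False, Decimal(0))


def new_decision(app: Application) -> Decision:
    """Stand-in for the new system, seeded with two regressions the replay should surface:
    a strict '<' at the DTI boundary, and no handling of a missing credit file."""
    if app.credit_score is None:
        raise ValueError("credit_score is required")
    if app.credit_score >= MIN_SCORE and debt_to_income(app) < DTI_LIMIT:
        return Decision(True, min(app.requested, app.annual_income * 4))
    return Decision(False, Decimal(0))


# Constructed historical applications, each paired with the decision the old system recorded for it.
HISTORY = [
    (Application("A-1001", Decimal("60000"), Decimal("1500"), Decimal("200000"), 700), Decision(True, Decimal("200000"))),
    (Application("A-1002", Decimal("48000"), Decimal("1720"), Decimal("150000"), 680), Decision(True, Decimal("150000"))),  # DTI exactly 0.43
    (Application("A-1003", Decimal("52000"), Decimal("2000"), Decimal("100000"), 720), Decision(False, Decimal("0"))),
    (Application("A-1004", Decimal("75000"), Decimal("500"), Decimal("250000"), None), Decision(False, Decimal("0"))),    # no credit file
    (Application("A-1005", Decimal("30000"), Decimal("400"), Decimal("200000"), 650), Decision(True, Decimal("120000"))),  # capped at 4x income
]


def replay(history, decide: Callable[[Application], Decision]):
    """Run every historical application through `decide`, isolating per-record failures."""
    results, errors = {}, {}
    for app, _recorded in history:
        try:
            results[app.app_id] = decide(app)
        except Exception as exc:  # one bad record must not abort the whole run
            errors[app.app_id] = repr(exc)
    return results, errors


def reconcile(history, results, errors):
    """Completeness: every historical id has a new-system result.
    Accuracy: each result equals the decision the old system recorded."""
    missing = [app.app_id for app, _ in history if app.app_id not in results]
    mismatched = [
        (app.app_id, recorded, results[app.app_id])
        for app, recorded in history
        if app.app_id in results and results[app.app_id] != recorded
    ]
    return {
        "total": len(history),
        "matched": len(history) - len(missing) - len(mismatched),
        "missing": missing,
        "mismatched": mismatched,
        "errors": errors,
    }


def parallel_run(history, decide):
    results, errors = replay(history, decide)
    return reconcile(history, results, errors)


if __name__ == "__main__":
    report = parallel_run(HISTORY, new_decision)
    print(f"{report['matched']}/{report['total']} matched; missing={report['missing']}")
    for app_id, recorded, got in report["mismatched"]:
        print(f"{app_id}: recorded {recorded}, new system {got}")
```

Against the seeded new system the report shows three matches, one mismatch (the application sitting exactly on the DTI boundary) and one missing result (the applicant with no credit file). Catching per-record exceptions in `replay` matters: without it the first record the new system cannot handle would abort the run, and the completeness gap it represents would show up as a crash rather than as a missing result in the reconciliation.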
During an audit of a multinational bank’s disposal process, an IS auditor notes several findings.
Which of the following should be the auditor’s GREATEST concern?
- A . Backup media are not reviewed before disposal.
- B . Degaussing is used instead of physical shredding.
- C . Backup media are disposed of before the end of the retention period.
- D . Hardware is not destroyed by a certified vendor.
C
Explanation:
During an audit of a multinational bank’s disposal process, the IS auditor’s greatest concern should be backup media being disposed of before the end of the retention period. Retention periods are set by legal, regulatory and business requirements (for a multinational bank, across several jurisdictions), and backup media may hold the only copy of data needed for business continuity, regulatory compliance, litigation or forensic investigation. Premature disposal destroys that data irrecoverably, with potential legal, operational and reputational consequences for the bank. The other findings carry some risk but are less critical. Not reviewing media before disposal may lead to the wrong media being destroyed; degaussing rather than physical shredding is an accepted sanitization method for magnetic media (it does not sanitize solid-state media, which the auditor should confirm is not in scope); and the absence of a certified destruction vendor is a weakness in assurance over the process rather than evidence that data have already been lost.
Reference: ISACA CISA Review Manual 27th Edition, page 302.
Which of the following IT service management activities is MOST likely to help with identifying the root cause of repeated instances of network latency?
- A . Change management
- B . Problem management
- C . Incident management
- D . Configuration management
B
Explanation:
Problem management is the IT service management activity most likely to identify the root cause of repeated instances of network latency. Where incident management restores service after each occurrence, problem management looks across related incidents, performs root cause analysis and implements a permanent fix or a documented workaround so that the incidents stop recurring. Change management controls and documents modifications to IT services or infrastructure. Incident management restores normal service operation as quickly as possible after an incident has occurred. Configuration management identifies IT assets and maintains records of them and their relationships.
Reference: ISACA, CISA Review Manual, 27th Edition, 2018, page 334
Which of the following areas is MOST likely to be overlooked when implementing a new data classification process?
- A . End-user computing (EUC) systems
- B . Email attachments
- C . Data sent to vendors
- D . New system applications
A
Explanation:
The area that is most likely to be overlooked when implementing a new data classification process is end-user computing (EUC) systems. EUC systems are applications or tools that are developed or customized by end users, often without formal IT involvement or approval. EUC systems may contain sensitive or confidential data that need to be classified and protected according to the organization’s policies and standards. However, EUC systems may not be subject to the same controls, oversight, or documentation as formal IT systems, and may not be included in the scope of the data classification process. Therefore, EUC systems pose a significant risk of data leakage, unauthorized access, or noncompliance. The other areas (B, C and D) are less likely to be overlooked, as they are more visible and manageable by the IT department or the data owners.
Reference: IS Audit and Assurance Guideline 2202: Evidence Collection Techniques, CISA Review Manual (Digital Version), Chapter 5: Protection of Information Assets, Section 5.2: Data Classification
Which of the following types of environmental equipment will MOST likely be deployed below the floor tiles of a data center?
- A . Temperature sensors
- B . Humidity sensors
- C . Water sensors
- D . Air pressure sensors
C
Explanation:
Water sensors are devices that can detect the presence of water or moisture in a given area. They are often deployed below the floor tiles of a data center to monitor for any water leaks that may damage the equipment or cause electrical hazards. Water sensors can alert the data center staff or trigger an automatic response to prevent or mitigate the water leakage.
The other options are not likely to be deployed below the floor tiles of a data center. Temperature sensors and humidity sensors are usually deployed above the floor tiles to measure the ambient conditions of the data center and ensure optimal cooling and ventilation. Air pressure sensors are typically deployed at the air vents or ducts to monitor the airflow and pressure distribution in the data center.
Reference: Data Center Environmental Monitoring
Water Detection in Data Centers
Which of the following public key infrastructure (PKI) elements provides detailed descriptions for dealing with a compromised private key?
- A . Certification practice statement
- B . Certificate policy
- C . PKI disclosure statement
- D . Certificate revocation list
A
Explanation:
A Certification Practice Statement (CPS) is a detailed document that describes the practices a Certificate Authority (CA) uses when issuing and managing digital certificates. It includes procedures for handling compromised private keys, revocation, renewal, and security controls.
Certificate policy (B): High-level rules governing certificate usage, but not operational details.
PKI disclosure statement (C): Provides users with general PKI-related information.
Certificate revocation list (D): A technical mechanism listing revoked certificates, but not the procedures for managing compromise.
Reference: ISACA CISA Review Manual 27th Edition, Domain 5, section on PKI components and certificate lifecycle management.
