Practice Free CISA Exam Online Questions
Which of the following should be an IS auditor’s GREATEST concern when an international organization intends to roll out a global data privacy policy?
- A . Requirements may become unreasonable.
- B . The policy may conflict with existing application requirements.
- C . Local regulations may contradict the policy.
- D . Local management may not accept the policy.
C
Explanation:
The greatest concern for an IS auditor when an international organization intends to roll out a global data privacy policy is that local regulations may contradict the policy. Data privacy regulations vary across different countries and regions, and they may impose different or conflicting requirements on how personal data can be collected, processed, stored, transferred, and disclosed. The organization should ensure that its global data privacy policy complies with the applicable local regulations in each jurisdiction where it operates, or risk facing legal sanctions or reputational damage. Requirements may become unreasonable, but this is not a major concern for an IS auditor, as it is a business decision that should be based on a cost-benefit analysis. The policy may conflict with existing application requirements, but this is not a serious concern for an IS auditor, as it can be resolved by modifying or updating the applications to align with the policy. Local management may not accept the policy, but this is not a critical concern for an IS auditor, as it can be mitigated by providing adequate training and awareness on the policy and its benefits.
Reference: CISA Review Manual, 27th Edition, pages 406-407
CISA Review Questions, Answers & Explanations Database, Question ID: 2592
During a project assessment, an IS auditor finds that business owners have been removed from the project initiation phase.
Which of the following should be the auditor’s GREATEST concern with this situation?
- A . Unrealistic milestones
- B . Inadequate deliverables
- C . Unclear benefits
- D . Incomplete requirements
D
Explanation:
The answer D is correct because the greatest concern for an IS auditor with the situation of business owners being removed from the project initiation phase is that the requirements may be incomplete. The project initiation phase is the first step in starting a new project, where the project’s purpose, scope, objectives, and deliverables are defined and documented. The project initiation phase also involves identifying and engaging the key stakeholders who have an interest or influence in the project, such as sponsors, customers, users, or business owners.
Business owners are the individuals or entities who have the authority and responsibility to define the business needs and expectations for the project. They are also the primary beneficiaries of the project outcomes and benefits. Business owners play a crucial role in the project initiation phase, as they provide valuable input and feedback on the requirements and specifications of the project. Requirements are the statements that describe what the project should accomplish or deliver to meet the business needs and expectations. Requirements are essential for guiding the project planning, execution, monitoring, and closure phases.
If business owners are removed from the project initiation phase, it can result in incomplete or inaccurate requirements, which can have negative impacts on the project’s quality, scope, time, cost, and risk.
Some of the possible consequences of incomplete requirements are:
- Misalignment: The project may not align with the business strategy, vision, or goals, which can reduce its value or relevance.
- Confusion: The project team may not have a clear understanding of what the project should achieve or deliver, which can affect their performance or productivity.
- Rework: The project may need to undergo frequent changes or revisions to accommodate new or modified requirements, which can increase the time and cost of the project.
- Dissatisfaction: The project may not meet the expectations or satisfaction of the business owners or other stakeholders, which can affect their acceptance or support of the project.
- Failure: The project may not deliver the expected outcomes or benefits, which can affect its success or viability.
Therefore, an IS auditor should be concerned about the involvement and participation of business owners in the project initiation phase, as it affects the completeness and quality of requirements. An IS auditor should review the policies and procedures for stakeholder identification and engagement, verify that the business owners have adequate knowledge and skills to define their requirements, and test that the requirements are well-defined, documented, approved, and communicated.
Reference:
- Project Initiation: The First Step to Project Management [2023] (Asana)
- Everything you need to know about the project initiation phase
- Project Initiation Phase (The Business Professor)
- Project Initiation: A Guide to Starting a Project Right Way (Kissflow)
Which of the following is the MOST effective control when granting access to a service provider for a cloud-based application?
- A . Administrator access is provided for a limited period with an expiration date.
- B . Access has been provided on a need-to-know basis.
- C . User IDs are deleted when work is completed.
- D . Access is provided to correspond with the service level agreement (SLA).
B
Explanation:
Granting access on a need-to-know basis ensures that a service provider only has the permissions necessary to perform their specific tasks. This principle minimizes the risk of unauthorized access or accidental misuse of the system by restricting access to essential areas only. It aligns with the least privilege principle, a cornerstone of effective access control.
Limited Administrator Access with Expiration (Option A): This is helpful but does not ensure that the access granted aligns with the specific job requirements.
Deleting User IDs After Completion (Option C): This is a good practice but applies after the task, not during access.
Access Corresponding to the SLA (Option D): While important, this focuses on timeframes and does not restrict permissions effectively.
Reference: ISACA CISA Review Manual, Job Practice Area 4: Protection of Information Assets.
Which of the following is the GREATEST risk if two users have concurrent access to the same database record?
- A . Availability integrity
- B . Data integrity
- C . Entity integrity
- D . Referential integrity
B
Explanation:
The greatest risk if two users have concurrent access to the same database record is data integrity. Data integrity is the property that ensures that the data is accurate, complete, consistent, and valid throughout its lifecycle. If two users have concurrent access to the same database record, they may modify or delete the data in a conflicting or inconsistent manner, resulting in data corruption, loss, or duplication. This can affect the reliability and quality of the data, and cause errors or anomalies in the database operations and functions. The IS auditor should verify that the database has adequate controls to prevent or resolve concurrent access issues, such as locking mechanisms, transaction isolation levels, concurrency control protocols, or timestamping methods.
Reference: CISA Review Manual (Digital Version), Chapter 5, Section 5.2.7
Which of the following security measures will reduce the risk of propagation when a cyberattack occurs?
- A . Perimeter firewall
- B . Data loss prevention (DLP) system
- C . Web application firewall
- D . Network segmentation
D
Explanation:
Network segmentation is the best security measure to reduce the risk of propagation when a cyberattack occurs, because it divides the network into smaller subnetworks that are isolated from each other and have different access controls and security policies. This limits the spread of malicious traffic and prevents attackers from accessing sensitive data or systems in other segments. A perimeter firewall, a data loss prevention (DLP) system, and a web application firewall are also useful security measures, but they do not prevent propagation within the network as effectively as network segmentation does.
Reference: CISA Review Manual (Digital Version), Chapter 5, Section 5.2.3
Which of the following is the BEST metric to measure the quality of software developed in an organization?
- A . Amount of successfully migrated software changes
- B . Reduction in the help desk budget
- C . Number of defects discovered in production
- D . Increase in quality assurance (QA) activities
Which of the following is the BEST control to mitigate the malware risk associated with an instant messaging (IM) system?
- A . Blocking attachments in IM
- B . Blocking external IM traffic
- C . Allowing only corporate IM solutions
- D . Encrypting IM traffic
C
Explanation:
Allowing only corporate IM solutions is the best control to mitigate the malware risk associated with an IM system, because it can prevent unauthorized or malicious IM applications from accessing the network and infecting the system with malware. Corporate IM solutions can also enforce security policies and standards, such as encryption, authentication, and logging, to protect the IM system from malware attacks. Blocking attachments in IM, blocking external IM traffic, and encrypting IM traffic are also possible controls to mitigate the malware risk, but they are not as effective as allowing only corporate IM solutions.
Reference: CISA Review Manual (Digital Version), Chapter 5, Section 5.4.4
What should be the PRIMARY focus during a review of a business process improvement project?
- A . Business project plan
- B . Continuous monitoring plans
- C . The cost of new controls
- D . Business impact
Which type of control has been established when an organization implements a security information and event management (SIEM) system?
- A . Preventive
- B . Detective
- C . Directive
- D . Corrective
Which of the following are examples of corrective controls?
- A . Implementing separation of duties and hash totals
- B . Performing internal audit reviews and remediation activities
- C . Applying rollback scripts and backup procedures
- D . Enforcing disciplinary action and termination procedures
C
Explanation:
Corrective controls are measures taken to restore systems or processes after an incident or error has occurred.
Option C: Rollback scripts and backup procedures restore systems, making them corrective controls.
Option A: Separation of duties and hash totals are preventive controls.
Option B: Internal audit reviews are detective controls; the remediation activities that follow them may be corrective, but the audit reviews themselves are not.
Option D: Disciplinary actions are deterrent controls.
Reference: ISACA CISA Review Manual, 27th Edition, Domain 4, section on types of IT controls (preventive, detective, corrective, deterrent).
