Practice Free CISA Exam Online Questions
Which of the following should an IS auditor expect to see in a network vulnerability assessment?
- A . Misconfiguration and missing updates
- B . Malicious software and spyware
- C . Zero-day vulnerabilities
- D . Security design flaws
A
Explanation:
A network vulnerability assessment is a process of identifying and evaluating the weaknesses and exposures in a network that could be exploited by attackers to compromise the confidentiality, integrity, or availability of the network or its resources. It typically involves scanning the network devices, such as routers, switches, firewalls, servers, and workstations, using automated tools that compare the device configurations, software versions, and patch levels against a database of known vulnerabilities. It can also include manual testing and verification of the network architecture, design, policies, and procedures. One of the main objectives of a network vulnerability assessment is to detect and report any misconfiguration and missing updates in the network devices that could pose a security risk [1]. Misconfiguration refers to any deviation from the recommended or best-practice settings for the network devices, such as weak passwords, open ports, unnecessary services, default accounts, or incorrect permissions. Missing updates refer to any outdated or unsupported software or firmware that has not been patched with the latest security fixes or enhancements from the vendors [2]. Misconfiguration and missing updates are common sources of network vulnerabilities that attackers can exploit to gain unauthorized access, execute malicious code, cause denial of service, or escalate privileges on the network devices [3]. Therefore, an IS auditor should expect to see misconfiguration and missing updates in a network vulnerability assessment.
The other options are less relevant or incorrect because:
B. Malicious software and spyware are not usually detected by a network vulnerability assessment, as they are more related to the content and behavior of the network traffic rather than the configuration and patch level of the network devices. Malicious software and spyware are programs that infect or monitor the network devices or their users for malicious purposes, such as stealing data, displaying ads, or performing remote commands. Malicious software and spyware can be detected by other security tools, such as antivirus software, firewalls, or intrusion detection systems [4].
C. Zero-day vulnerabilities are not usually detected by a network vulnerability assessment, as they are unknown or undisclosed vulnerabilities that have not been reported or patched by the vendors or the security community, so the scanner's database of known vulnerabilities has no entry for them. Zero-day vulnerabilities are rare and difficult to discover, and exploiting them requires advanced techniques and skills. Zero-day vulnerabilities can be detected by other security tools, such as intrusion prevention systems, anomaly detection systems, or artificial intelligence systems [5].
D. Security design flaws are not usually detected by a network vulnerability assessment, as they are more related to the logic and functionality of the network rather than the configuration and patch level of the network devices. Security design flaws are errors or weaknesses in the network architecture, design, policies, or procedures that could compromise the security objectives of the network. Security design flaws can be detected by other security methods, such as security reviews, audits, or assessments [6].
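The comparison an assessment tool makes, shown as an added illustration that is not part of this page or of any real scanner: each device's software versions and settings are checked against a baseline of fixed versions and recommended settings, so the report contains exactly the two finding types the answer names, missing updates and misconfigurations. The products, versions, settings and devices are all constructed for the example.

```python
# Added illustration of the core check in a network vulnerability assessment: compare each
# device's software versions and settings against a baseline. Products, versions and devices
# are constructed for this example, not real advisories or real equipment.
FIXED_IN = {"router-os": "7.2.1", "switch-fw": "3.10.0", "ssh-daemon": "9.4"}  # fix landed here
RECOMMENDED = {  # expected value, or a predicate the value must satisfy
    "telnet_enabled": False,
    "default_admin_account": False,
    "snmp_community": lambda v: v not in ("public", "private"),
    "password_min_length": lambda v: v >= 12,
}
DEVICES = [  # constructed inventory, the kind of data a scanner collects per device
    {"name": "rtr-1", "software": {"router-os": "7.1.5"},
     "settings": {"telnet_enabled": True, "snmp_community": "public"}},
    {"name": "sw-1", "software": {"switch-fw": "3.9.2"},
     "settings": {"telnet_enabled": False, "snmp_community": "x9Qk-ro"}},
    {"name": "srv-1", "software": {"ssh-daemon": "9.6"},
     "settings": {"password_min_length": 8, "default_admin_account": True}},
]

def parse_version(text):
    # Numeric tuple so that 3.9.2 < 3.10.0; a plain string compare gets this wrong.
    return tuple(int(part) for part in text.split("."))

def missing_update(product, version):
    fixed = FIXED_IN.get(product)
    return fixed is not None and parse_version(version) < parse_version(fixed)

def misconfigured(settings):
    bad = []
    for key, rule in RECOMMENDED.items():
        if key in settings:
            value = settings[key]
            ok = rule(value) if callable(rule) else value == rule
            if not ok:
                bad.append(key)
    return bad

def assess(devices=DEVICES):
    # Returns (device, finding_type, detail) tuples: the body of the assessment report.
    findings = []
    for dev in devices:
        for product, version in dev["software"].items():
            if missing_update(product, version):
                findings.append((dev["name"], "missing_update", f"{product} {version} < {FIXED_IN[product]}"))
        for key in misconfigured(dev["settings"]):
            findings.append((dev["name"], "misconfiguration", key))
    return findings
```

Calling assess() on the constructed inventory yields one missing update on the router and the switch and two misconfigurations each on the router and the server; nothing about traffic content, malware or design is visible to this kind of check.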
Reference: [1] Network Vulnerability Assessment – ISACA; [2] Network Vulnerability Scanning – NIST; [3] Network Vulnerabilities – SANS; [4] Malware – ISACA; [5] Zero-Day Attacks – ISACA; [6] Security Design Principles – NIST
The FIRST step in auditing a data communication system is to determine:
- A . traffic volumes and response-time criteria
- B . physical security for network equipment
- C . the level of redundancy in the various communication paths
- D . business use and types of messages to be transmitted
D
Explanation:
The first step in auditing a data communication system is to determine the business use and types of messages to be transmitted. This is because the auditor needs to understand the purpose, scope, and objectives of the data communication system, as well as the nature, volume, and sensitivity of the data being transmitted. This will help the auditor to identify the risks, controls, and audit criteria for the data communication system. Traffic volumes and response-time criteria, physical security for network equipment, and the level of redundancy in the various communication paths are important aspects of a data communication system, but they are not the first step in auditing it. They depend on the business use and types of messages to be transmitted, and they may vary according to different scenarios and requirements.
Reference: CISA Review Manual (Digital Version), [ISACA Auditing Standards]
During an audit, the IS auditor finds that in many cases excessive rights were not removed from a system.
Which of the following is the auditor’s BEST recommendation?
- A . System administrators should ensure consistency of assigned rights.
- B . IT security should regularly revoke excessive system rights.
- C . Human resources (HR) should delete access rights of terminated employees.
- D . Line management should regularly review and request modification of access rights
D
Explanation:
The best recommendation for the auditor to make is D. Line management should regularly review and request modification of access rights. Access rights are the permissions and privileges granted to users to access, view, modify, or delete data or resources on a system or network [1]. Excessive rights are access rights that are not necessary or appropriate for a user’s role or function, and may pose a risk of unauthorized or inappropriate use of data or resources [2]. Therefore, it is important to ensure that access rights are aligned with the principle of least privilege, which means that users should only have the minimum level of access required to perform their duties [2].
Line management is responsible for overseeing and supervising the activities and performance of their staff, and ensuring that they comply with the organization’s policies and standards [3]. Therefore, line management should regularly review and request modification of access rights for their staff, as they are in the best position to:
- Understand the roles and functions of their staff, and determine the appropriate level of access rights needed for them to perform their duties effectively and efficiently.
- Monitor and evaluate the usage and behavior of their staff, and identify any changes or anomalies that may indicate excessive or inappropriate access rights.
- Communicate and collaborate with IT security or system administrators, who are responsible for granting, revoking, or modifying access rights, and request any necessary adjustments or corrections.
Which of the following is a challenge in developing a service level agreement (SLA) for network services?
- A . Establishing a well-designed framework for network services.
- B . Finding performance metrics that can be measured properly
- C . Ensuring that network components are not modified by the client
- D . Reducing the number of entry points into the network
B
Explanation:
One of the challenges in developing an SLA for network services is finding performance metrics that can be measured properly and reflect the quality of service expected by the customer. Establishing a well-designed framework for network services is not a challenge, but a good practice. Ensuring that network components are not modified by the client or reducing the number of entry points into the network are security issues, not SLA issues.
Reference: ISACA, CISA Review Manual, 27th Edition, 2018, page 333
In which phase of penetration testing would host detection and domain name system (DNS) interrogation be performed?
- A . Discovery
- B . Attacks
- C . Planning
- D . Reporting
A
Explanation:
Penetration testing is a method of evaluating the security of a system or network by simulating an attack from a malicious source. Penetration testing typically consists of four phases: planning, discovery, attacks, and reporting. In the discovery phase, penetration testers gather information about the target system or network, such as host detection, domain name system (DNS) interrogation, port scanning, service identification, operating system fingerprinting, vulnerability scanning, etc. This information can help to identify potential entry points, weaknesses, or vulnerabilities that can be exploited in the subsequent attack phase. Host detection and DNS interrogation are techniques that can be used in the discovery phase to determine the active hosts and their IP addresses and hostnames on the target network.
Reference: [ISACA CISA Review Manual 27th Edition], page 368.
Which of the following will provide the GREATEST assurance to IT management that a quality management system (QMS) is effective?
- A . A high percentage of stakeholders satisfied with the quality of IT
- B . A high percentage of IT processes reviewed by quality assurance (QA)
- C . A high percentage of incidents being quickly resolved
- D . A high percentage of IT employees attending quality training
What should an IS auditor recommend to management as the MOST important action before selecting a Software as a Service (SaaS) vendor?
- A . Determine service level requirements.
- B . Complete a risk assessment.
- C . Perform a business impact analysis (BIA)
- D . Conduct a vendor audit.
B
Explanation:
Before selecting a SaaS vendor, the most important action is to complete a risk assessment. A risk assessment is a process of identifying, analyzing, and evaluating the potential risks associated with outsourcing software and IT infrastructure to a third-party provider. A risk assessment helps to determine the impact and likelihood of various threats, such as data breaches, service disruptions, vendor lock-in, compliance issues, and legal disputes. A risk assessment also helps to identify the mitigation strategies and controls that can reduce or eliminate the risks.
A risk assessment is more important than determining service level requirements, performing a business impact analysis (BIA), or conducting a vendor audit because it provides the basis for these other actions. Service level requirements are the expectations and obligations that define the quality and quantity of service that the vendor must provide to the customer. A BIA is a process of assessing the potential effects of an interruption or disruption of critical business functions or processes due to an incident or disaster. A vendor audit is a process of verifying the vendor’s compliance with the contract terms, service levels, security policies, and best practices.
Service level requirements, BIA, and vendor audit are all important actions for selecting a SaaS vendor, but they depend on the results of the risk assessment. For example, service level requirements should reflect the risk appetite and tolerance of the customer, which are determined by the risk assessment. A BIA should prioritize the recovery of the most critical and vulnerable business functions or processes, which are identified by the risk assessment. A vendor audit should focus on the areas of highest risk and concern, which are highlighted by the risk assessment.
Therefore, an IS auditor should recommend to management that completing a risk assessment is the most important action before selecting a SaaS vendor.
Reference: SaaS checklist: Nine factors to consider when selecting a vendor
SaaS vendor management: 10 best practices to achieve success
Best Practices for Software SaaS Vendor Selection and Negotiation
How to Evaluate SaaS Providers and Solutions by Developing … – Gartner
An IS auditor is evaluating the progress of a web-based customer service application development project.
Which of the following would be MOST helpful for this evaluation?
- A . Backlog consumption reports
- B . Critical path analysis reports
- C . Developer status reports
- D . Change management logs
A
Explanation:
A backlog consumption report is a report that shows the amount of work that has been completed and the amount of work that remains to be done in a project. It is a useful tool for measuring the progress and performance of a web-based customer service application development project, as it can indicate whether the project is on track, ahead or behind schedule, and how much effort is required to finish the project. A backlog consumption report can also help identify any issues or risks that may affect the project delivery. Critical path analysis reports, developer status reports and change management logs are also helpful for evaluating a project, but they are not as helpful as a backlog consumption report, as they do not provide a clear picture of the overall project status and completion rate.
Reference: [Backlog Consumption Report Definition]
Backlog Consumption Report | ISACA
Which of the following is MOST useful to an IS auditor performing a review of access controls for a document management system?
- A . Policies and procedures for managing documents provided by department heads
- B . A system-generated list of staff and their project assignments, roles, and responsibilities
- C . Previous audit reports related to other departments’ use of the same system
- D . Information provided by the audit team lead on the authentication systems used by the department
B
Explanation:
The answer B is correct because a system-generated list of staff and their project assignments, roles, and responsibilities is the most useful to an IS auditor performing a review of access controls for a document management system. A document management system is a software that helps organizations store, manage, and share documents electronically. Access controls are the mechanisms that restrict or allow access to the documents based on predefined criteria, such as user identity, role, or project. An IS auditor needs to verify that the access controls are properly configured and implemented to ensure the security, confidentiality, and integrity of the documents.
A system-generated list of staff and their project assignments, roles, and responsibilities can help the IS auditor to perform the following tasks:
- Identify the users who have access to the document management system and their level of access (e.g., read-only, edit, delete, etc.).
- Compare the actual access rights of the users with their expected or authorized access rights based on their roles and responsibilities.
- Detect any anomalies, discrepancies, or violations in the access rights of the users, such as excessive or unauthorized access, segregation of duties conflicts, or dormant or inactive accounts.
- Evaluate the effectiveness and efficiency of the access control policies and procedures, such as user provisioning, deprovisioning, authentication, authorization, auditing, etc.
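The reconciliation described in the list above, and the line-management review of excessive rights recommended in the earlier question, come down to the same check: compare what each user actually holds against what their role authorises and flag the differences. The following is an added example written for this page, not code from ISACA or any product; the staff export, role matrix, segregation-of-duties rule, review date and accounts are all constructed.

```python
from datetime import date

# Added example of the reconciliation an auditor (or line manager) performs with a
# system-generated staff list: actual rights are compared with what each role authorises,
# and anomalies are flagged. Users, roles, rules and dates are constructed for the example.
AS_OF = date(2024, 5, 22)  # review date for the dormancy check
DORMANT_DAYS = 90

STAFF = {  # user: (role, last_login), as exported from the system
    "alice": ("editor", date(2024, 5, 20)),
    "bob": ("reviewer", date(2024, 5, 18)),
    "carol": ("reader", date(2023, 9, 1)),
    "dave": ("editor", date(2024, 5, 21)),
}
ROLE_RIGHTS = {  # assumed authorised rights per role (the expected access)
    "reader": {"read"},
    "editor": {"read", "edit"},
    "reviewer": {"read", "approve"},
}
SOD_RULES = [{"edit", "approve"}]  # assumed segregation-of-duties rule: never both
ACTUAL_RIGHTS = {  # rights as actually granted in the document management system
    "alice": {"read", "edit"},
    "bob": {"read", "approve", "edit"},
    "carol": {"read", "delete"},
    "dave": {"read", "edit"},
    "mallory": {"read"},  # no staff record behind this account
}

def review_access(staff, actual, role_rights, sod_rules, as_of, dormant_days):
    # Returns (user, finding, detail) tuples for line management or IT security to act on.
    findings = []
    for user, rights in actual.items():
        if user not in staff:
            findings.append((user, "orphan_account", rights))
            continue
        role, last_login = staff[user]
        excess = rights - role_rights.get(role, set())
        if excess:
            findings.append((user, "excessive_rights", excess))
        for rule in sod_rules:
            if rule <= rights:
                findings.append((user, "sod_conflict", rule))
        if (as_of - last_login).days > dormant_days:
            findings.append((user, "dormant_account", last_login))
    return findings

def run_review():
    return review_access(STAFF, ACTUAL_RIGHTS, ROLE_RIGHTS, SOD_RULES, AS_OF, DORMANT_DAYS)
```

Running run_review() on the constructed data flags bob's extra edit right and his edit/approve conflict, carol's delete right and dormant account, and the mallory account that has no staff record, while alice and dave produce no findings.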
The other options are not as useful as option B. Policies and procedures for managing documents provided by department heads (option A) are not reliable sources of information for an IS auditor because they may not reflect the actual practices or compliance status of the document management system. Previous audit reports related to other departments’ use of the same system (option C) are not relevant for an IS auditor because they may not address the specific issues or risks associated with the current department’s use of the document management system. Information provided by the audit team lead on the authentication systems used by the department (option D) is not sufficient for an IS auditor because authentication is only one aspect of access control and it does not provide information on the authorization or auditing of the document access.
Reference: Overview of document management in SharePoint
Setting Up a Document Control System: 6 Basic Steps
Access Control Management: Purpose, Types, Tools, & Benefits
9 Best Document Management Systems of 2023
When building or upgrading enterprise cryptographic infrastructure, which of the following is the MOST critical requirement for growing business environments?
- A . Service discovery
- B . Backup and restoration capabilities
- C . Network throttling
- D . Scalable architectures and systems
