Practice Free CISA Exam Online Questions
Which of the following is MOST critical to the success of an information security program?
- A . Management’s commitment to information security
- B . User accountability for information security
- C . Alignment of information security with IT objectives
- D . Integration of business and information security
A
Explanation:
The most critical factor for the success of an information security program is management’s commitment to information security. Management’s commitment to information security means that the senior management supports, sponsors, funds, monitors and enforces the information security program within the organization. Management’s commitment to information security also demonstrates leadership, sets the tone and culture, and establishes the strategic direction and objectives for information security. User accountability for information security, alignment of information security with IT objectives, and integration of business and information security are also important factors for the success of an information security program, but they are not as critical as management’s commitment to information security, as they depend on or derive from it.
Reference: Info Technology & Systems Resources | COBIT, Risk, Governance … – ISACA, IT Governance and Process Maturity
Recovery facilities providing a redundant combination of Internet connections to the local communications loop is an example of which type of telecommunications continuity?
- A . Voice recovery
- B . Alternative routing
- C . Long-haul network diversity
- D . Last-mile circuit protection
D
Explanation:
Recovery facilities providing a redundant combination of Internet connections to the local communications loop is an example of last-mile circuit protection. Last-mile circuit protection is a type of telecommunications continuity that ensures the availability and redundancy of the final segment of the network that connects the end-user to the service provider. The local communications loop, also known as the local loop or subscriber line, is the physical link between the customer premises and the nearest central office or point of presence of the service provider. By having multiple Internet connections from different providers or technologies, such as cable, DSL, fiber, wireless, or satellite, the recovery facilities can avoid losing connectivity in case one of the connections fails or is disrupted by a disaster.
Reference: Last Mile Redundancy – How to Ensure Business Continuity – Multapplied Networks
What is the BEST control to address SQL injection vulnerabilities?
- A . Unicode translation
- B . Secure Sockets Layer (SSL) encryption
- C . Input validation
- D . Digital signatures
C
Explanation:
Input validation is the best control to address SQL injection vulnerabilities, because it can prevent malicious users from entering SQL commands or statements into input fields that are intended for data entry, such as usernames or passwords. SQL injection is a technique that exploits a security vulnerability in an application’s software by inserting SQL code into a query string that can execute commands on a database server. Unicode translation, SSL encryption, and digital signatures are not effective controls against SQL injection, because they do not prevent or detect SQL code injection into input fields.
Reference: CISA Review Manual (Digital Version), Chapter 5, Section 5.4.2
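To make the point of this question concrete, the following is an added example (not part of the question bank or the CISA Review Manual) showing why input validation is the control that addresses SQL injection: a lookup that concatenates user input into the query string beside one that first rejects input outside an allowlist and then passes it as a bound parameter. The table, the `users` rows and the crafted input string are constructed for the illustration; `sqlite3` is used only because it ships with Python and needs no server.

```python
import re
import sqlite3

# Allowlist for usernames: letters, digits and underscore only (constructed policy).
# Quotes, spaces and SQL keywords never pass, so they never reach the query.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def validate_username(value: str) -> bool:
    """Input validation: accept only values that match the allowlist."""
    return bool(USERNAME_RE.fullmatch(value))


def make_db() -> sqlite3.Connection:
    """Build a small in-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "teller"), ("bob", "auditor"), ("carol", "admin")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Defective pattern: the input becomes part of the SQL text itself."""
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Bound parameter: the driver treats the input as a literal value, never as SQL."""
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Input validation first (the exam's answer), parameterization as defense in depth."""
    if not validate_username(username):
        raise ValueError("username rejected by input validation")
    return lookup_parameterized(conn, username)


def is_rejected(conn: sqlite3.Connection, username: str) -> bool:
    """True when the hardened lookup refuses the input outright."""
    try:
        lookup_hardened(conn, username)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Run the three lookups against one crafted input and summarize what each returns."""
    conn = make_db()
    crafted = "x' OR '1'='1"  # constructed input that closes the quote and adds a clause
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, crafted)),  # whole table leaks
        "parameterized_rows": len(lookup_parameterized(conn, crafted)),  # no such user
        "validation_passed": validate_username(crafted),  # rejected before any query
        "hardened_rejects": is_rejected(conn, crafted),
        "hardened_valid_user": lookup_hardened(conn, "alice"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable lookup returns every row because the input rewrote the `WHERE` clause; the parameterized lookup returns nothing because the same bytes are compared as a literal username; the hardened lookup never issues a query at all, which is the behaviour the exam answer is pointing at. Unicode translation, SSL or a digital signature would change none of these three outcomes.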
Which of the following should be of MOST concern to an IS auditor reviewing the information systems acquisition, development, and implementation process?
- A . Data owners are not trained on the use of data conversion tools.
- B . A post-implementation lessons-learned exercise was not conducted.
- C . There is no system documentation available for review.
- D . System deployment is routinely performed by contractors.
An IS auditor reviewing security incident processes realizes incidents are resolved and closed, but root causes are not investigated.
Which of the following should be the MAJOR concern with this situation?
- A . Abuses by employees have not been reported.
- B . Lessons learned have not been properly documented.
- C . Vulnerabilities have not been properly addressed.
- D . Security incident policies are out of date.
C
Explanation:
The major concern with the situation where security incidents are resolved and closed, but root causes are not investigated, is that vulnerabilities have not been properly addressed. Vulnerabilities are weaknesses or gaps in the security posture of an organization that can be exploited by threat actors to compromise its systems, data, or operations. If root causes are not investigated, vulnerabilities may remain undetected or unresolved, allowing attackers to exploit them again or use them as entry points for further attacks. This can result in repeated or escalated security incidents that can cause more damage or disruption to the organization.
The other options are not as major as the concern about vulnerabilities, but rather secondary or related issues that may arise from the lack of root cause analysis. Abuses by employees have not been reported is a concern that may indicate a lack of awareness, accountability, or monitoring of insider threats. Lessons learned have not been properly documented is a concern that may indicate a lack of improvement, learning, or feedback from security incidents. Security incident policies are out of date is a concern that may indicate a lack of alignment, review, or update of security incident processes.
Reference: ISACA CISA Review Manual 27th Edition (2019), page 254
Why Root Cause Analysis is Crucial to Incident Response (IR) – Avertium
Root Cause Analysis Steps and How it Helps Incident Response …
An organization has engaged a third party to implement an application to perform business-critical calculations.
Which of the following is the MOST important process to help ensure the application provides accurate calculations?
- A . Key performance indicator (KPI) monitoring
- B . Change management
- C . Configuration management
- D . Quality assurance (QA)
D
Explanation:
The most important process to help ensure the application provides accurate calculations is quality assurance (QA), which involves verifying that the application meets the specified requirements and standards, and testing the application for functionality, performance, reliability, security, and usability. QA helps to identify and correct any defects or errors in the application before it is deployed to the production environment. Key performance indicator (KPI) monitoring, change management, and configuration management are important processes for managing and maintaining the application after it is implemented, but they do not directly ensure the accuracy of the calculations performed by the application.
Reference: CISA Review Manual (Digital Version), Chapter 3: Information Systems Acquisition, Development & Implementation, Section 3.3: Practices for Quality Assurance
A system administrator recently informed the IS auditor about the occurrence of several unsuccessful intrusion attempts from outside the organization.
Which of the following is MOST effective in detecting such an intrusion?
- A . Periodically reviewing log files
- B . Configuring the router as a firewall
- C . Using smart cards with one-time passwords
- D . Installing biometrics-based authentication
A
Explanation:
The most effective way to detect an intrusion attempt is to periodically review log files, which record the activities and events on a system or network. Log files can provide evidence of unauthorized access attempts, malicious activities, or system errors. Configuring the router as a firewall, using smart cards with one-time passwords, and installing biometrics-based authentication are preventive controls that can reduce the likelihood of an intrusion, but they do not detect it.
Reference: ISACA CISA Review Manual 27th Edition, page 301
Which of the following is the GREATEST benefit of adopting an international IT governance framework rather than establishing a new framework based on the actual situation of a specific organization?
- A . Readily available resources such as domains and risk and control methodologies
- B . Comprehensive coverage of fundamental and critical risk and control areas for IT governance
- C . Fewer resources expended on trial-and-error attempts to fine-tune implementation methodologies
- D . Wide acceptance by different business and support units with IT governance objectives
D
Explanation:
The greatest benefit of adopting an international IT governance framework rather than establishing a new framework based on the actual situation of a specific organization is wide acceptance by different business and support units with IT governance objectives. An international IT governance framework, such as COBIT, provides a common language and understanding for IT governance among various stakeholders, such as management, users, auditors and regulators. This facilitates alignment, communication and collaboration among them. Readily available resources, comprehensive coverage and fewer resources expended are also benefits of adopting an international IT governance framework, but they are not the greatest benefit.
Reference: CISA Review Manual (Digital Version), Chapter 1, Section 1.3.1.
When reviewing an organization’s information security policies, an IS auditor should verify that the policies have been defined PRIMARILY on the basis of:
- A . a risk management process.
- B . an information security framework.
- C . past information security incidents.
- D . industry best practices.
A
Explanation:
Information security policies are high-level statements that define the organization’s approach to protecting its information assets from threats and risks. They should be based primarily on a risk management process, which is a systematic method of identifying, analyzing, evaluating, treating, and monitoring information security risks. A risk management process can help ensure that the policies are aligned with the organization’s risk appetite, business objectives, legal and regulatory requirements, and stakeholder expectations. An information security framework is a set of standards, guidelines, and best practices that provide a structure for implementing information security policies. It can support the risk management process, but it is not the primary basis for defining the policies. Past information security incidents and industry best practices can also provide valuable inputs for defining the policies, but they are not sufficient to address the organization’s specific context and needs.
Reference: Insights and Expertise, CISA Review Manual (Digital Version)
An IS auditor noted a recent production incident in which a teller transaction system incorrectly charged fees to customers due to a defect from a recent release.
Which of the following should be the auditor’s NEXT step?
- A . Evaluate developer training.
- B . Evaluate the incident management process.
- C . Evaluate the change management process.
- D . Evaluate secure code practices.
C
Explanation:
The change management process is the set of procedures and activities that ensure that changes to the information system are authorized, tested, documented, and implemented in a controlled manner [1][2]. A defect in a recent release indicates that there may be issues with the quality assurance, testing, or approval of the changes, which could affect the reliability, security, and performance of the system [3]. Therefore, the auditor’s next step should be to evaluate the change management process and identify the root cause of the defect, as well as the impact and remediation of the incident.
Reference:
1: Change Management – CISA
2: What is Change Management? – Definition from Techopedia
3: How to Audit Change Management – ISACA Journal
The Business Case for Security | CISA
