Practice Free CISA Exam Online Questions
Which of the following is the BEST disposal method for flash drives that previously stored confidential data?
- A . Destruction
- B . Degaussing
- C . Cryptographic erasure
- D . Overwriting
Which of the following is MOST helpful for measuring benefits realization for a new system?
- A . Function point analysis
- B . Balanced scorecard review
- C . Post-implementation review
- D . Business impact analysis (BIA)
C
Explanation:
This is the most helpful method for measuring benefits realization for a new system, because it involves evaluating the actual outcomes and impacts of the system after it has been implemented and used for a certain period of time. A post-implementation review can compare the actual benefits with the expected benefits that were defined in the business case or the benefits realization plan, and identify any gaps, issues, or opportunities for improvement. A post-implementation review can also assess the effectiveness, efficiency, and satisfaction of the system’s users, stakeholders, and customers, and provide feedback and recommendations for future enhancements or changes.
The other options are not as helpful as post-implementation review for measuring benefits realization for a new system:
Function point analysis. This is a technique that measures the size and complexity of a software system based on the number and types of functions it provides. Function point analysis can help estimate the cost, effort, and time required to develop, maintain, or enhance a software system, but it does not measure the actual benefits or value that the system delivers to the organization or its users.
Balanced scorecard review. This is a strategic management tool that measures the performance of an organization or a business unit based on four perspectives: financial, customer, internal process, and learning and growth. A balanced scorecard review can help align the organization’s vision, mission, and goals with its activities and outcomes, but it does not measure the specific benefits or impacts of a new system.
Business impact analysis (BIA). This is a process that identifies and evaluates the potential effects of a disruption or disaster on the organization’s critical business functions and processes. A BIA can help determine the recovery priorities, objectives, and strategies for the organization in case of an emergency, but it does not measure the benefits or value of a new system.
Which of the following is MOST useful for determining the strategy for IT portfolio management?
- A . IT metrics dashboards
- B . IT roadmap
- C . Capability maturity model
- D . Life cycle cost-benefit analysis
Which of the following should be used to evaluate an IT development project before an investment is committed?
- A . Earned value analysis (EVA)
- B . Rapid application development
- C . Function point analysis
- D . Feasibility study
An IS auditor discovers that validation controls in a web application have been moved from the server side into the browser to boost performance.
This would MOST likely increase the risk of a successful attack by:
- A . structured query language (SQL) injection
- B . buffer overflow.
- C . denial of service (DoS).
- D . phishing.
A
Explanation:
Validation controls are used to check input data from the user before the server processes it. If the validation controls are moved from the server side to the browser, the user controls whether they run at all: the checks can be modified or disabled with browser developer tools or the JavaScript console, intercepted and altered with a proxy, or skipped entirely by submitting crafted requests straight to the server with a command-line client, so the validation code never executes. Client-side validation is a usability feature; only a server-side copy is a security control. Without it, the risk of a successful structured query language (SQL) injection attack increases. SQL injection exploits an application that builds database queries from unvalidated input, allowing an attacker to execute arbitrary SQL commands on the underlying database, which can result in data theft, data corruption, or unauthorized access to the system. The server must therefore validate input regardless of what the browser does and pass values to the database as bound parameters rather than as query text.
Buffer overflow, denial of service (DoS), and phishing are not directly related to the validation controls in a web application. Buffer overflow is a type of attack that exploits a memory management flaw in an application or system that allows an attacker to write data beyond the allocated buffer size and overwrite adjacent memory locations. DoS is a type of attack that prevents legitimate users from accessing a service or resource by overwhelming it with requests or traffic. Phishing is a type of attack that uses fraudulent emails or websites to trick users into revealing sensitive information or installing malware.
Reference: Client-side form validation (MDN Web Docs, Learn web development); JavaScript: client-side vs. server-side validation (Stack Overflow); SQL Injection (OWASP).
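As an added example (not from the page or any of its references), the situation described above in Python with an in-memory SQLite database: a login check that relies on the browser's validation and concatenates the submitted values into SQL, beside a hardened version that repeats the validation on the server and binds the values as query parameters. The table, the account, and the injection payload are constructed for the demonstration; passwords are stored in plaintext only to keep the example short, a real system stores salted hashes.

```python
import sqlite3


def make_db():
    """Constructed sample database (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse-battery')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Server endpoint that assumes the browser already validated the fields.

    An attacker never runs the page's JavaScript: the raw form body is posted
    with curl or an intercepting proxy, so whatever reaches this function is
    untrusted. Concatenating it into the statement lets the input rewrite the
    query instead of being compared as data.
    """
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def server_side_validate(username, password):
    """The checks that were moved to the browser, repeated on the server.

    Limits are assumptions for the example. Validation narrows the input
    space but is not by itself a defence against injection; the payload used
    in demo() passes these checks.
    """
    if not (1 <= len(username) <= 32) or not username.isalnum():
        return False
    if not (8 <= len(password) <= 128):
        return False
    return True


def login_hardened(conn, username, password):
    """Validates on the server and binds values as parameters, never as SQL text."""
    if not server_side_validate(username, password):
        return False
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


def demo():
    """Returns (vulnerable_result, hardened_result) for a classic tautology payload."""
    conn = make_db()
    # Constructed payload: closes the string literal, then appends OR '1'='1'.
    # The vulnerable query becomes
    #   ... WHERE username = 'alice' AND password = '' OR '1'='1'
    # and matches every row; the parameterized query compares the payload
    # as a literal password and matches nothing.
    payload = "' OR '1'='1"
    return login_vulnerable(conn, "alice", payload), login_hardened(conn, "alice", payload)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The point an auditor should take from the contrast: the hardened version passes the same payload through the same validation rules and is still safe, because the parameter binding, not the validation, is what stops the input from being interpreted as SQL.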
A financial group recently implemented new technologies and processes.
Which type of IS audit would provide the GREATEST level of assurance that the department’s objectives have been met?
- A . Performance audit
- B . Integrated audit
- C . Cyber audit
- D . Financial audit
B
Explanation:
The type of IS audit that would provide the greatest level of assurance that the department’s objectives have been met after implementing new technologies and processes is an integrated audit. An integrated audit is an audit that combines financial, operational, compliance, and IT auditing aspects to provide a holistic view of the organization’s performance and risks. An integrated audit can evaluate whether the new technologies and processes are aligned with the organization’s goals, strategies, policies, and controls, and whether they are delivering value, efficiency, effectiveness, and reliability. The other types of IS audits (A, C and D) would not provide the same level of assurance, as they would only focus on specific aspects of the organization’s activities, such as performance, cyber security, or financial reporting, which may not capture the full impact of the new technologies and processes.
Reference: CISA Certification | Certified Information Systems Auditor | ISACA, CISA Review Manual (Digital Version), Chapter 1: The Process of Auditing Information Systems, Section 1.2: Types of IS Audit Engagements
Which of the following access rights presents the GREATEST risk when granted to a new member of the system development staff?
- A . Write access to production program libraries
- B . Write access to development data libraries
- C . Execute access to production program libraries
- D . Execute access to development program libraries
A
Explanation:
Write access to production program libraries presents the greatest risk when granted to a new member of the system development staff. Production program libraries contain executable code that runs on live systems and supports critical business functions. Write access allows a user to modify or delete existing programs, or add new programs to the library, and a new developer has not yet been vetted through the organization's change process. Unauthorized or erroneous changes to production programs could cause serious disruptions, errors, or security breaches in the organization's operations, and a developer who can write to production can bypass testing and approval altogether. Therefore, write access to production program libraries should be restricted to authorized personnel only, typically a separate release or library-management function, and subject to strict change management controls; developers work in development libraries and changes are promoted to production through that controlled process.
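As an added example (not from the page), a small Python check of the kind an IS auditor or platform engineer runs against a production program library on a Unix host: it walks the directory and reports any entry that is writable by group or world, or owned by a UID outside an allowlist of release-management accounts. The directory layout, file names, and allowlist are constructed for the demonstration; on a real system the allowlist comes from the change-management records.

```python
import os
import stat
import tempfile


def audit_program_library(root, allowed_owner_uids):
    """Return [(path, finding), ...] for entries that violate the expected
    production-library posture: no group/world write bit, and every entry
    owned by an account on the release-management allowlist.
    """
    findings = []
    entries = []
    for dirpath, _dirnames, filenames in os.walk(root):
        entries.append(dirpath)  # each directory appears once as dirpath
        entries.extend(os.path.join(dirpath, f) for f in filenames)
    for path in entries:
        st = os.lstat(path)
        perm = stat.S_IMODE(st.st_mode)
        if perm & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((path, "writable by group or others (mode %04o)" % perm))
        if st.st_uid not in allowed_owner_uids:
            findings.append((path, "owned by uid %d, not a release-management account" % st.st_uid))
    return findings


def build_sample_library():
    """Constructed sample tree (not a real production library): one correctly
    protected object and one that a developer in the group could overwrite."""
    root = tempfile.mkdtemp(prefix="prodlib_")
    os.chmod(root, 0o750)
    good = os.path.join(root, "payroll_calc.so")
    bad = os.path.join(root, "ledger_post.so")
    for p in (good, bad):
        with open(p, "wb") as f:
            f.write(b"constructed placeholder, not a real program")
    os.chmod(good, 0o750)
    os.chmod(bad, 0o775)  # group-writable: the finding the audit should raise
    return root


def demo():
    """Audit the constructed tree, treating the current user as the release account."""
    return audit_program_library(build_sample_library(), {os.getuid()})


if __name__ == "__main__":
    for path, finding in demo():
        print(path, "->", finding)
```

The same walk can be pointed at a real library path and fed the UIDs of the release accounts; any developer account appearing as owner, or any group-writable object where developers share the group, is the access the question warns about.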
When determining the quality of evidence collected during an audit, it is MOST important to ensure the evidence is:
- A . Valid, complete, and accurate.
- B . Timely, reliable, and reasonable.
- C . Sufficient and comes from the source of the information.
- D . Persuasive and applicable.
D
Explanation:
ISACA defines sufficient and appropriate evidence as the standard for audit conclusions. Appropriateness relates to relevance (applicability) and reliability (persuasiveness). Evidence that is persuasive and directly applicable to the audit objective provides stronger assurance than evidence that is merely timely, complete, or reasonable. While the other options describe desirable qualities, they do not encompass the full ISACA standard. Thus, the most complete characterization of quality evidence is that it must be persuasive and applicable to the audit’s purpose.
Reference (ISACA): ISACA Audit & Assurance Standards; ISACA ITAF Guidelines on Evidence.
Which of the following is the PRIMARY advantage of using an automated security log monitoring tool over a manual review to monitor the use of privileged access?
- A . Increased likelihood of detecting suspicious activity
- B . Reduced costs associated with automating the review
- C . Improved incident response time
- D . Reduced manual effort of reviewing logs
A
Explanation:
Automated monitoring tools increase the likelihood of detecting suspicious activity (Option A) because they analyze security logs continuously and consistently, apply the same rules to every event, and can correlate activity across sources and over time, whereas a periodic manual review samples a small fraction of the volume and misses what falls between reviews. Lower cost, faster incident response, and reduced manual effort are real benefits, but they are secondary to the detection improvement that is the reason for monitoring privileged access in the first place.
Reference: ISACA CISA Review Manual; Security Information and Event Management (SIEM) solutions are recommended for privileged access monitoring.
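As an added example (not from the page or from ISACA's material), the kind of rule set an automated monitor runs continuously over privileged-access logs, written in Python and run over constructed sudo log lines: each line is parsed, then flagged when the account is not on the approved administrator list, the access is outside business hours, the privilege escalation failed, or the command is sensitive. The line layout follows the usual sudo syslog format; the hostname, accounts, approved list, business-hours window, and sensitive-command pattern are constructed assumptions for the demonstration.

```python
import re

# Constructed sample log lines (not from any real system).
SAMPLE_LOG = """\
Mar 10 09:12:01 app01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 10 02:47:13 app01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar 10 02:47:20 app01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar 10 10:05:44 app01 sudo:    carol : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
Mar 10 10:30:00 app01 sudo:    alice : TTY=pts/0 ; PWD=/var/www ; USER=root ; COMMAND=/usr/bin/tail /var/log/nginx/error.log
"""

SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sudo:\s+(?P<user>\S+) : (?P<body>.*)$"
)
# Assumed list of commands that warrant a look whenever they run as root.
SENSITIVE_CMD = re.compile(r"(/bin/(ba)?sh$|/etc/shadow|useradd|usermod|visudo)")


def parse_sudo_line(line):
    """Parse one sudo syslog line into a dict, or return None if it is not one."""
    m = SUDO_RE.match(line)
    if m is None:
        return None
    fields = {}
    failed = False
    for part in m.group("body").split(" ; "):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
        elif "incorrect password" in part:
            failed = True
    hour = int(m.group("ts").split()[2].split(":")[0])
    return {
        "user": m.group("user"),
        "host": m.group("host"),
        "hour": hour,
        "target": fields.get("USER"),
        "command": fields.get("COMMAND"),
        "failed": failed,
    }


def analyze(log_text, approved_admins, business_hours=(8, 18)):
    """Apply the monitoring rules to every line; return one finding per flagged line."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_sudo_line(line)
        if ev is None:
            continue
        reasons = []
        if ev["user"] not in approved_admins:
            reasons.append("account not on the approved privileged-access list")
        if not (business_hours[0] <= ev["hour"] < business_hours[1]):
            reasons.append("privileged access outside business hours")
        if ev["failed"]:
            reasons.append("failed privilege escalation")
        if ev["command"] and SENSITIVE_CMD.search(ev["command"]):
            reasons.append("sensitive command: " + ev["command"])
        if reasons:
            findings.append({"user": ev["user"], "host": ev["host"], "reasons": reasons, "line": line})
    return findings


def demo():
    """Run the rules over the constructed log with alice as the only approved admin."""
    return analyze(SAMPLE_LOG, {"alice"})


if __name__ == "__main__":
    for f in demo():
        print(f["user"], "on", f["host"], "->", "; ".join(f["reasons"]))
```

A manual reviewer looking at a day's worth of such lines would likely spot bob's 02:47 shell, but only if that day was sampled; the rules above fire on every line as it arrives, which is the detection advantage the question is asking about.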
The waterfall life cycle model of software development is BEST suited for which of the following situations?
- A . The project will involve the use of new technology.
- B . The project intends to apply an object-oriented design approach.
- C . The project requirements are well understood.
- D . The project is subject to time pressures.
