Practice Free CISA Exam Online Questions
Following a breach, what is the BEST source to determine the maximum amount of time before customers must be notified that their personal information may have been compromised?
- A . Industry regulations
- B . Industry standards
- C . Incident response plan
- D . Information security policy
A
Explanation:
Following a breach, the maximum amount of time before customers must be notified that their personal information may have been compromised depends on the industry regulations that apply to the organization. Different industries and jurisdictions may have different legal and regulatory requirements for breach notification, such as the General Data Protection Regulation (GDPR) in the European Union, the Health Insurance Portability and Accountability Act (HIPAA) in the United States, or the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada. Industry standards, incident response plans, and information security policies are not as authoritative as industry regulations in determining the breach notification time frame.
Reference: CISA Review Manual (Digital Version), [ISACA Privacy Principles and Program Management Guide]
During the implementation of an upgraded enterprise resource planning (ERP) system, which of the following is the MOST important consideration for a go-live decision?
- A . Rollback strategy
- B . Test cases
- C . Post-implementation review objectives
- D . Business case
D
Explanation:
The most important consideration for a go-live decision when implementing an upgraded enterprise resource planning (ERP) system is the business case. The business case is the document that defines and justifies the need, value, feasibility, and risks of the project. It also outlines the expected costs, benefits, outcomes, and impacts of the project. The business case provides the basis for measuring and evaluating the success of the project. Therefore, before deciding to go live with an upgraded ERP system, it is essential to review and validate the business case to ensure that it is still relevant, accurate, realistic, and achievable.
A rollback strategy, test cases, and post-implementation review objectives are not the most important considerations for a go-live decision when implementing an upgraded ERP system. These are important elements of project planning, execution, and evaluation, but they are not sufficient to determine whether the project is worth pursuing or delivering. These elements should be aligned with and derived from the business case.
Which of the following observations would an IS auditor consider the GREATEST risk when conducting an audit of a virtual server farm for potential software vulnerabilities?
- A . Guest operating systems are updated monthly
- B . The hypervisor is updated quarterly.
- C . A variety of guest operating systems operate on one virtual server
- D . Antivirus software has been implemented on the guest operating system only.
D
Explanation:
The observation that antivirus software has been implemented on the guest operating system only is the one an IS auditor would consider the greatest risk when conducting an audit of a virtual server farm for potential software vulnerabilities. A virtual server farm is a collection of servers that run multiple virtual machines (VMs) on a single physical host using a software layer called a hypervisor. A guest operating system is the operating system installed on each VM. Antivirus software is a program that detects and removes malicious software from a computer system. If antivirus software has been implemented on the guest operating systems only, the hypervisor and the host operating system are not protected from malware, and a compromise of either could affect the security and availability of every VM running on that host. Therefore, antivirus software should be implemented on the host operating system and the hypervisor as well as on the guest operating systems.
Reference: CISA Review Manual, 27th Edition, page 378
Which of the following should be of GREATEST concern to an IS auditor reviewing an organization’s business continuity plan (BCP)?
- A . The BCP’s contact information needs to be updated
- B . The BCP is not version controlled.
- C . The BCP has not been approved by senior management.
- D . The BCP has not been tested since it was first issued.
D
Explanation:
The greatest concern for an IS auditor reviewing an organization’s business continuity plan (BCP) is that the BCP has not been tested since it was first issued. A BCP is a document that describes how an organization will continue its critical business functions in the event of a disruption or disaster. A BCP should include information such as roles and responsibilities, recovery strategies, resources, procedures, communication plans, and backup arrangements. Testing the BCP is a vital step in ensuring its validity, effectiveness, and readiness. Testing the BCP involves simulating various scenarios and executing the BCP to verify whether it meets its objectives and requirements. Testing the BCP can also help to identify and correct any gaps, errors, or weaknesses in the BCP before they become issues during a real incident. Therefore, an IS auditor should be concerned if the BCP has not been tested since it was first issued, as it may indicate that the BCP is outdated, inaccurate, incomplete, or ineffective.
The other options are less concerning or incorrect because:
Which of the following should be the GREATEST concern for an IS auditor assessing an organization’s disaster recovery plan (DRP)?
- A . The DRP was developed by the IT department.
- B . The DRP has not been tested during the past three years.
- C . The DRP has not been updated for two years.
- D . The DRP does not include the recovery time objective (RTO) for a key system.
B
Explanation:
The DRP is a set of procedures and resources that enable an organization to restore its critical IT functions and operations in the event of a disaster or disruption. The DRP should be tested regularly to ensure its effectiveness, validity, and readiness. Testing the DRP can help to identify and resolve any gaps, issues, or weaknesses in the plan, as well as to evaluate the performance and capability of the recovery team and resources. If the DRP has not been tested during the past three years, it may not reflect the current IT environment, business requirements, or recovery objectives, and it may fail to meet the expectations and needs of the stakeholders.
Reference:
ISACA CISA Review Manual, 27th Edition, page 255
Disaster Recovery Plan Testing: The Ultimate Checklist
What is a Disaster Recovery Plan (DRP) and How Do You Write One?
An organization used robotic process automation (RPA) technology to develop software bots that extract data from various sources for input into a legacy financial application.
Which of the following should be of GREATEST concern to an IS auditor when reviewing the software bot job scheduling and production process automation?
- A . Minor overrides were not authorized by the business
- B . Software bots were incapable of learning from training data
- C . Software bots were programmed to record all user interactions, including mouse tracking
- D . Unauthorized modifications were made to the scripts to improve performance
D
Explanation:
Unauthorized modifications to scripts (D) pose the greatest risk because they can lead to unintended processing errors, security vulnerabilities, or fraudulent activities. Change management controls should be in place to prevent unauthorized script changes.
Other options:
Minor overrides not authorized (A) is a concern but does not pose as much risk as unauthorized script changes.
Bots incapable of learning (B) is a limitation but not a security risk.
Recording user interactions (C) raises privacy concerns but is not as critical as unauthorized script modifications.
Reference: ISACA CISA Review Manual, Information Systems Operations and Business Resilience
An IS audit manager is reviewing workpapers for a recently completed audit of the corporate disaster recovery test.
Which of the following should the IS audit manager specifically review to substantiate the conclusions?
- A . Overviews of interviews between data center personnel and the auditor
- B . Prior audit reports involving other corporate disaster recovery audits
- C . Summary memos reflecting audit opinions regarding noted weaknesses
- D . Detailed evidence of the successes and weaknesses of all contingency testing
D
Explanation:
The IS audit manager should specifically review the detailed evidence of the successes and weaknesses of all contingency testing to substantiate the conclusions of the audit of the corporate disaster recovery test. This is because the detailed evidence can provide the audit manager with a clear and objective picture of how well the disaster recovery plan was executed, what issues or gaps were encountered, and what recommendations or actions were taken to address them. The detailed evidence can also help the audit manager to verify the accuracy, completeness, and validity of the audit findings, as well as to evaluate the adequacy and effectiveness of the disaster recovery controls.
The other options are not as specific or relevant as the detailed evidence of all contingency testing. Overviews of interviews between data center personnel and the auditor may provide some useful information, but they are not sufficient to substantiate the conclusions without supporting evidence from the actual testing. Prior audit reports involving other corporate disaster recovery audits may provide some benchmarking or comparison data, but they are not directly related to the current audit scope and objectives. Summary memos reflecting audit opinions regarding noted weaknesses may provide some high-level insights, but they are not enough to substantiate the conclusions without detailed evidence to back them up.
Reference: ISACA, CISA Review Manual, 27th Edition, 2019, p. 241
Disaster Recovery Audit Work Program
The PRIMARY benefit to using a dry-pipe fire-suppression system rather than a wet-pipe system is that a dry-pipe system:
- A . is more effective at suppressing flames.
- B . allows more time to abort release of the suppressant.
- C . has a decreased risk of leakage.
- D . disperses dry chemical suppressants exclusively.
C
Explanation:
The primary benefit of using a dry-pipe fire-suppression system rather than a wet-pipe system is that a dry-pipe system has a decreased risk of leakage, as the pipes are filled with pressurized air or nitrogen instead of water until the system is activated. A wet-pipe system has a higher risk of leakage, corrosion, and freezing. A dry-pipe system is not more effective at suppressing flames, as it uses the same water-based suppressant as a wet-pipe system. A dry-pipe system does not allow more time to abort release of the suppressant, as it has a delay of only a few seconds before the water is released. A dry-pipe system does not disperse dry chemical suppressants exclusively, as it uses water as the primary suppressant.
Reference: CISA Review Manual (Digital Version), Chapter 5, Section 5.2.3
The BEST way to determine whether programmers have permission to alter data in the production environment is by reviewing:
- A . the access control system’s log settings.
- B . how the latest system changes were implemented.
- C . the access control system’s configuration.
- D . the access rights that have been granted.
D
Explanation:
The best way to determine whether programmers have permission to alter data in the production environment is by reviewing the access rights that have been granted. Access rights are permissions or privileges that define what actions or operations a user can perform on an information system or resource. By reviewing the access rights that have been granted to programmers, an IS auditor can verify whether they have been authorized to modify data in the production environment, which is where live data and applications are stored and executed. The access control system’s log settings are parameters that define what events or activities are recorded by the access control system, which is a system that enforces the access rights and policies of an information system or resource. The access control system’s log settings are not the best way to determine whether programmers have permission to alter data in the production environment, as they do not indicate what permissions or privileges have been granted to programmers.
How the latest system changes were implemented is a process that describes how software updates or modifications are deployed to the production environment. It is not the best way to determine whether programmers have permission to alter data in the production environment, as it does not indicate what permissions or privileges have been granted to programmers. The access control system’s configuration is a set of rules or parameters that define how the access control system operates and functions. It is likewise not the best way to determine whether programmers have permission to alter data in the production environment, as it does not indicate what permissions or privileges have been granted to programmers.
During an audit of a financial application, it was determined that many terminated users’ accounts were not disabled.
Which of the following should be the IS auditor’s NEXT step?
- A . Perform substantive testing of terminated users’ access rights.
- B . Perform a review of terminated users’ account activity
- C . Communicate risks to the application owner.
- D . Conclude that IT general controls are ineffective.
B
Explanation:
The IS auditor’s next step after determining that many terminated users’ accounts were not disabled is to perform a review of terminated users’ account activity. This means that the IS auditor should check whether any of the terminated users’ accounts were accessed or used after their termination date, which could indicate unauthorized or fraudulent activity. The IS auditor should also assess the impact and risk of such activity on the confidentiality, integrity, and availability of IT resources and data. The other options are not as appropriate as performing a review of terminated users’ account activity, as they do not provide sufficient evidence or assurance of the extent and effect of the problem.
Reference: CISA Review Manual, 27th Edition, page 240
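As an added example that is not part of this question bank, the following Python sketch performs the check the explanation describes: it compares authentication events against HR termination dates and flags any activity after a user's last working day. The termination list, the log format (timestamp, user, event, source address) and the log lines are constructed sample data, not from any real system.

```python
# Added example (not from the page): review post-termination account activity.
# HR termination records and authentication log lines below are constructed
# sample data; the log format (timestamp, user, event, source) is assumed.
from datetime import date, datetime

TERMINATED_USERS = {          # constructed: user -> last working day
    "jsmith": date(2024, 3, 15),
    "mlee": date(2024, 4, 2),
    "rdiaz": date(2024, 4, 20),
}

AUTH_LOG = """\
2024-03-14T17:55:02 jsmith LOGIN_SUCCESS 10.0.5.21
2024-03-16T08:12:44 jsmith LOGIN_SUCCESS 10.0.5.21
2024-03-30T22:03:10 jsmith LOGIN_SUCCESS 203.0.113.9
2024-04-02T09:00:11 mlee LOGIN_SUCCESS 10.0.7.3
2024-04-03T10:15:00 mlee LOGIN_FAILURE 10.0.7.3
2024-04-25T07:40:09 rdiaz LOGIN_SUCCESS 10.0.9.8
2024-04-26T11:02:37 asmith LOGIN_SUCCESS 10.0.2.2
"""

def parse_log(text):
    """Parse constructed log lines into (timestamp, user, event, source) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, src = line.split()
        events.append((datetime.fromisoformat(ts), user, event, src))
    return events

def post_termination_activity(terminated, events):
    """Return {user: [(timestamp, event, source), ...]} for every event
    recorded after the user's termination date. Same-day activity is not
    flagged, because the last working day is still an authorized day."""
    findings = {}
    for ts, user, event, src in events:
        last_day = terminated.get(user)
        if last_day is None or ts.date() <= last_day:
            continue
        findings.setdefault(user, []).append((ts, event, src))
    return findings

def summarize(findings):
    """Per-user count of successful logins after termination, for the workpaper."""
    return {u: sum(1 for _, ev, _ in evs if ev == "LOGIN_SUCCESS")
            for u, evs in findings.items()}
```

A failed login after termination (mlee) is still reported, since it shows the account remained enabled and reachable even though no access occurred.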
