Practice Free CISA Exam Online Questions
Which of the following should be of GREATEST concern to an IS auditor for work-from-anywhere scenarios as compared to work from home or work from office?
- A . Inadequate physical security practices in public places
- B . Susceptibility to targeted phishing attacks
- C . Use of insecurely configured wireless networks
- D . Use of weak passwords and authentication methods
An organization allows employees to retain confidential data on personal mobile devices.
Which of the following is the BEST recommendation to mitigate the risk of data leakage from lost or stolen devices?
- A . Require employees to attend security awareness training.
- B . Password protect critical data files.
- C . Configure to auto-wipe after multiple failed access attempts.
- D . Enable device auto-lock function.
C
Explanation:
The best recommendation to mitigate the risk of data leakage from lost or stolen devices that contain confidential data is to configure them to auto-wipe after multiple failed access attempts, as this would prevent unauthorized access and erase sensitive information from the device. Requiring employees to attend security awareness training, password protecting critical data files, or enabling the device auto-lock function are also good practices, but they may not be sufficient or effective in preventing data leakage from lost or stolen devices.
Reference: CISA Review Manual (Digital Version), Chapter 5, Section 5.3
When physical destruction IS not practical, which of the following is the MOST effective means of disposing of sensitive data on a hard disk?
- A . Overwriting multiple times
- B . Encrypting the disk
- C . Reformatting
- D . Deleting files sequentially
A
Explanation:
The correct answer is A. Overwriting multiple times. Overwriting is a method of securely erasing data from a hard disk by replacing the existing data with random or meaningless data, making it difficult or impossible to recover the original data. Overwriting multiple times, also known as multiple-pass overwriting, is a more effective way of disposing of sensitive data than overwriting once, as it reduces the possibility of residual traces of data that could be recovered by advanced techniques. Overwriting multiple times can be done by using specialized software tools that follow certain standards or algorithms, such as the US Department of Defense’s DoD 5220.22-M or the Gutmann method.
Which of the following should be of GREATEST concern to an IS auditor reviewing data conversion and migration during the implementation of a new application system?
- A . The change management process was not formally documented
- B . Backups of the old system and data are not available online
- C . Unauthorized data modifications occurred during conversion.
- D . Data conversion was performed using manual processes
C
Explanation:
The finding that should be of greatest concern to an IS auditor reviewing data conversion and migration during the implementation of a new application system is that unauthorized data modifications occurred during conversion. Data conversion and migration is a process that involves transferring data from one system to another, ensuring its accuracy, completeness, integrity, and usability. Unauthorized data modifications during conversion can result in data loss, corruption, inconsistency, or duplication, which can affect the functionality, performance, reliability, and security of the new system. Unauthorized data modifications can also have serious business implications, such as affecting decision making, reporting, compliance, customer service, and revenue. The IS auditor should verify that adequate controls are in place to prevent, detect, and correct unauthorized data modifications during conversion, such as access control, data validation, reconciliation, audit trail, and backup and recovery. The other findings (A, B and D) are less concerning, as they can be mitigated by documenting the change management process, restoring the backups of the old system and data from offline storage, or automating the data conversion process.
Reference: CISA Review Manual (Digital Version), Chapter 3: Information Systems Acquisition, Development & Implementation, Section 3.4: System Implementation
Which of the following techniques BEST mitigates the risk of pervasive network attacks?
- A . Segmentation
- B . Configuration assessment
- C . Encryption
- D . Demilitarized zone (DMZ)
Which of the following protocols should be used when transferring data via the internet?
- A . User Datagram Protocol (UDP)
- B . Hypertext Transfer Protocol (HTTP)
- C . Secure File Transfer Protocol (SFTP)
- D . Remote Desktop Protocol (RDP)
C
Explanation:
Comprehensive and Detailed Step-by-Step
SFTP (Secure File Transfer Protocol) is the most secure option for transferring data over the internet, as it encrypts both commands and data, ensuring confidentiality and integrity.
SFTP (Correct Answer: C)
Uses SSH (Secure Shell) for encryption.
Provides authentication and encryption for secure data transfers.
Example: A company uses SFTP to securely transmit payroll files to a third-party processor.
UDP (Incorrect: A)
Faster but lacks encryption and data integrity checks.
HTTP (Incorrect: B)
Transfers data in plaintext and is vulnerable to interception.
RDP (Incorrect: D)
Used for remote desktop access, not secure file transfers.
Reference: ISACA CISA Review Manual
NIST 800-52 (Guidelines for Transport Layer Security)
Which of the following is the PRIMARY purpose of conducting a control self-assessment (CSA)?
- A . To replace audit responsibilities
- B . To reduce control costs
- C . To promote control ownership
- D . To enable early detection of risks
Which of the following is the GREATEST risk associated with hypervisors in virtual environments?
- A . Availability issues
- B . Virtual sprawl
- C . Single point of failure
- D . Lack of patches
C
Explanation:
A single point of failure is a component or system that, if it fails, will cause the entire system to stop functioning. In virtual environments, the hypervisor is the software layer that enables multiple virtual machines to run on a single physical host. If the hypervisor is compromised, corrupted, or unavailable, all the virtual machines running on that host will be affected. This can result in data loss, downtime, or security breaches.
Reference
ISACA CISA Review Manual, 27th Edition, page 254
Virtualization: What are the security risks?
What Is a Hypervisor? (Definition, Types, Risks)
Which of the following is MOST important for an IS auditor to verify when reviewing the use of an outsourcer for disposal of storage media?
- A . The vendor’s process appropriately sanitizes the media before disposal
- B . The contract includes issuance of a certificate of destruction by the vendor
- C . The vendor has not experienced security incidents in the past.
- D . The disposal transportation vehicle is fully secure
A
Explanation:
The most important thing for an IS auditor to verify when reviewing the use of an outsourcer for disposal of storage media is that the vendor’s process appropriately sanitizes the media before disposal. As explained in the previous question, storage media may contain sensitive or confidential information that needs to be protected from unauthorized access, disclosure, or misuse. The IS auditor should verify that the vendor has a process that appropriately sanitizes the media before disposal, such as wiping, degaussing, shredding, or incinerating, and that the process is effective and compliant with the organization’s policies and standards. The other options are not as important as verifying the vendor’s process, because they either do not ensure the security and privacy of the information on the media, or they are secondary to the vendor’s process.
Reference: CISA Review Manual (Digital Version), Chapter 5, Section 5.2.7
Which of the following would provide the MOST important input during the planning phase for an audit on the implementation of a bring your own device (BYOD) program?
- A . Findings from prior audits
- B . Results of a risk assessment
- C . An inventory of personal devices to be connected to the corporate network
- D . Policies including BYOD acceptable user statements
D
Explanation:
The most important input during the planning phase for an audit on the implementation of a bring your own device (BYOD) program is policies including BYOD acceptable user statements. Policies are documents that define the organization’s objectives, requirements, expectations, and responsibilities regarding a specific topic or area. BYOD policies should include acceptable user statements that specify what types of personal devices are allowed to connect to the corporate network, what security measures must be implemented on those devices, what data can be accessed or stored on those devices, what actions must be taken in case of device loss or theft, and what consequences will apply for non-compliance. Policies including BYOD acceptable user statements can provide an IS auditor with a clear understanding of the scope, criteria, and objectives of the BYOD program audit. Findings from prior audits, results of a risk assessment, and an inventory of personal devices to be connected to the corporate network are also useful inputs for planning a BYOD program audit, but they are not as important as policies including BYOD acceptable user statements.
Reference: ISACA CISA Review Manual 27th Edition, page 381.