Practice Free CISA Exam Online Questions
Which of the following is the BEST way to address potential data privacy concerns associated with inadvertent disclosure of machine identifier information contained within security logs?
- A . Limit the use of logs to only those purposes for which they were collected
- B . Restrict the transfer of log files from host machine to online storage
- C . Only collect logs from servers classified as business critical
- D . Limit log collection to only periods of increased security activity
Which of the following is the BEST compensating control against separation of duties conflicts in new code development?
- A . Post-implementation change review
- B . Adding the developers to the change approval board
- C . Creation of staging environments
- D . A small number of people have access to deploy code
A
Explanation:
If SoD cannot be fully implemented, an independent review of changes after deployment provides assurance that inappropriate or unauthorized code has not been introduced. Other options either weaken controls or fail to provide adequate oversight.
Reference (ISACA): COBIT® BAI06 (Managed IT Changes).
Which of the following poses the GREATEST risk to an organization when employees use public social networking sites?
- A . Cross-site scripting (XSS)
- B . Copyright violations
- C . Social engineering
- D . Adverse posts about the organization
C
Explanation:
Social engineering is the manipulation of people to perform actions or divulge confidential information. It is a common technique used by attackers to gain unauthorized access to systems or data. Employees who use public social networking sites may be vulnerable to social engineering attacks, such as phishing, baiting, or pretexting, which pose the greatest risk to the organization’s security. The other options are not as serious as social engineering, as they relate to web application vulnerabilities, intellectual property rights, and reputation management, which are less likely to compromise the organization’s assets or operations.
Reference: CISA Review Manual (Digital Version), Domain 5: Protection of Information Assets, Section 5.3 Security Awareness Training
In which of the following system development life cycle (SDLC) phases would an IS auditor expect to find that controls have been incorporated into system specifications?
- A . Implementation
- B . Development
- C . Feasibility
- D . Design
D
Explanation:
The design phase of the system development life cycle (SDLC) is where an IS auditor would expect to find that controls have been incorporated into system specifications, because this is where the system requirements are translated into detailed design specifications that include the technical, functional, and security aspects of the system. The implementation phase is where the system is deployed and tested, the development phase is where the system is coded and unit tested, and the feasibility phase is where the system objectives and scope are defined.
Reference: CISA Review Manual (Digital Version), Chapter 4, Section 4.2.2; CISA Online Review Course, Module 4, Lesson 2
An IS auditor is reviewing a recent security incident and is seeking information about the approval of a recent modification to a database system’s security settings.
Where would the auditor MOST likely find this information?
- A . System event correlation report
- B . Database log
- C . Change log
- D . Security incident and event management (SIEM) report
C
Explanation:
A change log is a record of all changes made to a system or application, including the date, time, description, and approval of each change. A change log can help an IS auditor to trace the source and authorization of a modification to a system’s security settings. A system event correlation report is a tool that analyzes data from multiple sources to identify patterns and anomalies that indicate potential security incidents. A database log is a record of all transactions and activities performed on a database, such as queries, updates, and backups. A security incident and event management (SIEM) report is a tool that collects, analyzes, and reports on data from various sources to detect and respond to security incidents.
Who should be the FIRST to evaluate an audit report prior to issuing it to the project steering committee?
- A . IS audit manager
- B . Audit committee
- C . Business owner
- D . Project sponsor
An IS auditor concludes that an organization has a quality security policy.
Which of the following is MOST important to determine next? The policy must be:
- A . well understood by all employees.
- B . based on industry standards.
- C . developed by process owners.
- D . updated frequently.
A
Explanation:
The most important thing to determine next after concluding that an organization has a quality security policy is whether the policy is well understood by all employees. A security policy is a document that defines the objectives, scope, roles, responsibilities, and rules for information security within an organization. A quality security policy is one that is clear, concise, consistent, comprehensive, and aligned with business goals and requirements. However, a quality security policy is useless if it is not well understood by the employees who are expected to comply with it. Therefore, the IS auditor should assess the level of awareness and understanding of the security policy among employees and identify any gaps or issues that need to be addressed. The other options are not as important as ensuring that the security policy is well understood by all employees, as they do not directly affect the implementation and effectiveness of the security policy.
Reference: CISA Review Manual, 27th Edition, page 317
Which of the following findings related to segregation of duties should be of GREATEST concern to an IS auditor?
- A . The person who tests source code also approves changes.
- B . The person who administers servers is also part of the infrastructure management team.
- C . The person who creates new user accounts also modifies user access levels.
- D . The person who edits source code also has write access to production.
An organization implemented a cybersecurity policy last year.
Which of the following is the GREATEST indicator that the policy may need to be revised?
- A . A significant increase in authorized connections to third parties
- B . A significant increase in cybersecurity audit findings
- C . A significant increase in approved exceptions
- D . A significant increase in external attack attempts
C
Explanation:
The greatest indicator that the cybersecurity policy may need to be revised is a significant increase in approved exceptions. This implies that the policy is not aligned with current business needs and risks, and that it may be too restrictive or outdated. The other options are not necessarily indicators of a need for policy revision, as they may be due to other factors such as changes in the external environment or in audit scope or methodology.
Reference: CISA Review Manual (Digital Version), Chapter 5, Section 5.21
Which of the following is MOST important to review during the project initiation phase of developing and deploying a new application?
- A . User requirements
- B . User acceptance testing (UAT) plans
- C . Deployment plans
- D . Architectural design
A
Explanation:
User requirements are the foundation of any successful application. Properly defining what the application needs to do and how it should serve users is critical before moving into design or development.
Reference:
- Project Management Methodologies (Agile, Waterfall, etc.): All major methodologies emphasize the criticality of understanding user requirements during the initial project phases.
- Software Development Lifecycle (SDLC): Requirements gathering is a cornerstone of the initiation phase within the SDLC.
- ISACA Resources: While not explicitly tied to a CISA document, ISACA’s emphasis on governance and aligning IT with business objectives reinforces the importance of starting with clear user requirements.
