Practice Free CISA Exam Online Questions
An organization wants to classify database tables according to its data classification scheme. From an IS auditor’s perspective, the tables should be classified based on the:
- A . specific functional contents of each single table.
- B . frequency of updates to the table.
- C . descriptions of column names in the table.
- D . number of end users with access to the table.
Which of the following will invalidate the authenticity of digital evidence in a forensic investigation?
- A . The investigator installed forensic software on the original drive that contained the evidence.
- B . A software write blocker was used in the collection of the evidence.
- C . The investigator collected the evidence while the machine was still powered on.
- D . The evidence was collected from analysis of a copy of the disk data.
Which of the following is the MOST important consideration for patching mission critical business application servers against known vulnerabilities?
- A . Patches are implemented in a test environment prior to rollout into production.
- B . Network vulnerability scans are conducted after patches are implemented.
- C . Vulnerability assessments are periodically conducted according to defined schedules.
- D . Roles and responsibilities for implementing patches are defined.
A
Explanation:
The most important consideration for patching mission critical business application servers against known vulnerabilities is A. Patches are implemented in a test environment prior to rollout into production. This is because patching mission critical business application servers involves a high level of risk and complexity, and requires careful planning and testing before applying the patches to the live environment. Patches may introduce new bugs, errors, or conflicts that could affect the functionality, performance, or security of the application servers, and cause system downtime, data loss, or business disruption [1]. Therefore, it is essential to implement patches in a test environment first, where the patches can be verified and validated for their effectiveness and compatibility, and any issues or defects can be identified and resolved before they impact the production environment [2].
Which of the following is the PRIMARY benefit of implementing an IT capacity management process?
- A . Ensuring infrastructure meets current performance requirements
- B . Enabling rapid deployment of new software applications
- C . Helping resolve significant security concerns
- D . Reducing the cost and time to implement IT services
A
Explanation:
The primary purpose of IT capacity management is to ensure that IT infrastructure can meet current and future performance requirements in a cost-effective manner.
Option A is correct because it directly relates to capacity management goals.
Option B (rapid deployment) relates more to change management.
Option C (security concerns) is outside the scope of capacity management.
Option D (reducing cost/time) may be a secondary benefit but not the primary objective.
Reference: ISACA, CISA Review Manual, 27th Edition, Domain 2, section on capacity management and IT service performance.
An IS auditor is reviewing the system development practices of an organization that is about to move from a Waterfall to an Agile approach.
Which of the following is MOST important for the auditor to focus on as a result of this move?
- A . Secure code review
- B . Release management
- C . Capacity planning
- D . Code documentation
Which of the following BEST contributes to the quality of an audit of a business-critical application?
- A . Assigning the audit to independent external auditors
- B . Reviewing previous findings reported by the application owner
- C . Identifying common coding errors made by the development team
- D . Involving the application owner early in the audit planning process
D
Explanation:
Involving the application owner early in the audit planning process is the best way to contribute to the quality of an audit of a business-critical application. The application owner has a deep understanding of the application and its business context, which can provide valuable insights for the audit. Early involvement can also help ensure that the audit is aligned with the business objectives and risks, and that any potential issues are identified and addressed promptly [1][2].
References:
- Business Critical Applications: An In-Depth Look
- Framework for Audit Quality – IFAC
Which of the following testing methods is MOST appropriate for assessing whether system integrity has been maintained after changes have been made?
- A . Regression testing
- B . Unit testing
- C . Integration testing
- D . Acceptance testing
A
Explanation:
Regression testing is the most appropriate testing method for assessing whether system integrity has been maintained after changes have been made. Regression testing is a type of software testing that ensures that previously developed and tested software still performs as expected after a change [1]. Regression testing helps to detect any defects or errors that may have been introduced or uncovered due to the change [2]. Regression testing can be performed at different levels of testing, such as unit, integration, system, and acceptance [3].
Unit testing is a type of software testing that verifies the functionality of individual components or units of code. Unit testing is usually performed by developers before integrating the code with other components. Unit testing helps to identify and fix errors at an early stage of development, but it does not ensure that the system as a whole works as expected after a change.
Integration testing is a type of software testing that verifies the functionality, performance, and reliability of the interactions between different components or units of code. Integration testing is usually performed after unit testing and before system testing. Integration testing helps to identify and fix errors that may occur when different components are integrated, but it does not ensure that the system as a whole works as expected after a change.
Acceptance testing is a type of software testing that verifies whether the system meets the user requirements and expectations. Acceptance testing is usually performed by end-users or customers after system testing and before deploying the system to production. Acceptance testing helps to ensure that the system delivers the desired value and quality to the users, but it does not ensure that the system as a whole works as expected after a change.
References:
- 1: What is Regression Testing? Test Cases (Example) – Guru99
- 2: What is Regression Testing? Definition, Tools, Examples – Katalon
- 3: Regression testing – Wikipedia
- What is Unit Testing? Definition, Types, Tools & Examples – Guru99
- What is Integration Testing? Definition, Types, Tools & Examples – Guru99
- What is Acceptance Testing? Definition, Types, Tools & Examples – Guru99
Which of the following threats is mitigated by a firewall?
- A . Intrusion attack
- B . Asynchronous attack
- C . Passive assault
- D . Trojan horse
Which type of attack targets security vulnerabilities in web applications to gain access to data sets?
- A . Denial of service (DOS)
- B . SQL injection
- C . Phishing attacks
- D . Rootkits
B
Explanation:
A SQL injection attack is a type of attack that targets security vulnerabilities in web applications to gain access to data sets. A SQL injection attack exploits a flaw in the web application code that allows an attacker to inject malicious SQL statements into the input fields or parameters of the web application. These SQL statements can then execute on the underlying database server and manipulate or retrieve sensitive data from the database. A SQL injection attack can result in data theft, data corruption, unauthorized access, denial of service, or even complete takeover of the database server. A denial of service (DOS) attack is a type of attack that aims to disrupt the availability or functionality of a web application or a network service by overwhelming it with excessive requests or traffic. A phishing attack is a type of attack that uses deceptive emails or websites to trick users into revealing their personal or financial information or credentials. A rootkit is a type of malware that hides itself from detection and grants unauthorized access or control over a compromised system.
Reference: IS Audit and Assurance Tools and Techniques, CISA Certification | Certified Information Systems Auditor | ISACA
Which of the following is the MOST important responsibility of user departments associated with program changes?
- A . Providing unit test data
- B . Analyzing change requests
- C . Updating documentation to reflect latest changes
- D . Approving changes before implementation
D
Explanation:
The most important responsibility of user departments associated with program changes is approving changes before implementation. This is because user departments are the primary stakeholders and beneficiaries of the program changes, and they need to ensure that the changes meet their requirements, expectations, and objectives. User departments also need to approve the changes before implementation to avoid unauthorized, unnecessary, or erroneous changes that could affect the functionality, performance, or security of the program.
Providing unit test data is a responsibility of user departments associated with program changes, but it is not the most important one. Unit test data is used to verify that the individual components of the program work as expected after the changes. However, unit test data alone cannot guarantee that the program as a whole works correctly, or that the changes are aligned with the user departments’ needs.
Analyzing change requests is a responsibility of user departments associated with program changes, but it is not the most important one. Analyzing change requests is the process of evaluating the feasibility, necessity, and impact of the proposed changes. However, analyzing change requests does not ensure that the changes are implemented correctly, or that they are acceptable to the user departments.
Updating documentation to reflect latest changes is a responsibility of user departments associated with program changes, but it is not the most important one. Updating documentation is the process of maintaining accurate and complete records of the program’s specifications, features, and functions after the changes. However, updating documentation does not ensure that the changes are effective, or that they are approved by the user departments.
References:
- ISACA, CISA Review Manual, 27th Edition, 2019, p. 281
- ISACA, CISA Review Questions, Answers & Explanations Database – 12 Month Subscription
