Practice Free CISA Exam Online Questions
Which of the following is the MOST significant risk to an organization migrating its onsite application servers to a public cloud service provider?
- A . Service provider access to organizational data
- B . Account hacking from other clients using the same provider
- C . Increased dependency on an external provider
- D . Service provider limiting the right to audit
A
Explanation:
The biggest risk in a cloud migration is data security, specifically unauthorized access to organizational data by the cloud provider itself.
Option A (Correct): The cloud provider manages and stores the organization's data, so a breach, an insider threat, or improper access on the provider's side poses the major risk. Proper encryption and access controls (including who holds the encryption keys) are critical.
Option B (Incorrect): Multi-tenancy risks exist, but cloud providers typically implement strong isolation mechanisms between clients.
Option C (Incorrect): Increased dependency on the provider is a concern, but its impact depends on service agreements and redundancy measures.
Option D (Incorrect): Limiting the right to audit is a compliance issue; data security risks are more critical.
Reference: ISACA CISA Review Manual, Domain 5: Protection of Information Assets, which covers cloud computing risks and security considerations.
Which of the following is the PRIMARY function of a data loss prevention (DLP) policy when implemented in an organization’s DLP solution?
- A . To encrypt sensitive data at rest and in transit
- B . To define rules for monitoring and protecting sensitive data
- C . To define rules and baselines for network performance
- D . To detect and block incoming network traffic
While reviewing the effectiveness of an incident response program, an IS auditor notices a high number of reported incidents involving malware originating from removable media found by employees.
Which of the following is the MOST appropriate recommendation to management?
- A . Restrict access to removable media ports on company devices.
- B . Install an additional antivirus program to increase protection.
- C . Ensure the antivirus program contains up-to-date signature files for all company devices.
- D . Implement an organization-wide removable media policy.
Which of the following is the MOST important outcome of an information security program?
- A . Operating system weaknesses are more easily identified.
- B . Emerging security technologies are better understood and accepted.
- C . The cost to mitigate information security risk is reduced.
- D . Organizational awareness of security responsibilities is improved.
D
Explanation:
The most important outcome of an information security program is improved organizational awareness of security responsibilities, because this fosters a culture of security and ensures that all stakeholders know their roles and obligations in protecting the organization's information assets. An information security program should also aim for other outcomes, such as identifying operating system weaknesses, understanding and accepting emerging security technologies, and reducing the cost of mitigating information security risk, but these are not as important as awareness of security responsibilities, which is the foundation of any effective information security program.
Reference: According to the ISACA IT Audit and Assurance Standards, Guidelines and Tools and Techniques for IS Audit and Assurance Professionals, section 2402 Planning, "The IS audit and assurance professional should identify and assess risk relevant to the area under review." [1] One of the risk factors to consider is "the level of awareness of management and staff regarding IT risk management" [1]. According to the ISACA IT Audit and Assurance Guideline G13 Information Security Management, "The objective of an information security management audit/assurance review is to provide management with an independent assessment relating to the effectiveness of information security management within the enterprise." The guideline also states that "the audit/assurance professional should evaluate whether there is an appropriate level of awareness throughout the enterprise regarding information security policies, standards, procedures and guidelines." According to a Microsoft Security article, "Information security programs need to: … Support the execution of decisions." [2] One way to support the execution of decisions is to ensure that everyone in the organization understands their security responsibilities and follows the security policies and procedures.
While conducting a follow-up on an asset management audit, the IS auditor finds paid invoices for IT devices not recorded in the organization’s inventory.
Which of the following is the auditor’s BEST course of action?
- A . Ask the asset management staff where the devices are.
- B . Alert both audit and operations management about the discrepancy.
- C . Ignore the invoices since they are not part of the follow-up.
- D . Make a note of the evidence to include it in the scope of a future audit.
A global organization’s policy states that all workstations must be scanned for malware each day.
Which of the following would provide an IS auditor with the BEST evidence of continuous compliance with this policy?
- A . Penetration testing results
- B . Management attestation
- C . Anti-malware tool audit logs
- D . Recent malware scan reports
C
Explanation:
Anti-malware tool audit logs provide the best evidence of continuous compliance with a policy requiring every workstation to be scanned for malware each day. These logs record the activities and events of the anti-malware software installed on each workstation, such as scan schedules, scan results, signature updates, alerts, and actions taken [1]. With them the IS auditor can verify that the software is functioning, that scans are completed every day on every in-scope workstation, and that any malware incidents are detected and resolved in a timely manner [2]. They also reveal gaps in the policy or its implementation (a workstation that never reports, scans that start but never complete, or machines missing from the inventory) and support recommendations for improvement [3]. For the logs to stand as audit evidence they should be collected centrally from every workstation, retained for the whole review period, and protected from modification, so that the auditor can test every workstation-day against the asset inventory rather than rely on a console summary produced by the tool.
The other options are weaker evidence of continuous compliance. Penetration testing results show the vulnerabilities and risks of the workstations and network from an external or internal attacker's perspective [4]; they help assess the organization's security posture and resilience, but say nothing about whether the daily anti-malware scans ran or what they found. Management attestation is a statement from management that they have complied with the anti-malware policy [5]; it demonstrates commitment and accountability, but it is not objective or verifiable evidence. Recent malware scan reports summarize the latest scans performed on the workstations; they indicate the current status and performance of the anti-malware software at a point in time, but not historical or comprehensive compliance over the period.
References:
1. Malwarebytes Anti-Malware (MBAM) log collection and threat reports …
2. Malicious Behavior Detection using Windows Audit Logs
3. PCI Requirement 5.2: Ensure all Anti-Virus Mechanisms are Current …
4. Management Attestation, an overview (ScienceDirect Topics)
5. How to Read a Malware Scan Report (Techwalla)
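The following is an added example of the evidence test an auditor would run over those logs; it is not from the CISA Review Manual or any anti-malware vendor. The log format, hostnames, dates and the in-scope inventory are constructed for illustration. The point it makes that the explanation above only states in words: only a completed scan counts, the population comes from the asset inventory rather than from the logs, and a workstation that never logs is an exception for every day, not a pass.

```python
import re
from datetime import date, timedelta

# Constructed sample of anti-malware audit log lines in a hypothetical format:
#   <UTC timestamp> host=<workstation> event=<scan_started|scan_complete|scan_failed> ...
# WS-002's scan on 2024-03-04 fails, and WS-002 logs nothing at all on 2024-03-06.
SAMPLE_LOG = """\
2024-03-04T02:10:02Z host=WS-001 event=scan_started type=full
2024-03-04T02:41:55Z host=WS-001 event=scan_complete type=full result=clean
2024-03-04T02:10:04Z host=WS-002 event=scan_started type=full
2024-03-04T02:22:10Z host=WS-002 event=scan_failed type=full reason=timeout
2024-03-05T02:10:03Z host=WS-001 event=scan_started type=full
2024-03-05T02:39:47Z host=WS-001 event=scan_complete type=full result=infected threats=1
2024-03-05T02:10:05Z host=WS-002 event=scan_started type=full
2024-03-05T02:40:12Z host=WS-002 event=scan_complete type=full result=clean
2024-03-06T02:10:01Z host=WS-001 event=scan_started type=full
2024-03-06T02:40:30Z host=WS-001 event=scan_complete type=full result=clean
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\d{2}:\d{2}:\d{2}Z\s+host=(?P<host>\S+)\s+event=(?P<event>\S+)"
)


def parse_completed_scans(log_text):
    """Return the set of (host, date) pairs that have a logged scan_complete event.

    Only a completed scan is evidence of compliance; scan_started, scan_failed
    and malformed lines are deliberately not counted.
    """
    done = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("event") == "scan_complete":
            done.add((m.group("host"), date.fromisoformat(m.group("day"))))
    return done


def missed_scan_days(log_text, in_scope_hosts, start_iso, end_iso):
    """Return sorted [(host, 'YYYY-MM-DD')] workstation-days with no completed scan.

    The population is every in-scope workstation for every day of the review
    period, taken from the asset inventory rather than from the logs, so a
    workstation that never logs is reported for every day instead of vanishing.
    """
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    done = parse_completed_scans(log_text)
    days = [start + timedelta(days=i) for i in range((end - start).days + 1)]
    return sorted(
        (host, day.isoformat())
        for host in in_scope_hosts
        for day in days
        if (host, day) not in done
    )


def compliance_rate(log_text, in_scope_hosts, start_iso, end_iso):
    """Fraction of workstation-days in the review period with a completed scan."""
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    total = len(in_scope_hosts) * ((end - start).days + 1)
    missed = len(missed_scan_days(log_text, in_scope_hosts, start_iso, end_iso))
    return (total - missed) / total


if __name__ == "__main__":
    # WS-003 is in the (constructed) asset inventory but appears nowhere in the logs.
    inventory = ["WS-001", "WS-002", "WS-003"]
    for host, day in missed_scan_days(SAMPLE_LOG, inventory, "2024-03-04", "2024-03-06"):
        print(f"EXCEPTION: {host} has no completed scan on {day}")
    print(f"compliance: {compliance_rate(SAMPLE_LOG, inventory, '2024-03-04', '2024-03-06'):.1%}")
```

On the sample data the test reports five exceptions (WS-002 on the 4th and 6th, WS-003 on all three days) and a compliance rate of 4 of 9 workstation-days. A scan report or console summary would show only the machines that did report; it is the cross-check against the inventory over the whole period that turns the logs into evidence of continuous compliance.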
One advantage of managing an entire collection of projects as a portfolio is that it highlights the need to:
- A . Inform users about all ongoing projects.
- B . Manage the quality of each project.
- C . Identify dependencies between projects.
- D . Manage the risk of each individual project.
C
Explanation:
Managing projects as a portfolio allows an organization to oversee and coordinate multiple projects collectively. This approach provides a holistic view, enabling the identification of interdependencies among projects. Recognizing these dependencies is crucial for resource allocation, scheduling, and achieving strategic objectives. While informing users, managing quality, and addressing individual project risks are important, they are typically handled within the scope of each project. The unique advantage of portfolio management lies in its ability to identify and manage relationships and dependencies across multiple projects, ensuring that the portfolio aligns with the organization’s strategic goals.
Reference: ISACA CISA Review Manual, 28th Edition, Chapter 3: Information Systems Acquisition, Development, and Implementation.
Which of the following would be MOST effective to protect information assets in a data center from theft by a vendor?
- A . Monitor and restrict vendor activities
- B . Issue an access card to the vendor.
- C . Conceal data devices and information labels
- D . Restrict use of portable and wireless devices.
A
Explanation:
The most effective control to protect information assets in a data center from theft by a vendor is to monitor and restrict vendor activities. A vendor may have legitimate access to the data center for maintenance or support purposes, but they may also have malicious intentions or be compromised by an attacker. By monitoring and restricting vendor activities, the organization can ensure that the vendor only performs authorized tasks and does not access or tamper with sensitive data or equipment. Issuing an access card to the vendor, concealing data devices and information labels, and restricting use of portable and wireless devices are also useful controls, but they are not as effective as monitoring and restricting vendor activities in preventing theft by a vendor.
Reference: CISA Review Manual, 27th Edition, page 3381
CISA Review Questions, Answers & Explanations Database – 12 Month Subscription
Which of the following is the MOST important consideration when defining an operational log management strategy?
- A . Audit recommendations
- B . Industry benchmarking
- C . Event response procedures
- D . Stakeholder requirements
D
Explanation:
The most important consideration when defining an operational log management strategy is understanding and meeting stakeholder requirements. This ensures that the strategy aligns with organizational needs and regulatory requirements, providing relevant and actionable information for security and compliance.
Reference: ISACA CISA Review Manual, 27th Edition, pages 273-274 (Log Management)
