Practice Free CISA Exam Online Questions
An IS auditor is evaluating an organization’s IT strategy and plans.
Which of the following would be of GREATEST concern?
- A . There is not a defined IT security policy.
- B . The business strategy meeting minutes are not distributed.
- C . IT is not engaged in business strategic planning.
- D . There is inadequate documentation of IT strategic planning.
C
Explanation:
The greatest concern for an IS auditor when evaluating an organization’s IT strategy and plans is that IT is not engaged in business strategic planning, as this indicates a lack of alignment between IT and business objectives, which could result in inefficient and ineffective use of IT resources and capabilities. The absence of a defined IT security policy, the nondistribution of business strategy meeting minutes, and the inadequate documentation of IT strategic planning are also issues that should be addressed by an IS auditor, but they are not as significant as IT’s noninvolvement in business strategic planning.
Reference: CISA Review Manual (Digital Version), Chapter 3, Section 3.1
Which of the following BEST protects evidence in a forensic investigation?
- A . Imaging the affected system
- B . Powering down the affected system
- C . Protecting the hardware of the affected system
- D . Rebooting the affected system
A
Explanation:
Imaging the affected system is the best way to protect evidence in a forensic investigation, because it creates a bit-by-bit copy of the original data that can be analyzed without altering or compromising the original source. Imaging preserves the integrity and authenticity of the evidence and allows for verification and validation of the results [3][4]. Powering down or rebooting the affected system can cause data loss or corruption, while protecting the hardware does not prevent unauthorized access or tampering with the software or data.
Reference: [3] CISA Review Manual (Digital Version), Chapter 6, Section 6.4.1; [4] CISA Online Review Course, Module 6, Lesson 4
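The verification step the explanation mentions is normally done by hashing the source and the image and comparing the digests. The following is an added example (not from the CISA manual or the original page) that copies a constructed sample "disk" file byte-for-byte, hashes both sides with SHA-256, and re-checks the image later so a verifier can tell whether it has been altered since acquisition. File names and the sample content are made up for the example.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 16  # 64 KiB blocks: an image can be far larger than memory


def sha256_of_file(path: str) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_and_verify(source: str, image: str) -> dict:
    """Copy `source` to `image` block by block, opening the source read-only,
    then hash both files and report whether the copy matches the original."""
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    src_hash = sha256_of_file(source)
    img_hash = sha256_of_file(image)
    return {
        "source_sha256": src_hash,
        "image_sha256": img_hash,
        "verified": src_hash == img_hash,
    }


def reverify(image: str, expected_sha256: str) -> bool:
    """Later check: does the stored image still hash to the value recorded
    at acquisition time? False means the image was altered or corrupted."""
    return sha256_of_file(image) == expected_sha256


def demo() -> dict:
    """Constructed sample: 10240 bytes written to a temp file stand in for
    the evidence drive; the image is taken, verified, then deliberately
    modified to show that re-verification catches the change."""
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "evidence.bin")   # hypothetical source
        image = os.path.join(d, "evidence.dd")     # hypothetical image file
        with open(source, "wb") as f:
            f.write(bytes(range(256)) * 40)        # constructed content
        result = image_and_verify(source, image)
        result["image_size"] = os.path.getsize(image)
        result["reverify_intact"] = reverify(image, result["source_sha256"])
        # Flip one byte in the image: the recorded hash no longer matches.
        with open(image, "r+b") as f:
            f.seek(100)
            f.write(b"\xff")
        result["reverify_after_tamper"] = reverify(image, result["source_sha256"])
        return result


if __name__ == "__main__":
    print(demo())
```

On a real acquisition the source would be opened through a write blocker and the digests recorded in the chain-of-custody notes; the comparison logic is the same.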
A senior auditor is reviewing work papers prepared by a junior auditor indicating that a finding was removed after the auditee said they corrected the problem.
Which of the following is the senior auditor's MOST appropriate course of action?
- A . Ask the auditee to retest
- B . Approve the work papers as written
- C . Have the finding reinstated
- D . Refer the issue to the audit director
C
Explanation:
The senior auditor’s most appropriate course of action is to have the finding reinstated, because the auditee’s claim of correcting the problem is not sufficient evidence to support the removal of the finding. The auditor should verify that the corrective action has been implemented effectively and that it has resolved the underlying issue or risk. The auditor should also document the evidence and results of the verification in the work papers. The other options are not appropriate, because they either accept the auditee’s claim without verification, delegate the responsibility to the auditee, or escalate the issue unnecessarily.
Reference: ISACA, CISA Review Manual, 27th Edition, chapter 1, section 1.5
ISACA, IT Audit and Assurance Standards, Guidelines and Tools and Techniques for IS Audit and Assurance Professionals, section 1206
An IS auditor discovers a box of hard drives in a secured location that are overdue for physical destruction. The vendor responsible for this task was never made aware of these hard drives.
Which of the following is the BEST course of action to address this issue?
- A . Examine the workflow to identify gaps in asset-handling responsibilities.
- B . Escalate the finding to the asset owner for remediation.
- C . Recommend the drives be sent to the vendor for destruction.
- D . Evaluate the corporate asset-handling policy for potential gaps.
A
Explanation:
The issue seems to stem from a breakdown in the workflow or process for handling assets that are due for destruction. By examining the workflow, the IS auditor can identify where the process failed, such as why the vendor was not notified about the hard drives. This could involve reviewing procedures for inventory management, communication with vendors, and tracking of assets due for destruction. The findings can then be used to improve the workflow and prevent similar issues in the future.
Reference: How To Properly Destroy A Hard Drive – Tech News Today
How to safely and securely destroy hard disk data – iFixit
Which of the following is the MOST important reason for an organization to automate data purging?
- A . Protection against privacy breaches
- B . Storage cost reduction
- C . Disaster recovery planning
- D . Ransomware protection
Which of the following will MOST likely compromise the control provided by a digital signature created using RSA encryption?
- A . Reversing the hash function using the digest
- B . Altering the plaintext message
- C . Deciphering the receiver’s public key
- D . Obtaining the sender’s private key
D
Explanation:
A digital signature is a cryptographic technique that verifies the authenticity and integrity of a message or document, by using a hash function and an asymmetric encryption algorithm. A hash function is a mathematical function that transforms any input data into a fixed-length output value called a digest, which is unique for each input. An asymmetric encryption algorithm uses two keys: a public key and a private key. The public key can be shared with anyone, while the private key must be kept secret by the owner. To create a digital signature, the sender first applies a hash function to the plaintext message to generate a digest. Then, the sender encrypts the digest with their private key to produce the digital signature. To verify the digital signature, the receiver decrypts the digital signature with the sender’s public key to obtain the digest. Then, the receiver applies the same hash function to the plaintext message to generate another digest. If the two digests match, it means that the message has not been altered and that it came from the sender. The security of a digital signature depends on the secrecy of the sender’s private key. If an attacker obtains the sender’s private key, they can create fake digital signatures for any message they want, thus compromising the control provided by the digital signature. Reversing the hash function using the digest is not possible, as hash functions are designed to be one-way functions that cannot be inverted. Altering the plaintext message will result in a different digest after applying the hash function, which will not match with the decrypted digest from the digital signature, thus invalidating the digital signature. Deciphering the receiver’s public key is not relevant, as public keys are meant to be publicly available and do not affect the security of digital signatures.
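The sign/verify flow described above, as an added example that is not part of the original page: textbook RSA with SHA-256, using constructed Mersenne-prime parameters that are small enough to run instantly but large enough that a changed message will not collide. It omits the padding scheme (RSASSA-PSS or PKCS#1 v1.5) that real implementations require, so it illustrates the mechanism only. The last check shows the page's point directly: whoever holds the private key produces signatures the verifier accepts, so the control rests entirely on that key's secrecy.

```python
import hashlib

# Constructed parameters: two Mersenne primes give a ~92-bit modulus.
# Real keys are 2048 bits or more; this is for illustration only.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537                 # standard public exponent, coprime to PHI here
D = pow(E, -1, PHI)       # private exponent: D * E == 1 (mod PHI)

PUBLIC_KEY = (N, E)       # shared with anyone
PRIVATE_KEY = (N, D)      # must stay secret with the signer


def digest(message: bytes, n: int) -> int:
    """SHA-256 of the message, reduced into the RSA group (toy step:
    a padded encoding would be used instead of 'mod n' in practice)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key: tuple) -> int:
    """Signer side: hash the plaintext, then apply the private exponent."""
    n, d = private_key
    return pow(digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key: tuple) -> bool:
    """Verifier side: recover the digest with the public exponent and
    compare it with a fresh digest of the message actually received."""
    n, e = public_key
    return pow(signature, e, n) == digest(message, n)


def check_properties() -> dict:
    """Exercise the three cases the explanation discusses."""
    original = b"Pay 100 to account 42"       # constructed message
    altered = b"Pay 1000 to account 42"       # constructed tampered copy
    sig = sign(original, PRIVATE_KEY)

    # A key that leaked: same value as PRIVATE_KEY, held by someone else.
    leaked_private_key = PRIVATE_KEY
    forged = sign(b"Pay 999 to account 7", leaked_private_key)

    return {
        "genuine_verifies": verify(original, sig, PUBLIC_KEY),
        "altered_message_verifies": verify(altered, sig, PUBLIC_KEY),
        "forged_with_leaked_key_verifies": verify(
            b"Pay 999 to account 7", forged, PUBLIC_KEY
        ),
    }


if __name__ == "__main__":
    print(check_properties())
```

Nothing in the verifier can distinguish the forged signature from a genuine one, which is why key compromise, not message tampering, defeats the control: tampering is caught by the digest comparison, whereas a leaked private key produces signatures that pass it.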
What is the PRIMARY reason for an organization to classify the data stored on its internal networks?
- A . To determine data retention policy
- B . To implement data protection requirements
- C . To comply with the organization’s data policies
- D . To follow industry best practices
B
Explanation:
The primary reason for an organization to classify the data stored on its internal networks is to implement data protection requirements. Data classification helps organizations understand what data they have, its characteristics, and what security and privacy requirements it needs to meet so that the necessary protections can be achieved. While determining data retention policy, complying with the organization’s data policies, and following industry best practices are important aspects of data classification, they are secondary to the fundamental requirement of implementing data protection requirements.
Reference: What Is Data Classification & Why Is It Important? ― RiskOptics
Data Classification Policy: Definition, Examples, & Free Template – Hyperproof
Data Classification Policy: Benefits, Examples, and Techniques – Satori
What is a Data Classification Policy? – Digital Guardian
Data Classification and Practices – NIST
Data Classification as a Catalyst for Data Retention and Archiving …
What is data classification? – Cloud Adoption Framework
Data Classification – Data Security Policies | ITS Policies …
IMPLEMENTING DATA CLASSIFICATION PRACTICES – NIST
Best Practices for Data Classification | Forcepoint
An IS auditor learns that an in-house system development life cycle (SDLC) project has not met user specifications.
The auditor should FIRST examine requirements from which of the following phases?
- A . Configuration phase
- B . User training phase
- C . Quality assurance (QA) phase
- D . Development phase
C
Explanation:
The quality assurance (QA) phase is the phase where the IS auditor should first examine requirements from an in-house SDLC project that has not met user specifications. This is because the QA phase is the phase where the system is tested and verified against the user specifications and the design specifications to ensure that it meets the functional and non-functional requirements, as well as the quality standards and expectations. The QA phase involves various testing activities, such as unit testing, integration testing, system testing, acceptance testing, performance testing, security testing, etc., to identify and resolve any defects, errors, or deviations from the specifications.
The configuration phase is not the phase where the IS auditor should first examine requirements from an in-house SDLC project that has not met user specifications. The configuration phase is the phase where the system is installed and configured on the target environment, such as hardware, software, network, etc., to prepare it for deployment and operation. The configuration phase may involve activities such as installation, customization, migration, integration, etc., to ensure that the system is compatible and interoperable with the existing infrastructure and systems.
The user training phase is not the phase where the IS auditor should first examine requirements from an in-house SDLC project that has not met user specifications. The user training phase is the phase where the end-users are trained and educated on how to use the system effectively and efficiently. The user training phase may involve activities such as developing training materials, conducting training sessions, providing feedback and support, etc., to ensure that the users are familiar and comfortable with the system features and functions.
The development phase is not the phase where the IS auditor should first examine requirements from an in-house SDLC project that has not met user specifications. The development phase is the phase where the system is coded and built based on the design specifications and the user specifications. The development phase may involve activities such as programming, debugging, documenting, etc., to create a working prototype or a final product of the system.
Which of the following BEST enables an organization to improve the visibility of end-user computing (EUC) applications that support regulatory reporting?
- A . EUC inventory
- B . EUC availability controls
- C . EUC access control matrix
- D . EUC tests of operational effectiveness
A
Explanation:
The best way to improve the visibility of end-user computing (EUC) applications that support regulatory reporting is to maintain an EUC inventory, as this provides a comprehensive and up-to-date list of all EUC applications, their owners, their locations, their purposes, and their dependencies. An EUC inventory can help identify and manage the risks associated with EUC applications, such as data quality, security, compliance, and continuity. EUC availability controls, EUC access control matrix, and EUC tests of operational effectiveness are important for ensuring the reliability and security of EUC applications, but they do not improve the visibility of EUC applications as much as an EUC inventory.
Reference: CISA Review Manual (Digital Version), Chapter 3: Information Systems Acquisition, Development and Implementation, Section 3.4: End-user Computing
Which of the following issues associated with a data center’s closed-circuit television (CCTV) surveillance cameras should be of MOST concern to an IS auditor?
- A . CCTV recordings are not regularly reviewed.
- B . CCTV cameras are not installed in break rooms.
- C . CCTV records are deleted after one year.
- D . CCTV footage is not recorded 24 x 7.
A
Explanation:
The most concerning issue associated with a data center’s CCTV surveillance cameras is that the recordings are not regularly reviewed. This means that any unauthorized access, theft, vandalism, or other security incidents may go unnoticed and unreported. CCTV recordings are a valuable source of evidence and deterrence for data center security, and they should be monitored and audited periodically to ensure compliance with policies and regulations. If the recordings are not reviewed, the data center may face legal, financial, or reputational risks in case of a security breach or an audit failure.
The other options are less concerning because they do not directly affect the security of the data center. CCTV cameras are not required to be installed in break rooms, as they are not critical areas for data protection. CCTV records can be deleted after one year, as long as they comply with the data retention policy of the organization and the applicable laws. CCTV footage does not need to be recorded 24 x 7, as long as there is sufficient coverage of the data center during operational hours and when access is granted to authorized personnel.
Reference: ISACA Journal Article: Physical security of a data center
Data Center Security: Checklist and Best Practices | Kisi
Video Surveillance Best Practices | Taylored Systems
