Practice Free CISA Exam Online Questions
The PRIMARY objective of the disaster recovery planning process is to:
- A . comply with regulatory requirements.
- B . ensure data can be recovered completely.
- C . minimize the operational interruption.
- D . align incident response time with industry best practices.
An IS auditor is conducting a post-implementation review of an enterprise resource planning (ERP)
system. End users indicated concerns with the accuracy of critical automatic calculations made by the system.
The auditor’s FIRST course of action should be to:
- A . review recent changes to the system.
- B . verify completeness of user acceptance testing (UAT).
- C . verify results to determine validity of user concerns.
- D . review initial business requirements.
C
Explanation:
The IS auditor’s first course of action should be to verify the results of the critical automatic calculations made by the system to determine the validity of user concerns. This is because the IS auditor needs to obtain sufficient and appropriate audit evidence to support the audit findings and conclusions. By verifying the results, the IS auditor can assess whether there are any errors or discrepancies in the system’s calculations that could affect the accuracy and reliability of the financial data. The IS auditor can use various techniques to verify the results, such as re-performing the calculations, comparing them with expected values, or tracing them to source documents.
Which of the following is the MOST important consideration when developing tabletop exercises
within a cybersecurity incident response plan?
- A . Ensure participants are selected from all cross-functional units in the organization.
- B . Create exercises that are challenging enough to prove inadequacies in the current incident response plan.
- C . Ensure the incident response team will have enough distractions to simulate real-life situations.
- D . Identify the scope and scenarios that are relevant to current threats faced by the organization.
Which of the following is the BEST way to verify the effectiveness of a data restoration process?
- A . Performing periodic reviews of physical access to backup media
- B . Performing periodic complete data restorations
- C . Validating offline backups using software utilities
- D . Reviewing and updating data restoration policies annually
B
Explanation:
The best way to verify the effectiveness of a data restoration process is to perform periodic complete data restorations. This is the process of transferring backup data to the primary system or data center and verifying that the restored data is accurate, complete, and functional. By performing periodic complete data restorations, the auditee can test the reliability and validity of the backup data, the functionality and performance of the restoration tools and procedures, and the compatibility and integrity of the restored data with the primary system. This will also help identify and resolve any issues or errors that may occur during the restoration process, such as corrupted or missing files, incompatible formats, or configuration problems.
Performing periodic reviews of physical access to backup media (option A) is not the best way to verify the effectiveness of a data restoration process, as it only ensures the security and availability of the backup media, not the quality or usability of the backup data. Physical access reviews are important for preventing unauthorized access, theft, damage, or loss of backup media, but they do not test the actual restoration process or verify that the backup data can be successfully restored.
Validating offline backups using software utilities (option C) is also not the best way to verify the effectiveness of a data restoration process, as it only checks the integrity and consistency of the backup data, not the functionality or compatibility of the restored data. Software utilities can help detect and correct any errors or inconsistencies in the backup data, such as checksum errors, duplicate files, or incomplete backups, but they do not test the actual restoration process or verify that the restored data can work with the primary system.
Reviewing and updating data restoration policies annually (option D) is also not the best way to verify the effectiveness of a data restoration process, as it only ensures that the policies are current and relevant, not that they are implemented and followed. Data restoration policies are important for defining roles and responsibilities, objectives and scope, standards and procedures, and metrics and reporting for the restoration process, but they do not test the actual restoration process or verify that it meets the expected outcomes.
Therefore, option B is the correct answer.
Reference: What is backup and disaster recovery? | IBM
Backup and Recovery of Data: The Essential Guide | Veritas
Database Backup and Recovery Best Practices – ISACA
The PRIMARY purpose of a vulnerability assessment in a cybersecurity program is to:
- A . Enhance the security awareness of employees and other internal stakeholders.
- B . Identify known security exposures before attackers find them.
- C . Improve the overall security posture of the organization.
- D . Protect the organization’s IT assets against external cyberthreats.
B
Explanation:
The primary purpose of vulnerability assessments is to identify known weaknesses before they can be exploited by attackers.
Option A: Security awareness is a benefit but not the main purpose.
Option C: Improving posture is an outcome, not the direct purpose.
Option D: Protection against threats is broader than vulnerability assessment.
Reference: ISACA CISA Review Manual 27th Edition, Domain 5, section on vulnerability management and assessments.
Which of the following is the MOST important consideration when establishing operational log management?
- A . Types of data
- B . Log processing efficiency
- C . IT organizational structure
- D . Log retention period
Who is responsible for defining data access permissions?
- A . IT operations manager
- B . Data owner
- C . Database administrator (DBA)
- D . Information security manager
B
Explanation:
The data owner is the individual or entity responsible for classifying, protecting, and defining access permissions to data. They ensure that only authorized personnel can access, modify, or distribute data based on business needs and regulatory requirements.
Data Owner (Correct Answer: B)
The data owner is responsible for setting user permissions based on job roles and business requirements.
According to ISACA’s CISA Review Manual and COBIT 2019, the data owner determines access levels while IT personnel enforce them.
Example: A finance department head (data owner) determines that only certain accountants should access sensitive payroll data.
IT Operations Manager (Incorrect: A)
Oversees IT infrastructure but does not define data access controls.
Database Administrator (DBA) (Incorrect: C)
Implements and enforces security settings but follows rules set by the data owner.
Information Security Manager (Incorrect: D)
Provides security guidance but does not decide specific access permissions.
Reference: ISACA CISA Review Manual
COBIT 2019 Framework
NIST 800-53 (Security and Privacy Controls for Federal Information Systems)
A new system development project is running late against a critical implementation deadline.
Which of the following is the MOST important activity?
- A . Document last-minute enhancements
- B . Perform a pre-implementation audit
- C . Perform user acceptance testing (UAT)
- D . Ensure that code has been reviewed
A
Explanation:
Performing user acceptance testing (UAT) is the most important activity before implementing a new system, as it ensures that the system meets the user requirements and expectations, and that it is free of major defects. Documenting last-minute enhancements, performing a pre-implementation audit, and ensuring that code has been reviewed are also important activities, but they are not as critical as UAT.
Reference: CISA Review Manual (Digital Version), Chapter 4, Section 4.2.2
What would be an IS auditor’s BEST recommendation upon finding that a third-party IT service provider hosts the organization’s human resources (HR) system in a foreign country?
- A . Perform background verification checks.
- B . Review third-party audit reports.
- C . Implement change management review.
- D . Conduct a privacy impact analysis.
D
Explanation:
The best recommendation for an IS auditor when finding that a third-party IT service provider hosts the organization’s HR system in a foreign country is to conduct a privacy impact analysis. A privacy impact analysis is a systematic process that identifies and evaluates the potential risks and impacts of collecting, using, disclosing, and storing personal information. A privacy impact analysis will help the IS auditor to assess the legal, regulatory, contractual, and ethical obligations of the organization and the service provider regarding the protection of personal information. A privacy impact analysis will also help to identify and mitigate any privacy risks and gaps in the service level agreement.
Reference: CISA Certification | Certified Information Systems Auditor | ISACA CISA Questions, Answers & Explanations Database
Which of the following should be the FIRST step when developing a data loss prevention (DLP) solution for a large organization?
- A . Conduct a data inventory and classification exercise.
- B . Identify approved data workflows across the enterprise.
- C . Conduct a threat analysis against sensitive data usage.
- D . Create the DLP policies and templates.
A
Explanation:
The first step when developing a DLP solution for a large organization is to conduct a data inventory and classification exercise. This step involves identifying and locating all the data assets that the organization owns, generates, or handles, and assigning them to different categories based on their sensitivity, value, and regulatory requirements [1]. Data inventory and classification is essential for DLP because it helps to determine the scope and objectives of the DLP solution, as well as the appropriate level of protection and monitoring for each data category [2]. Data inventory and classification also enables the organization to prioritize its DLP efforts based on the risk and impact of data loss or leakage [3].
Option B is not correct because identifying approved data workflows across the enterprise is a subsequent step after conducting data inventory and classification. Data workflows are the processes and channels through which data are created, stored, accessed, shared, or transmitted within or outside the organization [4]. Identifying approved data workflows helps to define the normal and legitimate use of data, as well as to detect and prevent unauthorized or anomalous data activities [5]. However, before identifying approved data workflows, the organization needs to know what data it has and how it should be classified.
Option C is not correct because conducting a threat analysis against sensitive data usage is another subsequent step after conducting data inventory and classification. Threat analysis is the process of identifying and assessing the potential sources, methods, and impacts of data loss or leakage incidents. Threat analysis helps to design and implement effective DLP controls and countermeasures based on the risk profile of each data category. However, before conducting threat analysis, the organization needs to know what data it has and how it should be classified.
Option D is not correct because creating the DLP policies and templates is the final step after conducting data inventory and classification, identifying approved data workflows, and conducting threat analysis. DLP policies and templates are the rules and configurations that specify how the DLP solution should monitor, detect, report, and respond to data loss or leakage events. DLP policies and templates should be aligned with the organization’s business needs, regulatory obligations, and risk appetite. However, before creating the DLP policies and templates, the organization needs to know what data it has, how it should be classified, how it should be used, and what threats it faces.
Reference: [1] Data Inventory & Classification: The First Step in Data Protection
[2] Data Classification: What It Is And Why You Need It
[3] How to Prioritize Your Data Loss Prevention Strategy in 2020
[4] What Is Data Workflow? Definition & Examples
[5] How to Identify Data Workflows for Your Business
Threat Analysis: A Comprehensive Guide for Beginners
How to Conduct a Threat Assessment for Your Business
What Is Data Loss Prevention (DLP)? Definition & Examples
How to Create Effective Data Loss Prevention Policies
