CISA Practice Exam Questions and Answers

A.  

Risk acceptance

B.  

Risk mitigation

C.  

Risk transference

D.  

Risk reduction

A.  

It increases an organization's ability to retain staff who prefer to work with new technology.

B.  

It improves vendor support and training.

C.  

It enhances security and confidentiality.

D.  

It enables an organization to gain familiarity with new products and their functionality.

A.  

Source code review

B.  

Parallel simulation using audit software

C.  

Manual verification of a sample of the results

D.  

Review of the quality assurance (QA) test results

A.  

Perform correlation analysis between incidents and investments.

B.  

Downgrade security controls on low-risk systems.

C.  

Introduce automated security monitoring tools.

D.  

Re-evaluate the organization's risk and control framework.

A.  

Interview the application developer.

B.  

Obtain management attestation and sign-off.

C.  

Review the application implementation documents.

D.  

Review system configuration parameters and output.

A.  

posting to the wrong record.

B.  

incomplete processing.

C.  

improper backup.

D.  

improper authorization.

A.  

System interface testing

B.  

user acceptance testing (IJAT)

C.  

Validation checks

D.  

Audit logs

A.  

Percentage of new hires that have completed the training.

B.  

Number of new hires who have violated enterprise security policies.

C.  

Number of reported incidents by new hires.

D.  

Percentage of new hires who report incidents

A.  

Business interruption due to remediation

B.  

IT budgeting constraints

C.  

Availability of responsible IT personnel

D.  

Risk rating of original findings

A.  

There is no change management process defined in the contract.

B.  

There are no procedures for incident escalation.

C.  

There is no dispute resolution process defined in the contract.

D.  

There is no right-to-audit clause defined in the contract.

A.  

Compliance costs are reduced.

B.  

Risks are detected earlier.

C.  

Business owners can focus more on their core roles.

D.  

Line management is more motivated to avoid control exceptions.

A.  

Implementation plan for restricting the collection of personal information

B.  

Privacy legislation in other countries that may contain similar requirements

C.  

Operational plan for achieving compliance with the legislation

D.  

Analysis of systems that contain privacy components

A.  

Audit risk

B.  

Consideration of risks

C.  

Assessment of prior audits

D.  

Business strategy

A.  

Demilitarized zone (DMZ)

B.  

Heuristic intrusion detection system (IDS)

C.  

Real-time updating of antivirus software

D.  

Signature-based intrusion detection system (IDS)

A.  

It demonstrates the maturity of the incident response program.

B.  

It reduces the likelihood of an incident occurring.

C.  

It identifies deficiencies in the operating environment.

D.  

It increases confidence in the team's response readiness.

A.  

Reviewing and assisting with IT strategy integration efforts

B.  

Developing and assessing the IT security strategy

C.  

Implementing processes to integrate security with business objectives

D.  

Developing and implementing the secure system development framework

A.  

A lessons-learned session was never conducted.

B.  

The projects 10% budget overrun was not reported to senior management.

C.  

Measurable benefits were not defined.

D.  

Monthly dashboards did not always contain deliverables.

A.  

Assurance that the new system meets functional requirements

B.  

More time for users to complete training for the new system

C.  

Significant cost savings over other system implemental or approaches

D.  

Assurance that the new system meets performance requirements

A.  

incident management.

B.  

quality assurance (QA).

C.  

change management.

D.  

project management.

A.  

Document the finding and present it to management.

B.  

Determine if a root cause analysis was conducted.

C.  

Confirm the resolution time of the incidents.

D.  

Validate whether all incidents have been actioned.

A.  

Implement network access control.

B.  

Implement outbound firewall rules.

C.  

Perform network reviews.

D.  

Review access control lists.

A.  

Visitors are required to be escorted by authorized personnel.

B.  

Visitors are required to use biometric authentication.

C.  

Visitors are monitored online by security cameras

D.  

Visitors are required to enter through dead-man doors.

A.  

Recovery point objective (RPO)

B.  

Maximum allowable downtime (MAD)

C.  

Mean time to restore (MTTR)

D.  

Key performance indicators (KPls)

A.  

recommend a control to automatically update access rights.

B.  

determine the reason why access rights have not been revoked.

C.  

direct management to revoke current access rights.

D.  

determine if access rights are in violation of software licenses.

A.  

It helps to identify areas with a relatively high probability of material problems.

B.  

It provides a basis for the formulation of corrective action plans.

C.  

It increases awareness of the types of management actions that may be inappropriate

D.  

It helps to identify areas that are most sensitive to fraudulent or inaccurate practices

A.  

Reviewing decisions on how business processes should be conducted in the new system

B.  

Completing data cleanup in the current database to eliminate inconsistencies

C.  

Understanding the new system's data structure

D.  

Creating data conversion scripts

A.  

hire another person to perform migration to production.

B.  

implement continuous monitoring controls.

C.  

remove production access from the developers.

D.  

perform a user access review for the development team

A.  

Misconfiguration and missing updates

B.  

Malicious software and spyware

C.  

Zero-day vulnerabilities

D.  

Security design flaws

A.  

business impact analysis (BIA).

B.  

threat and risk assessment.

C.  

business continuity plan (BCP).

D.  

disaster recovery plan (DRP).

A.  

Environment segregation

B.  

Reconciliation

C.  

System backups

D.  

Access controls

A.  

Alarm system with CCTV

B.  

Access control log

C.  

Security incident log

D.  

Access card allocation records

A.  

Phased approach

B.  

Direct cutover

C.  

Pilot study

D.  

Parallel run

A.  

Detective

B.  

Logical

C.  

Preventive

D.  

Corrective

A.  

Increase the capacity of existing systems.

B.  

Upgrade hardware to newer technology.

C.  

Hire temporary contract workers for the IT function.

D.  

Build a virtual environment.

A.  

Evaluating whether loan records are included in the batch file and are validated by the servicing system

B.  

Comparing a population of loans input in the origination system to loans booked on the servicing system

C.  

Validating whether reconciliations between the two systems are performed and discrepancies are investigated

D.  

Reviewing error handling controls to notify appropriate personnel in the event of a transmission failure

A.  

Blocking attachments in IM

B.  

Blocking external IM traffic

C.  

Allowing only corporate IM solutions

D.  

Encrypting IM traffic

A.  

Senior management's request

B.  

Prior year's audit findings

C.  

Organizational risk assessment

D.  

Previous audit coverage and scope

A.  

Disabled USB ports

B.  

Full disk encryption

C.  

Biometric access control

D.  

Two-factor authentication

A.  

IT operator

B.  

System administration

C.  

Emergency support

D.  

Database administration

A.  

the provider has alternate service locations.

B.  

the contract includes compensation for deficient service levels.

C.  

the provider's information security controls are aligned with the company's.

D.  

the provider adheres to the company's data retention policies.

A.  

Real-time backup

B.  

Virtual backup

C.  

Differential backup

D.  

Full backup

A.  

Analysis of industry benchmarks

B.  

Identification of organizational goals

C.  

Analysis of quantitative benefits

D.  

Implementation of a balanced scorecard

A.  

Prepare detailed plans for each business function.

B.  

Involve staff at all levels in periodic paper walk-through exercises.

C.  

Regularly update business impact assessments.

D.  

Make senior managers responsible for their plan sections.

A.  

deleted data cannot easily be retrieved.

B.  

deleting the files logically does not overwrite the files' physical data.

C.  

backup copies of files were not deleted as well.

D.  

deleting all files separately is not as efficient as formatting the hard disk.

A.  

An assessment of whether requirements will be fully met

B.  

An assessment indicating security controls will operateeffectively

C.  

An assessment of whether the expected benefits can beachieved

D.  

An assessment indicating the benefits will exceed the implement

A.  

it facilitates easier audit follow-up

B.  

it enforces action plan consensus between auditors and auditees

C.  

it establishes accountability for the action plans

D.  

it helps to ensure factual accuracy of findings

A.  

Media recycling policy

B.  

Media sanitization policy

C.  

Media labeling policy

D.  

Media shredding policy

A.  

Change management

B.  

Problem management

C.  

incident management

D.  

Configuration management

A.  

The cost of outsourcing is lower than in-house development.

B.  

The vendor development team is located overseas.

C.  

A training plan for business users has not been developed.

D.  

The data model is not clearly documented.

A.  

Incident monitoring togs

B.  

The ISP service level agreement

C.  

Reports of network traffic analysis

D.  

Network topology diagrams