CISA Practice Exam Questions and Answers

A.  

Target architecture is defined at a technical level.

B.  

The previous year's IT strategic goals were not achieved.

C.  

Strategic IT goals are derived solely from the latest market trends.

D.  

Financial estimates of new initiatives are disclosed within the document.

A.  

Percentage of new hires that have completed the training.

B.  

Number of new hires who have violated enterprise security policies.

C.  

Number of reported incidents by new hires.

D.  

Percentage of new hires who report incidents

A.  

Disabled USB ports

B.  

Full disk encryption

C.  

Biometric access control

D.  

Two-factor authentication

A.  

governance of enterprise IT.

B.  

control effectiveness.

C.  

return on investment (ROI).

D.  

change management effectiveness.

A.  

subsystem structure.

B.  

program execution.

C.  

security control options.

D.  

operator overrides.

A.  

Full test results

B.  

Completed test plans

C.  

Updated inventory of systems

D.  

Change management processes

A.  

SQL injection attacks

B.  

Denial of service (DoS) attacks

C.  

Phishing attacks

D.  

Insider attacks

A.  

The number of users deleting the email without reporting because it is a phishing email

B.  

The number of users clicking on the link to learn more about the sender of the email

C.  

The number of users forwarding the email to their business unit managers

D.  

The number of users reporting receipt of the email to the information security team

A.  

Limit employee internet access.

B.  

Implement data classification procedures.

C.  

Review firewall logs for anomalies.

D.  

Conduct periodic security awareness training.

A.  

Assessment of the personnel training processes of the provider

B.  

Adequacy of the service provider's insurance

C.  

Review of performance against service level agreements (SLAs)

D.  

Periodic audits of controls by an independent auditor

A.  

Senior management's request

B.  

Prior year's audit findings

C.  

Organizational risk assessment

D.  

Previous audit coverage and scope

A.  

Implementation plan

B.  

Project budget provisions

C.  

Requirements analysis

D.  

Project plan

A.  

To determine whether project objectives in the business case have been achieved

B.  

To ensure key stakeholder sign-off has been obtained

C.  

To align project objectives with business needs

D.  

To document lessons learned to improve future project delivery

A.  

The current business capabilities delivered by the legacy system

B.  

The proposed network topology to be used by the redesigned system

C.  

The data flows between the components to be used by the redesigned system

D.  

The database entity relationships within the legacy system

A.  

basis for allocating indirect costs.

B.  

cost of replacing equipment.

C.  

estimated cost of ownership.

D.  

basis for allocating financial resources.

A.  

Increase the capacity of existing systems.

B.  

Upgrade hardware to newer technology.

C.  

Hire temporary contract workers for the IT function.

D.  

Build a virtual environment.

A.  

Data masking

B.  

Data tokenization

C.  

Data encryption

D.  

Data abstraction

A.  

Tunneling

B.  

Encryption

C.  

Message validation

D.  

Firewalls

A.  

The auditor who conducted the audit and agreed with the timeline has left the organization.

B.  

Management's planned actions are sufficient given the relative importance of the observations.

C.  

Auditee management has accepted all observations reported by the auditor.

D.  

The audit environment has changed significantly.

A.  

File level encryption

B.  

File Transfer Protocol (FTP)

C.  

Instant messaging policy

D.  

Application level firewalls

A.  

The process does not require specifying the physical locations of assets.

B.  

Process ownership has not been established.

C.  

The process does not include asset review.

D.  

Identification of asset value is not included in the process.

A.  

Segregation of duties between issuing purchase orders and making payments.

B.  

Segregation of duties between receiving invoices and setting authorization limits

C.  

Management review and approval of authorization tiers

D.  

Management review and approval of purchase orders

A.  

Future compatibility of the application.

B.  

Proposed functionality of the application.

C.  

Controls incorporated into the system specifications.

D.  

Development methodology employed.

A.  

Whether there is explicit permission from regulators to collect personal data

B.  

The organization's legitimate purpose for collecting personal data

C.  

Whether sharing of personal information with third-party service providers is prohibited

D.  

The encryption mechanism selected by the organization for protecting personal data

A.  

Aligning the framework to industry best practices

B.  

Establishing committees to support and oversee framework activities

C.  

Involving appropriate business representation within the framework

D.  

Documenting IT-related policies and procedures

A.  

Program documentation

B.  

Access control tables

C.  

Data flow diagrams

D.  

Field naming conventions

A.  

Users are not required to change their passwords on a regular basis

B.  

Management does not review application user activity logs

C.  

User accounts are shared between users

D.  

Password length is set to eight characters

A.  

Manual sign-in and sign-out log

B.  

System electronic log

C.  

Alarm system with CCTV

D.  

Security incident log

A.  

Prepare detailed plans for each business function.

B.  

Involve staff at all levels in periodic paper walk-through exercises.

C.  

Regularly update business impact assessments.

D.  

Make senior managers responsible for their plan sections.

A.  

Perform background verification checks.

B.  

Review third-party audit reports.

C.  

Implement change management review.

D.  

Conduct a privacy impact analysis.

A.  

To limit the liability associated with storing and protecting information

B.  

To document business objectives for processing data within the organization

C.  

To assign responsibility and ownership for data protection outside IT

D.  

To establish a recovery point detective (RPO) for (toaster recovery procedures

A.  

deleted data cannot easily be retrieved.

B.  

deleting the files logically does not overwrite the files' physical data.

C.  

backup copies of files were not deleted as well.

D.  

deleting all files separately is not as efficient as formatting the hard disk.

A.  

Ensure that paper documents arc disposed security.

B.  

Implement an intrusion detection system (IDS).

C.  

Verify that application logs capture any changes made.

D.  

Validate that all data files contain digital watermarks

A.  

The cost of outsourcing is lower than in-house development.

B.  

The vendor development team is located overseas.

C.  

A training plan for business users has not been developed.

D.  

The data model is not clearly documented.

A.  

The IT strategy is modified in response to organizational change.

B.  

The IT strategy is approved by executive management.

C.  

The IT strategy is based on IT operational best practices.

D.  

The IT strategy has significant impact on the business strategy

A.  

IT steering committee minutes

B.  

Business objectives

C.  

Alignment with the IT tactical plan

D.  

Compliance with industry best practice

A.  

Approved test scripts and results prior to implementation

B.  

Written procedures defining processes and controls

C.  

Approved project scope document

D.  

A review of tabletop exercise results

A.  

Have an independent party review the source calculations

B.  

Execute copies of EUC programs out of a secure library

C.  

implement complex password controls

D.  

Verify EUC results through manual calculations

A.  

Procedures may not align with best practices

B.  

Human resources (HR) records may not match system access.

C.  

Unauthorized access cannot he identified.

D.  

Access rights may not be removed in a timely manner.

A.  

Disposal policies and procedures are not consistently implemented

B.  

Evidence is not available to verify printer hard drives have been sanitized prior to disposal.

C.  

Business units are allowed to dispose printers directly to

D.  

Inoperable printers are stored in an unsecured area.

A.  

Installing security software on the devices

B.  

Partitioning the work environment from personal space on devices

C.  

Preventing users from adding applications

D.  

Restricting the use of devices for personal purposes during working hours

A.  

The contract does not contain a right-to-audit clause.

B.  

An operational level agreement (OLA) was not negotiated.

C.  

Several vendor deliverables missed the commitment date.

D.  

Software escrow was not negotiated.

A.  

Right to perform e-discovery

B.  

Advice from legal counsel

C.  

Preserving the chain of custody

D.  

Results of a root cause analysis

A.  

Strong risk management practices

B.  

Internal auditor commitment

C.  

Supportive corporate culture

D.  

Documented policies

A.  

Required approvals at each life cycle step

B.  

Date and time stamping of source and object code

C.  

Access controls for source libraries

D.  

Release-to-release comparison of source code

A.  

Rotating backup copies of transaction files offsite

B.  

Using a database management system (DBMS) to dynamically back-out partially processed transactions

C.  

Maintaining system console logs in electronic formal

D.  

Ensuring bisynchronous capabilities on all transmission lines

A.  

Require the auditee to address the recommendations in full.

B.  

Adjust the annual risk assessment accordingly.

C.  

Evaluate senior management's acceptance of the risk.

D.  

Update the audit program based on management's acceptance of risk.

A.  

Establishing a well-designed framework for network servirces.

B.  

Finding performance metrics that can be measured properly

C.  

Ensuring that network components are not modified by the client

D.  

Reducing the number of entry points into the network

A.  

CCTV recordings are not regularly reviewed.

B.  

CCTV cameras are not installed in break rooms

C.  

CCTV records are deleted after one year.

D.  

CCTV footage is not recorded 24 x 7.

A.  

An assessment of whether requirements will be fully met

B.  

An assessment indicating security controls will operate

effectively

C.  

An assessment of whether the expected benefits can be

achieved

D.  

An assessment indicating the benefits will exceed the implement

A.  

Temperature sensors

B.  

Humidity sensors

C.  

Water sensors

D.  

Air pressure sensors

A.  

Inform potentially affected customers of the security breach

B.  

Notify business management of the security breach.

C.  

Research the validity of the alerted breach

D.  

Engage a third party to independently evaluate the alerted breach.

A.  

Data retention

B.  

Data minimization

C.  

Data quality

D.  

Data integrity

A.  

Continuity of service

B.  

Identity management

C.  

Homogeneity of the network

D.  

Nonrepudiation

A.  

Source code version control

B.  

Project change management controls

C.  

Existence of an architecture review board

D.  

Configuration management

A.  

stakeholder expectations were identified

B.  

vendor product offered a viable solution.

C.  

user requirements were met.

D.  

test scenarios reflected operating activities.

A.  

Availability integrity

B.  

Data integrity

C.  

Entity integrity

D.  

Referential integrity

A.  

Recommend the utilization of software licensing monitoring tools

B.  

Recommend the purchase of additional software license keys

C.  

Validate user need for shared software licenses

D.  

Verify whether the licensing agreement allows shared use

A.  

Security procedures may be inadequate to support the change

B.  

A distributed security system is inherently a weak security system

C.  

End-user acceptance of the new system may be difficult to obtain

D.  

The new system will require additional resources

A.  

Data classification policy and procedures

B.  

Access rights of similar file servers

C.  

Previous data breach incident reports

D.  

Acceptable use policy and privacy statements

A.  

Performance audit

B.  

Integrated audit

C.  

Cyber audit

D.  

Financial audit

A.  

The change management process was not formally documented

B.  

Backups of the old system and data are not available online

C.  

Unauthorized data modifications occurred during conversion,

D.  

Data conversion was performed using manual processes

A.  

Align the IT strategy will business objectives

B.  

Review priorities in the IT portfolio

C.  

Change the IT strategy to focus on operational excellence.

D.  

Align the IT portfolio with the IT strategy.

A.  

Approval processes for new system implementations

B.  

Procedures for adding a new user to the invoice processing system

C.  

Approval processes for updating the corporate website

D.  

Procedures for regression testing system changes

A.  

Control requirements

B.  

Rollback procedures

C.  

Functional requirements documentation

D.  

User acceptance lest (UAT) results

A.  

Report the variance immediately to the audit committee

B.  

Request an explanation of the variance from the auditee

C.  

Increase the sample size to 100% of the population

D.  

Exclude the transaction from the sample population

A.  

Auditors are responsible for performing operational duties or activities.

B.  

The internal audit manager reports functionally to a senior management official.

C.  

The internal audit manager has a reporting line to the audit committee.

D.  

Auditors are responsible for assessing and operating a system of internal controls.

A.  

tracing modifications from the original request for change forward to the executable program.

B.  

tracing modifications from the executable program back to the original request for change.

C.  

testing only the authorizations to implement the new program.

D.  

reviewing only the actual lines of source code changed in the program.

A.  

Less funding required overall

B.  

Quicker deliverables

C.  

Quicker end user acceptance

D.  

Clearly defined business expectations

A.  

The programmer did not involve the user in testing

B.  

The user requirements were not documented

C.  

The programmer has access to the production programs

D.  

Payroll files were not under the control of a librarian

A.  

End-user computing (EUC) systems

B.  

Email attachments

C.  

Data sent to vendors

D.  

New system applications

A.  

inventory of relevant business processes

B.  

Policies for business procurement

C.  

Documentation of application configurations

D.  

Results of business resumption planning efforts

A.  

Come to an agreement prior to issuing the final report.

B.  

Include the position supported by senior management in the final engagement report

C.  

Ensure the auditee's comments are included in the working papers

D.  

Exclude the disputed recommendation from the final engagement report

A.  

Operating system weaknesses are more easily identified.

B.  

Emerging security technologies are better understood and accepted.

C.  

The cost to mitigate information security risk is reduced.

D.  

Organizational awareness of security responsibilities is improved.

A.  

the patches were updated.

B.  

The logs were monitored.

C.  

The network traffic was being monitored.

D.  

The domain controller was classified for high availability.

A.  

attributes for system passwords.

B.  

security training prior to implementation.

C.  

security requirements for the new application.

D.  

the firewall configuration for the web server.

A.  

Gap analysis

B.  

Audit reports

C.  

Risk profile

D.  

Risk register

A.  

The log is reviewed on a monthly basis.

B.  

Authorized access is required to view the log.

C.  

The log cannot be modified.

D.  

The log is retained per policy.

A.  

Monitoring access rights on a regular basis

B.  

Referencing a standard user-access matrix

C.  

Granting user access using a role-based model

D.  

Correcting the segregation of duties conflicts

A.  

Review sign-off documentation

B.  

Review the source code related to the calculation

C.  

Re-perform the calculation with audit software

D.  

Inspect user acceptance lest (UAT) results

A.  

reflect current practices.

B.  

include new systems and corresponding process changes.

C.  

incorporate changes to relevant laws.

D.  

be subject to adequate quality assurance (QA).

A.  

A single point of failure for both voice and data communications

B.  

Inability to use virtual private networks (VPNs) for internal traffic

C.  

Lack of integration of voice and data communications

D.  

Voice quality degradation due to packet toss

A.  

Labeling the data appropriately

B.  

Identifying risk associated with the data

C.  

Determining accountability of data owners

D.  

Determining the adequacy of privacy controls

A.  

The efforts required for independent verification with new auditors

B.  

The impact if corrective actions are not taken

C.  

The amount of time the auditee has agreed to spend with auditors

D.  

Controls and detection risks related to the observations

A.  

violation reports may not be reviewed in a timely manner.

B.  

a significant number of false positive violations may be reported.

C.  

violations may not be categorized according to the organization's risk profile.

D.  

violation reports may not be retained according to the organization's risk profile.

A.  

Staff were not involved in the procurement process, creating user resistance to the new system.

B.  

Data is not converted correctly, resulting in inaccurate patient records.

C.  

The deployment project experienced significant overruns, exceeding budget projections.

D.  

The new system has capacity issues, leading to slow response times for users.

A.  

allocation of resources during an emergency.

B.  

frequency of system testing.

C.  

differences in IS policies and procedures.

D.  

maintenance of hardware and software compatibility.

A.  

Developing an inventory of all business entities that exchange personal data with the affected jurisdiction

B.  

Identifying data security threats in the affected jurisdiction

C.  

Reviewing data classification procedures associated with the affected jurisdiction

D.  

Identifying business processes associated with personal data exchange with the affected jurisdiction

A.  

risk management review

B.  

control self-assessment (CSA).

C.  

service level agreement (SLA).

D.  

balanced scorecard.

A.  

authorize secured emergency access

B.  

approve the organization's security policy

C.  

ensure access rules agree with policies

D.  

create role-based rules for each business process

A.  

There are conflicting permit and deny rules for the IT group.

B.  

The network security group can change network address translation (NAT).

C.  

Individual permissions are overriding group permissions.

D.  

There is only one rule per group with access privileges.

A.  

well understand by all employees.

B.  

based on industry standards.

C.  

developed by process owners.

D.  

updated frequently.

A.  

Analyzing risks posed by new regulations

B.  

Designing controls to protect personal data

C.  

Defining roles within the organization related to privacy

D.  

Developing procedures to monitor the use of personal data

A.  

Historical privacy breaches and related root causes

B.  

Globally accepted privacy best practices

C.  

Local privacy standards and regulations

D.  

Benchmark studies of similar organizations

A.  

Water sprinkler

B.  

Fire extinguishers

C.  

Carbon dioxide (CO2)

D.  

Dry pipe

A.  

Availability of the user list reviewed

B.  

Confidentiality of the user list reviewed

C.  

Source of the user list reviewed

D.  

Completeness of the user list reviewed

A.  

Function point analysis

B.  

Balanced scorecard review

C.  

Post-implementation review

D.  

Business impact analysis (BIA)

A.  

An employee is induced to reveal confidential IP addresses and passwords by answering questions over the phone.

B.  

A hacker walks around an office building using scanning tools to search for a wireless network to gain access.

C.  

An intruder eavesdrops and collects sensitive information flowing through the network and sells it to third parties.

D.  

An unauthorized person attempts to gain access to secure premises by following an authorized person through a secure door.

A.  

has adequate security.

B.  

logs ail database records.

C.  

Is accessible online

D.  

does not impact operational efficiency

A.  

The organization's security policy

B.  

The number of remote nodes

C.  

The firewalls' default settings

D.  

The physical location of the firewalls

A.  

The design of controls

B.  

Industry standards and best practices

C.  

The results of the previous audit

D.  

The amount of time since the previous audit

A.  

Preserving the same data classifications

B.  

Preserving the same data inputs

C.  

Preserving the same data structure

D.  

Preserving the same data interfaces

A.  

Data encryption on the mobile device

B.  

Complex password policy for mobile devices

C.  

The triggering of remote data wipe capabilities

D.  

Awareness training for mobile device users