CISA Practice Questions

A.  

Testing

B.  

Replication

C.  

Staging

D.  

Development

A.  

maximum tolerable loss of data.

B.  

nature of the outage

C.  

maximum tolerable downtime (MTD).

D.  

business-defined criticality of the systems.

A.  

To improve key availability metrics

B.  

To reduce costs associates with backups

C.  

To increase backup resiliency and redundancy

D.  

To minimize the backup time and resources

A.  

Data migration is not part of the contracted activities.

B.  

The replacement is occurring near year-end reporting

C.  

The user department will manage access rights.

D.  

Testing was performed by the third-party consultant

A.  

Programmed edit checks for data entry

B.  

Backup procedures

C.  

Use of pass cards to gain access to physical facilities

D.  

Verification of hash totals

A.  

The design of controls

B.  

Industry standards and best practices

C.  

The results of the previous audit

D.  

The amount of time since the previous audit

A.  

Availability of the user list reviewed

B.  

Confidentiality of the user list reviewed

C.  

Source of the user list reviewed

D.  

Completeness of the user list reviewed

A.  

the organization's web server.

B.  

the demilitarized zone (DMZ).

C.  

the organization's network.

D.  

the Internet

A.  

authorize secured emergency access

B.  

approve the organization's security policy

C.  

ensure access rules agree with policies

D.  

create role-based rules for each business process

A.  

Service management standards are not followed.

B.  

Expected time to resolve incidents is not specified.

C.  

Metrics are not reported to senior management.

D.  

Prioritization criteria are not defined.

A.  

Message encryption

B.  

Certificate authority (CA)

C.  

Steganography

D.  

Message digest

A.  

The system only allows payments to vendors who are included In the system's master vendor list.

B.  

Backups of the system and its data are performed on a nightly basis and tested periodically.

C.  

The system produces daily payment summary reports that staff use to compare against invoice totals.

D.  

Policies and procedures are clearly communicated to all members of the accounts payable department

A.  

The standard is met as long as one member has a globally recognized audit certification.

B.  

Technical co-sourcing must be used to help the new staff.

C.  

Team member assignments must be based on individual competencies.

D.  

The standard is met as long as a supervisor reviews the new auditors' work.

A.  

Water sprinkler

B.  

Fire extinguishers

C.  

Carbon dioxide (CO2)

D.  

Dry pipe

A.  

Discovery

B.  

Attacks

C.  

Planning

D.  

Reporting

A.  

has adequate security.

B.  

logs ail database records.

C.  

Is accessible online

D.  

does not impact operational efficiency

A.  

Reviewing vacation patterns

B.  

Reviewing user activity logs

C.  

Interviewing senior IT management

D.  

Mapping IT processes to roles

A.  

the implementation plan meets user requirements.

B.  

a full, visible audit trail will be Included.

C.  

a dear business case has been established.

D.  

the new hardware meets established security standards

A.  

Revise the assessment based on senior management's objections.

B.  

Escalate the issue to audit management.

C.  

Finalize the draft audit report without changes.

D.  

Gather evidence to analyze senior management's objections

A.  

To decrease system response time

B.  

To Improve the recovery lime objective (RTO)

C.  

To facilitate faster backups

D.  

To improve system resiliency

A.  

The organization's systems inventory is kept up to date.

B.  

Vulnerability scanning results are reported to the CISO.

C.  

The organization is using a cloud-hosted scanning tool for Identification of vulnerabilities

D.  

Access to the vulnerability scanning tool is periodically reviewed

A.  

Data availability

B.  

Data confidentiality

C.  

Data integrity

D.  

Data redundancy

A.  

risk management review

B.  

control self-assessment (CSA).

C.  

service level agreement (SLA).

D.  

balanced scorecard.

A.  

Analyzing risks posed by new regulations

B.  

Designing controls to protect personal data

C.  

Defining roles within the organization related to privacy

D.  

Developing procedures to monitor the use of personal data

A.  

Redundant pathways

B.  

Clustering

C.  

Failover power

D.  

Parallel testing

A.  

The protect requirements are wall understood.

B.  

The project is subject to time pressures.

C.  

The project intends to apply an object-oriented design approach.

D.  

The project will involve the use of new technology.

A.  

Responsible

B.  

Informed

C.  

Consulted

D.  

Accountable

A.  

The certificate revocation list has not been updated.

B.  

The PKI policy has not been updated within the last year.

C.  

The private key certificate has not been updated.

D.  

The certificate practice statement has not been published

A.  

Review IT staff job descriptions for alignment

B.  

Develop quarterly training for each IT staff member.

C.  

Identify required IT skill sets that support key business processes

D.  

Include strategic objectives m IT staff performance objectives

A.  

Comparing code between old and new systems

B.  

Running historical transactions through the new system

C.  

Reviewing quality assurance (QA) procedures

D.  

Loading balance and transaction data to the new system

A.  

Perimeter firewall

B.  

Data loss prevention (DLP) system

C.  

Network segmentation

D.  

Web application firewall (WAF)

A.  

CAATs are easily developed

B.  

Improved regression testing

C.  

Ease of maintaining automated test scripts

D.  

Reduces the scope of acceptance testing

A.  

Evaluating business investment opportunities for the organization

B.  

Identifying critical business processes to effectively prioritize recovery efforts

C.  

Ensuring compliance with regulations through regular audits

D.  

Conducting vulnerability assessments to enhance network security measures

A.  

Establishing dedicated servers for incoming API requests

B.  

Implementing a continuous integration and deployment process

C.  

Conducting periodic stress testing

D.  

Limiting the rate of incoming requests

A.  

Reviewing SIEM reports of suspicious events in a timely manner

B.  

Reviewing business application logs on a regular basis

C.  

Troubleshooting connectivity issues routinely

D.  

Installing a packet filtering firewall to block malicious traffic

A.  

Performing independent reviews of responsible parties engaged in the project

B.  

Shortlisting vendors to perform renovations

C.  

Ensuring the project progresses as scheduled and milestones are achieved

D.  

Implementing data center operational controls

A.  

Release and patch management

B.  

Licensing agreement and escrow

C.  

Software asset management

D.  

Version management

A.  

There is no software used to track change management.

B.  

The change is not approved by the business owners.

C.  

The change is deployed two weeks after approval.

D.  

The development of the change is not cost-effective.

A.  

Backup testing schedule

B.  

Data retention policy

C.  

Transfer frequency

D.  

Data confidentiality

A.  

Query the database.

B.  

Develop an integrated test facility (ITF).

C.  

Use generalized audit software.

D.  

Leverage a random number generator.

A.  

Time from identifying security threats to implementing solutions

B.  

The number of security controls audited

C.  

Time from security log capture to log analysis

D.  

The number of entries in the security risk register

A.  

specific functional contents of each single table.

B.  

frequency of updates to the table.

C.  

descriptions of column names in the table.

D.  

number of end users with access to the table.

A.  

Inadequate physical security practices in public places

B.  

Susceptibility to targeted phishing attacks

C.  

Use of insecurely configured wireless networks

D.  

Use of weak passwords and authentication methods

A.  

Backups of the old system and data are not available online

B.  

The change management process was not formally documented

C.  

Data conversion was performed using manual processes

D.  

Unauthorized data modifications occurred during conversion

A.  

Ownership of the system quality management plan

B.  

Utilization of standards in the system development processes and procedures

C.  

Validation that system development processes adhere to quality standards

D.  

Definition of quality attributes to be associated with the system

A.  

Log file size has grown year over year.

B.  

Critical events are being logged to immutable log files.

C.  

Applications are logging events into multiple log files.

D.  

Data formats have not been standardized across all logs.

A.  

Conducted once per year just before system audits are scheduled.

B.  

Conducted by the internal technical team instead of external experts.

C.  

Performed for critical systems, not for the entire infrastructure.

D.  

Performed using open-source testing tools.

A.  

Reprioritize further testing of the anomalies and refocus on issues with higher risk

B.  

Update the audit plan to include the information collected during the audit

C.  

Ask auditees to promptly remediate the anomalies

D.  

Document the anomalies in audit workpapers

A.  

Observations not reported as findings due to inadequate evidence

B.  

The roadmap for addressing the various risk areas

C.  

The level of unmitigated risk along with business impact

D.  

Specific technology solutions for each audit observation

A.  

Require personal devices to be reviewed by IT staff.

B.  

Enable port security on all network switches.

C.  

Implement a network access control system.

D.  

Ensure the policy requires antivirus software on devices.