CISA Practice Questions

A.  

Intrusion prevention system (IPS) and firewalls

B.  

Data loss prevention (DLP) technologies

C.  

Cryptographic protection

D.  

Email phishing simulation exercises

A.  

Define the population for sampling.

B.  

Determine the sampling method.

C.  

Calculate the sample size.

D.  

Pull the sample.

A.  

prevent changes from being incorporated into existing code.

B.  

prevent developers from accessing secure source code.

C.  

provide secure versioning and backup capabilities for existing code.

D.  

provide automatic incorporation and distribution of modified code.

A.  

Changes are promoted to production by the development group.

B.  

Object code can be accessed by the development group.

C.  

Developers have access to the testing environment.

D.  

Change approvals are not formally documented.

A.  

Lost revenue

B.  

Personnel safety

C.  

IT asset protection

D.  

Adequate resource capacity

A.  

Business strategies may not align with IT capabilities.

B.  

Business strategies may not consider emerging technologies.

C.  

IT strategies may not align with business strategies.

D.  

IT strategic goals may not be considered by the business.

A.  

IS audit manager

B.  

Audit committee

C.  

Business owner

D.  

Project sponsor

A.  

Interactive application security testing (IAST)

B.  

Runtime application self-protection (RASP)

C.  

Dynamic analysis security testing (DAST)

D.  

Static analysis security testing (SAST)

A.  

Maximum tolerable downtime (MTD)

B.  

Mean time to restore (MTTR)

C.  

Mean time to acknowledge

D.  

Maximum time between failures (MTBF)

A.  

Data loss prevention (DLP) system

B.  

Network access controls (NAC)

C.  

Perimeter firewall

D.  

Hashing of sensitive data

A.  

Analysis of IT department functionality

B.  

Biweekly reporting to senior management

C.  

Annual board meetings

D.  

Quarterly steering committee meetings

A.  

Evaluate key performance indicators (KPIs).

B.  

Conduct a gap analysis.

C.  

Develop a maturity model.

D.  

Implement a control self-assessment (CSA).

A.  

Physical sign-in of all employees for access to restricted areas

B.  

Implementation of additional PIN pads

C.  

Periodic review of access profiles by management

D.  

Installation of closed-circuit television (CCTV)

A.  

Critical path methodology

B.  

Agile development approach

C.  

Function point analysis

D.  

Rapid application development

A.  

digital certificates.

B.  

digital signatures.

C.  

public key infrastructure (PKI).

D.  

authentication.

A.  

Cloud computing

B.  

Robotic process automation (RPA)

C.  

Internet of Things (IoT)

D.  

Machine learning algorithms

A.  

The CASB logs the access request as a service record that is reviewed after granting access.

B.  

The CASB verifies the access request from a named customer contact before granting access.

C.  

The CASB manages secure access to the federated directory service used by the SaaS application.

D.  

The CASB conducts periodic audits of access requests to ensure compliance with customer policy.

A.  

a risk management process.

B.  

an information security framework.

C.  

past information security incidents.

D.  

industry best practices.

A.  

application firewall policy settings.

B.  

a three-tier web architecture.

C.  

secure coding practices.

D.  

use of common industry frameworks.

A.  

Enterprise risk manager

B.  

Project sponsor

C.  

Information security officer

D.  

Project manager

A.  

A means of benchmarking the effectiveness of similar processes with peers

B.  

A means of comparing the effectiveness of other processes within the enterprise

C.  

Identification of older, more established processes to ensure timely review

D.  

Identification of processes with the most improvement opportunities

A.  

The data is taken directly from the system.

B.  

There is no privacy information in the data.

C.  

The data can be obtained in a timely manner.

D.  

The data analysis tools have been recently updated.

A.  

Integration testing

B.  

End-user training

C.  

Full unit testing

D.  

Parallel testing

A.  

Implementing security logging to enhance threat and vulnerability management

B.  

Maintaining a catalog of vulnerabilities that may impact mission-critical systems

C.  

Using a capability maturity model to identify a path to an optimized program

D.  

Outsourcing the threat and vulnerability management function to a third party

A.  

User Datagram Protocol (UDP)

B.  

Hypertext Transfer Protocol (HTTP)

C.  

Secure File Transfer Protocol (SFTP)

D.  

Remote Desktop Protocol (RDP)

A.  

To provide efficiencies for alignment with incident response test scenarios

B.  

To determine process improvement options for the incident response plan

C.  

To gather documentation for responding to security audit inquiries

D.  

To confirm that technology is in place to support the incident response plan

A.  

Lack of password protection

B.  

Lack of processing integrity

C.  

Increase in regulatory violations

D.  

Increase in operational incidents

A.  

Security requirements have not been defined.

B.  

Conditions under which the system will operate are unclear.

C.  

The business case does not include well-defined strategic benefits.

D.  

System requirements and expectations have not been clarified.

A.  

Automated patching jobs and immediate restart

B.  

Automated patching jobs followed by a scheduled restart outside of business hours

C.  

End users can initiate patching including subsequent system restarts

D.  

Applying only those patches not requiring a system restart

A.  

Rolling forward of transactions when a production server fails

B.  

Ad hoc batch reporting jobs from the replication server

C.  

Analysis of application performance degradation

D.  

Hardware replacement work involving databases

A.  

User acceptance testing (UAT)

B.  

Black box testing

C.  

White box testing

D.  

Penetration testing

A.  

Judgmental sampling

B.  

Data analytics testing

C.  

Variable sampling

D.  

Compliance testing

A.  

To identify omissions made in the completed risk assessment

B.  

To identify new risks the organization may have to address

C.  

To recommend control enhancements for further risk reduction

D.  

To advise management on risk appetite levels

A.  

Enhance the firewall at the network perimeter.

B.  

Implement a file system scanner to discover data stored in the cloud.

C.  

Employ a cloud access security broker (CASB).

D.  

Utilize a DLP tool on desktops to monitor user activities.

A.  

Periodic vendor reviews

B.  

Dual control

C.  

Independent reconciliation

D.  

Re-keying of monetary amounts

E.  

Engage an external security incident response expert for incident handling.

A.  

Real-time audit software

B.  

Performance data

C.  

Quality assurance (QA) reviews

D.  

Participative management techniques

A.  

IT portfolio management.

B.  

IT resource management.

C.  

system support documentation.

D.  

change management.

A.  

Ability to meet business requirements

B.  

Assurance that sensitive data is encrypted

C.  

Increased accuracy of sensitive data

D.  

Management of business risk to sensitive data

A.  

Negotiating a nondisclosure agreement (NDA) with the provider

B.  

Conducting periodic system stress testing

C.  

Creating restore points for critical applications

D.  

Using a monitoring tool to assess uptime

A.  

Systems may not be supported by the vendor.

B.  

Known security vulnerabilities may not be mitigated.

C.  

Different systems may not be compatible.

D.  

The systems may not meet user requirements.

A.  

An employee is sending company documents to an external email to increase productivity.

B.  

A former employee retains access to an application that authenticates via single sign-on

C.  

An employee uses production data in a test environment.

D.  

An employee selects the incorrect data classification on documents.

A.  

Risk assessments of information assets are not periodically performed.

B.  

All Control Panel Items

C.  

The information security policy does not extend to service providers.

D.  

There is no process to measure information security performance.

E.  

The information security policy is not reviewed by executive management.

A.  

Protection against privacy breaches

B.  

Storage cost reduction

C.  

Disaster recovery planning

D.  

Ransomware protection

A.  

Disable operational logging to enhance the processing speed and save storage.

B.  

Adopt a service delivery model based on insights from peer organizations.

C.  

Delegate business decisions to the chief risk officer (CRO).

D.  

Eliminate certain reports and key performance indicators (KPIs)

A.  

Increased vulnerability due to anytime, anywhere accessibility

B.  

Increased need for user awareness training

C.  

The use of the cloud negatively impacting IT availability

D.  

Lack of governance and oversight for IT infrastructure and applications

A.  

Multi-factor authentication (MFA)

B.  

Security awareness programs for employees

C.  

Access history log review by the business manager

D.  

File encryption along with password protection

A.  

More frequent data backups

B.  

Periodic table link checks

C.  

Concurrent access controls

D.  

Performance monitoring tools

A.  

The IS auditor provided consulting advice concerning application system best practices.

B.  

The IS auditor participated as a member of the application system project team, but did not have operational responsibilities.

C.  

The IS auditor designed an embedded audit module exclusively for auditing the application system.

D.  

The IS auditor implemented a specific control during the development of the application system.

A.  

recommend that the option to directly modify the database be removed immediately.

B.  

recommend that the system require two persons to be involved in modifying the database.

C.  

determine whether the log of changes to the tables is backed up.

D.  

determine whether the audit trail is secured and reviewed.

A.  

Report the mitigating controls.

B.  

Report the security posture of the organization.

C.  

Determine the value of the firewall.

D.  

Determine the risk of not replacing the firewall.