CISA Practice Questions

A.  

unit testing

B.  

Network performance

C.  

User acceptance testing (UAT)

D.  

Regression testing

A.  

Determine whether another DBA could make the changes

B.  

Report a potential segregation of duties violation

C.  

identify whether any compensating controls exist

D.  

Ensure a change management process is followed prior to implementation

A.  

Difference estimation sampling

B.  

Stratified mean per unit sampling

C.  

Customer unit sampling

D.  

Unstratified mean per unit sampling

A.  

Require employees to utilize passwords on personal devices

B.  

Prohibit employees from storing company email on personal devices

C.  

Ensure antivirus protection is installed on personal devices

D.  

Implement an email containerization solution on personal devices

A.  

available resources are used efficiently and effectively

B.  

computer systems are used to their maximum capacity most of the time

C.  

concurrent use by a large number of users is enabled

D.  

proposed hardware acquisitions meet capacity requirements

A.  

Problem management

B.  

Incident management

C.  

Service level management

D.  

Change management

A.  

control design.

B.  

feasibility study.

C.  

application design.

D.  

system test.

A.  

business risk

B.  

security policy

C.  

data retention requirements

D.  

industry standards

A.  

Monitoring tools are configured to alert in case of downtime

B.  

A comprehensive security review is performed every quarter.

C.  

Data for different tenants is segregated by database schema

D.  

Tenants are required to implement data classification polices

A.  

Insufficient processes to track ownership of each EUC application?

B.  

Insufficient processes to lest for version control

C.  

Lack of awareness training for EUC users

D.  

Lack of defined criteria for EUC applications

A.  

Biometrics

B.  

Procedures for escorting visitors

C.  

Airlock entrance

D.  

Intruder alarms

A.  

Independence

B.  

Integrity

C.  

Materiality

D.  

Accountability

A.  

Increased number of false negatives in security logs

B.  

Decreased effectiveness of roof cause analysis

C.  

Decreased overall recovery time

D.  

Increased demand for storage space for logs

A.  

Require employees to waive privacy rights related to data on BYOD devices.

B.  

Require multi-factor authentication on BYOD devices,

C.  

Specify employee responsibilities for reporting lost or stolen BYOD devices.

D.  

Allow only registered BYOD devices to access the network.

A.  

Wi-Fi

B.  

Bluetooth

C.  

Long-term evolution (LTE)

D.  

Near-field communication (NFC)

A.  

Directive

B.  

Corrective

C.  

Detective

D.  

Compensating

A.  

Lessons learned were documented and applied.

B.  

Business and IT stakeholders participated in the post-implementation review.

C.  

Post-implementation review is a formal phase in the system development life cycle (SDLC).

D.  

Internal audit follow-up was completed without any findings.

A.  

specific charges that can be tied back to specific usage.

B.  

total utilization to achieve full operating capacity.

C.  

residual income in excess of actual incurred costs.

D.  

allocations based on the ability to absorb charges.

A.  

Whether the solution architecture compiles with IT standards

B.  

Whether success criteria have been achieved

C.  

Whether the project has been delivered within the approved budget

D.  

Whether lessons teamed have been documented

A.  

Single sign-on is not enabled

B.  

Audit logging is not enabled

C.  

Security baseline is not consistently applied

D.  

Complex passwords are not required

A.  

Unit the use of logs to only those purposes for which they were collected

B.  

Restrict the transfer of log files from host machine to online storage

C.  

Only collect logs from servers classified as business critical

D.  

Limit log collection to only periods of increased security activity

A.  

Allocate audit resources.

B.  

Prioritize risks.

C.  

Review prior audit reports.

D.  

Determine the audit universe.

A.  

IT value analysis

B.  

Prior audit reports

C.  

IT balanced scorecard

D.  

Vulnerability assessment report

A.  

Establishing a risk appetite

B.  

Establishing a risk management framework

C.  

Validating enterprise risk management (ERM)

D.  

Operating the risk management framework

A.  

Check digits

B.  

Monetary unit sampling

C.  

Hash values

D.  

Reasonableness check

A.  

To enable the review of large value transactions

B.  

To efficiently test large volumes of data

C.  

To help identity transactions with no segregation of duties

D.  

To assist in performing analytical reviews

A.  

Cross-site scripting (XSS)

B.  

Copyright violations

C.  

Social engineering

D.  

Adverse posts about the organization

A.  

Devices cannot be accessed through service accounts.

B.  

Backup policies include device configuration files.

C.  

All devices have current security patches assessed.

D.  

All devices are located within a protected network segment.

A.  

The policy aligns with corporate policies and practices.

B.  

The policy aligns with global best practices.

C.  

The policy aligns with business goals and objectives.

D.  

The policy aligns with local laws and regulations.

A.  

Users are required to periodically rotate responsibilities

B.  

Segregation of duties conflicts are periodically reviewed

C.  

Data changes are independently reviewed by another group

D.  

Data changes are logged in an outside application

A.  

track software updates.

B.  

define baselines for software.

C.  

support the release procedure.

D.  

standardize change approval.

A.  

stakeholder expectations were identified

B.  

vendor product offered a viable solution.

C.  

user requirements were met.

D.  

test scenarios reflected operating activities.

A.  

A significant increase in authorized connections to third parties

B.  

A significant increase in cybersecurity audit findings

C.  

A significant increase in approved exceptions

D.  

A significant increase in external attack attempts

A.  

Notify the chair of the audit committee.

B.  

Notify the audit manager.

C.  

Retest the control.

D.  

Close the audit finding.

A.  

Reconciliation of total amounts by project

B.  

Validity checks, preventing entry of character data

C.  

Reasonableness checks for each cost type

D.  

Display the back of the project detail after the entry

A.  

Execute nondisclosure agreements (NDAs).

B.  

Determine reporting requirements for vulnerabilities.

C.  

Define the testing scope.

D.  

Obtain management consent for the testing.

A.  

The process does not require specifying the physical locations of assets.

B.  

Process ownership has not been established.

C.  

The process does not include asset review.

D.  

Identification of asset value is not included in the process.

A.  

Unicode translation

B.  

Secure Sockets Layer (SSL) encryption

C.  

Input validation

D.  

Digital signatures

A.  

Projected impact of current business on future business

B.  

Cost-benefit analysis of running the current business

C.  

Cost of regulatory compliance

D.  

Expected costs for recovering the business

A.  

The system does not have a maintenance plan.

B.  

The system contains several minor defects.

C.  

The system deployment was delayed by three weeks.

D.  

The system was over budget by 15%.

A.  

efficiency due to the re-use of elements of logic.

B.  

management of sequential program execution for data access.

C.  

grouping of objects into methods for data access.

D.  

management of a restricted variety of data types for a data object.

A.  

Modify applications to no longer require direct access to the database.

B.  

Introduce database access monitoring into the environment

C.  

Modify the access management policy to make allowances for application accounts.

D.  

Schedule downtime to implement password changes.

A.  

The default configurations have been changed.

B.  

All tables in the database are normalized.

C.  

The service port used by the database server has been changed.

D.  

The default administration account is used after changing the account password.

A.  

Update of security information event management (SIEM) rules

B.  

Regular review of the network security policy

C.  

Completeness of network asset inventory

D.  

Location of intrusion detection systems (IDS)

A.  

Capacity management plan

B.  

Training plans

C.  

Database conversion results

D.  

Stress testing results

A.  

basis for allocating indirect costs.

B.  

cost of replacing equipment.

C.  

estimated cost of ownership.

D.  

basis for allocating financial resources.

A.  

Lack of appropriate labelling

B.  

Lack of recent awareness training.

C.  

Lack of password protection

D.  

Lack of appropriate data classification

A.  

Inability to close unused ports on critical servers

B.  

Inability to identify unused licenses within the organization

C.  

Inability to deploy updated security patches

D.  

Inability to determine the cost of deployed software

A.  

Double-posting of a single journal entry

B.  

Inability to support new business transactions

C.  

Unauthorized alteration of account attributes

D.  

Inaccuracy of financial reporting

A.  

Key performance indicators (KPIs)

B.  

Maximum allowable downtime (MAD)

C.  

Recovery point objective (RPO)

D.  

Mean time to restore (MTTR)