CISA Practice Questions

A.  

Data conversion was performed using manual processes.

B.  

Backups of the old system and data are not available online.

C.  

Unauthorized data modifications occurred during conversion.

D.  

The change management process was not formally documented

A.  

An unauthorized person attempts to gam access to secure premises by following an authonzed person through a secure door.

B.  

An employee is induced to reveal confidential IP addresses and passwords by answering questions over the phone.

C.  

A hacker walks around an office building using scanning tools to search for a wireless network to gain access.

D.  

An intruder eavesdrops and collects sensitive information flowing through the network and sells it to third parties.

A.  

subsystem structure.

B.  

program execution.

C.  

security control options.

D.  

operator overrides.

A.  

Segregation of duties between issuing purchase orders and making payments.

B.  

Segregation of duties between receiving invoices and setting authorization limits

C.  

Management review and approval of authorization tiers

D.  

Management review and approval of purchase orders

A.  

Availability of the site in the event of multiple disaster declarations

B.  

Coordination with the site staff in the event of multiple disaster declarations

C.  

Reciprocal agreements with other organizations

D.  

Complete testing of the recovery plan

A.  

To determine whether project objectives in the business case have been achieved

B.  

To ensure key stakeholder sign-off has been obtained

C.  

To align project objectives with business needs

D.  

To document lessons learned to improve future project delivery

A.  

Verify the disaster recovery plan (DRP) has been tested.

B.  

Ensure the intrusion prevention system (IPS) is effective.

C.  

Assess the security risks to the business.

D.  

Confirm the incident response team understands the issue.

A.  

Periodically reviewing log files

B.  

Configuring the router as a firewall

C.  

Using smart cards with one-time passwords

D.  

Installing biometrics-based authentication

A.  

note the noncompliance in the audit working papers.

B.  

issue an audit memorandum identifying the noncompliance.

C.  

include the noncompliance in the audit report.

D.  

determine why the procedures were not followed.

A.  

Notify the cyber insurance company.

B.  

Shut down the affected systems.

C.  

Quarantine the impacted systems.

D.  

Notify customers of the breach.

A.  

Purchasing guidelines and policies

B.  

Implementation methodology

C.  

Results of line processing

D.  

Test results

A.  

Lessons learned were implemented.

B.  

Management approved the PIR report.

C.  

The review was performed by an external provider.

D.  

Project outcomes have been realized.

A.  

The policy includes a strong risk-based approach.

B.  

The retention period allows for review during the year-end audit.

C.  

The total transaction amount has no impact on financial reporting.

D.  

The retention period complies with data owner responsibilities.

A.  

Whether there is explicit permission from regulators to collect personal data

B.  

The organization's legitimate purpose for collecting personal data

C.  

Whether sharing of personal information with third-party service providers is prohibited

D.  

The encryption mechanism selected by the organization for protecting personal data

A.  

re-prioritize the original issue as high risk and escalate to senior management.

B.  

schedule a follow-up audit in the next audit cycle.

C.  

postpone follow-up activities and escalate the alternative controls to senior audit management.

D.  

determine whether the alternative controls sufficiently mitigate the risk.

A.  

Require employees to attend security awareness training.

B.  

Password protect critical data files.

C.  

Configure to auto-wipe after multiple failed access attempts.

D.  

Enable device auto-lock function.

A.  

Assignment of responsibility for each project to an IT team member

B.  

Adherence to best practice and industry approved methodologies

C.  

Controls to minimize risk and maximize value for the IT portfolio

D.  

Frequency of meetings where the business discusses the IT portfolio

A.  

Walk-through reviews

B.  

Substantive testing

C.  

Compliance testing

D.  

Design documentation reviews

A.  

Frequent testing of backups

B.  

Annual walk-through testing

C.  

Periodic risk assessment

D.  

Full operational test

A.  

Examine the computer to search for evidence supporting the suspicions.

B.  

Advise management of the crime after the investigation.

C.  

Contact the incident response team to conduct an investigation.

D.  

Notify local law enforcement of the potential crime before further investigation.

A.  

Encryption of the spreadsheet

B.  

Version history

C.  

Formulas within macros

D.  

Reconciliation of key calculations

A.  

the same hashing algorithm as the sender's to create a binary image of the file.

B.  

a different hashing algorithm from the sender's to create a binary image of the file.

C.  

the same hashing algorithm as the sender's to create a numerical representation of the file.

D.  

a different hashing algorithm from the sender's to create a numerical representation of the file.

A.  

communicate via Transport Layer Security (TLS),

B.  

block authorized users from unauthorized activities.

C.  

channel access only through the public-facing firewall.

D.  

channel access through authentication.

A.  

Compliance with action plans resulting from recent audits

B.  

Compliance with local laws and regulations

C.  

Compliance with industry standards and best practice

D.  

Compliance with the organization's policies and procedures

A.  

Rollback strategy

B.  

Test cases

C.  

Post-implementation review objectives

D.  

Business case

A.  

Integrating data requirements into the system development life cycle (SDLC)

B.  

Appointing data stewards to provide effective data governance

C.  

Classifying data quality issues by the severity of their impact to the organization

D.  

Facilitating effective communication between management and developers

A.  

Verify whether IT management monitors the effectiveness of the environment.

B.  

Verify whether a right-to-audit clause exists.

C.  

Verify whether a third-party security attestation exists.

D.  

Verify whether service level agreements (SLAs) are defined and monitored.

A.  

Recipient's public key

B.  

Sender's private key

C.  

Sender's public key

D.  

Recipient's private key

A.  

The recovery plan does not contain the process and application dependencies.

B.  

The duration of tabletop exercises is longer than the recovery point objective (RPO).

C.  

The duration of tabletop exercises is longer than the recovery time objective (RTO).

D.  

The recovery point objective (RPO) and recovery time objective (R TO) are not the same.

A.  

Embed details within source code.

B.  

Standardize file naming conventions.

C.  

Utilize automated version control.

D.  

Document details on a change register.

A.  

Documentation of exit routines

B.  

System initialization logs

C.  

Change control log

D.  

Security system parameters

A.  

Outsource low-risk audits to external audit service providers.

B.  

Conduct limited-scope audits of low-risk business entities.

C.  

Validate the low-risk entity ratings and apply professional judgment.

D.  

Challenge the risk rating and include the low-risk entities in the plan.

A.  

require design reviews at appropriate points in the life cycle.

B.  

have an IS auditor participate on the steering committee.

C.  

have an IS auditor participate on the quality assurance (QA) team.

D.  

conduct compliance audits at major system milestones.

A.  

test environment with production workloads.

B.  

test environment with test data.

C.  

production environment with production workloads.

D.  

production environment with test data.

A.  

Computer-assisted technique

B.  

Stratified sampling

C.  

Statistical sampling

D.  

Process walk-through

A.  

Preventive

B.  

Deterrent

C.  

Corrective

D.  

Detective

A.  

integrated test facility (ITF).

B.  

parallel simulation.

C.  

transaction tagging.

D.  

embedded audit modules.

A.  

Version control software

B.  

Audit hooks

C.  

Utility software

D.  

Audit analytics tool

A.  

Source code version control

B.  

Project change management controls

C.  

Existence of an architecture review board

D.  

Configuration management

A.  

a comparison of future needs against current capabilities.

B.  

a risk-based ranking of projects.

C.  

enterprise architecture (EA) impacts.

D.  

IT budgets linked to the organization's budget.

A.  

System administrators should ensure consistency of assigned rights.

B.  

IT security should regularly revoke excessive system rights.

C.  

Human resources (HR) should delete access rights of terminated employees.

D.  

Line management should regularly review and request modification of access rights

A.  

Map data classification controls to data sets.

B.  

Control access to extract, transform, and load (ETL) tools.

C.  

Conduct a data discovery exercise across all business applications.

D.  

Implement classification labels in metadata during data creation.

A.  

Legacy data has not been purged.

B.  

Admin account passwords are not set to expire.

C.  

Default settings have not been changed.

D.  

Database activity logging is not complete.

A.  

Metrics for the project have been selected before the project begins.

B.  

Project budget includes costs to execute the project and costs associated with the solution.

C.  

Estimates of business benefits are backed by similar previously completed projects.

D.  

Metrics are evaluated immediately after the project has been implemented.

A.  

Administrator passwords do not meet organizational security and complexity requirements.

B.  

The number of support staff responsible for job scheduling has been reduced.

C.  

The scheduling tool was not classified as business-critical by the IT department.

D.  

Maintenance patches and the latest enhancement upgrades are missing.

A.  

sign off on the final build document.

B.  

ensure that each project deadline is met.

C.  

ensure that developed systems meet business needs.

D.  

provide regular project updates and oversight.

A.  

Inherent

B.  

Residual

C.  

Control

D.  

Detection

A.  

an IT strategy committee has not been created

B.  

the plan does not support relevant organizational goals.

C.  

there are no key performance indicators (KPls).

D.  

the plan was not formally approved by the board of directors

A.  

The scanning will be performed during non-peak hours.

B.  

The scanning will be followed by penetration testing.

C.  

The scanning will be cost-effective.

D.  

The scanning will not degrade system performance.

A.  

eliminated

B.  

unchanged

C.  

increased

D.  

reduced