CISA Practice examination questions, Exams of Business Administration


Typology: Exams

2024/2025

Available from 05/21/2025

locaz-turus-1

CISA Practice exam questions

  1. In a risk-based audit approach, the IS auditor must consider the inherent risk as well as considering:
     A. how to eliminate the risk through the application of controls.
     B. the balance of loss potential vs. the cost to implement controls.
     C. whether the risk is material, regardless of management's tolerance for risk.
     D. whether the residual risk is higher than the insurance coverage purchased.
     Correct answer: B. Determining the correct balance between the loss potential and the cost to implement controls is a very important part of an effective risk mitigation strategy. The best internal control is one where the benefit of implementing the control at least matches the cost. Eliminating risk is very difficult to achieve and often impossible to attain. Hence, the IS auditor should not recommend that risk be eliminated since this is not likely to be cost-effective for the organization. Whether the risk is material is not the correct answer since the risk tolerance of management determines what is material. Insurance coverage is not necessarily the only control to consider for mitigating residual risk.

  2. Which of the following is the PRIMARY safeguard for securing software and data within an information processing facility?
     A. Security awareness
     B. Reading the security policy
     C. Security committee
     D. Logical access controls
     Correct answer: D. To retain a competitive advantage and meet basic business requirements, organizations must ensure the integrity of the information stored on their computer systems, preserve the confidentiality of sensitive data and ensure the continued availability of their information systems. To meet these goals, logical access controls must be in place. Awareness (choice A) does not, in itself, protect against unauthorized access or disclosure of information. Knowledge of an information systems security policy (choice B), which should be known by the organization's employees, would help to protect information but would not prevent the unauthorized access of information. A security committee (choice C) is key to the protection of information assets but would address security issues within a broader perspective.

  3. When an organization is outsourcing its information security function, which of the following should be kept in the organization?
     A. Accountability for the corporate security policy
     B. Defining the corporate security policy
     C. Implementing the corporate security policy
     D. Defining security procedures and guidelines
     Correct answer: A. Accountability cannot be transferred to external parties. Choices B, C and D can be performed by outside entities as long as accountability remains within the organization.

  1. Naming conventions for system resources are important for access control because they:
     A. ensure that resource names are not ambiguous.
     B. reduce the number of rules required to adequately protect resources.
     C. ensure that user access to resources is clearly and uniquely identified.
     D. ensure that internationally recognized names are used to protect resources.
     Correct answer: B. Naming conventions for system resources are important for the efficient administration of security controls. The conventions can be structured so resources beginning with the same high-level qualifier can be governed by one or more generic rules. This reduces the number of rules required to adequately protect resources which, in turn, facilitates security administration and maintenance efforts. Reducing the number of rules required to protect resources allows for the grouping of resources and files by application, which makes it easier to provide access. Ensuring that resource names are not ambiguous cannot be achieved through the use of naming conventions. Ensuring the clear and unique identification of user access to resources is handled by access control rules, not naming conventions. Internationally recognized names are not required to control access to resources. Naming conventions tend to be based on how each organization wants to identify its resources.

  2. When auditing the proposed acquisition of a new computer system, an IS auditor should FIRST ensure that:
     A. a clear business case has been approved by management.
     B. corporate security standards will be met.
     C. users will be involved in the implementation plan.
     D. the new system will meet all required user functionality.
     Correct answer: A. The first concern of an IS auditor should be to ensure that the proposal meets the needs of the business, and this should be established by a clear business case. Although compliance with security standards is essential, as is meeting the needs of the users and having users involved in the implementation process, it is too early in the procurement process for these to be an IS auditor's first concern.

     C. Trapdoors
     D. Traffic analysis
     Correct answer: A. Honeypots are computer systems that are expressly set up to attract and trap individuals who attempt to penetrate other individuals' computer systems. The concept of a honeypot is to learn from intruders' actions. A properly designed and configured honeypot provides data on methods used to attack systems. The data are then used to improve measures that could curb future attacks. A firewall is basically a preventive measure. Trapdoors create a vulnerability that provides an opportunity for the insertion of unauthorized code into a system. Traffic analysis is a type of passive attack.

  1. Which of the following sampling methods is MOST useful when testing for compliance?
     A. Attribute sampling
     B. Variable sampling
     C. Stratified mean per unit
     D. Difference estimation
     Correct answer: A. Attribute sampling is the primary sampling method used for compliance testing. Attribute sampling is a sampling model that is used to estimate the rate of occurrence of a specific quality (attribute) in a population and is used in compliance testing to confirm whether the quality exists. The other choices are used in substantive testing, which involves testing of details or quantity.

  2. Which of the following is MOST critical for the successful implementation and maintenance of a security policy?
     A. Assimilation of the framework and intent of a written security policy by all appropriate parties
     B. Management support and approval for the implementation and maintenance of a security policy
     C. Enforcement of security rules by providing punitive actions for any violation of security rules
     D. Stringent implementation, monitoring and enforcing of rules by the security officer thr
     Correct answer: A. Assimilation of the framework and intent of a written security policy by the users of the system is critical to the successful implementation and maintenance of the security policy. A good password system may exist, but if the users of the system keep passwords written on their desk, the passwords are of little value. Management support and commitment is, no doubt, important, but for successful implementation and maintenance of a security policy, educating the users on the importance of security is paramount. The stringent implementation, monitoring and enforcing of rules by the security officer through access control software, and provision for punitive actions for violation of security rules, is also required along with the user's education on the importance of security.

  1. When auditing the IT governance framework and IT risk management practices that exist within an organization, the IS auditor identified some undefined responsibilities regarding IT management and governance roles. Which of the following recommendations is the MOST appropriate?
     A. Review the strategic alignment of IT with the business.
     B. Implement accountability rules within the organization.
     C. Ensure that independent IT audits are conducted periodically.
     D. Create a chief risk officer (CRO
     Correct answer: B. IT risks are managed by embedding accountability into the enterprise. The IS auditor should recommend the implementation of accountability rules to ensure that all responsibilities are defined within the organization. While the strategic alignment of IT with business is important, it is not directly related to the gap identified in this scenario. Similarly, performing more frequent IS audits or recommending the creation of a new role (CRO) is not helpful if the accountability rules are not clearly defined and implemented.

  2. Which of the following would be of MOST concern to an IS auditor reviewing a virtual private network (VPN) implementation? Computers on the network that are located:
     A. on the enterprise's internal network.
     B. at the backup site.
     C. in employees' homes.
     D. at the enterprise's remote offices.
     Correct answer: C. One risk of a virtual private network (VPN) implementation is the chance of allowing high-risk computers onto the enterprise's network. All machines that are allowed onto the virtual network should be subject to the same security policy. Home computers are least subject to the corporate security policies and, therefore, are high-risk computers. Once a computer is hacked and "owned," any network that trusts that computer is at risk. Implementation and adherence to corporate security policy is easier when all computers on the network are on the enterprise's campus. On an enterprise's internal network, there should be security policies in place to detect and halt an outside attack that uses an internal machine as a staging platform.

  1. During the audit of a database server, which of the following would be considered the GREATEST exposure?
     A. The password does not expire on the administrator account.
     B. Default global security settings for the database remain unchanged.
     C. Old data have not been purged.
     D. Database activity is not fully logged.
     Correct answer: B. Default security settings for the database could allow issues like blank user passwords or passwords that were the same as the username. Logging all database activity is not practical. Failure to purge old data may present a performance issue but is not an immediate security concern. Choice A is an exposure but not as serious as B.

  2. An IS auditor finds that conference rooms have active network ports. Which of the following is MOST important to ensure?
     A. The corporate network is using an intrusion prevention system (IPS)
     B. This part of the network is isolated from the corporate network
     C. A single sign-on has been implemented in the corporate network
     D. Antivirus software is in place to protect the corporate network
     Correct answer: B. If the conference rooms have access to the corporate network, unauthorized users may be able to connect to the corporate network; therefore, both networks should be isolated either via a firewall or by being physically separated. An IPS would detect possible attacks, but only after they have occurred. A single sign-on would ease authentication management. Antivirus software would reduce the impact of possible viruses; however, unauthorized users would still be able to access the corporate network, which is the biggest risk.

  3. Which of the following is the MOST critical step to perform when planning an IS audit?
     A. Review findings from prior audits.
     B. Develop plans to conduct a physical security review of the data center facility.
     C. Review IS security policies and procedures.
     D. Perform a risk assessment.
     Correct answer: D. Of all the steps listed, performing a risk assessment is the most critical. Risk assessment is required by ISACA IT Audit and Assurance Standard S11 (Use of Risk Assessment in Audit Planning). In addition to the standards requirement, if a risk assessment is not performed, then high-risk areas of the auditee systems or operations may not be identified for evaluation. Detection risk (the risk that a material error is not detected by the IS auditor) is increased for the IS auditor if a risk assessment is not conducted. The review of findings from prior audits is a necessary part of the engagement, but this step is not as critical as conducting a risk assessment. A physical security review of the data center facility is important, but not as critical as performing a risk assessment. Reviewing IS security policies and procedures would normally be conducted during fieldwork, not planning.

  1. Effective IT governance requires organizational structures and processes to ensure that:
     A. the organization's strategies and objectives extend the IT strategy.
     B. the business strategy is derived from an IT strategy.
     C. IT governance is separate and distinct from the overall governance.
     D. the IT strategy extends the organization's strategies and objectives.
     Correct answer: D. Effective IT governance requires that board and executive management extend governance to IT and provide the leadership, organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives, and that the strategy is aligned with business strategy. Choice A is incorrect because it is the IT strategy that extends the organizational objectives, not the opposite. IT governance is not an isolated discipline; it must become an integral part of the overall enterprise governance.

  2. An organization is using an enterprise resource management (ERP) application. Which of the following would be an effective access control?
     A. User-level permissions
     B. Role-based
     C. Fine-grained
     D. Discretionary
     Correct answer: B. Role-based access controls the system access by defining roles for a group of users. Users are assigned to the various roles and the access is granted based on the user's role. User-level permissions for an ERP system would create a larger administrative overhead. Fine-grained access control is very difficult to implement and maintain in the context of a large enterprise. Discretionary access control may be configured or modified by the users or data owners, and therefore may create inconsistencies in the access control management.

  3. An IS auditor reviewing a proposed application software acquisition should ensure that the:
     A. operating system (OS) being used is compatible with the existing hardware platform.

     D. Identify and test suitable patches before applying them.
     Correct answer: D. Suitable patches from the existing developers should be selected and tested before applying them. Rewriting the patches and applying them is not a correct answer because it would require skilled resources and time to rewrite the patches. Code review could be possible but tests need to be performed before applying the patches. Since the system was developed outside the organization, the IT department may not have the necessary skills and resources to develop patches.

     Correct answer: A. The user's digital signature is only protected by a password. Compromise of the password would enable access to the signature. This is the most significant risk. Choice B would require subversion of the public key infrastructure mechanism, which is very difficult and least likely. Choice C would require that the message appear to have come from a different person and therefore the true user's credentials would not be forged. Choice D has the same consequence as choice C.

  1. While planning an audit, an assessment of risk should be made to provide:
     A. reasonable assurance that the audit will cover material items.
     B. definite assurance that material items will be covered during the audit work.
     C. reasonable assurance that all items will be covered by the audit.
     D. sufficient assurance that all items will be covered during the audit work.
     Correct answer: A. The ISACA IS Auditing Guideline G15 on planning the IS audit states, "An assessment of risk should be made to provide reasonable assurance that material items will be adequately covered during the audit work. This assessment should identify areas with a relatively high risk of the existence of material problems." Definite assurance that material items will be covered during the audit work is an impractical proposition. Reasonable assurance that all items will be covered during the audit work is not the correct answer, as material items need to be covered, not all items.

  2. Which of the following will help detect changes made by an intruder to the system log of a server?
     A. Mirroring the system log on another server
     B. Simultaneously duplicating the system log on a write-once disk
     C. Write-protecting the directory containing the system log
     D. Storing the backup of the system log offsite
     Correct answer: B. A write-once CD cannot be overwritten. Therefore, the system log duplicated on the disk could be compared to the original log to detect differences, which could be the result of changes made by an intruder. Write-protecting the system log does not prevent deletion or modification since the superuser can override the write protection. Backup and mirroring may overwrite earlier files and may not be current.

  1. When implementing an application software package, which of the following presents the GREATEST risk?
     A. Uncontrolled multiple software versions
     B. Source programs that are not synchronized with object code
     C. Incorrectly set parameters
     D. Programming errors
     Correct answer: C. Parameters that are not set correctly would be the greatest concern when implementing an application software package. The other choices, though important, are a concern of the provider, not the organization that is implementing the software itself.

  2. An IS auditor doing penetration testing during an audit of Internet connections would:
     A. evaluate configurations.
     B. examine security settings.
     C. ensure virus-scanning software is in use.
     D. use tools and techniques available to a hacker.
     Correct answer: D. Penetration testing is a technique used to mimic an experienced hacker attacking a live site by using tools and techniques available to a hacker. The other choices are procedures that an IS auditor would consider undertaking during an audit of Internet connections, but are not aspects of penetration testing techniques.

  3. During a review of a business continuity plan, an IS auditor noticed that the point at which a situation is declared to be a crisis has not been defined. The MAJOR risk associated with this is that:

information on changes made, but would not limit changes to only those that were authorized. Hence, logging coupled with review form an appropriate set of compensating controls.

  1. An Internet-based attack using password sniffing can:
     A. enable one party to act as if they are another party.
     B. cause modification to the contents of certain transactions.
     C. be used to gain access to systems containing proprietary information.
     D. result in major problems with billing systems and transaction processing agreements.
     Correct answer: C. Password sniffing attacks can be used to gain access to systems on which proprietary information is stored. Spoofing attacks can be used to enable one party to act as if they are another party. Data modification attacks can be used to modify the contents of certain transactions. Repudiation of transactions can cause major problems with billing systems and transaction processing agreements.

  2. Which of the following audit techniques would BEST aid an auditor in determining whether there have been unauthorized program changes since the last authorized program update?
     A. Test data run
     B. Code review
     C. Automated code comparison
     D. Review of code migration procedures
     Correct answer: C. An automated code comparison is the process of comparing two versions of the same program to determine whether the two correspond. It is an efficient technique because it is an automated procedure. Test data runs permit the auditor to verify the processing of preselected transactions, but provide no evidence about unexercised portions of a program. Code review is the process of reading program source code listings to determine whether the code contains potential errors or inefficient statements. A code review can be used as a means of code comparison but it is inefficient. The review of code migration procedures would not detect program changes.

  3. Documentation of a business case used in an IT development project should be retained until:
     A. the end of the system's life cycle.
     B. the project is approved.
     C. user acceptance of the system.
     D. the system is in production.
     Correct answer: A. A business case can and should be used throughout the life cycle of the product. It serves as an anchor for new (management) personnel, helps to maintain focus and provides valuable information on estimates vs. actuals. Questions like "why do we do that," "what was the original intent" and "how did we perform against the plan" can be answered, and lessons for developing future business cases can be learned. During the development phase of a project, one should always validate the business case since it is a good management instrument. After finishing a project and entering production, the business case and all the completed research are valuable sources of information that should be kept for further reference.

  1. An organization is considering connecting a critical PC-based system to the Internet. Which of the following would provide the BEST protection against hacking?
     A. An application-level gateway
     B. A remote access server
     C. A proxy server
     D. Port scanning
     Correct answer: A. An application-level gateway is the best way to protect against hacking because it can define, in detail, rules that describe the type of user or connection that is or is not permitted. It analyzes, in detail, each packet—not only in layers one through four of the Open System Interconnection (OSI) model but also layers five through seven, which means that it reviews the commands of each higher-level protocol (Hypertext Transmission Protocol [HTTP], File Transfer Protocol [FTP], Simple Network Management Protocol [SNMP], etc.).

  2. During the collection of forensic evidence, which of the following actions would MOST likely result in the destruction or corruption of evidence on a compromised system?
     A. Dumping the memory content to a file
     B. Generating disk images of the compromised system
     C. Rebooting the system
     D. Removing the system from the network
     Correct answer: C. Rebooting the system may result in a change in the system state and the loss of files and important evidence stored in memory. The other choices are appropriate actions for preserving evidence.

     D. Periodic testing
     Correct answer: C. Mirroring of critical elements is a tool that facilitates immediate recoverability. Daily backup implies that it is reasonable for restoration to take place within a number of hours but not immediately. Offsite storage and periodic testing of systems do not, of themselves, support continuous availability.

  1. Which of the following would have the HIGHEST priority in a business continuity plan?
     A. Resuming critical processes
     B. Recovering sensitive processes
     C. Restoring the site
     D. Relocating operations to an alternative site
     Correct answer: A. The resumption of critical processes has the highest priority since it enables business processes to begin immediately after the interruption and not later than the declared mean time between failure (MTBF). Recovery of sensitive processes refers to recovering the vital and sensitive processes that can be performed manually at a tolerable cost for an extended period of time and those that are not marked as high priority. Repairing and restoring the site to original status and resuming the business operations are time-consuming operations and are not the highest priority. Relocating operations to an alternative site, either temporarily or permanently depending on the interruption, is a time-consuming process; moreover, relocation may not be required.

  2. Which of the following disaster recovery/continuity plan components provides the GREATEST assurance of recovery after a disaster?
     A. The alternate facility will be available until the original information processing facility is restored.
     B. User management is involved in the identification of critical systems and their associated critical recovery times.
     C. Copies of the plan are kept at the homes of key decision-making personnel.
     D. Feedback is provided to management, assuring them that the
     Correct answer: A. The alternate facility should be made available until the original site is restored to provide the greatest assurance of recovery after a disaster. Without this assurance, the plan will not be successful. All other choices ensure prioritization or the execution of the plan.

  3. Which of the following should an IS auditor review to gain an understanding of the effectiveness of controls over the management of multiple projects?
     A. Project database
     B. Policy documents
     C. Project portfolio database
     D. Program organization
     Correct answer: C. A project portfolio database is the basis for project portfolio management. It includes project data such as owner, schedules, objectives, project type, status and cost. Project portfolio management requires specific project portfolio reports. A project database may contain the above for one specific project and updates to various parameters pertaining to the current status of that single project. Policy documents on project management set direction for the design, development, implementation and monitoring of the project. Program organization is the team required (steering committee, quality assurance, systems personnel, analyst, programmer, hardware support, etc.) to meet the delivery objective of the project.

  1. To protect a VoIP infrastructure against a denial-of-service (DoS) attack, it is MOST important to secure the:
     A. access control servers.
     B. session border controllers.
     C. backbone gateways.
     D. intrusion detection system (IDS).
     Correct answer: B. Session border controllers enhance the security in the access network and in the core. In the access network, they hide a user's real address and provide a managed public address. This public address can be monitored, minimizing the opportunities for scanning and denial-of-service (DoS) attacks. Session border controllers permit access to clients behind firewalls while maintaining the firewall's effectiveness. In the core, session border controllers protect the users and the network. They hide network topology and users' real addresses. They can also monitor bandwidth and quality of service. Securing the access control server, backbone gateways and intrusion detection systems (IDSs) does not effectively protect against DoS attacks.

  2. The success of control self-assessment (CSA) depends highly on:
     A. having line managers assume a portion of the responsibility for control monitoring.
     B. assigning staff managers the responsibility for building, but not monitoring, controls.
     C. the implementation of a stringent control policy and rule-driven controls.
     D. the implementation of supervision and the monitoring of controls of assigned duties.
     Correct answer:

     A. War dialing
     B. Social engineering
     C. War driving
     D. Password cracking
     Correct answer: C. War driving is a technique for locating and gaining access to wireless networks by driving or walking with a wireless-equipped computer around a building. War dialing is a technique for gaining access to a computer or a network through the dialing of defined blocks of telephone numbers, with the hope of getting an answer from a modem. Social engineering is a technique used to gather information that can assist an attacker in gaining logical or physical access to data or resources. Social engineering exploits human weaknesses. Password crackers are tools used to guess users' passwords by trying combinations and dictionary words.

  1. Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated?
     A. Overlapping controls
     B. Boundary controls
     C. Access controls
     D. Compensating controls
     Correct answer: D. Compensating controls are internal controls that are intended to reduce the risk of an existing or potential control weakness that may arise when duties cannot be appropriately segregated. Overlapping controls are two controls addressing the same control objective or exposure. Since primary controls cannot be achieved when duties cannot or are not appropriately segregated, it is difficult to install overlapping controls. Boundary controls establish the interface between the would-be user of a computer system and the computer system itself, and are individual-based, not role-based, controls. Access controls for resources are based on individuals and not on roles.

  2. An IS auditor issues an audit report pointing out the lack of firewall protection features at the perimeter network gateway and recommends a vendor product to address this vulnerability. The IS auditor has failed to exercise:
     A. professional independence.
     B. organizational independence.
     C. technical competence.
     D. professional competence.
     Correct answer: A. When an IS auditor recommends a specific vendor, that compromises the auditor's professional independence. Organizational independence has no relevance to the content of an audit report and should be considered at the time of accepting the engagement. Technical and professional competence is not relevant to the requirement of independence.

  1. When reviewing an implementation of a VoIP system over a corporate WAN, an IS auditor should expect to find:
     A. an integrated services digital network (ISDN) data link.
     B. traffic engineering.
     C. wired equivalent privacy (WEP) encryption of data.
     D. analog phone terminals.
     Correct answer: B. To ensure that quality of service requirements are achieved, the Voice-over IP (VoIP) service over the wide area network (WAN) should be protected from packet losses, latency or jitter. To reach this objective, the network performance can be managed using statistical techniques such as traffic engineering. The standard bandwidth of an integrated services digital network (ISDN) data link would not provide the quality of service required for corporate VoIP services. WEP is an encryption scheme related to wireless networking. The VoIP phones are usually connected to a corporate local area network (LAN) and are not analog.

  2. Confidentiality of the data transmitted in a wireless local area network (LAN) is BEST protected if the session is:
     A. restricted to predefined Media Access Control (MAC) addresses.
     B. encrypted using static keys.
     C. encrypted using dynamic keys.
     D. initiated from devices that have encrypted storage.
     Correct answer: C. When using dynamic keys, the encryption key is changed frequently, thus reducing the risk of the key being compromised and the message being decrypted. Limiting the number of devices that can access the network does not address the issue of encrypting the session. Encryption with static keys—using the same key for a long period of time—risks that the key would be compromised. Encryption of the data on the connected device (laptop, personal digital assistant [PDA], etc.) addresses the confidentiality of the data on the device, not the wireless session.