CISA Exam Practice Questions and Answers, Exams of Business Systems

A practice exam for the Certified Information Systems Auditor (CISA) certification. It includes multiple-choice questions covering topics such as information security policy, disaster recovery planning, risk management, digital signatures, and quality assurance. Each question is followed by the correct answer and a brief explanation. The practice exam is designed to help candidates prepare for the CISA exam by testing their knowledge of key concepts in information systems auditing and security, including asset identification, risk evaluation, and the importance of segregation of duties. The questions are structured to simulate the actual exam format. The document emphasizes understanding security policies, risk management processes, and the role of auditors in ensuring system integrity and security.

Typology: Exams

2024/2025

Available from 05/24/2025

locaz-turus-1
CISA Practice Exam

Identify the most critical element from the following for the successful implementation and ongoing regular maintenance of an information security policy.
A. Management support and approval for the information security policy
B. Understanding of the information security policy by all appropriate parties
C. Punitive actions for any violation of information security rules
D. Stringent access control monitoring of information security rules
Correct answer: B. An information security policy comprises the processes, procedures, and rules of an organization. The most important aspect of a successful implementation is that the policy is understood and taken on board by all appropriate parties, such as employees, service providers, and business partners. Punitive actions for violations only work once the policy has been communicated, so they depend on education and awareness of the policy.

Fair Lending has implemented a disaster recovery plan. Andrew, CFO of Fair Lending, wants to ensure that the implemented plan is adequate. Identify the immediate next step from the following.
A. Initiate the full operational test
B. Initiate the desk-based evaluation
C. Initiate the preparedness test
D. Socialize with senior management and obtain sponsorship
Correct answer: B. The immediate next step to evaluate the adequacy of a disaster recovery plan once it has been implemented is a desk-based evaluation, also known as a paper test. The paper test walks through the plan with the major stakeholders and discusses what would happen in a particular type of service disruption. Best practice is that the paper test precedes the preparedness test, and both precede a full operational test.

There are various methods of suppressing a data center fire. Identify the MOST effective and environmentally friendly method from the following.
A. Water-based systems (sprinkler systems)
B. Argonite systems
C. Carbon dioxide systems


D. Dry-pipe sprinkler systems
Correct answer: D. Dry-pipe sprinkler systems are the most effective and environmentally friendly of the options offered. Under normal conditions the piping holds no water; water is admitted to the pipes only when the system is triggered by fire detection, so a leaking pipe cannot damage equipment. Conventional water-based (wet-pipe) sprinkler systems are also environmentally friendly but keep water in the piping at all times, which can leak and damage equipment, so they are not the most effective option. Argonite and carbon dioxide systems suppress fire by displacing oxygen; carbon dioxide in particular is hazardous to anyone still in the room.

The IT risk management process comprises the following five steps, listed in no particular sequence:
(b) Asset identification
(e) Evaluation of threats and vulnerabilities to assets
(a) Evaluation of the impact
(c) Calculation of risk
(d) Evaluation of and response to risk
Identify the correct sequence from the following.
A. b, a, e, c, d
B. b, e, a, c, d
C. b, e, a, d, c
D. a, b, c, d, e
Correct answer: B. The IT risk management process comprises the following five steps:
Step 1: Asset identification
Step 2: Evaluation of threats and vulnerabilities to assets
Step 3: Evaluation of the impact
Step 4: Calculation of risk
Step 5: Evaluation of and response to risk

Palm Trading Company has implemented digital signatures to protect email communication with their customers. Identify the benefit of using a digital signature from the following.
A. Protects email content from unauthorized reading
B. Protects email content from data theft
C. Ensures timely delivery of email content
D. Ensures integrity of the email content
Correct answer: D. A digital signature verifies the identity of the sender and the integrity of the content. It does not encrypt the content, so it provides no protection against reading or theft of the message.

Merlin, head of information systems audit at Cocoa Payroll Services, was invited to a development project meeting. During the meeting, Merlin noted that no project risks were documented and raised this issue with the head of IT. The IT project manager opined that it was too early to identify risks and that they intend to hire a risk manager if risks do start impacting the project. Identify the likely response from Merlin from the following.
Express the willingness to work with the risk manager when one is appointed

Lorena, an information systems auditor with the Town Bank, observed inadequate coverage of potential risks in the security policy, likely arising from an inadequate security policy development process. Lorena should recommend which of the following?
A. Asset identification be ensured as part of security policy development
B. Business objectives are considered while developing the security policy
C. The outcome of the risk management process be considered while developing the security policy
D. Software design decisions are made based on the security policy and guidelines
Correct answer: C. The outcome of the risk management process should feed into the development of the security policy so that the policy adequately covers the underlying risks; a policy written without that input will miss the risks the process identified.

Julio, IT Head at Quick Micropayments, wants to ensure the independence of a quality assurance (QA) team. Identify an activity to be avoided to achieve the objective.
A. Ensure compliance with the software development methodology
B. Check the testing assumptions
C. Perform code review to ensure proper documentation
D. Correct coding errors during the testing process
Correct answer: D. The QA team should not be made responsible for correcting coding errors found during testing; correcting code is the developers' responsibility. Having QA fix the code it is testing violates segregation of duties and impairs the team's independence.

Andrew, CFO of Palm Trading Company, a relatively small organization, wants to implement segregation of duties for information processing facility (IPF) roles. Considering this requirement, identify the statement from the following that still holds true in a small organization.
A. A network administrator normally would be restricted from reporting to the end-user manager
B. A network administrator normally would be restricted from having additional end-user responsibilities
C. A network administrator normally would be restricted from being responsible for network security administration
D. A network administrator normally would be restricted from having programming responsibilities
Correct answer: D. The computer room and support areas in any organization usually make up the information processing facility (IPF). Many organizations have widely dispersed IPFs in addition to a central IPF; the dispersed IPFs include management of the network at branches and geographically remote locations. Under these circumstances, and especially in a small organization, a network administrator may also hold network security administration and end-user responsibilities and may report to an end-user manager, so statements A, B and C do not hold. A network administrator must still not have programming responsibilities: someone who both writes application code and controls the network could introduce and conceal unauthorized changes, and keeping those duties apart is what preserves the segregation of duties objective.

An information systems auditor with Super Systems wants to review the arrangements that protect against non-privileged users escalating their access level to enter supervisory state. Identify the artifact that is most useful to review to identify such controls.
A. Access control violation logs
B. System access logs
C. Access control software parameters
D. System configuration files for the control options used
Correct answer: D. The auditor should review the system configuration files for the control options used to protect supervisory state. If these options are left uncontrolled, they give a non-privileged user a way into the operating system's supervisory state. A review of system access logs and access violation logs is detective in nature and shows only what has already happened. Access control software runs on top of the operating system, so its parameters cannot protect against a user who has already reached supervisory state.

Lorena, an information systems auditor with the Town Bank, is conducting a review of a business application. She requested a data flow diagram (DFD) from the auditee. How does a DFD assist Lorena in her work?
A. Establishes a summary graphical view of data paths and storage
B. Establishes a step-by-step data generation flow
C. Establishes a hierarchical data model
D. Establishes high-level data definitions
Correct answer: A. A data flow diagram shows the flow of data between upstream and downstream systems and where the data is stored. From it the auditor can build a useful summary of data flow paths and storage that gives an easy-to-understand, succinct view of the systems being audited.

Julio, head of information technology architecture with the Palm Trading Company, thinks that transaction audit trails are essential for a well-designed system. Identify the main consideration of Julio in this case.

A. Improvement of operational controls at transaction origination systems
B. Improvement of project management and change control procedures
C. Improvement of the authentication mechanism for sending and receiving transactional messages
D. Review of operational and service level agreements between transaction origination systems and consuming systems
Correct answer: C. Since the observation concerns unauthorized transactions, the information systems auditor is most likely concerned about a weak authentication mechanism for sending and receiving transactional messages. A review of the operational and service level agreements between the originating and consuming systems could also be conducted, but only as an additional recommendation.

Blue Xylo Systems, a software development startup, intends to implement a suitable testing method to test the functional operating effectiveness of the information system without regard to any specific internal program structure. Identify from the following the right testing method to meet this objective.
A. Alpha test
B. Beta test
C. Black box test
D. White box test
Correct answer: C. Black box testing exercises the system through its external interfaces without knowledge of its internal structure, source code, or program logic; it focuses on the functional operating effectiveness of the information system. White box testing, by contrast, uses knowledge of the internal structure to design the test cases.

Dave, CFO at Herman Foundry, expresses his concern over the risky nature of the implementation approach proposed by the IT Head to replace a legacy system with the new system. Identify the implementation/conversion approach from the following that carries the greatest risk.
A. Parallel run
B. Phased approach
C. Direct cutover
D. Pilot run
Correct answer: C. Direct cutover, also known as the big bang approach, has the shortest time window but carries the greatest risk: the legacy system is shut down and the new system goes live immediately, and shutting down the legacy system is usually irreversible. The other approaches are less risky because each keeps a fallback available. In a parallel run the legacy and new systems operate side by side for a period and their outputs are compared before the legacy system is retired. In a phased approach the changeover from the existing system to the new one takes place in stages, for example by module, function or site. In a pilot run the new system is first deployed to a limited group of users or a single site under real operating conditions and is rolled out further only once it has proven itself.

Lisa, an information systems auditor at a non-profit charitable organization, is reviewing the perimeter security controls. Lisa wants to verify whether the firewall is configured in compliance with the organization's security policy. Identify the most effective method from the following to verify this.
A. Review of firewall log files
B. Review of firewall administration procedures
C. Attestation by the firewall administrator
D. Review of firewall parameter settings
Correct answer: D. Perimeter security plays a vital role in preventing and detecting most attacks on an organization's networks, and the proper implementation and maintenance of firewalls is central to it. Log files show what traffic the firewall has processed, procedures describe what should be done, and an attestation is only a claim; the parameter settings (rule base, default policy, enabled services) are the configuration itself, so reviewing them is the best way to determine whether the firewall is configured in compliance with the security policy.

Lorena, an information systems auditor with the Town Bank, is planning for an audit. Lorena requests an organizational chart from the auditee. Identify the main purpose of the auditor's request.
A. Understand the business workflows
B. Understand the roles, responsibilities, and authority of key individuals
C. Understand the available communication channels
D. Understand the organizational networked systems
Correct answer: B. Information systems auditors usually request an organizational chart during audit planning to develop an understanding of the roles, responsibilities, and authority of key people in the auditee organization. The auditor may also develop an understanding of the segregation of duties controls at this stage and identify potential control objectives for the audit.
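As an added example (not part of the original exam or its answer key), the following script performs the kind of parameter-settings review the firewall answer describes: it checks a constructed, hypothetical rule export against three policy statements (no permit-any-any rule, no administrative port reachable from outside the internal address range, an explicit default deny) and flags rules that a catch-all rule shadows. The Rule format, the ADMIN_PORTS set and the 10.0.0.0/8 internal range are assumptions made for the illustration.

```python
"""Added example: check an exported firewall rule base against written policy statements."""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    dport: str    # destination port or "any"
    proto: str    # "tcp", "udp" or "any"


# Constructed rule base in a hypothetical export format (first match wins); not a real device's output.
RULESET = [
    Rule("allow", "any",        "10.0.5.10/32", "443",  "tcp"),   # public web tier
    Rule("allow", "10.0.0.0/8", "10.0.5.10/32", "22",   "tcp"),   # SSH from inside only
    Rule("allow", "any",        "any",          "3389", "tcp"),   # RDP open to the world
    Rule("allow", "any",        "any",          "any",  "any"),   # catch-all permit
    Rule("deny",  "any",        "any",          "any",  "any"),   # default deny, never reached
]

# Policy statements assumed for the illustration.
INTERNAL = ip_network("10.0.0.0/8")          # only sources inside this range may reach admin ports
ADMIN_PORTS = {"22", "23", "3389", "5900"}   # SSH, telnet, RDP, VNC


def _is_any(value: str) -> bool:
    return value == "any"


def _is_catch_all(rule: Rule) -> bool:
    return _is_any(rule.src) and _is_any(rule.dst) and _is_any(rule.dport)


def _source_is_internal(src: str) -> bool:
    return not _is_any(src) and ip_network(src).subnet_of(INTERNAL)


def check_ruleset(rules):
    """Return (rule_number, finding) pairs for every policy violation, in first-match order."""
    findings = []
    catch_all_at = None
    for number, rule in enumerate(rules, 1):
        if catch_all_at is not None:
            # Anything after a catch-all rule can never match.
            findings.append((number, f"unreachable: shadowed by rule {catch_all_at}"))
            continue
        if rule.action == "allow":
            if rule.dport in ADMIN_PORTS and not _source_is_internal(rule.src):
                findings.append((number, f"admin port {rule.dport}/{rule.proto} reachable from non-internal source"))
            if _is_catch_all(rule):
                findings.append((number, "permit any-any-any"))
        if _is_catch_all(rule):
            catch_all_at = number
    if not any(r.action == "deny" and _is_catch_all(r) for r in rules):
        findings.append((len(rules) + 1, "no explicit default deny rule"))
    return findings


if __name__ == "__main__":
    for number, finding in check_ruleset(RULESET):
        print(f"rule {number}: {finding}")
```

Run against the constructed rule base, the check reports rule 3 (RDP from any source), rule 4 (the catch-all permit) and rule 5 (the default deny that the catch-all makes unreachable). The same three checks could be extended with whatever the organization's policy actually states, which is exactly why the auditor reviews the settings rather than an administrator's attestation.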

dynamic allocation. Enabling DHCP at all wireless access points is the complete opposite of the best option. Selectively enabling and disabling it still carries the risk. Completely removing the wireless access points is not a feasible solution since it affects functionality.

The primary control objective of classifying information assets is to
A. Assist management and auditors in risk assessment
B. Establish guidelines for the level of access controls to be assigned
C. Ensure access controls are assigned to all information assets
D. Identify assets for insurance against losses
Correct answer: B. Information assets must be classified in order to establish guidelines for the level of access controls to be assigned to each class.

Frank, an information security analyst at Micro Lending Inc, has been tasked to handle a Windows web server compromise incident. Identify from the following the first task for Frank to perform.
A. Isolate the compromised server from the network
B. Restart the compromised server in fail-safe mode
C. Take a dump of server memory and volatile storage data to disk
D. Power down the compromised server
Correct answer: A. As part of incident handling procedures, isolating the compromised server from the network is the immediate first step, to contain the damage and stop the attacker from using the host to pivot or exfiltrate. Restarting or powering down the server destroys volatile evidence (running processes, network connections, memory-resident malware) and should be avoided. Capturing memory and volatile data is an important early step and is normally done immediately after, or in coordination with, network isolation, but containment comes first in this question.

Identify the control from the following that helps address a referential integrity issue in a relational database management system.
A. Key constraints
B. Database backup
C. Real application cluster
D. Domain constraints
Correct answer: A. Referential integrity issues result in orphan records in child tables, also known as dangling tuples: records in the referencing relation that have no counterpart in the referenced (parent) relation. They are addressed by establishing foreign key constraints. A key constraint limits the values that an attribute or a set of attributes can take; a foreign key constraint ensures that every child record has a valid parent record, and prevents a parent from being deleted while child records still point at it.
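An added example (not from the original page) using Python's built-in sqlite3 module to show the dangling-tuple problem and the foreign key fix on a constructed two-table schema. SQLite is used because it runs offline, and it carries a caveat an auditor should know: it parses REFERENCES clauses but only enforces them when PRAGMA foreign_keys is ON for the connection, so a schema can look correct while orphans are still accepted. The customer and payment tables, their rows, and the function names are all constructed for this example.

```python
"""Added example: orphan rows without foreign key enforcement, rejected with it."""
import sqlite3

# Constructed schema: payment.customer_id references customer.id.
SCHEMA = """
CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE payment (
    id INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customer(id),
    amount INTEGER NOT NULL
);
"""


def open_db(enforce_fk: bool) -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # SQLite only enforces REFERENCES when this pragma is on; it is off by default and per connection.
    conn.execute(f"PRAGMA foreign_keys = {'ON' if enforce_fk else 'OFF'}")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO customer VALUES (1, 'Ada')")
    return conn


def insert_orphan(conn: sqlite3.Connection) -> bool:
    """Insert a payment whose customer_id has no parent; True if the database accepted it."""
    try:
        conn.execute("INSERT INTO payment (customer_id, amount) VALUES (99, 500)")
        return True
    except sqlite3.IntegrityError:
        return False


def delete_parent_with_children(conn: sqlite3.Connection) -> bool:
    """Insert a valid payment for customer 1, then delete customer 1; True if the delete succeeded."""
    conn.execute("INSERT INTO payment (customer_id, amount) VALUES (1, 100)")
    try:
        conn.execute("DELETE FROM customer WHERE id = 1")
        return True
    except sqlite3.IntegrityError:
        return False


def dangling_tuples(conn: sqlite3.Connection):
    """Audit query: child rows with no counterpart in the parent table."""
    return conn.execute("""
        SELECT p.id, p.customer_id
        FROM payment p LEFT JOIN customer c ON c.id = p.customer_id
        WHERE c.id IS NULL
        ORDER BY p.id
    """).fetchall()


def demo() -> dict:
    weak, strong = open_db(enforce_fk=False), open_db(enforce_fk=True)
    return {
        "orphan_accepted_without_fk": insert_orphan(weak),
        "parent_deleted_without_fk": delete_parent_with_children(weak),
        "orphans_found_without_fk": dangling_tuples(weak),
        "orphan_accepted_with_fk": insert_orphan(strong),
        "parent_deleted_with_fk": delete_parent_with_children(strong),
        "orphans_found_with_fk": dangling_tuples(strong),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Without enforcement both the orphan insert and the parent delete succeed and the audit query finds two dangling tuples; with enforcement both are rejected with an IntegrityError and the query finds none. The LEFT JOIN query is the detective counterpart of the preventive constraint: it is what an auditor runs against an existing database to find out whether referential integrity has already been lost.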

Domain constraints operate at the level of individual column values (the permitted type and range of an attribute) and do not address referential integrity. Clustering and backups are important, but they are not useful for this problem.

Lawrence, an information security architect with Quick Micropayments, is tasked to identify a suitable biometric system for a very high security requirement. Identify a useful performance indicator from the following to help in this case.
A. Equal Error Rate (EER)
B. False Acceptance Rate (FAR)
C. False Identification Rate (FIR)
D. False Rejection Rate (FRR)
Correct answer: B. Since the biometric system has a very high security requirement, protection against false acceptance (an impostor being accepted as a legitimate user) is paramount, so FAR is the indicator to measure and minimize. Tightening the matching threshold to lower FAR raises FRR (legitimate users being rejected); EER is the operating point where the two rates are equal and is a general measure of a system's accuracy rather than a high-security target.

Identify from the following the best technique to assist in project duration estimation.
A. Component-based development
B. Program evaluation and review technique (PERT) chart
C. Artificial intelligence (AI)
D. Software cost estimation
Correct answer: B. The Program Evaluation and Review Technique (PERT) is a project management technique used in the planning and control of system projects. A PERT chart helps in identifying the duration of the project once all the activities and the work involved are known.

Jim, an information security architect with the Cocoa Exports Company, is overseeing the implementation of an intrusion detection system (IDS) in the organization. Identify the most important aspect of IDS implementation from the following.
A. The resilience of the IDS system
B. Placement within the enterprise network
C. Adequate threat intelligence
D. Protection against DDoS attacks
Correct answer: B. An IDS complements firewalls by monitoring network traffic for usage anomalies and known attack patterns. Because a network IDS can only analyze the traffic that passes its sensors, its placement within the enterprise network is the most crucial amongst the
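An added example (not part of the original page) that computes FAR, FRR and EER from constructed matcher scores, then picks the threshold that meets a FAR target to show the FRR cost of a high-security setting. The GENUINE and IMPOSTOR score lists are made up for the illustration; a real evaluation would use thousands of genuine and impostor comparisons from the vendor's or the organization's own trials.

```python
"""Added example: FAR, FRR and EER from constructed biometric match scores."""

# Constructed similarity scores in [0, 1], higher = more similar.
# GENUINE: comparisons of a person against their own enrolment; IMPOSTOR: against someone else's.
GENUINE = [0.92, 0.88, 0.81, 0.79, 0.75, 0.71, 0.66, 0.61, 0.55, 0.48]
IMPOSTOR = [0.12, 0.18, 0.25, 0.31, 0.36, 0.42, 0.47, 0.53, 0.58, 0.64]


def far(threshold: float, impostor=IMPOSTOR) -> float:
    """False Acceptance Rate: fraction of impostor attempts accepted (score at or above threshold)."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold: float, genuine=GENUINE) -> float:
    """False Rejection Rate: fraction of genuine attempts rejected (score below threshold)."""
    return sum(s < threshold for s in genuine) / len(genuine)


def operating_points(genuine=GENUINE, impostor=IMPOSTOR):
    """(threshold, FAR, FRR) for every threshold at which a decision can change."""
    return [(t, far(t, impostor), frr(t, genuine)) for t in sorted(set(genuine + impostor))]


def equal_error_rate(genuine=GENUINE, impostor=IMPOSTOR):
    """Threshold where FAR and FRR are closest, and the error rate there."""
    best = min(operating_points(genuine, impostor), key=lambda p: abs(p[1] - p[2]))
    return best[0], (best[1] + best[2]) / 2


def threshold_for_far(max_far: float, genuine=GENUINE, impostor=IMPOSTOR):
    """Lowest threshold whose FAR does not exceed max_far (high-security tuning), with its FRR cost."""
    for t, f_acc, f_rej in operating_points(genuine, impostor):
        if f_acc <= max_far:
            return t, f_rej
    raise ValueError("no threshold meets the FAR target")


if __name__ == "__main__":
    t, eer = equal_error_rate()
    print(f"EER {eer:.2f} at threshold {t}")                     # convenience/security balance
    t, cost = threshold_for_far(0.0)
    print(f"FAR 0 needs threshold {t}; FRR rises to {cost:.2f}")  # the price of a high-security setting
```

On the constructed data the EER is 0.2 at a threshold of 0.58, while driving FAR to zero requires a threshold of 0.66 and rejects 30% of genuine attempts. That trade-off is why a high-security deployment is specified by its FAR and then sized for the resulting re-tries and fallback procedures, rather than by the EER alone.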

Identification badges containing biometric data in a smart chip in addition to the name and photo of the bearer
Access controls via the use of electronic badges and a strong system password
Correct answer: An overlapping control exists when more than one control is in place and either control on its own is adequate to achieve the objective; for example, a facility that controls physical access with electronic badges followed by visual verification by a security guard.

Cocoa Exports is exploring an online business model to boost their revenue. Jim, an information security architect, is tasked to adequately protect the online platform's confidentiality, authentication, non-repudiation, and integrity. Identify the best control mechanism from the following.
A. Virtual Private Network (VPN)
B. Transport Layer Security (TLS)
C. Public Key Infrastructure (PKI)
D. Secure Sockets Layer (SSL)
Correct answer: C. Public key infrastructure (PKI) provides the best overall protection: certificates bind identities to public keys (authentication), digital signatures provide integrity and non-repudiation, and public-key encryption or key exchange provides confidentiality. TLS, SSL and VPNs protect data in transit and themselves rely on PKI for authentication, but they do not by themselves provide non-repudiation of individual transactions.

Easy Micropayments has an online payment platform for customers to initiate payments on demand during business hours. As new payments are processed, the transactions are recorded on disk as well as on tape. The payment files are backed up to tape at the end of the day. However, during the backup process the files on the hard disk as well as on the tape were corrupted due to a malfunction of the backup mechanism. Identify from the following the best option to quickly and accurately restore the payment data and resume online payment operations.
A. The previous day's payment file from the disk and today's transactions from tape
B. The previous day's payment file from tape and today's payment transactions from the disk
C. Today's payment transactions from the disk and the previous day's payment file from the tape
D. Today's payment file from tape and today's payment transactions from the disk
Correct answer: The previous day's payment file from tape is the latest reliable backup on tape, and today's transactions are easily and reliably retrievable from disk. Restoring the two together is the best option to reliably and quickly re-create the most up-to-date and accurate data set for the system to resume operations.

Johnson, Head of the Audit Department at Guava Trading Company, intends to implement a suitable tool/mechanism to store, correlate and aggregate logs and events. The tool/mechanism should be able to provide regular reports to auditors to assist in their work. Identify the best tool/mechanism from the following to achieve Johnson's objectives.
A. An extract, transform, load (ETL) system
B. A security information and event management (SIEM) product
C. An industry-standard big data warehouse
D. A log management tool
Correct answer: D. Johnson is most likely to choose a log management tool, since the stated objective is collecting, retaining and reporting on logs for audit purposes. The other options have similar-sounding capabilities but are not the best fit: ETL systems and data warehouses are general data-processing platforms, and a SIEM, while it also aggregates and correlates events, is oriented toward real-time security monitoring and alerting for a security operations function rather than periodic audit reporting.

Sender A sends a message to receiver B. The message hash, and the message itself, are encrypted with A's private key. Identify from the following the purpose of this encryption arrangement.
A. Authenticity and integrity
B. Authenticity and privacy
C. Integrity and privacy
D. Privacy and nonrepudiation
Correct answer: A. Anything encrypted with A's private key can be decrypted by anyone holding A's public key, which by design is public, so this arrangement provides no privacy. It does establish that the message came from the holder of A's private key (authenticity) and, because the recovered hash can be compared with a freshly computed hash of the message, that the message was not altered in transit (integrity).

"Their security responsibilities include authorizing access, ensuring that access rules are updated when personnel changes occur, and regularly reviewing access rules for the data for which they are responsible." Identify the appropriate role for the above-mentioned responsibility.
A. Data users
B. Data custodians
C. Data owners
D. Security administrator
Correct answer: C. The responsibility described falls to data owners. Data owners are usually business leaders responsible for using information to run and control the business. Data custodians are the people responsible for storing and safeguarding the data and include IT personnel. Data users are the user communities with the access levels authorized by the data owners. Security administrators are responsible for providing physical and logical security for data, software, and hardware.
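An added example, not from the original page, covering both the question above and the earlier email digital-signature question: a textbook-RSA toy (small modulus, no padding, keys generated inline, not usable for real security) that shows why signing a SHA-256 hash with the private key lets anyone holding the public key verify origin and integrity, and why "encrypting" the message itself with the private key gives no privacy, since the public key recovers it. The names keygen, sign, verify, private_key_transform and public_key_recover, and the 7-byte block layout, are choices made for this illustration.

```python
"""Added example: toy textbook RSA to illustrate sign-with-private / verify-with-public.
Small modulus, no padding, deterministic keys: for illustration only, never for real use."""
import hashlib
from math import gcd


def _is_prime(n: int) -> bool:
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    i = 3
    while i * i <= n:          # trial division is fine for numbers near 2**32
        if n % i == 0:
            return False
        i += 2
    return True


def _next_prime(n: int) -> int:
    while not _is_prime(n):
        n += 1
    return n


def keygen():
    """Deterministic toy key pair: two primes just above 2**32, so n > 2**64 and an 8-byte block fits."""
    e = 65537
    p = _next_prime(2**32 + 1)
    q = _next_prime(p + 1)
    while gcd(e, (p - 1) * (q - 1)) != 1:
        q = _next_prime(q + 1)
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # private exponent
    return (e, n), (d, n)               # (public key, private key)


def _digest_int(message: bytes, n: int) -> int:
    # SHA-256 is 256 bits, far wider than this toy modulus, so reduce it; real RSA uses padding instead.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, priv) -> int:
    """Signature = hash of the message transformed with the private exponent."""
    d, n = priv
    return pow(_digest_int(message, n), d, n)


def verify(message: bytes, sig: int, pub) -> bool:
    """Anyone with the public key can check: the recovered hash must equal a fresh hash of the message."""
    e, n = pub
    return pow(sig, e, n) == _digest_int(message, n)


BLOCK = 7  # 7 message bytes + 1 marker byte = 8 bytes, always below 2**64 < n


def private_key_transform(message: bytes, priv) -> list:
    """'Encrypt' the message with the private key block by block (the arrangement in the question)."""
    d, n = priv
    return [pow(int.from_bytes(b"\x01" + message[i:i + BLOCK], "big"), d, n)
            for i in range(0, len(message), BLOCK)]


def public_key_recover(blocks: list, pub) -> bytes:
    """The public key, which everyone has, undoes the private-key transform: no privacy."""
    e, n = pub
    out = b""
    for b in blocks:
        raw = pow(b, e, n).to_bytes(8, "big")
        out += raw[raw.index(b"\x01") + 1:]     # drop leading zero padding and the marker byte
    return out


if __name__ == "__main__":
    pub, priv = keygen()
    msg = b"Pay 1,000 to account 42"              # constructed message
    sig = sign(msg, priv)
    print("verify(original):", verify(msg, sig, pub))          # True: authenticity and integrity
    print("verify(tampered):", verify(msg + b"0", sig, pub))   # False: integrity check fails
    print("recovered with public key:", public_key_recover(private_key_transform(msg, priv), pub))
```

The same pair of functions answers the email question: a signature over the hash gives the recipient sender identity and integrity, but the message bytes travel in clear unless they are separately encrypted with the recipient's public key or a shared symmetric key. The toy also makes the nonrepudiation property visible: only the holder of d can produce a value that e turns back into the message hash, so the signer cannot later deny it, as long as the private key has stayed private.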

Sniffed passwords can be successfully exploited to impact transaction initiation system availability
Correct answer: C. A sniffed password would first be used to gain unauthorized access to systems and data. Once that access is established, further malicious actions affecting the confidentiality, integrity or availability of systems and data can be carried out. Using a sniffed password, the attacker can also log in as another user and tamper with the audit trail to hide their identity.

Guava Trading Company is running a variety of access points. These include a mix of access points with an obsolete security algorithm for which no upgrade is available from the vendor, and newer access points with advanced wireless security. Lisa, an information systems auditor with the organization, wants to recommend that IT replace the obsolete access points. Identify the best justification from the following to support Lisa's recommendation.
A. Centralized and easier management of the new access points
B. Performance concerns with the old access points
C. The security chain is only as strong as its weakest link
D. New access points have become more affordable recently
Correct answer: C. "The security chain is only as strong as its weakest link" is the best justification: an attacker will target the access point with the obsolete algorithm, and once on the wireless network can reach the same resources regardless of which access point admitted them. Performance, easier management, and affordability are secondary in this situation.

Manuel, CFO at Evergreen Bank, has requested a review and update of the business continuity plan (BCP), which also requires gaining or re-validating an understanding of the organization's business processes. Identify from the following the tool for doing so.
A. Structured walk-through
B. Risk assessment
C. Full interruption test
D. Business process re-engineering
Correct answer: B. Risk assessment, together with the business impact analysis (BIA), is used to gain an understanding of organizational business processes in order to develop an adequate business continuity plan. Structured walk-throughs and full interruption tests are methods for testing the effectiveness of a BCP. Business process re-engineering (BPR) is about changing existing business processes to suit changing business needs and the environment.

Guava Trading Company has implemented an access card entry system for the physical security of its data center. Identify the most important control from the following.
A. Failed and successful access card entry attempts are logged and protected
B. The access card entry system is installed in the most risk-prone locations
C. Lost or stolen access cards and the cards of leavers are promptly deactivated
D. System data is backed up frequently to ensure continuity of the access card entry system
Correct answer: C. Promptly deactivating lost or stolen access cards and the cards of employees who have left the organization is the most important control in the list, because a live card in the wrong hands is a direct route to unauthorized entry. Logging all access attempts and backing up system data are important too, but not as important as preventing unauthorized entry. An access card entry system would generally cover the perimeter, i.e. the main entry into the facility, as well as the more critical areas within it.

Identify from the following the parameter that corresponds to the business appetite for data loss.
A. Service delivery objective
B. Recovery time objective
C. Maximum tolerable outage
D. Recovery point objective
Correct answer: D. The recovery point objective (RPO) is derived from the amount of data loss the business can accept in an operational disruption. It is the point in time, before the disruption, to which data must be recoverable; in practice it bounds how old the last usable backup or replica may be, and therefore how often backups or replication must run. The Recovery Time Objective (RTO) is the amount of time allowed for the recovery of a business function or resource to an acceptable level after a disaster occurs. The Service Delivery Objective (SDO) is the minimum level of service to be reached during the alternate processing mode until the normal situation is restored; it is directly related to business needs. The Maximum Tolerable Outage (MTO) is the maximum time the organization can sustain processing in alternate mode.

Computer forensics comprises four major considerations:
(a) Preserve
(b) Identify
(c) Present
(d) Analyze
Identify the correct sequence from the following.

Technology auditors perform a functional walk-through during the preliminary phase of an audit assignment. Identify the primary reason.
A. Comply with audit methodology and standards
B. Identify potential control weaknesses
C. Plan substantive testing
D. Develop and validate the business process understanding
Correct answer: D. Auditors need to understand the business process, or validate their existing understanding of it, by performing a walk-through at the early stage of an audit assignment; control weaknesses and substantive testing are addressed later, on the basis of that understanding.

Lisa, an information systems auditor at a non-profit charitable organization, is reviewing organizational preparedness against social engineering attempts. Identify the most effective measure from the following for Lisa to recommend against such attacks.
A. Security awareness training
B. Social media monitoring policy
C. Intrusion detection systems (IDS)
D. Anti-spam controls
Correct answer: A. Security awareness training is the best defense against social engineering, which exploits weaknesses in human behavior rather than in technology. The other controls provide limited, partial defense (anti-spam filtering may stop some phishing messages, an IDS may notice the after-effects of a successful attack) but are not comprehensive. Amongst the available options, security education and awareness provide the best coverage.

Identify from the following the item that belongs in an organization's information systems security policy.
A. Relevant software security features
B. Criteria for access authorization
C. Inventory of key IT resources to be secured
D. Identity of sensitive security features
Correct answer: B. The security policy provides the broad framework for security, including who is authorized to grant access and the basis on which access is granted. The other choices are more detailed and belong in standards and procedures rather than in the policy.

Identify the feature of a digital signature from the list below that makes the authorizer of a transaction or the sender of a message unable to refute it.
A. Nonrepudiation
B. Confidentiality
C. Encryption
D. Authorization
E. Integrity
F. Authentication
Correct answer: A. The feature that ensures undeniability is called nonrepudiation. Digital signatures are applied to transactions to confirm the authorization in a way that cannot be denied later, because only the holder of the signer's private key could have produced the signature.

Identify from the following an invalid software testing method.
A. Alpha testing
B. Gamma testing
C. Black-box testing
D. Pilot testing
E. Beta testing
F. White-box testing
Correct answer: B. All but gamma testing are standard software testing methods. Alpha testing is the first end-to-end testing of a product to ensure it meets the business requirements and functions correctly; it is typically performed by internal employees in a lab or staging environment and confirms that the product really works and does everything it is supposed to do. Beta testing is a type of user acceptance testing in which the product team gives a nearly finished product to a group of target users to evaluate its performance in the real world; there is no fixed standard for how a beta test should look or be set up. Black-box testing tests the software without knowledge of the internal structure of the code or program. White-box testing is the method in which the tester knows the internal structure of the software under test.