CISA Practice Exam Questions and Answers

A.  

Integrated test facility (ITF)

B.  

Snapshots

C.  

Data analytics

D.  

Audit hooks

A.  

Document the dependencies between the project and other projects within the same program.

B.  

Ensure that IT takes ownership for the delivery and tracking of all aspects of the benefits realization plan.

C.  

Ensure that the project manager has formal authority for managing the benefits realization plan.

D.  

Assign responsibilities, measures, and timelines for each identified benefit within the plan.

A.  

Transmission Control Protocol/Internet Protocol (TCP/IP)

B.  

Internet Control Message Protocol

C.  

Multipurpose Transaction Protocol

D.  

Point-to-Point Tunneling Protocol

A.  

Encrypt the extensible markup language (XML) file.

B.  

Implement Transport Layer Security (TLS).

C.  

Mask the API endpoints.

D.  

Implement Simple Object Access Protocol (SOAP).

A.  

Detective

B.  

Preventive

C.  

Compensating

D.  

Corrective

A.  

Increased vulnerability due to anytime, anywhere accessibility

B.  

Increased need for user awareness training

C.  

The use of the cloud negatively impacting IT availability

D.  

Lack of governance and oversight for IT infrastructure and applications

A.  

Backup testing schedule

B.  

Data retention policy

C.  

Transfer frequency

D.  

Data confidentiality

A.  

Decreased effectiveness of root cause analysis

B.  

Decreased overall recovery time

C.  

Increased number of false negatives in security logs

D.  

Increased demand for storage space for logs

A.  

The process of developing the annual audit plan

B.  

The authority given to the audit function

C.  

Required training for audit staff

D.  

Audit objectives and scope

A.  

Implement data loss prevention (DLP) controls.

B.  

Perform classification based on standards.

C.  

Deploy intrusion detection systems (IDS).

D.  

Test logical access controls for effectiveness.

A.  

Lack of offsite data backups

B.  

Absence of a data backup policy

C.  

Lack of periodic data restoration testing

D.  

Insufficient data backup frequency

A.  

minimize data storage needs across the organization.

B.  

provide necessary IT resources to meet business requirements.

C.  

minimize system idle time to optimize cost.

D.  

ensure that IT teams have sufficient personnel.

A.  

Service level agreements (SLAs)

B.  

Project steering committee charter

C.  

IT audit reports

D.  

Enterprise architecture (EA)

A.  

The person who tests source code also approves changes.

B.  

The person who administers servers is also part of the infrastructure management team.

C.  

The person who creates new user accounts also modifies user access levels.

D.  

The person who edits source code also has write access to production.

A.  

Detective

B.  

Preventive

C.  

Corrective

D.  

Deterrent

A.  

Business objectives

B.  

Business impact analysis (BIA)

C.  

Enterprise architecture (EA)

D.  

Recent incident trends

A.  

Ensure new employees read and sign acknowledgment of the acceptable use policy.

B.  

Revise the policy to include security training during onboarding.

C.  

Revise the policy to require security training every six months for all employees.

D.  

Require management of new employees to provide an overview of security awareness.

A.  

Technical architect

B.  

Enterprise architect

C.  

Program manager

D.  

Solution architect

A.  

Notify senior management.

B.  

Block all compromised network nodes.

C.  

Identify nodes that have been compromised.

D.  

Contact law enforcement.

A.  

Reviewing whether all changes have been implemented

B.  

Validating whether baselines have been established

C.  

Confirming whether multi-factor authentication (MFA) is deployed as part of the operational enhancements

D.  

Determining whether there is a process for annual review of the maintenance manual

A.  

Transfer the assignment to a different audit manager despite lack of IT project management experience.

B.  

Outsource the audit to independent and qualified resources.

C.  

Manage the audit since there is no one else with the appropriate experience.

D.  

Have a senior IS auditor manage the project with the IS audit manager performing final review.

A.  

IT incident log

B.  

Benchmarking studies

C.  

Maturity model

D.  

IT risk register

A.  

Schedule a follow-up audit in the next year to confirm whether IT processes have matured.

B.  

Create an interdisciplinary IT steering committee to oversee IT prioritization and spending.

C.  

Document and track all IT decisions in a project management tool.

D.  

Discontinue all current IT projects until formal approval is obtained and documented.

A.  

There is no process documentation for some system interfaces.

B.  

Notifications of data transfers through the interfaces are not retained.

C.  

Parts of the data transfer process are performed manually.

D.  

There is no reliable inventory of system interfaces.

A.  

assessing user satisfaction levels.

B.  

interviewing the security administrator.

C.  

analyzing equipment maintenance logs.

D.  

reviewing system-generated logs.

A.  

Risk assessments of information assets are not periodically performed.

B.  

All Control Panel Items

C.  

The information security policy does not extend to service providers.

D.  

There is no process to measure information security performance.

E.  

The information security policy is not reviewed by executive management.

A.  

Mobile device tracking program

B.  

Mobile device upgrade program

C.  

Mobile device testing program

D.  

Mobile device awareness program

A.  

Leverage the work performed by external audit for the internal audit testing.

B.  

Ensure both the internal and external auditors perform the work simultaneously.

C.  

Request that the external audit team leverage the internal audit work.

D.  

Roll forward the general controls audit to the subsequent audit year.

A.  

Testing incident response plans with a wide range of scenarios

B.  

Prioritizing incidents after impact assessment.

C.  

Linking incidents to problem management activities

D.  

Training incident management teams on current incident trends

A.  

Loss of application support

B.  

Lack of system integrity

C.  

Outdated system documentation

D.  

Developer access 1o production

A.  

Required approvals at each life cycle step

B.  

Date and time stamping of source and object code

C.  

Access controls for source libraries

D.  

Release-to-release comparison of source code

A.  

some of the identified throats are unlikely to occur.

B.  

all identified throats relate to external entities.

C.  

the exercise was completed by local management.

D.  

neighboring organizations operations have been included.

A.  

Process and resource inefficiencies

B.  

Irregularities and illegal acts

C.  

Noncompliance with organizational policies

D.  

Misalignment with business objectives

A.  

Notify law enforcement of the finding.

B.  

Require the third party to notify customers.

C.  

The audit report with a significant finding.

D.  

Notify audit management of the finding.

A.  

Server room access history

B.  

Emergency change records

C.  

IT security incidents

D.  

Penetration test results

A.  

There are documented compensating controls over the business processes.

B.  

The risk acceptances were previously reviewed and approved by appropriate senior management

C.  

The business environment has not significantly changed since the risk acceptances were approved.

D.  

The risk acceptances with issues reflect a small percentage of the total population

A.  

The company is being sued for false accusations.

B.  

The financial report may contain undetected material errors.

C.  

Employees have been misappropriating funds.

D.  

Key employees have not taken vacation for 2 years.

A.  

the provider has alternate service locations.

B.  

the contract includes compensation for deficient service levels.

C.  

the provider's information security controls are aligned with the company's.

D.  

the provider adheres to the company's data retention policies.

A.  

The applications are not included in business continuity plans (BCFs)

B.  

The applications may not reasonably protect data.

C.  

The application purchases did not follow procurement policy.

D.  

The applications could be modified without advanced notice.

A.  

Sampling risk

B.  

Detection risk

C.  

Control risk

D.  

Inherent risk

A.  

Project management

B.  

Risk assessment results

C.  

IT governance framework

D.  

Portfolio management

A.  

Simple mail transfer protocol (SMTP)

B.  

Simple object access protocol (SOAP)

C.  

Hypertext transfer protocol (HTTP)

D.  

File transfer protocol (FTP)

A.  

Installing security software on the devices

B.  

Partitioning the work environment from personal space on devices

C.  

Preventing users from adding applications

D.  

Restricting the use of devices for personal purposes during working hours

A.  

promote best practices

B.  

increase efficiency.

C.  

optimize investments.

D.  

ensure compliance.

A.  

deleted data cannot easily be retrieved.

B.  

deleting the files logically does not overwrite the files' physical data.

C.  

backup copies of files were not deleted as well.

D.  

deleting all files separately is not as efficient as formatting the hard disk.

A.  

Real-time backup

B.  

Virtual backup

C.  

Differential backup

D.  

Full backup

A.  

Change management

B.  

Problem management

C.  

incident management

D.  

Configuration management

A.  

The use of the cloud negatively impacting IT availably

B.  

Increased need for user awareness training

C.  

Increased vulnerability due to anytime, anywhere accessibility

D.  

Lack of governance and oversight for IT infrastructure and applications

A.  

reclassify the data to a lower level of confidentiality

B.  

require the business owner to conduct regular access reviews.

C.  

implement a strong password schema for users.

D.  

recommend corrective actions to be taken by the security administrator.

A.  

Inability to utilize the site when required

B.  

Inability to test the recovery plans onsite

C.  

Equipment compatibility issues at the site

D.  

Mismatched organizational security policies