Certified Information Systems Auditor (CISA) — Questions 175

509 questions total · 7 pages · All types, answers revealed

Page 1 of 7

Question 1 (MCQ, hard)

A multinational company must comply with GDPR and local data protection laws when transferring personal data from the EU to a subsidiary in the US. Which transfer mechanism is most commonly accepted as providing adequate protection?

A.A data protection impact assessment (DPIA) approved by the local supervisory authority.
B.Standard Contractual Clauses (SCCs) adopted by the European Commission.
C.Explicit consent from each data subject for the transfer.
D.Binding Corporate Rules (BCRs) for intra-group transfers.
Answer: B

SCCs are a ready-to-use mechanism that provides contractual guarantees of adequate protection for cross-border data transfers.

Why this answer

Standard Contractual Clauses (SCCs) are model contracts adopted by the European Commission that provide a legally recognized mechanism for transferring personal data from the EU to a third country, such as the US, without a separate authorization from a supervisory authority. They are the most commonly used transfer mechanism because they impose contractual obligations on both the data exporter and the data importer to ensure adequate protection, as provided for in GDPR Article 46. Since the Schrems II judgment (2020), the exporter must also assess whether the law of the destination country undermines the clauses and apply supplementary measures where it does, so SCCs are accepted but are not self-sufficient.

Exam trap

The trap here is that candidates often confuse Binding Corporate Rules (BCRs) as the default intra-group mechanism, but SCCs are more commonly used because they are pre-approved, faster to implement, and do not require supervisory authority approval, making them the practical choice for most multinational transfers.

How to eliminate wrong answers

Option A is wrong because a Data Protection Impact Assessment (DPIA) is a risk assessment tool required under GDPR Article 35 for high-risk processing, not a transfer mechanism that provides adequate protection for cross-border data transfers. Option C is wrong because explicit consent under GDPR Article 49 is an exception for specific, occasional transfers and is not considered a reliable, ongoing adequate protection mechanism due to issues of revocability and power imbalance. Option D is wrong because Binding Corporate Rules (BCRs) are a valid intra-group transfer mechanism, but they require approval from the relevant supervisory authority and are less commonly used than SCCs due to the lengthy approval process and complexity of implementation.

Question 2 (MCQ, hard)

An online retail company runs its e-commerce platform on a virtualized infrastructure with 50 virtual servers. The platform experiences intermittent slowdowns during peak hours, and recent monitoring reports show that disk I/O latency on the storage area network (SAN) frequently exceeds 50 ms during these periods. The SAN has two fabric switches and a single storage array with 12 TB of usable capacity, currently at 80% utilization. The company’s disaster recovery plan requires a recovery point objective (RPO) of 1 hour and a recovery time objective (RTO) of 4 hours for the e-commerce platform. During a recent test failover to the disaster recovery site, the IT team discovered that the replication link between the primary and DR sites is saturated, causing replication lag of up to 3 hours. The team also noted that the DR site storage has only 6 TB of usable capacity, now at 60% utilization. The IT manager is concerned about meeting the RPO and RTO. Which course of action should the IT team take first?

A.Upgrade the SAN fabric switches to support higher throughput and reduce disk I/O latency
B.Add additional storage capacity to the DR site to reduce storage utilization
C.Implement more frequent incremental backups and reduce retention period to free up storage
D.Upgrade the replication link between primary and DR sites to a higher bandwidth connection
Answer: D

This directly addresses the replication lag, reducing it to meet the 1-hour RPO, and is the most urgent action to ensure disaster recovery objectives.

Why this answer

The immediate issue preventing the organization from meeting its RPO of 1 hour is the saturated replication link, which causes replication lag of up to 3 hours. Upgrading the link to a higher bandwidth connection directly addresses the bottleneck, reducing replication time and enabling the RPO to be met. Other options, while potentially beneficial, do not resolve the primary cause of the RPO failure.

Exam trap

The trap here is that candidates focus on the disk I/O latency or storage utilization issues, which are performance concerns, rather than recognizing that the saturated replication link is the direct cause of the RPO failure and must be addressed first.

How to eliminate wrong answers

Option A is wrong because upgrading the SAN fabric switches addresses disk I/O latency, which is a performance issue, not the replication lag that causes the RPO violation. Option B is wrong because adding storage capacity to the DR site does nothing to reduce replication lag; DR capacity is not what is delaying replication today. (The figures do show a separate capacity finding: the primary array holds about 9.6 TB of data at 80% of 12 TB, which cannot fit in the DR site's 6 TB, so the auditor should raise it, but it does not change which action comes first.) Option C is wrong because more frequent incremental backups do not relieve the saturated link and may add load to it; backups also do not provide the continuous replication on which a 1-hour RPO depends.

Question 3 (MCQ, medium)

A company is using an agile development methodology for a critical business application. The IS auditor is concerned about the lack of formal documentation. What is the BEST approach to mitigate this risk?

A.Require the project to switch to a waterfall methodology.
B.Accept the lack of documentation because agile emphasizes working software.
C.Perform a detailed code review to compensate for missing documentation.
D.Ask the team to maintain a lightweight document of important decisions and changes.
Answer: D

This balances agile flexibility with audit requirements.

Why this answer

Option D is the best approach because it balances agile principles with the need for auditability. In agile, lightweight documentation (e.g., architecture decision records, user story acceptance criteria) captures key decisions and changes without the overhead of full waterfall documentation. This mitigates the risk of knowledge loss while preserving the team's velocity.

Exam trap

The trap here is that candidates may confuse agile's 'working software over comprehensive documentation' with 'no documentation at all,' leading them to choose Option B, while the correct answer recognizes that lightweight documentation is both agile-compliant and risk-mitigating.

How to eliminate wrong answers

Option A is wrong because forcing a switch to waterfall would disrupt the existing agile workflow, likely causing delays and team resistance, and is not a proportionate response to a documentation gap. Option B is wrong because accepting the lack of documentation ignores the auditor's responsibility to ensure that critical business applications have sufficient records for maintenance, compliance, and knowledge transfer; agile emphasizes working software but does not prohibit necessary documentation. Option C is wrong because code review, while valuable for quality, does not capture design decisions, rationale, or change history that documentation provides; it is a complementary practice, not a substitute for documentation.

Question 4 (MCQ, medium)

A large organization is implementing a new HR management system to handle payroll and employee data. The project is currently in the build phase with a planned go-live in three months. Recently, the vendor notified the project team that a critical security patch will be released in two months that addresses a data leakage vulnerability present in the current version. The patch includes new features that are not in the contract. The project manager estimates that integrating the patch and re-testing will delay the project by at least four months. Business stakeholders insist on meeting the original go-live date because the legacy system is being decommissioned. The organization has a strict policy that all systems processing sensitive data must have the latest security patches within 30 days of release. What should the project team do?

A.Proceed with go-live but apply a compensating control to mitigate the vulnerability until the patch is applied
B.Continue with the current version, go live as planned, and schedule the security patch installation after go-live within the 30-day window
C.Delay the go-live and integrate the security patch before going live
D.Negotiate with the vendor to obtain an early fix for the vulnerability without the new features to minimize delay
Answer: C

This ensures compliance with the patching policy and protects sensitive data from the vulnerability.

Why this answer

Option C is correct because the organization's policy requires that any system processing sensitive data carry the latest security patches within 30 days of release, and the system in question will hold payroll and employee data. Delaying go-live so that the patch is integrated and re-tested before the system handles live data keeps the project within policy and removes the data-leakage exposure rather than managing around it. Option A is wrong because a compensating control may reduce the likelihood of exploitation, but the vulnerability remains and the policy requires the patch itself, not a substitute for it. Option B is wrong because the patch is released two months from now and go-live is three months from now, so the 30-day window is already exhausted at go-live; the system would go live on a version with a known data-leakage vulnerability, in breach of policy, and integrating and re-testing the patch in production is harder than doing it in the build phase. Option D is wrong because a negotiated early fix may not materialize, would still need integration and re-testing, and cannot be the basis for a compliance decision.

Question 5 (MCQ, hard)

An IS auditor reviews the exhibit from a cloud access policy. Which of the following is a potential security concern?

A.The policy does not require encryption in transit
B.The policy grants access to all objects in the bucket
C.The policy allows access from any IP in the 10.0.0.0/8 range
D.The condition uses a private IP range which is not routable from the internet
Answer: A

Without requiring HTTPS (aws:SecureTransport), data can be transmitted in plaintext.

Why this answer

Option A is correct because the policy contains no condition on transport security, so requests over plain HTTP are accepted and the data they carry can be read or altered on the wire. The usual fix is an explicit Deny on all S3 actions conditioned on `Bool aws:SecureTransport: false` (an explicit Deny overrides every Allow), or, less commonly, an Allow conditioned on `aws:SecureTransport` being `true`. Missing transport protection is a fundamental gap in a cloud access policy, regardless of how tightly the principals and source addresses are scoped.

Exam trap

The trap here is that candidates often overlook the absence of encryption in transit as a critical security control, focusing instead on IP ranges or object-level access, which are less risky when properly configured.

How to eliminate wrong answers

Option B is wrong because granting access to all objects in a bucket is not in itself a security concern when the principals are properly scoped with least privilege and the policy is combined with authentication and encryption controls. Option C is wrong because 10.0.0.0/8 is a private (RFC 1918) range that is not routable from the internet, so it does not by itself represent an exposure, although an auditor would note that a /8 covers an entire private block and that scoping to the subnets that actually need access would be closer to least privilege. Option D is wrong because conditioning on a private range is a common restriction that limits access to internal networks not directly reachable from the internet, which reduces exposure rather than creating it.
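A worked check for the gap this question describes, added here as an example (it is not part of the original question or its exhibit, which this page does not reproduce): a Python script that tests whether an S3 bucket policy denies non-TLS requests and appends the standard Deny statement when it does not. The sample policy, account ID, role name and bucket name are constructed placeholders.

```python
import copy
import json

# Constructed sample policy in the shape the question describes: an Allow scoped
# to an internal IP range, with no statement about transport security.
# Account ID, role and bucket names are placeholders (assumption, not from the page).
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowInternalRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/8"}},
        }
    ],
}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def enforces_tls(policy: dict) -> bool:
    """True if the policy denies every non-TLS request to the bucket.

    The canonical pattern is an explicit Deny on all S3 actions conditioned on
    Bool aws:SecureTransport == "false". An explicit Deny wins over any Allow,
    so plaintext HTTP requests are refused whatever the Allow statements say.
    """
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if flag is None or str(flag).lower() != "false":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & {"*", "s3:*"}:
            return True
    return False


def harden(policy: dict, bucket_arn: str) -> dict:
    """Return a copy of the policy with a Deny for plaintext (HTTP) requests appended."""
    fixed = copy.deepcopy(policy)
    fixed["Statement"] = _as_list(fixed.get("Statement", [])) + [
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            # Cover both the bucket and its objects so bucket-level calls are included.
            "Resource": [bucket_arn, f"{bucket_arn}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }
    ]
    return fixed


def audit(policy: dict) -> list:
    """Findings an auditor would raise for this policy; an empty list means none."""
    findings = []
    if not enforces_tls(policy):
        findings.append("no Deny for aws:SecureTransport=false: plaintext HTTP access is permitted")
    return findings


if __name__ == "__main__":
    print("weak:", audit(WEAK_POLICY))
    fixed = harden(WEAK_POLICY, "arn:aws:s3:::example-bucket")
    print("fixed:", audit(fixed))
    print(json.dumps(fixed, indent=2))
```

AWS Config's managed rule `s3-bucket-ssl-requests-only` performs the same check against live buckets. One further caveat on the IP condition in this exhibit: `aws:SourceIp` matches the public address of the caller, and requests that reach S3 through a VPC endpoint are matched with `aws:VpcSourceIp` or `aws:SourceVpce` instead, so a private-range `aws:SourceIp` condition should be verified against the path the application actually uses to reach the bucket.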

Question 6 (MCQ, medium)

An IS auditor is reviewing the audit follow-up process. The auditor notes that management has implemented corrective actions for 80% of previous audit findings. What should the auditor conclude?

A.The audit scope was too narrow
B.Further investigation of outstanding findings is needed
C.The audit process is effective
D.Management is compliant with all recommendations
Answer: B

Unresolved findings must be assessed for risks and followed up.

Why this answer

An 80% closure rate indicates that 20% of findings remain unresolved. ISACA standards require auditors to verify that all high-risk findings are remediated before concluding on control effectiveness. Without evidence that the outstanding 20% are low-risk or have an accepted risk, the auditor must investigate further to ensure residual risk is within the organization's appetite.

Exam trap

The trap here is that candidates assume a high percentage (80%) implies overall effectiveness, but CISA requires verification that all findings, especially high-risk ones, are resolved or formally accepted, not just a majority.

How to eliminate wrong answers

Option A is wrong because a narrow scope would typically result in missing findings, not in a specific closure percentage; the 80% figure does not indicate scope deficiency. Option C is wrong because an effective audit process requires not only corrective actions but also timely closure of all findings; 80% closure alone does not prove the overall process is effective, as the remaining 20% may represent critical gaps. Option D is wrong because management implementing 80% of recommendations explicitly means they are not compliant with all recommendations; the remaining 20% are outstanding.

Question 7 (MCQ, easy)

A company is developing a mobile banking application. Which test phase is MOST critical to ensure that the application functions correctly from the end user's perspective?

A.System testing.
B.User acceptance testing (UAT).
C.Unit testing.
D.Integration testing.
Answer: B

UAT ensures the system meets user needs.

Why this answer

User acceptance testing (UAT) is the most critical phase for verifying that the mobile banking application meets end-user requirements and functions correctly from their perspective. Unlike other testing phases that focus on technical correctness, UAT involves real users performing actual banking transactions (e.g., fund transfers, balance inquiries) in a production-like environment to validate usability, workflow accuracy, and compliance with business rules. This ensures the application is ready for deployment and will be accepted by its intended audience.

Exam trap

The trap here is that candidates often confuse system testing with user acceptance testing, mistakenly thinking that verifying all system functions technically is equivalent to ensuring the application works correctly from the end user's perspective.

How to eliminate wrong answers

Option A is wrong because system testing validates the complete integrated system against functional and non-functional requirements but does not involve end users; it focuses on technical correctness rather than user perspective. Option C is wrong because unit testing verifies individual components or modules in isolation, typically by developers, and cannot assess end-to-end user workflows or usability. Option D is wrong because integration testing checks the interactions between integrated modules or external systems (e.g., APIs, databases) but does not evaluate the application from an end user's viewpoint or validate business processes.

Question 8 (MCQ, hard)

Refer to the exhibit. A CISA is analyzing these logs. What is the MOST likely security incident?

A.Legitimate system maintenance activity
B.Brute force attack on the administrator account
C.Unauthorized installation of a critical update
D.Compromised administrator account used to establish a command and control channel
Answer: D

The attacker disabled a key process and set up a backdoor.

Why this answer

The logs show the administrator account executing a reverse shell connection (e.g., using PowerShell or netcat) to an external IP address on a non-standard port (e.g., 4444 or 8080). This outbound connection initiated by the admin account is a classic indicator of a command and control (C2) channel, where an attacker who has compromised the account uses it to maintain persistent remote access. Legitimate administrative activity would not typically involve establishing a reverse shell to an unknown external host.

Exam trap

The trap here is that candidates may mistake the single successful admin login as a brute force success (option B), but the subsequent reverse shell activity is the definitive indicator of a compromised account used for C2, not just credential guessing.

How to eliminate wrong answers

Option A is wrong because legitimate system maintenance activity would not involve an outbound reverse shell to an external IP on a non-standard port; maintenance tasks use standard protocols like SSH (port 22) or RDP (port 3389) to known internal servers. Option B is wrong because a brute force attack would show multiple failed login attempts from various IPs or usernames, not a single successful login followed by a reverse shell connection. Option C is wrong because unauthorized installation of a critical update would typically involve file downloads or execution of installer binaries, not the establishment of a persistent outbound reverse shell channel.
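The detection logic behind this answer, added here as an example (not part of the original question; the page does not reproduce the exhibit, so the log lines below are constructed in a simple key=value form): flag privileged accounts that spawn a hidden or non-interactive interpreter and then connect outbound to a non-internal address on a port that is not used for routine administration, and separately count failed logons to show why the brute-force option does not fit. The expected admin ports, the privileged-user list and the internal address ranges are assumed baselines; 198.51.100.0/24 is a documentation range standing in for the unknown external host.

```python
import ipaddress
import shlex

# Constructed log excerpt standing in for the question's exhibit, which is not
# reproduced on this page. Fields are key=value; 198.51.100.0/24 is a
# documentation range used here for the unknown external host.
SAMPLE_LOG = """\
2024-05-02T03:13:55Z host=srv01 user=administrator event=logon result=success src=10.0.5.21
2024-05-02T03:14:40Z host=srv01 user=administrator event=process_start image=powershell.exe cmdline="powershell -nop -w hidden -c IEX(New-Object Net.Sockets.TCPClient)"
2024-05-02T03:14:41Z host=srv01 user=administrator event=net_connect proto=tcp dst=198.51.100.23 dport=4444
2024-05-02T03:20:02Z host=srv01 user=administrator event=net_connect proto=tcp dst=10.0.0.15 dport=3389
2024-05-02T03:21:10Z host=srv01 user=svc_backup event=net_connect proto=tcp dst=10.0.0.40 dport=445
"""

# Ports an administrator would ordinarily use to manage internal hosts (assumed baseline).
EXPECTED_ADMIN_PORTS = {22, 443, 3389, 5985, 5986}
PRIVILEGED_USERS = {"administrator", "root"}
# RFC 1918 plus loopback; adjust to the organisation's own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Interpreter flags typical of a staged reverse shell rather than interactive admin use.
SUSPICIOUS_CMD_MARKERS = ("-w hidden", "-nop", "-enc ", "iex(")


def parse_line(line: str) -> dict:
    """Parse 'timestamp k=v k="v with spaces"' into a dict; shlex honours the quotes."""
    tokens = shlex.split(line)
    record = {"ts": tokens[0]}
    for token in tokens[1:]:
        key, _, value = token.partition("=")
        record[key] = value
    return record


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_c2_indicators(log_text: str) -> list:
    """Records that match the C2 pattern: privileged account, suspicious interpreter
    launch, and outbound connection to an external host on a non-admin port."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("user") not in PRIVILEGED_USERS:
            continue
        if rec.get("event") == "process_start":
            cmd = rec.get("cmdline", "").lower()
            if any(marker in cmd for marker in SUSPICIOUS_CMD_MARKERS):
                hits.append({**rec, "reason": "suspicious interpreter invocation"})
        elif rec.get("event") == "net_connect":
            if not is_internal(rec["dst"]) and int(rec["dport"]) not in EXPECTED_ADMIN_PORTS:
                hits.append({**rec, "reason": "outbound to external host on non-admin port"})
    return hits


def failed_logon_count(log_text: str, user: str) -> int:
    """A brute-force attempt (the question's option B) would show many of these."""
    count = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("event") == "logon" and rec.get("user") == user and rec.get("result") != "success":
            count += 1
    return count


if __name__ == "__main__":
    for hit in find_c2_indicators(SAMPLE_LOG):
        print(hit["ts"], hit["user"], hit["reason"])
    print("failed administrator logons:", failed_logon_count(SAMPLE_LOG, "administrator"))
```

On the sample the two flagged records are the hidden PowerShell launch and the connection to 198.51.100.23:4444; the RDP session to 10.0.0.15 and the backup service's SMB connection pass as ordinary activity, and the failed-logon count for the administrator is zero, which is why a brute-force reading of the same log does not hold.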

Question 9 (MCQ, medium)

An IS auditor is evaluating the security of the architecture. Which of the following is the MOST critical finding?

A.The web server has a public IP address
B.SQL traffic from the web server to the database server is allowed
C.No encryption for SQL traffic between web and database servers
D.The database server is not placed in the DMZ
Answer: C

Unencrypted SQL can be intercepted, compromising data confidentiality.

Why this answer

Option C is the most critical finding because unencrypted SQL traffic between the web and database servers exposes credentials and query results to anyone positioned on that network path. Even on an internal segment, an attacker who compromises the web server or an adjacent host can read or alter the traffic in transit. Encrypting the database connection with TLS (or protecting the segment with IPsec) is a fundamental control for data in transit, and the client should verify the server's certificate so that encryption cannot be downgraded or redirected.

Exam trap

The trap here is that candidates often focus on network placement (DMZ vs. internal) or the mere existence of SQL traffic, rather than recognizing that unencrypted data in transit is a far more critical vulnerability than architectural placement issues.

How to eliminate wrong answers

Option A is wrong because a web server typically requires a public IP address to serve external clients; this is a design choice, not a security finding. Option B is wrong because SQL traffic from the web server to the database server is expected and necessary for application functionality; the issue is not the existence of the traffic but its lack of encryption. Option D is wrong because placing the database server in the DMZ would expose it directly to external threats; best practice is to place the database server on a separate internal network segment behind the DMZ, not inside it.
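An added example of the checks an auditor can run for this finding (not part of the original question; the page does not reproduce the architecture exhibit): for a PostgreSQL database, inspect the server's pg_hba.conf for rules that accept TCP clients without TLS, and inspect the application's connection string for an sslmode that permits plaintext or skips certificate verification. The configuration fragments, subnet and host names are constructed; PostgreSQL's rule types and libpq's sslmode values are real.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed pg_hba.conf fragments standing in for the question's exhibit.
# 10.0.2.0/24 is assumed to be the web tier's subnet.
PG_HBA_WEAK = """\
# TYPE      DATABASE  USER  ADDRESS       METHOD
local       all       all                 peer
host        app       app   10.0.2.0/24   scram-sha-256
"""

PG_HBA_FIXED = """\
# TYPE      DATABASE  USER  ADDRESS       METHOD
local       all       all                 peer
hostssl     app       app   10.0.2.0/24   scram-sha-256  clientcert=verify-full
hostnossl   all       all   0.0.0.0/0     reject
"""


def plaintext_db_rules(pg_hba: str) -> list:
    """pg_hba entries that accept TCP clients without TLS.

    'host' matches SSL and non-SSL connections alike; 'hostnossl' matches only
    non-SSL; 'hostssl' requires TLS. A 'hostnossl ... reject' line is the fix,
    not a finding, so rules whose method is reject are skipped.
    """
    findings = []
    for raw in pg_hba.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local" or len(fields) < 5:
            continue                      # Unix-socket rule, or not a TCP rule
        if fields[4] == "reject":
            continue
        if fields[0] in ("host", "hostnossl"):
            findings.append(line)
    return findings


def dsn_sslmode(dsn: str) -> str:
    """sslmode requested by a libpq DSN in URL or keyword=value form; libpq defaults to 'prefer'."""
    if "://" in dsn:
        return parse_qs(urlsplit(dsn).query).get("sslmode", ["prefer"])[0]
    keywords = dict(part.split("=", 1) for part in dsn.split() if "=" in part)
    return keywords.get("sslmode", "prefer")


def dsn_weakness(dsn: str) -> Optional[str]:
    """Why the client side of the connection is not adequately protected, or None."""
    mode = dsn_sslmode(dsn)
    if mode in ("disable", "allow", "prefer"):
        return f"sslmode={mode}: connection may be, or fall back to, plaintext"
    if mode == "require":
        return "sslmode=require: encrypted, but the server certificate is not verified (MITM possible)"
    if mode == "verify-ca":
        return "sslmode=verify-ca: certificate chain is checked but the host name is not"
    return None


if __name__ == "__main__":
    print("weak rules:", plaintext_db_rules(PG_HBA_WEAK))
    print("fixed rules:", plaintext_db_rules(PG_HBA_FIXED))
    for dsn in ("postgresql://app@db.internal/app",
                "postgresql://app@db.internal/app?sslmode=require",
                "postgresql://app@db.internal/app?sslmode=verify-full&sslrootcert=/etc/ssl/internal-ca.pem"):
        print(dsn, "->", dsn_weakness(dsn))
```

The `hostssl` rules only take effect once `ssl = on` is set in postgresql.conf with a server certificate and key configured, and the client needs `sslmode=verify-full` together with the internal CA in `sslrootcert` for the server's identity to be checked; both halves are needed, since a weak sslmode on the client silently negotiates down to whatever the server permits.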

Question 10 (Matching, medium)

Match each regulatory standard to its focus area.

Matches

Financial reporting controls

Payment card data security

Health information privacy

Personal data protection

Why these pairings

Compliance requirements vary by industry.

Question 11 (MCQ, easy)

An IS auditor is conducting an audit of a small manufacturing company's IT operations. The company has 50 employees and uses a single server running Windows Server 2019 for file sharing and print services. There is no formal change management process. The IT manager, who also doubles as the system administrator, has full administrative rights and is the only person who can make changes to the server. During the audit, the auditor notices that the server's local security policy is configured to allow unlimited password attempts and no account lockout. The IT manager states that this is to avoid locking out users who forget their passwords. The auditor also finds that the guest account is enabled on the server. What should the auditor recommend as the HIGHEST priority action?

A.Train employees on password security.
B.Implement a formal change management process.
C.Disable the guest account and enforce account lockout policy.
D.Separate the roles of IT manager and system administrator.
Answer: C

These are direct security vulnerabilities that must be addressed immediately.

Why this answer

Option C is correct because the enabled guest account and the absence of any lockout threshold are live, directly exploitable weaknesses: an anonymous account plus unlimited password guessing against the only server the company has. Both are corrected in minutes through the local security policy and remove immediate exposure. Option A is helpful but closes neither weakness; training cannot stop a password-guessing attack that the server itself never throttles. Option B is an important governance control but is not an immediate vulnerability. Option D addresses segregation of duties, which a 50-employee company may not be able to staff, and is a longer-term governance recommendation rather than the first action.

Question 12 (MCQ, medium)

A financial institution operates a critical payment processing system that must maintain 99.999% availability. The system is deployed across two data centers in active-active mode with load balancing. During a routine maintenance window, a network misconfiguration caused all traffic to be directed to one data center, which then became overloaded and crashed, resulting in 30 minutes of downtime. The incident response team wants to prevent recurrence. Which of the following is the BEST action?

A.Configure health checks on the load balancers to detect and isolate unhealthy nodes.
B.Schedule all maintenance during non-peak hours only.
C.Increase the capacity of each data center to handle full traffic load.
D.Implement automatic failover to the backup data center when a threshold is exceeded.
Answer: A

Health checks can automatically remove an overloaded node from the pool, preventing cascading failure.

Why this answer

Option A is correct because the failure chain was: misdirected traffic, one data center overloaded, and the overloaded node continuing to receive traffic until it crashed. Health checks let the load balancers detect a node that no longer responds within threshold and stop sending it traffic, which breaks the cascade and keeps the healthy data center serving. Option B reduces the impact of a mistake but does not prevent it. Option C is costly and only masks the misconfiguration rather than detecting it. Option D assumes an active-passive arrangement with a standby site; the design is already active-active, so the missing control is detection of unhealthy nodes, not failover.

Question 13 (MCQ, medium)

An organization uses a hot site for disaster recovery. During a recent test, the hot site did not have the latest version of the application software. What is the MOST likely cause?

A.Inadequate change management procedures
B.Failure to synchronize data
C.Lack of backup media
D.Insufficient bandwidth
Answer: A

Without proper change management, software updates may not be applied to the hot site.

Why this answer

Option A is correct because change management should ensure that every change applied to production, including application software releases, is also applied to the recovery environment; its absence explains why the hot site was running an older version. Option B is less likely because data synchronization concerns data, not application versions. Options C and D relate to backup media and replication throughput, neither of which explains a missing software release.

Question 14 (MCQ, easy)

Which is the MOST likely cause?

A.Network connectivity lost
B.Backup software license expired
C.Backup media is full
D.Backup media is not connected
Answer: D

The error indicates the device is not ready, often due to disconnection or power off.

Why this answer

Option D is correct because an error of the form 'The device is not ready' means the backup target cannot be accessed, which is most often a disconnected or powered-off device. Option A (lost network connectivity) produces a network or path error; Option B (expired license) produces a licensing error; Option C (media full) produces an out-of-space error.

Question 15 (MCQ, hard)

An IS auditor is reviewing the balanced scorecard for IT. Which of the following metrics BEST aligns with the 'customer perspective'?

A.Average system uptime for critical applications
B.Percentage of IT projects under budget
C.Number of change requests completed on time
D.Percentage of staff with ITIL certification
Answer: A

Uptime reflects customer-facing service levels.

Why this answer

Option A is correct because uptime of critical applications is what IT's customers experience directly; it measures service delivery from their perspective. Option B (projects under budget) aligns with the financial perspective. Option C (change requests completed on time) aligns with the internal process perspective. Option D (staff certification) aligns with the learning and growth perspective.

Question 16 (MCQ, medium)

Based on the exhibit, which user account poses the HIGHEST security risk?

A.root
B.admin
C.test
D.None of the accounts are risky
Answer: B

The '!' indicates a locked password, but account may still exist.

Why this answer

The 'admin' account poses the highest security risk because it carries elevated privileges (typically membership of the sudo or wheel group on Linux/Unix, or the local Administrators group on Windows), is used for day-to-day administration, and still has an active password while root's password field is locked. An active, privileged, password-authenticated account is the natural target for password guessing and credential reuse, and its compromise yields full control of the system. Note that 'admin' is not a standard account with UID 0 on most systems; its privilege comes from group membership or sudo rules, which is why the auditor checks those alongside the shadow file.

Exam trap

The trap here is that candidates assume 'root' is always the highest risk due to its name, but CISA tests the understanding that a disabled or locked root account is less risky than an active, privileged 'admin' account with password-based authentication.

How to eliminate wrong answers

Option A is wrong because root's password field is locked, and root is commonly barred from direct login in any case (e.g., PermitRootLogin no in sshd_config), so its immediate exposure is lower than that of an active admin account. Option C is wrong because 'test' accounts are typically non-privileged, have limited access, and here show a locked password field, making them lower risk (though an auditor would still recommend removing unused test accounts). Option D is wrong because the 'admin' account clearly presents a higher risk due to its privileged nature and active password, so it is incorrect to say none are risky.
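A parser for the file this question is about, added here as an example (not part of the original question; the page does not reproduce the exhibit, so the /etc/shadow excerpt below is constructed and the admin hash is a placeholder): it classifies each account's password field as locked, empty or active, ranks the accounts by that status, and reports the aging findings an auditor would add. Privilege is not recorded in /etc/shadow, so the set of privileged accounts is passed in as an assumption (in practice it comes from /etc/group and sudoers).

```python
# Constructed /etc/shadow excerpt standing in for the question's exhibit, which is
# not reproduced on this page. The admin hash is a placeholder, not a real credential.
SHADOW_SAMPLE = """\
root:!:19700:0:99999:7:::
admin:$6$rounds=5000$saltsalt$placeholderhashvalue:19400:0:99999:7:::
test:*:19400:0:99999:7:::
"""

RISK_RANK = {"empty": 3, "active": 2, "locked": 1}


def classify_password_field(field: str) -> str:
    """Second field of a shadow(5) entry.

    ''      no password: login succeeds with an empty password (worst case)
    '!...'  locked with passwd -l / usermod -L; a hash may follow the '!' and can
            be unlocked later, so the account still exists
    '*'     never had a password (typical of system accounts)
    else    an active hash the account can authenticate with
    """
    if field == "":
        return "empty"
    if field.startswith("!") or field == "*":
        return "locked"
    return "active"


def parse_shadow(text: str) -> dict:
    """Map user name to password status for every well-formed entry."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 9:
            continue            # shadow(5) defines nine colon-separated fields
        entries[fields[0]] = classify_password_field(fields[1])
    return entries


def riskiest_account(text: str, privileged=("root", "admin")) -> str:
    """Password status first, then privilege as the tie-breaker (assumed privileged set)."""
    entries = parse_shadow(text)
    return max(entries, key=lambda user: (RISK_RANK[entries[user]], user in privileged))


def findings(text: str) -> list:
    """Per-account findings beyond the locked/active status itself."""
    out = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 9:
            continue
        user, status = fields[0], classify_password_field(fields[1])
        if status == "empty":
            out.append(f"{user}: empty password field, login without a password")
        elif status == "active" and (fields[4] == "" or int(fields[4]) >= 99999):
            # Field 5 is the maximum password age in days; 99999 or blank means never expires.
            out.append(f"{user}: password never expires (max days {fields[4] or 'unset'})")
    return out


if __name__ == "__main__":
    print(parse_shadow(SHADOW_SAMPLE))
    print("highest risk:", riskiest_account(SHADOW_SAMPLE))
    for item in findings(SHADOW_SAMPLE):
        print("finding:", item)
```

On the sample, root and test are locked, admin is the only account that can authenticate with a password, and its maximum password age of 99999 days adds a second finding; a real review would pair this output with `getent group sudo wheel` and the sudoers rules to confirm which of the active accounts are actually privileged.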

Question 17 (MCQ, hard)

An IS auditor reviews the log entry above. Which of the following is the MOST likely cause of the authentication failure?

A.The user's account is locked.
B.The user's password is incorrect.
C.The client certificate presented has a common name that does not match the configured expected name.
D.The RADIUS server is unavailable.
Answer: C

Error message states 'Invalid certificate CN'.

Why this answer

The log entry indicates an authentication failure with a client certificate. The error 'CN mismatch' or similar certificate validation failure occurs when the Common Name (CN) in the client certificate does not match the expected name configured on the server (e.g., in a RADIUS or TLS mutual authentication context). This is a specific certificate-level issue, not a password or account lockout problem.

Exam trap

ISACA often tests the distinction between certificate validation errors (like CN mismatch) and other authentication failures (like wrong password or account lockout), expecting candidates to recognize that certificate-based authentication failures are tied to the certificate's attributes, not user credentials or server availability.

How to eliminate wrong answers

Option A is wrong because an account lockout would typically generate a different error, such as 'account disabled' or 'account locked', not a certificate CN mismatch. Option B is wrong because an incorrect password would produce a 'bad password' or 'invalid credentials' error, not a certificate validation failure. Option D is wrong because a RADIUS server being unavailable would result in a timeout or 'no server available' error, not a certificate CN mismatch.

Question 18 (Multi-select, medium)

Which TWO of the following are primary objectives of capacity management? (Select exactly 2.)

Select 2 answers
A.To ensure adequate IT resources to meet current and future business demands
B.To monitor and report on system performance against SLAs
C.To minimize the total cost of ownership of IT resources
D.To procure hardware and software at the lowest possible cost
E.To optimize the use of existing resources to support business growth
Answers: A, E

This is the core purpose of capacity management.

Why this answer

Options A and E are correct: capacity management exists to ensure that IT resources are sufficient for current and forecast business demand, cost-effectively, and to make the best use of the resources already in place. Option B describes performance monitoring and service level management, which feed capacity management but are not its objective. Option C is a financial management goal. Option D is a procurement objective.

Question 19 (MCQ, easy)

Which of the following is the PRIMARY purpose of conducting a penetration test?

A.To test incident response capabilities
B.To exploit vulnerabilities to assess real-world impact
C.To meet compliance requirements
D.To identify vulnerabilities in a system
Answer: B

The primary purpose of a penetration test is to determine the extent of damage possible from exploitation.

Why this answer

The primary purpose of a penetration test is to exploit vulnerabilities in a controlled manner to assess the real-world impact and business risk, not merely to list them. While vulnerability scanning identifies weaknesses, penetration testing goes further by simulating an attacker's actions to determine if and how a vulnerability can be leveraged to compromise systems, data, or operations. This aligns with the CISA focus on evaluating the effectiveness of security controls under realistic attack conditions.

Exam trap

The trap here is confusing a vulnerability assessment (option D) with a penetration test, as many candidates think the primary goal is simply finding flaws, but CISA emphasizes that the real purpose is to exploit them to measure impact.

How to eliminate wrong answers

Option A is wrong because testing incident response capabilities is a secondary benefit, not the primary purpose; a penetration test may trigger IR processes, but its core objective is to validate security controls through exploitation. Option C is wrong because meeting compliance requirements (e.g., PCI DSS 11.4) is a driver for conducting a test, but the primary purpose remains the technical assessment of real-world exploitability and impact. Option D is wrong because identifying vulnerabilities is the goal of a vulnerability assessment, not a penetration test; a penetration test assumes vulnerabilities exist and focuses on exploiting them to measure actual risk.

Question 20 (MCQ, hard)

An organization has implemented a role-based access control (RBAC) system. A user complains that they cannot access a file needed to complete a critical task. The file's permission indicates that only the 'Manager' role has read access. The user is assigned to the 'Analyst' role. Which of the following is the BEST course of action?

A.Assign the user to the Manager role temporarily
B.Submit a request for temporary access approval via change management
C.Create a new role with only read access to that file
D.Change the file permissions to include Analyst role
Answer: B

This follows proper authorization and maintains security.

Why this answer

Option B is correct because in a properly implemented RBAC system, access changes must follow the principle of least privilege and be formally approved through change management to maintain audit trails and security controls. Granting temporary access via a documented change request ensures that the access is justified, time-bound, and reviewed, preventing unauthorized privilege escalation. This aligns with the CISA domain of Protection of Information Assets, where access control changes must be controlled and monitored.

Exam trap

The trap here is that candidates often choose to change file permissions or create a new role (options C or D) because they focus on the immediate technical fix, ignoring the governance and audit requirements that mandate formal change management for any access control modification.

How to eliminate wrong answers

Option A is wrong because temporarily assigning the user to the Manager role violates the principle of least privilege by granting excessive permissions (e.g., write, delete, or administrative rights) beyond the single file read access needed, increasing the risk of unauthorized actions. Option C is wrong because creating a new role with only read access to that file introduces role proliferation and administrative overhead, bypassing the established RBAC role hierarchy and potentially violating segregation of duties. Option D is wrong because directly changing file permissions to include the Analyst role circumvents the RBAC role-based assignment model, undermining the centralized access control policy and making audit trails inconsistent.

Question 21 (MCQ, hard)

A multinational manufacturing company with operations in 20 countries has historically allowed each regional division to manage its own IT systems independently. Recently, the company experienced a significant data breach originating from a region with weaker security controls, leading to financial losses and reputational damage. The board has mandated stronger IT governance to prevent future incidents. The CIO proposes implementing a global IT governance framework with centralized policy enforcement. However, regional directors argue that local regulations and business needs require autonomy. The governance committee must decide on a course of action that balances risk and business flexibility. Which of the following approaches is the MOST appropriate?

A.Adopt a federated governance model with global policies and local flexibility within defined tolerances.
B.Allow each region to continue independently but require quarterly reporting to the committee.
C.Implement a fully centralized IT governance model with no regional deviations.
D.Maintain the status quo but enforce minimum security standards across all regions.
AnswerA

Federated governance balances consistency with local adaptation.

Why this answer

Option A is correct because a federated model allows consistent governance at the top while permitting regional adaptations within defined boundaries, balancing control and flexibility. Option C is wrong because a fully centralized model may ignore local constraints and hinder business. Option B is wrong because the committee should not delegate entirely; the board expects governance.

Option D is wrong because minimum standards are insufficient; a stronger framework is needed after a breach.

22
MCQmedium

Given this configuration, which is the PRIMARY concern?

A.Data change rate exceeds bandwidth
B.RTO may not be achievable
C.Synchronous replication may impact application performance
D.Bandwidth may be insufficient to meet RPO
AnswerD

The required replication bandwidth exceeds available bandwidth, risking RPO violations.

Why this answer

Option D is correct because the data change rate of 50 GB per hour (~112 Mbps sustained) exceeds the 100 Mbps bandwidth, causing replication lag that may exceed the RPO. Option A describes the same condition as D, but the primary concern is its consequence for the RPO; B is less direct; C is a concern but not primary.

23
MCQhard

An organization is evaluating a cloud-based identity as a service (IDaaS) for single sign-on (SSO). Which of the following security concerns is MOST critical to address?

A.Lack of encryption for SAML assertions
B.Incompatibility with legacy applications
C.Downtime of the IDaaS provider
D.Compromise of the identity provider's credentials
AnswerD

A compromise of the IdP would grant attackers access to all federated applications, making it the most critical security concern.

Why this answer

The compromise of the identity provider's (IdP) credentials is the most critical security concern because the IdP acts as the central trust anchor for all SSO transactions. If an attacker gains control of the IdP's signing key or administrative credentials, they can forge SAML assertions for any user, bypassing all downstream authentication and gaining unauthorized access to every connected service provider (SP). This represents a single point of failure that undermines the entire SSO trust model.

Exam trap

The trap here is that candidates often focus on technical protocol details like encryption (Option A) or operational risks like downtime (Option C), but the CISA exam emphasizes that the most critical security concern in any federated identity system is the protection of the identity provider's root of trust—its credentials—because a compromise there negates all other controls.

How to eliminate wrong answers

Option A is wrong because SAML assertions are inherently signed and often encrypted end-to-end using XML Signature and XML Encryption standards; the lack of encryption for the assertion body does not expose the authentication token if the transport layer (TLS) is used, and the critical security control is the digital signature, not encryption. Option B is wrong because incompatibility with legacy applications is an integration or migration concern, not a security concern; it can be addressed through federation gateways or protocol translation without compromising the security posture of the SSO system. Option C is wrong because downtime of the IDaaS provider is an availability and business continuity issue, not a security concern; while it impacts access, it does not directly lead to unauthorized data disclosure or system compromise.

24
MCQmedium

A company has multiple business units with conflicting IT priorities. Which governance body should resolve this?

A.IT steering committee
B.Board of directors
C.IT management
D.Audit committee
AnswerA

This committee is designed to align and prioritize IT investments.

Why this answer

An IT steering committee, comprising business and IT leadership, is responsible for prioritizing IT initiatives and resolving conflicts. IT management may lack authority; board and audit committee have broader oversight roles.

25
MCQhard

Based on the exhibit, what should the IS auditor MOST likely recommend?

A.Investigate whether any changes are missing from the log
B.Immediately block all direct production access for developers
C.Require all changes to go through the standard approval process
D.Review the criteria for emergency changes and enforce proper classification
AnswerD

The high number of post-approved emergency changes suggests the process is being bypassed.

Why this answer

The exhibit shows changes classified as 'emergency' bypassing the standard approval process. The IS auditor's primary concern is that emergency changes may be misclassified to avoid proper review, increasing risk. Option D is correct because it addresses the root cause: reviewing the criteria for emergency changes and enforcing proper classification ensures that only truly urgent changes bypass standard controls, while all others follow the required approval path.

Exam trap

ISACA often tests the misconception that the IS auditor should immediately block all direct production access or require all changes to go through standard approval, when the real issue is ensuring proper classification and enforcement of the emergency change process.

How to eliminate wrong answers

Option A is wrong because the log may be complete; the issue is not missing entries but the classification and approval process for changes that are logged. Option B is wrong because blocking all direct production access for developers is an overly restrictive measure that may hinder legitimate emergency fixes; the focus should be on proper change classification and approval, not blanket access denial. Option C is wrong because requiring all changes to go through the standard approval process would eliminate the emergency change process entirely, which is not practical for urgent fixes; the correct approach is to ensure emergency changes are properly classified and justified, not to eliminate the process.

26
Multi-Selecteasy

Which TWO of the following are primary objectives of an information system audit?

Select 2 answers
A.Ensure optimal performance of IT systems
B.Implement security patches and updates
C.Identify areas for improvement in IT processes
D.Evaluate the effectiveness of internal controls
E.Prepare financial statements for external reporting
AnswersC, D

Correct: IS audits aim to recommend improvements.

Why this answer

Option C is correct because identifying areas for improvement in IT processes is a primary objective of an information system audit. The audit evaluates the design and operational effectiveness of controls, then recommends enhancements to align IT processes with business goals, risk appetite, and regulatory requirements. This goes beyond mere compliance to drive continuous improvement in governance and control frameworks.

Exam trap

The trap here is confusing operational or management responsibilities (like performance tuning or patch implementation) with the auditor's role of evaluating controls and identifying process improvements, leading candidates to select options that describe IT tasks rather than audit objectives.

27
MCQhard

Refer to the exhibit. A security administrator is troubleshooting why external users cannot reach the web server at 203.0.113.10 from the internet. Based on the configuration, what is the MOST likely issue?

A.No NAT rule is configured for the web server
B.The 'no-proxy-arp' option prevents the ASA from responding to ARP requests for the public IP
C.The source address is not translated
D.The access list denies incoming web traffic
AnswerB

Without proxy ARP, the ASA does not claim the public IP, so traffic is not received.

Why this answer

The 'no-proxy-arp' command disables proxy ARP on the ASA interface for the public IP address 203.0.113.10. Without proxy ARP, the ASA will not respond to ARP requests from upstream routers for that IP, so traffic destined to the web server is never delivered to the ASA for NAT processing. This is the most likely cause because the NAT rule exists but the ASA cannot intercept the traffic at Layer 2.

Exam trap

The trap here is that candidates assume a NAT rule alone is sufficient for inbound traffic, overlooking the Layer 2 requirement that the ASA must respond to ARP for the public IP via proxy ARP.

How to eliminate wrong answers

Option A is wrong because a NAT rule is shown in the exhibit (static NAT from 203.0.113.10 to the internal server), so the issue is not a missing NAT rule. Option B is correct as explained. Option C is wrong because the source address translation (PAT) is configured via the 'global' and 'nat' commands, and the problem is with destination reachability, not source translation.

Option D is wrong because the access list (ACL) shown permits inbound HTTP traffic to 203.0.113.10, so it does not deny web traffic.

28
MCQeasy

A medium-sized retail company relies on an ERP system for order processing and inventory management. The system is hosted on-premises with daily backups stored on tape. The company's business continuity plan specifies an RTO of 4 hours and an RPO of 1 hour for the ERP system. During a recent fire drill, it was discovered that restoring the ERP system from tape took over 6 hours, and the most recent backup was from the previous day. Which of the following is the BEST course of action to meet the RTO and RPO goals?

A.Increase the frequency of tape backups to every 30 minutes.
B.Conduct quarterly fire drills instead of annually.
C.Implement a hot standby site with real-time replication.
D.Replace tape backups with weekly cloud backups.
AnswerC

Hot standby with replication meets both RTO and RPO requirements.

Why this answer

Option C is correct because a hot standby site with real-time replication can achieve an RPO near zero and an RTO within 4 hours. Option A reduces the RPO but does not improve the long restore time. Option D increases the RPO to days, which is worse.

Option B does not address the recovery capability.

29
MCQmedium

An organization uses role-based access control (RBAC) for its enterprise resource planning (ERP) system. What is the greatest risk if user role assignments are not reviewed regularly?

A.Inconsistent application of password policies across roles.
B.Privilege creep, where users retain permissions no longer needed.
C.Increased authentication failures due to expired passwords.
D.Inability to track audit logs for user activity.
AnswerB

Privilege creep increases the attack surface and risk of unauthorized access.

Why this answer

In RBAC, permissions are assigned to roles, and users inherit those permissions through role membership. Without regular reviews, users may retain roles (and thus permissions) long after their job functions change, leading to privilege creep. This violates the principle of least privilege and increases the risk of unauthorized access or data breaches within the ERP system.

Exam trap

The trap here is that candidates confuse the operational impact of role reviews (privilege creep) with other access control issues like password policies or logging, which are separate concerns in the Protection of Information Assets domain.

How to eliminate wrong answers

Option A is wrong because password policies are typically set at the system or domain level, not tied to individual RBAC roles; inconsistent application would stem from policy configuration issues, not role review frequency. Option C is wrong because authentication failures due to expired passwords are managed by password expiration policies and account lockout mechanisms, not by the review of role assignments. Option D is wrong because audit log tracking is a function of the logging and monitoring infrastructure (e.g., SIEM, audit trails), not directly dependent on whether role assignments are reviewed; even with stale roles, logs can still be captured and tracked.

30
MCQmedium

During a security audit, it is discovered that a database containing customer credit card numbers is not encrypted at rest. The database is used by a legacy application that cannot be modified. Which compensating control most effectively reduces the risk?

A.Isolating the database server on a separate network segment with strict firewall rules
B.Enabling detailed audit logging for all database access
C.Requiring all users to sign a nondisclosure agreement (NDA)
D.Implementing dynamic data masking at the application level
AnswerA

Segmentation reduces the attack surface and limits access.

Why this answer

Isolating the database server on a separate network segment with strict firewall rules (e.g., using VLANs and ACLs to restrict traffic to only the legacy application’s IP and port) prevents unauthorized network-level access to the unencrypted data. This compensating control reduces the attack surface by ensuring that even if the database lacks encryption at rest, an attacker cannot reach it without first compromising the network segmentation, which is a critical defense-in-depth layer.

Exam trap

The trap here is that candidates often choose audit logging or masking because they seem technical, but they fail to recognize that only network segmentation actively prevents direct access to the unencrypted data at rest, while the others are either detective or require application changes that are impossible in this scenario.

How to eliminate wrong answers

Option B is wrong because enabling detailed audit logging only provides detective control—it logs who accessed the data but does not prevent unauthorized access or protect the unencrypted credit card numbers at rest. Option C is wrong because requiring NDAs is an administrative control that does not address the technical vulnerability of unencrypted data; it cannot stop an attacker who gains network access from reading the plaintext data. Option D is wrong because dynamic data masking at the application level would require modifying the legacy application (which cannot be changed) to implement masking logic, and it only obfuscates data in query results, not the underlying stored data, leaving the physical database files exposed.

31
Multi-Selecteasy

Which TWO of the following are common objectives of an IT balanced scorecard? (Choose two.)

Select 2 answers
A.Deploying a new ERP system
B.Reducing the number of help desk tickets
C.Enhancing IT staff skills and knowledge
D.Implementing a new firewall
E.Improving customer satisfaction with IT services
AnswersC, E

Learning and growth perspective.

Why this answer

Correct answers: C and E. The balanced scorecard typically includes customer, financial, internal process, and learning/growth perspectives; enhancing IT staff skills and knowledge falls under learning and growth, and improving customer satisfaction with IT services falls under the customer perspective. Option B is a metric, not an objective.

Option A is operational. Option D is security-specific.

32
MCQmedium

During the requirements gathering phase for a new financial system, stakeholders disagree on the priority of security controls versus user convenience. Which of the following is the BEST approach?

A.Postpone security decisions to later phases
B.Let the project team decide based on development ease
C.Conduct a risk assessment to balance security and usability
D.Implement all security controls regardless of convenience
AnswerC

A risk assessment identifies and evaluates threats, allowing the organization to make a balanced decision that aligns security controls with business needs.

Why this answer

Option C is correct because a risk assessment provides a structured, evidence-based framework for balancing security controls against user convenience during requirements gathering. By evaluating the likelihood and impact of threats specific to financial systems (e.g., transaction fraud, data breaches) against usability needs, the organization can prioritize controls that mitigate high-risk exposures without unnecessarily impeding legitimate business processes. This aligns with the COBIT 5 principle of balancing benefits, risk, and resource optimization.

Exam trap

The trap here is that candidates may choose Option A, mistakenly believing that security can be 'bolted on' later, but CISA emphasizes that security must be integrated from the requirements phase to avoid costly redesigns and compliance violations.

How to eliminate wrong answers

Option A is wrong because postponing security decisions to later phases introduces significant rework costs and integration challenges, as security requirements must be baked into system architecture from the start (e.g., secure coding practices, access control design). Option B is wrong because letting the project team decide based on development ease ignores stakeholder priorities and regulatory compliance (e.g., PCI DSS, SOX), leading to potential audit failures and security gaps. Option D is wrong because implementing all security controls regardless of convenience can cripple user productivity and lead to shadow IT, where users bypass controls (e.g., using unapproved cloud storage), increasing overall risk.

33
MCQeasy

An organization has implemented role-based access control (RBAC). Which of the following is the PRIMARY benefit of RBAC?

A.Simplified user permission management
B.Encryption of sensitive data at rest
C.Elimination of compliance requirements
D.Improved protection against malware
AnswerA

RBAC streamlines access control administration.

Why this answer

RBAC simplifies user permission management by assigning permissions to roles rather than individuals, allowing administrators to grant or revoke access by modifying role memberships. This reduces administrative overhead and the risk of permission errors, as changes propagate automatically to all users in a role. The primary benefit is operational efficiency in access control, not direct security features like encryption or malware protection.

Exam trap

The trap here is that candidates may confuse RBAC's administrative benefit with other security controls, assuming it directly provides encryption or malware defense, when in fact RBAC is purely an access management model.

How to eliminate wrong answers

Option B is wrong because encryption of sensitive data at rest is a data protection mechanism, not a benefit of RBAC; RBAC controls access to data but does not encrypt it. Option C is wrong because RBAC does not eliminate compliance requirements; it can help meet compliance (e.g., least privilege) but regulations still mandate audits, logging, and other controls. Option D is wrong because RBAC does not directly protect against malware; malware protection relies on endpoint security, antivirus, and network controls, not role-based access.

34
MCQmedium

A hospital is implementing a new electronic health records (EHR) system. The system will be used by doctors, nurses, and administrative staff. During the user acceptance testing (UAT) phase, the nursing staff reports that the interface for entering patient vitals is too slow and requires many clicks, which slows down their workflow. The project team has already completed system testing and is preparing for go-live in two weeks. The development team can make a quick fix to streamline the vital signs entry by adding a shortcut, but this change has not been tested. The IT director is concerned about patient safety and wants to ensure the system is usable. What is the BEST course of action?

A.Implement the quick fix immediately and go live as scheduled
B.Proceed with go-live as planned and address usability issues in a future release
C.Assess the risk, develop the fix, fast-track testing, and if successful, include it in the go-live
D.Delay go-live by one month to fully test the fix
AnswerC

Enables safe improvement.

Why this answer

Option C is correct because it balances patient safety with project timelines by formally assessing the risk of the untested fix, developing it, and then fast-tracking a targeted regression test. This approach ensures the usability issue is resolved without bypassing necessary quality controls, which is critical for a clinical system where data entry errors could directly impact patient care. The IT director's concern about patient safety is addressed by the risk assessment and focused testing, while the go-live date is preserved if the fix passes.

Exam trap

The trap here is that candidates may choose Option B (defer usability) thinking it is safer, but they fail to recognize that a usability issue in a clinical workflow directly threatens patient safety by increasing the likelihood of data entry errors, making risk assessment and targeted remediation the correct approach.

How to eliminate wrong answers

Option A is wrong because implementing an untested change immediately before go-live violates change management best practices and could introduce critical defects that compromise patient safety, such as data corruption or loss of vital signs. Option B is wrong because proceeding with a known usability flaw that slows down vital signs entry increases the risk of data entry errors or omissions, which in a clinical setting can lead to incorrect treatment decisions and patient harm. Option D is wrong because delaying go-live by a full month is unnecessarily conservative for a targeted fix that can be validated through fast-tracked regression testing, and it introduces project delays and costs without proportional risk reduction.

35
Multi-Selectmedium

Which TWO of the following are essential components of an effective incident response plan? (Select exactly 2.)

Select 2 answers
A.Root cause analysis procedures
B.Detailed vulnerability scanning schedules
C.Clearly defined roles and responsibilities
D.List of all hardware vendors and support contacts
E.Communication and escalation procedures
AnswersC, E

Essential for coordinated response.

Why this answer

Clearly defined roles and responsibilities (C) are essential because they ensure that during a security incident, every team member knows their specific tasks, such as who leads the investigation, who communicates with stakeholders, and who executes containment actions. Without this clarity, response efforts become chaotic, leading to delays and missed containment windows, which directly impacts the organization's ability to minimize damage and recover quickly.

Exam trap

ISACA often tests the distinction between proactive security activities (like vulnerability scanning or vendor lists) and the reactive, operational components of an incident response plan, leading candidates to mistakenly include non-essential items that are important for general IT management but not for immediate incident handling.

36
MCQhard

A multinational corporation is deploying a data loss prevention (DLP) solution across its network. The DLP system must be configured to prevent the exfiltration of personally identifiable information (PII) while minimizing false positives. Which approach is most effective?

A.Block all outbound email containing keywords such as 'SSN' or 'credit card'
B.Require all users to complete annual data handling training and rely on self-reporting
C.Implement full disk encryption on all endpoints and encrypt all outbound traffic
D.Use regex patterns for PII combined with context-aware policies (e.g., user role, destination domain)
AnswerD

Regex with context reduces false positives and accurately detects PII.

Why this answer

Option D is correct because using a combination of content-based rules and contextual analysis (e.g., destination, user role) reduces false positives while effectively detecting PII. Option A is too simplistic and may have high false positives. Option B relies heavily on user training, which is not a technical DLP control.

Option C is incorrect because encrypting all traffic would break functionality and is not a DLP method.

37
MCQmedium

A large enterprise recently experienced a data breach due to an insider threat. The IT governance committee is reviewing the incident and considering measures to prevent recurrence. Which of the following is the BEST course of action to address the root cause?

A.Implement a privileged access management (PAM) solution to control and monitor elevated access.
B.Increase logging and auditing of all user activities.
C.Deploy a security information and event management (SIEM) tool.
D.Terminate the employment of the insider who caused the breach.
AnswerA

PAM directly prevents and controls unauthorized privileged access, addressing the root cause.

Why this answer

A privileged access management (PAM) solution directly addresses the root cause of an insider threat by controlling, monitoring, and auditing elevated access rights. Since the breach was caused by an insider, limiting and tracking privileged accounts prevents unauthorized or excessive use of administrative credentials, which is the most effective preventive measure against recurrence.

Exam trap

The trap here is that candidates often confuse detective controls (logging, SIEM) with preventive controls (PAM), or they mistakenly view termination as a root-cause fix rather than a reactive measure, failing to recognize that the root cause is the lack of access governance.

How to eliminate wrong answers

Option B is wrong because increasing logging and auditing of all user activities is a detective control, not a preventive one; it helps identify breaches after they occur but does not stop an insider from abusing elevated access. Option C is wrong because deploying a SIEM tool aggregates and correlates logs for detection and analysis, but it does not prevent an insider from using privileged access to cause a breach. Option D is wrong because terminating the insider is a reactive disciplinary action that addresses the specific individual but does not fix the underlying lack of access controls, leaving the enterprise vulnerable to future insider threats.

38
MCQeasy

A systems analyst is gathering requirements for a new customer relationship management (CRM) system. Which of the following is the MOST important activity to ensure that the final system meets user needs?

A.Creating a prototype and asking for feedback after development.
B.Conducting a joint requirements validation session with stakeholders.
C.Developing a detailed technical specification before user sign-off.
D.Documenting all requirements in a formal specification.
AnswerB

Direct stakeholder involvement ensures alignment.

Why this answer

Conducting a joint requirements validation session with stakeholders (Option B) is the most important activity because it ensures that the requirements are accurate, complete, and agreed upon before development begins. This collaborative review process directly involves end users and business owners, allowing for immediate clarification and correction of misunderstandings, which is critical for aligning the CRM system with actual business processes. Without this validation, even a perfectly built system may fail to meet user needs, leading to costly rework.

Exam trap

The trap here is that candidates often confuse 'documenting requirements' (Option D) with 'validating requirements,' assuming that formal documentation alone is sufficient to ensure user needs are met, whereas the CISA exam emphasizes that validation through stakeholder interaction is the critical step to prevent costly rework.

How to eliminate wrong answers

Option A is wrong because creating a prototype and asking for feedback after development violates the iterative validation principle; feedback should be gathered during development, not after, to avoid rework and misalignment with user expectations. Option C is wrong because developing a detailed technical specification before user sign-off assumes that technical details can be finalized without user validation, which often leads to a system that meets technical specs but fails to satisfy business requirements. Option D is wrong because documenting all requirements in a formal specification alone does not ensure that the requirements are correct or understood by stakeholders; it is a passive activity that lacks the interactive validation needed to confirm user needs.

39
MCQhard

An organization plans to integrate a third-party payment gateway into its e-commerce platform. Which of the following is the MOST critical security control to implement before going live?

A.Perform a penetration test on the integration
B.Ensure all data is encrypted in transit and at rest
C.Implement detailed logging of payment transactions
D.Configure network firewalls to restrict traffic
AnswerA

Pen testing proactively identifies vulnerabilities in the integration.

Why this answer

A penetration test on the integration is the most critical control because it actively validates the security of the API endpoints, data flows, and authentication mechanisms between the e-commerce platform and the third-party gateway. Unlike passive controls like encryption or logging, a penetration test can uncover exploitable vulnerabilities such as injection flaws, broken authentication, or insecure direct object references that could lead to financial fraud or data breach before the system is exposed to live transactions.

Exam trap

The trap here is that candidates often choose encryption (Option B) as the most critical control because it is a fundamental security requirement, but the question specifically asks for the control that validates the integration's security before going live, which only a penetration test can achieve.

How to eliminate wrong answers

Option B is wrong because encryption in transit and at rest is a necessary baseline control but does not address logic flaws or misconfigurations in the integration code that could allow an attacker to bypass payment validation or steal tokens. Option C is wrong because detailed logging is a detective control that helps after an incident occurs; it does not prevent or identify exploitable vulnerabilities before going live. Option D is wrong because network firewalls restrict traffic at the network layer but cannot protect against application-layer attacks such as API parameter tampering or session hijacking that target the payment gateway integration.

40
Drag & Dropmedium

Arrange the steps to implement a password policy in the correct order.

Why this order

Password policy implementation: define requirements, set expiration, lockout, communicate, and enforce.

41
MCQhard

During a third-party software vendor audit, the IS auditor discovers that the vendor uses a common shared database for multiple clients and relies on application-level access controls. Which of the following is the GREATEST concern?

A.Data from different clients may be commingled and accessible.
B.The database does not encrypt data at rest.
C.The vendor does not perform regular penetration testing.
D.The vendor lacks segregation of duties among administrators.
AnswerA

Application-level access controls can be circumvented, causing data leakage between clients.

Why this answer

Option A is correct because application-level controls can be bypassed if there are vulnerabilities, leading to data exposure. Option D is less critical because segregation of duties can be managed. Option C is not a direct control issue.

Option B is not the primary concern.

42
MCQmedium

An IS auditor reviews the exhibit during an audit of database controls. What is the most appropriate recommendation?

A.Review the application code for missing commit statements
B.Enable automatic retry for failed transactions
C.Implement a locking strategy to prevent resource contention
D.Increase the database timeout parameter
AnswerC

A proper locking strategy, such as using row-level locks or scheduling, reduces contention.

Why this answer

Option C is correct because the exhibit (not shown here, but implied by the context) likely depicts a deadlock graph or lock-wait chain, indicating that concurrent transactions are blocking each other. The most appropriate recommendation is to implement a locking strategy (e.g., row-level locking, lock ordering, or using snapshot isolation) to prevent resource contention and avoid deadlocks. This directly addresses the root cause of the observed performance or failure issues.

Exam trap

The trap here is that candidates often confuse a deadlock or lock contention issue with a timeout or missing COMMIT problem, and choose to increase timeouts or add retries instead of addressing the fundamental locking strategy.

How to eliminate wrong answers

Option A is wrong because missing COMMIT statements would cause uncommitted transactions to hold locks indefinitely, but the exhibit shows contention, not missing commits; reviewing application code for missing COMMITs is a generic guess that does not solve the locking conflict. Option B is wrong because enabling automatic retry for failed transactions treats the symptom (deadlock retries) rather than preventing the underlying contention; it can lead to livelock or excessive retry overhead. Option D is wrong because increasing the database timeout parameter only delays the failure or extends lock waits, making contention worse; it does not resolve the root cause of resource contention.

43
Multi-Selectmedium

Which TWO of the following are key components of an IT governance framework?

Select 2 answers
A.Resource management
B.Strategic alignment
C.Performance measurement
D.Risk management
E.Value delivery
AnswersB, E

Strategic alignment ensures IT goals are in line with business goals, a core governance component.

Why this answer

Strategic alignment (B) is a key component of an IT governance framework because it ensures that IT strategies, investments, and operations are directly linked to business goals and objectives. This alignment is achieved through mechanisms such as balanced scorecards, IT steering committees, and portfolio management, which translate business strategy into IT priorities. Without strategic alignment, IT may operate in a silo, leading to wasted resources and missed opportunities for business value.

Exam trap

The trap here is that candidates often confuse the five focus areas of COBIT (strategic alignment, value delivery, risk management, resource management, performance measurement) with the two core components of an IT governance framework, leading them to select all five or pick risk management as a core component.

44
Multi-Selecteasy

Which TWO of the following are key components of an IT governance framework? (Choose two.)

Select 2 answers
A.Network topology diagram
B.Help desk procedures
C.Hardware inventory
D.IT strategy
E.IT steering committee
AnswersD, E

Correct. Defines alignment with business goals.

Why this answer

Options D and E are correct because an IT strategy and an IT steering committee are fundamental governance components. Option A is incorrect because a network topology diagram is technical. Option B is incorrect because help desk procedures are operational. Option C is incorrect because hardware inventory is operational.

45
Multi-Selectmedium

An organization is implementing COBIT 2019. Which TWO of the following are governance enablers? (Choose two.)

Select 2 answers
A.Hardware configuration
B.Project schedule
C.Organizational structures
D.Network performance
E.Culture, ethics and behavior
AnswersC, E

Correct. A COBIT enabler for governance.

Why this answer

Options C and E are correct because organizational structures and culture, ethics, and behavior are COBIT enablers. Option A is incorrect because hardware configuration is an implementation detail. Option B is incorrect because a project schedule is a project management artifact. Option D is incorrect because network performance is operational.

46
MCQmedium

A financial institution is evaluating its IT governance structure. Which of the following roles is BEST suited to ensure independent oversight of IT investments?

A.Chief Information Officer (CIO)
B.Project Management Office (PMO) director
C.IT Audit Committee
D.Chief Information Security Officer (CISO)
AnswerC

An independent audit committee provides objective oversight.

Why this answer

The IT Audit Committee is the correct answer because it provides independent oversight of IT investments by operating outside of management's direct reporting structure. Unlike the CIO, PMO director, or CISO, who are all part of management and may have vested interests in project approvals or resource allocation, the IT Audit Committee reports to the board of directors and ensures that IT investments align with enterprise strategy, risk appetite, and regulatory requirements without bias.

Exam trap

The trap here is that candidates often confuse operational management roles (CIO, PMO director, CISO) with governance roles, mistakenly believing that a senior IT manager can provide independent oversight when they are actually part of the management chain being overseen.

How to eliminate wrong answers

Option A is wrong because the Chief Information Officer (CIO) is a senior management role responsible for the day-to-day operation and strategic planning of IT, which inherently lacks the independence required for oversight of IT investments. Option B is wrong because the Project Management Office (PMO) director is focused on project execution, resource management, and delivery metrics, not on independent governance or strategic alignment of IT investments. Option D is wrong because the Chief Information Security Officer (CISO) is primarily concerned with information security risk management and compliance, not with the broader financial and strategic oversight of IT investments.

47
MCQeasy

Based on the exhibit, what is the security risk of this bucket policy?

A.The bucket is publicly readable
B.The bucket allows public write access
C.The bucket policy restricts access to a specific IAM role
D.The bucket policy is not encrypted
AnswerA

Principal: * allows anonymous access.

Why this answer

The bucket policy grants public read access by setting `"Principal": "*"` and `"Effect": "Allow"` with `"Action": "s3:GetObject"`. This means any unauthenticated user on the internet can list and retrieve objects in the bucket, making it publicly readable. The policy does not require any authentication or authorization checks, which is a common misconfiguration leading to data exposure.

Exam trap

ISACA often tests the distinction between read and write permissions in bucket policies, and the trap here is that candidates see `"Principal": "*"` and assume it means full public access (both read and write), but the specific `Action` determines the actual risk—only read access is granted in this case.

How to eliminate wrong answers

Option B is wrong because the policy only allows `s3:GetObject` (read) actions, not `s3:PutObject` or `s3:DeleteObject` (write) actions, so public write access is not granted. Option C is wrong because the policy sets `"Principal": "*"`, which applies to all principals, not restricting access to a specific IAM role; a restricted policy would specify an ARN like `"AWS": "arn:aws:iam::123456789012:role/MyRole"`. Option D is wrong because S3 bucket policies are not individually encrypted; they are stored as JSON documents within AWS IAM and are protected by AWS's infrastructure encryption at rest, and the question asks about a security risk, not a missing encryption feature that does not exist for policies.

48
MCQeasy

An IS auditor is evaluating the effectiveness of an organization's business continuity plan (BCP). Which of the following findings would be of GREATEST concern?

A.The backup tapes are stored in a locked cabinet in the server room
B.The BCP contact list has not been updated in six months
C.The BCP has not been tested in over two years
D.The BCP relies on manual workarounds for critical systems
AnswerC

Lack of testing means the plan may fail in a disaster.

Why this answer

The BCP has not been tested in over two years is the greatest concern because testing is the only way to validate that the plan works under real-world conditions. Without recent testing, the organization cannot be confident that recovery time objectives (RTOs) and recovery point objectives (RPOs) are achievable, and any gaps or assumptions in the plan remain undiscovered. ISACA standards recommend testing at least annually, and a two-year gap significantly increases the risk of plan failure during an actual disaster.

Exam trap

The trap here is that candidates often focus on obvious physical security or documentation issues (like tape storage or outdated contact lists) and underestimate that the absence of testing renders all other BCP components unvalidated, making it the most critical finding from an audit perspective.

How to eliminate wrong answers

Option A is wrong because storing backup tapes in a locked cabinet in the server room, while not ideal (they should be offsite for geographic redundancy), is a physical security control that does not directly invalidate the BCP's effectiveness; the greater risk is the lack of testing. Option B is wrong because a BCP contact list that has not been updated in six months is a maintenance issue, but it can be corrected quickly and does not indicate that the plan itself is unworkable; the lack of testing is a more fundamental flaw. Option D is wrong because relying on manual workarounds for critical systems is a design choice that may be acceptable if the manual procedures are documented, trained, and tested; the absence of testing is what makes this reliance dangerous.

49
MCQeasy

An organization wants to ensure that IT performance is measured against strategic goals. Which tool is BEST suited?

A.Balanced scorecard
B.Pareto chart
C.SWOT analysis
D.Gantt chart
AnswerA

BSC aligns IT metrics with strategic goals.

Why this answer

A balanced scorecard translates strategic goals into performance metrics across financial, customer, internal process, and learning perspectives. Gantt charts, SWOT analysis, and Pareto charts are not designed for this purpose.

50
MCQmedium

An IT auditor is reviewing the change management process for a financial application. The auditor finds that emergency changes are frequently implemented without post-implementation review. What is the MOST significant risk?

A.The change may not be documented properly
B.The change may cause an outage during the next backup cycle
C.Security vulnerabilities may be introduced and remain undetected
D.Users may not be notified of the change
AnswerC

Emergency changes bypass normal controls, and lack of review means any flaws are not corrected promptly.

Why this answer

Option C is correct because without review, emergency changes may introduce security vulnerabilities or instability that go unnoticed. Option B is a lesser risk; Option A is a consequence but not the most significant risk; Option D is an operational risk but less critical than security.

51
MCQhard

An organization's IT governance committee is reviewing a proposal to use a public cloud provider that does not meet the organization's data encryption standards. The board has set a low risk appetite for data privacy. What is the BEST action?

A.Accept the proposal with additional monitoring
B.Delegate the decision to the security team
C.Accept the proposal but require the provider to sign a waiver
D.Reject the proposal until encryption requirements are met
AnswerD

Correct. The proposal does not align with risk appetite.

Why this answer

Option D is correct because the proposal violates the board's risk appetite, so it should be rejected until the encryption requirements are met. Option A is incorrect because additional monitoring does not address the encryption gap. Option C is incorrect because waivers do not reduce the risk. Option B is incorrect because the committee should not delegate a decision that contradicts risk appetite.

52
MCQhard

An auditor finds that access reviews have not been completed for two quarters. What is the MOST significant risk?

A.Data integrity may be compromised
B.Unauthorized access may be granted and persist
C.System performance may degrade
D.Audit findings may be reported to management
AnswerB

Correct. Incomplete reviews allow inappropriate access to continue.

Why this answer

Option B is correct because without regular reviews, unauthorized or inappropriate access may go undetected, increasing the risk of data breaches. Option D is incorrect because while audit findings will be reported, that is a consequence, not the primary risk. Option C is incorrect because system performance is unrelated. Option A is incorrect because data integrity may be at risk, but that is less direct than unauthorized access.

53
Multi-Selectmedium

An IS auditor is selecting an appropriate audit sample. Which THREE of the following are factors that affect the sample size?

Select 3 answers
A.Tolerable error rate
B.Confidence level
C.Sampling interval
D.Expected error rate
E.Population standard deviation
AnswersA, B, D

Lower tolerable error rates require larger samples.

Why this answer

Sample size is influenced by the expected error rate, tolerable error rate, and confidence level.

54
MCQmedium

A company is implementing a new procurement system. The project team is considering using a rapid application development (RAD) methodology. Which of the following is a potential risk of using RAD?

A.Inadequate documentation
B.Reduced stakeholder involvement
C.Longer development time
D.Difficulty in prototyping
AnswerA

Speed can compromise documentation.

Why this answer

RAD prioritizes speed and iterative prototyping over formal documentation. Because the focus is on quickly delivering working software through user feedback and short development cycles, comprehensive documentation is often neglected or produced after the fact, leading to inadequate records for maintenance, auditing, and compliance.

Exam trap

The trap here is that candidates may assume RAD reduces stakeholder involvement due to its fast pace, but in reality RAD demands more frequent and active stakeholder participation to validate prototypes and provide feedback.

How to eliminate wrong answers

Option B is wrong because RAD actually increases stakeholder involvement through continuous user feedback and prototyping, not reduces it. Option C is wrong because RAD is specifically designed to shorten development time through iterative cycles and time-boxed delivery, not lengthen it. Option D is wrong because prototyping is a core strength of RAD, not a difficulty; RAD relies on rapid prototyping to refine requirements and validate functionality.

55
Multi-Selecthard

Which THREE of the following are components of the COBIT 2019 governance system?

Select 3 answers
A.Organizational structures
B.Information items
C.Processes
D.Service desk
E.Project management office
AnswersA, B, C

Organizational structures are a governance component.

Why this answer

Options A, B, and C are correct because COBIT 2019 includes the governance components Processes, Organizational Structures, and Information Items. Option D (Service Desk) is an operational process, not a governance component. Option E (Project Management Office) is a management structure, not a governance component as defined in COBIT 2019.

56
Matchingmedium

Match each encryption key type to its usage.

Same key for encrypt and decrypt

Public/private key pair

Temporary key for a session

Kept secret by owner

Why these pairings

Key types are central to cryptography.

57
MCQmedium

A financial institution recently experienced a data breach where an attacker exfiltrated customer data through an SQL injection vulnerability in a web application. The IS auditor has been asked to review the application security controls. The web application is developed in-house and runs on an application server behind a web application firewall (WAF). The auditor reviews the WAF logs and finds that no SQL injection attacks were detected before the breach, but the logs show many blocked XSS attempts. The developer states that all input validation is performed on the client side using JavaScript. During the audit, the auditor also finds that the application uses a shared database account with DBA privileges for all connections. What is the MOST significant weakness that directly contributed to the breach?

A.Client-side input validation is insufficient and server-side validation is missing.
B.The use of a shared DBA database account violates the principle of least privilege.
C.The WAF is misconfigured to detect only XSS attacks but not SQL injection.
D.The application server is not patched against known SQL injection vulnerabilities.
AnswerA

Without server-side validation, the application is vulnerable to SQL injection.

Why this answer

Option A is correct because client-side validation is easily bypassed, and the lack of server-side validation allowed the SQL injection. Option B is possible but not confirmed as the direct cause. Option C is a weakness but not the direct cause of the SQL injection. Option D is not supported by the evidence.

58
MCQhard

During an information systems audit, the IS auditor finds that data classification labels are not consistently applied across the organization. What is the most likely root cause of this issue?

A.The data classification policy is too complex and has too many levels.
B.Insufficient training and awareness programs on data classification.
C.The organization does not enforce consequences for misclassification.
D.Lack of automated classification tools integrated with the document management system.
AnswerB

Users must be trained to classify data correctly; lack of awareness leads to inconsistent application.

Why this answer

Inconsistent application of data classification labels is most commonly caused by insufficient training and awareness programs. Without proper education, users do not understand how to correctly classify data according to the policy, leading to inconsistent labeling across the organization.

Exam trap

The trap here is that candidates may focus on technical solutions (automated tools) or enforcement mechanisms, but the ISACA CISA exam emphasizes that the most common root cause of policy non-compliance is inadequate training and awareness, not technology or enforcement gaps.

How to eliminate wrong answers

Option A is wrong because while a complex policy with too many levels can contribute to confusion, the root cause is typically a lack of understanding of the existing policy, not the number of levels. Option C is wrong because lack of enforcement is a secondary issue; even with enforcement, users cannot comply if they do not know how to classify correctly. Option D is wrong because automated classification tools can help but are not the root cause; the primary issue is human error due to insufficient training, not the absence of technology.

59
MCQeasy

During a disaster recovery test, the recovery time objective (RTO) for a critical application was not met. Which of the following is the MOST likely cause?

A.The backup media was stored offsite
B.The standby server had insufficient storage capacity
C.The network connectivity was tested beforehand
D.The recovery procedures were documented
AnswerB

Correct: Lack of storage can prevent or delay data restoration.

Why this answer

Insufficient storage on the standby server delays data restoration, directly impacting RTO. Other options are good practices that would not cause failure.

60
MCQmedium

A large financial institution is evaluating the effectiveness of its IT governance framework. The board has requested a review to ensure alignment with business objectives and regulatory requirements. Which of the following is the MOST important factor for the board to consider when assessing the IT governance framework?

A.The framework is integrated with enterprise governance and supports strategic objectives.
B.The framework includes a detailed incident response plan.
C.The framework focuses on achieving high technical efficiency.
D.The framework minimizes overall IT costs.
AnswerA

Integration with enterprise governance ensures IT supports business goals and regulatory compliance.

Why this answer

Option A is correct because a well-defined IT governance framework must integrate with enterprise governance to ensure alignment with business objectives and regulatory requirements. Option D is wrong because focusing solely on cost reduction may conflict with strategic priorities. Option B is wrong because incident response is operational, not governance-level. Option C is wrong because technical efficiency is a management concern, not board-level governance.

61
MCQeasy

Refer to the exhibit. An auditor finds that the file 'sensitive.txt' has world-writable permissions. Which of the following is the most appropriate remediation action?

A.Remove world-writable permissions using chmod 644.
B.Encrypt the file using GnuPG to protect its contents.
C.Apply an ACL to restrict access only to specific users.
D.Change the file owner to a different user using chown.
AnswerA

chmod 644 sets the file to rw-r--r--, removing world-writable and providing proper access.

Why this answer

The file 'sensitive.txt' has world-writable permissions, meaning any user on the system can modify or delete it. The most direct and appropriate remediation is to remove the world-writable permission using `chmod 644`, which sets the file to owner read-write, group read, and others read. This eliminates the security risk while preserving necessary access for the owner and group.

Exam trap

The trap here is that candidates may overcomplicate the solution by choosing encryption or ACLs, when the simplest and most direct fix is to adjust the file permissions using `chmod`.

How to eliminate wrong answers

Option B is wrong because encrypting the file with GnuPG protects its confidentiality but does not address the world-writable permission; the file remains modifiable by anyone, which could lead to data corruption or unauthorized changes. Option C is wrong because applying an ACL to restrict access to specific users is an alternative approach, but it is not the most appropriate remediation; the simplest and most direct fix is to remove the world-writable bit, and ACLs add complexity without necessity when a simple permission change suffices. Option D is wrong because changing the file owner using `chown` does not remove the world-writable permission; the new owner would still have the same permission issue unless the permissions are also modified.

62
MCQhard

Based on the exhibit, what is the MOST likely compliance issue requiring immediate remediation?

A.Access is not properly restricted.
B.Compliance checks are not being performed.
C.Backup media lacks encryption.
D.Retention period is too short.
AnswerC

Status explicitly states backup media not encrypted.

Why this answer

The exhibit shows backup tapes stored in an unsecured cabinet without any indication of encryption. Since backup media often contains sensitive data, the lack of encryption exposes the organization to data breaches if the media is lost or stolen. This is a direct violation of data protection requirements and requires immediate remediation.

Exam trap

ISACA often tests the distinction between operational issues (e.g., retention period) and security controls (e.g., encryption), and the trap here is that candidates may focus on the visible retention label rather than the missing encryption safeguard.

How to eliminate wrong answers

Option A is wrong because the exhibit does not provide any evidence of access control mechanisms (e.g., ACLs, authentication logs) to conclude that access is improperly restricted. Option B is wrong because the exhibit does not show whether compliance checks are scheduled or performed; the issue is about the physical security of backup media, not the frequency of checks. Option D is wrong because the retention period is not indicated in the exhibit; the problem is the lack of encryption on backup media, not how long it is kept.

63
MCQeasy

Refer to the exhibit. Based on the governance status report, which component should be addressed as a priority?

A.Strategy Alignment
B.Performance Measurement
C.Resource Optimization
D.Risk Management
AnswerC

Red status requires urgent action.

Why this answer

Resource Optimization has a Red status, indicating critical risk or non-compliance, requiring immediate attention. Green and Yellow components are less urgent.

64
MCQmedium

An organization's online transaction processing system experienced a sudden performance degradation. The database administrator checked system resources and found excessive I/O wait time on the storage subsystem. Which of the following is the MOST likely root cause?

A.An inefficient SQL query causing table scans
B.Inadequate disk spindles or a storage area network (SAN) bottleneck
C.Insufficient memory allocated to the database server
D.Network latency between the application and database servers
AnswerB

I/O wait is a clear indicator of storage subsystem saturation, often due to insufficient disk spindles or SAN performance issues.

Why this answer

Option B is correct because excessive I/O wait time typically indicates that the storage system cannot keep up with demand, often due to insufficient disk spindles or a SAN bottleneck. Option C is wrong because insufficient memory usually causes high CPU usage or swapping, not directly I/O wait. Option D is wrong because network latency affects network I/O, not disk I/O. Option A is wrong because application code bugs might cause logical errors but not necessarily storage I/O issues.

65
Multi-Selecthard

Which THREE of the following are common techniques for ensuring business resilience?

Select 3 answers
A.Insurance policies
B.Regular data backups
C.Annual employee training
D.Redundant hardware
E.Single point of failure analysis
AnswersA, B, D

Insurance provides financial resilience to recover from losses.

Why this answer

Correct answers are A, B, and D: insurance policies, regular data backups, and redundant hardware. C and E are not resilience techniques; E is a risk analysis step, and C is training, which is supportive but not a core resilience technique.

66
MCQeasy

A healthcare organization must comply with HIPAA regulations regarding patient data privacy. The IT department has implemented technical controls, but the compliance officer discovers that some employees are sharing passwords. What is the BEST governance response?

A.Implement multi-factor authentication to prevent password sharing.
B.Enforce the existing policy through disciplinary actions and additional training.
C.Report the incident to the regulatory authority as a data breach.
D.Revise the password policy to require more complex passwords.
AnswerB

Enforcement and training are key governance controls.

Why this answer

Option B is correct because enforcing the policy through disciplinary action and training addresses the root cause. Option A is wrong because over-reliance on technical controls may not prevent deliberate sharing. Option D is wrong because policy revision alone may not change behavior. Option C is wrong because reporting to the regulator is premature.

67
MCQmedium

A company is integrating a third-party payment gateway into its e-commerce platform. Which of the following is the MOST important security control to implement?

A.Implement role-based access control
B.Log all transactions
C.Validate all input from the payment gateway
D.Encrypt all data with SSL
AnswerC

Prevents injection and data corruption.

Why this answer

Option C is correct because input validation from the payment gateway is the most critical security control. The payment gateway returns data (e.g., transaction status, amount, token) that is consumed by the e-commerce platform. Without strict validation, an attacker could inject malicious payloads (e.g., SQL injection, XSS) via manipulated gateway responses, leading to data breaches or unauthorized transactions.

This control directly prevents injection attacks at the integration boundary.

Exam trap

The trap here is that candidates often choose encryption (SSL/TLS) as the most important control because it is a well-known security measure, but they overlook that encryption does not validate the trustworthiness of the decrypted data, which is the primary risk when integrating with an external system.

How to eliminate wrong answers

Option A is wrong because role-based access control (RBAC) manages internal user permissions but does not protect against malicious data arriving from the external payment gateway. Option B is wrong because logging transactions is a detective control that records events after they occur; it does not prevent an attack from exploiting unvalidated input. Option D is wrong because encrypting data with SSL/TLS protects data in transit between the e-commerce platform and the payment gateway, but it does not validate the content of the data received; an encrypted malicious payload is still malicious.

68
MCQeasy

A medium-sized manufacturing company has recently deployed an ERP system to integrate its financial, supply chain, and HR processes. The IT department is small (5 staff) and reports to the CFO. The company has no formal IT governance committee; IT decisions are made by the CFO and CEO informally. During a recent audit, it was found that several critical security patches for the ERP system have not been applied, and there are no documented procedures for change management. The IT manager states that patches are applied when time permits, and changes are discussed via email. The CFO argues that the ERP is running fine and the audit findings are low risk. The IS auditor needs to recommend a course of action to improve IT governance. Which of the following is the MOST appropriate initial step?

A.Elevate the issue to the board of directors with a recommendation to outsource IT management
B.Recommend the formation of an IT steering committee comprising key business stakeholders to oversee IT strategy, risk, and resource allocation
C.Develop a comprehensive patch management policy and present it to the CFO for approval
D.Insist that the IT manager immediately apply all missing patches within one week
AnswerB

Correct. This addresses the root cause of lack of governance and oversight.

Why this answer

Option B is correct because the fundamental issue is the lack of a governance structure; establishing an IT steering committee with business representation ensures that IT decisions are aligned with business needs and that risks are properly evaluated. Option D is premature because without governance there is no process to prioritize patches. Option C is too narrow; it addresses only patches, not the underlying governance gap. Option A is incorrect because pushing the auditor's own opinion may create conflict and does not establish a sustainable governance process.

69
Matchingmedium

Match each COBIT 5 domain to its description.

Evaluate, Direct, and Monitor

Align, Plan, and Organize

Build, Acquire, and Implement

Deliver, Service, and Support

Monitor, Evaluate, and Assess

Why these pairings

COBIT 5 process domains are key for IT governance.

70
MCQmedium

Refer to the exhibit. An IS auditor finds this bucket policy attached to an S3 bucket storing sensitive customer data. What should the auditor recommend?

A.Change the Resource to a different bucket.
B.Remove the Action "s3:GetObject" and add "s3:PutObject".
C.Encrypt the bucket at rest.
D.Restrict the principal to specific IAM roles or users.
AnswerD

The policy grants public read access; principal should be limited.

Why this answer

The bucket policy grants access to any principal ("Principal": "*"), meaning any AWS user or anonymous user can perform the allowed actions on the bucket. For a bucket storing sensitive customer data, this is a critical security risk. Restricting the principal to specific IAM roles or users (Option D) ensures only authorized identities can access the bucket, aligning with the principle of least privilege.

Exam trap

The trap here is that candidates often focus on the actions or resource fields, overlooking the fact that the "Principal": "*" is the most critical security flaw, as it allows any entity to invoke the permitted actions.

How to eliminate wrong answers

Option A is wrong because changing the Resource to a different bucket does not address the overly permissive principal; it merely moves the vulnerability to another bucket. Option B is wrong because removing 's3:GetObject' and adding 's3:PutObject' would still leave the bucket open to any principal, and it would also remove read access while introducing write access, which could lead to data corruption or unauthorized uploads. Option C is wrong because encrypting the bucket at rest protects data confidentiality if the data is accessed, but it does not prevent unauthorized access; encryption is a defense-in-depth measure, not a substitute for access control.

71
MCQmedium

Refer to the exhibit. An IS auditor is reviewing firewall logs and notices repeated denied SSH attempts from an internal host (10.0.1.50) to a server (172.16.0.1). After the denied attempts, the host initiates permitted HTTPS connections to another server (172.16.0.5). Which of the following is the BEST interpretation of this pattern?

A.The host may be attempting to bypass security controls by using different protocols
B.The firewall rule 101 is misconfigured and blocking legitimate traffic
C.The host is performing reconnaissance and has mapped allowed services
D.The host successfully accessed server 172.16.0.1 via SSH
AnswerA

The pattern indicates probing a blocked service and then using a permitted one, possibly to evade detection.

Why this answer

The pattern of denied SSH attempts followed by successful HTTPS connections suggests the internal host is probing for an open SSH service and, when blocked, switches to an allowed protocol (HTTPS) to communicate with a different server. This behavior indicates an attempt to bypass security controls by leveraging a permitted protocol after initial reconnaissance or direct access attempts fail. The firewall logs show the host adapts its method, which is a classic indicator of protocol hopping or tunneling attempts.

Exam trap

The trap here is that candidates may focus on the reconnaissance aspect (option C) and overlook the deliberate protocol switch, which is the key indicator of an attempt to bypass security controls rather than just map services.

How to eliminate wrong answers

Option B is wrong because there is no evidence of misconfiguration; the firewall correctly denies SSH (rule 101 likely blocks SSH to 172.16.0.1) and permits HTTPS to 172.16.0.5, which is expected behavior. Option C is wrong because while the host may be performing reconnaissance, the key observation is the shift from a denied protocol to a permitted one, which is more indicative of bypassing controls than simple mapping of allowed services. Option D is wrong because the logs explicitly show denied SSH attempts, meaning the host did not successfully access server 172.16.0.1 via SSH; the subsequent HTTPS connections are to a different server (172.16.0.5).

72
MCQeasy

A small e-commerce company uses a cloud-based e-commerce platform with automatic scaling. The company's business continuity plan relies on the cloud provider's promise of 99.99% uptime. During a regional outage affecting the cloud provider's primary availability zone, the company's website became unavailable for 2 hours, resulting in lost sales. The IT manager wants to improve resilience. Which of the following is the BEST action?

A.Maintain a secondary on-premises server for failover.
B.Increase the reserved capacity in the cloud to handle spikes.
C.Negotiate a higher service-level agreement (SLA) with the provider.
D.Implement a multi-cloud strategy with active-active deployment.
AnswerD

Multi-cloud reduces dependency on a single provider and improves availability.

Why this answer

Option D is correct because deploying across multiple cloud providers (multi-cloud) in an active-active configuration can withstand a single provider's regional outage. Option C (a higher SLA) only improves compensation, not availability. Option A (a secondary on-premises server) is less scalable and may not integrate well with the cloud platform.

Option B (more reserved capacity) helps with scaling but not with provider failure.

73
MCQmedium

During an audit of a financial application, the IS auditor discovers that user access reviews are performed quarterly instead of monthly as required by policy. Which of the following is the BEST initial action for the auditor?

A.Recommend that the policy be changed to allow quarterly reviews
B.Report the noncompliance with the policy as a finding immediately
C.Escalate the issue to senior management for immediate resolution
D.Determine if compensating controls mitigate the risk of less frequent reviews
AnswerD

Compensating controls may make quarterly reviews acceptable.

Why this answer

The IS auditor's primary role is to assess risk, not to enforce policy blindly. Quarterly reviews may still be acceptable if compensating controls (e.g., automated provisioning/deprovisioning, real-time monitoring, or role-based access controls) effectively reduce the risk of unauthorized access between reviews. Determining the presence and effectiveness of such controls is the best initial action before deciding whether to report noncompliance.

Exam trap

The trap here is that candidates assume policy noncompliance must always be reported immediately as a finding, but the CISA exam emphasizes risk-based auditing where the auditor first evaluates whether compensating controls mitigate the risk before concluding on the finding's significance.

How to eliminate wrong answers

Option A is wrong because recommending a policy change without first assessing the risk impact of the deviation could weaken security posture and is premature. Option B is wrong because immediately reporting noncompliance as a finding without evaluating compensating controls may result in an incomplete or misleading audit report, failing to consider the actual risk. Option C is wrong because escalating to senior management without first gathering evidence on compensating controls bypasses the auditor's responsibility to perform due diligence and risk assessment.

74
MCQhard

Which of the following is the BEST indicator that an organization's data security governance is effective?

A.Number of security incidents.
B.Percentage of employees trained.
C.Audit findings show compliance with data protection policies.
D.Number of encryption keys managed.
AnswerC

Compliance indicates governance is effective.

Why this answer

Option C is correct because audit findings showing compliance with data protection policies directly indicate that governance controls are working. Option A is incorrect because incident count is a lagging indicator. Option B is incorrect because training alone does not ensure compliance.

Option D is incorrect because key count is not a measure of effectiveness.

75
MCQmedium

An organization's IT governance framework includes a policy that all system access must be reviewed quarterly. The internal audit finds that reviews are incomplete. What is the BEST action?

A.Implement an automated access review tool
B.Reinforce accountability with managers
C.Disable all non-compliant accounts
D.Update the policy to require monthly reviews
AnswerB

Correct. Holding managers responsible ensures reviews are completed.

Why this answer

Option B is correct because reinforcing accountability with managers directly addresses the root cause of incomplete reviews. Option D is incorrect because increasing the review frequency does not solve the underlying issue. Option A is incorrect because automation may help but is a long-term solution.

Option C is incorrect because disabling accounts may disrupt business operations without fixing the process.
