Certified Information Systems Auditor (CISA) — Questions 826–900

984 questions total · 14 pages · All types, answers revealed


Page 12 of 14

826 · MCQ · medium

An organization is planning to outsource its data center operations. Which of the following governance practices should be implemented to ensure proper oversight?

A. Conduct annual financial audits of the outsourcer.
B. Require the outsourcer to obtain ISO 27001 certification.
C. Establish a service level agreement (SLA) with key performance indicators (KPIs).
D. Allow the outsourcer to manage all security controls independently.
Answer: C

SLA with KPIs enables ongoing performance monitoring.

Why this answer

Option C is correct because an SLA with KPIs provides measurable performance targets and accountability. Option B is a certification but not a governance practice for oversight. Option D abdicates control. Option A is financial, not operational, oversight.

827 · MCQ · medium

During an operational audit, the auditor uses ratio analysis to compare current year expenses to prior years and industry benchmarks. This is an example of which type of audit evidence?

A. Analytical procedures
B. Inquiry
C. Observation
D. Inspection
Answer: A

Analytical procedures include ratio and trend analysis.

Why this answer

Analytical procedures involve evaluations of financial information through analysis of plausible relationships.

828 · Multi-Select · medium

Which TWO of the following are key elements of an effective incident response plan? (Select exactly 2.)

Select 2 answers
A. A schedule for post-incident reviews
B. A detailed inventory of software licenses
C. A clear escalation path with contact information
D. A list of all hardware serial numbers
E. Predefined communication templates for internal and external stakeholders
Answers: C, E

Escalation ensures that incidents are routed to the appropriate response teams.

Why this answer

Options C and E are correct. A clear escalation path ensures proper reporting and decision-making; predefined communication templates speed up notification. Options B and D are not essential: they are inventory records that belong to asset management rather than directly to incident response. Option A is after-action, not during.

829 · MCQ · medium

Which of the following is the BEST method to ensure that a system development project is completed on time?

A. Regular status meetings
B. A realistic project schedule with milestones
C. Frequent scope changes
D. Use of project management software
Answer: B

A realistic schedule with milestones provides a clear plan and tracking.

Why this answer

A realistic project schedule with milestones (Option B) is the best method because it establishes a time-phased plan with measurable checkpoints, enabling early detection of delays and facilitating proactive corrective actions. Without a realistic baseline, even the best tracking tools or meetings cannot prevent schedule overruns, as the schedule itself is the foundation for monitoring and controlling project progress.

Exam trap

The trap here is that candidates often confuse project management tools or meetings with the fundamental planning artifact (the schedule) that actually drives on-time delivery, leading them to select a supporting activity (like status meetings or software) instead of the core control mechanism.

How to eliminate wrong answers

Option A is wrong because regular status meetings are a communication tool, not a method to ensure on-time completion; they can identify issues but do not prevent schedule overruns without a realistic schedule to compare against. Option C is wrong because frequent scope changes directly increase project risk and often lead to schedule delays, scope creep, and resource reallocation, making on-time delivery less likely. Option D is wrong because project management software is an enabling tool that can help track progress but does not guarantee on-time completion; its effectiveness depends entirely on having a realistic schedule and disciplined change control.

830 · MCQ · hard

An organization is implementing an enterprise resource planning (ERP) system. The project team plans to migrate legacy data without performing a full reconciliation between source and target systems. As an IS auditor, which of the following should be your PRIMARY concern?

A. The legacy system may be decommissioned prematurely
B. User acceptance testing may be delayed
C. The data migration may exceed the planned timeline
D. Incomplete or inaccurate data may be loaded into the new system
Answer: D

Without reconciliation, errors go unnoticed, leading to unreliable data.

Why this answer

Data migration without reconciliation can cause undetected data corruption or loss, impacting financial reporting and operations.

831 · Multi-Select · medium

An organization is performing software asset management (SAM) to ensure license compliance. Which two activities should the auditor verify?

Select 2 answers
A. Reconciling installed software with purchase records
B. Performing vulnerability scans
C. Conducting regular license compliance audits
D. Monitoring network bandwidth usage
E. Tracking hardware depreciation
Answers: A, C

Correct: Reconciliation helps identify discrepancies.

Why this answer

Regular license compliance audits ensure proper licensing. Reconciliation of installed software with purchased licenses identifies gaps or over-licensing.

832 · MCQ · hard

An organization is developing a mobile app that will handle personal health information (PHI). The security team mandates that data must be encrypted both in transit and at rest. Which of the following implementation strategies BEST ensures compliance?

A. Use HTTPS for all network communication and store data in plaintext
B. Use SSL and encrypt all data with a simple XOR cipher
C. Rely on platform-level encryption provided by the mobile OS
D. Implement TLS for data in transit and AES-256 encryption for data at rest
Answer: D

Covers both requirements.

Why this answer

Option D is correct because it uses TLS (the modern, secure successor to SSL) to encrypt data in transit, ensuring confidentiality and integrity during network communication, and AES-256, a strong symmetric encryption standard, to encrypt data at rest. This combination directly satisfies the mandate for encryption both in transit and at rest, as TLS protects against eavesdropping and tampering on the wire, while AES-256 protects stored PHI from unauthorized access if the device is lost or compromised.

Exam trap

The trap here is that candidates may take 'platform-level encryption' (Option C) to be sufficient, but the CISA exam tests the understanding that platform encryption does not cover data in transit and may not meet specific regulatory requirements for application-layer encryption at rest.

How to eliminate wrong answers

Option A is wrong because storing data in plaintext violates the mandate for encryption at rest, leaving PHI exposed if the device is lost or the storage is accessed. Option B is wrong because SSL (deprecated in favor of TLS) is insecure, and a simple XOR cipher is trivially breakable with known-plaintext attacks, providing no real cryptographic protection. Option C is wrong because relying solely on platform-level encryption (e.g., iOS Data Protection or Android File-Based Encryption) does not guarantee the app's data is encrypted in transit, and the platform may not encrypt app-specific data at rest with sufficient granularity or key management for PHI compliance.

833 · Multi-Select · hard

Which THREE of the following are common risks associated with outsourcing software development?

Select 3 answers
A. Quality issues due to lack of oversight
B. Loss of intellectual property
C. Communication barriers
D. Faster time to market
E. Increased internal control
Answers: A, B, C

Common risk.

Why this answer

Option A is correct because outsourcing software development often results in quality issues due to the client's limited visibility into the vendor's development processes, testing rigor, and adherence to coding standards. Without direct oversight, defects may go undetected until later stages, increasing rework costs and project delays.

Exam trap

The trap here is that candidates confuse potential benefits (faster time to market, increased internal control) with risks, failing to distinguish between advantages and the inherent vulnerabilities of outsourcing.

834 · MCQ · medium

During a review of encryption practices, the IS auditor finds that an organization uses the same encryption key for all customer data at rest. What is the PRIMARY concern?

A. Performance degradation due to key reuse
B. Inability to revoke access to specific data
C. Non-compliance with GDPR pseudonymization requirements
D. Increased risk of data exposure if the key is compromised
Answer: D

A single key compromise exposes all encrypted data.

Why this answer

Using a single key for all data increases the impact of key compromise. If the key is compromised, all data becomes accessible. Key management should include key rotation and different keys for different data sets.

835 · MCQ · medium

An organization uses a hot site as its disaster recovery alternative. Which of the following is the MOST critical consideration when selecting a hot site?

A. Compatibility of hardware and software with the production environment
B. Distance from the primary site
C. Cost of the hot site contract
D. Availability of staff at the hot site
Answer: A

Without compatibility, the hot site cannot be used effectively.

Why this answer

The hot site must be compatible with the production environment to enable quick recovery.

836 · MCQ · hard

In the context of IT governance, what is the PRIMARY purpose of an exception management process for IT policies?

A. To automatically update policies based on changing business needs
B. To provide a mechanism for employees to bypass security controls
C. To eliminate the need for policy compliance monitoring
D. To allow temporary deviations from policy under controlled conditions with appropriate approvals
Answer: D

Exceptions are approved temporary departures from policy, managed to minimize risk.

Why this answer

Exception management allows controlled deviations from policy when required, while ensuring accountability and documentation.

837 · Multi-Select · hard

Which THREE of the following are commonly recognized benefits of implementing a formal IT service management (ITSM) framework such as ITIL?

Select 3 answers
A. Better alignment between IT services and business needs
B. Guaranteed zero downtime for critical services
C. Elimination of the need for external IT audits
D. Improved service quality and availability
E. Increased efficiency and cost savings through standardized processes
Answers: A, D, E

ITSM incorporates business requirements into service design and delivery.

Why this answer

Option A is correct because a formal ITSM framework like ITIL explicitly focuses on aligning IT service delivery with business objectives through defined processes like service strategy and service design. This alignment ensures that IT investments and operations directly support business outcomes, such as improving customer satisfaction or enabling new revenue streams, rather than operating in a silo.

Exam trap

The trap here is that candidates may confuse the risk-reduction benefits of ITSM (like improved availability) with an absolute guarantee, or assume that a framework replaces independent verification, when in reality ITSM improves processes but does not eliminate the need for external audits or guarantee perfect uptime.

838 · MCQ · medium

During an audit of an organization's information security programme, the IS auditor finds that the security awareness training completion rate is 95% but phishing simulation tests show a 30% failure rate. What should the auditor recommend?

A. Increase the frequency of phishing simulations to quarterly
B. Disciplinary action for employees who fail phishing tests
C. Mandate that all employees repeat the training annually
D. Revise the security awareness program content to focus on practical phishing recognition
Answer: D

Improving the content to be more practical and scenario-based can lead to better outcomes.

Why this answer

The gap between high training completion and poor phishing test results indicates that the training content is not effective in changing behavior. The auditor should recommend reviewing and improving the training to address weaknesses.

839 · MCQ · easy

An IT manager is developing a governance policy for change management. Which element is MOST important to include?

A. Project management methodology
B. Detailed technical procedures
C. List of all applications
D. Roles and responsibilities
Answer: D

Correct. Governance policies define who is responsible for what.

Why this answer

Option D is correct because clearly defined roles and responsibilities ensure accountability in the change process. Option B is incorrect because technical procedures are part of implementation, not governance. Option C is incorrect because listing applications is operational. Option A is incorrect because methodology is separate from governance.

840 · MCQ · easy

An organization uses a chargeback model for IT services. What is the PRIMARY benefit of this approach?

A. Simplifies IT budgeting
B. Reduces total IT costs
C. Improves IT service quality
D. Increases business unit accountability for IT spending
Answer: D

Chargeback makes business units aware of their IT consumption and encourages cost-effective behavior.

Why this answer

The primary benefit of a chargeback model is that it increases business unit accountability for IT spending. By directly allocating IT costs to the consuming departments based on actual usage (e.g., compute hours, storage GB, network bandwidth), business units are incentivized to optimize their consumption and make cost-conscious decisions. This aligns IT expenditure with business value and promotes transparency, rather than treating IT as a sunk cost.

Exam trap

The trap here is that candidates confuse the benefit of cost visibility (which chargeback provides) with cost reduction, but the primary benefit is accountability, not necessarily lower spending.

How to eliminate wrong answers

Option A is wrong because chargeback models often complicate IT budgeting due to the need for detailed usage tracking, metering, and cost allocation mechanisms, rather than simplifying it. Option B is wrong because chargeback does not inherently reduce total IT costs; it may shift cost visibility and drive efficiency, but total costs can remain the same or even increase with metering overhead. Option C is wrong because chargeback focuses on cost accountability, not service quality; improvements in quality depend on service level agreements (SLAs) and IT operations, not the billing model itself.

841 · Multi-Select · easy

Which TWO of the following are key components of an effective information security awareness program?

Select 2 answers
A. Periodic review of security logs
B. Annual password change policy
C. Mandatory training for all employees
D. Regular vulnerability scans
E. Phishing simulation exercises
Answers: C, E

Correct. Training is the foundation of an awareness program.

Why this answer

Option C is correct because mandatory training for all employees ensures that every user understands their security responsibilities, recognizes threats like phishing, and follows organizational policies. This is a foundational element of an awareness program as defined by frameworks such as NIST SP 800-50, which emphasizes that awareness and training must be tailored to roles and delivered to all personnel. Without mandatory participation, coverage gaps leave the organization vulnerable to social engineering and policy violations.

Exam trap

The trap here is that candidates confuse operational security controls (like log reviews and vulnerability scans) with awareness program components, but the exam specifically tests the distinction between technical controls and human-focused training activities.

842 · MCQ · hard

In a risk-based audit approach, which of the following BEST describes how an IS auditor should prioritize audit coverage?

A. Focus on areas where management has requested review
B. Allocate more audit resources to areas with higher risk and lower control effectiveness
C. Concentrate solely on areas with the highest inherent risk
D. Focus equally on all areas of the audited entity
Answer: B

High risk and weak controls warrant more attention.

Why this answer

A risk-based approach focuses on areas with higher inherent risk and weaker controls to maximize effectiveness.

843 · MCQ · hard

In a DevOps environment, which practice BEST supports auditability?

A. Use of configuration management tools
B. Manual approval gates
C. Separate development and production environments
D. Automated logging of all code changes
Answer: D

Automated logging provides a complete and verifiable audit trail.

Why this answer

Automated logging of all code changes (D) best supports auditability in a DevOps environment because it provides an immutable, timestamped record of every change made to the codebase, including who made the change, what was changed, and when. This aligns with the principle of continuous audit, where every deployment artifact is traceable through the CI/CD pipeline, enabling compliance with standards like SOC 2 or ISO 27001. Unlike manual processes, automated logging ensures no change goes unrecorded, which is critical for forensic analysis and regulatory audits.

Exam trap

The trap here is that candidates confuse 'configuration management' (Option A) with 'change management' or 'audit logging,' assuming that tools like Chef or Terraform inherently provide auditability, when in fact they only track infrastructure state, not the full code change lifecycle including commits, approvals, and deployments.

How to eliminate wrong answers

Option A is wrong because configuration management tools (e.g., Ansible, Puppet) focus on maintaining desired state and consistency across environments, but they do not inherently provide a complete, auditable log of all code changes—they track infrastructure changes, not the code commits or pipeline events themselves. Option B is wrong because manual approval gates introduce human delay and potential for bypass, undermining the continuous audit trail; they are a control, not a logging mechanism, and can be overridden or forgotten, breaking auditability. Option C is wrong because separate development and production environments are a security best practice to prevent accidental changes to production, but they do not directly support auditability—auditability requires recording changes across all environments, not just separating them.

844 · MCQ · hard

An IS auditor is planning an audit of a small organization with limited IT staff. Which of the following is a key consideration for the audit approach?

A. Reduced audit scope because of limited staff
B. Greater reliance on detective and compensating controls
C. Increased reliance on preventive controls due to limited staff
D. Use of extensive substantive testing to compensate for weak controls
Answer: B

Correct; when segregation is limited, detective controls become more important.

Why this answer

In small organizations, segregation of duties may be limited, so the auditor should place greater reliance on detective and compensating controls.

845 · MCQ · easy

An organization is implementing a new IT governance framework to align IT with business objectives. Which framework focuses on the principles of evaluate-direct-monitor?

A. PMBOK
B. ITIL 4
C. ISO/IEC 38500
D. COBIT 2019
Answer: D

COBIT 2019 defines governance objectives as evaluate-direct-monitor (EDM).

Why this answer

COBIT 2019 uses the evaluate-direct-monitor (EDM) governance objective for governance of enterprise IT.

846 · MCQ · medium

Which of the following is a key difference between an internal audit and an external audit?

A. External audits are always required by law, while internal audits are voluntary.
B. Internal auditors are employees of the organization, which may affect independence.
C. External auditors issue a report to management, while internal auditors report to the board.
D. Internal audits focus only on financial controls.
Answer: B

Independence is a key concern for internal auditors.

Why this answer

Internal auditors are employees of the organization, which may create independence concerns, while external auditors are independent third parties.

847 · MCQ · medium

An IS auditor is reviewing the availability management process. The auditor calculates that the mean time between failures (MTBF) is 200 hours and the mean time to repair (MTTR) is 20 hours. What is the availability percentage?

A. 90.91%
B. 99.00%
C. 95.00%
D. 80.00%
Answer: A

Correct calculation.

Why this answer

Availability = MTBF / (MTBF + MTTR) = 200 / 220 ≈ 0.9091, or 90.91%.

848 · Multi-Select · hard

Which THREE of the following are components of a typical IT governance framework?

Select 3 answers
A. Network troubleshooting procedures
B. Strategic alignment of IT with business
C. Risk management and compliance
D. Performance measurement and reporting
E. Vendor contract management
Answers: B, C, D

Core governance component.

Why this answer

Strategic alignment of IT with business is a core component of an IT governance framework because it ensures that IT initiatives directly support and enable the organization's business objectives and strategies. This alignment is achieved through mechanisms like balanced scorecards and IT steering committees, which prioritize IT investments based on business value. Without this component, IT may operate in a silo, leading to wasted resources and missed opportunities.

Exam trap

The trap here is that candidates often confuse operational IT activities (like troubleshooting or contract management) with the strategic, oversight-oriented components of governance, leading them to select options that describe 'doing IT' rather than 'governing IT'.

849 · MCQ · hard

During the design phase of a waterfall project, the development team discovers that a key security requirement was omitted from the functional specification. The design has already been partially completed based on the flawed specification. What is the MOST appropriate action?

A. Proceed with design and add the requirement as an enhancement in the next release
B. Continue design and incorporate the security requirement during testing
C. Implement the security requirement as a change request through the formal change control process
D. Halt design activities and revisit the requirements phase to add the security requirement
Answer: D

Waterfall requires revisiting the earlier phase to correct the specification.

Why this answer

Option D is correct because in waterfall, each phase should be completed before moving on; missing requirements require returning to the earlier phase. Option B is wrong because continuing design ignores the gap. Option C is wrong because change requests are for scope changes after baselines, but the requirement was omitted, not changed. Option A is wrong because deferring a critical security requirement is unacceptable.

850 · MCQ · medium

An IT auditor is reviewing the release management process. Which of the following is the MOST important control to ensure that new releases do not negatively impact production systems?

A. Testing in a pre-production environment
B. Rollback plan
C. Communication to users
D. Approval from the change advisory board
Answer: A

Testing reduces the risk of negative impacts.

Why this answer

Testing in a pre-production environment is essential to identify issues before deployment.

851 · Multi-Select · easy

Which TWO of the following are types of audit evidence recognized in IS audit practice?

Select 2 answers
A. Assumption
B. Observation
C. Conjecture
D. Re-performance
E. Hypothesis
Answers: B, D

Observing a process being performed is direct evidence.

Why this answer

Observation and re-performance are both recognized types of audit evidence. Inquiry is also a recognized type, but it is not among the options and the question asks for TWO; the correct pair is observation and re-performance.

852 · MCQ · hard

An IS auditor is reviewing the disaster recovery plan (DRP) for an e-commerce company that generates 90% of its revenue online. The DRP states that the recovery time objective (RTO) for the transactional database is 4 hours, and the recovery point objective (RPO) is 1 hour. The current backup strategy includes nightly full backups and hourly transaction log backups stored on a local disk array. The backups are then copied to a remote datacenter via a WAN link with an average transfer speed of 10 Mbps. The database size is 500 GB. The auditor calculates that the time to transfer the full backup over the WAN is approximately 12 hours. The organization's management is confident that the DRP is adequate because they have never had to invoke it. What is the auditor's MOST critical finding?

A. The DRP has never been tested, so its feasibility is unknown.
B. The backup strategy does not include encryption for data in transit.
C. The RTO of 4 hours is not achievable given the backup transfer time.
D. The RPO of 1 hour is not achievable because transaction logs are only taken hourly.
Answer: C

The 12-hour transfer time far exceeds the 4-hour RTO, making the DRP infeasible.

Why this answer

The DRP states an RTO of 4 hours for the transactional database, but the full backup transfer time over the 10 Mbps WAN link is approximately 12 hours. Since the backup must be restored before the database can be made available, the RTO cannot be met. This is the most critical finding because it directly invalidates a core recovery objective, regardless of whether the plan has been tested.

Exam trap

The trap here is that candidates focus on the lack of testing (Option A) as the most critical finding, but the question is designed to test whether you can identify a quantitative, objective failure to meet a stated recovery objective over a qualitative process concern.

How to eliminate wrong answers

Option A is wrong because while testing is important, the fundamental technical constraint of backup transfer time exceeding the RTO is a more immediate and critical issue; even a tested plan cannot overcome a physical bandwidth limitation. Option B is wrong because encryption of data in transit, though a security best practice, is not the most critical finding when the core recovery objective (RTO) is mathematically unachievable. Option D is wrong because the RPO of 1 hour is actually achievable with hourly transaction log backups; the issue is with the RTO, not the RPO.

853 · MCQ · hard

An IS auditor is reviewing a contract with a vendor for a new financial system. Which of the following clauses is MOST critical to ensure auditability?

A. Penalties for non-performance
B. Service level agreements (SLAs) for system uptime
C. Right to audit the vendor's operations and controls
D. Data ownership and confidentiality provisions
Answer: C

This ensures the organization can verify compliance and controls.

Why this answer

Audit rights allow the organization to review the vendor's controls and operations, which is essential for assurance.

854 · Multi-Select · medium

An IS auditor is evaluating the privacy controls of an e-commerce company that collects and processes personal data from customers in multiple jurisdictions, including the European Union (GDPR). The company has a data inventory but has not conducted a privacy impact assessment (PIA) for a new customer analytics platform that processes sensitive data. Which THREE of the following are the MOST critical deficiencies that the auditor should report?

Select 3 answers
A. Inadequate data minimization practices in the platform design
B. Lack of a privacy impact assessment (PIA) for the new platform
C. Lack of an up-to-date privacy notice on the website
D. Absence of cross-border data transfer mechanisms such as Standard Contractual Clauses (SCCs)
E. Insufficient consent management processes for data processing
Answers: B, D, E

PIA is mandatory for high-risk processing under GDPR.

Why this answer

Under GDPR, a PIA is required for high-risk processing. Cross-border transfers without safeguards violate GDPR. Consent management is also a key requirement. Data minimization is a principle, but not necessarily a critical deficiency without context.

855 · MCQ · hard

During an audit, an IS auditor finds that the organization uses a cloud-based identity provider (IdP) for single sign-on (SSO) but does not enforce multi-factor authentication (MFA) for all users. Which of the following is the BEST recommendation to reduce risk?

A. Require MFA only for external-facing applications
B. Disable SSO and require separate passwords for each application
C. Reduce session timeout to 15 minutes
D. Enforce MFA for all users accessing any application
Answer: D

Comprehensive MFA reduces risk of unauthorized access.

Why this answer

Enforcing MFA for all users accessing any application is the best recommendation because it directly addresses the lack of a second authentication factor, which is the primary control to mitigate credential theft and unauthorized access. In a cloud-based IdP SSO environment, a single compromised password grants access to all integrated applications, so MFA must be applied universally to protect the entire trust boundary, not just external-facing apps. This aligns with NIST SP 800-63B and zero-trust principles, ensuring that every authentication request is verified with something the user knows and something they have.

Exam trap

The trap here is that candidates often choose Option A (MFA only for external-facing apps) because they mistakenly believe internal apps are safe behind a corporate network perimeter, failing to recognize that cloud-based SSO eliminates network boundaries and that the IdP is the single point of authentication for all apps.

How to eliminate wrong answers

Option A is wrong because requiring MFA only for external-facing applications leaves internal applications vulnerable to lateral movement if an attacker gains access via a compromised credential, as the IdP does not differentiate between internal and external apps in its SSO token issuance. Option B is wrong because disabling SSO and requiring separate passwords for each application increases password fatigue, encourages weak password reuse, and eliminates the security benefits of centralized identity management, such as consistent policy enforcement and automated deprovisioning. Option C is wrong because reducing session timeout to 15 minutes only limits the window of exposure for an active session but does not prevent an attacker from authenticating with a stolen password; it is a compensating control, not a preventive one, and does not address the root cause of missing MFA.

856 · Multi-Select · hard

Which THREE of the following are characteristics of SMART recommendations in an audit report? (Select three.)

Select 3 answers
A. Measurable
B. Vague
C. Specific
D. Rigid
E. Time-bound
Answers: A, C, E

Progress should be quantifiable.

Why this answer

SMART stands for Specific, Measurable, Achievable, Relevant, Time-bound. Vague and rigid are not desirable.

857 · Multi-Select · medium

An IS auditor is reviewing the vendor management program for a critical outsourced service. The vendor has recently been acquired by another company. Which TWO factors should the auditor be most concerned about regarding the acquisition?

Select 2 answers
A. The vendor's new owner may have different security standards.
B. The vendor's new owner may increase prices.
C. The vendor's new owner may have a different organizational culture.
D. The vendor's new owner may lay off key personnel.
E. The contract may not have a clause requiring consent for change of control.
Answers: A, E

Security standards may change, affecting the organization's risk posture.

Why this answer

A change in vendor ownership can affect the contractual relationship and service delivery. The auditor should focus on whether the contract allows assignment (without consent) and whether the new owner's financial stability poses a risk.

858
MCQ · hard

During system implementation, a critical defect is found in the production environment. The project manager wants to apply an emergency patch without full testing. Which of the following is the BEST course of action?

A. Apply the patch immediately without testing
B. Delay deployment until full testing can be completed
C. Revert to the previous version of the system
D. Conduct a risk assessment and obtain approval from the change control board
Answer: D

A risk-based approach ensures that the urgency is balanced with proper oversight, allowing a controlled emergency change.

Why this answer

Option D is correct because a risk assessment should be performed to evaluate the potential impact of the patch versus the risk of not applying it, followed by proper change approval. Applying the patch without testing (A) bypasses controls; reverting (C) may not address the defect; delaying (B) may not be feasible for critical defects.

859
MCQ · easy

Which type of audit is primarily concerned with evaluating the efficiency and effectiveness of operations?

A. Financial audit
B. Compliance audit
C. Operational audit
D. IS audit
Answer: C

Correct type.

Why this answer

An operational audit focuses on efficiency and effectiveness of operations.

860
MCQ · hard

A company is designing a public cloud-based application that processes highly sensitive personal data. Which of the following data protection strategies provides the STRONGEST assurance that data remains confidential even if the cloud provider's infrastructure is compromised?

A. Use server-side encryption with cloud provider managed keys
B. Implement client-side encryption with customer managed keys
C. Enable encryption in transit using TLS 1.3
D. Apply data masking at the application layer
Answer: B

Data is encrypted before it leaves the client, and the provider never holds the keys, so confidentiality is preserved even if the provider is breached.

Why this answer

Client-side encryption with customer managed keys ensures that data is encrypted before it leaves the client environment, and the cloud provider never has access to the plaintext data or the encryption keys. Even if the cloud provider's infrastructure is fully compromised, the attacker cannot decrypt the data because the keys are never stored or processed by the provider. This provides the strongest assurance of confidentiality because the data remains encrypted end-to-end, independent of the provider's security controls.

Exam trap

The trap here is that candidates often confuse 'encryption at rest' (server-side) with 'end-to-end confidentiality' and assume that any encryption managed by the cloud provider is sufficient, failing to recognize that provider-managed keys are still accessible to the provider and thus vulnerable in a provider compromise scenario.

How to eliminate wrong answers

Option A is wrong because server-side encryption with cloud provider managed keys means the cloud provider holds the encryption keys and performs the encryption/decryption on its infrastructure; if the provider's infrastructure is compromised, an attacker could access both the encrypted data and the keys, breaking confidentiality. Option C is wrong because encryption in transit (TLS 1.3) only protects data while it is moving between the client and the cloud, not at rest; once the data reaches the provider's storage, it is no longer protected by TLS, and a compromise of the provider's infrastructure would expose the plaintext data. Option D is wrong because data masking at the application layer only obscures data for display or processing within the application but does not encrypt the underlying stored data; if the provider's infrastructure is compromised, the actual sensitive data stored in the database remains in plaintext and can be exfiltrated.

861
MCQ · medium

An organization uses RAID 5 for its database server. Which of the following is the PRIMARY advantage of RAID 5?

A. Simplified backup process
B. Increased storage capacity without parity overhead
C. Fault tolerance with one disk failure
D. Improved read performance
Answer: C

This is the primary advantage.

Why this answer

RAID 5 provides fault tolerance with parity, allowing recovery from a single disk failure.

862
MCQ · hard

An IS auditor is reviewing an organization's change management process. The auditor notes that all emergency changes are approved post-implementation by the change advisory board (CAB) within 48 hours. Which of the following is the auditor's BEST course of action?

A. Escalate the issue to senior management as a control weakness
B. Verify that all emergency changes are tested before implementation
C. Assess whether the emergency change policy includes proper justification and post-approval controls
D. Recommend that emergency changes be approved prior to implementation
Answer: C

The auditor should evaluate the adequacy of controls around the process.

Why this answer

Option C is correct because the auditor should assess whether emergency changes are properly authorized; post-implementation approval within 48 hours is acceptable if the surrounding controls are adequate. Option A is incorrect because immediate escalation is not warranted without evidence of a problem. Option B is wrong because testing is important, but the issue here is authorization. Option D is incorrect because there is no inherent violation; the auditor should evaluate the control design before recommending a change to it.

863
MCQ · medium

During a change management review, an IS auditor discovers that a recent database upgrade was implemented without prior approval from the Change Advisory Board (CAB) because it was classified as a 'standard change.' However, the change involved migrating to a new database version that required application code modifications. What should concern the auditor most?

A. The change was implemented without CAB approval.
B. The change did not include a backout plan.
C. The change was implemented during business hours.
D. The change was implemented without testing.
Answer: A

The change required code modifications, so it should not have been standard; thus CAB approval was needed.

Why this answer

The core issue is that the change was misclassified as a 'standard change' to bypass CAB approval, but it required application code modifications, which means it was not pre-authorized and should have been treated as a normal or emergency change. Standard changes are low-risk, pre-approved, and typically involve no application code changes (e.g., applying a routine patch to a database that does not alter the schema or API). By bypassing CAB review, the organization lost the opportunity to assess risks, dependencies, and rollback procedures, which is a critical control failure in change management.

Exam trap

The trap here is that candidates focus on the operational details (missing backout plan, business hours, testing) instead of recognizing that the misclassification of the change type is the fundamental control weakness that undermines the entire change management process.

How to eliminate wrong answers

Option B is wrong because while a missing backout plan is a concern, it is a symptom of the larger governance failure; the lack of CAB approval is the root cause that allowed the change to proceed without proper planning. Option C is wrong because implementing during business hours is not inherently a control issue—many standard changes are designed for business hours—and the real problem is the unauthorized nature of the change. Option D is wrong because although testing may have been inadequate, the question does not state that testing was skipped; the primary red flag is the misclassification that circumvented the approval process, which is the auditor's top concern.

864
MCQ · hard

During a system development project, the project manager notices that the actual cost is significantly higher than the planned cost at the 50% completion point. The earned value (EV) is $500,000, the actual cost (AC) is $600,000, and the planned value (PV) is $550,000. Which of the following is the MOST appropriate action?

A. Request additional budget from senior management
B. Reduce the project scope to align with the budget
C. Conduct a root cause analysis to identify the reasons for cost overrun
D. Crash the project schedule to make up for lost time
Answer: C

Understanding the cause is the first step before taking corrective action.

Why this answer

Option C is correct because the project is over budget (EV $500K vs AC $600K) and behind schedule (EV $500K vs PV $550K). Before taking corrective action, the project manager must first perform a root cause analysis to understand why costs are exceeding planned values. This aligns with the CISA’s emphasis on identifying the underlying cause of variances before implementing changes to scope, budget, or schedule.

Exam trap

The trap here is that candidates often jump to a corrective action (like crashing or requesting more budget) without first diagnosing the root cause, but the CISA exam emphasizes that analysis must precede action in project management.

How to eliminate wrong answers

Option A is wrong because requesting additional budget without understanding the root cause of the cost overrun is premature and could mask systemic issues such as poor estimation or scope creep. Option B is wrong because reducing project scope without first analyzing the cause of the variance may eliminate necessary functionality and does not address whether the overrun is due to inefficiency, rework, or external factors. Option D is wrong because crashing the schedule (adding resources to compress time) typically increases costs further and does not solve the existing cost overrun; it may even worsen the budget variance.

865
MCQ · easy

Which of the following is the MOST important objective of system testing?

A. Verify that the system meets specified requirements
B. Confirm that end users are satisfied
C. Ensure the code is free of defects
D. Validate system performance under load
Answer: A

System testing checks the overall system against requirements.

Why this answer

System testing is a formal, structured process that validates the entire integrated system against its specified requirements. The primary goal is to confirm that the system behaves as defined in the functional and technical specifications, ensuring that all requirements are correctly implemented before user acceptance testing. While user satisfaction and defect removal are important, they are secondary to verifying requirement compliance, which is the core objective of system testing.

Exam trap

The trap here is confusing the objective of system testing with that of user acceptance testing (UAT) or unit testing, leading candidates to select user satisfaction or defect-free code as the primary goal.

How to eliminate wrong answers

Option B is wrong because end-user satisfaction is validated during User Acceptance Testing (UAT), not system testing; system testing focuses on technical compliance, not subjective user feedback. Option C is wrong because ensuring code is free of defects is the primary objective of unit testing and code reviews, not system testing, which tests integrated functionality against requirements. Option D is wrong because validating system performance under load is a specific type of non-functional testing (performance/load testing), not the overarching objective of system testing, which covers both functional and non-functional requirements.

866
MCQ · easy

A financial institution is implementing a data classification policy. Which of the following is the most important factor in determining the classification level of a data asset?

A. The sensitivity and criticality to business operations
B. The cost of acquiring the data
C. The format of the data (structured vs unstructured)
D. The storage location of the data
Answer: A

Correct. Sensitivity and criticality determine the required level of protection.

Why this answer

The classification level of a data asset is determined by its sensitivity and criticality to business operations because these factors directly drive the required confidentiality, integrity, and availability controls. For example, personally identifiable information (PII) or financial transaction records require higher classification due to regulatory mandates (e.g., GDPR, PCI DSS) and the potential for severe business impact if compromised. Cost, format, or location are secondary attributes that do not inherently define the risk profile or protection needs of the data.

Exam trap

The trap here is that candidates confuse operational attributes (cost, format, location) with the foundational risk-based criteria (sensitivity and criticality) that actually define classification levels in information security governance.

How to eliminate wrong answers

Option B is wrong because the cost of acquiring data is a financial metric unrelated to its inherent risk or the controls needed; data can be cheap to acquire yet highly sensitive (e.g., a leaked password list). Option C is wrong because the format (structured vs unstructured) affects storage and processing methods but does not dictate classification level; both formats can contain equally sensitive information (e.g., structured credit card numbers vs unstructured email containing trade secrets). Option D is wrong because storage location (e.g., on-premises vs cloud) influences security architecture but is a deployment decision, not a determinant of the data's inherent sensitivity or criticality to business operations.

867
Multi-Select · medium

In the audit follow-up phase, which TWO actions are essential? (Select two.)

Select 2 answers
A. Assess the effectiveness of the corrective actions
B. Expand the scope of the original audit
C. Re-issue the audit report
D. Update the audit program for next year
E. Verify that management has implemented corrective actions
Answers: A, E

Follow-up evaluates whether actions resolved the finding.

Why this answer

Follow-up includes verifying that management has implemented corrective actions and assessing their effectiveness.

868
Multi-Select · hard

An organization is implementing a new CRM system using an iterative development methodology. The IS auditor wants to verify that appropriate controls are in place. Which THREE of the following are essential controls for iterative development? (Select THREE.)

Select 3 answers
A. Formal sign-off on a complete requirements document before development begins
B. Risk assessment at the start of each iteration
C. Version control and configuration management
D. A mandatory change control board for every change
E. Frequent stakeholder reviews and feedback after each iteration
Answers: B, C, E

Iterative risk assessment helps identify and mitigate new risks.

Why this answer

Iterative development requires continuous stakeholder involvement, version control, and risk assessment each iteration. These controls ensure the evolving system meets requirements and manages risks.

869
Multi-Select · medium

Which TWO of the following are primary objectives of a business continuity plan (BCP)?

Select 2 answers
A. Replace the disaster recovery plan
B. Minimize financial loss
C. Guarantee 100% system uptime
D. Maintain regulatory compliance during disruptions
E. Ensure critical business functions continue during a disruption
Answers: D, E

Compliance with regulations is a primary objective of BCP.

Why this answer

Option D is correct because a primary objective of a BCP is to ensure that the organization can continue to meet legal and regulatory obligations during a disruption. This includes maintaining required data protection, reporting, and operational standards as mandated by regulations such as GDPR, HIPAA, or SOX, even when normal operations are impaired.

Exam trap

The trap here is that candidates often confuse the BCP's primary objectives with secondary benefits like cost savings or uptime guarantees, or mistakenly think the BCP replaces the DRP, when in fact the BCP is a broader plan that includes the DRP as a component.

870
MCQ · easy

An IS auditor is reviewing the logical access controls of a system. Which of the following is the BEST evidence that access rights are appropriately assigned?

A. An audit log showing all successful and failed login attempts
B. A password policy requiring complex passwords
C. An access control matrix defining roles and permissions
D. A recent user access review report signed by department managers
Answer: D

Management sign-off confirms proper assignment.

Why this answer

Option D is the best evidence because a user access review report signed by department managers provides documented confirmation that the assigned access rights have been explicitly verified and approved by the data owners. This is a detective control that directly validates the appropriateness of access assignments, whereas the other options are either preventive or detective controls that do not confirm the correctness of the rights themselves.

Exam trap

The trap here is that candidates confuse a control design document (access control matrix) with evidence of control effectiveness, failing to recognize that only a recent, signed user access review provides proof that the assigned rights have been validated by the data owner.

How to eliminate wrong answers

Option A is wrong because an audit log of login attempts only records authentication events, not the authorization levels or appropriateness of assigned access rights. Option B is wrong because a password policy addresses authentication strength, not the correctness of which users have which permissions. Option C is wrong because an access control matrix is a design document that defines intended roles and permissions, but it does not provide evidence that those definitions have been correctly implemented or that the actual assigned rights are appropriate.

871
MCQ · medium

A company outsources its IT help desk to a third-party vendor. The service level agreement (SLA) specifies that all P1 incidents must be resolved within 2 hours. During an audit, the auditor finds that the vendor’s average resolution time for P1 incidents is 3 hours. What is the most appropriate recommendation?

A. Terminate the contract immediately
B. Renegotiate the SLA to 3 hours
C. Issue a non-compliance notice and require a remediation plan
D. Accept the performance as within acceptable variance
Answer: C

This holds the vendor accountable and drives improvement.

Why this answer

The correct action is to monitor SLA compliance and enforce penalties or require corrective action. This ensures the vendor meets contractual obligations.

872
MCQ · medium

A company's IT governance policy requires that all critical systems have a documented business continuity plan (BCP). During an audit, an IT auditor finds that the BCP for a critical financial system has not been updated in three years. Which of the following is the BEST recommendation?

A. Archive the outdated BCP and develop a new one from scratch.
B. Update the BCP to reflect current processes and conduct a test.
C. Accept the risk because the system has been stable.
D. Implement a new system with built-in redundancy.
Answer: B

Updating and testing ensures the plan is viable and aligns with governance requirements.

Why this answer

Option B is correct because IT governance policies require that BCPs remain current to reflect actual operational processes. An outdated BCP (three years stale) may contain obsolete recovery procedures, contact information, or dependencies, rendering it ineffective during a real incident. Updating the BCP and then testing it validates that the documented steps align with the current system architecture and can be executed successfully, which is a core requirement of the BCP lifecycle per ISACA guidelines.

Exam trap

The trap here is that candidates may assume a stable system means the BCP remains valid, but CISA tests the principle that BCPs must be living documents reviewed and tested at regular intervals (typically annually) regardless of system stability.

How to eliminate wrong answers

Option A is wrong because archiving and rewriting from scratch is unnecessarily disruptive and time-consuming; the existing BCP likely contains valuable baseline information that should be reviewed and updated rather than discarded. Option C is wrong because accepting risk based on system stability ignores the fact that processes, personnel, and dependencies change over time; a stable system does not guarantee that the BCP's recovery steps, contact lists, or resource allocations are still valid. Option D is wrong because implementing a new system with built-in redundancy is a disproportionate and costly response to an outdated BCP; it does not address the immediate compliance gap and may introduce new risks without proper BCP documentation.

873
Multi-Select · easy

An IS auditor is reviewing physical security controls at a data center. The data center hosts critical servers and uses a badge access system with PINs, CCTV cameras, and a mantrap entry. The auditor observes that employees sometimes hold the door open for others without badging. Which TWO of the following are the MOST effective controls to address this tailgating risk?

Select 2 answers
A. Conducting security awareness training on tailgating risks
B. Requiring longer and more complex PINs
C. Installing additional access points
D. Increasing the number of CCTV cameras
E. Implementing a mantrap with biometric authentication
Answers: A, E

Training reduces the likelihood of employees allowing tailgating.

Why this answer

Mantraps are specifically designed to prevent tailgating by allowing only one person at a time. Security awareness training educates employees on the risks of tailgating. Increasing camera coverage and PIN complexity do not directly prevent tailgating.

874
MCQ · easy

During an IT audit, the auditor finds that a system administrator has local administrator rights on multiple production servers and uses a shared service account for routine maintenance. What is the PRIMARY risk associated with this practice?

A. Audit trails cannot attribute actions to a specific individual
B. Password changes become more difficult to manage
C. The administrator may accidentally delete critical files
D. The shared account may be used by unauthorized personnel
Answer: A

Shared accounts break the link between an action and an individual, violating the principle of accountability.

Why this answer

Option A is correct because a shared account obscures individual accountability, making it impossible to determine who performed specific actions. Option D describes a related but less specific risk; Option C is not the primary risk; Option B is an administrative inconvenience rather than the primary risk.

875
MCQ · medium

During a change management process review, an IS auditor finds that the change advisory board (CAB) approved a change that subsequently caused a major service outage. The change was classified as 'normal' with no emergency. What is the auditor's primary concern?

A. The service desk was not notified of the change.
B. The CAB did not adequately assess the potential impact of the change.
C. The change should have been classified as emergency.
D. The change was not tested in a pre-production environment.
Answer: B

The outage suggests the CAB failed to identify risks.

Why this answer

The primary concern is that the CAB approved a 'normal' change without adequately assessing its potential impact, leading to a major service outage. In ITIL-based change management, the CAB is responsible for evaluating the risk, impact, and resource requirements of a change before approval. A failure in this assessment indicates a breakdown in the change management process, which is the core issue an IS auditor must address.

Exam trap

The trap here is that candidates may focus on operational details (like testing or classification) rather than the governance failure of the CAB's impact assessment, which is the core audit concern in change management.

How to eliminate wrong answers

Option A is wrong because while notifying the service desk is a good practice, it is not the primary concern; the outage occurred due to the change itself, not a lack of notification. Option C is wrong because the change was classified as 'normal' with no emergency, and reclassifying it as emergency would not address the root cause—the CAB's inadequate impact assessment. Option D is wrong because testing in a pre-production environment is a control to reduce risk, but the auditor's primary concern is the CAB's failure to assess impact, which should have identified the need for testing or other mitigations.

876
Multi-Select · medium

An organization is implementing a new IT service management system based on ITIL 4. Which TWO of the following are guiding principles of ITIL 4?

Select 2 answers
A. Focus on value
B. Responsibility, strategy, acquisition
C. Evaluate, direct, monitor
D. Align, plan, organize
E. Start where you are
Answers: A, E

This is one of the ITIL 4 guiding principles.

Why this answer

ITIL 4 has seven guiding principles, including 'Focus on value' and 'Start where you are'.

877
MCQ · medium

According to COBIT 2019, which design factor is MOST critical for tailoring a governance system?

A. Regulatory environment
B. Technology complexity
C. Organizational size
D. Enterprise strategy
Answer: D

Correct. Strategy sets the direction for governance design.

Why this answer

Option D is correct because enterprise strategy determines the governance objectives and risk appetite, making it the most critical design factor. Options A, B, and C are all important but secondary; they influence the system but are driven by strategy.

878
MCQ · easy

An organization's IT strategy must be aligned with business strategy. Which of the following is the PRIMARY benefit of this alignment?

A. Faster adoption of new technologies
B. Enhanced security posture
C. Reduced IT operational costs
D. Increased value of IT investments to business objectives
Answer: D

Alignment ensures IT delivers value that supports business strategy.

Why this answer

When IT strategy is aligned with business strategy, every IT investment is directly tied to achieving specific business objectives, such as increasing revenue, improving customer experience, or enabling new business models. This alignment ensures that resources are allocated to projects that deliver measurable business value, rather than being spent on technology for its own sake. The primary benefit is therefore the increased value of IT investments to business objectives, as misalignment often leads to wasted expenditure on systems that do not support core business goals.

Exam trap

The trap here is that candidates often confuse operational benefits (like cost reduction or faster tech adoption) with the strategic primary benefit, failing to recognize that alignment is fundamentally about ensuring IT investments deliver value to the business, not about efficiency or security alone.

How to eliminate wrong answers

Option A is wrong because faster adoption of new technologies is a potential operational benefit, but it is not the primary benefit of alignment; rapid adoption without business context can actually lead to misalignment and wasted resources. Option B is wrong because enhanced security posture is a critical outcome of good IT governance, but it is a secondary benefit that results from aligning security controls with business risk appetite, not the primary reason for aligning IT and business strategy. Option C is wrong because reduced IT operational costs can be a byproduct of alignment (e.g., eliminating redundant systems), but cost reduction is not the primary goal; the primary goal is ensuring IT spending directly supports business value creation, which may sometimes require increased investment.

879
MCQ · hard

During an audit of IT asset management, the IS auditor finds that several servers are running an operating system that has reached end-of-life (EOL). The organization has not deployed any compensating controls. Which of the following is the GREATEST risk?

A. Incompatibility with new applications
B. Increased licensing costs
C. Lack of vendor support
D. Unpatched security vulnerabilities
Answer: D

This is the greatest risk as it can lead to exploitation.

Why this answer

An operating system that has reached end-of-life (EOL) no longer receives security patches from the vendor. Without compensating controls, any newly discovered vulnerabilities remain unpatched, exposing the organization to exploitation, data breaches, and system compromise. This directly undermines the confidentiality, integrity, and availability of the IT assets, making unpatched security vulnerabilities the greatest risk.

Exam trap

The trap here is that candidates may confuse 'lack of vendor support' (Option C) as the greatest risk, but the actual risk is the resulting unpatched security vulnerabilities that directly threaten the organization's security posture.

How to eliminate wrong answers

Option A is wrong because incompatibility with new applications is an operational inconvenience, not a security or compliance risk; it can often be mitigated through virtualization or containerization. Option B is wrong because EOL operating systems typically do not incur increased licensing costs—in fact, licensing may cease or become unsupported, but cost is not the primary risk. Option C is wrong because lack of vendor support is a contributing factor to the risk, not the risk itself; the absence of patches and updates is the direct consequence that creates the security exposure.

880
MCQ · easy

Which of the following audit types is most likely to be conducted by an employee of the organization being audited, potentially raising independence concerns?

A. IS audit
B. Internal audit
C. Compliance audit
D. External audit
Answer: B

Internal audits are conducted by employees of the organization.

Why this answer

Internal audits are performed by employees of the organization, which can create independence issues. External audits are conducted by third parties.

881
Multi-Select · easy

Which TWO of the following are examples of administrative controls for information security? (Choose two.)

Select 2 answers
A. Encryption of data at rest
B. Biometric access controls
C. Incident response policy
D. Security awareness training
E. Firewall configuration
Answers: C, D

Policy is an administrative control.

Why this answer

Option C is correct because an incident response policy is a documented set of procedures that defines roles, responsibilities, and steps to be taken when a security incident occurs. This is an administrative control as it governs human behavior and organizational processes, not technology. It aligns with the CISA domain of Protection of Information Assets by establishing a framework for detecting, responding to, and recovering from security events.

Exam trap

The trap here is that candidates often confuse administrative controls with technical or physical controls, mistakenly selecting encryption or firewall configuration because they are common security measures, but the CISA exam specifically tests the distinction that administrative controls are policy-based and people-focused, not technology-based.

882
MCQ · easy

During an audit, the IS auditor identifies that the audit team lacks the technical expertise to evaluate a specific system. According to ISACA standards, the auditor should:

A. Engage a subject matter expert with the required skills
B. Skip the evaluation of that system
C. Request management to provide training
D. Proceed with the audit and document the limitation
Answer: A

Correct; engaging a specialist is appropriate.

Why this answer

If the audit team lacks necessary expertise, the auditor should engage a specialist or subject matter expert to ensure audit quality.

883
Multi-Select · hard

An organization is planning to purchase a cloud-based HR system. Which THREE of the following should be included in the vendor contract to ensure adequate control and oversight? (Select three.)

Select 3 answers
A.A list of all subprocessors
B.Right to audit the vendor's controls
C.Service-level agreement (SLA) specifying uptime and response times
D.A fixed-price payment schedule
E.Data ownership and data protection clauses
Answers: B, C, E

Audit rights allow the organization to verify controls.

Why this answer

A right to audit the vendor's controls (Option B) is essential for ensuring that the cloud-based HR system's security and operational controls are functioning as agreed. This contractual clause allows the organization to verify compliance with policies, regulations, and the vendor's own security assertions, such as SOC 2 Type II reports or ISO 27001 certifications, through direct examination or independent third-party assessments.

Exam trap

The CISA exam often tests the distinction between operational requirements (like a list of subprocessors) and actual control/oversight mechanisms (like audit rights and SLAs), leading candidates to select transparency items instead of enforceable governance clauses.

884
MCQ · medium

A company is migrating its applications to a public IaaS cloud. What is the primary concern for protecting data in this environment?

A.Regularly patching the operating system and applications.
B.Using only hardened virtual machine images from the provider.
C.Ensuring encryption keys are stored in the cloud provider's key management service.
D.Properly configuring security groups and access control lists (ACLs) to limit network access.
Answer: D

Misconfigured security groups can expose resources to the internet, leading to unauthorized access. This is the top risk in IaaS.

Why this answer

In an IaaS public cloud, the customer retains responsibility for securing the network layer, including virtual firewalls. Security groups (stateful) and ACLs (stateless) are the primary mechanisms to enforce least-privilege network access, which directly protects data from unauthorized exposure over the network. This aligns with the shared responsibility model where the provider secures the physical infrastructure, but the customer must control traffic to their instances.

Exam trap

The trap here is that candidates often focus on encryption or patching as the universal answer for data protection, but in an IaaS shared responsibility model, the primary concern is controlling network access because the cloud provider does not manage the customer's virtual network boundaries.

How to eliminate wrong answers

Option A is wrong because patching the OS and applications is a critical security practice but it addresses vulnerability management, not the primary concern for protecting data in transit or at rest from network-based attacks in a shared IaaS environment. Option B is wrong because using hardened VM images is a good baseline for reducing initial attack surface, but it does not control ongoing network access or data flow, which is the primary data protection concern. Option C is wrong because storing encryption keys in the provider's KMS can be part of a data-at-rest protection strategy, but it does not address the primary concern of controlling network access to the data; moreover, key management is a shared responsibility and storing keys in the provider's KMS may introduce trust and availability risks if not combined with proper access controls.

885
MCQ · easy

What is the PRIMARY purpose of conducting static application security testing (SAST) during the development phase?

A.To identify security vulnerabilities in the source code
B.To ensure the application is free of logic errors
C.To test the application's functionality
D.To validate that security requirements are met
Answer: A

This is the primary purpose of SAST.

Why this answer

SAST analyzes source code for vulnerabilities early in the SDLC, allowing remediation before deployment.

886
MCQ · hard

An organization is implementing a new ERP system. The project sponsor requests a change that will significantly increase project scope without additional budget. Which of the following is the BEST action for the project manager?

A.Accept the change and adjust the project timeline accordingly.
B.Initiate the formal change control process and escalate to the steering committee.
C.Implement the change and inform the steering committee later.
D.Reject the change because it is outside the original scope.
Answer: B

Proper change control ensures governance and stakeholder involvement.

Why this answer

The project manager must follow the formal change control process to evaluate the impact of a scope change that lacks additional budget. Escalating to the steering committee is appropriate because they have the authority to approve or reject changes that affect project constraints, ensuring alignment with organizational governance and IT strategy.

Exam trap

The trap here is that candidates may choose to reject the change outright (Option D) thinking it protects the baseline, but the CISA exam emphasizes following the formal change control process and escalating to the appropriate governance body rather than making unilateral decisions.

How to eliminate wrong answers

Option A is wrong because accepting the change without budget or formal approval violates project governance and may lead to resource overallocation and timeline failure. Option C is wrong because implementing the change before informing the steering committee bypasses the required change control process and risks unauthorized scope creep. Option D is wrong because outright rejection without following the change control process denies the steering committee the opportunity to assess the change's strategic value or reallocate priorities.

887
MCQ · medium

An IT auditor is reviewing backup procedures. The organization performs daily full backups and retains them for 30 days. Additionally, weekly backups are retained for 12 months. Which of the following is the MOST likely risk associated with this backup strategy?

A.Backup data may not be recoverable
B.Inability to meet recovery point objectives
C.Backup encryption may be weak
D.Excessive storage consumption and longer backup windows
Answer: D

Daily full backups are inefficient.

Why this answer

Full backups every day consume large amounts of storage and time; incremental backups are more efficient.

888
MCQ · hard

An organization stores sensitive research data in a cloud storage service. The data must be encrypted at rest and in transit, and the organization wants to maintain control over encryption keys. Which solution best meets these requirements?

A.Use a cloud hardware security module (HSM) to generate keys
B.Implement client-side encryption using a customer-managed key vault
C.Enable HTTPS for all data transfers
D.Use server-side encryption with AWS S3 managed keys (SSE-S3)
Answer: B

Client-side encryption ensures data is encrypted before reaching the cloud, and keys are controlled by the organization.

Why this answer

Client-side encryption with a customer-managed key vault ensures data is encrypted before it leaves the client environment, so the cloud provider never has access to plaintext or the encryption keys. This satisfies both at-rest and in-transit encryption requirements while giving the organization full control over key management, unlike server-side options where the provider manages at least part of the key lifecycle.

Exam trap

The trap here is that candidates often assume server-side encryption with customer-managed or customer-provided keys (e.g., SSE-KMS or SSE-C) gives full control, but those options still let the cloud provider handle the key and the plaintext server-side, whereas client-side encryption ensures the provider never has access to plaintext.

How to eliminate wrong answers

Option A is wrong because a cloud HSM generates and stores keys within the cloud provider's infrastructure; while the customer controls the keys, the provider still has physical access to the HSM, and the data is typically encrypted server-side, meaning the provider could theoretically access plaintext. Option C is wrong because HTTPS only protects data in transit; it does not address encryption at rest, leaving stored data vulnerable if the cloud storage bucket is compromised. Option D is wrong because SSE-S3 uses AWS-managed keys, meaning the cloud provider controls key management and can decrypt the data, violating the requirement for the organization to maintain control over encryption keys.

889
MCQ · hard

An organization wants to implement an exception management process for IT policies. Which of the following is the most important step to ensure effective control?

A.Automatically renew exceptions every year unless revoked
B.Allow any exception to be granted by the IT manager
C.Require a formal request with approval from an appropriate authority and a defined expiration date
D.Log all exceptions but do not set expiration dates
Answer: C

Formal approval and expiration ensure temporary exceptions are reviewed and expired.

Why this answer

Exceptions must be approved by appropriate management and documented with a defined expiration date to prevent permanent deviations.

890
Multi-Select · medium

An IS auditor is evaluating the encryption key management program of a healthcare organization that processes protected health information (PHI). The organization uses a mix of symmetric and asymmetric keys. Which TWO of the following are key management practices that should be addressed to ensure effective protection of PHI?

Select 2 answers
A.Storing encryption keys in a hardware security module (HSM)
B.Implementing a key escrow mechanism for all keys
C.Using the same key to encrypt all PHI for simplicity
D.Distributing keys to authorized users along with encrypted data
E.Rotating keys on a periodic basis or after a security incident
Answers: A, E

HSMs provide tamper-resistant storage for keys.

Why this answer

Effective key management includes secure key storage (e.g., HSM) and regular key rotation to limit exposure. Key escrow is not a standard requirement, and distributing keys with data increases risk. Using a single key for all data violates best practices.

891
MCQ · medium

An IS auditor is reviewing an agile software development project. Which of the following practices would BEST help ensure that security controls are adequately addressed?

A.Requiring sign-off from the project sponsor before each sprint review
B.Performing a single comprehensive security test after all sprints are complete
C.Conducting a formal design review at the end of each sprint
D.Including security acceptance criteria in user stories
Answer: D

Security criteria in user stories ensure that security is tested and verified during the sprint.

Why this answer

In agile, security requirements should be included in user stories and tested during the sprint. Accepting a user story only after successful testing ensures security is validated.

892
MCQ · easy

Which of the following is a requirement for effective segregation of duties in IT?

A.All IT staff should have access to production data for troubleshooting.
B.System administrators should also perform internal audits to maintain expertise.
C.The same person should develop, test, and deploy code to ensure consistency.
D.Different individuals should be responsible for authorizing, executing, and reconciling transactions.
Answer: D

This is a classic example of segregation of duties to prevent and detect errors or fraud.

Why this answer

Segregation of duties ensures that no single individual has control over conflicting tasks, reducing fraud risk.

893
Multi-Select · hard

An IS auditor is reviewing a project that uses an iterative SDLC approach. Which THREE controls should the auditor expect to see in place during the development iterations? (Select THREE)

Select 3 answers
A.Formal sign-off on requirements before each iteration
B.Code reviews
C.User acceptance testing (UAT) before each iteration
D.Static application security testing (SAST)
E.Unit testing
Answers: B, D, E

Code reviews are a key control for ensuring code quality and security in each iteration.

Why this answer

Code reviews ensure code quality and security. Static application security testing (SAST) identifies vulnerabilities in source code. Unit testing validates individual components.

These are key controls in iterative development.

894
MCQ · hard

An organization's data classification policy defines 'Confidential' data as requiring encryption at rest. An IS auditor discovers that a database containing customer personal information is not encrypted. What is the auditor's BEST course of action?

A.Encrypt the database immediately
B.Report the finding to the data owner and IT management
C.Recommend a compensating control
D.Verify the classification of the data
Answer: B

Reporting ensures accountability for remediation.

Why this answer

Option B is correct because reporting the non-compliance to the data owner and IT management is the auditor's responsibility. Option A is not an audit action. Option D may be outside scope.

Option C comes after reporting.

895
MCQ · easy

An IS auditor is planning an audit of a newly implemented ERP system. The auditor wants to ensure that the audit covers critical controls. Which of the following is the most appropriate first step in the audit planning process?

A.Interview the system administrator.
B.Review prior audit workpapers.
C.Conduct a risk assessment of the ERP implementation.
D.Develop a detailed audit program.
Answer: C

Risk assessment is the foundational step to identify risks and prioritize audit work.

Why this answer

Option C is correct because the IS auditor must first conduct a risk assessment of the ERP implementation to identify and prioritize the critical controls specific to the new system. This step ensures that the audit scope is aligned with the highest risks, such as segregation of duties conflicts, interface integrity, and configuration vulnerabilities, before any detailed planning occurs.

Exam trap

The trap here is that candidates often jump to developing the audit program (Option D) or interviewing the system administrator (Option A) because they seem like logical starting points, but the CISA exam emphasizes that risk assessment must precede all other audit planning activities to ensure the audit is risk-based and efficient.

How to eliminate wrong answers

Option A is wrong because interviewing the system administrator is a data-gathering technique that should follow the risk assessment; starting with an interview may bias the audit toward operational concerns rather than risk-based priorities. Option B is wrong because reviewing prior audit workpapers is useful for historical context but is not the first step for a newly implemented system where no prior audit exists or where the risk profile has fundamentally changed. Option D is wrong because developing a detailed audit program is a later step that depends on the results of the risk assessment to define specific test procedures and control objectives.

896
Multi-Select · easy

Which THREE of the following are essential components of a change management process?

Select 3 answers
A.Immediate implementation without review
B.Impact analysis
C.Rollback plan
D.Bypassing testing for urgent changes
E.Change request approval
Answers: B, C, E

Impact analysis identifies potential effects on systems and processes.

Why this answer

Impact analysis (B) is essential because it evaluates the potential effects of a proposed change on system functionality, security, and performance before implementation. This ensures that risks are identified and mitigated, preventing unintended disruptions to production environments. Without impact analysis, changes could introduce vulnerabilities or cause system outages, violating IT governance principles.

Exam trap

The trap here is that candidates confuse 'urgent change' with 'no testing,' but even emergency changes require a documented risk assessment and a rollback plan, not a complete bypass of testing and review.

897
Multi-Select · hard

An organization is adopting a DevOps approach for system development. Which THREE controls should an IS auditor expect to see in place to maintain security and compliance?

Select 3 answers
A.Annual penetration testing after the release
B.Automated security scanning integrated into the CI/CD pipeline
C.Version control and change tracking for infrastructure as code
D.Manual code review for every change before deployment
E.Real-time monitoring and logging of production systems
Answers: B, C, E

Automated scanning in the pipeline ensures security checks are performed with every build.

Why this answer

In DevOps, automated security scanning, infrastructure as code with security review, and continuous monitoring are key controls to integrate security into the pipeline.

898
MCQ · hard

An organization uses a COTS (commercial off-the-shelf) ERP system with significant customizations. The IS auditor is reviewing the system's configuration management. Which of the following findings would MOST indicate a weakness?

A.The vendor releases quarterly patches but the organization only applies critical security patches.
B.The system administrator has the ability to modify both configuration and production data.
C.Customizations are not tracked in a separate change management system.
D.The organization does not have a formal testing environment for customizations.
Answer: B

This is a direct violation of segregation of duties, significantly increasing risk of unauthorized changes.

Why this answer

Option B is correct because in a COTS ERP system with significant customizations, allowing the system administrator to modify both configuration and production data violates the principle of segregation of duties (SoD). This creates a risk of unauthorized or undetected changes, as the same individual can alter system configurations and then manipulate production data to conceal the impact, bypassing audit trails and controls.

Exam trap

The trap here is that candidates often focus on patch management or testing environments as the most critical weakness, but the CISA exam prioritizes segregation of duties as a fundamental control, especially in customized COTS systems where configuration changes can directly impact data integrity.

How to eliminate wrong answers

Option A is wrong because while applying only critical security patches is not ideal, it is a common risk-acceptance strategy for stability in heavily customized ERP systems; the question asks for the MOST indicative weakness, and patch management is less critical than SoD. Option C is wrong because customizations not tracked in a separate change management system is a procedural weakness, but it is secondary to the direct control risk of SoD; the primary concern is the ability to modify both configuration and data, not just the tracking method. Option D is wrong because lacking a formal testing environment is a risk for quality assurance, but it does not directly enable unauthorized data manipulation like the SoD violation in B does.

899
MCQ · hard

An IS auditor is performing a review of an organization's IT governance framework. Which of the following findings would be of MOST concern?

A.No documented IT strategy aligned with business strategy
B.Incomplete IT project portfolio management
C.Lack of an IT steering committee
D.Absence of an enterprise-wide information security policy
Answer: A

Governance requires IT to support business objectives; without alignment, the framework fails.

Why this answer

Option A is correct because the absence of an IT strategy aligned with business strategy undermines governance, leaving IT decisions misaligned with business objectives. Option C is incorrect because, while a steering committee is important, its absence is not as critical as a lack of strategic alignment. Option B is wrong because portfolio management is a tactic; without strategic alignment, it may be ineffective.

Option D is incorrect because security policies are operational, not strategic governance.

900
MCQ · medium

An organization's IT department is structured with a central unit that provides infrastructure and support, while individual business units have their own application development teams. This structure is BEST described as:

A.Outsourced IT
B.Centralized IT
C.Decentralized IT
D.Federated (hybrid) IT
Answer: D

A federated structure combines centralized infrastructure with decentralized application development.

Why this answer

A centralized IT structure consolidates IT functions in a central unit, while a decentralized structure distributes IT across business units. A hybrid (federated) structure combines aspects of both, with some functions centralized and others decentralized.

Certified Information Systems Auditor CISA CISA Questions 826–900 | Page 12/14 | Courseiva