Certified Information Systems Auditor (CISA) — Questions 901-975

984 questions total · 14 pages · All types, answers revealed


Page 13 of 14

901 · MCQ · medium

An IT auditor is reviewing the system development life cycle (SDLC) process for a critical application. Which of the following findings would be of MOST concern?

A. Test data is refreshed from production monthly
B. Developers use local development environments
C. Developers have production database access
D. Code reviews are performed by senior developers
Answer: C

Violates segregation of duties.

Why this answer

Developers having direct production database access violates the principle of segregation of duties and poses a significant risk of unauthorized data modification, deletion, or exfiltration. In a well-controlled SDLC, production access should be restricted to operations or DBA teams, with changes promoted through automated deployment pipelines. This finding directly undermines data integrity and confidentiality controls.

Exam trap

The trap here is that candidates may dismiss local development environments or monthly test data refreshes as risky, while overlooking the critical segregation of duties violation inherent in granting developers direct production database access.

How to eliminate wrong answers

Option A is wrong because refreshing test data from production monthly is a common practice to ensure test environments reflect realistic data, though it requires proper masking to protect sensitive information. Option B is wrong because developers using local development environments is standard for coding and unit testing, as long as code is version-controlled and integrated into a shared repository. Option D is wrong because code reviews performed by senior developers are a positive control that helps identify defects and security vulnerabilities before deployment.

902 · MCQ · hard

An IS auditor is reviewing the privileged access management (PAM) process. The auditor finds that shared administrative accounts are used for critical system maintenance and that passwords are changed quarterly. Which of the following is the BEST recommendation to mitigate the risk of audit trail loss?

A. Implement a password vault with automatic checkout and check-in
B. Increase the frequency of password changes to monthly
C. Implement individual accounts with privilege escalation for administrative tasks
D. Require two-factor authentication for shared account usage
Answer: C

Individual accounts ensure each action is tied to a specific user, providing a complete audit trail.

Why this answer

Shared accounts make it impossible to attribute actions to specific individuals. Implementing individual accounts with privilege escalation (e.g., sudo) allows for accountability and detailed audit trails.
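As an added illustration of the audit-trail difference (example code, not part of the question bank): a sudo log entry records the invoking user alongside the command that ran as root, whereas a direct login to a shared root account records only the account name and source address. The log lines and the list of shared account names below are constructed for the example.

```python
import re

# Constructed sample of auth.log lines (not from any real host): two privileged
# actions run through sudo by individual accounts, then a direct SSH login to the
# shared root account.
SAMPLE_LOG = """\
Jan 12 03:14:07 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql
Jan 12 03:15:22 db01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=postgres ; COMMAND=/usr/bin/pg_dump finance
Jan 12 03:16:01 db01 sshd[2211]: Accepted password for root from 10.0.0.5 port 51234 ssh2
Jan 12 03:16:03 db01 sshd[2211]: pam_unix(sshd:session): session opened for user root by (uid=0)
"""

# Accounts whose password is known to more than one person (assumed list).
SHARED_ACCOUNTS = {"root", "oracle", "sysadmin"}

SUDO_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sudo:\s+(?P<actor>\S+) : "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted \w+ for (?P<account>\S+) from (?P<src>\S+)"
)

def parse_privileged_events(log_text):
    """Return one record per privileged event with the best attribution available.

    A sudo record carries the invoking user, so `actor` is a named person even
    though the command ran as root. A direct login to a shared account carries
    only the account name and source IP, so `actor` is None: the trail stops at
    "someone who knew the root password".
    """
    events = []
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "actor": m["actor"], "ran_as": m["target"],
                           "what": m["cmd"], "attributed": True})
            continue
        m = LOGIN_RE.match(line)
        if m and m["account"] in SHARED_ACCOUNTS:
            events.append({"ts": m["ts"], "actor": None, "ran_as": m["account"],
                           "what": f"interactive login from {m['src']}", "attributed": False})
    return events

def unattributed(events):
    """Events an auditor cannot tie to an individual."""
    return [e for e in events if not e["attributed"]]
```

The point for the auditor: the two sudo lines answer "who did what, as whom, when"; the root login answers only "someone from 10.0.0.5", and everything that account did afterwards inherits that gap. A password vault (option A) narrows the window but the session itself is still logged as the shared account.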

903 · MCQ · medium

A company's backup policy requires that backup tapes be stored offsite for at least one year. During an audit, the auditor finds that the offsite storage facility is not access-controlled and backup tapes are not encrypted. Which of the following is the auditor's BEST recommendation?

A. Negotiate a new contract with a different offsite storage provider
B. Move the tapes back to the primary site until the offsite facility is secured
C. Implement a check-in/check-out log for the offsite facility
D. Encrypt all backup tapes before sending them offsite
Answer: D

Encryption mitigates the risk of unauthorized access to data on the tapes.

Why this answer

The core issue is that backup tapes contain sensitive data and are stored in an uncontrolled environment. Encrypting the tapes before transport ensures that even if the physical security of the offsite facility is compromised, the data remains confidential. This directly addresses the risk of unauthorized access to the data, which is the primary concern, and is a cost-effective, immediate control that does not disrupt operations.

Exam trap

The trap here is that candidates often focus on physical security controls (like logs or moving tapes) rather than recognizing that data confidentiality is the paramount risk, and encryption is the only option that directly protects the data itself regardless of physical security failures.

How to eliminate wrong answers

Option A is wrong because negotiating a new contract is a long-term administrative solution that does not address the immediate data exposure risk; the current tapes are still unencrypted and vulnerable. Option B is wrong because moving tapes back to the primary site violates the backup policy requirement for offsite storage and increases the risk of a single point of failure (e.g., fire or theft at the primary site). Option C is wrong because a check-in/check-out log only provides accountability for physical access but does not protect the data on the tapes if the facility is breached or a tape is stolen; it does not mitigate the confidentiality risk.

904 · MCQ · medium

A company is deciding whether to centralize or decentralize its IT function. Which of the following is an advantage of a centralized IT structure?

A. Standardized technology and processes across the enterprise
B. Faster decision-making at the business unit level
C. Better alignment with individual department goals
D. Increased responsiveness to local business needs
Answer: A

Centralization promotes consistency and reduces duplication.

Why this answer

Centralized IT allows for greater control, standardization, and economies of scale.

905 · MCQ · easy

During an IT audit, the auditor discovers that the IT strategy is not formally documented. Which of the following is the MOST significant risk associated with this finding?

A. Difficulty in recruiting qualified IT staff.
B. Inability to measure the performance of IT systems.
C. Lack of alignment between IT investments and business goals.
D. Increased operational costs due to unplanned IT initiatives.
Answer: C

Undocumented strategy leads to misalignment, the most significant risk.

Why this answer

Option C is correct because without a documented strategy, IT investments may not support business goals, leading to misalignment. Option D (higher costs from unplanned initiatives) is a possible consequence but less direct. Option B (inability to measure IT performance) is also a consequence but not the most significant. Option A (recruiting difficulty) is unrelated to whether the strategy is documented.

906 · Multi-Select · hard

During a disaster recovery planning audit, the IS auditor notes that the organization's plan includes a hot standby site. However, the plan has not been updated in two years, and the last test was a tabletop exercise 18 months ago. The organization has recently implemented a new ERP system. Which THREE findings should the auditor report as most significant?

Select 3 answers
A. The DR plan has not been tested in over a year.
B. The DR plan is outdated; it was last updated two years ago.
C. The hot standby site is located too far from the primary site.
D. The DR plan has not been reviewed and approved by senior management in the last year.
E. The DR plan has not been updated to reflect the new ERP system.
Answers: A, B, E

Regular testing is critical; a tabletop test is insufficient for a hot site.

Why this answer

The plan is outdated (two years), the last test was only tabletop (not sufficient for a hot site), and the new ERP system is not reflected in the plan. These three issues directly impact the ability to recover effectively.

907 · MCQ · hard

An organization's backup strategy includes daily incremental backups and weekly full backups. During a disaster recovery test, the restoration of a critical server fails because a required incremental backup is corrupt. Which control should the organization implement to verify the integrity of backups?

A. Implement backup encryption
B. Use a different backup software
C. Perform periodic restore verification tests
D. Increase the frequency of full backups
Answer: C

Restore verification tests validate that backups are usable and complete.

Why this answer

Regular restore verification tests confirm that backups can be successfully restored. This is a key control to ensure backup integrity.
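An added example (not from the question bank) of what a periodic restore verification test actually checks: each backup set carries a manifest of per-file digests written at backup time, and the test replays the weekly full plus the daily incrementals in order, recomputing digests before applying each set. The backup sets and the corruption are constructed in memory for the example; a production test restores real media to an isolated host the same way.

```python
import hashlib

def _sha256(data):
    return hashlib.sha256(data).hexdigest()

def make_backup(label, files):
    """A backup set is the file payload plus a manifest of per-file digests,
    recorded at backup time so a later restore test can prove the media is intact.
    (In practice the manifest is stored separately from the tape it describes.)"""
    return {"label": label, "files": dict(files),
            "manifest": {name: _sha256(data) for name, data in files.items()}}

def verify_backup(backup):
    """Recompute digests; return the names of files whose bytes no longer match."""
    return sorted(name for name, data in backup["files"].items()
                  if _sha256(data) != backup["manifest"][name])

def restore_chain(full, incrementals):
    """Replay the weekly full, then each daily incremental in order, verifying every
    set before applying it. Returns (restored_files, problems). A corrupt set is
    reported by label and the restore stops at the last good point, which is the
    recovery point the organization would really have in a disaster."""
    problems = []
    restored = {}
    for backup in [full, *incrementals]:
        bad = verify_backup(backup)
        if bad:
            problems.append(f"{backup['label']}: digest mismatch for {', '.join(bad)}")
            break
        restored.update(backup["files"])
    return restored, problems

def build_sample_chain():
    """Constructed data: one full and two incrementals over a small file set."""
    full = make_backup("full-sun", {"ledger.db": b"rows:100", "config.ini": b"v1"})
    inc1 = make_backup("inc-mon", {"ledger.db": b"rows:140"})
    inc2 = make_backup("inc-tue", {"ledger.db": b"rows:180", "config.ini": b"v2"})
    return full, [inc1, inc2]

def corrupt(backup, name):
    """Simulate media rot: alter the payload without touching the manifest."""
    backup["files"][name] = bytes(b ^ 0xFF for b in backup["files"][name])
    return backup
```

A test that only confirms the tape is readable would pass the corrupted incremental; comparing recomputed digests against the manifest taken at backup time is what turns "the job reported success" into "the data can be restored". Running this on a schedule, over the full chain rather than a single set, is the control option C describes.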

908 · Multi-Select · medium

During a change management audit, which TWO of the following are essential elements of a normal change request? (Select two.)

Select 2 answers
A. The name of the developer who will implement the change
B. Justification for the change
C. The project manager's approval
D. Impact analysis
E. A list of all users affected
Answers: B, D

Justification explains why the change is needed.

Why this answer

A change request should include justification and an impact analysis to assess risks and benefits before approval.

909 · MCQ · medium

A company's security policy requires that all laptops have full-disk encryption. During an audit, 10% of laptops are found without encryption. Which of the following is the MOST effective corrective action?

A. Require users to manually enable encryption
B. Distribute encryption keys to users
C. Conduct security awareness training on encryption
D. Deploy centralized endpoint management to enforce encryption
Answer: D

Automated enforcement ensures all laptops comply with policy.

Why this answer

Centralized endpoint management (e.g., Microsoft Intune, SCCM, or a third-party MDM) allows administrators to enforce full-disk encryption (such as BitLocker or FileVault) via policy, automatically encrypting non-compliant laptops and preventing users from disabling encryption. This is the most effective corrective action because it addresses the root cause—lack of enforcement—rather than relying on user action or manual processes.

Exam trap

The trap here is that candidates may choose security awareness training (Option C) as a 'best practice' for policy compliance, but the CISA exam emphasizes that technical controls (enforcement via endpoint management) are more effective than administrative controls for ensuring consistent security configuration.

How to eliminate wrong answers

Option A is wrong because requiring users to manually enable encryption relies on user compliance, which has already failed (10% non-compliance), and provides no mechanism to verify or enforce the action. Option B is wrong because distributing encryption keys to users does not ensure encryption is enabled; keys are only useful after encryption is applied, and this action could introduce security risks if keys are mishandled. Option C is wrong because security awareness training, while beneficial for education, does not enforce technical controls and is unlikely to remediate existing non-compliant laptops; it addresses behavior rather than the technical gap.

910 · MCQ · medium

An organization is implementing a new CRM system using an agile methodology. The IS auditor wants to assess whether security requirements are being addressed. What is the best evidence for the auditor to review?

A. The security policy
B. The sprint retrospective minutes
C. The system architecture document
D. The product backlog
Answer: D

The backlog captures all requirements, including security, as user stories.

Why this answer

The product backlog contains user stories, including security-related stories. Reviewing them shows whether security requirements are explicitly included.

911 · MCQ · hard

A company uses role-based access control (RBAC). An employee moves from one department to another but retains some previous access due to overlapping role permissions. This condition is known as:

A. Access aggregation
B. Privilege creep
C. Segregation of duties conflict
D. Entitlement explosion
Answer: B

Privilege creep is the gradual accumulation of access rights beyond what is needed, often due to role changes.

Why this answer

Privilege creep occurs when an employee accumulates access rights over time, often due to role changes or lateral moves, without corresponding removal of previous permissions. In RBAC, overlapping role permissions can cause this condition when old role memberships are not revoked, leading to excessive entitlements that violate the principle of least privilege.

Exam trap

The trap here is confusing privilege creep with access aggregation, as both involve excessive permissions, but privilege creep specifically results from role changes over time rather than combining separate low-level privileges into a high-risk action.

How to eliminate wrong answers

Option A is wrong because access aggregation refers to combining multiple low-level privileges to perform a high-risk action, not the gradual accumulation of permissions from role changes. Option C is wrong because segregation of duties conflict involves a single user having incompatible roles that could enable fraud, not simply retaining previous access due to overlapping permissions. Option D is wrong because entitlement explosion describes a rapid, uncontrolled increase in permissions across many users, often due to misconfigured role hierarchies or automated provisioning, not the gradual creep from individual role changes.
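Added example, not from the question bank: a small RBAC model showing how an access review detects privilege creep after a department move and keeps it distinct from a segregation-of-duties conflict. The roles, permissions, incompatible pairs and the employee record are all constructed for the illustration.

```python
# Constructed RBAC model: roles -> permissions, and the permission pairs the
# organization treats as incompatible (segregation of duties).
ROLES = {
    "ap_clerk":   {"vendor.create", "invoice.enter"},
    "purchasing": {"po.create", "vendor.view", "invoice.enter"},
    "treasury":   {"payment.approve", "bank.view"},
}
SOD_PAIRS = {
    frozenset({"vendor.create", "payment.approve"}),
    frozenset({"po.create", "payment.approve"}),
}

def effective_permissions(role_names):
    perms = set()
    for r in role_names:
        perms |= ROLES[r]
    return perms

def privilege_creep(assigned_roles, current_job_role):
    """Permissions the user holds that the current job role does not grant.
    Under RBAC these come from old role memberships that were never revoked.
    Note that overlapping permissions (invoice.enter below) hide the stale
    role unless the comparison is done permission by permission."""
    return effective_permissions(assigned_roles) - ROLES[current_job_role]

def sod_conflicts(assigned_roles):
    """Incompatible permission pairs that one user holds at the same time.
    This is a different question from creep: a user can have creep with no
    SoD conflict, or a conflict granted entirely by the current role set."""
    perms = effective_permissions(assigned_roles)
    return sorted(tuple(sorted(p)) for p in SOD_PAIRS if p <= perms)

def review_user(user):
    """One access-review row: stale roles, the creep they cause, SoD conflicts."""
    creep = privilege_creep(user["roles"], user["job_role"])
    stale = [r for r in user["roles"] if r != user["job_role"] and ROLES[r] & creep]
    return {"user": user["name"], "stale_roles": stale,
            "creep": sorted(creep), "sod_conflicts": sod_conflicts(user["roles"])}

# Constructed employee: moved from AP clerk to purchasing; the old role was kept.
MOVED = {"name": "jdoe", "job_role": "purchasing", "roles": ["ap_clerk", "purchasing"]}
```

Run review_user over every account during the periodic access review: a non-empty stale_roles list is the revocation the mover process missed (the creep in the question), while sod_conflicts answers the separate question of whether the resulting combination is dangerous. For jdoe the creep is only vendor.create, because invoice.enter is legitimately held through the new role as well.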

912 · Multi-Select · hard

Which THREE factors should an IS auditor consider when determining the sample size for a compliance test? (Select three.)

Select 3 answers
A. The tolerable error rate
B. The confidence level desired
C. The expected error rate in the population
D. The audit budget
E. The population size
Answers: A, B, C

A lower tolerable error rate requires a larger sample.

Why this answer

Sample size is influenced by desired confidence, tolerable error rate, and expected error rate.
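Added example (not from the question bank) of the attribute-sampling arithmetic behind those three factors, using the binomial logic that underlies the standard sample-size tables: assume the population deviation rate is as high as the tolerable rate, and find the smallest sample in which observing no more than the expected number of deviations would be a (1 - confidence) or rarer event. The finite-population adjustment at the end shows why population size is not one of the three drivers unless the population is very small. Function names are the example's own.

```python
from math import ceil, comb

def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p**i * (1 - p)**(n - i) for i in range(k + 1))

def attribute_sample_size(confidence, tolerable_rate, expected_rate, max_n=10000):
    """Smallest n such that, if the true deviation rate equalled the tolerable
    rate, seeing no more than the expected number of deviations in the sample
    would happen with probability <= 1 - confidence. This is the reasoning the
    standard attribute-sampling tables encode; the expected deviations are
    rounded up as those tables do.
    """
    if not 0 <= expected_rate < tolerable_rate <= 1:
        raise ValueError("expected rate must be below the tolerable rate")
    for n in range(1, max_n + 1):
        allowed = ceil(n * expected_rate)          # deviations we expect to see
        if binom_cdf(allowed, n, tolerable_rate) <= 1 - confidence:
            return n
    raise ValueError("no sample size found below max_n")

def finite_population_adjustment(n, population_size):
    """Sample size for a population of N items. The correction only bites when
    the sample would be a sizeable fraction of the population."""
    return ceil(n / (1 + n / population_size))
```

Holding two factors fixed and moving the third shows each effect directly: tightening the tolerable rate from 5% to 3%, or raising confidence from 95% to 99%, each pushes the 59-item sample up; allowing for an expected 1% deviation rate pushes it to 93. Dividing the same 59-item sample by a population of 100,000 versus 10,000 changes nothing, which is why option E is not a primary factor.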

913 · MCQ · hard

During a nightly batch job, the above error appears in the application logs. The transaction table ACCT_TRANS has a unique constraint on the REF_NUM column. Which of the following is the MOST likely root cause?

A. The batch job lacks sufficient privileges to insert into the ACCT_TRANS table
B. There is a mismatch between the number of columns in the INSERT statement and the table definition
C. The batch job is missing an index on the REF_NUM column
D. The batch job is not idempotent and is re-processing previously successful transactions
Answer: D

Duplicate REF_NUM suggests reprocessing of already inserted records.

Why this answer

The unique constraint violation on REF_NUM indicates that the batch job is attempting to insert a row with a REF_NUM value that already exists in the ACCT_TRANS table. This occurs when the job is not idempotent—meaning it does not check for or handle previously processed transactions—and re-processes the same data, leading to duplicate key errors.

Exam trap

The trap here is that candidates often confuse a unique constraint violation with a permissions or schema mismatch error, but the specific error message (unique constraint on REF_NUM) directly points to duplicate data from non-idempotent processing, not structural or privilege issues.

How to eliminate wrong answers

Option A is wrong because insufficient privileges would produce an 'access denied' or 'insufficient privileges' error at the first statement, not a unique constraint violation on one column. Option B is wrong because a column mismatch would cause a syntax or data type error (e.g., 'column count doesn't match value count'), not a constraint violation on a specific column. Option C is wrong because a missing index does not cause duplicate-key errors: indexes affect query performance, and the uniqueness that failed here is enforced through the constraint's own unique index, which the database created when the constraint was defined. A missing performance index would show up as slow queries, not as a constraint violation.
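Added example (not from the question bank, using a constructed schema and batch file): the failing pattern beside a re-runnable loader, on SQLite so it runs stand-alone. The idempotent version skips a REF_NUM that is already loaded with identical content but refuses one that exists with different content, since that is a data problem rather than a retry and should stop the job instead of being ignored.

```python
import sqlite3

# Constructed schema mirroring the question: REF_NUM carries a UNIQUE constraint.
SCHEMA = """
CREATE TABLE ACCT_TRANS (
    ID      INTEGER PRIMARY KEY,
    REF_NUM TEXT    NOT NULL UNIQUE,
    ACCT    TEXT    NOT NULL,
    AMOUNT  INTEGER NOT NULL      -- minor units, avoids float rounding
);
"""

# Constructed batch file contents: (reference, account, amount).
BATCH = [("REF-1001", "ACC-1", 12500), ("REF-1002", "ACC-2", -4000), ("REF-1003", "ACC-1", 999)]

def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def load_naive(conn, batch):
    """The failing pattern: blind INSERTs. Fine on the first run; a re-run of the
    same file (operator retry, scheduler double-fire, replayed queue) hits the
    UNIQUE constraint and the whole batch rolls back with the error in the logs."""
    with conn:
        conn.executemany(
            "INSERT INTO ACCT_TRANS (REF_NUM, ACCT, AMOUNT) VALUES (?, ?, ?)", batch)
    return len(batch)

def load_idempotent(conn, batch):
    """Re-runnable load. Rows already present with identical content are skipped;
    a REF_NUM that exists with *different* content raises, and the transaction
    rolls back so the batch can be investigated rather than half-applied."""
    inserted = skipped = 0
    with conn:
        for ref, acct, amount in batch:
            cur = conn.execute(
                "INSERT OR IGNORE INTO ACCT_TRANS (REF_NUM, ACCT, AMOUNT) VALUES (?, ?, ?)",
                (ref, acct, amount))
            if cur.rowcount == 1:
                inserted += 1
                continue
            existing = conn.execute(
                "SELECT ACCT, AMOUNT FROM ACCT_TRANS WHERE REF_NUM = ?", (ref,)).fetchone()
            if existing != (acct, amount):
                raise ValueError(f"{ref} already loaded with different content {existing}")
            skipped += 1
    return inserted, skipped

def rerun_demo():
    """Run each loader twice on the same batch and report what happened."""
    naive = new_db()
    load_naive(naive, BATCH)
    try:
        load_naive(naive, BATCH)
        naive_rerun = "accepted"
    except sqlite3.IntegrityError as exc:
        naive_rerun = f"failed: {exc}"
    safe = new_db()
    first = load_idempotent(safe, BATCH)
    second = load_idempotent(safe, BATCH)
    rows = safe.execute("SELECT COUNT(*) FROM ACCT_TRANS").fetchone()[0]
    return naive_rerun, first, second, rows
```

The unique constraint is doing its job in both cases: it is the last line of defence against double-posting. The fix belongs in the job, which must treat "this reference is already here" as the normal result of a retry, and the inserted/skipped counts give operations a way to see a re-run for what it is.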

914 · MCQ · hard

An organization is using a spiral model for a high-risk project. The IS auditor wants to ensure that risk assessment is performed at each iteration. Which of the following is the BEST evidence that this control is effective?

A. The project schedule shows spiral iterations
B. Each spiral iteration includes a risk analysis document
C. The project manager has a risk management plan
D. The system has passed user acceptance testing
Answer: B

Documented risk analysis is direct evidence of the control.

Why this answer

In the spiral model, each cycle includes risk analysis; documented risk assessments in iteration artifacts demonstrate this.

915 · MCQ · easy

During a security assessment, an auditor discovers that employees are sharing passwords to access a critical system. Which of the following controls would BEST mitigate this risk?

A. Provide security awareness training
B. Implement multi-factor authentication
C. Log all authentication attempts
D. Enforce complex password policies
Answer: B

MFA requires additional factors, reducing the effectiveness of shared passwords.

Why this answer

Multi-factor authentication (MFA) mitigates the risk of password sharing because even if the password is shared, a second person cannot authenticate without the possession factor (e.g., a one-time passcode from a hardware token or authenticator app enrolled to the account owner). MFA decouples authentication from a single shared secret, making a shared password insufficient for access. This directly addresses the root cause—reliance on passwords alone—rather than attempting to prevent sharing behavior. The control holds only as long as the second factor is bound to the individual; a code delivered to a shared mailbox or read out over the phone can be passed around as easily as the password.

Exam trap

The trap here is that candidates confuse 'preventing password sharing' with 'detecting or discouraging it,' and choose awareness training or logging, when the only control that technically renders shared passwords useless is multi-factor authentication.

How to eliminate wrong answers

Option A is wrong because security awareness training relies on voluntary compliance and does not technically prevent password sharing; it only educates users, leaving the vulnerability intact. Option C is wrong because logging authentication attempts is a detective control that records incidents after they occur, not a preventive control that stops password sharing from granting access. Option D is wrong because enforcing complex password policies does not prevent sharing; users can still share a complex password, and the policy does not verify the identity of the person entering it.

916 · MCQ · medium

An IS auditor is planning an audit of a financial system. The auditor identifies that the inherent risk is high due to the complexity of transactions, but control risk is low because of strong automated controls. Which component of audit risk will be MOST affected by the auditor's testing strategy?

A. Inherent risk
B. Detection risk
C. Control risk
D. Audit risk
Answer: B

Detection risk is managed by the extent of testing.

Why this answer

Detection risk is the risk that audit procedures fail to detect material misstatements. With low control risk, the auditor may rely on controls and reduce substantive testing, affecting detection risk.

917 · MCQ · easy

A small manufacturing company decides to acquire an off-the-shelf inventory management system. The purchasing manager selects a vendor based solely on the lowest price, ignoring the vendor's financial stability and support history. After purchase, the vendor declares bankruptcy, leaving the company without support. The system has a critical bug that halts inventory tracking. The IT manager considers hiring a consultant to fix the bug. As an IS auditor, what should the auditor's PRIMARY concern be?

A. There is no backup system for inventory management.
B. The company may have legal recourse against the vendor.
C. The critical bug disrupts inventory tracking.
D. The vendor selection process lacked due diligence.
Answer: D

Root cause is process failure.

Why this answer

The primary concern for an IS auditor is that the vendor selection process lacked due diligence, as this directly violates the principle of proper acquisition governance. By selecting a vendor based solely on lowest price without evaluating financial stability and support history, the company exposed itself to significant operational risk, which materialized when the vendor declared bankruptcy. This oversight is a root cause failure in the information systems acquisition and implementation process, making it the most critical audit finding.

Exam trap

The trap here is that candidates focus on the immediate operational impact (the bug or lack of backup) rather than the root cause governance failure in the acquisition process, which is the auditor's primary concern per CISA's emphasis on preventive controls.

How to eliminate wrong answers

Option A is wrong because while having no backup system is a risk, it is a secondary operational concern; the auditor's primary focus should be on the flawed acquisition process that led to the current situation. Option B is wrong because legal recourse against a bankrupt vendor is typically impractical and unlikely to recover costs or restore support, so it is not a primary audit concern. Option C is wrong because the critical bug disrupting inventory tracking is a symptom of the underlying problem, not the root cause; the auditor must address the systemic failure in vendor selection.

918 · Multi-Select · medium

Which TWO of the following are key responsibilities of an IT steering committee?

Select 2 answers
A. Monitoring IT performance and value delivery
B. Managing day-to-day IT operations
C. Writing and testing application code
D. Prioritizing IT projects and allocating resources
E. Conducting IT audit engagements
Answers: A, D

Steering committee oversees performance.

Why this answer

The IT steering committee is a senior-level governance body responsible for aligning IT strategy with business objectives. Monitoring IT performance and value delivery (A) is a key responsibility because the committee must ensure that IT investments generate the expected business benefits and that service levels meet agreed targets. Prioritizing IT projects and allocating resources (D) is also a core duty, as the committee decides which initiatives receive funding and staffing based on strategic importance and risk, rather than operational urgency.

Exam trap

The trap here is confusing governance responsibilities (steering committee) with management or execution tasks (operations, coding, auditing), leading candidates to select options that sound plausible but belong to lower-level roles.

919 · Multi-Select · medium

Which THREE are commonly used techniques to protect sensitive data in a cloud environment? (Select exactly 3.)

Select 3 answers
A. Code obfuscation for application logic.
B. Network segmentation between tiers.
C. Tokenization of sensitive fields.
D. Encryption at rest and in transit.
E. Data masking for non-production environments.
Answers: C, D, E

Replaces sensitive data with tokens.

Why this answer

Tokenization replaces sensitive data (e.g., credit card numbers) with a non-sensitive placeholder (token) that has no exploitable value. This technique is commonly used in cloud environments to reduce the scope of compliance (e.g., PCI DSS) because the token can be stored and processed without exposing the original sensitive value, even if the cloud storage is compromised.

Exam trap

ISACA often tests the distinction between data protection techniques (like encryption, tokenization, and masking) and general security controls (like network segmentation or code obfuscation), leading candidates to mistakenly select network segmentation as a data protection method.

920 · Multi-Select · hard

During an audit of incident management processes, the IS auditor reviews past incident reports and conducts interviews. The organization recently experienced a ransomware attack that encrypted critical systems. The incident response team was able to contain the attack but struggled with forensic collection due to lack of pre-defined procedures. Which TWO of the following should the auditor recommend as the HIGHEST priority improvements?

Select 2 answers
A. Conducting tabletop exercises with the incident response team
B. Acquiring advanced malware analysis tools
C. Implementing a more frequent backup schedule
D. Establishing a formal chain of custody process
E. Developing and documenting forensic investigation procedures
Answers: A, E

Tabletop exercises test and improve the team's ability to respond effectively.

Why this answer

Developing forensic procedures ensures proper evidence collection, and regular tabletop exercises improve team readiness. While backup restoration and malware analysis are important, the highest priority is to address the identified gaps in forensics and preparedness.

921 · MCQ · easy

An organization is implementing a new incident management process based on ITIL. An incident classified as P1 (Priority 1) occurs. According to ITIL best practices, what is the most appropriate initial action?

A. Escalate the incident to problem management for root cause analysis.
B. Immediately assign the incident to the appropriate support team for resolution.
C. Update the known error database with a workaround.
D. Log the incident and inform the user that it will be handled within the next business day.
Answer: B

Correct for a P1 incident requiring immediate action.

Why this answer

P1 incidents are critical and require immediate response to restore service. The service desk should assign the incident to the appropriate support team without delay.

922 · MCQ · easy

Refer to the exhibit. An auditor reviews the log shipping configuration for a critical database. Based on the information provided, what is the MOST significant finding?

A. The current latency of 18 minutes exceeds the 15-minute log shipping interval
B. The alert threshold of 30 minutes is too high
C. The secondary server is not being used for reporting
D. The last backup was created at 06:00, but it is now later in the day
Answer: A

This indicates a potential data loss if a failover occurs, as the secondary may not have the latest data.

Why this answer

Option A is correct because the latency (18 minutes) exceeds the log shipping interval (15 minutes), indicating that the secondary server is falling behind and would lose the most recent transactions on failover. Option B concerns the alert threshold; it is worth noting that an 18-minute lag sits below the 30-minute threshold and so would not have raised an alert, but the latency itself is the core finding. Option C is not a finding; using the secondary for reporting is optional. Option D is not indicated as a problem, since the secondary is kept current by shipped logs rather than by the last full backup.

923 · MCQ · medium

An organization outsources its data center operations to a third-party vendor. The contract includes a right-to-audit clause. During a scheduled audit, the vendor refuses to provide access to logs from a subcontractor managing network security. What is the IS auditor's best course of action?

A. Escalate the issue to the vendor management team to enforce the contractual right.
B. Accept the vendor's refusal to avoid conflict.
C. Request the vendor to include a clause in its subcontractor agreement allowing audits.
D. Report the refusal to senior management and recommend terminating the contract.
Answer: A

The vendor management team can use contractual remedies to obtain access.

Why this answer

The right-to-audit clause in the contract gives the organization legal authority to examine all relevant records, including those from subcontractors. Escalating to the vendor management team is the correct first step because they can enforce the contractual obligation without prematurely escalating to termination. This preserves the business relationship while asserting the organization's audit rights over the entire outsourced environment, including subcontracted network security operations.

Exam trap

The trap here is that candidates may prematurely choose termination (Option D) or accept the refusal (Option B) without recognizing that the right-to-audit clause is a contractual lever that should be enforced through escalation before considering contract termination.

How to eliminate wrong answers

Option B is wrong because accepting the refusal without action would violate the audit clause and create an unmanaged risk, potentially masking security incidents in the subcontractor's logs. Option C is wrong because the contract already exists; requesting a new clause after the fact is reactive and does not address the immediate refusal, and the vendor is already contractually obligated to provide access. Option D is wrong because recommending termination is premature; the contract provides a right-to-audit, and escalation to enforce that right should be attempted before considering such a drastic step.

924 · MCQ · medium

After issuing the final audit report, the IS auditor should perform follow-up procedures. What is the PRIMARY purpose of follow-up?

A. To update the permanent audit file
B. To close the audit engagement
C. To identify new risks for the next audit
D. To verify that corrective actions have been implemented effectively
Answer: D

Correct; the main purpose is to verify remediation.

Why this answer

Follow-up ensures that management has taken corrective actions to address the findings and that the risks have been mitigated.

925 · Multi-Select · hard

An organization is evaluating its business continuity plan (BCP) to ensure alignment with the IT disaster recovery plan. Which TWO of the following are critical elements that should be included in the BCP to support effective business resilience?

Select 2 answers
A. A list of all critical IT applications with their recovery priorities.
B. Procedures for manual operations during system unavailability.
C. A complete inventory of hardware and software licenses.
D. Contact information for key stakeholders and emergency response teams.
E. Detailed step-by-step procedures for restoring network connectivity.
Answers: B, D

Manual workarounds are essential for business continuity when systems are down.

Why this answer

Option B (procedures for manual operations during system unavailability) and Option D (contact information for key stakeholders and emergency response teams) are essential BCP elements, because the BCP must let the business keep operating and coordinate people while IT is down. Options A and E (application recovery priorities, network restoration steps) belong in the IT disaster recovery plan, and Option C is an asset inventory detail, not a critical BCP element.

926 · Multi-Select · hard

Which THREE of the following are indicators of mature IT governance?

Select 3 answers
A. The IT department has high staff retention.
B. IT risks are formally assessed and managed.
C. IT projects are completed on time and within budget.
D. IT decisions are aligned with business strategy.
E. The board receives regular IT performance reports.
Answers: B, D, E

Risk management is a hallmark of mature governance.

Why this answer

Options B, D, and E are correct. Mature governance ensures formal risk management (B), alignment of IT decisions with business strategy (D), and regular reporting to the board (E). C (on-time, on-budget projects) is a project management metric, not a governance indicator, and A (staff retention) is an HR metric.

927 · MCQ · hard

An organization is implementing an agile methodology for a new software project. Which of the following is the MOST effective control to ensure that security requirements are addressed?

A. Conducting a single security requirements review at the start of the project
B. Including security requirements in the product backlog
C. Requiring a separate security sprint after development
D. Performing a security audit only at the end of the project
Answer: B

This integrates security into the iterative process.

Why this answer

In agile, including security requirements in the product backlog ensures they are prioritized and addressed in each sprint.

928 · MCQ · hard

An IS auditor is reviewing the termination procedure for IT employees. Which of the following is the most critical control to ensure immediate effectiveness?

A. Collecting company property
B. Notifying the IT department within 24 hours
C. Conducting an exit interview
D. Revoking physical and logical access immediately
Answer: D

This prevents the former employee from accessing systems.

Why this answer

Immediate revocation of access rights upon termination is the most critical control to prevent unauthorized access.

929 · MCQ · medium

An organization implemented a business continuity plan (BCP) that includes manual workarounds. Which of the following is the PRIMARY risk of relying on manual processes during a disruption?

A. Higher probability of human error under stress
B. Longer recovery time for automated systems
C. Higher cost of implementation
D. Increased dependency on technology
Answer: A

Correct: Stress increases error likelihood, jeopardizing continuity.

Why this answer

Human error is significantly higher under stress, which can cause delays and mistakes. Other options are not primary risks.

930 · MCQ · easy

A university's research department stores sensitive research data on a file server that is shared among faculty and graduate students. The server is accessible from the campus network and via VPN for remote access. Recently, a student downloaded a large dataset containing personally identifiable information (PII) of research subjects to a personal laptop. The laptop was later stolen. The university's incident response team determines that the student had legitimate access to the data for research purposes. Which control would have most effectively prevented the data exposure?

A.Require full-disk encryption on all laptops
B.Restrict VPN access to only university-issued devices
C.Conduct annual access reviews for the file server
D.Implement a DLP solution that restricts downloads of sensitive data to unmanaged devices
AnswerD

DLP can block transfer of sensitive data to unauthorized devices.

Why this answer

Option D is correct because data loss prevention (DLP) can detect and block the transfer of sensitive data to unapproved devices, such as a personal laptop. Option A (full-disk encryption) would have protected the data on the stolen laptop but does nothing to prevent the download in the first place. Option B (restricting VPN to university-issued devices) addresses only remote access; the same dataset could be downloaded over the campus network. Option C (annual access review) is periodic and would not prevent the action; in any case the student's access was legitimate, so a review would not have removed it.

931
Multi-Selecthard

Which THREE of the following are key elements that should be included in a risk assessment report for information systems?

Select 3 answers
A.Identification of critical assets and their vulnerabilities
B.Recommendations for risk mitigation or acceptance
C.List of all vendors and their contract terms
D.Evaluation of current controls and their effectiveness
E.Detailed budget for implementing security controls
AnswersA, B, D

Needed to understand what is at risk.

Why this answer

A is correct because a risk assessment report must identify critical assets and their vulnerabilities to establish the scope and basis for risk analysis. Without this, the report cannot prioritize which systems require immediate attention or justify subsequent control recommendations.

Exam trap

The trap here is that candidates confuse operational or financial details (vendor lists, budgets) with the core risk assessment deliverables, which must focus on assets, vulnerabilities, controls, and risk treatment decisions.

932
MCQmedium

During a recent audit, the IT auditor found that the problem management process does not include a known error database (KEDB). Which of the following is the MOST significant risk associated with this finding?

A.Higher likelihood of unauthorized changes
B.Increased backup failure rates
C.Increased time to resolve incidents
D.Inaccurate SLA reporting
AnswerC

Without a KEDB, incidents that could be resolved quickly using known workarounds will take longer, increasing resolution times.

Why this answer

Without a known error database (KEDB), incident resolution relies on ad-hoc troubleshooting rather than leveraging documented root causes and workarounds. This directly increases the mean time to resolve (MTTR) incidents because support teams cannot quickly identify and apply previously identified fixes, leading to longer outages and reduced operational efficiency.

Exam trap

The trap here is that candidates confuse the KEDB with the change management process or SLA metrics, assuming that missing documentation leads to unauthorized changes or reporting inaccuracies, when the direct operational impact is prolonged incident resolution time.

How to eliminate wrong answers

Option A is wrong because unauthorized changes are primarily controlled by the change management process (e.g., CAB approval, segregation of duties), not by the problem management process or the existence of a KEDB. Option B is wrong because backup failure rates are influenced by backup software configuration, storage health, and monitoring alerts, not by the presence or absence of a KEDB. Option D is wrong because SLA reporting accuracy depends on proper incident classification, timestamp capture, and automated ticketing system data, not on the problem management process's KEDB.

933
MCQmedium

An organization is implementing COBIT 2019 to improve IT governance. Which of the following is a key component of the governance system according to COBIT 2019?

A.Processes
B.Service level agreements
C.Organizational structures
D.Principles, policies, and frameworks
AnswerD

COBIT 2019 lists principles, policies, and frameworks among the components of a governance system.

Why this answer

COBIT 2019 defines seven components of a governance system: processes; organizational structures; principles, policies and frameworks; information; culture, ethics and behavior; people, skills and competencies; and services, infrastructure and applications. Service level agreements (Option B) are an output of management practices, not a component. Because processes (Option A) and organizational structures (Option C) are also listed components, the keyed answer D rests on principles, policies, and frameworks being the component that gives direction to all the others.

934
MCQhard

An organization is evaluating its business continuity plan (BCP) for a critical application with a recovery time objective (RTO) of 4 hours and a recovery point objective (RPO) of 1 hour. The current backup strategy involves daily full backups and hourly transaction log backups. Which of the following is the MOST significant risk?

A.The backup media is stored in the same building as the primary system
B.The recovery process requires manual intervention to apply logs
C.The backups are not tested regularly
D.The hourly logs cover only the last 24 hours
AnswerA

If the building is destroyed, both primary and backup data are lost, violating basic business continuity principles.

Why this answer

Option A is correct because if the backups are kept in the same building as the primary system, a disaster that destroys the site destroys the backups too, making recovery impossible regardless of how frequently they are taken. Options B, C, and D are less critical: B (manual log application) is a procedural issue that lengthens recovery but does not prevent it, C (untested backups) is a real gap that can be closed by scheduling restore tests, and D (24 hours of hourly logs) still spans the interval between daily full backups, so the 1-hour RPO remains achievable.

935
MCQmedium

An organization is implementing a new CRM system and has chosen a build (in-house development) approach over buying a COTS product. Which of the following is the most significant risk of this decision?

A.Inability to customize the system to meet user requirements
B.Higher likelihood of project delays and budget overruns
C.Reduced control over security and data privacy
D.Vendor lock-in due to proprietary technology
AnswerB

In-house projects often face delays and cost overruns due to complexity and changing requirements.

Why this answer

In-house development carries a higher risk of project delays and budget overruns due to unforeseen technical challenges, scope creep, and resource constraints. This is a well-known risk in custom development projects.

936
MCQhard

An IS auditor is evaluating the effectiveness of an organization's information security awareness program. Which of the following is the BEST indicator of program effectiveness?

A.Percentage of employees who completed the training
B.Number of employees who acknowledged the security policy
C.Average score on the post-training quiz
D.Trend in security incidents attributed to human error
AnswerD

A downward trend indicates improved behavior due to awareness.

Why this answer

Option D is the best indicator because it directly measures the program's outcome: a reduction in security incidents caused by human error. While training completion, policy acknowledgment, and quiz scores measure activity or knowledge, they do not confirm that employees have changed their behavior. A downward trend in human-error-related incidents provides empirical evidence that the awareness program is effectively influencing employee actions in real-world scenarios.

Exam trap

The trap here is that candidates confuse activity metrics (completion, acknowledgment, quiz scores) with outcome metrics (actual behavior change and incident reduction), leading them to choose a proxy for effectiveness rather than the direct measure of program impact.

How to eliminate wrong answers

Option A is wrong because completion rates only measure attendance, not learning or behavior change; an employee can complete training without retaining or applying the material. Option B is wrong because acknowledging a policy is a procedural checkbox that does not verify understanding or compliance; it merely confirms receipt of information. Option C is wrong because post-training quiz scores measure short-term knowledge retention under test conditions, not the sustained application of secure practices in daily operations, and can be inflated by memorization or easy questions.

937
MCQmedium

In the context of ITIL change management, which change type requires approval from the Change Advisory Board (CAB)?

A.Emergency change
B.Normal change
C.Minor change
D.Standard change
AnswerB

Correct. Normal changes require CAB approval.

Why this answer

Normal changes require CAB approval because they have a higher risk and impact, unlike pre-approved standard changes or emergency fast-track changes.

938
Multi-Selecthard

Which THREE of the following are key considerations when selecting a software development methodology for a project?

Select 3 answers
A.Availability of project management software
B.Regulatory compliance requirements
C.Project size and complexity
D.Level of stakeholder involvement
E.Programming language preferences
AnswersB, C, D

May dictate waterfall.

Why this answer

Regulatory compliance requirements (Option B) are a key consideration because the chosen methodology must support necessary audit trails, documentation, and control frameworks (e.g., SOX, HIPAA, PCI DSS). A methodology like Waterfall provides rigid phase-gate documentation, while Agile may require adaptation (e.g., SAFe) to satisfy compliance evidence demands. Failure to align methodology with regulatory needs can lead to non-compliance findings during a CISA audit.

Exam trap

The trap here is that candidates confuse operational preferences (like tooling or language) with structural project characteristics (size, complexity, stakeholder involvement, and compliance) that truly constrain methodology choice.

939
Multi-Selecteasy

Which TWO are primary criteria for classifying information assets within an organization? (Choose two.)

Select 2 answers
A.The format of the data (structured vs. unstructured)
B.The age of the data
C.Business impact if the data is lost or disclosed
D.Physical storage location of the data
E.Legal and regulatory requirements
AnswersC, E

Impact determines sensitivity level.

Why this answer

Business impact if the data is lost or disclosed (Option C) is a primary criterion because classification directly depends on the potential harm to the organization—confidentiality, integrity, and availability breaches drive the classification level (e.g., public, internal, confidential, restricted). Legal and regulatory requirements (Option E) are also primary because they mandate specific classification labels and handling controls (e.g., GDPR for PII, HIPAA for PHI, PCI DSS for cardholder data) that override internal business impact assessments. These two factors form the core of any information classification policy, as they dictate the protective measures required.

Exam trap

The trap here is that candidates confuse operational attributes (format, age, location) with the foundational drivers of classification (business impact and legal/regulatory requirements), leading them to select options that describe how data is stored rather than why it needs protection.

940
MCQmedium

An IT department is struggling with project delays and budget overruns. Which governance practice would be MOST effective?

A.Establishing a project management office (PMO)
B.Outsourcing projects
C.Increasing IT staff
D.Adopting agile methodology
AnswerA

PMO provides governance, standards, and oversight.

Why this answer

Establishing a Project Management Office (PMO) provides standardized project management practices, oversight, and governance, addressing delays and overruns. Agile methodology alone may not provide governance; increasing staff or outsourcing may not solve underlying issues.

941
Multi-Selectmedium

Which TWO of the following are typical controls in the testing phase of the SDLC? (Select two.)

Select 2 answers
A.Rollback plan testing
B.Code reviews
C.Security testing (DAST/pen test)
D.Threat modeling
E.User acceptance testing (UAT)
AnswersC, E

Security testing is part of testing phase.

Why this answer

UAT ensures user acceptance, and security testing (e.g., DAST) identifies vulnerabilities before deployment.

942
Multi-Selecthard

Which THREE of the following are key metrics to include in a disaster recovery test report? (Select exactly 3.)

Select 3 answers
A.Amount of data lost (actual vs. RPO)
B.Cost per incident
C.Time taken to recover each critical system
D.Number of personnel involved
E.Percentage of successful restores
AnswersA, C, E

Measures data loss.

Why this answer

Option A is correct because the amount of data lost (actual vs. RPO) directly measures whether the recovery process met the Recovery Point Objective. This metric validates the effectiveness of backup frequency and replication lag, which is critical for determining if the DR plan preserved data integrity within acceptable loss limits.

Exam trap

The trap here is that candidates often confuse operational metrics (like cost or personnel count) with technical DR success metrics, leading them to select B or D instead of focusing on RPO, RTO, and restore integrity.

943
MCQhard

During a systems audit, the auditor finds that the project did not follow the organization's systems development methodology. What should the auditor do FIRST?

A.Accept if the project is on schedule
B.Recommend that the project be stopped
C.Report the deviation and assess the impact on controls
D.Interview the project team to understand why
AnswerC

The auditor must report and evaluate the risk.

Why this answer

The auditor's first responsibility upon discovering a deviation from the organization's systems development methodology is to report the finding and assess the impact on internal controls. This aligns with ISACA's audit standards, which require auditors to evaluate whether the deviation introduces risks to data integrity, security, or project governance. Without this assessment, the auditor cannot determine the severity of the non-compliance or recommend appropriate corrective actions.

Exam trap

The trap here is that candidates confuse the auditor's investigative curiosity (interviewing the team) with the required procedural first step (reporting and assessing control impact), leading them to select Option D instead of the correct audit response.

How to eliminate wrong answers

Option A is wrong because accepting a deviation solely because the project is on schedule ignores the potential for compromised controls, security vulnerabilities, or regulatory non-compliance that could arise from skipping methodology steps. Option B is wrong because recommending the project be stopped is a premature, high-impact action that should only be considered after assessing the control impact and discussing with management; the auditor's role is to evaluate, not unilaterally halt operations. Option D is wrong because while interviewing the project team may provide context, it is not the first step—the auditor must first formally document the deviation and evaluate its effect on controls to maintain audit trail integrity and objectivity.

944
MCQeasy

An organization is selecting a vendor for a new enterprise resource planning (ERP) system. Which of the following is the MOST critical factor in the vendor selection process?

A.Negotiate service level agreements (SLAs) in the contract.
B.Check vendor references for similar projects.
C.Clearly define business requirements before issuing the request for proposal (RFP).
D.Evaluate vendor financial stability.
AnswerC

Defining requirements ensures the RFP elicits relevant vendor responses.

Why this answer

Clearly defining business requirements before issuing the RFP is the most critical factor because it ensures that the ERP system will align with the organization's operational needs, processes, and data flows. Without a precise requirements definition, the RFP will lack the necessary evaluation criteria, leading to mismatched vendor proposals, scope creep, and potential project failure. This step directly impacts the success of the acquisition, as it forms the foundation for all subsequent vendor evaluation and contract negotiations.

Exam trap

The trap here is that candidates often prioritize contractual or due diligence activities (like SLAs or financial checks) over the foundational step of requirements definition, mistakenly believing that vendor evaluation can proceed without a clear, documented baseline of what the system must accomplish.

How to eliminate wrong answers

Option A is wrong because negotiating SLAs is a contractual activity that occurs after vendor selection; while important for performance monitoring, it is not the most critical factor in the selection process itself. Option B is wrong because checking vendor references, though useful for validating past performance, is a secondary validation step that cannot compensate for a poorly defined requirements baseline. Option D is wrong because evaluating vendor financial stability, while relevant for long-term viability, is a risk assessment factor that should be considered after ensuring the vendor can meet the defined business needs; it does not address the core alignment of the ERP system with organizational requirements.

945
Matchingmedium

Match each security control to its category.


Concepts

Preventive

Detective

Corrective

Administrative

Technical

Why these pairings

Controls are classified by function.

946
MCQhard

A financial services company is developing a new customer-facing web application for account management. The project is using a waterfall methodology. The initial requirements were gathered six months ago, and the coding phase is nearly complete. The business sponsor now requests a new feature that allows customers to view transaction receipts online. The project manager is concerned that this change will delay the project by two months and exceed the budget. The sponsor insists that the feature is critical for customer satisfaction and that the project must adapt. The development team estimates it will take 200 hours to implement. The steering committee is divided. As an IS auditor, what would be the BEST recommendation to resolve this?

A.Formally submit a change request, assess the impact on cost and schedule, and obtain approval from the change control board before proceeding.
B.Terminate the current project and launch a new project incorporating the new feature.
C.Advise the sponsor to postpone the feature until the next release and continue as planned.
D.Instruct the development team to implement the feature immediately to satisfy the sponsor.
AnswerA

Change control manages scope creep.

Why this answer

In a waterfall methodology, changes after the coding phase require a formal change control process to assess impact on cost, schedule, and scope. The correct answer is A because submitting a change request to the change control board (CCB) ensures that the 200-hour effort, two-month delay, and budget overrun are evaluated against business priorities, maintaining project governance and auditability. This aligns with ISACA’s guidance on managing scope creep in systems development.

Exam trap

The trap here is that candidates may choose Option C (postpone) thinking it avoids delay, but the question explicitly states the sponsor insists the feature is critical, so ignoring it fails to address the business need and can lead to project failure despite staying on schedule.

How to eliminate wrong answers

Option B is wrong because terminating the current project and launching a new one is an extreme, inefficient response that wastes completed coding work and introduces unnecessary risk, failing to leverage the existing investment. Option C is wrong because it unilaterally overrides the sponsor’s business-critical requirement without formal evaluation, which can lead to stakeholder dissatisfaction and missed market needs, violating the principle of balanced governance. Option D is wrong because instructing the team to implement immediately bypasses change control, budget approval, and impact analysis, creating uncontrolled scope creep and potential audit findings for unauthorized changes.

947
MCQhard

An IS auditor is reviewing the release management process for a critical application. The release strategy includes a phased rollout to 10% of users initially, then 50%, then 100%. The first phase revealed a data integrity issue that affected a subset of transactions. The release manager decided to continue with the next phase while a patch was being developed. What should the auditor most recommend?

A.Document the issue as a known error and proceed.
B.Accelerate the rollout to quickly identify all issues.
C.Increase testing in the next phase to catch issues earlier.
D.Halt the rollout until the data integrity issue is resolved.
AnswerD

Halting prevents further damage and ensures the fix is applied before broader deployment.

Why this answer

Continuing the rollout while a data integrity issue exists could affect more users. Best practice is to halt the rollout until the issue is resolved and patched, to prevent further impact and ensure the fix is effective.

948
MCQhard

A multinational corporation is designing its disaster recovery strategy to meet a recovery point objective (RPO) of 15 minutes for its critical database. Which replication method is MOST appropriate?

A.Asynchronous replication over WAN
B.Daily incremental backups to tape
C.Synchronous replication with write-back caching
D.Periodic snapshot every hour
AnswerC

Correct: Synchronous replication ensures transactions are committed at both sites, meeting RPO.

Why this answer

Synchronous replication with write-back caching provides near-zero data loss while limiting the latency penalty of waiting for the remote commit. Asynchronous replication introduces a replication lag that is not bounded by the RPO under WAN congestion, daily tape backups far exceed a 15-minute RPO, and hourly snapshots allow up to an hour of loss.

949
Multi-Selectmedium

An IS auditor is reviewing vendor management practices for a cloud-based SaaS solution. Which TWO of the following are critical elements to include in the contract's service level agreement (SLA)? (Select TWO.)

Select 2 answers
A.Guaranteed uptime percentage with penalties for non-compliance
B.The vendor's marketing plan for the solution
C.Data ownership and portability rights
D.The vendor's employee training program details
E.The vendor's disaster recovery testing schedule
AnswersA, C

Uptime guarantees are a key performance indicator in SLAs.

Why this answer

The SLA should define performance metrics (uptime) and data ownership/portability to ensure business continuity and data control. Audit rights are also important but are often in a separate clause.

950
MCQhard

An organization has configured HSRP as shown. During a failover test, the primary router (G0/1) is shut down, but the DR site router does not become active. What is the MOST likely reason?

A.The default route on the primary router points to the wrong next-hop
B.The preempt command is missing on the DR router
C.The OSPF routing protocol is not redistributing the default route
D.The HSRP group numbers on the two interfaces do not match
AnswerD

HSRP group 1 is on G0/1 and group 2 on G0/2; they should be the same group to provide redundancy for the same virtual IP.

Why this answer

HSRP requires that both routers participating in the same virtual IP address use the same group number to form a single HSRP group. If the group numbers on the two interfaces do not match, each router will form its own separate HSRP group, and neither will recognize the other as a peer. Consequently, when the primary router fails, the DR router does not assume the active role because it is not part of the same HSRP group.

Exam trap

The trap here is that candidates often confuse an HSRP group-number mismatch with a missing preempt command or a routing problem, but the CISA exam tests the fundamental requirement that both routers must be configured in the same HSRP group (same group number and virtual IP on the shared segment) before failover can occur.

How to eliminate wrong answers

Option A is wrong because the default route on the primary router pointing to the wrong next-hop would affect traffic forwarding but does not prevent HSRP failover; HSRP operates independently of routing table entries. Option B is wrong because the preempt command is only needed if you want a higher-priority router to reclaim the active role after it recovers; it is not required for the DR router to become active during a failover when the primary is shut down. Option C is wrong because OSPF redistribution of a default route is unrelated to HSRP state transitions; HSRP uses its own hello messages and timers to determine active/standby status, not OSPF routing updates.
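As an added example (not part of the original question, whose configuration figure is not reproduced here), the following Python script parses two constructed Cisco IOS-style interface stanzas and reports the group mismatch the answer describes, then shows the corrected DR configuration passing. The interface names, addresses, priorities and the configs themselves are assumptions.

```python
import re
from typing import Dict, List

# Constructed IOS-style snippets (assumed; the original question's diagram is not shown).
PRIMARY_CFG = """
interface GigabitEthernet0/1
 ip address 10.1.1.2 255.255.255.0
 standby 1 ip 10.1.1.1
 standby 1 priority 110
 standby 1 preempt
"""

DR_CFG_MISMATCH = """
interface GigabitEthernet0/2
 ip address 10.1.1.3 255.255.255.0
 standby 2 ip 10.1.1.1
 standby 2 priority 90
"""

DR_CFG_FIXED = """
interface GigabitEthernet0/2
 ip address 10.1.1.3 255.255.255.0
 standby 1 ip 10.1.1.1
 standby 1 priority 90
"""

STANDBY_RE = re.compile(r"^\s*standby\s+(\d+)\s+(ip|priority|preempt)(?:\s+(\S+))?\s*$")


def parse_hsrp(cfg: str) -> Dict[int, dict]:
    """Map HSRP group number -> {vip, priority, preempt} from interface config text."""
    groups: Dict[int, dict] = {}
    for line in cfg.splitlines():
        m = STANDBY_RE.match(line)
        if not m:
            continue
        group, key, val = int(m.group(1)), m.group(2), m.group(3)
        entry = groups.setdefault(group, {"vip": None, "priority": 100, "preempt": False})
        if key == "ip":
            entry["vip"] = val
        elif key == "priority":
            entry["priority"] = int(val)
        else:  # preempt
            entry["preempt"] = True
    return groups


def check_redundancy(primary_cfg: str, dr_cfg: str) -> List[str]:
    """Findings for two routers meant to protect the same virtual IP.
    An empty list means the pair can form one HSRP group and fail over."""
    primary, dr = parse_hsrp(primary_cfg), parse_hsrp(dr_cfg)
    by_vip_primary = {e["vip"]: g for g, e in primary.items()}
    by_vip_dr = {e["vip"]: g for g, e in dr.items()}
    findings = []
    for vip, pg in by_vip_primary.items():
        dg = by_vip_dr.get(vip)
        if dg is None:
            findings.append(f"{vip}: DR router has no HSRP group for this virtual IP")
        elif dg != pg:
            # Hellos are exchanged per group, so routers in different groups never
            # see each other; each believes it is alone and the standby never takes over.
            findings.append(f"{vip}: group mismatch (primary group {pg}, DR group {dg}); "
                            "neither router sees the other as standby")
        elif primary[pg]["priority"] == dr[dg]["priority"]:
            findings.append(f"{vip}: equal priorities; active role decided by highest interface IP")
    return findings


if __name__ == "__main__":
    for label, dr_cfg in (("mismatched", DR_CFG_MISMATCH), ("fixed", DR_CFG_FIXED)):
        print(label, check_redundancy(PRIMARY_CFG, dr_cfg) or ["OK: same group, failover possible"])
```

A mismatch of this kind also means two separate groups are claiming the same virtual IP on one segment, so the live check during a failover test is `show standby` on both routers: each should list the other as its peer in the same group before the primary interface is shut down.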

951
Multi-Selectmedium

An IS auditor is evaluating an organization's SDLC controls for a new system. Which TWO of the following are key controls that should be in place during the design phase? (Select TWO.)

Select 2 answers
A.Architecture review by a senior architect
B.Static application security testing (SAST)
C.User acceptance testing (UAT)
D.Regression testing
E.Threat modeling to identify security threats
AnswersA, E

Architecture review validates the design against requirements and best practices.

Why this answer

Architecture review by a senior architect is a key control during the design phase because it ensures the system's high-level structure aligns with security, scalability, and business requirements before development begins. This review catches design flaws early, reducing costly rework and preventing architectural weaknesses that could be exploited later. It is a formal gate in the SDLC that validates the design against established patterns and standards.

Exam trap

The trap here is that candidates confuse security testing techniques like SAST with design-phase controls, or they mistakenly think UAT or regression testing occur early in the SDLC, when in fact they belong to later phases.

952
MCQmedium

An organization is selecting a vendor for a new procurement system. Which of the following is the MOST important factor to include in the contract?

A.A clause limiting vendor liability
B.Fixed price for the entire contract term
C.Detailed service level agreements (SLAs)
D.Right to audit the vendor's security controls
AnswerD

This allows the organization to assess vendor compliance.

Why this answer

Audit rights ensure the organization can verify vendor controls and compliance, which is critical for outsourcing.

953
MCQeasy

During an audit of the information security program, the IS auditor reviews the organization's information security policy. Which of the following is the PRIMARY purpose of an information security policy?

A.To provide detailed step-by-step instructions for implementing security controls
B.To specify the technical configurations for security devices
C.To define the roles and responsibilities for information security
D.To communicate management's commitment and direction for information security
AnswerD

The policy is a high-level statement of management's intent and sets the tone for the security program.

Why this answer

An information security policy sets the high-level direction and principles for the security program, outlining management's commitment and expectations.

954
MCQmedium

Which of the following is the MOST effective control to prevent unauthorized USB devices from connecting to corporate workstations?

A.Device control software that blocks non-approved USB devices.
B.User awareness training.
C.Physical security guards.
D.Encrypting all USB devices.
AnswerA

Technical enforcement is most effective.

Why this answer

Device control software (e.g., endpoint DLP or USB whitelisting tools) operates at the OS kernel or driver level to enforce a hardware ID or vendor ID allowlist, blocking any USB device not explicitly approved. This is the only option that provides a preventive, automated, and continuous control against unauthorized USB connections, regardless of user behavior or physical access.

Exam trap

The trap here is that candidates often confuse encryption (which protects data confidentiality) with access control (which prevents connection), or overestimate the effectiveness of training and physical security against a technical bypass like USB autorun or BadUSB.

How to eliminate wrong answers

Option B is wrong because user awareness training is an administrative, deterrent control that relies on human compliance and does not technically prevent a USB device from being recognized by the operating system. Option C is wrong because physical security guards control physical access to the facility but cannot prevent an insider from plugging an unauthorized USB device into a workstation already inside the perimeter. Option D is wrong because encrypting USB devices protects data at rest on the device but does nothing to prevent the device from being connected to a corporate workstation in the first place.

955
Multi-Selectmedium

An IS auditor is reviewing a business continuity plan (BCP). Which TWO of the following are key components of the business continuity strategy? (Select two.)

Select 2 answers
A.Incident management procedures
B.Data backup and recovery
C.Alternate facilities
D.Service desk procedures
E.Change management process
AnswersB, C

Data backup and recovery are critical for continuity.

Why this answer

Alternate facilities and data backup and recovery are essential components of BC strategy.

956
Multi-Selecthard

An IS auditor is assessing the backup and recovery procedures for a critical database. Which TWO of the following are the MOST important controls to ensure recoverability?

Select 2 answers
A.Backup media is encrypted.
B.Full backups are performed weekly.
C.Restore tests are conducted quarterly.
D.Backup logs are reviewed daily.
E.Backups are stored offsite.
AnswersC, E

Restore tests verify that backups can actually be recovered.

Why this answer

Option C is correct because regular restore tests (e.g., quarterly) are the only way to validate that backup data can actually be recovered and that the recovery procedures work as intended, which directly ensures recoverability. Option E is correct because storing backups offsite protects against site-level disasters (fire, flood, physical theft) that could destroy both primary data and on-site backups, ensuring data can be recovered from a separate location.

Exam trap

The trap here is that candidates often confuse backup existence or frequency (e.g., weekly full backups) with recoverability, failing to recognize that only actual restore testing proves a backup is usable, and that offsite storage is critical for disaster recovery, not just for data protection.

957
Multi-Selectmedium

Which THREE of the following are acceptable methods for gathering audit evidence? (Select THREE.)

Select 3 answers
A.Accepting management's assertions without corroboration
B.Observation of processes being performed
C.Reperformance of control procedures
D.Inquiry of personnel
E.Obtaining hearsay from third parties
AnswersB, C, D

Observation provides direct evidence of control performance.

Why this answer

Observation of processes being performed (Option B) is an acceptable audit evidence-gathering technique because the auditor directly witnesses the execution of controls or procedures, providing firsthand evidence of their operation. This method is particularly valuable for assessing the effectiveness of manual controls or physical security measures, as it allows the auditor to verify that the process is performed as documented and to identify any deviations in real-time.

Exam trap

The trap here is that candidates may reject inquiry (Option D) because it is the weakest form of evidence, but it is an acceptable method when corroborated by other procedures, whereas accepting unsupported management assertions (Option A) and third-party hearsay (Option E) are never acceptable as audit evidence.

958
Multi-Selectmedium

An IS auditor is assessing the effectiveness of controls over a critical financial system. Which TWO types of evidence provide the highest level of assurance? (Select TWO.)

Select 2 answers
A.Re-performance
B.Inquiry
C.Inspection of documentation
D.Observation
E.Analytical procedures
AnswersA, D

Re-performance provides direct evidence of control effectiveness.

Why this answer

Re-performance and observation provide direct evidence: re-performance shows that the control works, and observation gives the auditor firsthand evidence of its execution.

959
MCQmedium

An IS auditor is using analytical procedures during the planning phase. Which of the following is an example of an analytical procedure?

A.Comparing current-year expenses to prior-year expenses
B.Observing the inventory count
C.Inspecting authorization forms for signatures
D.Confirming account balances with third parties
AnswerA

Correct; this is a trend analysis, a type of analytical procedure.

Why this answer

Analytical procedures involve comparisons of data to expectations, such as comparing current-year data to prior-year data to identify unusual fluctuations.

960
MCQeasy

An organization's backup strategy involves weekly full backups and daily incremental backups. After a system failure, the restoration takes longer than expected. What is the most likely cause?

A.Incremental backups not stored offsite
B.Full backup frequency too low
C.Restoration process not tested
D.Tape rotation failure
AnswerC

Without testing, the actual time required for restoration is unknown, leading to unrealistic expectations.

Why this answer

Option C (restoration process not tested) is correct because without periodic testing, the recovery time may be underestimated. Option B (full backup frequency too low) is plausible but not the most likely cause given the time issue; Options A and D are incorrect because they are not directly related to the restoration time.

961
Multi-Selecteasy

According to ISACA audit standards, which TWO of the following are phases of the audit process? (Select two.)

Select 2 answers
A.Reporting
B.Documentation
C.Planning
D.Testing
E.Risk assessment
AnswersA, C

Reporting is a distinct phase.

Why this answer

The standard audit process phases are planning, fieldwork, reporting, and follow-up. Risk assessment is part of planning, and testing is part of fieldwork.

962
MCQmedium

An IS auditor is reviewing the logical access controls of a financial application. Which of the following is the BEST way to verify that user access rights are appropriate?

A.Interview the IT security manager about the access control process.
B.Review the access control list for each user.
C.Re-perform a sample of transactions to detect unauthorized access.
D.Compare the user access rights with the job descriptions and responsibilities.
AnswerD

This directly validates whether access aligns with job functions.

Why this answer

Option D is correct because comparing user access rights directly against job descriptions and responsibilities is the most effective method to verify that access is appropriate based on the principle of least privilege. This approach ensures that each user's permissions align with their actual job functions, which is the core objective of a logical access control review. Interviewing or reviewing lists alone does not validate the appropriateness of access against business roles.

Exam trap

The trap here is that candidates often choose Option C (re-performing transactions) because it sounds like a direct test of control effectiveness, but it only detects unauthorized access after the fact and does not verify the appropriateness of the access rights themselves.

How to eliminate wrong answers

Option A is wrong because interviewing the IT security manager only provides a subjective, second-hand description of the process, not objective evidence that actual user access rights are appropriate. Option B is wrong because reviewing the access control list for each user shows what rights exist but does not compare them against any baseline (e.g., job roles) to determine if those rights are appropriate. Option C is wrong because re-performing a sample of transactions detects unauthorized access attempts but does not verify that the current access rights assigned to users are appropriate; it tests operational effectiveness, not the design of access provisioning.

963
MCQeasy

An organization is developing its IT strategy to align with the overall business strategy. The business strategy emphasizes rapid market expansion through digital products. Which of the following IT strategies would BEST support this business goal?

A.Standardize all IT systems to reduce complexity.
B.Adopt agile development methods and scalable cloud infrastructure.
C.Outsource all IT operations to a low-cost provider.
D.Minimize IT investment to preserve capital for business growth.
AnswerB

Agile and cloud enable rapid, scalable deployment of digital products.

Why this answer

Option B is correct because rapid market expansion requires agility and speed. Option A is wrong because strict standardization may slow down innovation. Option D is wrong because minimizing IT investment would hinder digital product development.

Option C is wrong because outsourcing to the lowest-cost provider may compromise quality and speed.

964
MCQeasy

An IS auditor is preparing the audit report. According to ISACA standards, which of the following should be included in the final audit report?

A.Only the audit findings
B.Only the recommendations
C.Findings, recommendations, and management action plans
D.The audit program and procedures
AnswerC

Correct; this is the standard content of an audit report.

Why this answer

The final audit report should include findings, recommendations, and management's action plans to provide a complete picture and enable follow-up.

965
MCQmedium

A company is considering restructuring its IT department from a centralized to a decentralized model to give business units more autonomy. What is a PRIMARY governance risk associated with this move?

A.Difficulty in managing vendor contracts due to decentralization.
B.Reduced innovation due to lack of central coordination.
C.Increased risk of project cost overruns.
D.Inconsistent IT policies and security controls across business units.
AnswerD

Decentralization often leads to divergence in standards and controls.

Why this answer

Option D is correct because decentralized IT can lead to inconsistent policies and standards across units. Option C is wrong because cost overruns can occur in any model. Option B is wrong because innovation may increase with autonomy.

Option A is wrong because vendor management can be decentralized but still controlled.

966
MCQeasy

Refer to the exhibit. An auditor reviews the ACL and notes that it allows traffic from a specific host while blocking other IPs in the same subnet. What is the most likely security issue?

A.The ACL blocks all traffic from the subnet except the host, which is desired.
B.The ACL is misconfigured because the permit any at the end bypasses the deny.
C.The ACL allows all traffic from the specific host, which is a risk.
D.The ACL should be reversed to deny first.
AnswerB

Correct. The permit any at the end makes the deny rule redundant, allowing all traffic from the subnet.

Why this answer

Option B is correct because the ACL has a 'permit any' statement at the end, which overrides the preceding 'deny' statements. In Cisco ACLs, packets are processed sequentially from top to bottom; once a match is found, no further rules are evaluated. Therefore, the 'deny' for the subnet is never reached, and all traffic (including from the blocked subnet) is permitted, defeating the intended restriction.

Exam trap

The trap here is that candidates assume that a 'deny' statement earlier in the ACL will block traffic regardless of later 'permit any' statements, but Cisco ACLs process rules sequentially and the first match wins, so the 'permit any' overrides the deny.

How to eliminate wrong answers

Option A is wrong because the ACL does not block all traffic from the subnet except the host; the 'permit any' at the end permits all traffic, including from the subnet, so the desired behavior is not achieved. Option C is wrong because allowing traffic from the specific host is the intended function, not a risk; the real issue is that the 'permit any' allows unintended traffic. Option D is wrong because reversing the order (deny first) is not the core problem; the issue is the presence of the 'permit any' statement that bypasses the deny, not the sequence of existing rules.

967
MCQmedium

An organization has experienced several security incidents due to unauthorized changes to production systems. Which governance mechanism should be strengthened?

A.IT asset management
B.Configuration management database
C.Incident response plan
D.Change management process
AnswerD

This controls the approval and implementation of changes.

Why this answer

A change management process ensures that all changes are authorized, tested, and approved, directly addressing unauthorized changes. Asset management, CMDB, and incident response are supportive but not the primary control.

968
MCQmedium

Refer to the exhibit. The IAM policy is intended to allow only requests originating from account 123456789012 to perform any S3 actions. Why does the policy NOT achieve this objective?

A.The Resource element is set to "*", which allows all actions on all resources regardless of the condition.
B.The condition key 'aws:SourceAccount' only applies when the request is made from another account; it does not restrict access to resources owned by the same account.
C.The policy should include a Deny statement for all other accounts to be effective.
D.The Version element is incorrect and should be updated to the latest version.
AnswerB

The condition key is misapplied; it does not limit the S3 resources to those in the specified account.

Why this answer

Option B is correct because the 'aws:SourceAccount' condition key is designed for use in resource-based policies (like S3 bucket policies) to prevent cross-account confusion of resources. It does not restrict access within the same account; it only validates the source account when the request originates from a different account. Since the policy is an IAM identity-based policy (attached to a user/role), the 'aws:SourceAccount' condition is not evaluated for same-account requests, so any principal in account 123456789012 can still perform S3 actions without being restricted by this condition.

Exam trap

The trap here is that candidates assume 'aws:SourceAccount' works identically in both identity-based and resource-based policies, but it only restricts cross-account access and has no effect on same-account requests, leading to a false sense of security.

How to eliminate wrong answers

Option A is wrong because the Resource element set to '*' is valid in an IAM identity-based policy and does not inherently cause the policy to fail; the issue is with the condition key, not the resource wildcard. Option C is wrong because adding a Deny statement for other accounts is unnecessary and would not fix the core problem—the condition key 'aws:SourceAccount' is already intended to restrict access, but it does not apply to same-account requests. Option D is wrong because the Version element (e.g., '2012-10-17') is correct and does not affect the policy's logic; the latest version is not required for functionality.

969
MCQeasy

An IT steering committee is reviewing a proposal for a new customer relationship management (CRM) system. Which of the following BEST demonstrates that the proposal aligns with the organization's strategic goals?

A.The business case includes a clear link to the organization's five-year strategic plan.
B.The project manager has extensive experience with CRM implementations.
C.The proposed system includes advanced analytics capabilities.
D.The vendor offers discounted licensing for the first year.
AnswerA

Direct reference to the strategic plan demonstrates alignment.

Why this answer

Option A is correct because a clear link to the organization's strategic plan demonstrates alignment. Option B concerns the project manager's experience, not alignment. Option C is a feature that may not be strategic.

Option D is a cost-saving tactic, not evidence of strategic alignment.

970
MCQmedium

An IS auditor is reviewing the capacity management process for a server hosting a critical application. The server's CPU utilization has been consistently above 90% for the past three months, and memory usage is at 85%. There are no threshold alerts configured. The capacity plan shows that additional resources are scheduled to be added in six months. What should the auditor most recommend?

A.Review the capacity plan and adjust the forecast.
B.Accept the risk as the server has not failed yet.
C.Request immediate addition of resources to meet current demand.
D.Implement threshold alerts to monitor the situation.
AnswerC

Given sustained high utilization, immediate action is needed.

Why this answer

The high utilization indicates a need for immediate capacity expansion. The existing plan is too far in the future, risking performance degradation or outages. The auditor should recommend expediting the addition of resources.

971
MCQhard

An IT auditor is reviewing the business continuity plan (BCP) for a financial services firm. The plan includes a hot site that is shared with another organization under a reciprocal agreement. Which of the following findings should be of MOST concern to the auditor?

A.The hot site uses a different internet service provider than the primary site
B.The hot site has not been tested in the past 12 months
C.The reciprocal agreement does not guarantee exclusive use of the hot site during a disaster
D.The hot site is located in the same seismic zone as the primary site
AnswerC

If both organizations activate simultaneously, the hot site may not have sufficient capacity for both.

Why this answer

Option C is correct because a reciprocal agreement for a shared hot site does not guarantee exclusive access during a disaster. If both organizations declare a disaster simultaneously, the site may become oversubscribed, leading to resource contention and potential failure of the BCP. This directly undermines the recovery capability, making it the most critical finding.

Exam trap

The trap here is that candidates may focus on technical details like ISP diversity or testing frequency, but the core BCP principle is that a shared resource without guaranteed exclusive access is a fundamental design flaw that can render the entire plan ineffective during a concurrent disaster.

How to eliminate wrong answers

Option A is wrong because using a different ISP for the hot site is actually a best practice to avoid single points of failure and is not a concern. Option B is wrong because while annual testing is recommended, the lack of a test in 12 months is a finding but not as critical as the lack of guaranteed exclusive access; the plan could still be viable with more frequent testing scheduled. Option D is wrong because being in the same seismic zone is a risk, but it is less immediate than the operational risk of resource contention; many organizations accept this risk with geographic separation within the same region.

972
MCQhard

An organization is implementing a COTS application. The project team plans to heavily customize the application to meet unique business processes. Which of the following is the most significant risk?

A.Vendor lock-in
B.Incompatibility with future releases
C.Difficulties in applying future vendor upgrades
D.High implementation cost
AnswerC

Customizations break compatibility with standard upgrades, jeopardizing future support.

Why this answer

Option C is correct because heavy customization makes it difficult to apply vendor upgrades, potentially leading to unsupported software. Option A is incorrect because, while vendor lock-in is a risk, upgrade difficulties are the more direct consequence. Option B is incorrect because incompatibility with future releases is a symptom of upgrade difficulties.

Option D is incorrect because high cost is a secondary concern.

973
MCQmedium

A software development company uses a cloud-based source code repository (e.g., GitHub) to store proprietary code. The company has two-factor authentication (2FA) enabled for all accounts. A developer's personal computer was infected with malware that stole the developer's session cookies and local credentials. The attacker used the stolen session to access the code repository and exfiltrated the entire codebase. The company's security team reviews the incident and notes that the repository has audit logging, but the logs were not monitored in real time. The team wants to implement additional controls to prevent a similar incident. Which control would have been most effective in preventing the exfiltration?

A.Use a SIEM to alert on unusual access patterns in real time
B.Enforce code signing for all commits
C.Require access to the code repository only from company-managed IP addresses
D.Implement a shorter session timeout for the code repository
AnswerC

IP whitelisting prevents access from unauthorized locations.

Why this answer

Option C is correct because restricting access to the code repository to only company-managed IP addresses (e.g., via a VPN or a corporate NAT gateway) would have prevented the attacker from using the stolen session cookies from an external, non-corporate IP. Even though the attacker had valid session tokens, the repository's access control list (ACL) would have blocked the connection at the network layer, stopping the exfiltration before it could begin. This control addresses the root cause—unauthorized network origin—rather than relying on detection or session management alone.

Exam trap

The trap here is that candidates often choose a detective or session-management control (like SIEM or shorter timeout) because they focus on the stolen session cookies, but the most effective preventive control is one that restricts the network origin of access, which the attacker cannot bypass without a corporate IP.

How to eliminate wrong answers

Option A is wrong because a SIEM alerting on unusual access patterns is a detective control, not a preventive one; it would not stop the exfiltration in real time, especially if the attacker mimicked normal developer behavior. Option B is wrong because code signing ensures the integrity and authenticity of commits but does not prevent an attacker from cloning or exfiltrating the repository; it protects against tampered code, not unauthorized access. Option D is wrong because a shorter session timeout would only reduce the window of opportunity for an attacker using stolen cookies, but it would not prevent the exfiltration if the attacker acted within the valid session window; the session was already compromised.

974
MCQhard

An IS auditor is evaluating the patch management process. The auditor notes that critical security patches are applied within 30 days, but the policy requires 7 days. The IT manager states that the delay is due to testing requirements. What should the auditor recommend?

A.Implement a risk-based patching process that allows faster deployment for critical patches
B.Require automated patching without testing
C.Accept the current practice as a compensating control
D.Modify the policy to align with the actual patching timeline
AnswerA

This balances the need for testing and timely patching.

Why this answer

The auditor should recommend a risk-based approach that allows expedited patching for critical vulnerabilities while maintaining testing for less critical ones. The process should be reviewed to balance security and stability.

975
Multi-Selectmedium

Which TWO of the following are considered essential components of an information security policy framework? (Choose two.)

Select 2 answers
A.Data classification policy
B.Business continuity plan
C.Incident response plan
D.Network architecture diagram
E.Acceptable use policy
AnswersA, E

Establishes data sensitivity categories.

Why this answer

A data classification policy is essential because it defines how information assets are categorized based on sensitivity and criticality (e.g., public, internal, confidential, restricted). This classification directly drives the selection and enforcement of appropriate security controls, such as encryption standards (e.g., AES-256 for confidential data) and access control mechanisms (e.g., role-based access control). Without it, security measures cannot be consistently applied across the organization, leading to gaps in protection.

Exam trap

ISACA often tests the distinction between policies (high-level rules) and operational plans or technical artifacts; candidates mistakenly select the BCP or incident response plan as policy components because they are security-related, but they are not part of the policy framework itself.

Certified Information Systems Auditor CISA CISA Questions 901–975 | Page 13/14 | Courseiva