Certified Information Systems Auditor CISA (CISA) — Questions 976–984

984 questions total · 14 pages · All types, answers revealed

Page 14 of 14

976
MCQ · medium

An organization is adopting a decentralized IT structure to better meet the needs of its business units. Which of the following is a potential risk of this approach?

A. Increased duplication of IT resources and inconsistent standards
B. Slower response to business unit needs
C. Higher initial setup costs for central services
D. Reduced alignment with corporate strategy
Answer: A

Without central coordination, business units may implement redundant systems and diverge in standards.

Why this answer

Decentralized IT can lead to duplication of efforts and inconsistent standards across units, increasing complexity and cost.

977
MCQ · medium

An IT auditor is reviewing the change management process for a financial institution. The auditor finds that emergency changes are frequently approved by the change manager without CAB review. Which risk is most associated with this practice?

A. Increase in unauthorized changes
B. Excessive documentation overhead
C. Delayed incident resolution
D. Inadequate backup procedures
Answer: A

Lack of CAB oversight for emergency changes can lead to unauthorized modifications.

Why this answer

Emergency changes bypass normal review, increasing the risk of unauthorized or poorly tested changes that could disrupt operations or introduce security vulnerabilities.

978
MCQ · hard

A company plans to implement a commercial off-the-shelf (COTS) application and requires significant customization to match its unique business processes. The vendor advises against extensive customization because it may complicate future upgrades. What is the BEST course of action?

A. Use the vendor's customization module to minimize upgrade risks
B. Customize but maintain detailed documentation for upgrade impact analysis
C. Proceed with extensive customization to meet business needs
D. Avoid customization and re-engineer business processes to match the COTS application
Answer: D

Minimizing customization is best practice to ensure smooth upgrades.

Why this answer

The best course of action is to avoid customization and re-engineer business processes to match the COTS application. This approach preserves the integrity of the vendor's standard codebase, ensuring that future upgrades and patches can be applied with minimal friction. Extensive customization creates a fork from the vendor's baseline, leading to costly regression testing, potential security gaps, and upgrade incompatibilities that undermine the long-term value of the COTS investment.

Exam trap

The trap here is that candidates often choose 'customize but document' (Option B) because it sounds like a balanced, pragmatic approach, but the CISA exam emphasizes that any customization that deviates from the vendor's standard configuration introduces unacceptable upgrade and maintenance risks, making process re-engineering the only truly sustainable choice.

How to eliminate wrong answers

Option A is wrong because using a vendor's customization module does not eliminate upgrade risks; it only provides a structured way to apply customizations, but those customizations still create dependencies on specific API versions or hooks that can break during major version upgrades. Option B is wrong because maintaining detailed documentation for upgrade impact analysis is a mitigation tactic, not a solution—it does not prevent the underlying technical debt, code conflicts, or the need for extensive rework when the vendor releases a new version. Option C is wrong because proceeding with extensive customization directly contradicts the vendor's guidance and industry best practices, leading to a 'customized fork' that makes future upgrades prohibitively expensive or impossible without re-implementing all custom logic.

979
MCQ · easy

A financial institution is deploying a data loss prevention (DLP) solution. Which of the following is the MOST important prerequisite to ensure the DLP can effectively detect sensitive data?

A. Configuring incident response procedures
B. Installing endpoint agents on all devices
C. Implementing network segmentation
D. Performing a data classification exercise
Answer: D

Data classification identifies and labels sensitive data, allowing DLP to detect it accurately.

Why this answer

A DLP solution detects sensitive data by matching content against predefined patterns or rules. Without a data classification exercise, the organization cannot define what constitutes 'sensitive data' (e.g., PII, PCI, IP), making the DLP blind to what it should monitor. Classification provides the taxonomy and metadata (e.g., labels, tags) that the DLP engine uses to trigger alerts or blocks, ensuring detection is both accurate and aligned with policy.

Exam trap

ISACA often tests the misconception that deploying agents or configuring network controls is the first step, but the trap here is that technical controls are useless without first defining what data is sensitive through classification.

How to eliminate wrong answers

Option A is wrong because incident response procedures are reactive steps taken after a DLP alert is generated, not a prerequisite for detection itself; configuring them before classification would leave the DLP without a detection baseline. Option B is wrong because endpoint agents are a deployment method for DLP, but without knowing what data is sensitive, agents cannot be configured to scan for the correct content or patterns. Option C is wrong because network segmentation controls data flow between zones but does not define what data is sensitive; a DLP can still fail to detect sensitive data crossing segments if it lacks classification rules.

980
MCQ · hard

An IT auditor is evaluating the capacity management process. Which of the following findings would be of MOST concern?

A. Alert thresholds are set at 80% utilization
B. Resource utilization trends are not monitored
C. Capacity thresholds are reviewed annually
D. Capacity reports are generated monthly
Answer: B

Without monitoring trends, the organization cannot proactively plan for capacity needs, leading to increased risk of outages.

Why this answer

The most concerning finding is that, without utilization trend monitoring, capacity planning becomes reactive: performance degrades or outages occur before anyone recognizes that thresholds are being approached and need to be raised. This indicates a lack of proactive management.

981
Multi-Select · hard

An organization is implementing a change management process based on ITIL. Which THREE change types should be included in the policy?

Select 3 answers
A. Planned change – scheduled during maintenance windows with no approval needed.
B. Emergency change – requires immediate implementation to resolve a major incident.
C. Standard change – pre-approved, low risk, follows a defined procedure.
D. Major change – requires executive approval and a separate risk assessment.
E. Normal change – requires approval from the Change Advisory Board (CAB).
Answers: B, C, E

Options B, C and E give the correct ITIL definitions of the emergency, standard and normal change types.

Why this answer

Option B is correct because ITIL defines an Emergency change as one that must be implemented as soon as possible—often to resolve a major incident or security vulnerability. This change type bypasses the normal CAB approval cycle and uses a dedicated Emergency CAB (ECAB) process to authorize and implement the fix rapidly while still maintaining control.

Exam trap

The trap here is that candidates confuse 'Planned change' (a scheduling concept) with a formal ITIL change type, leading them to select Option A, but ITIL only recognizes Standard, Emergency, and Normal changes.

982
MCQ · easy

Which of the following is a key performance indicator (KPI) for IT service management?

A. Revenue growth
B. Percentage of employees trained
C. Number of security incidents
D. Help desk first-call resolution rate
Answer: D

This measures how often issues are resolved on the first contact.

Why this answer

Help desk first-call resolution rate is a common KPI measuring efficiency and effectiveness of support services.

983
MCQ · hard

A company's availability monitoring shows that a critical application has an average MTBF of 720 hours and an average MTTR of 4 hours. What is the availability percentage?

A. 99.72%
B. 99.17%
C. 99.95%
D. 99.45%
Answer: D

Calculated as 720 / (720 + 4) ≈ 0.9945.

Why this answer

Availability = MTBF / (MTBF + MTTR) = 720 / (720 + 4) = 720 / 724 ≈ 0.994475, or 99.45%.

984
Multi-Select · medium

Which TWO of the following are key benefits of using a system development life cycle (SDLC) methodology? (Select exactly two.)

Select 2 answers
A. It provides a structured approach to system development
B. It ensures user requirements are captured and validated
C. It prevents any scope changes during development
D. It eliminates the need for security testing
E. It reduces the overall cost of development
Answers: A, B

SDLC defines phases and deliverables.

Why this answer

Options A and B are correct. A: SDLC provides structure and defined phases. B: SDLC includes user involvement, so requirements are captured and validated.

C is wrong because SDLC does not prevent scope changes; it helps manage them. D is wrong because SDLC does not eliminate security testing; it is not primarily a security-testing method. E is wrong because SDLC does not guarantee reduced cost and may increase upfront cost.
