Certified Information Systems Auditor CISA (CISA) — Questions 76150

509 questions total · 7 pages · All types, answers revealed

Question 76 (MCQ, easy)

A project manager is selecting a development methodology for a project with well-defined requirements and low uncertainty. Which methodology is most appropriate?

A. Waterfall
B. Agile
C. Rapid Application Development (RAD)
D. Spiral

Answer: A

Waterfall works well with well-defined, stable requirements and low uncertainty.

Why this answer

Waterfall is the most appropriate methodology for projects with well-defined requirements and low uncertainty because it follows a linear, sequential approach where each phase (requirements, design, implementation, verification, maintenance) must be completed before the next begins. This structure minimizes risk when requirements are stable and unlikely to change, ensuring thorough documentation and predictable outcomes. In contrast, iterative or adaptive methods would introduce unnecessary complexity and overhead for such a deterministic project.

Exam trap

The trap here is that candidates often assume Agile is always the 'modern' or 'best' choice, but the CISA exam tests the principle that methodology selection must match project characteristics—specifically, Waterfall is optimal when requirements are fixed and uncertainty is low, not when adaptability is needed.

How to eliminate wrong answers

Option B (Agile) is wrong because Agile is designed for projects with high uncertainty and evolving requirements, emphasizing iterative development and customer collaboration, which would be inefficient and over-engineered for well-defined, low-uncertainty projects. Option C (Rapid Application Development) is wrong because RAD relies on prototyping and iterative user feedback, which is suited for projects with unclear requirements or high user involvement, not for those with already stable and clear specifications. Option D (Spiral) is wrong because Spiral is a risk-driven model that incorporates iterative prototyping and risk analysis, making it ideal for large, complex, or high-risk projects, but unnecessary and overly complex for low-uncertainty, well-defined projects.

Question 77 (MCQ, medium)

An organization is implementing a custom ERP system. During user acceptance testing (UAT), critical bugs are found that affect core financial processing. The project sponsor suggests deploying the system on schedule and fixing bugs after go-live. What is the BEST course of action?

A. Delay go-live until all critical bugs are resolved and UAT is successfully completed
B. Go live as planned and fix bugs post-implementation
C. Accept the bugs with documented risk acceptance from management
D. Go live but include a rollback plan and deploy fixes immediately

Answer: A

UAT must be successfully completed before go-live for critical systems.

Why this answer

The correct answer is A because deploying an ERP system with unresolved critical bugs in core financial processing violates the fundamental principle of system integrity and accuracy. UAT must be successfully completed to validate that the system meets business requirements and processes financial transactions correctly; going live with known critical defects introduces unacceptable risk of financial misstatement, regulatory non-compliance, and data corruption. Delaying go-live ensures that all critical bugs are resolved and retested, preserving the reliability of financial data and audit trails.

Exam trap

The trap here is that candidates may confuse 'risk acceptance' (Option C) as a valid management decision, but in the context of critical financial processing bugs, ISACA standards require resolution before go-live because accepted risks cannot ensure the integrity of financial data and auditability.

How to eliminate wrong answers

Option B is wrong because going live as planned with known critical bugs in core financial processing directly contradicts the ISACA requirement that UAT must be successfully completed before production deployment; post-implementation fixes cannot guarantee data integrity for transactions processed in the interim. Option C is wrong because risk acceptance from management does not override the technical necessity of resolving critical bugs that affect financial processing accuracy; accepted risks still expose the organization to potential financial loss, audit failures, and regulatory penalties. Option D is wrong because including a rollback plan and deploying fixes immediately does not address the fact that critical bugs will corrupt financial data from the moment of go-live; rollback only restores the previous state, it does not prevent the initial corruption, and immediate fixes cannot retroactively correct already-processed transactions.

Question 78 (MCQ, medium)

During a system deployment, the above error occurs. What is the MOST likely cause?

A. Incorrect server name in connection string
B. Invalid password
C. Database service not running on the server
D. Firewall blocking the database port

Answer: D

A firewall may be blocking the default SQL Server port (1433), preventing the connection.

Why this answer

The error message (not shown but implied from context) typically indicates a network-level connectivity failure, such as 'cannot connect to server' or 'connection timed out'. A firewall blocking the database port (e.g., TCP 1433 for SQL Server, 3306 for MySQL, 1521 for Oracle) is the most likely cause because it prevents the application from establishing a TCP handshake with the database server, even if the server name, password, and database service are all correct.

Exam trap

The trap here is that candidates confuse a 'connection refused' error (service not running) with a 'timeout' error (firewall block), but CISA expects you to recognize that a firewall block produces no response, leading to a timeout, whereas a stopped service produces an immediate RST.

How to eliminate wrong answers

Option A is wrong because an incorrect server name in the connection string would produce a 'hostname not found' or 'unknown server' error, not a generic connectivity failure. Option B is wrong because an invalid password would result in an 'authentication failed' or 'login failed' error after the TCP connection is successfully established. Option C is wrong because if the database service is not running, the client would receive a 'connection refused' (RST) response from the server's TCP stack, which is a distinct error from a firewall block (no response or timeout).

Question 79 (Multi-select, easy)

Which TWO of the following are essential components of a disaster recovery plan (DRP)?

Select 2 answers
A. Steps for restoring IT systems
B. Detailed financial audit procedures
C. Employee performance reviews
D. List of critical contacts
E. Backup media rotation schedule

Answers: A, D

Restoration procedures are a core component of DRP.

Why this answer

Option A is correct because the primary purpose of a DRP is to restore IT systems and operations after a disaster. The plan must include step-by-step recovery procedures for critical systems, applications, and data to ensure business continuity. Without these steps, the DRP cannot guide the recovery team through the technical restoration process.

Exam trap

The trap here is that candidates often confuse operational procedures like backup rotation schedules (Option E) with the essential recovery-focused components of a DRP, but the DRP itself does not include the rotation schedule—it only references the use of backups.

Question 80 (MCQ, medium)

An organization is implementing a data loss prevention (DLP) solution. Which of the following is the BEST approach to minimize false positives while ensuring sensitive data is protected?

A. Encrypt all outbound emails containing any attachment.
B. Deploy exact file matching against a database of known sensitive documents.
C. Use contextual analysis including user roles and data classification.
D. Apply keyword matching to all outbound emails.

Answer: C

Contextual analysis reduces false positives by considering behavior and data sensitivity.

Why this answer

Contextual analysis (Option C) is the best approach because it reduces false positives by considering user roles, data classification, and behavioral patterns, ensuring that only genuinely risky data transfers are flagged. Unlike static methods, this dynamic analysis adapts to the organization's data governance policies, allowing legitimate business communications to proceed while still protecting sensitive information.

Exam trap

The trap here is that candidates often choose exact file matching (Option B) thinking it is the most precise, but they overlook its inability to handle data variations and its reliance on a static database, which leads to both false positives and false negatives in dynamic environments.

How to eliminate wrong answers

Option A is wrong because encrypting all outbound emails with attachments does not prevent data loss—it only protects data in transit, and it would generate massive false positives by treating all attachments as sensitive, including benign files. Option B is wrong because exact file matching against a database of known sensitive documents is too rigid; it cannot detect variations of sensitive data (e.g., modified versions or partial leaks) and would miss many real threats while still causing false positives if the database is incomplete. Option D is wrong because keyword matching to all outbound emails is prone to high false positives, as common words or phrases (e.g., 'confidential' in a non-sensitive context) trigger alerts, and it lacks the nuance to distinguish between legitimate and malicious use of sensitive terms.

Question 81 (MCQ, medium)

A business continuity plan (BCP) includes a tabletop exercise once a year. An IS auditor finds that the exercise only involves IT staff. Which of the following is the BEST recommendation?

A. Perform a failover test of the production environment
B. Increase the frequency of IT-only exercises
C. Invite business process owners to participate in future exercises
D. Include a data restoration test in the exercise

Answer: C

Business involvement is key for BCP effectiveness.

Why this answer

Option C is correct because exercises should include business units to validate integrated response. Option A is too narrow. Option B focuses on data, not participation. Option D tests technical skills but not coordination.

Question 82 (Multi-select, hard)

Which TWO of the following are indicators that an IS auditor may need to adjust the audit approach during fieldwork? (Select TWO.)

Select 2 answers
A. Inability to obtain sufficient appropriate audit evidence
B. Completion of the initial risk assessment
C. Audit team members are behind schedule
D. Management requests a change in audit scope
E. Higher than expected error rates in sample testing

Answers: A, E

May require alternative procedures or audit approach.

Why this answer

Option A is correct because if the IS auditor cannot obtain sufficient appropriate audit evidence, the audit approach must be adjusted—for example, by expanding sample sizes, using alternative procedures, or re-evaluating the reliance on controls. This directly impacts the ability to form an audit opinion and is a key fieldwork trigger per ISACA audit standards.

Exam trap

ISACA often tests the distinction between project management issues (like being behind schedule) and substantive audit evidence issues; candidates mistakenly select 'behind schedule' as a reason to adjust the audit approach, but it is a resource or timing problem, not a validity-of-evidence trigger.

Question 83 (MCQ, medium)

An organization is evaluating a vendor for a custom application development. The vendor states they are assessed at CMMI Level 2 (Managed). Which of the following best describes the implication of this rating?

A. The vendor's processes are defined and tailored from organization-wide standards.
B. The vendor's processes are continuously improved through quantitative feedback.
C. The vendor has a quantitatively managed process with statistical control.
D. The vendor's projects have a basic project management process that is planned and executed.

Answer: D

CMMI Level 2 (Managed) indicates that projects have established basic project management processes that are planned, performed, measured, and controlled.

Why this answer

CMMI Level 2 (Managed) indicates that the vendor has established basic project management processes to plan, execute, monitor, and control projects. This means projects are managed according to documented plans, with defined requirements, project planning, and configuration management, but processes are not yet standardized across the organization. Option D correctly captures this foundational level of process maturity.

Exam trap

The trap here is confusing CMMI Level 2 (Managed) with Level 3 (Defined) or Level 4 (Quantitatively Managed), leading candidates to select options that describe higher maturity levels where processes are standardized or statistically controlled.

How to eliminate wrong answers

Option A is wrong because it describes CMMI Level 3 (Defined), where processes are standardized and tailored from organization-wide standards, not Level 2. Option B is wrong because it describes CMMI Level 5 (Optimizing), where processes are continuously improved through quantitative feedback and innovation. Option C is wrong because it describes CMMI Level 4 (Quantitatively Managed), where processes are measured and controlled using statistical and quantitative techniques.

Question 84 (MCQ, hard)

An organization is adopting agile development methodology. Which control is MOST critical to ensure security is integrated?

A. Penetration testing before release
B. Including security stories in the product backlog
C. Code reviews after each sprint
D. Security requirements defined at project initiation

Answer: B

Security stories ensure security is addressed in each iteration.

Why this answer

In agile development, security must be continuously integrated into each iteration. Including security stories in the product backlog ensures that security tasks are prioritized, estimated, and addressed during each sprint, making security an inherent part of the development lifecycle rather than an afterthought. This aligns with the principle of 'shifting left' on security, where controls are applied as early as possible.

Exam trap

The trap here is that candidates often choose 'Security requirements defined at project initiation' (Option D) because it sounds like early planning, but in agile, requirements must be continuously refined and added to the backlog, not locked in at the start.

How to eliminate wrong answers

Option A is wrong because penetration testing before release is a point-in-time validation that occurs late in the cycle and does not ensure security is integrated throughout development; it can miss vulnerabilities introduced after the test. Option C is wrong because code reviews after each sprint, while valuable for quality, are reactive and may not cover all security aspects (e.g., architecture, threat modeling) that need to be planned as backlog items. Option D is wrong because security requirements defined only at project initiation are static and do not adapt to evolving threats or changes in agile iterations; they must be continuously refined and added as backlog items.

Question 85 (MCQ, easy)

A company is developing a custom application. During the requirements phase, the project manager documents that the system must encrypt all sensitive data at rest. Which of the following is the BEST control to ensure this requirement is met throughout the development lifecycle?

A. Perform static code analysis on the final code.
B. Create a requirements traceability matrix (RTM).
C. Conduct a post-implementation security review.
D. Deploy a database activity monitoring tool.

Answer: B

RTM ensures encryption requirement is addressed in design, testing, and deployment.

Why this answer

A requirements traceability matrix (RTM) links each requirement to corresponding design, development, and testing artifacts. By mapping the encryption-at-rest requirement to specific code modules, configuration settings, and test cases, the RTM ensures that the control is implemented and verified at every stage of the lifecycle, not just at the end. This makes it the best proactive control for continuous compliance throughout development.

Exam trap

The trap here is that candidates often choose static code analysis (A) because it seems technical and security-focused, but they overlook that it only checks the final code and cannot enforce lifecycle-wide traceability of requirements.

How to eliminate wrong answers

Option A is wrong because static code analysis only checks the final source code for vulnerabilities, but it cannot verify that the encryption requirement was consistently addressed during design, implementation, and testing phases; it is a point-in-time check. Option C is wrong because a post-implementation security review occurs after deployment, which is too late to ensure the requirement was met throughout the development lifecycle; it is reactive, not preventive. Option D is wrong because a database activity monitoring tool monitors runtime access and queries, but it does not enforce or verify that encryption-at-rest is implemented correctly in the application code or database schema during development.

Question 86 (MCQ, easy)

Which of the following is the BEST control to ensure that system changes are authorized?

A. Change advisory board approval
B. Audit trail of all changes
C. Segregation of duties between developers and operators
D. Version control system

Answer: A

The CAB formally authorizes changes based on impact assessment.

Why this answer

The change advisory board (CAB) is the primary control for authorizing system changes because it provides a formal, documented approval process before any change is implemented. This ensures that changes are reviewed by stakeholders with appropriate authority, reducing the risk of unauthorized or poorly planned modifications. Without CAB approval, there is no definitive authorization step, making it the best control for ensuring authorization.

Exam trap

The trap here is that candidates often confuse detective controls (audit trails) or technical controls (version control) with the governance-based authorization control (CAB approval), leading them to select a control that records or manages changes rather than one that formally authorizes them.

How to eliminate wrong answers

Option B is wrong because an audit trail of all changes is a detective control that records changes after they occur, not a preventive control that ensures authorization beforehand. Option C is wrong because segregation of duties between developers and operators is a control to prevent unauthorized changes from being implemented without oversight, but it does not directly ensure that changes are authorized by a governing body. Option D is wrong because a version control system is a technical tool for managing code versions and tracking changes, but it does not enforce or verify that a change has been formally authorized by a decision-making group like the CAB.

Question 87 (MCQ, medium)

Based on the exhibit, what is the MOST likely security risk?

A. The web server is fully protected
B. Traffic to port 80 is not encrypted
C. Unrestricted traffic is allowed after the specific deny
D. The host 192.168.1.100 is exposed to denial-of-service attacks

Answer: C

The permit any any allows all traffic, making the deny ineffective.

Why this answer

Option C is correct because the 'permit ip any any' at the end allows all traffic, bypassing earlier specific denials. Option A is not correct because the deny line only blocks other traffic, but the permit any any overrides it. Option B is not directly indicated. Option D is a risk but less direct than the rule order issue.

Question 88 (MCQ, hard)

Scenario: A mid-sized manufacturing company has recently experienced a significant IT outage that halted production for 8 hours. The root cause was a failed firmware update on a core switch that was performed outside the change management process by a senior network engineer who claimed the update was urgent to patch a critical vulnerability. The company has a well-documented change management policy that requires all changes to be reviewed by the change advisory board (CAB) before implementation, except for emergency changes which require post-implementation review within 48 hours. The engineer did not follow the emergency change process; he implemented the update directly. The IT director wants to prevent such incidents in the future. Which of the following is the BEST action?

A. Implement automatic firmware updates to eliminate human error.
B. Increase the frequency of CAB meetings to weekly to expedite change approvals.
C. Enforce the change management policy by implementing stricter controls and disciplinary measures for non-compliance.
D. Remove the network engineer's administrative access to all network devices.

Answer: C

Enforcing existing policy with consequences ensures adherence.

Why this answer

Option C is correct because the root cause was a deliberate bypass of the existing change management policy, not a flaw in the policy itself. Enforcing stricter controls and disciplinary measures directly addresses the human factor by reinforcing accountability and deterring unauthorized changes, which is the most effective way to prevent recurrence when a well-documented process is already in place but ignored.

Exam trap

The trap here is that candidates often choose technical controls (like automatic updates or removing access) instead of recognizing that the fundamental issue is a governance failure—the policy exists but was not enforced, so the best action is to strengthen enforcement and accountability, not to add or remove technical capabilities.

How to eliminate wrong answers

Option A is wrong because implementing automatic firmware updates would remove human oversight entirely, potentially causing widespread outages if a faulty update is pushed without testing or CAB review, and it does not address the policy violation. Option B is wrong because increasing CAB meeting frequency does not solve the core issue of an engineer bypassing the process; the emergency change process already exists for urgent patches, so the problem is non-compliance, not approval speed. Option D is wrong because removing the network engineer's administrative access is an overly punitive and impractical measure that could hinder legitimate emergency responses; it does not enforce the existing change management process and may violate the principle of least privilege by eliminating necessary access for a qualified engineer.

Question 89 (MCQ, medium)

You are an IS auditor for a financial institution that processes credit card payments. The organization uses a key management system (KMS) to store encryption keys for point-of-sale (POS) data. The KMS is a hardware security module (HSM) located in a secured data center. The audit reveals that the HSM is administered by two individuals who both have full access to the HSM, including the ability to export keys. The organization has a policy requiring split knowledge and dual control for key management, but in practice, the two administrators often perform key ceremonies alone due to scheduling conflicts. The logs show that one administrator exported a key last month without the other present, and the export was approved via email by the other administrator after the fact. Which of the following is the BEST corrective action?

A. Reduce the number of administrators to one to simplify accountability
B. Configure the HSM to require two administrators to be physically present for key exports
C. Provide training to administrators on the importance of dual control
D. Implement automated key rotation every 90 days

Answer: B

Technical enforcement ensures dual control.

Why this answer

The HSM must enforce split knowledge and dual control at the technical level, not rely on procedural compliance. By configuring the HSM to require two administrators to be physically present for key exports, the organization ensures that no single individual can export keys, directly addressing the policy violation and the log evidence of a solo export. This technical control is the most effective corrective action because it prevents the bypass of dual control even if administrators attempt to circumvent procedures.

Exam trap

The trap here is that candidates may choose training (Option C) as a quick fix, overlooking that the root cause is a lack of technical enforcement, not a lack of awareness.

How to eliminate wrong answers

Option A is wrong because reducing to one administrator eliminates split knowledge entirely, violating the core security principle and increasing the risk of key compromise. Option C is wrong because training alone does not enforce compliance; the administrators already know the policy but bypass it due to scheduling conflicts, so a technical control is needed. Option D is wrong because automated key rotation does not address the lack of dual control during key exports; it only changes keys periodically, leaving the export vulnerability unmitigated.

Question 90 (MCQ, hard)

A company is migrating its customer database to a public cloud provider. Which of the following encryption strategies best protects data while minimizing performance impact on queries?

A. Encrypt the entire database at rest using AES-256, and decrypt for each query.
B. Encrypt the database at the application layer before storage.
C. Use column-level encryption and tokenization for sensitive fields.
D. Rely on the cloud provider's default encryption for the storage.

Answer: C

This minimizes performance impact by encrypting only sensitive columns and using tokens for efficient lookups.

Why this answer

Option C is correct because column-level encryption and tokenization allow sensitive fields (e.g., SSNs, credit card numbers) to be protected while leaving non-sensitive columns unencrypted, preserving query performance on indexed and frequently queried data. Tokenization replaces sensitive values with non-sensitive placeholders, enabling joins and lookups without decryption overhead, and column-level encryption limits decryption to only the required fields per query.

Exam trap

The trap here is that candidates assume full-database encryption (Option A) is the most secure and thus the best choice, overlooking the critical requirement to minimize performance impact on queries, which column-level encryption and tokenization directly address by avoiding unnecessary decryption of non-sensitive data.

How to eliminate wrong answers

Option A is wrong because encrypting the entire database at rest and decrypting for each query would impose massive decryption overhead on every read operation, severely degrading query performance and defeating the purpose of a production database. Option B is wrong because application-layer encryption before storage means the database cannot index or query the encrypted data efficiently; any search or filter on encrypted fields would require full table scans and client-side decryption, making queries impractical. Option D is wrong because relying solely on the cloud provider's default encryption (typically server-side encryption at rest) protects data on disk but does not protect data in use or in transit, and it does not address the need to minimize performance impact on queries—default encryption adds no query-time overhead but also provides no granular control over sensitive fields.

Question 91 (MCQ, medium)

A healthcare organization is required to comply with HIPAA regulations for protecting electronic protected health information (ePHI). The organization uses a cloud-based electronic health record (EHR) system. During a compliance audit, it is discovered that some employees are accessing patient records without a legitimate business need. The EHR system logs all access, but there is no automated process to review logs or detect anomalous behavior. The organization has implemented role-based access control (RBAC) and requires strong passwords, but unauthorized access continues. The IT manager proposes implementing a security information and event management (SIEM) system to collect and correlate logs. However, the budget is limited. Which additional control would be most cost-effective to reduce unauthorized access to patient records?

A. Conducting a quarterly review of user access rights and removing unnecessary privileges
B. Encrypting all ePHI at rest and in transit
C. Increasing the logging level to capture every keystroke
D. Implementing user behavior analytics (UBA) on the EHR access logs

Answer: D

UBA detects anomalous behavior without manual review.

Why this answer

User behavior analytics (UBA) is the most cost-effective control because it directly addresses the core issue: unauthorized access by insiders. UBA applies machine learning to EHR access logs to establish baselines of normal user behavior and detect anomalous patterns (e.g., accessing records outside work hours or from unusual locations) without requiring manual log review. This provides automated, real-time detection of the specific unauthorized access incidents that are occurring, which the current logging system alone cannot provide.

Exam trap

The trap here is that candidates often choose encryption (Option B) as a catch-all security control, but encryption does not address the insider threat of authorized users abusing their access—it only protects data from external interception or theft.

How to eliminate wrong answers

Option A is wrong because a quarterly review of user access rights is a periodic, manual process that cannot detect or prevent unauthorized access in real time; it only addresses privilege creep, not the immediate misuse of valid credentials. Option B is wrong because encryption protects data confidentiality during storage and transmission but does nothing to prevent authenticated users from accessing records they are not authorized to view; it is a perimeter control, not an insider threat control. Option C is wrong because increasing logging to capture every keystroke would generate massive volumes of data, overwhelm storage and analysis capabilities, and still require manual review or automated analysis to detect anomalies—it does not solve the detection gap and is not cost-effective.

Question 92 (MCQ, easy)

A company's security policy requires that all laptops have full disk encryption. During an audit, it is discovered that several laptops have encryption enabled but the recovery keys are stored on the local drive. What is the MOST significant risk?

A. Performance degradation due to encryption overhead.
B. Unauthorized access to encrypted data.
C. Recovery keys can be used to bypass encryption.
D. Data corruption during encryption process.

Answer: C

Local storage of keys allows attackers to decrypt data easily.

Why this answer

Storing recovery keys on the local drive defeats the purpose of full disk encryption (FDE). If an attacker gains physical access to the laptop, they can simply boot an alternate OS or mount the drive and read the recovery key file, then use it to unlock the encrypted volume. This bypasses the encryption entirely, making the data vulnerable to unauthorized access despite encryption being enabled.

Exam trap

The trap here is that candidates confuse 'encryption enabled' with 'data protected' and pick Option B (unauthorized access) without recognizing that the recovery key on the local drive is the direct mechanism that enables that access, making Option C the root cause and most significant risk.

How to eliminate wrong answers

Option A is wrong because modern FDE solutions (e.g., BitLocker with AES-NI hardware acceleration) have negligible performance impact; encryption overhead is not the primary risk. Option B is wrong because unauthorized access to encrypted data is the ultimate consequence, but the direct risk is that the recovery key itself enables that access; the question asks for the most significant risk, which is the key exposure. Option D is wrong because data corruption during encryption is rare and typically mitigated by pre-encryption checks and journaling; it is not the most significant risk compared to key compromise.

93
MCQ · medium

During an audit of an organization's disaster recovery plan (DRP), the IS auditor finds that the plan was last tested 18 months ago and no test results were documented. What should the auditor recommend?

A.Test the DRP semiannually
B.Document the results of all past tests
C.Conduct a DRP test and document the results within the next quarter
D.Assign responsibility for DRP testing to the IT manager
Answer: C

Immediate testing and documentation address the gap.

Why this answer

Option C is correct because a recent test with documented results provides assurance. Option A is incorrect because testing frequency should be based on risk, not necessarily semiannual. Option B is wrong because the recommendation should address the lack of testing and documentation.

Option D is incorrect because that is management's role; the auditor recommends.

94
MCQ · hard

A multinational corporation has implemented a hot site disaster recovery solution for its critical financial applications. Which of the following is the MOST important consideration to ensure the effectiveness of the hot site?

A.Data replication latency is less than 15 minutes
B.The hot site is located in a different seismic zone
C.The hot site complies with regional data privacy regulations
D.Regular, documented testing of the failover process is performed
Answer: D

Testing is the only way to verify that the hot site will work when needed, including all technical and procedural aspects.

Why this answer

Option D is correct because without regular testing, the hot site may not function as expected. Options A, B, and C are important but secondary: A is part of planning, B is operational, C is compliance but not the most critical for effectiveness.

95
Drag & Drop · medium

Arrange the steps to set up a virtual private network (VPN) for remote access in the correct order.

Why this order

VPN setup: server configuration, user provisioning, client installation, connection testing, and monitoring.

96
MCQ · easy

An organization is implementing a data loss prevention (DLP) solution. Which of the following is the MOST important step to ensure the DLP rules are effective?

A.Classify data based on sensitivity
B.Encrypt all data at rest
C.Establish an incident response team
D.Create user awareness training
Answer: A

Classification allows DLP to accurately identify and protect sensitive data.

Why this answer

Data classification is the foundational step for effective DLP rules because it defines which data is sensitive and how it should be handled. Without classification, DLP policies cannot accurately identify or enforce rules on sensitive content, leading to false positives or missed detections. Classification enables the DLP system to apply context-aware rules (e.g., regex patterns for PII, keywords for confidential documents) that align with the organization's data governance requirements.

Exam trap

The trap here is that candidates often choose user awareness training (Option D) as the most important step, confusing human behavior controls with the technical prerequisite of data classification for DLP rule accuracy.

How to eliminate wrong answers

Option B is wrong because encrypting all data at rest protects confidentiality but does not control data in use or in motion, and DLP rules require visibility into content to detect policy violations; encryption can actually blind DLP inspection if not implemented with decryption capabilities. Option C is wrong because an incident response team handles post-event remediation, not the proactive enforcement of DLP rules; it is a supporting function, not the most important step for rule effectiveness. Option D is wrong because user awareness training reduces accidental data leaks but does not define the technical criteria (e.g., data patterns, tags) that DLP rules need to operate; training complements but cannot replace data classification.

97
MCQ · medium

An IT governance framework has been implemented, but the board is not receiving regular reports on IT performance. Which of the following is the BEST course of action?

A.Conduct an IT risk assessment to identify critical areas.
B.Develop a dashboard that presents key IT metrics to the board.
C.Implement an IT balanced scorecard that aligns with corporate strategy.
D.Assign a chief information officer (CIO) to report directly to the board.
Answer: B

A dashboard facilitates regular reporting and board oversight.

Why this answer

Option A is correct because a dashboard provides a concise, regular view of key metrics for the board. Option B may help but does not directly address reporting. Option C is a broader initiative.

Option D focuses on risk, not reporting.

98
MCQ · easy

During a security audit, which rule poses the greatest risk?

A.Rule 20
B.Rule 30
C.None of the rules pose a risk
D.Rule 10
Answer: B

Rule 30 allows SSH from any source, posing a high risk.

Why this answer

Rule 30 is the correct answer because it is a default Cisco IOS access control list (ACL) entry that implicitly denies all IP traffic. In a security audit, an implicit deny rule at the end of an ACL poses the greatest risk if it is not explicitly configured, as it can block legitimate traffic without the administrator's awareness, leading to unintended network outages or security gaps. This risk is highest when the ACL is applied to a critical interface without a preceding permit statement for required services.

Exam trap

The trap here is that candidates often focus on the explicit rules (Rule 10 or Rule 20) and overlook the hidden implicit deny rule, which is the most dangerous because it can silently block all traffic if not accounted for.

How to eliminate wrong answers

Option A is wrong because Rule 20, if it exists in the ACL, is typically a permit or deny statement for a specific protocol or host; while it could be misconfigured, it does not inherently pose the greatest risk as it is explicit and can be reviewed. Option C is wrong because ACL rules, especially implicit deny, always pose a risk if not properly managed; stating 'none pose a risk' ignores the fundamental security principle of least privilege and the potential for blocking critical traffic. Option D is wrong because Rule 10, like Rule 20, is an explicit entry; its risk is limited to its specific match criteria and does not represent the systemic risk of an unmonitored implicit deny at the end of the ACL.

99
Multi-Select · hard

A company is developing a new financial application. Which THREE of the following are valid reasons to involve internal audit during the development phase?

Select 3 answers
A.To ensure compliance with regulatory requirements
B.To design the application architecture
C.To validate that security controls are built in
D.To approve all user requirements
E.To provide guidance on internal controls
Answers: A, C, E

Audit can review regulatory requirements and confirm they are addressed.

Why this answer

Options A, C, and E are correct because internal audit can provide assurance on compliance, internal controls, and security. Option B is incorrect because designing architecture is not an audit function. Option D is incorrect because approving requirements is a management responsibility.

100
Multi-Select · easy

During the system development life cycle (SDLC), which THREE of the following are recognized benefits of involving internal audit early in the process?

Select 3 answers
A.Reduced need for future independent audits.
B.Lower cost of implementing controls due to early design changes.
C.Reduction in the number of system tests required.
D.Identification of potential control weaknesses before they are ingrained.
E.Enhanced assurance that controls are embedded in the system design.
Answers: B, D, E

Early changes are cheaper.

Why this answer

Option B is correct because involving internal audit early in the SDLC allows control requirements to be identified and designed into the system from the start, avoiding costly retrofits. Implementing controls during the design phase is significantly cheaper than adding them after development or deployment, as changes to code, architecture, or configuration are less disruptive and require less rework.

Exam trap

The trap here is that candidates may confuse 'reduced need for future audits' (a false benefit) with 'enhanced assurance' (a real benefit), or assume that early audit involvement reduces testing effort, when in fact it may increase the scope of validation to ensure controls are properly designed and implemented.

101
MCQ · easy

A company is designing its backup strategy for a critical database that must be available 24/7. The database experiences high transaction volumes. Which backup method minimizes data loss while allowing continuous operations?

A.Offline full backup performed weekly
B.Differential backup performed daily
C.Online backup with transaction log backups
D.Full backup performed during low-usage periods
Answer: C

Online backups run while the database is active, and transaction logs allow point-in-time recovery with minimal data loss.

Why this answer

Online backup with transaction log backups (Option C) is correct because it allows the database to remain fully operational (24/7 availability) while capturing every committed transaction in the transaction log. In the event of a failure, you can restore the most recent full backup and then apply all subsequent transaction log backups to recover to the exact point of failure, minimizing data loss to only uncommitted transactions.

Exam trap

The trap here is that candidates often confuse 'differential backup' with 'transaction log backup,' assuming differential backups provide the same granularity of recovery, when in fact differentials only capture cumulative changes since the last full backup and cannot restore to an arbitrary point in time.

How to eliminate wrong answers

Option A is wrong because an offline full backup performed weekly requires taking the database offline, which violates the 24/7 availability requirement, and a weekly full backup alone would result in up to a week of potential data loss. Option B is wrong because a differential backup captures all changes since the last full backup but does not capture every individual transaction; it still requires a full backup and can lose all changes made since the last differential backup, which could be up to 24 hours of data. Option D is wrong because a full backup performed during low-usage periods still requires taking the database offline (or at least putting it in a consistent state), which disrupts continuous operations, and it does not provide point-in-time recovery granularity.

102
MCQ · hard

During an incident, the IT team identifies that a critical patch was not applied due to an expired software maintenance contract. Which of the following is the BEST long-term remediation?

A.Renew the maintenance contract
B.Apply the patch immediately
C.Isolate the affected system
D.Implement a vulnerability management program
Answer: D

Correct: A formal program ensures patches are timely and contracts are monitored.

Why this answer

A vulnerability management program ensures systematic identification and remediation of missing patches, addressing the root cause. Immediate patching and isolation are tactical; renewing the contract is necessary but not a process improvement.

103
MCQ · hard

An organization is implementing a business continuity plan (BCP) and needs to determine the maximum acceptable downtime for a critical system. Which metric should be defined FIRST?

A.Recovery Time Objective (RTO)
B.Mean Time to Repair (MTTR)
C.Recovery Point Objective (RPO)
D.Service Level Agreement (SLA)
Answer: A

Correct: RTO is the primary metric for downtime tolerance.

Why this answer

RTO defines the maximum acceptable downtime; it is the foundational metric for recovery planning. RPO, MTTR, and SLA are defined later or are contractual.

104
MCQ · medium

A company's backup policy requires daily full backups to tape and offsite storage. After a ransomware attack, the IT team discovers that the latest backup set is corrupted. Which of the following controls would have BEST prevented this?

A.Implementation of immutable backup storage
B.Encryption of backup tapes
C.Periodic restoration testing
D.Journaling of backup logs
Answer: A

Correct: Immutability prevents alteration, protecting backup integrity.

Why this answer

Immutable backup storage ensures backups cannot be altered or deleted, preventing corruption from ransomware. Encryption protects confidentiality, not integrity; logging detects but does not prevent; restoration testing detects corruption after the fact.

105
MCQ · easy

An organization has implemented a balanced scorecard (BSC) for IT performance measurement. Which of the following is the PRIMARY benefit of using a BSC?

A.It simplifies the IT budgeting process.
B.It ensures IT metrics are aligned with business strategy.
C.It automates data collection for IT metrics.
D.It provides a single financial metric for IT performance.
Answer: B

BSC translates strategy into operational metrics.

Why this answer

Option B is correct because the balanced scorecard aligns IT metrics with business strategy across multiple perspectives. Option A is incorrect because BSC includes non-financial metrics. Option C is not the primary benefit; BSC does not simplify budgeting.

Option D is not correct; data collection is not automated by BSC.

106
Multi-Select · medium

Which TWO of the following are key activities in the system design phase of the SDLC?

Select 2 answers
A.Defining system architecture
B.Writing unit tests
C.Performing user acceptance testing
D.Developing data flow diagrams
E.Gathering business requirements
Answers: A, D

Defining the system architecture and developing data flow diagrams are design-phase activities.

Why this answer

Defining system architecture is a key activity in the system design phase because it establishes the high-level structure of the system, including hardware, software, network components, and their interactions. This blueprint guides subsequent detailed design and implementation, ensuring alignment with functional and non-functional requirements. Without a defined architecture, the system risks integration failures and scalability issues.

Exam trap

The trap here is that candidates often confuse the system design phase with later phases like testing or earlier phases like requirements gathering, leading them to select activities such as writing unit tests or gathering business requirements as design-phase tasks.

107
MCQ · easy

During a security audit, it was found that users in the finance department have unnecessary access to HR payroll data. Which access control principle has been violated?

A.Mandatory access control
B.Least privilege
C.Separation of duties
D.Need to know
Answer: B

Least privilege requires that users have only the minimum access necessary to perform their job functions.

Why this answer

The least privilege principle dictates that users should be granted only the minimum permissions necessary to perform their job functions. In this scenario, finance department users have unnecessary access to HR payroll data, directly violating this principle by providing more access than required.

Exam trap

The trap here is confusing 'least privilege' with 'need to know' — need to know is a subset of least privilege that focuses on data classification, but the question explicitly describes unnecessary access to a different department's data, making least privilege the broader and correct violation.

How to eliminate wrong answers

Option A is wrong because mandatory access control (MAC) is a system-enforced policy based on labels and clearances, not a principle about minimizing user permissions; the violation here is about excessive access, not label mismatches. Option C is wrong because separation of duties ensures no single user can complete a critical task alone (e.g., initiating and approving a payment), which is unrelated to having unnecessary access to another department's data. Option D is wrong because need to know restricts access to specific data required for a task, but it is a subset of least privilege; the core principle violated here is least privilege, as the users have access they do not need at all.

108
MCQ · medium

A company decides to outsource the development of a customer portal. Which of the following is the MOST critical control to include in the contract?

A.Service level agreements
B.Fixed price clause
C.Non-disclosure agreement
D.Termination for convenience clause
Answer: A

SLAs specify measurable performance targets and remedies for non-compliance, directly impacting business operations.

Why this answer

Service level agreements (SLAs) are the most critical control because they define measurable performance targets (e.g., uptime, response time, throughput) for the outsourced customer portal. Without enforceable SLAs, the company has no contractual mechanism to ensure the portal meets availability and responsiveness requirements, directly impacting customer experience and business operations.

Exam trap

The trap here is that candidates often choose the non-disclosure agreement (NDA) thinking data protection is paramount, but the question asks for the MOST critical control in a development contract, where performance and availability (via SLAs) are more directly tied to project success.

How to eliminate wrong answers

Option B (Fixed price clause) is wrong because it only controls cost, not quality, security, or performance; a fixed price can incentivize the vendor to cut corners on development and testing. Option C (Non-disclosure agreement) is wrong because while it protects confidential information, it does not address the operational performance or delivery of the portal itself. Option D (Termination for convenience clause) is wrong because it allows the company to exit the contract but does not ensure the portal is built correctly or meets requirements during the development lifecycle.

109
MCQ · medium

A company is replacing its legacy on-premises ERP system with a cloud-based SaaS solution. The project manager is concerned about data migration risks. Which of the following is the BEST approach to mitigate data integrity issues during migration?

A.Perform data validation after migration
B.Use data transformation tools to convert formats
C.Implement data reconciliation reports post-migration
D.Run parallel processing and compare outputs
Answer: D

Parallel processing enables side-by-side verification of outputs from the legacy and new systems.

Why this answer

Option D is correct because running parallel processing allows the legacy and new SaaS systems to operate simultaneously, enabling real-time comparison of outputs. This approach directly validates data integrity by detecting discrepancies during migration, not after, which is critical for ERP systems where transactional accuracy is paramount.

Exam trap

The trap here is that candidates often choose post-migration validation or reconciliation (options A or C) because they seem practical, but the CISA exam emphasizes proactive controls during migration (parallel processing) over detective controls after the fact.

How to eliminate wrong answers

Option A is wrong because performing data validation only after migration introduces a delay in detecting errors, potentially allowing corrupted data to propagate into the new system without immediate correction. Option B is wrong because data transformation tools address format conversion but do not inherently verify that the transformed data retains its original meaning, relationships, or business rules, which is the core of integrity. Option C is wrong because reconciliation reports generated post-migration are reactive; they identify discrepancies after the fact but do not prevent or catch errors during the migration process itself, unlike parallel processing which provides continuous validation.

110
MCQ · hard

During an incident response exercise, the IT team discovers that the failover to the disaster recovery (DR) site failed because the DR site's storage area network (SAN) was not zoned correctly for the replicated data. Which of the following controls would BEST prevent this issue?

A.Maintaining a configuration management database (CMDB)
B.Implementing a change management process for SAN configurations
C.Using automated replication monitoring tools
D.Conducting regular disaster recovery testing including full failover
Answer: D

Regular testing validates that all components work together, including SAN zoning.

Why this answer

Option D is correct because regular disaster recovery testing that includes a full failover is the only control that directly validates that the DR site's SAN zoning is correctly configured to accept replicated data. Without such testing, misconfigurations like incorrect zone sets or missing WWPN (World Wide Port Name) mappings in the SAN fabric remain undetected until an actual failover is attempted. This aligns with the CISA emphasis on testing recovery procedures to ensure business continuity.

Exam trap

The trap here is that candidates often choose 'implementing a change management process' (Option B) because they assume process controls prevent misconfigurations, but they overlook that change management does not validate the actual technical correctness of the configuration—only testing (Option D) can confirm that the DR site's SAN zoning works under failover conditions.

How to eliminate wrong answers

Option A is wrong because a CMDB is a repository for configuration items and their relationships; it does not actively prevent SAN zoning misconfigurations or validate that the DR site's SAN is correctly zoned for replication. Option B is wrong because a change management process for SAN configurations ensures changes are authorized and documented, but it does not guarantee that the resulting zoning is correct for replication or that the DR site's SAN will accept replicated data during failover. Option C is wrong because automated replication monitoring tools can detect replication failures or latency, but they cannot identify a zoning misconfiguration that prevents the DR site from accepting replicated data; they only report on the replication status, not the underlying SAN fabric configuration.

111
MCQ · hard

Refer to the exhibit. During a penetration test, a security analyst captures this SAML response. Which of the following security weaknesses is most evident?

A.The name identifier format is inappropriate
B.The session is too short
C.The assertion is not encrypted
D.The authentication context is weak
Answer: C

Correct. The assertion is in plaintext, which could allow an attacker to read or modify the SAML response if not protected by TLS.

Why this answer

The SAML response shows the assertion is sent in plaintext (no xenc:EncryptedData element), meaning the authentication assertion is not encrypted. This allows an attacker who intercepts the SAML response to extract the assertion and reuse it in a replay or impersonation attack, violating the confidentiality requirement for sensitive authentication tokens.

Exam trap

The trap here is that candidates focus on the authentication context or session duration as potential weaknesses, but the most evident vulnerability is the complete lack of assertion encryption, which is a direct violation of SAML security best practices and a common finding in penetration tests.

How to eliminate wrong answers

Option A is wrong because the NameID format (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress) is a standard and appropriate format for identifying the user by email; there is no evidence of a mismatch or misuse. Option B is wrong because the session duration (SessionNotOnOrAfter) is set to 2025-10-22T14:21:38Z, which is a reasonable length (e.g., 8 hours from issuance) and not inherently a security weakness; the issue is lack of encryption, not session length. Option D is wrong because the authentication context (AuthnContextClassRef) references a password-based mechanism (urn:oasis:names:tc:SAML:2.0:ac:classes:Password), which is a valid and common strength; the weakness is not in the authentication method but in the unprotected assertion.

112
Multi-Select · medium

Which TWO of the following are key controls for ensuring data privacy during system development?

Select 2 answers
A.Using real customer data for testing
B.Encrypting stored data
C.Disabling audit logs during development
D.Allowing developers unlimited access to production data
E.Data masking in test environments
Answers: B, E

Encryption provides a strong control to protect sensitive data at rest.

Why this answer

Encrypting stored data (Option B) is a key control for ensuring data privacy because it renders the data unreadable without the correct decryption key, protecting it from unauthorized access even if the storage medium is compromised. This aligns with data-at-rest protection requirements under regulations like GDPR and PCI DSS, and is a fundamental security control during system development to prevent exposure of sensitive information.

Exam trap

The trap here is that candidates may confuse 'data masking' with 'anonymization' and overlook its role as a key privacy control, or mistakenly think that using real data in test environments is acceptable if it is 'just for testing,' ignoring regulatory and ethical requirements.

113
MCQ · hard

An organization is implementing a data retention policy for personally identifiable information (PII) to comply with GDPR. Which of the following is the MOST appropriate approach?

A.Delete PII as soon as it is collected
B.Anonymize PII after a fixed period and retain indefinitely
C.Retain PII indefinitely for historical analysis
D.Define retention periods based on legal and business requirements and securely delete after
Answer: D

GDPR mandates that data be kept no longer than necessary; defined retention periods with secure deletion ensure compliance.

Why this answer

Option D is correct because GDPR mandates that PII must not be kept longer than necessary for the purpose for which it was collected. Defining retention periods based on legal and business requirements ensures compliance with the storage limitation principle (Article 5(1)(e)), and secure deletion (e.g., using cryptographic erasure or overwriting with tools like shred on Linux) prevents unauthorized recovery. This approach balances regulatory compliance with operational needs.

Exam trap

The trap here is that candidates may confuse 'anonymization' (Option B) as a safe harbor for indefinite retention, but GDPR requires that anonymization be irreversible and that the retained data serve a legitimate purpose, not just be kept indefinitely without justification.

How to eliminate wrong answers

Option A is wrong because deleting PII immediately upon collection would violate legitimate business and legal requirements (e.g., tax records or contractual obligations) that necessitate retention for a defined period. Option B is wrong because anonymization after a fixed period may comply with GDPR if irreversible, but retaining anonymized data indefinitely still poses re-identification risks (e.g., via linkage attacks) and violates the principle of data minimization if no business need exists. Option C is wrong because retaining PII indefinitely for historical analysis violates GDPR's storage limitation principle unless the data is anonymized and the purpose is compatible with the original collection; indefinite retention of PII without a legal basis exposes the organization to fines and breach risks.

114
Multi-Select · medium

Which TWO of the following are key components of an IT governance framework? (Choose two.)

Select 2 answers
A.Configuration management database
B.Performance measurement
C.Vulnerability assessment results
D.Strategic alignment of IT with business
E.Firewall rules
Answers: B, D

Measuring IT performance is essential for governance.

Why this answer

Correct answers: A and D. Both are core governance elements. Option B is operational, not governance.

Option C is a specific control. Option E is risk management, which is part of governance but not a framework component itself; frameworks include processes like risk management.

115
MCQ · easy

During user acceptance testing, a user with the above permission set cannot execute a fund transfer. What is the MOST likely reason?

A.Incorrect username
B.Missing Write permission for transfers
C.Network connectivity issue
D.Database connection error
Answer: B

The policy grants ReadOnly on transfers, which is insufficient to execute a transfer.

Why this answer

The user can authenticate and access the system (since they are in user acceptance testing with the given permission set), but cannot execute a fund transfer. This indicates that the user lacks the necessary Write permission for the transfer operation, which is required to modify the database record or initiate the transaction. Without Write access, the application can read data but cannot commit the transfer, causing the operation to fail.

Exam trap

The trap here is that candidates often confuse authentication (username/password) with authorization (permissions), assuming any failure to execute a function must be a network or database issue, rather than recognizing that the user is already authenticated and the problem is a missing Write permission for the specific transaction.

How to eliminate wrong answers

Option A is wrong because an incorrect username would prevent authentication entirely, not just block the transfer execution after login. Option C is wrong because a network connectivity issue would cause a broader failure (e.g., timeout or inability to load pages), not a specific permission error on a single function. Option D is wrong because a database connection error would affect all database-dependent operations, not just the transfer, and would typically produce a connection timeout or server error message.

116
MCQ · hard

A large financial institution is developing a new online banking platform using an Agile methodology. The development team has implemented continuous integration and continuous deployment (CI/CD) pipeline. During a routine security scan, the IS auditor discovers that a developer accidentally committed a configuration file containing database credentials into the public-facing code repository. The credentials were exposed for 48 hours before being detected. Which of the following is the most critical control failure that allowed this incident to occur?

A.The code review process did not catch the sensitive data in the commit
B.The CI/CD pipeline lacked automated secrets scanning and static application security testing (SAST)
C.The repository access permissions were too permissive
D.The security awareness training for developers was inadequate
Answer: B

Automated scanning would have detected the credentials immediately and blocked the commit or alerted the team.

Why this answer

The most critical failure is the absence of automated secret scanning and SAST in the CI/CD pipeline. Such tools would have detected the credentials immediately upon commit and prevented their exposure. While code review, training, and access controls are important, automated scanning is a preventive detective control that operates at the speed of development.

Without it, human errors can go unnoticed. Option A (code review) is a manual process that can miss subtle commits. Option C (training) is a soft control and does not prevent the act.

Option D (permissions) might reduce the scope but does not catch the initial mistake.

117
MCQ · hard

A company is implementing IT governance based on COBIT 2019. Which of the following design factors would have the GREATEST impact on the governance system design?

A.The IT infrastructure complexity.
B.The size of the organization.
C.The number of IT staff.
D.The industry and regulatory environment.
Answer: D

Industry and regulations impose compliance requirements that shape governance.

Why this answer

Option D is correct because COBIT 2019 lists compliance requirements (the regulatory environment), alongside enterprise strategy, risk profile and threat landscape, among the design factors that drive governance system design; the industry and its regulators dictate what the governance system must enforce. Option B (enterprise size) is also a COBIT design factor, but it is less impactful than the industry and regulatory environment. Options A and C (infrastructure complexity, IT staff headcount) are operational details rather than governance design factors.

118
MCQhard

An organization is developing a critical application using an agile methodology. The project sponsor demands frequent deliveries but the development team is concerned about insufficient testing. Which of the following BEST mitigates this risk?

A.Deploy with known defects and fix them in the next sprint
B.Increase manual testing effort at the end of each sprint
C.Extend the release cycle to allow more time for testing
D.Implement continuous integration and automated testing
AnswerD

CI and automated testing enable fast feedback and maintain quality, supporting frequent releases.

Why this answer

Option D is correct because continuous integration (CI) and automated testing enable frequent, reliable code integration and immediate feedback on defects, directly addressing the tension between rapid delivery and insufficient testing. Automated tests run on every commit, catching regressions early without manual overhead, which is essential for agile sprints where manual testing alone cannot scale to match delivery velocity.

Exam trap

The trap here is that candidates may choose Option B (increase manual testing) because they equate 'more testing' with 'better quality,' failing to recognize that manual testing cannot keep pace with agile's rapid delivery cycles and that automation is the only scalable solution to integrate testing into every iteration.

How to eliminate wrong answers

Option A is wrong because deploying known defects increases technical debt and risk in production, violating the principle of maintaining a shippable increment in agile and potentially causing cascading failures. Option B is wrong because increasing manual testing at the end of each sprint creates a bottleneck, contradicts the agile goal of continuous testing, and does not scale with frequent deliveries, leading to delayed feedback and incomplete coverage. Option C is wrong because extending the release cycle undermines the project sponsor's demand for frequent deliveries and does not solve the root cause of insufficient testing; it merely postpones risk rather than mitigating it through automation.

119
MCQmedium

An IT auditor is evaluating the change management process for a financial trading system. Which of the following is the BEST indicator of a mature change management process?

A.Changes are documented after deployment
B.All changes are logged and require automated approval workflows
C.Developers can deploy changes directly to production if urgent
D.Changes are approved verbally by the IT manager
AnswerB

Provides control and traceability.

Why this answer

Option B is correct because a mature change management process requires that all changes be formally logged and subjected to automated approval workflows. This ensures traceability, segregation of duties, and auditability, which are critical for a financial trading system where unauthorized or untracked changes could lead to financial loss or regulatory non-compliance.

Exam trap

The trap here is that candidates may confuse 'efficiency' (e.g., allowing direct deployment for urgent changes) with 'maturity,' but mature processes prioritize control and auditability over speed, especially in high-risk systems like financial trading platforms.

How to eliminate wrong answers

Option A is wrong because documenting changes after deployment violates the principle of proactive control; changes should be approved and documented before deployment to prevent unauthorized or untested modifications. Option C is wrong because allowing developers to deploy changes directly to production bypasses all change control gates, increasing the risk of introducing errors or security vulnerabilities without review. Option D is wrong because verbal approvals lack an audit trail and are not verifiable, making them unsuitable for a regulated financial environment where every change must be recorded and traceable.

120
Multi-Selecthard

Which THREE of the following are responsibilities of the board of directors regarding IT governance? (Choose three.)

Select 3 answers
A.Implementing IT security controls
B.Approving the IT strategy
C.Reviewing and approving IT policies
D.Monitoring daily IT operations
E.Ensuring that IT risks are managed within acceptable levels
AnswersB, C, E

Board approves strategic direction.

Why this answer

Correct answers: B, C, E. The board is responsible for approving the strategic direction (B), approving policy (C) and ensuring that IT risk is managed within the appetite it has set (E). Option A (implementing security controls) is a management duty.

Option D (monitoring daily operations) is operational; the board oversees, it does not operate.

121
Multi-Selecthard

Which TWO are primary objectives of an identity and access management (IAM) program? (Select exactly 2.)

Select 2 answers
A.Ensuring appropriate access to resources.
B.Enforcing least privilege principle.
C.Encrypting data at rest and in transit.
D.Patching software vulnerabilities.
E.Monitoring network traffic for anomalies.
AnswersA, B

Core IAM objective.

Why this answer

Option A is correct because the primary objective of an IAM program is to ensure that the right individuals have access to the appropriate resources at the right time for the right reasons. This is achieved through authentication, authorization, and access control mechanisms such as Role-Based Access Control (RBAC) or Attribute-Based Access Control (ABAC). Option B is correct because enforcing least privilege is how IAM keeps that access to the minimum required; periodic access reviews, recertification and prompt deprovisioning exist to stop privilege creeping beyond it. Without these two objectives the organization cannot enforce its security policies or maintain a meaningful audit trail of who could access what.

Exam trap

The trap here is that candidates often confuse IAM with general security controls like encryption or network monitoring, but IAM strictly deals with identity lifecycle, authentication, authorization, and access governance, not data protection or network-level defenses.

122
MCQmedium

A company is implementing a cloud-based identity and access management (IAM) system. Which of the following best describes the principle of least privilege in this context?

A.Users should have administrative rights for troubleshooting.
B.Permissions should be revoked only when an employee leaves the company.
C.All users should have the same level of access for consistency.
D.Permissions should be granted based on the user's role and need-to-know.
AnswerD

Correct. Least privilege aligns with role-based access and minimum necessary permissions.

Why this answer

Option D is correct because the principle of least privilege dictates that users should be granted only the permissions necessary to perform their job functions, based on their role and need-to-know. In a cloud-based IAM system, this is typically implemented through role-based access control (RBAC) or attribute-based access control (ABAC), ensuring minimal exposure to sensitive resources and reducing the attack surface.

Exam trap

The trap here is that candidates often confuse 'least privilege' with 'administrative convenience' or 'consistency,' mistakenly thinking that granting admin rights for troubleshooting (Option A) or uniform access (Option C) simplifies management, when in fact these practices directly violate the core security principle.

How to eliminate wrong answers

Option A is wrong because granting administrative rights for troubleshooting violates least privilege by providing excessive, often permanent, elevated privileges that can be exploited or misused; instead, temporary just-in-time (JIT) access or privileged access management (PAM) should be used. Option B is wrong because permissions should be reviewed and revoked promptly when no longer needed, not only upon employee departure; failure to do so leads to privilege creep and increased risk of unauthorized access. Option C is wrong because uniform access for all users contradicts least privilege, as it ignores the varying job functions and data sensitivity levels, leading to over-privileged users and potential data breaches.

123
Multi-Selecthard

A large enterprise is assessing its IT governance maturity. Which THREE of the following are indicators of a mature governance process? (Select exactly three.)

Select 3 answers
A.IT decisions are made in silos
B.IT budget is allocated based on historical spending
C.There is a formal IT governance committee
D.IT performance metrics are linked to business outcomes
E.IT strategy is reviewed quarterly by the board
AnswersC, D, E

Formal committee is a hallmark of maturity.

Why this answer

Mature governance involves board-level review of IT strategy, linking IT metrics to business outcomes, and having a formal governance committee. Decisions in silos and historical budget allocation are signs of low maturity.

124
MCQmedium

An organization is transitioning from a waterfall to an agile development methodology. Which of the following is a key risk that the IS auditor should highlight?

A.User requirements may be incomplete at the start.
B.Testing is deferred until the end of the project.
C.Stakeholder involvement may decrease.
D.Scope creep may increase without proper controls.
AnswerD

Agile's iterative nature can lead to uncontrolled scope expansion if not managed.

Why this answer

In agile development, iterative cycles and continuous feedback can lead to scope creep if changes are not managed through a disciplined backlog prioritization process. Unlike waterfall, where scope is fixed early, agile's flexibility requires robust controls (e.g., sprint boundaries, product owner authority) to prevent uncontrolled expansion. An IS auditor should highlight this risk because without proper governance, the project may exceed budget and timeline despite agile's adaptive nature.

Exam trap

The trap here is that candidates mistakenly think agile eliminates scope creep entirely, when in fact its flexibility requires even stronger controls to prevent uncontrolled expansion, especially during the transition from waterfall.

How to eliminate wrong answers

Option A is wrong because incomplete user requirements at the start are an accepted characteristic of agile, not a key risk; agile embraces evolving requirements through iterative refinement. Option B is wrong because agile integrates testing continuously throughout each sprint (e.g., test-driven development), not deferred to the end. Option C is wrong because agile explicitly requires high stakeholder involvement (e.g., daily stand-ups, sprint reviews, product owner role), so decreased involvement would violate core agile principles.

125
MCQmedium

A database administrator accidentally deleted a critical table. The last full backup was taken 24 hours ago, and transaction logs are archived every 15 minutes. Which recovery method will minimize data loss?

A.Use a standby database
B.Point-in-time recovery using transaction logs
C.Restore from full backup only
D.Restore from full backup and apply transaction logs up to the time of deletion
AnswerD

Restoring the backup and replaying the logs to just before the deletion recovers everything committed up to the last archived log, so at most 15 minutes of work is lost.

Why this answer

Option D is correct because restoring the full backup and then applying the transaction logs up to (but not including) the deletion recovers all committed work except the transactions after the last archived log, at most 15 minutes given the archive interval. Option A is incomplete: a standby database normally replays the same transactions as the primary, so the deletion would already have propagated to it. Option B describes only the replay step; transaction logs cannot be applied without a restored full backup to apply them to. Option C loses the full 24 hours of transactions since the backup.
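A worked illustration of the four options, added here as an example and not part of the question bank: a Python model of restore-plus-log-replay over a constructed timeline (full backup at 02:00, the accidental drop at 01:58 the following day, logs archived every 15 minutes). Table contents, timestamps and log records are invented for the example; what matters is the stop time and which records survive under each strategy.

```python
import copy
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

Table = Dict[int, float]
State = Dict[str, Table]
# (commit time, operation, table, key, value)
LogRecord = Tuple[datetime, str, str, Optional[int], Optional[float]]

# Constructed timeline matching the question: full backup 24 h before the
# deletion, transaction logs archived every 15 minutes.
BACKUP_TIME = datetime(2024, 3, 1, 2, 0)
DROP_TIME = BACKUP_TIME + timedelta(hours=23, minutes=58)
ARCHIVED_THROUGH = BACKUP_TIME + timedelta(hours=23, minutes=45)  # last completed archive

FULL_BACKUP: State = {"accounts": {1: 100.0, 2: 250.0}}

TRANSACTION_LOG: List[LogRecord] = [
    (BACKUP_TIME + timedelta(hours=1), "insert", "accounts", 3, 75.0),
    (BACKUP_TIME + timedelta(hours=5), "update", "accounts", 1, 120.0),
    (BACKUP_TIME + timedelta(hours=23, minutes=50), "insert", "accounts", 4, 10.0),
    (DROP_TIME, "drop_table", "accounts", None, None),  # the DBA's accidental deletion
]


def apply_record(state: State, record: LogRecord) -> None:
    """Replay one committed change against the in-memory copy of the database."""
    _, op, table, key, value = record
    if op == "drop_table":
        state.pop(table, None)
    elif op in ("insert", "update"):
        state.setdefault(table, {})[key] = value
    elif op == "delete":
        state.get(table, {}).pop(key, None)
    else:
        raise ValueError(f"unknown operation {op!r}")


def recover(full_backup: State, log: List[LogRecord],
            stop_before: Optional[datetime] = None,
            archived_through: Optional[datetime] = None) -> Tuple[State, List[LogRecord]]:
    """Restore the full backup, then replay log records committed before stop_before.

    archived_through models having only the archived logs available: records
    committed after it were still in the active log and are reported as lost
    rather than replayed. With stop_before=None everything is replayed,
    including the drop itself.
    """
    state = copy.deepcopy(full_backup)
    lost: List[LogRecord] = []
    for record in sorted(log, key=lambda r: r[0]):
        committed = record[0]
        if stop_before is not None and committed >= stop_before:
            break
        if archived_through is not None and committed > archived_through:
            lost.append(record)
            continue
        apply_record(state, record)
    return state, lost


if __name__ == "__main__":
    print("full backup only       :", FULL_BACKUP)
    pitr, lost = recover(FULL_BACKUP, TRANSACTION_LOG, stop_before=DROP_TIME)
    print("backup + logs to drop  :", pitr, "lost:", len(lost))
    pitr_arch, lost_arch = recover(FULL_BACKUP, TRANSACTION_LOG, DROP_TIME, ARCHIVED_THROUGH)
    print("backup + archived logs :", pitr_arch, "lost:", len(lost_arch))
    print("loss window            :", DROP_TIME - ARCHIVED_THROUGH)
    print("replay without stop    :", recover(FULL_BACKUP, TRANSACTION_LOG)[0])
```

In MySQL terms the stop time corresponds to restoring the full backup and then piping `mysqlbinlog --stop-datetime=...` into the server; replaying without a stop time re-executes the DROP, which is why the last case ends with no accounts table at all.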

126
MCQeasy

Which of the following is the BEST indicator that an organization's incident management process is effective?

A.The average time to resolve incidents is under 1 hour
B.The number of incidents reported per month is increasing
C.All incidents are logged within 10 minutes of detection
D.The percentage of recurring incidents is decreasing over time
AnswerD

A reduction in recurrence shows that the process is identifying and eliminating root causes.

Why this answer

Option D is correct because a decreasing share of recurring incidents shows that problem management is finding and removing root causes, which is what an effective incident management process is meant to achieve. Option A measures resolution speed, not whether incidents stop happening. Option B measures volume, which can rise for reasons unrelated to process quality (better reporting, business growth). Option C measures how quickly incidents are recorded, a step in the process rather than its outcome.

127
MCQmedium

A company is outsourcing software development. What is the IS auditor's PRIMARY concern?

A.The vendor's development methodology
B.Protection of intellectual property and data
C.The vendor's financial stability
D.Compliance with service level agreements
AnswerB

Data protection is the highest risk in outsourcing.

Why this answer

Option B is correct because the vendor will hold the organization's source code, designs and possibly production data, so protection of intellectual property and data is the primary risk in outsourced development. Financial stability, methodology and SLA compliance are important but secondary to data protection.

128
MCQmedium

An organization uses continuous auditing techniques to monitor transactions. The IS auditor is evaluating the effectiveness of these techniques. Which of the following is the PRIMARY benefit of continuous auditing over traditional periodic auditing?

A.Reduced cost of audit resources
B.More timely identification of control weaknesses
C.Increased sample size for transaction testing
D.Early detection of anomalies and potential fraud
AnswerD

Continuous monitoring enables prompt detection and intervention.

Why this answer

Continuous auditing enables real-time or near-real-time monitoring of transactions, allowing the IS auditor to detect anomalies and potential fraud as they occur. This is the primary benefit because it shifts the audit function from retrospective review to proactive identification, which is critical for timely risk mitigation.

Exam trap

The trap here is that candidates often confuse the secondary benefit of timely control weakness identification (Option B) with the primary benefit of early anomaly and fraud detection, which is the core purpose of continuous auditing over periodic methods.

How to eliminate wrong answers

Option A is wrong because continuous auditing often requires significant investment in automated tools and infrastructure, which can increase rather than reduce the cost of audit resources. Option B is wrong because while continuous auditing does improve timeliness, the identification of control weaknesses is a secondary benefit; the primary advantage is the detection of anomalies and fraud at the transaction level. Option C is wrong because continuous auditing typically analyzes 100% of transactions, not just an increased sample size, making sample size irrelevant to its primary benefit.

129
MCQmedium

What is the primary control weakness in this IAM policy?

A.Over-privileged access
B.No encryption requirement
C.MFA not required
D.Lack of logging
AnswerA

The role has broad access to all objects without conditions.

Why this answer

The IAM policy grants broad permissions (e.g., `"Effect": "Allow", "Action": "*", "Resource": "*"`) without scoping to specific actions or resources, violating the principle of least privilege. This over-privileged access allows any principal the policy is attached to to perform any operation (including destructive actions like `iam:DeleteRole` or `s3:DeleteBucket`) across all resources, creating a severe security risk. The primary weakness is the lack of fine-grained access control, not the absence of encryption, MFA, or logging.

Exam trap

The trap here is that candidates often focus on missing security features like encryption or MFA, but the CISA exam emphasizes that the most critical IAM weakness is granting excessive permissions (over-privileged access) rather than missing optional controls.

How to eliminate wrong answers

Option B is wrong because encryption requirements (e.g., `s3:x-amz-server-side-encryption` condition key) are data protection controls, not identity-based access controls; the policy's core flaw is excessive permissions, not missing encryption. Option C is wrong because MFA (multi-factor authentication) is an additional authentication layer enforced via `aws:MultiFactorAuthPresent` condition keys, but the policy's primary weakness is the overly permissive `Action: *` and `Resource: *`, not the lack of MFA. Option D is wrong because logging (e.g., AWS CloudTrail) is an audit control that records actions after they occur, but it does not prevent the underlying over-privileged access; the policy itself lacks proper authorization boundaries.
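To make the policy weakness discussed here and in question 122 concrete, the following is an added example (not from the question bank and not AWS code) of a small Python auditor that flags the wildcard grants and missing conditions that violate least privilege, with an over-privileged policy alongside a scoped one. The two policies, the bucket name example-reports and the rule set are constructed for the example; the condition key aws:MultiFactorAuthPresent is the real IAM key referred to above.

```python
from typing import Any, Dict, List

# Constructed policies for this example; neither is taken from a real account.
OVERPRIVILEGED_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

SCOPED_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadReportsBucket",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-reports",
                "arn:aws:s3:::example-reports/*",
            ],
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }
    ],
}


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a single string or a list for Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy: Dict[str, Any]) -> List[str]:
    """Return least-privilege findings for every Allow statement, most severe first."""
    findings: List[str] = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only remove access
        sid = stmt.get("Sid", f"Statement[{index}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        if "NotAction" in stmt:
            findings.append(f"{sid}: Allow with NotAction grants every action except those listed")
        if "*" in actions:
            findings.append(f"{sid}: Action '*' grants every API call in every service")
        else:
            wide = [a for a in actions if a.endswith(":*")]
            if wide:
                findings.append(f"{sid}: service-wide wildcard action(s) {wide}")
        if "*" in resources:
            findings.append(f"{sid}: Resource '*' applies the grant to every resource")
        if "Condition" not in stmt:
            findings.append(
                f"{sid}: no Condition restricts when the grant applies (e.g. aws:MultiFactorAuthPresent)"
            )
    return findings


def is_least_privilege(policy: Dict[str, Any]) -> bool:
    return not audit_policy(policy)


if __name__ == "__main__":
    for name, policy in (("over-privileged", OVERPRIVILEGED_POLICY), ("scoped", SCOPED_POLICY)):
        print(f"{name}: {audit_policy(policy) or ['no findings']}")
```

The ordering of findings mirrors the exam's reasoning: the wildcard action and resource are reported first because they are the weakness that matters, and the missing MFA condition only after, because a condition on an `Action: *` grant would still leave the policy over-privileged.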

130
Multi-Selecthard

Which THREE are core components of a comprehensive identity and access management (IAM) system? (Choose three.)

Select 3 answers
A.Virtual private network (VPN) for remote network access.
B.Data loss prevention (DLP) to prevent data exfiltration.
C.Single sign-on (SSO) for simplified authentication.
D.Privileged access management (PAM) for managing administrative accounts.
E.Role-based access control (RBAC) for assigning permissions based on job roles.
AnswersC, D, E

SSO provides a unified authentication platform across applications.

Why this answer

Single sign-on (SSO) is a core IAM component because it centralizes authentication, allowing users to log in once and access multiple applications without re-entering credentials. This reduces password fatigue, improves user productivity, and simplifies identity lifecycle management by relying on a single identity provider (IdP) to enforce authentication policies across the enterprise. PAM (D) and RBAC (E) complete the set: PAM governs the administrative accounts that would otherwise be the most valuable target behind SSO, and RBAC is the authorization model that decides what an authenticated identity is allowed to do.

Exam trap

ISACA often tests the distinction between infrastructure security tools (VPN, DLP) and core IAM functions (authentication, authorization, administration), so the trap here is confusing network-level or data-level controls with identity-centric components that directly manage user access rights and authentication workflows.

131
MCQmedium

An organization is considering outsourcing its IT infrastructure management. Which of the following is the MOST important factor to include in the service level agreement (SLA)?

A.Definition of key performance indicators (KPIs) and reporting frequency.
B.List of hardware and software to be managed.
C.Staffing levels and qualifications of vendor personnel.
D.Price reduction clauses for non-compliance.
AnswerA

KPIs provide objective measures for performance evaluation.

Why this answer

Option A is correct because clearly defined KPIs and a reporting frequency give the organization objective measures of vendor performance and the evidence needed to act on them. Option B (the inventory of managed hardware and software) is important but defines scope, not performance. Options C and D are operational and commercial details that can be addressed elsewhere in the contract; price-reduction clauses are unenforceable without the metrics that establish non-compliance in the first place.

132
MCQeasy

An organization's mobile device management (MDM) policy requires that all corporate data on employee-owned smartphones be protected. Which control best ensures that corporate data can be remotely wiped without affecting personal data?

A.Disabling the ability to copy/paste between corporate and personal apps
B.Implementing a containerization solution that separates work and personal profiles
C.Requiring a strong password and biometric authentication
D.Enforcing a full device encryption policy
AnswerB

Containerization enables selective wipe of corporate data.

Why this answer

Containerization (also called dual-persona, or a work profile on Android) creates a separate, encrypted container on the device for corporate apps and data. This allows the MDM to issue a selective wipe command that destroys only the container and its contents, leaving the user's personal apps, photos, and settings untouched. Without containerization, a remote wipe would typically erase the entire device, including all personal data.

Exam trap

The trap here is that candidates often confuse 'full device encryption' (Option D) with selective wipe capability, assuming encryption alone allows granular data removal, when in fact encryption without containerization still requires wiping the entire encrypted volume.

How to eliminate wrong answers

Option A is wrong because disabling copy/paste between corporate and personal apps prevents data leakage but does not enable selective remote wipe; it is a data loss prevention (DLP) control, not a wipe mechanism. Option C is wrong because requiring a strong password and biometric authentication controls device access but has no effect on the scope of a remote wipe; it is an authentication control, not a data separation or wipe control. Option D is wrong because enforcing full device encryption protects data at rest but does not differentiate between corporate and personal data; a remote wipe under full encryption would still erase the entire device, including personal data.

133
Multi-Selecteasy

An IT governance framework should include which TWO key components? (Select exactly two.)

Select 2 answers
A.User training
B.Vendor lock-in
C.Strategic alignment
D.Network firewall rules
E.Performance measurement
AnswersC, E

Aligns IT with business objectives.

Why this answer

Strategic alignment ensures IT supports business goals; performance measurement tracks achievement. Network firewall rules, user training, and vendor lock-in are operational or tactical, not core governance components.

134
MCQmedium

An organization experiences a ransomware attack that encrypts critical files. Which of the following is the BEST recovery strategy to minimize data loss?

A.Disconnect the network and rebuild systems from scratch
B.Pay the ransom to decrypt files
C.Restore from offline backups taken before the attack
D.Use system restore points on the same network
AnswerC

Offline backups (e.g., tape or immutable cloud) are not accessible to ransomware, enabling clean recovery.

Why this answer

Restoring from offline backups taken before the attack ensures that the recovered data is clean and free from encryption, as the ransomware cannot modify backups that are not connected to the network. This strategy minimizes data loss by reverting to the most recent known-good state without relying on potentially compromised or incomplete system restore points.

Exam trap

The trap here is that candidates may choose Option D (system restore points) because they seem convenient and built-in, but they fail to realize that ransomware specifically targets and deletes these snapshots, making them unreliable for recovery.

How to eliminate wrong answers

Option A is wrong because rebuilding systems from scratch without backups results in complete data loss, as no user or application data is preserved. Option B is wrong because paying the ransom does not guarantee decryption, encourages further attacks, and may leave backdoors or incomplete file recovery. Option D is wrong because system restore points on the same network are often encrypted by the ransomware, as they reside on accessible storage, and they typically only restore system files, not user data.

135
MCQeasy

An organization wants to ensure that data is not retained longer than necessary. Which of the following is the BEST control to implement?

A.Encrypt all data at rest
B.Implement a backup retention policy
C.Use role-based access controls
D.Define and enforce data retention schedules
AnswerD

Retention schedules ensure data is deleted when no longer needed.

Why this answer

Defining and enforcing data retention schedules directly addresses the requirement to not retain data longer than necessary by specifying precise timeframes for data deletion or archival. This control ensures compliance with legal, regulatory, and business needs by automating the lifecycle management of data, such as through expiration policies in object storage (e.g., S3 Lifecycle rules) or database TTL (time-to-live) settings. Without such schedules, data may persist indefinitely, increasing storage costs and regulatory risk.

Exam trap

The trap here is that candidates confuse data retention (how long data is kept) with data protection mechanisms like encryption or access control, or they mistakenly think backup retention policies are sufficient for primary data lifecycle management.

How to eliminate wrong answers

Option A is wrong because encrypting data at rest protects confidentiality but does not control how long data is stored; it can even hinder deletion if encryption keys are not properly managed. Option B is wrong because a backup retention policy governs copies of data for recovery purposes, not the primary data itself; it may inadvertently retain data longer than necessary if not aligned with the primary retention schedule. Option C is wrong because role-based access controls (RBAC) restrict who can access or modify data but do not enforce time-based deletion or retention limits.

136
MCQeasy

An organization has a policy requiring all employees to complete annual information security awareness training. Which of the following is the BEST way to verify compliance with this policy?

A.Conduct phishing simulation tests
B.Survey employees about their satisfaction with training
C.Interview HR about training content
D.Review training completion records from the learning management system
AnswerD

Records provide direct evidence of completion.

Why this answer

Option D is correct because completion records from the learning management system are direct, objective evidence that each employee finished the training. Option A measures whether employees apply what they learned, not whether they completed the course. Option B measures satisfaction, not completion.

Option C confirms what the training covers, not who completed it.

137
MCQhard

A large financial institution is implementing a new core banking system to replace a legacy system. The project has been underway for 18 months and is behind schedule. User acceptance testing (UAT) has revealed significant data integrity issues, including missing customer records and incorrect interest calculations. The project manager, under pressure from senior management to meet a regulatory deadline, proposes going live with a promise to fix the issues in a post-implementation phase. The development team has been making ad hoc code changes directly in the test environment without version control or proper testing. Additionally, the IS auditor discovers that the business requirements were never formally signed off by the user community; only verbal approvals were obtained. The project has consumed 90% of the budget but only 60% of the functionality is tested. Which of the following is the BEST course of action for the IS auditor to recommend?

A.Allow the go-live with a formal post-implementation support plan and a dedicated team to address defects.
B.Recommend halting the go-live until the business requirements are formally signed off and UAT is completed successfully with all critical defects resolved.
C.Suggest a phased go-live, releasing the tested modules to production while continuing development on the remaining modules.
D.Escalate the issues to the board of directors and recommend immediate termination of the project.
AnswerB

This addresses root causes: lack of formal sign-off and unresolved defects, ensuring a controlled implementation.

Why this answer

Option B is correct because the project lacks formal sign-off on business requirements, has unresolved critical data integrity issues, and has been making uncontrolled code changes without version control. Going live under these conditions would violate ISACA's IS acquisition and implementation standards, which require that all critical defects be resolved and UAT be successfully completed before production deployment. The regulatory deadline does not justify bypassing these fundamental controls, as post-implementation fixes cannot guarantee data integrity and could lead to regulatory penalties.

Exam trap

The trap here is that candidates may choose Option A because they think a post-implementation support plan is a pragmatic compromise, but the CISA exam emphasizes that going live with unresolved critical defects and uncontrolled code changes violates fundamental SDLC controls and ISACA's IS acquisition and implementation standards.

How to eliminate wrong answers

Option A is wrong because allowing go-live with a post-implementation support plan ignores the fact that the project has already consumed 90% of the budget with only 60% functionality tested, and the ad hoc code changes without version control indicate a lack of configuration management that would likely cause more defects in production. Option C is wrong because a phased go-live assumes that some modules are fully tested and stable, but the UAT has revealed systemic data integrity issues (missing records, incorrect interest calculations) that affect the entire system, not just untested modules, and the lack of formal requirements sign-off means even tested modules may not meet user needs. Option D is wrong because immediate termination is too drastic given that the project is 60% tested and the regulatory deadline is a real constraint; the auditor should first recommend corrective actions (formal sign-off, controlled testing, defect resolution) before considering termination.

138
Multi-Selecthard

Which TWO of the following are indicators of poor project governance that an IS auditor should identify?

Select 2 answers
A.Scope changes are frequently requested and approved verbally.
B.Project progress reports are inconsistent and lack key metrics.
C.Project team uses an agile methodology.
D.Project status meetings are held weekly.
E.The project budget is reallocated across phases.
AnswersA, B

Lack of formal change control leads to scope creep.

Why this answer

Option A is correct because verbal approval of scope changes bypasses formal change control processes, leading to undocumented scope creep, loss of audit trail, and increased risk of project failure. An IS auditor should identify this as a governance weakness because it violates the principle of documented authorization and traceability required for effective project oversight. Option B is correct because inconsistent progress reports that lack key metrics deny the steering committee the information it needs to detect schedule, cost or quality slippage and act on it.

Exam trap

The trap here is that candidates may confuse agile methodology with poor governance, but agile includes its own governance mechanisms (e.g., sprint reviews, backlog grooming, definition of done) that, when followed, do not indicate weak oversight.

139
Multi-Selecteasy

Which TWO of the following are benefits of implementing an IT governance framework?

Select 2 answers
A.Improved risk management and mitigation
B.Reduction in IT staff headcount
C.Enhanced regulatory compliance
D.Reduced IT operational costs
E.Elimination of all IT project failures
AnswersA, C

Frameworks like COBIT emphasize risk management.

Why this answer

Implementing an IT governance framework, such as COBIT or ISO/IEC 38500, establishes structured policies, procedures, and controls that directly improve risk management and mitigation. By defining clear roles, accountability, and risk appetite, the framework ensures that risks are systematically identified, assessed, and treated, rather than being managed ad hoc. This aligns IT strategy with business objectives and embeds risk management into daily operations.

Exam trap

The trap here is that candidates often confuse the benefits of an IT governance framework with operational cost-cutting or headcount reduction, when in fact the framework's core value is in aligning IT with business goals, improving risk management, and ensuring compliance, not in directly reducing expenses or eliminating failures.

140
MCQhard

A company's endpoint protection solution alerts on a file that is digitally signed by a trusted software vendor but exhibits malicious behavior on execution. What type of threat does this scenario most likely depict?

A.A Trojan horse disguised as legitimate software.
B.Signed malware, indicating the certificate may have been compromised.
C.A zero-day exploit targeting an unpatched vulnerability.
D.A fileless attack that never writes to disk.
AnswerB

The file has a trusted digital signature but performs malicious actions, suggesting the signing key was stolen or misused.

Why this answer

The scenario describes a file that is digitally signed by a trusted vendor yet exhibits malicious behavior. This is the classic definition of signed malware, where the digital certificate used to sign the file has likely been stolen, misused, or issued fraudulently. The trusted signature bypasses reputation-based and allowlist controls, making the threat particularly dangerous because the file appears legitimate to security tools that trust the vendor's certificate. A valid signature only proves that whoever held the private key signed the file; it says nothing about the code's intent, which is why behavioral detection still fired and why the response should include checking whether the vendor has revoked the certificate.

Exam trap

The trap here is that candidates confuse 'signed malware' with a 'Trojan horse,' but the critical differentiator is the presence of a valid digital signature from a trusted vendor, which is not inherent to Trojans and is the specific mechanism that makes this threat unique.

How to eliminate wrong answers

Option A is wrong because a Trojan horse is malware that disguises itself as a legitimate program, but it does not necessarily carry a valid digital signature from a trusted vendor; the key detail here is the presence of a trusted digital signature, which is not a requirement for a Trojan. Option C is wrong because a zero-day exploit targets an unpatched vulnerability in software or the OS, not a signed file; the threat is not about exploiting a vulnerability but about abusing a trusted certificate to bypass security controls. Option D is wrong because a fileless attack operates in memory without writing files to disk, whereas this scenario explicitly involves a file that is alerted on by endpoint protection, meaning it exists on disk and is signed.

141
MCQmedium

Refer to the exhibit. An application log shows an error. What is the MOST likely cause of this error?

A.The database server is offline
B.The user does not have insert privileges
C.The data type of the username field is incorrect
D.A duplicate username was inserted into the USERS table
AnswerD

Unique constraint violation indicates duplicate value.

Why this answer

The error message "Duplicate entry 'admin' for key 'PRIMARY'" indicates a violation of the PRIMARY KEY constraint on the USERS table. Since the username field is the primary key, inserting a second row with the same username (e.g., 'admin') causes MySQL to reject the INSERT operation with error code 1062. This is a unique constraint violation, not a connectivity or privilege issue.

Exam trap

The trap here is that candidates may confuse a duplicate key error with a privilege or connectivity issue, but the specific error code 1062 and the phrase 'Duplicate entry' directly point to a unique constraint violation, not a server or permission problem.

How to eliminate wrong answers

Option A is wrong because a database server being offline would produce a connection timeout or 'Can't connect to MySQL server' error (e.g., error 2003), not a duplicate key error. Option B is wrong because insufficient INSERT privileges would generate an 'Access denied for user' error (e.g., error 1142), not a duplicate entry error. Option C is wrong because an incorrect data type for the username field would cause a type mismatch or truncation error (e.g., error 1366 or 1406), not a duplicate key violation.

142
MCQmedium

An organization uses role-based access control (RBAC). An employee is transferred to a new department. According to best practices, what should be done regarding the employee's access rights?

A.Remove access to the previous department's resources after a grace period.
B.Keep all access but log usage.
C.Immediately revoke all previous access and assign new role permissions.
D.Keep previous access and grant new role permissions.
AnswerC

Correct. This follows least privilege and prevents unauthorized access during transition.

Why this answer

Option C is correct because RBAC mandates that access rights are strictly tied to job functions. When an employee changes departments, their previous role permissions are no longer applicable and must be immediately revoked to prevent unauthorized access, while new role permissions are granted to align with their new responsibilities. This follows the principle of least privilege and ensures that access rights are always current with the employee's role.

Exam trap

The trap here is that candidates may think a grace period or logging is acceptable, but CISA emphasizes immediate revocation to maintain least privilege and prevent unauthorized access during role transitions.

How to eliminate wrong answers

Option A is wrong because a grace period introduces a window of unauthorized access, violating the principle of least privilege and RBAC's requirement for immediate role alignment. Option B is wrong because keeping all access with logging does not prevent the employee from accessing resources they no longer need, which is a security risk and non-compliant with RBAC's role-based assignment. Option D is wrong because retaining previous access while granting new permissions results in excessive privileges, violating the segregation of duties and least privilege principles.

143
MCQmedium

A company is developing a mobile application that processes credit card payments. During the testing phase, which of the following types of testing is MOST critical to ensure security?

A.Interface testing.
B.Usability testing.
C.Penetration testing.
D.Regression testing.
AnswerC

Penetration testing identifies exploitable security weaknesses.

Why this answer

Penetration testing is the most critical testing type for a mobile application processing credit card payments because it simulates real-world attacks to identify exploitable vulnerabilities in the payment data flow, authentication mechanisms, and API endpoints. This directly addresses PCI DSS requirements for security testing of cardholder data environments, unlike other testing types that focus on functionality or user experience.

Exam trap

The trap here is that candidates confuse 'regression testing' or 'interface testing' with security validation, overlooking that only penetration testing actively attempts to exploit vulnerabilities in the payment processing logic and data handling.

How to eliminate wrong answers

Option A is wrong because interface testing verifies correct data exchange between system components (e.g., API request/response formats) but does not actively probe for security weaknesses like SQL injection or insecure direct object references. Option B is wrong because usability testing evaluates user experience and workflow efficiency, not the security of payment data transmission or storage. Option D is wrong because regression testing ensures new code changes do not break existing functionality, but it does not include adversarial testing to uncover new vulnerabilities introduced in the payment processing logic.

144
Multi-Selecthard

Which THREE of the following are key components of an effective information security awareness program? (Choose three.)

Select 3 answers
A.Phishing simulation exercises
B.Reward program for reporting incidents
C.Annual one-time training for all employees
D.Support from top management
E.Regularly scheduled training sessions on security policies
AnswersA, D, E

Simulations test and improve behavior.

Why this answer

Phishing simulation exercises are a key component of an effective information security awareness program because they provide hands-on, practical experience in identifying and responding to real-world phishing attempts. By simulating attacks, organizations can measure employee susceptibility, reinforce training, and reduce the risk of successful social engineering attacks. This proactive approach helps build a security-conscious culture and directly addresses the human factor in cybersecurity.

Exam trap

The trap here is that candidates may confuse a reward program for reporting incidents as a core component of awareness, when in fact it is a supplementary measure, not a foundational element like management support or regular training.

145
MCQeasy

A company is implementing a new IT governance framework. Which of the following is the PRIMARY benefit of aligning IT strategy with business strategy?

A.Simplifies IT architecture
B.Improves IT staff morale
C.Ensures IT investments support business objectives
D.Reduces IT costs
AnswerC

This is the core purpose of alignment: IT enables business goals.

Why this answer

Aligning IT strategy with business strategy ensures that IT investments support business objectives, delivering value and reducing waste. Reducing costs, improving morale, or simplifying architecture are secondary benefits.

146
MCQhard

During a post-implementation review, an IS auditor identifies that the system's actual transaction processing time is significantly higher than the benchmark specified in the service level agreement (SLA). The vendor claims it is due to inadequate network bandwidth provided by the client. What should the auditor do first?

A.Review the SLA to determine responsibility for network performance
B.Recommend increasing network bandwidth
C.Escalate the issue to senior management
D.Perform independent performance testing
AnswerA

The SLA should specify who is responsible for network bandwidth.

Why this answer

Option A is correct because the SLA defines each party's responsibilities, including who is accountable for network bandwidth, so reviewing it is the first step to clarify performance expectations before any remedial action is taken. Option B is incorrect because recommending a bandwidth increase without analysis is premature and simply assumes the vendor's claim is correct. Option C is incorrect because escalating to senior management is not the first step; the auditor should first establish the facts from the SLA. Option D is incorrect because independent performance testing may be unnecessary if the SLA already clarifies responsibility.

147
Multi-Selectmedium

Which TWO of the following are recommended practices for aligning IT strategy with business goals, according to COBIT 2019?

Select 2 answers
A.Implementing a continuous monitoring system for IT operational metrics
B.Conducting monthly IT steering committee meetings to review project status
C.Adopting a governance framework that covers all IT-related activities and stakeholder needs
D.Defining IT investment portfolios based on business value contribution
E.Using agile development methodologies for all IT projects
AnswersC, D

Correct. A holistic governance framework like COBIT 2019 ensures alignment.

Why this answer

Option C is correct because COBIT 2019 explicitly requires a governance framework that covers all IT-related activities and stakeholder needs to ensure alignment with business goals. This framework integrates enterprise governance principles, such as the Governance System and Governance Framework components, to bridge IT and business strategy through policies, structures, and processes.

Exam trap

The trap here is that candidates confuse operational or tactical activities (like monitoring metrics or project reviews) with strategic governance practices, which COBIT 2019 defines as framework-level alignment, not day-to-day management tasks.

148
MCQhard

A multinational corporation is implementing a new enterprise resource planning (ERP) system across multiple regions. The project uses a phased roll-out. After the first phase in Asia, the system experiences intermittent synchronization errors between the central database and regional servers. The IT team suspects network latency but cannot reproduce the issue consistently. The project sponsor wants to proceed with the next phase in Europe to avoid further delays. The IS auditor is performing a post-implementation review. What is the MOST appropriate recommendation?

A.Proceed with the European roll-out and monitor for similar issues.
B.Switch to a different ERP vendor that offers better cloud capabilities.
C.Conduct a thorough root cause analysis of the synchronization issue before any further roll-out.
D.Document the synchronization error as a known issue and accept the operational risk.
AnswerC

Prevent recurrence and identify systemic issues.

Why this answer

Option C is correct because the intermittent synchronization errors indicate a potential data integrity or consistency issue that must be fully understood before expanding the system's footprint. Proceeding without root cause analysis risks propagating the defect to the European phase, which could lead to widespread data corruption, increased remediation costs, and regulatory non-compliance. A thorough root cause analysis (e.g., examining network latency, transaction log replication, or database conflict resolution) is essential to ensure the ERP's distributed architecture is reliable.

Exam trap

The trap here is that candidates may choose Option A (proceed and monitor) because it seems pragmatic and avoids project delays, but the CISA exam emphasizes that unresolved control weaknesses in a post-implementation review must be addressed before expanding the system to prevent cascading failures.

How to eliminate wrong answers

Option A is wrong because proceeding with the European roll-out while only monitoring for similar issues ignores the fundamental need to resolve the existing synchronization defect; it assumes the problem is isolated to Asia, but the same network latency or configuration flaw could affect Europe. Option B is wrong because switching to a different ERP vendor is a drastic, costly, and premature response that does not address the specific technical root cause (e.g., network latency, replication protocol misconfiguration, or timeout settings) and introduces new integration risks. Option D is wrong because documenting the error as a known issue and accepting operational risk violates the principle of preventing data integrity failures; synchronization errors can cause inconsistent data across regions, leading to financial reporting errors or transaction failures, which are unacceptable in a post-implementation review.

149
MCQeasy

A small business wants to protect customer data collected through its e-commerce website. Which control is most appropriate for protecting the data at rest and in transit?

A.Implement a network firewall to block unauthorized access.
B.Perform regular backups of the database to ensure data availability.
C.Deploy an intrusion detection system (IDS) to monitor for threats.
D.Use encryption for data at rest and in transit.
AnswerD

Encryption directly protects data confidentiality by making it unreadable without the decryption key, applicable both at rest and in transit.

Why this answer

Encryption is the only control that directly protects the confidentiality and integrity of data both at rest (e.g., AES-256 for database files) and in transit (e.g., TLS 1.3 for HTTPS). It renders data unreadable without the proper decryption key, ensuring that even if storage media or network traffic is intercepted, the customer data remains secure.

Exam trap

The trap here is that candidates often confuse preventive controls like firewalls or IDS with data protection mechanisms, failing to recognize that encryption is the only direct safeguard for data confidentiality both at rest and in transit.

How to eliminate wrong answers

Option A is wrong because a network firewall controls access at the network layer but does not protect data at rest (e.g., stored database files) or data in transit from eavesdropping or decryption after interception. Option B is wrong because regular backups ensure data availability and recovery, not confidentiality or integrity; backups themselves must be encrypted to protect data at rest. Option C is wrong because an IDS monitors and alerts on suspicious activity but does not prevent data exposure; it cannot encrypt data or protect it from being read if intercepted.

150
MCQhard

During the user acceptance testing (UAT) phase of a new financial application, the business users report that the system calculates interest incorrectly for certain loan types. The project manager wants to fix this quickly. Which of the following is the BEST course of action?

A.Instruct the business to work around the issue until the next release
B.Authorize the development team to fix the bug immediately and re-deploy
C.Roll back to the previous version of the application
D.Log the defect and perform impact analysis before approving a fix
AnswerD

Ensures proper change management.

Why this answer

Option D is correct because in the UAT phase, any defect must be formally logged and subjected to impact analysis before a fix is approved. This ensures that the proposed change does not introduce new risks, break other functionality, or violate regulatory compliance—critical for a financial application handling interest calculations. Skipping this process could lead to cascading failures or audit findings.

Exam trap

The trap here is that candidates often choose Option B (immediate fix) because it seems efficient, but CISA emphasizes that any change during UAT must follow a controlled process to avoid introducing new risks, especially in financial systems where accuracy and auditability are paramount.

How to eliminate wrong answers

Option A is wrong because instructing business users to work around a calculation error in a financial application is unacceptable; it risks financial misstatements and violates internal control requirements. Option B is wrong because authorizing an immediate fix without impact analysis bypasses change management controls, potentially destabilizing the application and introducing new defects. Option C is wrong because rolling back to a previous version may not resolve the interest calculation issue (it could have existed before) and would discard any other validated changes, causing regression without proper analysis.
