Certified Information Systems Auditor (CISA) — Questions 226-300

509 questions total · 7 pages · All types, answers revealed

Page 4 of 7

226
MCQ · medium

During system development, which testing phase is performed by developers to verify that individual program units function correctly?

A.Integration testing
B.User acceptance testing
C.Unit testing
D.System testing
Answer: C

Unit testing verifies individual program units.

Why this answer

Unit testing is the phase where developers test individual program units or modules in isolation to verify they function correctly according to their design specifications. This is the lowest level of testing and is typically performed using stubs and drivers to simulate interfaces with other components.

Exam trap

The trap here is confusing the scope of testing phases: candidates often mistake integration testing (which tests module interactions) for unit testing (which tests individual modules in isolation), especially when the question emphasizes 'by developers' and 'individual program units'.

How to eliminate wrong answers

Option A is wrong because integration testing focuses on verifying the interactions and data flow between integrated modules, not individual units. Option B is wrong because user acceptance testing is performed by end users to validate that the system meets business requirements, not by developers to test code units. Option D is wrong because system testing validates the complete, integrated system against functional and non-functional requirements, not individual program units.

227
Multi-Select · hard

Which TWO of the following are indicators that a project is at risk of failure according to ISACA's project governance framework?

Select 2 answers
A.Regular status meetings with stakeholders.
B.Lack of clear communication channels among team members.
C.Adoption of iterative development.
D.Frequent changes to project scope without formal approval.
E.Use of a project management office (PMO).
Answers: B, D

Poor communication and uncontrolled scope change are both leading indicators of project failure.

Why this answer

Option B is correct because ISACA's project governance framework identifies lack of clear communication channels as a key risk indicator. Without defined communication paths, team members cannot share status updates, escalate issues or coordinate tasks, so misalignment goes unnoticed until it is expensive to fix. Option D is correct because scope changes made without formal approval bypass change control; each unapproved change adds unplanned effort and cost, and the baseline against which progress is measured no longer reflects what is actually being built. Options A, C and E describe good practice (stakeholder status meetings, iterative development, a PMO) that reduces project risk rather than signalling it.

Exam trap

The trap here is reading the positively worded options (regular status meetings, a PMO) as risk indicators because they mention project governance. The question asks for signs that a project is at risk, so the correct options are the ones describing breakdowns in communication and in change control.

228
MCQ · medium

Refer to the exhibit. An auditor notices this log entry during a review. The user john.doe does not have a legitimate business need to access executive salaries. Which of the following is the MOST likely control failure?

A.Database firewall misconfiguration
B.Audit logging is not enabled
C.Inadequate access controls or role-based permissions
D.Lack of encryption at rest
Answer: C

The user should not have SELECT privilege on the Employee_salaries table.

Why this answer

The log entry shows user john.doe successfully accessed executive salary data via a SELECT query. Since the user has no legitimate business need for this data, the most likely control failure is inadequate access controls or role-based permissions (RBAC). Proper RBAC would restrict access to sensitive columns or tables based on job function, preventing unauthorized queries regardless of other controls.

Exam trap

The trap here is that candidates may focus on the log entry's existence and incorrectly assume audit logging is the issue (Option B), when in fact the log proves logging works, and the real failure is the lack of preventive access controls that should have blocked the query before it executed.

How to eliminate wrong answers

Option A is wrong because a database firewall can block or alert on SQL statements that match a policy, but in this scenario the query succeeded, so either no such rule existed or the firewall was not the control expected to stop it; the root failure is that the account held a SELECT privilege on Employee_salaries that it should never have been granted, and a privilege that is never granted does not need a firewall to intercept it. Option B is wrong because audit logging is clearly enabled; the log entry itself is the evidence. Logging is a detective control and did its job; what is missing is the preventive control. Option D is wrong because encryption at rest protects against theft of the storage media or direct file access, but it does not prevent an authenticated user from querying data through the database interface; the database decrypts transparently for any session that is allowed to read the table, so encryption at rest would not have blocked this SELECT statement.
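The distinction between the detective control that produced the log entry and the preventive control that should have stopped the query can be made concrete. The following is an added example, not part of the question bank and not the missing exhibit: the log format, the role names and the second table are assumptions, and the only identifier taken from the question is the Employee_salaries table. It encodes a role-based grant policy, parses a few constructed audit-log lines, and reports successful statements that the policy would never have allowed, which is exactly the condition an auditor is looking at in this question.

```python
import re
from dataclasses import dataclass

# Assumed role-based grant policy: role -> table -> privileges.
# Employee_salaries is named in the question; the roles and Employee_directory are assumptions.
POLICY = {
    "hr_compensation": {"Employee_salaries": {"SELECT", "UPDATE"}},
    "hr_analyst": {"Employee_directory": {"SELECT"}},
    "app_support": {"Employee_directory": {"SELECT"}},
}

USER_ROLES = {
    "john.doe": {"hr_analyst"},
    "maria.ruiz": {"hr_compensation"},
}

# Constructed audit-log lines in a key=value layout. The real exhibit is not on the page,
# so this layout is an assumption for the example only.
SAMPLE_LOG = """\
ts=2024-05-02T09:14:03Z user=john.doe db=hr stmt="SELECT name, salary FROM Employee_salaries WHERE grade='EXEC'" status=SUCCESS rows=12
ts=2024-05-02T09:15:47Z user=maria.ruiz db=hr stmt="SELECT name, salary FROM Employee_salaries" status=SUCCESS rows=340
ts=2024-05-02T09:16:10Z user=john.doe db=hr stmt="SELECT name, email FROM Employee_directory" status=SUCCESS rows=340
ts=2024-05-02T09:17:55Z user=john.doe db=hr stmt="UPDATE Employee_salaries SET salary=salary*1.5 WHERE name='john.doe'" status=DENIED rows=0
"""

LINE_RE = re.compile(r'ts=(\S+) user=(\S+) db=(\S+) stmt="([^"]*)" status=(\S+) rows=(\d+)')
TABLE_RE = re.compile(r"\b(?:FROM|UPDATE|INTO|JOIN)\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    stmt: str
    status: str
    rows: int

    @property
    def privilege(self) -> str:
        # First keyword of the statement is the privilege being exercised (SELECT, UPDATE, ...).
        return self.stmt.split(None, 1)[0].upper()

    @property
    def tables(self) -> set[str]:
        return set(TABLE_RE.findall(self.stmt))


def parse_log(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, _db, stmt, status, rows = m.groups()
            events.append(Event(ts, user, stmt, status, int(rows)))
    return events


def is_authorized(user: str, privilege: str, table: str) -> bool:
    """Preventive check: the grant the database should have enforced before executing."""
    for role in USER_ROLES.get(user, set()):
        if privilege in POLICY.get(role, {}).get(table, set()):
            return True
    return False


def find_violations(events: list[Event]) -> list[tuple[str, str, str, str]]:
    """Detective check over the log: successful statements the role model does not permit.
    A SUCCESS here means the database held a grant that the policy says should not exist."""
    out = []
    for e in events:
        if e.status != "SUCCESS":
            continue  # a DENIED statement is the control working, not a failure
        for table in e.tables:
            if not is_authorized(e.user, e.privilege, table):
                out.append((e.ts, e.user, e.privilege, table))
    return out


if __name__ == "__main__":
    for v in find_violations(parse_log(SAMPLE_LOG)):
        print("excess privilege exercised:", v)
```

Running it flags only john.doe's successful SELECT on Employee_salaries; his denied UPDATE and his directory read are not findings. The remediation is to revoke the grant (or drop the role mapping) so `is_authorized` and the database agree, after which the log would show DENIED rather than SUCCESS for that query.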

229
MCQ · medium

An IT steering committee is reviewing a proposal for a new customer relationship management (CRM) system. What is the committee's MOST important role?

A.Approving technical specifications
B.Selecting the vendor
C.Ensuring alignment with business objectives
D.Managing the project budget
Answer: C

The committee provides strategic oversight.

Why this answer

Option C is correct because the steering committee's primary role is to ensure that the proposed system aligns with business objectives and strategy. Option A is incorrect because approving technical specifications is the responsibility of the technical and architecture teams. Option B is incorrect because vendor selection is a procurement function, although the committee may provide input or approve the outcome.

Option D is incorrect because day-to-day budget management is a project management responsibility; the committee approves funding and monitors it at a high level.

230
Multi-Select · hard

Which THREE of the following are common challenges when integrating a software package with existing legacy systems? (Select exactly three.)

Select 3 answers
A.Availability of modern integration middleware
B.Lack of documented application programming interfaces (APIs)
C.Performance constraints of the legacy environment
D.Data format and schema mismatches
E.Need for custom development to bridge the gap
Answers: B, C, D

Legacy systems may have undocumented or proprietary interfaces.

Why this answer

Legacy systems often lack well-documented or standardized APIs (B), so developers must reverse-engineer communication protocols or fall back on fragile methods such as screen scraping, which raises integration risk and effort. The legacy environment frequently cannot sustain the transaction volumes or response times the new package expects (C), and its data formats, encodings and schemas rarely match the package's data model (D), so transformation and cleansing are needed before data can flow in either direction.

Exam trap

The trap here is confusing a solution (custom development or middleware) with the underlying challenge, leading candidates to select 'Need for custom development' as a challenge when it is actually a response to the real challenges of missing APIs, data mismatches, and performance constraints.

231
Matching · medium

Match each log type to its typical content.


Concepts
Matches

System and application events

User login attempts and access

Changes to sensitive data

System errors and failures

Why these pairings

Logs are essential for monitoring and forensics.

232
MCQ · easy

An IT manager needs to ensure that the organization's IT resources are used efficiently. Which of the following is the BEST metric to measure IT resource utilization?

A.System uptime percentage
B.Average server CPU utilization
C.Number of help desk tickets resolved per day
D.Percentage of projects completed on time
Answer: B

Directly measures how efficiently computing resources are used.

Why this answer

Average server CPU utilization directly measures how much of the computing capacity is being consumed over time, making it the most relevant metric for assessing whether IT resources are being used efficiently. High or low CPU utilization can indicate over-provisioning, under-utilization, or potential performance bottlenecks, enabling the IT manager to optimize resource allocation.

Exam trap

The trap here is that candidates often confuse availability metrics (uptime) with utilization metrics, or they mistakenly equate operational outputs (tickets resolved, project completion) with resource efficiency, leading them to pick a superficially plausible but incorrect answer.

How to eliminate wrong answers

Option A is wrong because system uptime percentage measures availability, not utilization; a server can be up 99.999% of the time but idle, wasting resources. Option C is wrong because the number of help desk tickets resolved per day measures service desk productivity and incident handling efficiency, not the utilization of IT resources like servers or storage. Option D is wrong because the percentage of projects completed on time measures project management performance and schedule adherence, not the operational efficiency of IT resource usage.

233
Multi-Select · hard

Which TWO of the following are BEST indicators that a system development project is at risk of failure?

Select 2 answers
A.Frequent scope changes
B.Clear communication
C.Robust testing
D.Unrealistic schedule
E.High team morale
Answers: A, D

Scope changes and an unrealistic schedule both undermine the project baseline.

Why this answer

Frequent scope changes (A) are a classic risk indicator because they disrupt the project's baseline requirements, leading to rework, budget overruns and schedule delays; uncontrolled scope creep often results in a product that deviates from the original objectives. An unrealistic schedule (D) is an equally strong indicator because the plan cannot be met even if everything goes well, which pushes teams to compress testing and skip quality gates. Options B, C and E are success factors, not warning signs.

Exam trap

The trap here is that candidates confuse project risk indicators with project success factors, mistakenly selecting positive attributes like clear communication or high morale as signs of risk, when the question asks for indicators of failure.

234
MCQ · medium

An organization experiences a critical system failure during non-business hours. The IT team discovers that the last full backup was 48 hours ago, and the incremental backups for the past 24 hours are corrupted. The recovery time objective (RTO) for this system is 4 hours, and the recovery point objective (RPO) is 1 hour. Which of the following is the MOST immediate concern?

A.The backup schedule should be changed to daily full backups
B.The data loss may exceed the recovery point objective (RPO)
C.The root cause of the failure must be determined before recovery
D.The recovery time objective (RTO) of 4 hours will be exceeded
Answer: B

With the past 24 hours of incremental backups corrupted, the most recent usable recovery point is at least 24 hours old, far exceeding the 1-hour RPO.

Why this answer

The RPO of 1 hour means the organization can tolerate losing at most 1 hour of data. With the last full backup 48 hours old and incremental backups for the past 24 hours corrupted, the usable recovery point is at least 24 hours old, resulting in data loss far exceeding the 1-hour RPO. This gap between actual and acceptable data loss is the most immediate concern because it directly violates the business continuity requirement.

Exam trap

The trap here is that candidates focus on the RTO (4 hours) as the most urgent metric, overlooking that the RPO violation (data loss of 24+ hours vs. 1-hour tolerance) is a more fundamental and immediate business continuity failure, since lost data cannot be recovered by simply restoring faster.

How to eliminate wrong answers

Option A is wrong because changing the backup schedule to daily full backups does not address the immediate data loss crisis; it is a long-term preventive measure, not an urgent response to the current RPO violation. Option C is wrong because determining the root cause of the failure should occur after recovery, not before; delaying recovery to investigate the cause would worsen the RTO breach and data loss. Option D is wrong because the RTO of 4 hours is a recovery speed target, and while it may be challenged, the primary and most immediate concern is the massive data loss (RPO violation), not the recovery time itself.

235
MCQ · hard

A multinational organization operates a critical ERP system on a virtualized infrastructure across two data centers (primary and DR). The primary data center is located in Region A, and the DR site in Region B, 500 km away. The ERP database is 2 TB and changes at an average rate of 10 MB per second. The organization uses synchronous replication between the two sites over a dedicated 10 Gbps WAN link. During a recent disaster simulation, the IT team observed that the replication link experienced 15 ms latency, causing the primary database to slow down significantly under peak load, ultimately missing the defined RTO of 4 hours for full failover. The business has an RPO of 15 minutes. The CISO asks the IS auditor to recommend a solution that balances cost and performance while meeting both RTO and RPO. Which of the following is the BEST course of action?

A.Change replication to asynchronous mode and implement continuous data protection (CDP) to meet the 15-minute RPO.
B.Reduce the RPO to 30 minutes and perform snapshots every 30 minutes on the primary site.
C.Upgrade the WAN link to 40 Gbps to reduce latency and improve replication throughput.
D.Implement a backup-to-disk solution with daily full backups and hourly transaction log backups to the DR site.
Answer: A

Asynchronous replication removes the commit-time dependency on the remote site, and CDP provides point-in-time recovery within the RPO.

Why this answer

With synchronous replication every commit on the primary waits for the DR site to acknowledge the write, so the 15 ms round trip over 500 km is paid on every transaction and throughput collapses under peak load. Bandwidth is not the constraint: a 10 MB/s change rate is about 80 Mbps, under 1% of a 10 Gbps link, so upgrading to 40 Gbps (C) does nothing about propagation latency. Switching to asynchronous replication with continuous data protection (A) lets the primary commit locally, ships changes to the DR site with a lag of seconds at this change rate, and gives point-in-time recovery within the 15-minute RPO. Relaxing the RPO to 30 minutes (B) changes the business requirement rather than meeting it, and daily full backups with hourly log shipping (D) can lose up to an hour of data, which also misses the RPO.

236
MCQ · easy

A mid-sized company is upgrading its legacy financial system to a new cloud-based ERP. The project manager has decided to use a big-bang cutover approach to minimize costs and time. During the first week post-go-live, users report that several critical reports are generating incorrect totals. An initial investigation reveals that the data mapping from the old system to the new system was not fully validated. Which of the following should the IS auditor recommend as the most appropriate corrective action?

A.Perform a data mapping review and remediation, then run parallel operations until accuracy is confirmed
B.Implement additional manual controls and have users double-check all reports
C.Increase the project budget and hire more consultants to fix the issues
D.Immediately revert to the legacy system and restart the project with a phased approach
Answer: A

This directly fixes the data mapping issue and validates correctness before relying solely on the new system.

Why this answer

A big-bang cutover with unvalidated data mapping introduces a high risk of data integrity issues, as seen with the incorrect report totals. Running parallel operations after a data mapping review and remediation allows the IS auditor to validate that the new ERP processes data correctly by comparing outputs with the legacy system, ensuring accuracy before full reliance. This aligns with ISACA's guidance on post-implementation verification and control testing for data conversion in cloud-based ERP migrations.

Exam trap

The trap here is that candidates may choose Option D (revert to legacy) because it seems safest, but the CISA exam emphasizes cost-effective, risk-based corrective actions that validate data integrity without abandoning the project, making parallel operations the preferred approach.

How to eliminate wrong answers

Option B is wrong because adding manual controls and user double-checks is a detective, not corrective, control that does not address the root cause of incorrect data mapping; it increases operational burden and error risk without fixing the underlying data transformation logic. Option C is wrong because increasing the budget and hiring more consultants is a reactive, non-technical solution that does not guarantee the data mapping errors are identified and corrected; it may accelerate work but does not provide a validation mechanism. Option D is wrong because immediately reverting to the legacy system and restarting with a phased approach is overly disruptive, costly, and time-consuming; it ignores the possibility of a targeted fix and parallel testing, which is more efficient and preserves project momentum.

237
MCQ · easy

Which of the following is the PRIMARY benefit of using a prototype during system development?

A.Clarifying user requirements
B.Accelerating coding
C.Minimizing documentation
D.Reducing development cost
Answer: A

Prototyping provides a tangible model that users can interact with, leading to clearer and more accurate requirements.

Why this answer

Option A is correct because prototyping helps clarify and validate user requirements early, reducing the risk of misinterpretation before significant development effort is spent. Reducing development cost (D) is not a primary benefit; prototyping can actually increase cost initially. Accelerating coding (B) and minimizing documentation (C) are side effects at best, not objectives, and thin documentation is a known risk of prototyping rather than a benefit.

238
MCQ · medium

An organization is implementing a data masking solution for a non-production database. Which of the following is the MOST important requirement?

A.Masked data should maintain referential integrity.
B.Masked data should be encrypted.
C.Masked data should be irreversible.
D.Masked data should be randomized across all columns.
Answer: A

Maintaining referential integrity ensures application functionality.

Why this answer

In a non-production database, data masking must preserve referential integrity to ensure that relationships between tables (e.g., foreign keys) remain valid after masking. Without referential integrity, application logic that relies on these relationships would break, making the non-production environment unusable for testing or development. This is the most critical requirement because masked data must still function correctly within the database schema.

Exam trap

The trap here is that candidates often confuse data masking with encryption or hashing, assuming irreversibility or encryption are the top priorities, but the CISA exam emphasizes that the primary goal in a non-production environment is usability and data integrity, not cryptographic security.

How to eliminate wrong answers

Option B is wrong because encryption is a security control for data at rest or in transit, not a masking requirement; masked data no longer contains the sensitive values, so encrypting it adds nothing to the purpose of masking. Option C is wrong because, although a static masked copy for non-production use should not be trivially reversible, irreversibility on its own does not make the copy usable; a masked value must still satisfy the application's format rules and, more importantly, the same source value must map to the same masked value wherever it appears (deterministic substitution), otherwise keys no longer join. Option D is wrong because randomizing every value independently, column by column, would destroy referential integrity and the data distribution that testing depends on; masking deliberately keeps relationships and value patterns intact.
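The difference between deterministic masking (option A) and per-occurrence randomization (option D) is easiest to see on a pair of related tables. The following is an added example, not code from the question bank: the two tables, the masking key and the column names are constructed for the illustration. It masks a primary key with a keyed HMAC so that every foreign key referencing it lands on the same masked value, then counts orphaned orders under both approaches.

```python
import hashlib
import hmac
import secrets

# Constructed sample data for a non-production copy (not from the page).
CUSTOMERS = [
    {"customer_id": 1001, "email": "alice@example.com", "name": "Alice Adams"},
    {"customer_id": 1002, "email": "bob@example.com", "name": "Bob Brown"},
]
ORDERS = [
    {"order_id": 1, "customer_id": 1001, "amount": "120.00"},
    {"order_id": 2, "customer_id": 1002, "amount": "80.50"},
    {"order_id": 3, "customer_id": 1001, "amount": "42.00"},
]

# Assumed masking key. It stays inside the masking tool (e.g. a secrets manager) and is
# never shipped with the masked copy; without it the mapping cannot be reproduced.
MASK_KEY = b"assumed-masking-key-for-example"


def mask_id(value: int, key: bytes = MASK_KEY, digits: int = 8) -> int:
    """Deterministic substitution: the same source id always yields the same masked id,
    so a foreign key in ORDERS still points at the masked row in CUSTOMERS."""
    tag = hmac.new(key, str(value).encode(), hashlib.sha256).digest()
    return int.from_bytes(tag[:8], "big") % (10 ** digits)


def mask_email(value: str, key: bytes = MASK_KEY) -> str:
    """Keeps the shape an application validates (local part, @, domain) but no real address."""
    local = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:12]
    return f"user_{local}@masked.invalid"


def random_id(_value: int) -> int:
    """Option D style: a fresh random value for every occurrence, so the FK relationship breaks."""
    return secrets.randbelow(10 ** 8)


def mask_tables(customers, orders, id_fn):
    """Apply the same id mapping to the primary key and to every foreign key that references it."""
    masked_customers = []
    for row in customers:
        new_id = id_fn(row["customer_id"])
        masked_customers.append({**row, "customer_id": new_id,
                                 "email": mask_email(row["email"]),
                                 "name": f"Customer {new_id}"})
    masked_orders = [{**row, "customer_id": id_fn(row["customer_id"])} for row in orders]
    return masked_customers, masked_orders


def orphan_count(customers, orders) -> int:
    """Referential-integrity check: orders whose customer_id matches no customer row."""
    known = {c["customer_id"] for c in customers}
    return sum(1 for o in orders if o["customer_id"] not in known)


if __name__ == "__main__":
    det_c, det_o = mask_tables(CUSTOMERS, ORDERS, mask_id)
    rnd_c, rnd_o = mask_tables(CUSTOMERS, ORDERS, random_id)
    print("orphans with deterministic masking:", orphan_count(det_c, det_o))
    print("orphans with per-occurrence randomization:", orphan_count(rnd_c, rnd_o))
```

The HMAC-based mapping is not reversible by anyone without the key, which addresses the concern behind option C without sacrificing usability; the random variant produces a copy that looks masked but on which every join fails, which is why the auditor's first question about a masking tool is whether it is consistent across tables.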

239
MCQ · easy

An organization has a policy requiring annual information security awareness training for all employees. During a recent audit, it was found that 20% of employees had not completed the training. What is the BEST course of action for the IT governance committee?

A.Reduce the training frequency to biennial.
B.Require managers to ensure their teams complete training and escalate non-compliance to HR.
C.Extend the training deadline by three months.
D.Make the training optional for employees with high performance ratings.
Answer: B

Manager accountability and HR escalation enforce policy.

Why this answer

Option B is correct because holding managers accountable and escalating non-compliance to HR enforces the existing policy rather than weakening it. Option A is wrong because reducing training frequency lowers security awareness and does not address why 20% of employees did not comply. Option C is wrong because extending the deadline does not address non-compliance; it merely postpones it.

Option D is wrong because the policy makes training mandatory for all employees; performance ratings are unrelated to security awareness.

240
Multi-Select · hard

Which THREE of the following are common challenges when implementing a bring-your-own-device (BYOD) policy that affect information systems operations? (Select exactly 3.)

Select 3 answers
A.Difficulty in enforcing data encryption and remote wipe capabilities
B.Reduced hardware procurement costs for the organization
C.Increased employee productivity due to device familiarity
D.Incompatibility between corporate applications and various device platforms
E.Increased risk of malware infections due to unmanaged devices
Answers: A, D, E

Ensuring data security on personal devices is challenging.

Why this answer

Options A, D and E are correct. On personally owned devices the organization cannot reliably enforce encryption or remote wipe (A), corporate applications must work across a mix of operating systems, versions and form factors that IT does not control (D), and devices that receive no corporate patching or endpoint protection raise the risk of malware reaching corporate data (E). Options B and C are benefits usually cited in favour of BYOD, not challenges.

241
Multi-Select · medium

Which TWO of the following are essential controls to ensure data integrity during a cloud migration project?

Select 2 answers
A.Granting all migration team members full database access
B.Implementing encryption at rest and in transit
C.Using a phased migration approach without rollback capability
D.Running reconciliation checks comparing source and target data counts
E.Performing a single full data validation after migration
Answers: B, D

Encryption protects data from undetected tampering in transfer and storage; reconciliation proves the target matches the source.

Why this answer

Encryption at rest and in transit (B) protects data throughout the migration: TLS includes integrity checks that detect tampering on the wire, and encryption at rest means nobody without the key can alter stored data without the change being noticed. Reconciliation checks (D) are the direct test of integrity: comparing record counts, control totals and checksums between source and target after each migration wave detects records that were dropped, duplicated or altered, and doing it per wave localizes the problem instead of discovering it in one pass at the end.

Exam trap

The trap here is that candidates often confuse encryption with confidentiality and overlook its role in integrity, or they assume that a single post-migration validation (Option E) is sufficient, ignoring the need for ongoing reconciliation checks (Option D) to detect incremental data loss or corruption during the transfer process.
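Record counts alone are the weakest reconciliation check, because a row that arrives with altered content still counts as one row. The following is an added example, not part of the question bank: the source and target extracts are constructed, with one balance corrupted in the target so that counts match but content does not. It runs the three checks in increasing strength (row count, key presence, per-row fingerprint) and also produces an order-independent batch checksum that can be compared per migration wave without shipping the rows again.

```python
import hashlib
import json

# Constructed source and target extracts (not from the page). Same row count, but one
# balance in the target has transposed digits, simulating silent corruption in flight.
SOURCE = [
    {"id": 1, "account": "ACC-001", "balance": "1500.00"},
    {"id": 2, "account": "ACC-002", "balance": "250.75"},
    {"id": 3, "account": "ACC-003", "balance": "9800.10"},
]
TARGET = [
    {"id": 1, "account": "ACC-001", "balance": "1500.00"},
    {"id": 2, "account": "ACC-002", "balance": "250.57"},
    {"id": 3, "account": "ACC-003", "balance": "9800.10"},
]


def row_fingerprint(row: dict) -> str:
    """Canonical serialisation so column order and whitespace do not affect the hash."""
    canon = json.dumps(row, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def reconcile(source: list[dict], target: list[dict], key: str = "id") -> dict:
    """Row count, then key presence in both directions, then per-row content comparison."""
    src = {r[key]: r for r in source}
    tgt = {r[key]: r for r in target}
    result = {
        "count_match": len(source) == len(target),
        "missing_in_target": sorted(set(src) - set(tgt)),
        "extra_in_target": sorted(set(tgt) - set(src)),
        "changed": [k for k in sorted(set(src) & set(tgt))
                    if row_fingerprint(src[k]) != row_fingerprint(tgt[k])],
    }
    result["ok"] = (result["count_match"] and not result["missing_in_target"]
                    and not result["extra_in_target"] and not result["changed"])
    return result


def batch_checksum(rows: list[dict]) -> str:
    """Order-independent checksum for a whole batch: hash over the sorted row fingerprints.
    Source and target sides can each compute this and compare a single value per wave."""
    fingerprints = sorted(row_fingerprint(r) for r in rows)
    return hashlib.sha256("".join(fingerprints).encode()).hexdigest()


if __name__ == "__main__":
    print(reconcile(SOURCE, TARGET))
    print("batch checksums equal:", batch_checksum(SOURCE) == batch_checksum(TARGET))
```

On this data `count_match` is true and yet `ok` is false, with row 2 reported as changed; a control that stopped at counts would have signed the wave off. Serialising monetary values as strings rather than floats in the fingerprint is deliberate: a float round trip can itself introduce a difference that is not a migration defect.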

242
Multi-Select · easy

Which of the following are effective controls to protect sensitive data in use? (Choose TWO.)

Select 2 answers
A.Transport Layer Security (TLS)
B.Access control lists (ACLs)
C.Homomorphic encryption
D.Data masking
E.Hashing
Answers: C, D

Homomorphic encryption allows computations on ciphertext without decrypting.

Why this answer

Homomorphic encryption allows computations to be performed directly on encrypted data without decrypting it first, thereby protecting the data while it is in use. This is a critical control for scenarios where sensitive data must be processed by untrusted environments, as the plaintext is never exposed during processing.

Exam trap

The trap here is that candidates confuse controls for data in transit (TLS), access control (ACLs) or integrity verification (hashing) with controls for data in use, failing to recognize that homomorphic encryption and dynamic data masking are specifically designed to protect data while it is being processed or displayed.

243
MCQ · medium

A company outsources its data center operations to a third-party provider. Which of the following is the MOST important control to include in the outsourcing contract?

A.Detailed escalation procedures for incidents
B.Service level agreements with financial penalties
C.Requirements for encryption of data at rest
D.Right to audit the provider's facilities and processes
Answer: D

Audit rights enable independent verification of controls.

Why this answer

Option D is correct because the right to audit allows the company to verify, independently and on its own schedule, that the provider actually operates the controls it has promised. Option A is important but is one operational clause among many, and option B sets performance targets with a financial remedy but gives no visibility into how the provider runs its environment.

Option C is a specific security requirement; without audit rights the company has no way to confirm that it, or any other contractual control, is in place.

244
Multi-Select · easy

Which THREE of the following are commonly used data encryption standards? (Choose three.)

Select 3 answers
A.3DES
B.SHA-256
C.RSA
D.AES
E.MD5
Answers: A, C, D

3DES and AES are symmetric ciphers; RSA is an asymmetric cipher.

Why this answer

3DES (Triple Data Encryption Standard) is a symmetric-key block cipher that applies the DES algorithm three times to each block with up to three keys, giving a 168-bit key but an effective strength of about 112 bits because of meet-in-the-middle attacks; it replaced single DES but is now legacy and deprecated for new use. AES (Advanced Encryption Standard) is the current symmetric block cipher standard with 128-, 192- or 256-bit keys. RSA is an asymmetric (public-key) algorithm used for key exchange and digital signatures as well as encryption of small payloads. All three are reversible with the right key, which is what makes them encryption standards.

Exam trap

The trap here is confusing cryptographic hash functions (SHA-256, MD5) with encryption standards, leading candidates to select them as methods for protecting data confidentiality rather than integrity.

245
MCQ · easy

Which of the following is the most important factor to consider when determining sample size for a compliance test?

A.Tolerable error rate
B.Expected error rate
C.Population size
D.Sampling method
Answer: A

Tolerable error rate is the primary driver; lower rates require larger samples.

Why this answer

In compliance testing (attribute sampling), the tolerable error rate is the maximum deviation rate from a control that the auditor is willing to accept without concluding the control is ineffective. It directly determines the required sample size because a lower tolerable error rate demands a larger sample to achieve sufficient precision, while a higher rate allows a smaller sample. This factor is more critical than others because it sets the boundary for the auditor's risk assessment.

Exam trap

The trap here is that candidates often confuse 'expected error rate' (a planning estimate) with 'tolerable error rate' (the maximum acceptable deviation), mistakenly thinking the expected rate is more important because it seems to reflect reality, but the tolerable rate is the key risk-based parameter that governs sample size.

How to eliminate wrong answers

Option B (Expected error rate) is wrong because it is an estimate of the actual deviation rate in the population, used to plan sample size but not the most important factor; it influences efficiency, not the fundamental precision requirement. Option C (Population size) is wrong because for large populations (typically >500), population size has a negligible effect on sample size in attribute sampling, as the sample size formula is driven by confidence level and tolerable error rate, not population size. Option D (Sampling method) is wrong because the method (e.g., random, systematic, or stratified) affects how the sample is selected and its representativeness, but does not determine the sample size; sample size is computed independently of the selection technique.
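The claim that a lower tolerable rate demands a larger sample, while population size barely matters, can be checked rather than memorised. The following is an added example, not from the question bank: it computes the attribute-sampling sample size from the binomial distribution, using the usual rule that the sample must be large enough that, if the true deviation rate were the tolerable rate, observing no more than the expected number of deviations is no more likely than the risk of over-reliance (1 minus the confidence level). Population size does not appear in the formula at all, which is the point made against option C.

```python
import math


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p), from exact binomial coefficients."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def attribute_sample_size(confidence: float, tolerable_rate: float,
                          expected_rate: float = 0.0, max_n: int = 5000) -> tuple[int, int]:
    """Smallest n such that, at the tolerable deviation rate, the chance of seeing at most the
    expected number of deviations is <= (1 - confidence). Returns (n, allowable deviations)."""
    if not 0 <= expected_rate < tolerable_rate < 1:
        raise ValueError("expected rate must be below the tolerable rate")
    risk = 1.0 - confidence
    for n in range(1, max_n + 1):
        k = math.ceil(expected_rate * n - 1e-9)   # deviations the auditor plans to tolerate
        if binom_cdf(k, n, tolerable_rate) <= risk:
            return n, k
    raise ValueError("no sample size found below max_n")


def sample_size_table(confidence: float, tolerable_rates: list[float],
                      expected_rate: float = 0.0) -> dict[float, int]:
    """One row of the familiar audit sampling table: n for each tolerable rate."""
    return {tr: attribute_sample_size(confidence, tr, expected_rate)[0] for tr in tolerable_rates}


if __name__ == "__main__":
    for tr, n in sample_size_table(0.95, [0.03, 0.05, 0.10, 0.15]).items():
        print(f"95% confidence, tolerable {tr:.0%}, expected 0%: n = {n}")
    n, k = attribute_sample_size(0.95, 0.05, 0.01)
    print(f"95% confidence, tolerable 5%, expected 1%: n = {n}, accept up to {k} deviation(s)")
```

At 95% confidence and zero expected deviations the output reproduces the standard table values (99 at 3%, 59 at 5%, 29 at 10%, 19 at 15%), and raising the expected rate from 0% to 1% at a 5% tolerable rate moves n from 59 to 93: the expected rate affects the size, but the tolerable rate sets the scale, which is why option A outranks option B.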

246
MCQ · medium

An organization is implementing a data classification policy and needs to assign ownership for sensitive data. Which of the following is the most appropriate role to assign as the data owner?

A.The chief information security officer (CISO)
B.The system administrator of the database
C.The head of the business unit that creates and uses the data
D.The legal counsel responsible for compliance
Answer: C

The business unit head is accountable for the data's classification and protection.

Why this answer

The data owner is the person or entity with ultimate accountability for a specific dataset, typically a senior business manager who understands the data's value, legal requirements, and usage context. In this scenario, the head of the business unit that creates and uses the data is best positioned to classify the data, authorize access, and ensure compliance with the data classification policy, as they have direct business responsibility for the data's lifecycle.

Exam trap

The trap here is confusing the data owner (business accountability) with the data custodian (technical implementation) or the data steward (compliance oversight), leading candidates to incorrectly select the CISO or system administrator.

How to eliminate wrong answers

Option A is wrong because the CISO is a security advisor and enforcer, not the business owner; they lack the business context to determine data classification and usage rules. Option B is wrong because the system administrator is a custodian who implements technical controls (e.g., access control lists, encryption) but does not have ownership authority or business accountability for the data. Option D is wrong because legal counsel provides compliance guidance but does not own the data operationally; ownership must reside with the business unit that creates and uses the data.

247
MCQ · hard

A multinational corporation is replacing its legacy on-premises customer relationship management (CRM) system with a new cloud-based CRM solution. The project involves migrating data from the old system, customizing the new system to match business processes, and integrating with an existing enterprise resource planning (ERP) system. The project has a tight deadline of six months. During the planning phase, the project team decides to use a waterfall methodology because the requirements are well-defined. However, three months into the project, the business users request significant changes to the customer data fields, which were not originally specified. The project manager is concerned that accommodating these changes will delay the project. The integration with the ERP system is also proving more complex than anticipated, with data mapping errors causing delays. The go-live date is fixed due to the end-of-support for the legacy system. What is the BEST course of action for the project manager?

A.Conduct a formal change impact assessment and prioritize the changes; implement only critical ones for go-live
B.Inform the business users that no changes can be made due to the fixed deadline
C.Delay the go-live date to accommodate all changes and integration issues
D.Switch to an agile methodology for the remaining three months
Answer: A

Balances changes with schedule.

Why this answer

Option A is correct because it follows the structured change management process required in a waterfall project with a fixed deadline. By conducting a formal change impact assessment, the project manager can objectively evaluate the cost, schedule, and resource implications of the requested changes. Prioritizing only critical changes for go-live ensures that the core CRM functionality is delivered on time, while non-critical enhancements can be deferred to a post-implementation phase.

This approach balances the need to meet the legacy system's end-of-support deadline with accommodating essential business requirements.

Exam trap

The trap here is that candidates may assume that switching to agile (Option D) is a flexible solution, but they overlook the fact that mid-project methodology changes are disruptive and rarely feasible within a fixed deadline, especially when the project has already invested heavily in waterfall artifacts and integration work.

How to eliminate wrong answers

Option B is wrong because it is an inflexible response that ignores the business value of the requested changes; outright rejection can lead to user dissatisfaction and a system that fails to meet critical business needs. Option C is wrong because delaying the go-live date is not feasible given the fixed deadline imposed by the legacy system's end-of-support, and it would likely cause significant operational risk. Option D is wrong because switching to an agile methodology mid-project is impractical; the project is already three months into a waterfall lifecycle with well-defined requirements, and a methodology shift would require retraining, rework, and disrupt the current integration and data migration work, likely causing further delays.

248
MCQ · easy

A company is in the process of acquiring a new customer relationship management (CRM) system. During which phase of the systems development life cycle (SDLC) should the business requirements be formally documented?

A.Implementation phase
B.Requirements phase (Planning)
C.Design phase
D.Maintenance phase
AnswerB

This phase involves gathering and documenting business requirements.

Why this answer

The business requirements for a new CRM system must be formally documented during the Requirements phase (Planning) of the SDLC. This phase establishes the functional and non-functional needs that the system must satisfy, serving as the foundation for all subsequent design, development, and testing activities. Without a formal requirements document, the project risks scope creep, misalignment with business objectives, and costly rework during later phases.

Exam trap

The trap here is that candidates often confuse the Requirements phase with the Design phase, mistakenly thinking that requirements are documented during design, but in reality, design assumes requirements are already formally approved and focuses on how to implement them, not what to implement.

How to eliminate wrong answers

Option A is wrong because the Implementation phase focuses on deploying the system into production, including installation, configuration, and user training; documenting business requirements at this stage would be too late, as the system has already been built based on earlier decisions. Option C is wrong because the Design phase translates documented requirements into technical specifications (e.g., data models, interface designs); it assumes requirements are already finalized and formalized. Option D is wrong because the Maintenance phase involves post-deployment support, patches, and enhancements; formal business requirements for the initial system must be captured long before this phase to avoid reactive changes that increase cost and risk.

249
MCQmedium

An organization uses risk-based authentication (RBA) for user access. Which of the following factors would MOST likely trigger a step-up authentication?

A.User logging in from a known device.
B.User accessing sensitive data from an unusual location.
C.User entering correct password.
D.User logging in during business hours.
AnswerB

Unusual location indicates higher risk and may trigger step-up.

Why this answer

Risk-based authentication (RBA) evaluates the risk level of each access attempt based on contextual factors. An unusual location is a high-risk indicator because it deviates from the user's established behavioral baseline, often triggering step-up authentication (e.g., requiring a one-time passcode or biometric verification) to verify the user's identity before granting access to sensitive data.

Exam trap

The trap here is that candidates may confuse 'step-up authentication' with 'multi-factor authentication' and assume any deviation from normal triggers it, but only high-risk anomalies (like unusual location or impossible travel) typically do, while low-risk factors like known devices or business hours do not.

How to eliminate wrong answers

Option A is wrong because logging in from a known device is a low-risk factor that typically reduces the authentication burden rather than triggering step-up. Option C is wrong because entering a correct password is the baseline authentication requirement and does not itself indicate elevated risk; step-up is triggered by anomalous context, not by successful password entry. Option D is wrong because logging in during business hours is a normal, expected behavior that aligns with low-risk profiles and would not prompt additional verification.
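To make the contextual scoring described above concrete, here is an added Python example (not part of the question bank and not any vendor's RBA implementation) that scores a login against a user's baseline and decides between allow, step-up and deny. The factor weights and the step-up threshold are assumptions chosen so that an unusual location alone is enough to trigger step-up, while a known device, a correct password and business-hours access do not.

```python
"""Risk-based authentication decision: added example with assumed weights."""
from dataclasses import dataclass, field

STEP_UP_THRESHOLD = 50  # assumed score at which step-up (e.g. OTP) is required


@dataclass
class UserBaseline:
    """What 'normal' looks like for this user (learned or configured)."""
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    business_hours: tuple = (8, 18)  # local hours treated as normal


@dataclass
class LoginContext:
    """Context of one access attempt as seen by the IdP."""
    device_id: str
    country: str
    hour: int                  # hour of the attempt in the user's local time
    resource_sensitivity: str  # "low" or "high"
    password_ok: bool


def score_login(ctx: LoginContext, baseline: UserBaseline) -> tuple[int, list[str]]:
    """Return (risk score, reasons). Weights are assumptions, not a standard."""
    score, reasons = 0, []
    if ctx.device_id not in baseline.known_devices:
        score += 20
        reasons.append("unknown device")
    if ctx.country not in baseline.usual_countries:
        score += 50  # deviation from location baseline is the strongest signal here
        reasons.append("unusual location")
    start, end = baseline.business_hours
    if not (start <= ctx.hour < end):
        score += 10
        reasons.append("outside business hours")
    if ctx.resource_sensitivity == "high":
        score += 15
        reasons.append("sensitive resource")
    return score, reasons


def decide(ctx: LoginContext, baseline: UserBaseline) -> str:
    """'deny' if the password failed, 'step_up' if the context is risky, else 'allow'."""
    if not ctx.password_ok:
        return "deny"  # step-up only ever applies after primary authentication succeeds
    score, _ = score_login(ctx, baseline)
    return "step_up" if score >= STEP_UP_THRESHOLD else "allow"


if __name__ == "__main__":
    base = UserBaseline(known_devices={"laptop-1"}, usual_countries={"US"})
    for ctx in (LoginContext("laptop-1", "US", 10, "low", True),
                LoginContext("laptop-1", "DE", 10, "high", True),
                LoginContext("laptop-1", "US", 22, "low", True)):
        print(ctx.country, ctx.hour, score_login(ctx, base), decide(ctx, base))
```

The point the scoring makes is that the decision is driven by deviation from the baseline, not by the outcome of the password check: a correct password from a known device during business hours scores zero, while the same credentials used from an unusual country on sensitive data cross the threshold.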

250
MCQmedium

An IS auditor is auditing the user access management process for a large healthcare organization that uses an electronic health records (EHR) system. The organization has 5,000 users including doctors, nurses, and administrative staff. The auditor reviews a sample of access requests and finds that 20% of the requests were approved by the user's manager but the approval was not documented in the system. The auditor also finds that there is no periodic review of user access rights. The IT security manager states that users are automatically provisioned based on their role in the HR system, and that access reviews are performed manually by managers but not documented. What is the auditor's BEST recommendation to address the most significant risk?

A.Implement an automated access recertification process with quarterly reviews.
B.Disable automatic provisioning and require manual approval for all access.
C.Require that all access approvals be documented and stored in the system.
D.Perform a risk assessment to determine appropriate access controls.
AnswerA

Automated recertification ensures regular review and removal of unnecessary access.

Why this answer

The most significant risk is the lack of periodic review of user access rights, which can lead to excessive or inappropriate access (e.g., a former nurse retaining EHR access). Automating access recertification with quarterly reviews directly addresses this by enforcing a regular, documented validation of user entitlements against their current roles, reducing the risk of unauthorized access to protected health information (PHI) under HIPAA. While the undocumented approvals are a control weakness, the absence of any review cycle is a systemic failure that automated recertification resolves.

Exam trap

The trap here is that candidates focus on the documented approval finding (20% undocumented) and choose Option C, missing that the lack of any periodic review is a far more systemic risk that automated recertification directly mitigates.

How to eliminate wrong answers

Option B is wrong because disabling automatic provisioning and requiring manual approval for all access would introduce operational inefficiency and delay for 5,000 users, and it does not address the root cause—the lack of periodic review of existing access rights. Option C is wrong because requiring documentation of approvals only fixes the symptom (undocumented approvals) but ignores the more critical risk that no one is periodically verifying whether current access is still appropriate. Option D is wrong because performing a risk assessment is a preliminary step, not a direct remediation; the auditor already identified the risk (no periodic reviews), so the best recommendation is to implement a control (automated recertification) rather than re-assess.

251
Multi-Selectmedium

Which TWO of the following are key responsibilities of an IT steering committee?

Select 2 answers
A.Approving the annual IT budget and major capital expenditures
B.Performing daily system monitoring and incident response
C.Defining IT policies and standards
D.Writing application code for new software features
E.Configuring firewall rules and network access controls
AnswersA, C

The steering committee typically approves the IT budget and major expenditures to ensure alignment with business strategy.

Why this answer

The IT steering committee is a senior-level governance body responsible for aligning IT strategy with business objectives. Approving the annual IT budget and major capital expenditures (A) is a core fiduciary duty, ensuring resources are allocated to approved projects and initiatives. Defining IT policies and standards (C) establishes the governance framework for security, compliance, and operational consistency across the enterprise.

Exam trap

The trap here is confusing strategic governance roles (steering committee) with operational or technical roles (system administrators, developers, or network engineers), leading candidates to select hands-on tasks like monitoring, coding, or firewall configuration.

252
MCQmedium

A project team is using a prototyping approach for a new system. Which of the following is the BEST control to ensure the prototype accurately reflects user needs?

A.Conduct a post-implementation review.
B.Involve users in each iteration and obtain formal sign-off.
C.Require the project sponsor to approve the final design.
D.Perform regression testing after each prototype iteration.
AnswerB

User involvement and sign-off ensure the prototype aligns with requirements.

Why this answer

Option B is correct because iterative feedback and formal sign-offs ensure the prototype evolves to meet true requirements. Option A is after the fact. Option C does not involve users directly.

Option D occurs too late.

253
MCQeasy

When implementing a data classification policy, which of the following roles is PRIMARILY responsible for assigning classification labels to data?

A.Data custodian.
B.Data owner.
C.Data user.
D.Data steward.
AnswerB

The data owner has the authority and responsibility for classification.

Why this answer

The data owner is the senior manager or business process owner who has the authority to determine the sensitivity and criticality of the data. They are primarily responsible for assigning classification labels because they understand the business impact if the data is compromised. This role defines the classification level (e.g., Public, Internal, Confidential, Restricted) based on the data's value and legal or regulatory requirements.

Exam trap

ISACA often tests the distinction between data owner (who assigns classification) and data custodian (who implements controls), leading candidates to mistakenly choose the custodian because they confuse technical implementation with business ownership.

How to eliminate wrong answers

Option A is wrong because the data custodian (e.g., database administrator or system administrator) is responsible for implementing technical controls (access controls, encryption, backups) based on the classification assigned by the owner, not for assigning the labels themselves. Option C is wrong because the data user is an end-user who accesses data according to the policies and permissions set by the owner; they have no authority to assign classification labels. Option D is wrong because the data steward focuses on data quality, metadata management, and governance processes (e.g., data dictionary maintenance, data lineage) but does not have the business authority to determine the sensitivity or assign the classification label.

254
Multi-Selecthard

An IS auditor is reviewing the system development life cycle (SDLC) for a custom application. The project manager has decided to skip the design phase and proceed directly from requirements to coding. Which of the following risks are MOST likely to increase as a result? (Choose two.)

Select 2 answers
A.Delays in project schedule.
B.Increased cost due to rework.
C.Increased number of defects during unit testing.
D.Inadequate security controls.
E.The system may not meet user requirements.
AnswersD, E

Security controls are often defined in the design phase.

Why this answer

Skipping the design phase means that security requirements are never formally defined or integrated into the system architecture. Without a security design, controls such as authentication, authorization, encryption, and input validation are likely to be omitted or implemented ad hoc, leading to inadequate security controls. This directly increases the risk of vulnerabilities that could be exploited in production.

Exam trap

The trap here is that candidates focus on project management risks (schedule, cost, defects) rather than the specific security and requirements risks that are most directly amplified when the design phase is omitted, as the design phase is where both functional and non-functional requirements (including security) are translated into a technical blueprint.

255
MCQmedium

An organization is planning to deploy a web application firewall (WAF) to protect a critical application. Which deployment mode should be used to ensure that the WAF can block malicious traffic without introducing a single point of failure?

A.Inline with high-availability clustering.
B.Out-of-band monitoring only.
C.Transparent inline without failover.
D.Reverse proxy with active-passive clustering.
AnswerA

Provides blocking and redundancy.

Why this answer

Inline with high-availability clustering ensures the WAF can actively inspect and block malicious traffic in real time while eliminating a single point of failure through automatic failover between clustered appliances. This mode maintains traffic flow even if one WAF node fails, meeting both security and availability requirements.

Exam trap

The trap here is that candidates confuse 'high-availability clustering' with 'active-passive clustering,' assuming both eliminate single points of failure equally, but active-passive still has a failover delay and potential traffic loss.

How to eliminate wrong answers

Option B is wrong because out-of-band monitoring only allows the WAF to observe traffic and generate alerts without the ability to block malicious requests, failing the requirement to block traffic. Option C is wrong because transparent inline without failover introduces a single point of failure; if the WAF fails, traffic is dropped or bypassed, disrupting availability. Option D is wrong because reverse proxy with active-passive clustering still has a single point of failure if the active node fails and failover is not instantaneous or automatic, and it does not guarantee high availability as effectively as active-active clustering.

256
MCQeasy

In a traditional waterfall SDLC, when should the test plan be developed?

A.During the implementation phase
B.During the coding phase
C.During the requirements phase
D.During the design phase
AnswerD

Planning tests alongside design keeps test cases aligned with the design specifications.

Why this answer

In a traditional waterfall SDLC, the test plan should be developed during the design phase because testing activities must be planned in parallel with system design to ensure that test cases, test data, and acceptance criteria are aligned with the design specifications. This allows for early identification of testability issues and ensures that the test plan is ready before coding begins, enabling a structured and efficient testing process.

Exam trap

The trap here is that candidates often confuse the timing of test plan development with the start of actual testing, mistakenly thinking the test plan can be deferred to the implementation or coding phase, but CISA emphasizes that test planning must begin during design to align with the V-model and ensure testability is built into the system.

How to eliminate wrong answers

Option A is wrong because the implementation phase is when the system is actually built or coded, and developing the test plan at this late stage would delay testing and miss the opportunity to design tests in alignment with the design specifications. Option B is wrong because the coding phase focuses on writing the actual program code, and creating the test plan here would be reactive rather than proactive, increasing the risk of incomplete test coverage and rework. Option C is wrong because the requirements phase is too early for detailed test planning; while high-level test objectives may be identified, the specific test cases, test data, and test environment requirements cannot be finalized until the design is complete.

257
MCQeasy

During an incident response, the IT team isolates a compromised system from the network. Which of the following is the primary purpose of this action?

A.To preserve evidence for forensic analysis.
B.To allow the system to be patched offline.
C.To comply with regulatory requirements.
D.To prevent further damage and contain the incident.
AnswerD

Correct. Isolation contains the threat and reduces impact.

Why this answer

Isolating a compromised system from the network (e.g., by disconnecting the Ethernet cable, disabling the switch port, or applying a host-based firewall rule to drop all traffic) immediately stops the system from communicating with other hosts. This containment action prevents the attacker from moving laterally, exfiltrating data, or deploying additional malware, thereby limiting the blast radius and stopping ongoing damage.

Exam trap

The trap here is that candidates confuse 'preserving evidence' (a forensic goal) with 'containing the incident' (the immediate operational goal), leading them to choose Option A even though isolation is primarily about stopping the attack, not about evidence handling.

How to eliminate wrong answers

Option A is wrong because isolation is a containment step, not a preservation step; while it can help preserve volatile evidence by preventing remote tampering, the primary purpose is containment, and forensic preservation requires specific steps like creating a bit-for-bit image before any changes. Option B is wrong because patching offline is a remediation activity that occurs after containment; the immediate goal is to stop the attack, not to prepare the system for patching. Option C is wrong because compliance requirements may mandate containment, but the primary operational purpose is to prevent further damage, not to satisfy a regulation.

258
MCQeasy

A nonprofit organization develops a small online donation platform using a third-party payment gateway. The project team skips formal security testing because of budget constraints. After launch, a security researcher discovers that the application fails to validate input on the donation amount field, allowing manipulation. The nonprofit loses several thousand dollars before the issue is patched. The IS auditor is asked to review the system development process. Which of the following is the PRIMARY finding?

A.The donation amount field was not validated.
B.The organization lost money due to the exploit.
C.Security testing was not performed during development.
D.The payment gateway was not properly integrated.
AnswerC

Testing would have identified the input validation issue.

Why this answer

Option C is correct because the primary finding for an IS auditor reviewing the system development process is the absence of security testing during development. Skipping formal security testing (e.g., static application security testing, dynamic application security testing, or penetration testing) violates the secure development lifecycle (SDLC) best practices and directly led to the input validation vulnerability. The IS auditor's focus is on process deficiencies, not the specific exploit or financial loss.

Exam trap

The trap here is that candidates focus on the immediate technical flaw (unvalidated input) or the financial loss, rather than recognizing that the IS auditor's role is to identify the systemic process failure (lack of security testing) that allowed the vulnerability to be introduced.

How to eliminate wrong answers

Option A is wrong because the unvalidated donation amount field is a symptom (a technical vulnerability), not the root cause in the development process; the IS auditor's primary finding should address the process gap that allowed the vulnerability to exist. Option B is wrong because the financial loss is an impact or consequence, not a process finding; the IS auditor evaluates controls and processes, not the monetary outcome. Option D is wrong because the payment gateway integration may be functional; the issue is the lack of input validation on the application side, not a misconfiguration or improper integration of the third-party gateway (e.g., incorrect API endpoint or missing signature verification).

259
MCQeasy

An IS auditor reviews the exhibit. Which of the following is the most likely cause of the denied traffic?

A.Misconfigured VPN tunnel
B.Intrusion prevention system blocking
C.Missing firewall rule allowing RDP traffic
D.Incorrect NAT configuration
AnswerC

The deny log specifically references the access-group, implying a rule is missing.

Why this answer

The log shows an RDP connection (port 3389) being denied by the access-group 'outside_in', indicating that no rule permits this traffic.

260
MCQmedium

An IS auditor is reviewing the change management process for a financial application. Which of the following findings would be of MOST concern?

A.Change requests are logged in a spreadsheet
B.Standard changes are pre-approved
C.Change windows are defined in the policy
D.Emergency changes are not reviewed within 30 days
AnswerD

Correct: Emergency changes require timely retroactive review to ensure proper authorization.

Why this answer

Emergency changes bypass normal controls; failure to review them within a reasonable time (e.g., 30 days) increases the risk of undocumented changes. Logging in a spreadsheet, pre-approved standard changes, and defined change windows are acceptable or even good practices.

261
MCQhard

A company stores sensitive customer data in a database. To comply with privacy regulations, the data must be anonymized for analytics. Which technique provides the strongest anonymization while preserving data utility?

A.Differential privacy with calibrated noise.
B.Tokenization with a reversible mapping.
C.Removing direct identifiers like names and SSNs.
D.Data masking with static substitution.
AnswerA

Correct. Differential privacy provides mathematical guarantees against re-identification while allowing statistical queries.

Why this answer

Differential privacy with calibrated noise is the strongest anonymization technique because it provides a formal mathematical guarantee that the output of a query does not reveal whether any specific individual's data was included. By adding carefully calibrated noise to query results, it preserves statistical utility for analytics while ensuring that re-identification is provably infeasible, meeting strict privacy regulations like GDPR or CCPA.

Exam trap

The trap here is that candidates often confuse pseudonymization (e.g., tokenization) with anonymization, or assume that simply removing direct identifiers is sufficient, failing to recognize that re-identification via quasi-identifiers is a well-known attack vector in privacy regulations.

How to eliminate wrong answers

Option B is wrong because tokenization with a reversible mapping is not anonymization; it is pseudonymization, as the original data can be recovered via the mapping table, which does not meet the irreversible anonymization required by privacy regulations. Option C is wrong because removing direct identifiers like names and SSNs alone leaves quasi-identifiers (e.g., ZIP code, age, gender) that can be combined with external data to re-identify individuals through linkage attacks, providing weak anonymization. Option D is wrong because data masking with static substitution (e.g., replacing values with fixed characters) is a form of obfuscation that does not preserve data utility for analytics (e.g., masked values lose statistical properties) and can often be reversed if the masking pattern is known or inferred.
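The "calibrated noise" in the correct answer refers to the Laplace mechanism, and the following added Python example (constructed for this page, not the question bank's material) shows it applied to a count query. A count has sensitivity 1 (adding or removing one person changes it by at most 1), so the noise scale is 1/ε; `density_ratio` checks the privacy guarantee itself: for any output value, the likelihood ratio between two datasets that differ in one person never exceeds e^ε. The patient records are constructed sample data.

```python
"""Differential privacy for a count query via the Laplace mechanism (added example)."""
import math
import random

# Constructed records: quasi-identifiers plus a sensitive attribute.
CONSTRUCTED_RECORDS = [
    {"age": 34, "zip": "02139", "condition": "diabetes"},
    {"age": 51, "zip": "02139", "condition": "none"},
    {"age": 29, "zip": "10001", "condition": "diabetes"},
    {"age": 63, "zip": "60601", "condition": "none"},
    {"age": 47, "zip": "10001", "condition": "diabetes"},
    {"age": 38, "zip": "60601", "condition": "asthma"},
]


def has_diabetes(record) -> bool:
    return record["condition"] == "diabetes"


def laplace_scale(sensitivity: float, epsilon: float) -> float:
    """Noise scale b = sensitivity / epsilon; smaller epsilon means more noise."""
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    return sensitivity / epsilon


def laplace_sample(scale: float, rng: random.Random) -> float:
    """Draw from Laplace(0, scale) by inverse-CDF sampling."""
    u = rng.random() - 0.5           # uniform on [-0.5, 0.5)
    if u == -0.5:                    # avoid log(0) at the open boundary
        u = -0.5 + 1e-12
    return -scale * math.copysign(1.0, u) * math.log(1 - 2 * abs(u))


def true_count(records, predicate) -> int:
    """The exact answer, which must never leave the trusted boundary."""
    return sum(1 for r in records if predicate(r))


def private_count(records, predicate, epsilon: float, seed=None) -> float:
    """Release the count with epsilon-DP noise. A count query has sensitivity 1."""
    rng = random.Random(seed)        # seed only for reproducible demonstration
    return true_count(records, predicate) + laplace_sample(laplace_scale(1.0, epsilon), rng)


def density_ratio(x: float, epsilon: float, sensitivity: float = 1.0) -> float:
    """Ratio of the Laplace output densities for two neighbouring datasets whose
    true counts differ by `sensitivity`, evaluated at output x. The DP guarantee
    is that this ratio is at most exp(epsilon) for every x."""
    b = laplace_scale(sensitivity, epsilon)
    return math.exp((abs(x - sensitivity) - abs(x)) / b)


if __name__ == "__main__":
    exact = true_count(CONSTRUCTED_RECORDS, has_diabetes)
    for eps in (0.1, 0.5, 2.0):
        print(f"epsilon={eps}: exact={exact}, released={private_count(CONSTRUCTED_RECORDS, has_diabetes, eps, seed=1):.2f}")
    print("max likelihood ratio allowed at epsilon=0.5:", math.exp(0.5))
```

Lower ε gives stronger privacy at the cost of noisier answers, which is the utility trade-off the question refers to; the analyst only ever sees the noisy value, and repeated queries consume privacy budget, so a real deployment also tracks cumulative ε.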

262
MCQhard

Refer to the exhibit. This log entry MOST likely indicates:

A.An attempt to escalate privileges or lateral movement
B.A scheduled backup using the service account
C.A brute-force attack
D.Normal administrative activity
AnswerA

Using explicit admin credentials from a service account to another server via WMI is a common lateral movement technique.

Why this answer

The log entry shows a service account (svc_backup) executing commands that create a new local user and add it to the Administrators group, which is a classic privilege escalation technique. The use of net user and net localgroup commands from a service account indicates an attempt to gain unauthorized administrative access, often as a precursor to lateral movement. This is not normal administrative activity because service accounts are typically restricted to specific tasks and should not be creating interactive user accounts.

Exam trap

The trap here is that candidates see a service account and assume it is legitimate backup activity, but the specific commands (net user /add, net localgroup Administrators) are clear indicators of privilege escalation, not routine maintenance.

How to eliminate wrong answers

Option B is wrong because a scheduled backup using a service account would involve backup-specific commands (e.g., wbadmin, robocopy, or backup software APIs) and would not include net user or net localgroup commands to create a new user. Option C is wrong because a brute-force attack would manifest as multiple failed login attempts (Event ID 4625) or repeated authentication failures, not a single successful command execution from an already-authenticated session. Option D is wrong because normal administrative activity would typically use a dedicated admin account, not a service account, and would follow change management procedures; creating a new user and adding it to the Administrators group is a high-risk action that is not routine.

263
MCQhard

Refer to the exhibit. A security analyst notices that users on the INSIDE network (10.1.1.0/24) can browse HTTPS websites but cannot resolve domain names. What is the most likely cause?

A.The ACL denies TCP traffic to port 443
B.The ACL only permits DNS traffic to host 10.2.2.10, but users need to query a different DNS server
C.The DNS server at 10.2.2.10 is unreachable
D.The OUTSIDE interface has no security-level configured correctly
AnswerB

The DNS request to an external server is denied because the ACL only allows UDP to 10.2.2.10.

Why this answer

The exhibit shows an ACL that permits DNS traffic (UDP port 53) only to host 10.2.2.10. Since users can browse HTTPS (TCP/443) but cannot resolve domain names, the ACL is blocking DNS queries to any other DNS server. Option B correctly identifies that the ACL restricts DNS to a single server, and if users are configured to query a different DNS server, resolution fails.

Exam trap

The trap here is that candidates assume DNS resolution failure must be due to a DNS server being unreachable (Option C), but the ACL is actually restricting the destination IP of DNS queries, not the protocol itself.

How to eliminate wrong answers

Option A is wrong because the ACL permits TCP traffic to port 443 (HTTPS), as evidenced by users successfully browsing HTTPS websites. Option C is wrong because if the DNS server at 10.2.2.10 were unreachable, users would not be able to resolve names at all, but the issue is that users are configured to query a different DNS server, not 10.2.2.10. Option D is wrong because the security-level configuration on the OUTSIDE interface affects traffic direction and stateful inspection, not DNS resolution; the problem is specifically an ACL filtering issue.

264
MCQmedium

A financial services company is migrating its core banking system to a public cloud to improve scalability and reduce costs. The project is high-risk due to regulatory compliance requirements (e.g., data residency, audit trails). The IT governance committee has reviewed the project plan and finds that the risk assessment is incomplete – it does not address the potential impact of a cloud provider outage on critical transactions. The committee must approve the project or request changes. The project manager argues that the cloud provider's SLA guarantees 99.99% uptime and that additional controls would delay the project. What should the governance committee do?

A.Reject the project and require the system to remain on-premises.
B.Request a revised risk assessment that includes contingency plans for provider outages.
C.Approve the project based on the provider's strong SLA.
D.Approve a pilot migration for non-critical systems first.
AnswerB

The committee must ensure all risks are identified and mitigated.

Why this answer

Option B is correct because the committee's duty is to ensure risks are adequately addressed; requiring a comprehensive risk assessment and contingency plans is necessary. Option A is wrong because committees should not bypass governance processes. Option C is wrong because SLAs do not cover all risks (e.g., data residency).

Option D is wrong because a pilot does not address the missing assessment.

265
MCQeasy

An organization wants to protect its intellectual property from unauthorized disclosure via email. Which control should be implemented?

A.Encrypt all outgoing emails.
B.Implement a data loss prevention (DLP) system.
C.Disable email altogether.
D.Require employees to sign non-disclosure agreements.
AnswerB

Correct. DLP can inspect content and block unauthorized transmission of sensitive data.

Why this answer

Data loss prevention (DLP) solutions can monitor and block sensitive information from being sent via email, making it the most effective control for this purpose.

266
MCQhard

Based on the exhibit, which control is most likely missing to prevent this type of event?

A.Applying the latest security patches to the SSH service
B.Implementing account lockout after three failed attempts
C.Disabling direct root login via SSH
D.Enforcing strong password complexity
AnswerB

Account lockout directly mitigates brute-force attacks by blocking further attempts.

Why this answer

The exhibit describes a brute-force attack against an SSH service, where an attacker repeatedly attempts to guess credentials. Implementing account lockout after three failed attempts is the most direct control to prevent this type of event, as it halts further login attempts after a threshold, stopping the attack in its tracks regardless of password strength or patching.

Exam trap

The trap here is that candidates often choose 'Disabling direct root login via SSH' (Option C) because it is a well-known security best practice, but it does not prevent brute-force attacks against other user accounts, whereas account lockout directly stops the attack mechanism.

How to eliminate wrong answers

Option A is wrong because applying the latest security patches to the SSH service addresses vulnerabilities in the SSH protocol or implementation, but does not prevent brute-force attacks that exploit weak or guessed credentials. Option C is wrong because disabling direct root login via SSH reduces the attack surface by requiring a non-root account first, but it does not prevent brute-force attacks against any user account; the attacker can still target other usernames. Option D is wrong because enforcing strong password complexity makes passwords harder to guess, but it does not stop an attacker from making unlimited attempts; a brute-force attack can still succeed over time if no lockout mechanism is in place.

267
MCQmedium

An IT manager is reviewing the access control model for a financial application. The policy requires that no single person can approve a transaction. Which access control principle does this policy enforce?

A.Least privilege
B.Separation of duties
C.Mandatory access control
D.Need to know
AnswerB

Separation of duties requires multiple people to complete sensitive tasks.

Why this answer

The policy that no single person can approve a transaction enforces the separation of duties (SoD) principle. In financial applications, SoD requires that critical tasks, such as initiating and approving a transaction, be divided among multiple individuals to prevent fraud or error. This control ensures that no single user has the authority to complete a high-risk action alone, directly aligning with the requirement stated.

Exam trap

The trap here is that candidates confuse separation of duties with least privilege, but least privilege focuses on limiting permissions to the minimum needed, whereas separation of duties specifically requires dividing critical tasks among multiple users to prevent fraud or error.

How to eliminate wrong answers

Option A is wrong because least privilege restricts user permissions to the minimum necessary for their job function, but it does not inherently prevent a single user from approving a transaction if that approval is within their role. Option C is wrong because mandatory access control (MAC) enforces system-wide policies based on labels and clearances, not the division of task responsibilities among multiple users. Option D is wrong because need to know limits access to information required for a specific task, but it does not address the requirement that no single person can approve a transaction, which is a process control, not an information access restriction.

268
MCQhard

An organization has recently implemented a cloud-based identity provider (IdP) for single sign-on (SSO) across all SaaS applications. Users authenticate using their corporate credentials via SAML 2.0. After a week, the IT security team notices a significant increase in failed login attempts from various IP addresses targeting a specific user account. The helpdesk reports that the user, a senior executive, has not complained about any issues. The security team investigates and finds that the account lockout policy is set to 5 failed attempts within 15 minutes, after which the account is locked for 30 minutes. The failed attempts are occurring in bursts of 4, then stopping, then resuming from different IPs. The organization uses conditional access policies that require MFA from unknown locations. However, the failed attempts appear to be stopped at the authentication prompt and never reach the MFA stage. What is the most likely explanation and the best course of action?

A.The user's credentials have been compromised, and the attacker is testing them across the IdP. The organization should immediately force a password reset for the user and enable MFA for all users.
B.A misconfiguration in the IdP allows pre-authentication enumeration. The organization should disable account lockout and implement rate limiting at the application proxy.
C.The attacker is performing a password spraying attack, attempting to guess the password for that specific account. The organization should implement a CAPTCHA requirement after a few failed attempts.
D.The IdP is experiencing integration issues with the AD domain controller, causing authentication failures that are logged as failed attempts. The organization should check the synchronization status and network connectivity.
AnswerC

The burst pattern with IP rotation is classic password spraying. CAPTCHA or progressive delay will effectively slow automated attacks.

Why this answer

Option C is correct because the attack pattern—bursts of exactly 4 failed attempts (just below the lockout threshold of 5) from different IPs, then stopping—is a textbook password spraying attack. The attacker is trying commonly used passwords against a high-value account (senior executive) while deliberately avoiding account lockout to remain undetected. Since the attempts stop at the SAML authentication prompt and never reach MFA, the attacker is testing passwords against the IdP's SAML endpoint, which validates credentials before triggering conditional access policies.

Exam trap

The trap here is that candidates confuse a password spraying attack with a credential stuffing attack (Option A) or assume that any burst of failed attempts indicates a misconfiguration (Option B), when the key clue is the attacker deliberately staying below the lockout threshold to avoid detection.

How to eliminate wrong answers

Option A is wrong because the attacker is not testing already compromised credentials; they are attempting to guess the password, and forcing a password reset for only that user does not address the systematic guessing technique. Option B is wrong because pre-authentication enumeration would allow an attacker to determine valid usernames, but here the attacker already knows the specific user account and is targeting it with password guesses; disabling account lockout would remove the only protection against brute force. Option D is wrong because integration issues with AD would typically cause consistent failures for all users or show error patterns (e.g., timeouts, sync errors), not precise bursts of 4 attempts from varied IPs targeting a single executive account.

269
MCQeasy

Based on the exhibit, what is the MOST appropriate action for IT management?

A.Investigate the reasons for the shortfall and implement corrective actions.
B.Ignore the variance as it is within acceptable range.
C.Adjust the target to 80% to match actual performance.
D.Replace the survey with a different measurement tool.
AnswerA

A gap between actual and target should be analyzed and addressed.

Why this answer

Option A is correct because the actual score (82%) is below the target (85%), so IT management should investigate the shortfall and take corrective action. Option C (lowering the target to match actual performance) is not appropriate without analysis. Option D (replacing the survey) is premature.

Option B (ignoring the variance) is not acceptable because the score is below target.

270
MCQmedium

A hospital is implementing a new electronic health record (EHR) system. The project team includes clinicians and IT staff. During integration testing, the system fails to exchange lab results with the existing legacy system due to format mismatches. The IT team suggests developing a custom interface. The clinical team is concerned that any custom solution may not comply with health data privacy regulations. The project sponsor pressures the team to quickly fix the issue to avoid delays. The IS auditor is reviewing this situation. What is the MOST appropriate action for the auditor to recommend?

A.Conduct a privacy impact assessment on the custom interface and ensure controls are in place before deployment.
B.Proceed with the custom interface to meet the project deadline.
C.Reject the custom interface and delay the project until a standard solution is found.
D.Replace the legacy system with a new one that is compatible.
AnswerA

Balances speed with compliance.

Why this answer

The custom interface introduces a new data exchange path between the EHR and legacy system. Without a privacy impact assessment (PIA), the auditor cannot verify that the interface will enforce encryption, access controls, and audit logging required by HIPAA or similar regulations. A PIA identifies risks like unauthorized disclosure of protected health information (PHI) during format translation, ensuring controls are implemented before deployment.

This aligns with the IS auditor's role to safeguard data privacy, not just meet deadlines.

Exam trap

The trap here is that candidates may prioritize speed (Option B) or absolute standardization (Option C) over the auditor's core responsibility to assess and mitigate privacy risks before any new data processing component goes live.

How to eliminate wrong answers

Option B is wrong because proceeding without assessing privacy risks violates the auditor's duty to ensure compliance with health data privacy regulations (e.g., HIPAA), and a rushed custom interface may introduce vulnerabilities like unencrypted PHI in transit. Option C is wrong because rejecting the custom interface outright is overly rigid; a properly assessed and controlled custom interface can be compliant, and delaying the project unnecessarily ignores a viable solution. Option D is wrong because replacing the entire legacy system is disproportionate, costly, and introduces far greater project risk and disruption than addressing the format mismatch with a controlled interface.

271
Drag & Dropmedium

Order the steps for responding to a security incident in the correct sequence.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Incident response follows: detection, containment, eradication/recovery, review, and improvement.

272
Multi-Selecteasy

Which TWO of the following are essential components of a business case for a new system?

Select 2 answers
A.Implementation schedule.
B.Detailed system architecture.
C.Alignment with business strategy.
D.Risk assessment for all identified risks.
E.Cost-benefit analysis.
AnswersC, E

Ensures project supports organizational goals.

Why this answer

A business case must justify the investment in a new system by demonstrating how it supports the organization's strategic goals and provides net financial benefit. Alignment with business strategy (C) ensures the system directly enables key objectives, while cost-benefit analysis (E) quantifies the expected return on investment, making both essential for approval.

Exam trap

The trap here is that candidates confuse project management deliverables (like schedules and detailed architectures) with the strategic and financial justification required in a business case, leading them to select implementation schedule or detailed system architecture instead of the correct options.

273
MCQeasy

An organization is developing a new customer portal. The development team wants to use an agile methodology. Which of the following is a key benefit of using agile for this project?

A.Continuous stakeholder feedback is incorporated
B.Detailed requirements are defined upfront
C.Documentation is minimized to save time
D.The entire system is delivered at once
AnswerA

Agile emphasizes ongoing collaboration.

Why this answer

Agile methodologies emphasize iterative development with continuous stakeholder feedback, which is critical for a customer portal where user needs evolve. This ensures the final product aligns with actual requirements, reducing rework and increasing satisfaction. Option A directly captures this core benefit.

Exam trap

The trap here is that candidates often confuse agile's reduced documentation overhead (Option C) as a primary benefit, but the key advantage is continuous stakeholder feedback, not just saving time on documentation.

How to eliminate wrong answers

Option B is wrong because agile deliberately avoids defining detailed requirements upfront; instead, it embraces changing requirements through the project lifecycle. Option C is wrong because while agile values working software over comprehensive documentation, it does not minimize documentation to save time—it produces just enough documentation for the team and stakeholders. Option D is wrong because agile delivers the system incrementally in small, functional releases, not all at once, enabling early value delivery and feedback.

274
Multi-Selecthard

Which TWO of the following are primary objectives of a data loss prevention (DLP) strategy?

Select 2 answers
A.Encrypt all data in transit
B.Identify and classify sensitive data
C.Replace all existing security controls
D.Monitor and control data movement across endpoints
E.Ensure compliance with all regulations
AnswersB, D

Understanding what sensitive data exists is fundamental to DLP.

Why this answer

Option B is correct because identifying and classifying sensitive data is the foundational step in a DLP strategy. Without knowing where sensitive data resides (e.g., PII, PCI, IP), DLP policies cannot accurately detect or prevent unauthorized transfers. Classification enables the DLP system to apply context-aware rules, such as blocking credit card numbers in email attachments or flagging confidential documents uploaded to cloud storage.

Exam trap

The trap here is that candidates confuse DLP's primary objectives (identify, monitor, control) with supporting or adjacent activities like encryption or compliance, leading them to select options A or E instead of the core DLP functions.

275
Matchingmedium

Match each testing technique to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Simulated attack to find weaknesses

Automated check for known flaws

Manual inspection of source code

Manipulating people to divulge info

Why these pairings

Testing techniques assess different aspects.

276
MCQeasy

Which of the following is the PRIMARY purpose of a business impact analysis (BIA) in business continuity planning?

A.To determine the criticality of business processes and their recovery requirements
B.To create a list of emergency contacts
C.To identify the resources required for recovery
D.To document the technical recovery procedures
AnswerA

The BIA's main goal is to quantify the impact of disruptions and set RTO/RPO.

Why this answer

Option A is correct because the BIA identifies critical processes and determines the maximum allowable downtime (RTO) and data loss (RPO). Options B, C, and D are subsequent steps that follow the BIA.

277
MCQhard

In an agile development environment, an IS auditor reviews the backlog and finds that security requirements are not explicitly included. What is the best recommendation?

A.Engage external security auditors to define requirements
B.Allocate a separate sprint dedicated solely to security
C.Perform comprehensive security testing during the final sprint
D.Include security stories in the product backlog
AnswerD

Integrating security into the backlog ensures it is addressed incrementally.

Why this answer

In agile development, security should be integrated continuously rather than treated as an afterthought. Including security stories in the product backlog ensures that security requirements are prioritized, estimated, and implemented incrementally within each sprint, aligning with the agile principle of delivering value early and often. This approach embeds security into the development lifecycle from the start, reducing technical debt and vulnerabilities.

Exam trap

The trap here is that candidates often choose a dedicated security sprint (Option B) or final testing (Option C) because they resemble traditional security review phases, but the CISA exam emphasizes integrating security into every sprint to align with agile's continuous delivery and risk management principles.

How to eliminate wrong answers

Option A is wrong because engaging external security auditors to define requirements creates a dependency on outside parties and delays security integration, contradicting agile's self-organizing team model and continuous feedback loops. Option B is wrong because allocating a separate sprint dedicated solely to security violates agile's iterative delivery principle and can lead to security being treated as a separate phase, increasing risk of integration issues and rework. Option C is wrong because performing comprehensive security testing only during the final sprint is a waterfall-like approach that misses the opportunity to detect and fix vulnerabilities early, often resulting in costly late-stage remediation and potential release delays.

278
MCQhard

During an audit of a privileged access management (PAM) system, the auditor finds that privileged sessions are recorded but not reviewed. What is the primary risk?

A.Inability to detect real-time threats.
B.Increased administrative overhead.
C.Non-compliance with licensing agreements.
D.Missing evidence of malicious activity after an incident.
AnswerD

Recordings are useless without review, losing forensic value.

Why this answer

Recording privileged sessions without review means that while a log of activities exists, it is not analyzed for signs of compromise or policy violations. The primary risk is that after a security incident, the recorded sessions may be the only source of evidence to reconstruct the attack, but without prior review, the organization may fail to identify malicious activity in a timely manner or may lose critical forensic data if logs are overwritten or deleted before an incident is discovered.

Exam trap

The trap here is that candidates may confuse 'recording' with 'monitoring' and assume that recording alone provides security, but without review, the recordings are merely stored data with no active threat detection value.

How to eliminate wrong answers

Option A is wrong because real-time threats are typically detected by monitoring and alerting mechanisms (e.g., SIEM, anomaly detection), not by reviewing recorded sessions after the fact; the question states sessions are recorded but not reviewed, which does not preclude real-time detection tools. Option B is wrong because increased administrative overhead is a potential operational impact, not the primary risk; the core concern is security and forensic capability, not resource usage. Option C is wrong because non-compliance with licensing agreements is unrelated to session recording and review; licensing compliance concerns software usage rights, not security monitoring.

279
MCQhard

A security review of the above Apache configuration identifies a critical vulnerability. Which of the following is the MOST significant issue?

A.Default DocumentRoot path is used
B.Directory listing is enabled (Indexes option)
C.AllowOverride All allows .htaccess overrides
D.Require all granted permits all access
AnswerB

The Indexes option allows attackers to browse directory contents, potentially exposing sensitive files.

Why this answer

The Indexes option in Apache enables directory listing, which exposes the entire contents of a directory when no index file (e.g., index.html) is present. This can reveal sensitive files, configuration backups, or source code, making it a critical information disclosure vulnerability. Unlike other options, Indexes directly leads to unauthorized data exposure without requiring any additional conditions.

Exam trap

The trap here is that candidates often focus on access control (Require all granted) or override permissions (AllowOverride All) as the most critical issue, but the immediate and direct information disclosure from directory listing (Indexes) is typically the most severe in a standard web server configuration.

How to eliminate wrong answers

Option A is wrong because using the default DocumentRoot path (e.g., /var/www/html) is a common configuration and not inherently a vulnerability; it only becomes a risk if combined with other misconfigurations. Option C is wrong because AllowOverride All allows .htaccess overrides, which can be a security concern if not properly managed, but it is not as immediately exploitable as directory listing and can be mitigated with proper .htaccess controls. Option D is wrong because 'Require all granted' permits all access, but this is often the intended default for public web content; the vulnerability arises only when combined with other issues like Indexes or weak authentication, and by itself it does not directly expose directory contents.

280
MCQeasy

An organization uses the access list above on its perimeter firewall. Which of the following is a valid conclusion?

A.All HTTP traffic from the 192.168.2.0 subnet is allowed.
B.All HTTPS traffic from the 192.168.1.0 subnet is allowed.
C.All traffic from the 192.168.2.0 subnet is allowed.
D.All traffic from the Internet to internal hosts is denied.
E.All traffic from 192.168.1.0 subnet is allowed on any port.
F.All traffic from the Internet is denied.
G.The ACL allows SSH traffic from 192.168.1.0 subnet.
AnswerB

Line 10 permits TCP on port 443 from that subnet.

Why this answer

Option B is correct because the access list permits TCP traffic from source network 192.168.1.0/24 to destination port 443 (HTTPS). The permit statement for TCP with eq 443 explicitly allows HTTPS traffic from that subnet, and there is no subsequent deny statement blocking it.

Exam trap

ISACA often tests the implicit deny all rule, where candidates mistakenly assume that traffic not explicitly permitted is allowed, when in fact it is denied by default.

How to eliminate wrong answers

Option A is wrong because the access list does not contain any permit statement for port 80 (HTTP); HTTP traffic from 192.168.2.0 subnet would be denied by the implicit deny all at the end. Option C is wrong because the access list only permits specific protocols (TCP on port 443, and possibly others) from 192.168.2.0 subnet, not all traffic; any non-matching traffic is denied. Option D is wrong because the access list permits certain traffic from internal subnets to the Internet, but it does not explicitly deny all traffic from the Internet to internal hosts; the implicit deny all applies to all unmatched traffic, but the question does not specify any inbound rules, so this conclusion is not valid based solely on the given list.

Option E is wrong because the access list does not permit all traffic from the 192.168.1.0 subnet on any port; it only permits TCP traffic to port 443, and other ports are denied by the implicit deny. Option F is wrong because the access list permits specific traffic from internal subnets, so not all traffic from the Internet is denied; the implicit deny only applies to unmatched traffic, and the list does not explicitly deny all Internet traffic. Option G is wrong because the access list would permit SSH traffic (TCP port 22) only if explicitly stated; the given list does not include a permit for port 22, so SSH traffic from the 192.168.1.0 subnet would be denied.

281
MCQmedium

An organization is migrating sensitive customer data to a public cloud. Which of the following encryption strategies provides the STRONGEST protection against data exposure to the cloud provider?

A.Use transport layer security (TLS) for data in transit
B.Implement client-side encryption with keys managed on-premises
C.Encrypt data at rest using server-side encryption with AES-256
D.Enable the cloud provider's key management service
AnswerB

Client-side encryption ensures data is encrypted before leaving the premises, and the cloud provider never has access to plaintext or keys.

Why this answer

Client-side encryption with keys managed on-premises ensures that the cloud provider never has access to the encryption keys or the plaintext data. Even if the cloud provider's infrastructure is compromised or they have administrative access, the data remains encrypted and unreadable. This provides the strongest protection because the cloud provider is excluded from the cryptographic trust boundary.

Exam trap

The trap here is that candidates often confuse 'encryption at rest' or 'TLS' with full data protection, failing to realize that these methods still allow the cloud provider to access plaintext data either during processing or through key management access.

How to eliminate wrong answers

Option A is wrong because TLS only protects data in transit between the client and the cloud provider; once the data reaches the cloud provider's servers, it is decrypted and stored in plaintext, leaving it exposed to the provider. Option C is wrong because server-side encryption with AES-256 means the cloud provider manages the encryption process and typically has access to the keys (or can access them via their key management service), so the provider can decrypt the data at rest. Option D is wrong because enabling the cloud provider's key management service gives the provider control over the encryption keys, allowing them to decrypt the data if they choose or if compelled by legal request.

282
MCQhard

Refer to the exhibit. An administrator applied this ACL to a VLAN interface. The server at 10.0.0.100 hosts a web application. What is the effect of this ACL?

A.Allows HTTPS, but HTTP is allowed as well due to the permit ip any any
B.Allows HTTPS, blocks HTTP, and blocks all other traffic
C.Blocks both HTTP and HTTPS
D.Only allows HTTP and blocks HTTPS
AnswerA

The permit ip any any overrides the deny.

Why this answer

The ACL shown permits HTTPS (TCP port 443) from any source to the server at 10.0.0.100, and then has a 'permit ip any any' statement at the end. Because ACLs are processed top-down, the first match wins; HTTPS traffic matches the first line and is permitted, while HTTP (TCP port 80) is not explicitly denied, so it matches the 'permit ip any any' line and is also allowed. Thus, both HTTP and HTTPS are permitted, making option A correct.

Exam trap

The trap here is that candidates often overlook the 'permit ip any any' at the end of the ACL and incorrectly assume that only the explicitly permitted HTTPS traffic is allowed, missing that this catch-all statement permits all other traffic, including HTTP.

How to eliminate wrong answers

Option B is wrong because it claims HTTP is blocked, but the 'permit ip any any' at the end of the ACL permits all traffic not explicitly denied, including HTTP. Option C is wrong because it states both HTTP and HTTPS are blocked, but the ACL explicitly permits HTTPS and the 'permit ip any any' permits HTTP. Option D is wrong because it says only HTTP is allowed and HTTPS is blocked, but the ACL explicitly permits HTTPS and the 'permit ip any any' permits HTTP as well, so both are allowed.

283
MCQhard

An organization's IT strategy is not aligned with business strategy due to lack of communication. Which of the following would BEST improve alignment?

A.Business-IT strategy mapping workshops
B.Weekly IT status reports
C.Outsourcing non-core IT functions
D.IT budget increase
AnswerA

Workshops enable joint development of aligned strategies.

Why this answer

Business-IT strategy mapping workshops facilitate direct communication and collaboration, ensuring both sides understand and agree on priorities. Status reports, budget increases, or outsourcing do not address the communication gap.

284
MCQmedium

An organization is implementing a backup strategy for its critical database. The database is updated continuously during business hours, and the recovery point objective (RPO) is 15 minutes. Which backup method should be used to meet the RPO while minimizing backup storage and performance impact?

A.Perform full backups every 24 hours
B.Implement synchronous replication to a standby server
C.Perform incremental backups with transaction log backups every 15 minutes
D.Perform differential backups every 6 hours
AnswerC

Transaction log backups enable point-in-time recovery to within 15 minutes, meeting the RPO, while incremental backups reduce storage and performance overhead.

Why this answer

Incremental backups with transaction log backups every 15 minutes meet the 15-minute RPO: incremental backups capture all changes since the last full or incremental backup, while transaction log backups record every individual database transaction, allowing recovery to any point within the last 15 minutes. This method minimizes storage by backing up only changes and reduces performance impact compared to continuous replication, as log backups are lightweight and can be scheduled without constant I/O overhead.

Exam trap

The trap here is that candidates often confuse synchronous replication (Option B) with a backup method, but it is a high-availability solution that does not meet RPO requirements without additional log backups and introduces performance degradation, whereas transaction log backups are the correct granular backup technique for low RPOs.

How to eliminate wrong answers

Option A is wrong because full backups every 24 hours can only restore to the point of the last full backup, which would result in up to 24 hours of data loss, far exceeding the 15-minute RPO. Option B is wrong because synchronous replication requires the primary and standby servers to commit transactions simultaneously, which introduces latency and high performance overhead on the primary database, and it does not inherently provide point-in-time recovery to a specific 15-minute window without additional log management. Option D is wrong because differential backups capture all changes since the last full backup, but if performed every 6 hours, the maximum data loss could be up to 6 hours, which exceeds the 15-minute RPO; moreover, differential backups do not provide the granularity needed for sub-hour recovery.

285
Multi-Selectmedium

Which THREE of the following are commonly accepted practices for securing mobile devices in an enterprise environment?

Select 3 answers
A.Install antivirus on all devices
B.Use containerization for corporate data
C.Enable remote wipe capability
D.Disable all third-party apps
E.Require complex passwords
AnswersB, C, E

Containerization separates corporate and personal data, enabling selective controls.

Why this answer

Containerization (Option B) is a commonly accepted practice for securing mobile devices in an enterprise environment because it creates a separate, encrypted workspace on the device that isolates corporate data and applications from personal data. This approach, often implemented through Mobile Device Management (MDM) or Enterprise Mobility Management (EMM) solutions, uses technologies like sandboxing and per-container encryption (e.g., AES-256) to prevent data leakage between the corporate and personal environments. It allows the enterprise to enforce security policies (e.g., remote wipe of only the container) without compromising the user's personal privacy, which is a key requirement for BYOD (Bring Your Own Device) programs.

Exam trap

The trap here is that candidates often confuse 'best practice' with 'maximum security' and incorrectly select Option D (disable all third-party apps) as a valid control, failing to recognize that enterprise security requires balancing usability with risk management, and that containerization is the standard approach for BYOD environments.

286
MCQhard

A multinational corporation operates in a highly regulated industry. The IT governance framework includes a risk appetite statement approved by the board. Recently, the company suffered a significant data breach due to an unpatched vulnerability that had been identified three months earlier. The IT audit found that the vulnerability was reported to the IT department but was not prioritized for remediation because it was deemed low risk by the IT operations team. The incident response plan was not activated because the breach was not initially detected. The board wants to strengthen governance to prevent recurrence. The most effective course of action for the auditor to recommend is:

A.Deploying an intrusion detection system to identify breaches sooner
B.Establishing a formal vulnerability management policy that requires risk-based prioritization in accordance with the risk appetite and escalation to the IT risk committee for decisions outside tolerance
C.Disciplining the IT operations team for not escalating the vulnerability
D.Implementing a more robust patch management system with automated patching
AnswerB

This embeds risk governance into the vulnerability management process, ensuring alignment with board-approved risk appetite.

Why this answer

Option B is correct because integrating vulnerability management with risk governance ensures that risk decisions are made according to the board-approved risk appetite, not solely by IT operations. Option A addresses incident detection but not the governance gap. Option D is too narrow, as automated patching alone does not fix how risk decisions are made.

Option C is reactive and does not prevent future occurrences.

287
MCQmedium

An organization is implementing a new identity management system. Which testing approach is MOST effective for verifying access controls?

A.Regression testing
B.Unit testing
C.User acceptance testing including role-based test cases
D.System integration testing
AnswerC

Role-based UAT scenarios simulate real user tasks and validate that access controls are correctly implemented.

Why this answer

User acceptance testing (UAT) with role-based test cases is the most effective approach because it directly validates that the identity management system enforces the correct access controls for each user role in real-world scenarios. Unlike lower-level tests, UAT involves actual users executing role-specific transactions to confirm that permissions, segregation of duties, and policy rules are properly implemented. This ensures that the system behaves as intended from an end-user and auditor perspective, which is critical for compliance and security.

Exam trap

The trap here is that candidates confuse 'system integration testing' with 'user acceptance testing' and assume that verifying system-to-system communication is sufficient to validate access controls, when in fact only role-based UAT confirms that the correct policies are enforced for actual users.

How to eliminate wrong answers

Option A is wrong because regression testing focuses on verifying that existing functionality still works after changes, not on validating the correctness of new access control rules. Option B is wrong because unit testing examines individual components or code modules in isolation, which cannot verify role-based permissions or end-to-end access control enforcement. Option D is wrong because system integration testing checks the interaction between systems (e.g., SSO with LDAP or SAML) but does not specifically validate that role-based access policies are correctly applied to user actions.

288
MCQ (hard)

A security architect is designing a data classification schema for a multinational corporation. Which combination of factors is MOST critical for determining the classification level of a data asset?

A. Data volume and storage location.
B. Data format and encryption status.
C. Data creation date and last access time.
D. Legal, regulatory, and business impact if disclosed.
Answer: D

These are the core factors in determining classification.

Why this answer

The classification level of a data asset is primarily determined by the potential harm that could result from its unauthorized disclosure, modification, or loss. Legal, regulatory, and business impact factors—such as compliance with GDPR, HIPAA, or PCI DSS—directly dictate the required confidentiality, integrity, and availability controls. Without assessing these impacts, any classification scheme would be arbitrary and fail to align with organizational risk tolerance.

Exam trap

ISACA often tests the misconception that technical attributes (like encryption or storage location) determine classification, when in reality classification is a business-driven risk decision based on the impact of disclosure.

How to eliminate wrong answers

Option A is wrong because data volume and storage location influence operational decisions (e.g., replication, latency) but do not define the sensitivity or criticality of the data itself; a single record of PII can be far more sensitive than terabytes of public data. Option B is wrong because data format and encryption status are technical controls applied after classification, not criteria for determining the classification level; encryption status can change without altering the inherent sensitivity of the data. Option C is wrong because creation date and last access time are metadata useful for lifecycle management (e.g., retention policies) but irrelevant to the intrinsic value or risk of the data asset.

289
MCQ (hard)

An organization uses a risk-based audit approach. For a high-risk area, the auditor decides to perform 100% testing instead of sampling. Which of the following is a valid reason for this decision?

A. The population size is small and errors are critical
B. The auditor has limited time
C. The tolerable error rate is high
D. The control is automated and always effective
Answer: A

100% testing is justified for small populations with high-severity risks.

Why this answer

When the population is small and errors are critical, 100% testing ensures complete coverage and minimizes risk.

290
Multi-Select (medium)

An organization is implementing a new identity management system. Which THREE of the following are essential requirements for the system?

Select 3 answers
A. Segregation of duties enforcement.
B. Single sign-on capability.
C. Automated user provisioning.
D. Integration with Active Directory.
E. Support for biometric authentication.
Answers: A, C, D

Enforcing SoD is critical to prevent fraud.

Why this answer

Options A, C, and D are essential because segregation of duties enforcement prevents conflicts, automated provisioning ensures timely access, and integration with AD is common for centralized management. Option B (single sign-on) is nice-to-have but not essential. Option E (biometric authentication) is not essential for most environments.

291
MCQ (easy)

An IT manager submits a request to change the firewall configuration during business hours. According to best practices for change management, what should be done FIRST?

A. Obtain approval from the change advisory board
B. Notify all users of the planned change
C. Assess the impact and risk of the proposed change
D. Implement the change immediately to address an urgent threat
Answer: C

Risk assessment is required before approval.

Why this answer

Option C is correct because assessing the impact and risk is the initial step. Option B may be done after assessment. Option A is premature without assessment. Option D is not standard.

292
MCQ (medium)

An organization's IT department implemented a new change management process that requires all changes to be approved by a change advisory board (CAB). A critical security patch needs to be deployed within 2 hours to address an active zero-day vulnerability. The change request was submitted but the CAB is not scheduled to meet for another 24 hours. What is the BEST course of action?

A. Deploy the patch and inform the CAB after the fact during the next meeting.
B. Wait for the next scheduled CAB meeting to approve the change.
C. Deploy the patch immediately without any approval as it is a critical security fix.
D. Use the emergency change process to obtain expedited approval from a designated CAB member.
Answer: D

An emergency change process allows swift approval for critical patches, balancing security and control.

Why this answer

Option D is correct because it aligns with the ITIL-based emergency change process, which allows for expedited approval from a designated CAB member or emergency authority when a critical security patch must be deployed within hours to mitigate an active zero-day vulnerability. This ensures the change is authorized without waiting for the full CAB meeting, maintaining security while preserving governance and audit trails.

Exam trap

The trap here is that candidates may assume any critical security patch can be deployed immediately without approval (Option C) or that informing the CAB after the fact (Option A) is acceptable, but CISA emphasizes that even emergency changes must follow a defined process with expedited approval to maintain control and accountability.

How to eliminate wrong answers

Option A is wrong because deploying the patch without prior approval violates the change management policy and could lead to unauthorized changes, lack of audit trail, and potential conflicts with other changes. Option B is wrong because waiting 24 hours for the next CAB meeting would leave the system exposed to the active zero-day vulnerability, increasing risk of exploitation. Option C is wrong because deploying without any approval bypasses all governance controls, ignoring the need for documented authorization even for emergency fixes, and could cause operational disruptions without coordination.

293
Multi-Select (hard)

Which TWO of the following are the MOST effective controls to prevent unauthorized access to a data center's server room? (Choose two.)

Select 2 answers
A. Server rack locks
B. Mantrap entry
C. CCTV monitoring
D. Visitor logbook
E. Biometric authentication on door
Answers: B, E

Mantrap prevents tailgating and unauthorized entry.

Why this answer

Options B and E are correct because mantrap entry and biometric authentication are preventive physical controls. Option C is incorrect as CCTV is a detective control. Option D is incorrect as a visitor logbook is an administrative control. Option A is incorrect as rack locks are secondary to room access.

294
MCQ (easy)

An IS auditor is reviewing the logical access controls of an enterprise resource planning (ERP) system. The auditor finds that terminated employees' accounts are disabled but not deleted. What is the PRIMARY risk associated with this practice?

A. Disabled accounts could be re-enabled without proper authorization
B. Segregation of duties controls may be compromised
C. System performance may degrade due to accumulation of disabled accounts
D. Audit trail completeness may be affected
Answer: A

If account management is weak, re-enabling could lead to unauthorized access.

Why this answer

The primary risk of disabling rather than deleting terminated employees' accounts is that a disabled account retains its existing privileges and can be re-enabled by an attacker or insider with sufficient access (e.g., a system administrator with compromised credentials). In an ERP system, this could allow unauthorized re-activation of accounts with elevated roles, bypassing the intended termination process and leading to data theft, fraud, or system compromise.

Exam trap

ISACA often tests the misconception that 'disabled accounts are safe because they cannot log in,' but the trap here is that the account's privileges remain intact, making re-enablement the primary risk over performance or audit concerns.

How to eliminate wrong answers

Option B is wrong because segregation of duties (SoD) controls are about preventing a single user from performing conflicting functions; disabled accounts do not actively perform transactions, so SoD is not directly compromised. Option C is wrong because system performance degradation from a few thousand disabled accounts is negligible in modern ERP databases; the real risk is security, not resource consumption. Option D is wrong because audit trail completeness is not affected—disabled accounts still generate logs for access attempts, and deletion would actually remove historical audit records, whereas disabling preserves them.

295
MCQ (easy)

Which of the following is the PRIMARY purpose of an IT governance framework?

A. To ensure IT aligns with and supports business strategy
B. To ensure compliance with laws and regulations
C. To protect IT assets from cyber threats
D. To reduce IT operational costs
Answer: A

Governance frameworks focus on alignment and value delivery.

Why this answer

The primary purpose of an IT governance framework is to ensure that IT investments, strategies, and operations are aligned with and support the overall business strategy, enabling the organization to achieve its goals. This alignment is achieved through mechanisms such as strategic planning, portfolio management, and performance measurement, which are core to frameworks like COBIT 2019. Without this alignment, IT may operate in isolation, leading to wasted resources and missed business opportunities.

Exam trap

The trap here is that candidates often confuse the primary purpose of IT governance with operational or security objectives, such as compliance or cost reduction, because those are more tangible and frequently tested in other domains, but the CISA exam emphasizes that governance is fundamentally about strategic alignment and value delivery.

How to eliminate wrong answers

Option B is wrong because ensuring compliance with laws and regulations is a secondary objective of IT governance, not the primary purpose; compliance is typically addressed through specific controls and policies within the framework, but the framework's overarching goal is strategic alignment. Option C is wrong because protecting IT assets from cyber threats is a function of information security management and risk management, which are components of governance but not its primary purpose; governance focuses on direction and oversight, not operational security. Option D is wrong because reducing IT operational costs is a potential outcome of effective governance, but it is not the primary purpose; cost reduction is a tactical benefit, whereas governance is fundamentally about value creation and strategic alignment.

296
Drag & Drop (medium)

Arrange the steps to implement a patch management process in the correct order.


Why this order

Patch management starts with inventory, then evaluation, testing, deployment, and verification.

297
Multi-Select (hard)

Which THREE of the following are common risks associated with the prototyping methodology?

Select 3 answers
A. Incomplete requirements specification
B. Lack of adequate documentation
C. Prototype being accepted as the final production version
D. User misunderstanding of prototype limitations
E. Scope creep due to frequent changes
Answers: B, C, E

Documentation is often overlooked in prototyping.

Why this answer

Option B is correct because prototyping often prioritizes rapid iteration over formal documentation, leading to incomplete or outdated records of system specifications, design decisions, and user agreements. This lack of adequate documentation creates risks for maintenance, knowledge transfer, and auditability, as the final system may lack the necessary artifacts for ongoing support and compliance.

Exam trap

The trap here is that candidates may confuse 'incomplete requirements specification' (a general risk) with a prototyping-specific risk, but the exam expects recognition that prototyping actually reduces this risk through iterative user feedback, while the three correct answers (B, C, E) are directly tied to the methodology's iterative and informal nature.

298
Multi-Select (medium)

Which TWO of the following are common risks in the procurement of custom-developed software?

Select 2 answers
A. Poor user acceptance
B. Excessive customization
C. Lack of documentation
D. Vendor lock-in
E. Inadequate service level agreements
Answers: C, D

Custom development often lacks thorough documentation.

Why this answer

Lack of documentation (C) is a common risk in custom-developed software because without comprehensive technical and user documentation, the organization faces challenges in maintenance, troubleshooting, and knowledge transfer. This risk is especially acute when the original developers leave, leaving the system opaque and difficult to support. Proper documentation is essential for ongoing operations, audits, and future enhancements.

Exam trap

The trap here is that candidates often confuse 'excessive customization' (a scope/design risk) with a procurement risk, when in fact the procurement risk is about the vendor's control over the software's future (vendor lock-in) and the lack of maintainability (lack of documentation).

299
MCQ (medium)

After a security incident, an organization discovers that an employee accessed sensitive files without authorization. Which of the following is the most effective preventive control to reduce the risk of such unauthorized access?

A. Deploying a data loss prevention (DLP) solution.
B. Implementing background checks on all employees.
C. Conducting regular access reviews and recertification.
D. Enforcing strong password policies.
Answer: C

Access reviews help identify and revoke unnecessary permissions, directly reducing the risk of unauthorized access.

Why this answer

Regular access reviews and recertification (Option C) are the most effective preventive control because they ensure that user permissions are periodically validated against current job roles and business needs. By systematically revoking excessive or outdated entitlements, this process directly reduces the attack surface for unauthorized access, addressing the root cause of privilege creep rather than merely detecting or deterring misuse.

Exam trap

The trap here is that candidates often confuse preventive controls with detective or deterrent controls, selecting DLP (a detective/corrective control) or strong passwords (an authentication control) instead of recognizing that access recertification directly prevents unauthorized access by removing excessive permissions before they can be exploited.

How to eliminate wrong answers

Option A is wrong because a Data Loss Prevention (DLP) solution is primarily a detective and corrective control that monitors and blocks data exfiltration after access has occurred; it does not prevent the initial unauthorized access to sensitive files. Option B is wrong because background checks are a pre-employment screening control that assesses trustworthiness but do not prevent an already-hired employee from subsequently accessing files without authorization. Option D is wrong because enforcing strong password policies only strengthens authentication at the point of login; it does not prevent an authorized user from abusing their legitimate credentials to access files they should not see, which is the core issue in this scenario.

300
Drag & Drop (medium)

Order the steps for performing a disaster recovery test in the correct sequence.


Why this order

DR test: define objectives, prepare, execute, evaluate, and update plan.
