Certified Information Systems Auditor (CISA) — Questions 301–375

509 questions total · 7 pages · All types, answers revealed

Page 5 of 7
301
Multi-Select · hard

An organization is implementing a new cloud-based HR system. The project sponsor wants to skip regular project status meetings to speed up delivery. Which THREE of the following are the MOST significant risks of eliminating these meetings?

Select 3 answers
A.Security requirements may be overlooked.
B.Stakeholders may be unaware of critical project issues.
C.Budget overruns may go unnoticed until the end.
D.Important decisions may not be documented or communicated.
E.Dependencies between project tasks may not be properly managed.
AnswersB, D, E

Meetings are key for issue communication.

Why this answer

Option B is correct because eliminating regular project status meetings removes a key communication channel for escalating critical project issues to stakeholders. Without these meetings, stakeholders may not receive timely updates on security vulnerabilities, integration failures, or compliance gaps in the cloud-based HR system, leading to delayed remediation and potential data breaches. Option D is correct because status meetings are where decisions are recorded and communicated to everyone affected; without them, decisions are made informally and are hard to trace. Option E is correct because the meeting is the point at which task owners reconcile dependencies between work streams; without it, blocking dependencies surface late.

Exam trap

The trap here is that candidates confuse the purpose of status meetings with other project management artifacts, assuming that documentation alone (e.g., project plans, risk registers) can substitute for the real-time communication and decision-making that occurs in these meetings.

302
Multi-Select · medium

Which TWO of the following are physical security controls to prevent unauthorized access to a data center?

Select 2 answers
A.Uninterruptible power supply
B.Cable locks
C.Mantrap
D.Biometric readers
E.Fire suppression system
AnswersC, D

Mantraps prevent tailgating and unauthorized entry.

Why this answer

Mantraps and biometric readers are physical access controls. Fire suppression and UPS are environmental controls. Cable locks secure equipment but do not prevent entry to the data center.

303
Multi-Select · easy

During a disaster recovery test, the team discovers that the backup server is unable to restore data because of incompatible software versions. Which TWO controls should have been implemented to prevent this?

Select 2 answers
A.Maintaining a configuration management database
B.Using cloud-based backup solutions
C.Implementing intrusion detection systems
D.Increasing the frequency of full backups
E.Performing regular patch management
AnswersA, E

Correct: CMDB tracks software versions across environments.

Why this answer

A configuration management database (CMDB) tracks software versions, and a patch management process ensures compatibility. Cloud backups, backup frequency, and IDS do not address version compatibility.

304
MCQ · medium

Which of the following is a potential risk in this RACI matrix?

A.The IT Director is accountable but not informed of all changes.
B.IT Operations is informed, but should be responsible for implementation.
C.The Business Process Owner is consulted, which may delay approvals.
D.The Change Manager is responsible but lacks authority to approve.
AnswerD

If the Change Manager is responsible but not accountable, they may not have approval authority, leading to bypassed controls.

Why this answer

Option D is correct because the Change Manager is marked as Responsible but not Accountable. The Responsible party performs the work, while approval authority sits with the Accountable role; a Responsible party who approves changes without that authority creates a risk of unauthorized approvals and bypassed controls. Option A is not a risk because the Accountable role can be informed after the fact. Option B is not a concern because IT Operations is informed appropriately for its role. Option C is fine; consultation is a normal part of the process.

305
MCQ · easy

An IS auditor is reviewing the system development life cycle (SDLC) methodology. Which phase should include the development of detailed test plans?

A.Requirements definition.
B.System design.
C.Coding and unit testing.
D.User acceptance testing.
AnswerB

Design phase specifies how the system will work, enabling detailed test plans.

Why this answer

Detailed test plans should be developed during the system design phase because this is when the system's architecture, interfaces, and data flows are fully specified. Creating test plans at this stage ensures that tests are aligned with the design specifications and can validate that the implemented system meets the intended technical requirements, rather than waiting until after coding.

Exam trap

The trap here is that candidates confuse the creation of test plans with the execution of tests, incorrectly assuming that test plans are written during user acceptance testing or coding, when in fact they are a design-phase deliverable that drives all subsequent testing activities.

How to eliminate wrong answers

Option A is wrong because the requirements definition phase focuses on gathering and documenting business and functional requirements, not on the technical design details needed to create specific test cases. Option C is wrong because coding and unit testing occur after the test plans are developed; unit tests are typically created by developers during coding, not as part of a formal detailed test plan. Option D is wrong because user acceptance testing is the final validation phase where users execute pre-defined test scripts, not the phase where detailed test plans are originally authored.

306
MCQ · hard

A government agency is developing a case management system for law enforcement. The project follows an agile approach, releasing iterations every two weeks. During a sprint demo, users discover that the system does not redact personally identifiable information (PII) in documents shared with external parties, violating privacy laws. The development team says they planned to add redaction in a future sprint. The product owner wants to prioritize PII redaction immediately. The project manager is concerned that this will disrupt the release schedule. The IS auditor is assessing the project's risk management. Which of the following is the BEST recommendation?

A.Implement network-level restrictions to prevent external sharing.
B.Provide users with training on manual redaction as a workaround.
C.Re-estimate the sprint and include PII redaction as a top priority, adjusting the schedule accordingly.
D.Document the risk and accept the compliance exposure until the planned sprint.
AnswerC

Balances compliance and schedule.

Why this answer

Option C is correct because it aligns with agile risk management principles: when a critical compliance vulnerability (PII exposure) is discovered, the highest-priority user story must be re-estimated and inserted into the current sprint backlog, even if it means adjusting the release schedule. The IS auditor’s focus is on ensuring that the risk is actively mitigated, not deferred, and re-prioritization is the standard agile response to newly identified high-severity risks.

Exam trap

The trap here is that candidates may confuse risk acceptance (Option D) with a valid agile practice, but the IS auditor must prioritize compliance over schedule, and deferring a legal violation is not acceptable risk management when a feasible mitigation exists.

How to eliminate wrong answers

Option A is wrong because network-level restrictions (e.g., firewall rules or DLP policies) do not address the core requirement of redacting PII within documents; they only block external sharing at the transport layer, which is an incomplete and overly restrictive workaround that could hinder legitimate law enforcement data sharing. Option B is wrong because training users on manual redaction introduces human error, is not scalable, and does not provide an auditable, automated control for PII protection, which is required for compliance with privacy laws. Option D is wrong because accepting compliance exposure by deferring the fix to a future sprint violates the principle of timely risk mitigation; an IS auditor would not recommend accepting a known legal violation without a compensating control, especially when the risk is high and the fix is feasible.

307
MCQ · medium

An IT manager notices that the CPU utilization of a critical server consistently exceeds 90% during peak hours. Which is the BEST course of action?

A.Implement load balancing
B.Immediately add more CPUs
C.Increase monitoring frequency
D.Schedule batch jobs during off-peak
AnswerA

Load balancing distributes traffic and reduces CPU utilization on a single server.

Why this answer

Option A is correct because implementing load balancing distributes the workload across multiple servers, addressing the performance issue. Options B, C, and D are not the best; B is hasty, C helps but is not best, D does not fix the problem.

308
MCQ · easy

Which of the following is the PRIMARY purpose of an IT strategy committee?

A.To monitor IT project timelines
B.To manage IT vendor contracts
C.To approve IT project budgets
D.To ensure IT investments support business objectives
AnswerD

Strategic alignment is the primary goal.

Why this answer

Option D is correct because the committee's role is to align IT with business strategy. Option A is operational monitoring. Option B is vendor management, an operational task. Option C is project-specific and too narrow.

309
Multi-Select · easy

An IS auditor is evaluating the reliability of audit evidence. Which TWO of the following are characteristics of reliable audit evidence?

Select 2 answers
A.Independent source
B.Timely
C.Complex
D.Relevant
E.Large quantity
AnswersA, B

Evidence from independent sources is more reliable.

Why this answer

Reliable evidence is independent and timely, increasing objectivity and relevance.

310
MCQ · easy

An organization is planning to replace its legacy accounting system with a commercial off-the-shelf (COTS) software package. Which of the following is the PRIMARY risk of using a COTS solution?

A.The total cost of ownership is likely to be higher than custom development
B.The software may not fully align with the organization's business processes
C.The software may have inherent security vulnerabilities
D.Vendor support may be discontinued after a few years
AnswerB

COTS is generic; customization may be limited or costly.

Why this answer

The primary risk of a COTS solution is that it is designed for a broad market and may not fully align with the organization's specific business processes. This misalignment can force the organization to change its workflows or perform costly customizations, which can negate the benefits of a packaged solution and introduce project delays or failures.

Exam trap

The trap here is that candidates often focus on security or vendor support as the primary risk, but the CISA exam emphasizes that the most immediate and impactful risk in COTS acquisition is the mismatch between the software's capabilities and the organization's business processes.

How to eliminate wrong answers

Option A is wrong because COTS solutions typically have a lower total cost of ownership than custom development, as development, testing, and maintenance costs are shared across many customers. Option C is wrong because, while security vulnerabilities are a concern, they are not the primary risk; COTS vendors often have dedicated security teams and patch cycles, whereas custom code may have more undetected flaws. Option D is wrong because vendor support discontinuation is a risk, but it is a secondary, longer-term risk that can be mitigated through escrow agreements or transition plans, whereas business process misalignment directly threatens project success from the start.

311
MCQ · hard

A healthcare organization has implemented a data classification policy with three levels: Public, Internal, and Restricted. The IT department recently received a report of a potential data breach. An internal auditor discovered that a database containing Protected Health Information (PHI) classified as Restricted was accessible via a web application that did not enforce encryption in transit. The web application uses HTTPS, but the auditor found that the connection was downgraded to HTTP due to a misconfiguration in the load balancer. Additionally, the database logs show that an external IP address queried the database for thousands of patient records over a two-hour period. The database was configured to allow only specific internal application servers, but the firewall rule was incorrectly set to allow connections from any IP address. The security team needs to determine the most effective immediate action to prevent further unauthorized access and protect the data. Which course of action should the security team take FIRST?

A.Correct the firewall rule to restrict database access to only the application servers.
B.Redesign the network architecture to place the database in a separate subnet.
C.Block the external IP address at the network perimeter.
D.Apply a security patch to the web application to enforce HTTPS.
AnswerA

Directly addresses the misconfiguration that allowed exposure.

Why this answer

The firewall rule is the root cause of the unauthorized access — it allowed connections from any IP address, directly enabling the external attacker to query the database. Correcting this rule immediately cuts off all external access to the database, stopping the ongoing breach at the network layer. This is the most effective immediate action because it addresses the misconfiguration that allowed the attack to succeed, regardless of the encryption or web application issues.

Exam trap

The trap here is that candidates focus on the encryption downgrade (HTTPS to HTTP) or the external IP address, but the core vulnerability is the misconfigured firewall rule that allows any IP to access the database directly — a classic 'defense in depth' failure where the network layer control was missing.

How to eliminate wrong answers

Option B is wrong because redesigning the network architecture (e.g., placing the database in a separate subnet) is a longer-term security improvement, not an immediate action to stop the current unauthorized access. Option C is wrong because blocking the external IP address is a reactive, temporary measure — the attacker can easily change IP addresses, and it does not fix the underlying misconfigured firewall rule that allows any IP to connect. Option D is wrong because applying a security patch to enforce HTTPS would prevent future downgrade attacks but does not address the fact that the database is already exposed to any IP address; the attacker can still query the database directly without using the web application.
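The reasoning above turns on one rule: a source of 0.0.0.0/0 on the database port admits the external host no matter what the web tier does. The following added example (not from the question bank; addresses, ports and the rule syntax are assumptions for illustration) evaluates a first-match rule list against the external query source and an application server, and flags any allow rule whose source lies outside the approved application subnet, which is the check an auditor would run before and after the correction.

```python
import ipaddress

# Constructed addressing for the example (assumed, not from the question):
# database host 10.10.20.5 on 5432, application servers in 10.10.10.0/24,
# external querying host 203.0.113.7 (a documentation range standing in for the attacker).
DB_HOST = "10.10.20.5"
DB_PORT = 5432
APP_SUBNET = ipaddress.ip_network("10.10.10.0/24")


def parse_rules(lines):
    """Rule syntax: '<allow|deny> <source CIDR> <destination host> <port>' (first match wins)."""
    rules = []
    for line in lines:
        action, src, dst, port = line.split()
        rules.append((action, ipaddress.ip_network(src), ipaddress.ip_address(dst), int(port)))
    return rules


def evaluate(rules, src_ip, dst_ip, dst_port, default="deny"):
    """Return the action of the first matching rule, or the implicit default."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, net, host, port in rules:
        if src in net and dst == host and dst_port == port:
            return action
    return default


def exposed_sources(rules, dst_ip, dst_port, approved=APP_SUBNET):
    """Allow rules reaching the target whose source is not confined to the approved subnet."""
    dst = ipaddress.ip_address(dst_ip)
    return [str(net) for action, net, host, port in rules
            if action == "allow" and host == dst and port == dst_port
            and not net.subnet_of(approved)]


# The rule as found during the investigation: any source may reach the database.
MISCONFIGURED = parse_rules([f"allow 0.0.0.0/0 {DB_HOST} {DB_PORT}"])

# The corrected rule set: only the application servers, with an explicit deny for everything else.
CORRECTED = parse_rules([
    f"allow 10.10.10.21/32 {DB_HOST} {DB_PORT}",
    f"allow 10.10.10.22/32 {DB_HOST} {DB_PORT}",
    f"deny 0.0.0.0/0 {DB_HOST} {DB_PORT}",
])

if __name__ == "__main__":
    for name, rules in (("misconfigured", MISCONFIGURED), ("corrected", CORRECTED)):
        print(name,
              "external:", evaluate(rules, "203.0.113.7", DB_HOST, DB_PORT),
              "app server:", evaluate(rules, "10.10.10.21", DB_HOST, DB_PORT),
              "exposed:", exposed_sources(rules, DB_HOST, DB_PORT))
```

The trailing explicit deny in the corrected set is deliberate: it makes the intended default visible in the rule list itself rather than relying on an implicit policy that a later edit could change.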

312
MCQ · easy

An organization has outsourced its IT operations to a third-party provider. The IS auditor is planning an audit of the outsourced services. What is the most appropriate source of audit evidence?

A.Service provider's financial statements
B.Interviews with provider's staff
C.Service auditor's SOC 2 report
D.Internal audit reports from the provider
AnswerC

SOC 2 reports provide a reliable, independent evaluation of controls relevant to security, availability, etc.

Why this answer

A SOC 2 report (Service Organization Control 2) is specifically designed to provide assurance over a service provider's controls related to security, availability, processing integrity, confidentiality, and privacy. It is issued by an independent service auditor and is the most reliable and relevant source of audit evidence when auditing outsourced IT operations, as it directly addresses the controls in place at the provider.

Exam trap

The trap here is that candidates often choose interviews with provider's staff (Option B) because they seem like direct evidence, but they lack the independence and systematic testing that a SOC 2 report provides, which is the gold standard for third-party assurance.

How to eliminate wrong answers

Option A is wrong because the service provider's financial statements are irrelevant to the operational effectiveness of IT controls; they provide financial health information, not assurance over IT processes or security. Option B is wrong because interviews with the provider's staff are subjective, lack independent verification, and are not considered sufficient audit evidence on their own for control effectiveness. Option D is wrong because internal audit reports from the provider are not independent; they are prepared by the provider's own internal audit function, which lacks the objectivity and external scrutiny required for reliable audit evidence.

313
MCQ · easy

Refer to the exhibit. A developer is inserting a new employee record. What is the cause of this error?

A.The column 'email' does not exist
B.The email 'john.doe@example.com' already exists in the table
C.The table is full
D.The employee_id 101 already exists
AnswerB

Unique constraint violation.

Why this answer

The error message indicates a violation of a UNIQUE constraint on the 'email' column. The INSERT statement attempts to add 'john.doe@example.com', but that value already exists in the table. The database rejects the operation because the constraint ensures no duplicate email addresses are allowed.

Exam trap

The trap here is that candidates may misread the error message and assume it refers to a primary key violation (employee_id) rather than recognizing the specific wording of a UNIQUE constraint violation on the email column.

How to eliminate wrong answers

Option A is wrong because the error message explicitly references a UNIQUE constraint violation, not a missing column; if the column did not exist, the error would be 'column not found' or similar. Option C is wrong because a full table would produce a 'table is full' or disk-full error, not a constraint violation. Option D is wrong because the error message does not mention a primary key or unique constraint on employee_id; the violation is specifically on the email column, not the employee_id.
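Since the exhibit is not reproduced here, the following added example (not from the question bank) rebuilds the situation in SQLite: a table with a primary key on employee_id and a UNIQUE constraint on email, one existing row for john.doe@example.com, and an insert that reuses that address. The table and column names are assumptions chosen to match the question's wording; the point is that the error names the violated constraint's column, which is how the options are told apart.

```python
import sqlite3


def build_db():
    """In-memory table with the constraints the question describes (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        CREATE TABLE employees (
            employee_id INTEGER PRIMARY KEY,
            name        TEXT NOT NULL,
            email       TEXT NOT NULL UNIQUE
        )""")
    # Existing row that the developer's insert will collide with.
    conn.execute("INSERT INTO employees VALUES (100, 'John Doe', 'john.doe@example.com')")
    conn.commit()
    return conn


def try_insert(conn, employee_id, name, email):
    """Attempt the insert; return (ok, message).

    Only IntegrityError is caught so that other failures (missing column,
    disk full) still surface as themselves rather than being mistaken for a
    constraint violation. Placeholders are used so input is never spliced into SQL.
    """
    try:
        conn.execute(
            "INSERT INTO employees (employee_id, name, email) VALUES (?, ?, ?)",
            (employee_id, name, email),
        )
        conn.commit()
        return True, "inserted"
    except sqlite3.IntegrityError as exc:
        conn.rollback()
        return False, str(exc)


def count_rows(conn):
    return conn.execute("SELECT COUNT(*) FROM employees").fetchone()[0]


if __name__ == "__main__":
    db = build_db()
    # Duplicate email: rejected, and the message names employees.email.
    print(try_insert(db, 101, "Jane Roe", "john.doe@example.com"))
    # Same employee_id, fresh email: accepted.
    print(try_insert(db, 101, "Jane Roe", "jane.roe@example.com"))
    # Duplicate primary key: rejected, and the message names employee_id instead.
    print(try_insert(db, 101, "Dup Id", "dup@example.com"))
    print(count_rows(db), "rows")
```

The second and third calls are the check behind the elimination of Option D: the same employee_id value is accepted when the email is new, and a duplicate key produces a message that names employee_id rather than email.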

314
MCQ · hard

Based on the exhibit, the IS auditor is reviewing access to the payroll folder. Which of the following is the MOST significant finding?

A.Internal_Audit group has Read access to payroll data
B.User asmith has only Read access to payroll
C.HR_Managers group has Full Control over payroll
D.Potential excessive privileges for user jdoe due to overlapping permissions
AnswerD

Overlapping permissions may grant unintended access.

Why this answer

Option D is the most significant finding because user jdoe has overlapping permissions from multiple group memberships (e.g., HR_Managers and Payroll_Admin), which can result in unintended cumulative effective permissions. In Windows NTFS, effective permissions are the sum of all allowed permissions from each group, minus any explicit denies, so overlapping group memberships often grant more access than intended, violating the principle of least privilege.

Exam trap

The trap here is that candidates may focus on individual permission levels (Read vs. Full Control) rather than the cumulative effect of overlapping group memberships, which is the more critical security concern in access control auditing.

How to eliminate wrong answers

Option A is wrong because the Internal_Audit group having Read access to payroll is appropriate for audit purposes and does not represent a security risk; auditors need read-only access to review data without modifying it. Option B is wrong because user asmith having only Read access is a proper restriction and not excessive; it aligns with least privilege if asmith's role only requires viewing payroll data. Option C is wrong because HR_Managers having Full Control over payroll is expected for their job function to manage employee records; this is not a finding unless the group membership is improperly broad.
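The explanation describes how NTFS effective permissions accumulate across group memberships and how explicit denies are subtracted. The following added example (not from the question bank; the ACL, group memberships and role baselines are constructed for illustration, since the exhibit is not reproduced) computes effective rights the same way and, for the audit workpaper, attributes each right to the group that grants it and reports what exceeds the role baseline.

```python
# Constructed ACL and group memberships for a payroll share; these are assumed
# values for the example, not the exhibit's actual access list.
FULL_CONTROL = frozenset({"read", "write", "execute", "delete",
                          "change_permissions", "take_ownership"})
MODIFY = frozenset({"read", "write", "execute", "delete"})
READ_EXECUTE = frozenset({"read", "execute"})

# Access control entries: (trustee, "allow" | "deny", rights granted or denied)
PAYROLL_ACL = [
    ("HR_Managers", "allow", FULL_CONTROL),
    ("Payroll_Admin", "allow", MODIFY),
    ("Internal_Audit", "allow", READ_EXECUTE),
    ("Contractors", "deny", frozenset({"write", "delete"})),
]

GROUP_MEMBERSHIP = {
    "jdoe": {"HR_Managers", "Payroll_Admin"},
    "asmith": {"Internal_Audit"},
    "bkhan": {"Payroll_Admin", "Contractors"},
}

# Rights each role is expected to need (assumed for the example).
ROLE_BASELINE = {
    "jdoe": MODIFY,          # payroll administrator: edits records, no permission changes
    "asmith": READ_EXECUTE,  # auditor: read only
    "bkhan": READ_EXECUTE,   # contractor: read only
}


def effective_rights(user, acl=PAYROLL_ACL, membership=GROUP_MEMBERSHIP):
    """Cumulative allow rights across the user and all groups, minus explicit denies."""
    principals = {user} | membership.get(user, set())
    allowed, denied = set(), set()
    for trustee, kind, rights in acl:
        if trustee not in principals:
            continue
        (allowed if kind == "allow" else denied).update(rights)
    return frozenset(allowed - denied)


def rights_by_source(user, acl=PAYROLL_ACL, membership=GROUP_MEMBERSHIP):
    """Map each effective right to the trustees that grant it."""
    effective = effective_rights(user, acl, membership)
    principals = {user} | membership.get(user, set())
    sources = {}
    for trustee, kind, rights in acl:
        if kind != "allow" or trustee not in principals:
            continue
        for right in rights & effective:
            sources.setdefault(right, set()).add(trustee)
    return sources


def excess_rights(user, baseline=ROLE_BASELINE):
    """Rights beyond the role baseline: the least-privilege finding."""
    return effective_rights(user) - baseline[user]


if __name__ == "__main__":
    for user in GROUP_MEMBERSHIP:
        print(user, sorted(effective_rights(user)), "excess:", sorted(excess_rights(user)))
        for right, groups in sorted(rights_by_source(user).items()):
            print("   ", right, "<-", sorted(groups))
```

Under these assumptions jdoe ends up with Full Control, and the attribution shows that change_permissions and take_ownership come only from HR_Managers: the finding is the membership, not the Payroll_Admin entry itself. The bkhan case shows the deny subtraction, so a Modify grant through Payroll_Admin collapses to read and execute.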

315
MCQ · hard

An organization uses a third-party cloud service for data storage. Which of the following is the BEST way to ensure data confidentiality in the event of a cloud provider breach?

A.Rely on the cloud provider's encryption at rest
B.Use TLS for data in transit
C.Implement client-side encryption before uploading data
D.Deploy a cloud access security broker (CASB) with DLP
AnswerC

Client-side encryption ensures only the organization controls keys.

Why this answer

Client-side encryption ensures that data is encrypted before it leaves the organization's control, so the cloud provider never has access to the plaintext or the encryption keys. In the event of a provider breach, the encrypted data remains confidential because only the organization holds the keys to decrypt it. This is the only option that guarantees confidentiality regardless of the cloud provider's security posture.

Exam trap

ISACA often tests the distinction between encryption at rest (provider-managed) and client-side encryption, where candidates mistakenly assume that any encryption at rest is sufficient to protect against a provider breach.

How to eliminate wrong answers

Option A is wrong because relying on the cloud provider's encryption at rest means the provider manages the encryption keys; if the provider is breached, an attacker could potentially access those keys or the decrypted data. Option B is wrong because TLS protects data only while it is in transit between the client and the cloud; once the data reaches the cloud storage, it is no longer protected by TLS and would be exposed in a breach. Option D is wrong because a CASB with DLP can monitor and enforce policies but does not encrypt the data itself; if the cloud provider is breached, the stored data (even if monitored) remains in plaintext or provider-managed encrypted form and could be accessed by the attacker.

316
MCQ · easy

A company requires employees to use smart cards for facility access. Which additional control would BEST prevent tailgating?

A.Require biometric authentication
B.Use keypad locks on doors
C.Conduct random audits of access logs
D.Install mantraps at entry points
AnswerD

Mantraps create a physical barrier that allows only one authenticated person to enter at a time, preventing tailgating.

Why this answer

Mantraps prevent tailgating by allowing only one person per authentication. Biometrics address identity, not tailgating. Random audits are detective.

Keypad locks are simple and do not prevent tailgating.

317
MCQ · hard

A company has been developing a custom inventory management system using Scrum. In the current sprint, the team discovered that the integration module with the legacy ERP system has severe performance issues: under peak load, transactions time out and fail. The product owner is concerned because the release is scheduled in two weeks. The development team estimates that a proper fix will take three weeks. A similar issue occurred in a previous sprint and was temporarily resolved by reducing the number of concurrent transactions, which lowered performance but kept the system operational. The stakeholders are anxious about the deadline because the legacy ERP will be retired shortly after the planned go-live. What is the BEST action for the team to take?

A.Reduce the scope of the release to exclude the ERP integration feature entirely
B.Delay the release by one week to complete the proper fix (three weeks total)
C.Add two additional developers to the team to complete the fix within the original two-week timeline
D.Apply the same workaround for the go-live and plan a permanent fix in a later release
AnswerB

A one-week delay allows a proper fix, ensuring system reliability.

Why this answer

Option B is correct because delaying the release by one week allows the team to implement a proper, permanent fix for the ERP integration module's performance issue, which is critical given that the legacy ERP will be retired shortly after go-live. A temporary workaround would risk system instability and transaction failures under peak load, potentially causing data loss or corruption during the transition. The three-week estimate for a proper fix addresses the root cause, ensuring the system can handle peak loads reliably before the legacy system is decommissioned.

Exam trap

The trap here is that candidates may choose Option D (workaround) because it seems pragmatic and avoids delaying the release, but they fail to recognize that the legacy ERP's imminent retirement makes a later permanent fix impossible, leaving the system with a critical, unresolved performance flaw.

How to eliminate wrong answers

Option A is wrong because completely excluding the ERP integration feature would render the inventory management system unable to communicate with the legacy ERP, breaking core business functionality and likely making the release unusable. Option C is wrong because adding two developers to a Scrum team mid-sprint typically disrupts velocity, introduces ramp-up time, and does not linearly reduce development time for a complex performance fix; Brooks' law suggests this could delay rather than accelerate the fix. Option D is wrong because applying the same workaround (reducing concurrent transactions) would lower system performance and risk transaction timeouts under peak load, and with the legacy ERP being retired soon, there would be no opportunity for a later permanent fix, leaving the system vulnerable to failure.

318
MCQ · medium

A retail company is merging with a competitor. The IT departments of both organizations have different IT governance structures: Company A uses a centralized model with strict change management, while Company B uses a decentralized model with autonomous business unit IT. The CIO has been tasked with integrating the IT functions post-merger. The board expects cost synergies and improved service levels. The integration team is facing resistance from Company B's business heads who fear loss of agility. The CIO needs to propose a governance model for the merged entity. Which approach would BEST meet the board's expectations while addressing resistance?

A.Keep both models separate and allow business units to choose their preferred model.
B.Adopt Company B's decentralized model to preserve agility.
C.Immediately impose Company A's centralized model across the merged entity.
D.Implement a phased integration with a transitional governance structure that includes representatives from both sides.
AnswerD

Phased integration respects both cultures and reduces resistance.

Why this answer

Option D is correct because a phased integration with interim governance allows gradual convergence, managing change and resistance while building toward synergy. Option C is wrong because immediate full centralization may cause disruption and strong resistance. Option B is wrong because adopting the decentralized model may not achieve the cost synergies the board expects. Option A is wrong because maintaining both models permanently does not achieve integration.

319
Multi-Select · hard

An IS auditor is assessing the effectiveness of an organization's IT governance framework. Which THREE of the following are key indicators of a mature governance process?

Select 3 answers
A.Defined roles and responsibilities for IT decisions
B.Annual IT budget approval by senior management
C.Existence of an IT steering committee
D.Outsourcing of all IT operations
E.Regular measurement of IT performance against metrics
AnswersA, C, E

Clear accountability is a hallmark of governance maturity.

Why this answer

Mature governance includes defined roles, performance measurement, and an IT steering committee for oversight.

320
MCQ · hard

The exhibit shows a log entry from a domain controller. The IS auditor is investigating account lockout issues. What is the MOST likely cause of this event?

A.Multiple failed authentication attempts from the backup server
B.The service account password has expired
C.The service account does not exist
D.The service account has been disabled by an administrator
AnswerA

Account lockout is triggered by multiple failed attempts.

Why this answer

The log entry shows a failed authentication attempt from the backup server's IP address (10.0.0.15) using the service account 'svc_backup'. The event ID 4625 indicates an account logon failure, and the 'Failure Reason' field explicitly states 'Unknown user name or bad password'. Since the account name is correct, the most likely cause is multiple failed authentication attempts (e.g., due to a stale or incorrect password cached in the backup software) leading to account lockout, not a single event.

Exam trap

The trap here is that candidates assume a single failed logon event directly indicates lockout, but the question asks for the 'MOST likely cause' of the lockout issue, which is the accumulation of multiple failed attempts from the same source (the backup server) due to a mismatched password.

How to eliminate wrong answers

Option B is wrong because an expired password is reported in event 4625 with Sub Status 0xC0000071 (password expired), not the bad-password Sub Status 0xC000006A that accompanies the 'Unknown user name or bad password' text. Option C is wrong because a non-existent account is reported with Sub Status 0xC0000064 (user name does not exist); the Failure Reason text is deliberately the same generic string for both cases so that an attacker cannot enumerate valid accounts, which is why the Sub Status field must be read. Option D is wrong because a disabled account produces the Failure Reason 'Account currently disabled' (Sub Status 0xC0000072), not 'Unknown user name or bad password'. The lockout itself, once the threshold is reached, is recorded on the domain controller as event 4740, which names the calling computer and is the record that ties the lockout back to the backup server.
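The elimination above depends on reading the Sub Status codes rather than the generic Failure Reason text, and on counting failures per source rather than reacting to one event. The following added example (not from the question bank; the log lines are constructed, flattened to one line per event, and the five-failures-in-thirty-minutes threshold is an assumed lockout policy) does both: it classifies each 4625 by its NTSTATUS codes and finds the account/source pairs that reached the threshold inside the window, then pairs them with the 4740 caller.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of domain controller Security log entries, flattened to one
# line each. Made-up records for the example, not the exhibit.
SAMPLE_LOG = """\
2024-03-04T02:00:01 EventID=4625 Account=svc_backup Source=10.0.0.15 Status=0xC000006D SubStatus=0xC000006A
2024-03-04T02:00:09 EventID=4625 Account=svc_backup Source=10.0.0.15 Status=0xC000006D SubStatus=0xC000006A
2024-03-04T02:00:17 EventID=4625 Account=svc_backup Source=10.0.0.15 Status=0xC000006D SubStatus=0xC000006A
2024-03-04T02:00:25 EventID=4625 Account=svc_backup Source=10.0.0.15 Status=0xC000006D SubStatus=0xC000006A
2024-03-04T02:00:33 EventID=4625 Account=svc_backup Source=10.0.0.15 Status=0xC000006D SubStatus=0xC000006A
2024-03-04T02:00:41 EventID=4625 Account=svc_backup Source=10.0.0.15 Status=0xC0000234 SubStatus=0x0
2024-03-04T02:00:41 EventID=4740 Account=svc_backup Source=10.0.0.15
2024-03-04T08:15:00 EventID=4625 Account=jdoe Source=10.0.0.77 Status=0xC000006D SubStatus=0xC000006A
2024-03-04T09:30:00 EventID=4625 Account=ghost Source=10.0.0.99 Status=0xC000006D SubStatus=0xC0000064
"""

# NTSTATUS codes as they appear in the 4625 Status / Sub Status fields.
REASON = {
    "0xC000006A": "bad password",
    "0xC0000064": "user name does not exist",
    "0xC0000072": "account disabled",
    "0xC0000071": "password expired",
    "0xC0000234": "account locked out",
}


def parse(log):
    """Turn the flattened lines into dicts with a datetime under 'ts'."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        fields = dict(p.split("=", 1) for p in parts[1:])
        fields["ts"] = datetime.fromisoformat(parts[0])
        events.append(fields)
    return events


def reason(event):
    """Failure reason from the codes; 'locked out' is carried in Status, the rest in Sub Status."""
    code = event.get("Status") if event.get("Status") == "0xC0000234" else event.get("SubStatus")
    return REASON.get(code, "other")


def lockout_suspects(events, threshold=5, window=timedelta(minutes=30)):
    """Account/source pairs whose bad-password failures reach `threshold` within `window`
    (assumed lockout policy). Returns {(account, source): peak count in window}."""
    failures = defaultdict(list)
    for e in events:
        if e["EventID"] == "4625" and reason(e) == "bad password":
            failures[(e["Account"], e["Source"])].append(e["ts"])
    suspects = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                suspects[key] = max(suspects.get(key, 0), count)
    return suspects


def lockout_callers(events):
    """Caller recorded on the 4740 lockout events (the DC's Caller Computer Name field)."""
    return {e["Account"]: e["Source"] for e in events if e["EventID"] == "4740"}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for e in evs:
        print(e["ts"].isoformat(), e["EventID"], e["Account"], e["Source"], reason(e))
    print("suspects:", lockout_suspects(evs))
    print("4740 callers:", lockout_callers(evs))
```

Only svc_backup from 10.0.0.15 reaches the threshold; jdoe's single failure and the non-existent account ghost do not, even though all three carry the same Failure Reason text in the event.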

321
MCQ · medium

An IS auditor is reviewing a system development project and notices that user acceptance testing (UAT) is being conducted in the production environment due to lack of a separate test environment. What is the primary risk?

A.System availability issues
B.Performance degradation
C.Security breaches due to unauthorized access
D.Data integrity violations
AnswerC

UAT in production exposes sensitive data and may lead to breaches.

Why this answer

Conducting UAT in production exposes sensitive production data and live systems to test scripts and to testers who may not be authorized to see that data, creating a direct path to a security breach. Production access controls and audit trails are designed around operational roles, not around isolating test activity, so test users and test accounts tend to receive broader access than their task requires and their actions mix with genuine activity in the logs. This undermines the separation of test and production environments and can lead to compliance issues under standards such as PCI DSS or HIPAA.

Exam trap

The trap here is that candidates focus on operational impacts like performance or availability, but the CISA exam emphasizes that the highest risk from using production for testing is the compromise of sensitive data and unauthorized access, not just system slowdowns.

How to eliminate wrong answers

Option A is wrong because system availability issues are a secondary concern; the primary risk is not that the system becomes unavailable but that unauthorized access or data leakage occurs. Option B is wrong because performance degradation is a potential side effect but not the primary risk; the core issue is the security and integrity of production data. Option D is wrong because while data integrity violations could occur, they are a consequence of unauthorized access or modification, not the primary risk itself; the root cause is the lack of a separate test environment leading to security breaches.

322
Multi-Select · medium

An IS auditor is evaluating the effectiveness of a backup strategy for a critical database. Which TWO of the following are essential controls to ensure data recoverability?

Select 2 answers
A.Storing backups offsite
B.Encrypting backup tapes
C.Performing regular restoration tests
D.Labeling tapes with dates
E.Using high-capacity media
AnswersA, C

Correct: Offsite storage protects against site-level disasters.

Why this answer

Regular restoration tests verify that backups are recoverable, and offsite storage ensures availability after a site disaster. Encryption, labeling, and capacity are security or operational considerations but not essential for recoverability.

323
MCQ · hard

An organization has decentralized IT management with each business unit making its own technology decisions. Which of the following is the BEST way to maintain enterprise-wide governance?

A.Deploy a single enterprise resource planning (ERP) system across all units.
B.Require all IT projects to be approved by the corporate IT department.
C.Create a central IT budget that allocates funds to business units.
D.Establish an enterprise architecture review board with representatives from all business units.
AnswerD

This provides governance without removing unit autonomy.

Why this answer

Option D is correct because an enterprise architecture review board with representatives from every business unit keeps technology decisions aligned with enterprise standards while respecting the decentralized operating model. Option B is too centralized: routing every project through corporate IT removes the autonomy the organization has chosen. Option A forces a single system on all units, which may not suit their differing needs and is a technology decision rather than a governance mechanism.

Option C addresses budgeting, not governance of technology decisions.

324
Multi-Selectmedium

Which TWO of the following are examples of detective controls? (Choose two.)

Select 2 answers
A.Firewall rules that block unauthorized traffic.
B.Regular review of security incident logs.
C.Intrusion detection system (IDS) alerts.
D.Encryption of sensitive data at rest.
E.Access control lists (ACLs) on network devices.
AnswersB, C

Log review is a detective control that identifies past events.

Why this answer

Review of security incident logs (B) and intrusion detection system alerts (C) are detective controls: they identify events after they occur. Firewall rules (A), encryption of data at rest (D), and ACLs (E) are preventive controls that stop unauthorized traffic or access before it happens.

325
MCQeasy

A company's backup policy requires that backup media be stored offsite. Which of the following is the PRIMARY reason for this requirement?

A.To ensure data is available in case of a site disaster
B.To reduce backup storage costs
C.To comply with regulatory requirements
D.To protect against theft
AnswerA

Offsite storage keeps a recoverable copy available when the primary site is destroyed or inaccessible.

Why this answer

Option A is correct because offsite storage ensures data remains available for recovery after a site disaster. Options B, C, and D are secondary or incorrect: offsite storage usually adds cost rather than reducing it, regulatory compliance is a consequence of the requirement rather than its purpose, and offsite storage does not by itself protect media from theft.

326
MCQmedium

During an audit of a cloud service provider, the IS auditor finds that the provider's datacenter access logs show multiple successful logins by an employee during non-business hours over several weeks. The employee works in the sales department. What should the auditor do first?

A.Recommend disabling the employee's access immediately.
B.Review the access rights policy and compare with actual access.
C.Discuss with the employee's supervisor to verify if access was authorized.
D.Report the finding immediately to senior management.
AnswerC

This is the appropriate first step to confirm authorization.

Why this answer

Option C is correct because the IS auditor's first priority is to gather evidence and understand the context before taking action. The employee's sales role and non-business hours access may be legitimate (e.g., supporting a client in a different time zone). Discussing with the supervisor is a standard audit procedure to verify authorization, aligning with ISACA's audit evidence collection and due professional care.

Exam trap

The trap here is that candidates confuse the auditor's role with that of a security incident responder, leading them to choose immediate disabling or escalation without first performing due diligence through inquiry and evidence gathering.

How to eliminate wrong answers

Option A is wrong because immediately disabling access is a management action, not an auditor's role; the auditor should first verify if the access was authorized before recommending any changes. Option B is wrong because reviewing the access rights policy and comparing with actual access is a subsequent step after confirming the context; the policy review alone does not determine if this specific instance was authorized or an anomaly. Option D is wrong because reporting to senior management is premature without first understanding the situation; escalation should occur after initial verification and if unauthorized access is confirmed.

327
MCQmedium

An e-commerce company stores customer payment card data in a tokenized database. The tokenization system replaces credit card numbers with tokens, and the actual card numbers are stored in a separate, highly restricted vault. The company is audited for Payment Card Industry Data Security Standard (PCI DSS) compliance. During the audit, it is discovered that the tokenization system sometimes fails due to high load, causing the application to fall back to storing actual card numbers temporarily. This fallback mechanism was not documented or approved. The company also uses the same encryption key for the vault as for other non-sensitive data. The auditor identifies several non-compliances. Which of the following should the company prioritize to remediate?

A.Replace the tokenization system with end-to-end encryption
B.Remove the fallback mechanism and ensure the tokenization system has appropriate redundancy
C.Use a separate encryption key for the vault
D.Increase the capacity of the tokenization server to handle peak loads
AnswerB

Eliminating the fallback prevents storage of raw card numbers.

Why this answer

Option B is correct because the undocumented fallback writes actual card numbers into the application database whenever the tokenization service is overloaded, directly exposing cardholder data and violating the PCI DSS requirement to protect stored account data. Removing the fallback (failing closed) and giving the tokenization service enough redundancy to stay available eliminates that exposure.

Option C (a separate key for the vault) is also a genuine non-compliance and must be fixed, but it is a key-management weakness, not a direct leak of cleartext data. Option D (more capacity) only makes the fallback trigger less often; it does not remove it. Option A replaces a working tokenization design with a different architecture, a larger change than the finding requires.
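Added example (not part of the question bank): the fail-open fallback the question describes, beside the fail-closed version that remediation calls for, plus a crude detective check an auditor could run over stored records. The vault, the token format, and the test card number are constructed stand-ins, not any real tokenization product.

```python
"""Tokenization front end: fail-open fallback vs. fail-closed handling.

Hypothetical example. TokenVault is an in-memory stand-in for the
restricted PAN store; the order list stands in for the application DB.
"""
import secrets


class VaultUnavailable(Exception):
    """Raised when the token vault cannot be reached (simulates overload)."""


class TokenVault:
    """Minimal vault: maps random tokens to PANs. Only this object holds PANs."""

    def __init__(self, available=True):
        self.available = available
        self._store = {}  # token -> PAN

    def tokenize(self, pan):
        if not self.available:
            raise VaultUnavailable("vault timed out under load")
        token = "tok_" + secrets.token_hex(8)  # random, not derived from the PAN
        self._store[token] = pan
        return token


def store_order_fail_open(orders, vault, pan):
    """The audited behaviour: on vault failure the raw PAN is written to the app DB."""
    try:
        value = vault.tokenize(pan)
    except VaultUnavailable:
        value = pan  # undocumented fallback: cleartext PAN lands in the order table
    orders.append({"card": value})
    return value


def store_order_fail_closed(orders, vault, pan):
    """Remediated behaviour: no token means no order; the PAN never reaches the app DB."""
    value = vault.tokenize(pan)  # VaultUnavailable propagates; caller retries or fails
    orders.append({"card": value})
    return value


def looks_like_pan(value):
    """Crude detective check: 13-19 digits passing the Luhn checksum."""
    digits = value.replace(" ", "")
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_for_cleartext_pans(orders):
    """Count stored records whose card field looks like a raw PAN."""
    return sum(1 for o in orders if looks_like_pan(o["card"]))
```

The scan is only a sanity check for an audit sample; it would miss PANs stored in other encodings, which is why removing the fallback, not detecting its output, is the remediation.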

328
MCQhard

An organization outsources its data center operations. What is the BEST way to ensure the service provider's controls are effective?

A.Conduct periodic third-party audits
B.Rely on the provider's internal audit reports
C.Monitor service level agreements only
D.Require the provider to implement all organizational controls
AnswerA

Correct. Independent audits validate control design and operation.

Why this answer

Option A is correct because independent third-party audits provide objective verification that the provider's controls are designed appropriately and operating effectively. Option B is incorrect because the provider's internal audit lacks independence from the provider. Option D is incorrect because requiring the provider to implement all of the organization's own controls is impractical and expensive, and still does not verify effectiveness.

Option C is incorrect because SLAs measure service performance, not control effectiveness.

329
MCQhard

You are an IS auditor reviewing the remote access configuration for a medium-sized enterprise. The company uses a VPN concentrator to allow employees to connect from home. The VPN is configured with IPsec using pre-shared keys (PSK) and requires no multi-factor authentication. Employees use company-issued laptops with full disk encryption. The VPN logs show that connections are coming from a wide range of IP addresses, including some from countries where the company has no business operations. The IT manager argues that the PSK is changed monthly and that full disk encryption mitigates any risk. However, during the audit, you find that the PSK is stored in a shared document on an internal file server accessible to all employees. Additionally, the VPN concentrator uses a single PSK for all users. Which of the following is the MOST critical finding?

A.The PSK is changed monthly, but the change interval is too long
B.The VPN uses a single pre-shared key for all users, increasing the risk of widespread compromise
C.Full disk encryption on laptops is not sufficient to protect VPN credentials
D.VPN connections from unexpected countries indicate possible unauthorized access
AnswerB

Single PSK creates a single point of failure.

Why this answer

The use of a single pre-shared key (PSK) for all VPN users is the most critical finding because it creates a single point of failure: if that key is compromised, an attacker can impersonate any authorized user and gain full network access. The fact that the PSK is stored in a shared document accessible to all employees dramatically increases the likelihood of exposure, and changing it monthly does not remediate the fundamental lack of user-level authentication. Without per-user credentials or multi-factor authentication, the VPN concentrator cannot distinguish between legitimate employees and an attacker who possesses the shared key.

Exam trap

The trap here is that candidates focus on the visible symptom (unexpected IP addresses) or the partial control (monthly PSK rotation) rather than recognizing that a single shared secret for all users is a fundamental architectural flaw that undermines all other controls.

How to eliminate wrong answers

Option A is wrong because the monthly PSK change interval is not the core issue; even a daily change would not fix the lack of per-user authentication or the risk of a single shared secret being exposed. Option C is wrong because full disk encryption protects data at rest on the laptop, but it does not protect the PSK when it is stored in a shared document on a file server or when it is used during VPN authentication. Option D is wrong because, while connections from unexpected countries are suspicious and warrant investigation, they are not as critical as the fundamental authentication weakness; the single PSK means that any attacker who obtains the key can connect from anywhere, making the geographic anomaly a symptom rather than the root cause.

330
MCQeasy

An IS auditor is planning an audit of a newly implemented financial system. Which of the following is the PRIMARY consideration when determining the audit scope?

A.Management's request to include all modules
B.Previous audit findings and recommendations
C.Risk assessment of the financial system
D.Regulatory requirements applicable to the system
AnswerC

Risk assessment identifies areas with highest impact and likelihood, guiding scope.

Why this answer

The primary consideration for determining audit scope is a risk assessment of the financial system. ISACA standards require auditors to use a risk-based approach to focus audit efforts on areas with the highest residual risk, ensuring that resources are allocated to the most critical controls and processes. Without a risk assessment, the scope may be too broad or miss key vulnerabilities, such as segregation of duties or access control weaknesses in the new system.

Exam trap

The trap here is that candidates often select regulatory requirements (Option D) as primary because they are mandatory, but the IS auditor must first perform a risk assessment to determine which regulatory requirements are most relevant and how to scope the audit effectively.

How to eliminate wrong answers

Option A is wrong because management's request to include all modules is a stakeholder preference, not a risk-based scoping criterion; including all modules without risk analysis can lead to inefficient audits and missed high-risk areas. Option B is wrong because previous audit findings and recommendations are historical inputs that inform the risk assessment but are not the primary driver for scoping a newly implemented system, which may have different risks. Option D is wrong because regulatory requirements are mandatory compliance factors that must be included in the scope, but they are a subset of the broader risk assessment; the risk assessment determines which regulatory requirements are most relevant and how deeply to test them.

331
MCQmedium

Refer to the exhibit. An IS auditor reviewing backup logs notices this error. Which of the following is the MOST likely root cause?

A.Backup script has a syntax error
B.Incorrect database credentials
C.Storage array is offline
D.Insufficient disk space on backup target
AnswerC

Correct: Offline array prevents mounting.

Why this answer

The error indicates failure to mount the backup target, implying a connectivity issue with the storage array. A syntax error would produce a script error; disk space would show a different error; authentication would show a credentials error.

332
Multi-Selecteasy

Which TWO of the following are essential elements of a business continuity plan (BCP) for a newly developed system?

Select 2 answers
A.Testing schedule for the BCP
B.List of incident response team members
C.Detailed system architecture
D.Recovery time objectives (RTOs)
E.Backup and recovery procedures
AnswersD, E

RTOs define maximum acceptable downtime.

Why this answer

Recovery time objectives (RTOs) are essential because they define the maximum acceptable downtime for the system, directly driving the design of backup and recovery strategies. Without RTOs, the BCP cannot prioritize recovery actions or allocate resources effectively, making them a foundational element for any newly developed system.

Exam trap

The trap here is confusing operational components (testing schedule, incident response team) with the core strategic elements (RTOs and recovery procedures) that must be defined before a BCP can be considered complete for a new system.

333
MCQmedium

Refer to the exhibit. A cloud load balancer uses this JSON configuration. A request arrives from source IP 10.0.1.100 to port 80. Which backend pool will receive the request?

A.The request is dropped
B.backend-pool-1
C.The request is sent to both pools
D.backend-pool-2
AnswerA

No matching rule and no default.

Why this answer

The exhibit (not reproduced on this page) defines forwarding rules whose conditions, such as a source address range together with a destination port, must all be satisfied before traffic is sent to a backend pool, and it defines no default pool. A request from 10.0.1.100 to port 80 does not satisfy every condition of any rule, so no pool is selected, and with no default action the load balancer drops the request.

Option A is correct because unmatched traffic has nowhere to go: the configuration neither matches it nor provides a default pool.

Exam trap

ISACA tests the misconception that a rule matching only some of a request's attributes (for example the port but not the source range) still forwards the traffic; a rule forwards only when every condition matches, and without a default pool anything else is dropped.

How to eliminate wrong answers

Option B is wrong because backend-pool-1 receives only traffic that satisfies every condition of its rule, and this request does not. Option C is wrong because a load balancer forwards a single request to exactly one pool; it never fans one request out to several pools. Option D is wrong because backend-pool-2 is likewise not matched by this request's source address and port.
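Added example (not part of the question bank, and not the exhibit): a small evaluator for listener rules of the kind the question describes. The JSON shape, CIDRs, and pool names are constructed and are not any provider's real schema; the semantics shown are first rule whose conditions all match wins, otherwise the listener's default pool, otherwise drop.

```python
"""Listener rule evaluation: all-conditions match, default pool, or drop."""
import ipaddress
import json

# Constructed configuration: two rules, no default pool.
LB_CONFIG_NO_DEFAULT = json.loads("""
{
  "listener": {
    "port": 80,
    "default_pool": null,
    "rules": [
      {"match": {"source_cidr": "192.168.10.0/24", "dest_port": 80},
       "forward_to": "backend-pool-1"},
      {"match": {"source_cidr": "10.0.2.0/24", "dest_port": 8080},
       "forward_to": "backend-pool-2"}
    ]
  }
}
""")


def rule_matches(match, src_ip, dest_port):
    """True only when every condition in the rule's match block is satisfied."""
    if "source_cidr" in match:
        net = ipaddress.ip_network(match["source_cidr"])
        if ipaddress.ip_address(src_ip) not in net:
            return False
    if "dest_port" in match and match["dest_port"] != dest_port:
        return False
    return True


def route(config, src_ip, dest_port):
    """Return the pool that receives the request, or None when it is dropped."""
    listener = config["listener"]
    for rule in listener["rules"]:  # first fully matching rule wins
        if rule_matches(rule["match"], src_ip, dest_port):
            return rule["forward_to"]
    return listener.get("default_pool")  # None means no default: drop


def with_default(config, pool):
    """Copy of the config with a default pool set, to show the difference it makes."""
    cfg = json.loads(json.dumps(config))
    cfg["listener"]["default_pool"] = pool
    return cfg
```

A request from 10.0.1.100 to port 80 matches neither constructed rule and there is no default, so route() returns None; a request from 10.0.2.5 to port 80 matches the second rule's source range but not its port, and is dropped for the same reason.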

334
MCQmedium

An organization is acquiring a third-party SaaS application. Which of the following should be included in the contract to ensure data protection?

A.Right to audit the vendor's security practices
B.Service level agreement (SLA) for uptime
C.Data ownership and location specification
D.Data encryption clause for data at rest and in transit
AnswerA

Right to audit enables verification of data protection controls.

Why this answer

A right to audit the vendor's security practices is essential in a SaaS contract because it allows the organization to independently verify that the vendor's controls (e.g., access management, patch management, incident response) meet contractual and regulatory requirements. Without this clause, the organization must rely solely on the vendor's self-assessments or third-party reports like SOC 2, which may not cover all relevant risks or may be outdated. This right is a key mechanism for ensuring ongoing data protection in a shared responsibility model.

Exam trap

The trap here is that candidates often choose a specific technical control like encryption (Option D) because it seems directly related to data protection, but they overlook that the right to audit is the overarching governance mechanism that ensures all controls, including encryption, are actually implemented and effective.

How to eliminate wrong answers

Option B is wrong because an SLA for uptime addresses service availability, not data protection; it does not cover confidentiality, integrity, or security controls. Option C is wrong because data ownership and location specification, while important for compliance (e.g., GDPR), does not by itself ensure that the vendor implements adequate security measures to protect the data. Option D is wrong because a data encryption clause for data at rest and in transit is a necessary security requirement but is insufficient on its own; it does not provide the organization with a mechanism to verify that encryption is properly implemented or that other critical controls (e.g., key management, access controls) are in place.

335
MCQhard

Refer to the exhibit. An IT operator receives this error message from an automated backup job. What is the MOST likely cause of this failure?

A.The FinanceDB database is corrupted
B.The network link between servers is down
C.The backup server's disk is full
D.The LUN presenting the virtual disk is not zoned or masked to the backup server
AnswerD

The error 'Unable to mount virtual disk' strongly suggests a SAN zoning/LUN masking issue.

Why this answer

Option D is correct because the error indicates that the backup server cannot access the virtual disk, which is typically a LUN masking or zoning issue. Option A is plausible but the message specifically points to storage access; Option B is not indicated; Option C is possible but less direct.

336
MCQmedium

An organization has the S3 bucket policy shown. Which of the following is the MOST likely intent of this policy?

A.Prevent deletion of objects from the bucket over unencrypted connections.
B.Prevent all deletion of objects from the bucket.
C.Prevent access to the bucket over HTTP.
D.Allow deletion only over HTTPS.
AnswerA

The policy denies s3:DeleteObject when SecureTransport is false.

Why this answer

Option A is correct because the policy denies DeleteObject when the request is not over HTTPS (SecureTransport false), thereby blocking deletion over HTTP but allowing deletion over HTTPS. Option B is incorrect because deletion over HTTPS is still allowed. Option C is incorrect because other actions like read are not restricted.

Option D is incorrect because a Deny statement grants nothing: the policy denies DeleteObject when the request is not over TLS, so deletion over HTTPS is permitted only if some other policy allows it, rather than being allowed by this policy.
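Added example (not part of the question bank, and not the exhibit): a policy document constructed to match the question's description, with a small evaluator that applies the IAM rule that an explicit Deny overrides any Allow and that a request matching no statement is implicitly denied. The bucket name, account ID, and role ARN are placeholders; only the Bool condition operator is implemented because that is all this policy uses.

```python
"""Evaluate a bucket policy that denies s3:DeleteObject over non-TLS requests."""
import json

# Constructed policy: an Allow for one role plus the Deny the question describes.
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAppRoleObjectAccess",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-role"},
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::example-bucket/*"
    },
    {
      "Sid": "DenyDeleteOverInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:DeleteObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    }
  ]
}
""")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principal_matches(principal, caller):
    if principal == "*":
        return True
    return caller in _as_list(principal.get("AWS", []))


def _resource_matches(patterns, resource):
    """Exact match, or a trailing '/*' wildcard covering every object key."""
    for p in _as_list(patterns):
        if p == resource or (p.endswith("/*") and resource.startswith(p[:-1])):
            return True
    return False


def _condition_matches(cond, ctx):
    """Bool operator only: every listed key must equal the expected value."""
    for key, expected in cond.get("Bool", {}).items():
        if str(ctx.get(key, "")).lower() != str(expected).lower():
            return False
    return True


def evaluate(policy, caller, action, resource, ctx):
    """Return 'Allow' or 'Deny' for one request. Explicit Deny always wins."""
    decision = "Deny"  # implicit deny until some Allow statement matches
    for st in policy["Statement"]:
        if action not in _as_list(st["Action"]):
            continue
        if not _resource_matches(st["Resource"], resource):
            continue
        if not _principal_matches(st["Principal"], caller):
            continue
        if not _condition_matches(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```

Note that removing the Allow statement leaves every delete denied regardless of transport: the Deny statement on its own never permits anything, which is the distinction between options A and D.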

337
MCQhard

You are the lead IT auditor for a multinational corporation that recently completed a merger with another company. During the post-merger integration audit, you discover that the acquired company's legacy HR system contains sensitive personal data of 20,000 employees and has been directly accessible from the internet for the last 18 months. The system runs on an unsupported operating system (Windows Server 2008) and uses a custom-built application with no logging enabled. The acquired company's IT manager argues that the server is isolated behind a firewall and has never been compromised. However, your review of firewall logs shows numerous connection attempts from unknown IP addresses. The integration team plans to decommission this system in three months. You need to determine the appropriate audit response. Which of the following should you do NEXT?

A.Conduct a forensic analysis of the server to determine if a breach has occurred
B.Wait for the decommissioning timeline and monitor the server logs for any signs of breach
C.Issue an urgent audit report to senior management highlighting the risk and recommending immediate isolation or remediation
D.Propose a compensating control, such as requiring VPN access to the server
AnswerC

Correct: Auditors must escalate critical findings promptly to management for action.

Why this answer

Option C is correct: the exposure of 20,000 employees' personal data on an unsupported, internet-facing system with no logging is a critical finding, and the auditor's immediate duty is to report it to senior management so that it can be isolated or remediated now rather than in three months. Option B delays action on a known critical exposure. Option A assumes a compromise that has not been confirmed, and a forensic investigation is a management decision the auditor may recommend but does not perform unilaterally. Option D is premature: proposing a specific compensating control before management has been informed pre-empts management's decision on the response.

338
MCQmedium

During an audit of an organization's change management process, the IS auditor selects a sample of 50 change requests from a population of 500. The auditor finds that 3 of the 50 did not have proper approval. What is the estimated error rate in the population?

A.3%
B.6%
C.10%
D.5%
AnswerB

Correct: 3/50 = 6% is the point estimate of the population error rate.

Why this answer

The estimated error rate is the sample error rate, which is 3/50 = 6%.

339
MCQmedium

Refer to the exhibit. Which of the following services is accessible from the internet to host 10.1.1.100?

A.HTTP only
B.Telnet only
C.HTTPS and SSH
D.FTP only
AnswerC

Ports 443 (HTTPS) and 22 (SSH) are explicitly permitted.

Why this answer

The exhibit shows an access control list (ACL) permitting TCP ports 443 (HTTPS) and 22 (SSH) from any source to host 10.1.1.100. Since the ACL is applied inbound on the internet-facing interface, only HTTPS and SSH traffic are allowed through to that host. Therefore, option C is correct.

Exam trap

The trap here is that candidates often confuse HTTP with HTTPS or Telnet with SSH, assuming that if one is allowed, the other must also be allowed, but the ACL explicitly permits only the specific port numbers listed.

How to eliminate wrong answers

Option A is wrong because HTTP (port 80) is not permitted by the ACL; only HTTPS (port 443) is allowed, so HTTP alone is not accessible. Option B is wrong because Telnet (port 23) is not listed in the ACL; only SSH (port 22) is permitted for remote access. Option D is wrong because FTP (ports 20/21) is not permitted by the ACL; no FTP traffic is allowed to reach host 10.1.1.100.

340
MCQeasy

An organization is implementing a business continuity plan (BCP). Which of the following is the PRIMARY purpose of conducting a business impact analysis (BIA)?

A.To document the step-by-step recovery procedures for each system
B.To identify potential threats and vulnerabilities to the organization
C.To inventory all IT assets and their configurations
D.To identify critical business processes and their recovery time objectives (RTOs)
AnswerD

BIA helps prioritize processes and define RTOs and RPOs.

Why this answer

The primary purpose of a business impact analysis (BIA) is to identify critical business processes and quantify the impact of their disruption, which directly drives the recovery time objectives (RTOs) and recovery point objectives (RPOs). These RTOs and RPOs form the foundation for selecting appropriate recovery strategies and technologies, such as synchronous replication for near-zero RPO or warm standby sites for specific RTO windows. Without a BIA, the BCP would lack the business-driven metrics needed to prioritize recovery efforts and allocate resources effectively.

Exam trap

The trap here is that candidates often confuse the BIA with a risk assessment or asset inventory, but the BIA is exclusively focused on business process criticality and recovery time objectives, not on threats, vulnerabilities, or hardware lists.

How to eliminate wrong answers

Option A is wrong because documenting step-by-step recovery procedures is the purpose of the recovery plan development phase, not the BIA; the BIA identifies what needs recovery and how quickly, but does not prescribe the technical steps. Option B is wrong because identifying potential threats and vulnerabilities is the domain of a risk assessment, which is a separate process that often uses the BIA's outputs to prioritize risks, but the BIA itself focuses on business process impact, not threat enumeration. Option C is wrong because inventorying all IT assets and their configurations is part of asset management or configuration management (e.g., CMDB), not the BIA; the BIA identifies which processes are critical, not the detailed hardware/software inventory.

341
MCQmedium

An administrator sees the above error after a failed backup job. What is the MOST likely cause?

A.The backup service account does not have write permissions to the destination
B.The network share \\BACKUPSRV\DBBackups\DB01\ is offline or unreachable
C.The SQL Server backup client is not installed
D.The backup destination disk is full
AnswerB

The error indicates the path specified does not exist or is unavailable.

Why this answer

The error message indicates that the backup destination path \\BACKUPSRV\DBBackups\DB01\ could not be reached. This is most commonly caused by the network share being offline, the target server being down, or a network fault between the two servers. Without connectivity to the UNC path the backup job cannot proceed, even if permissions and disk space are adequate.

Exam trap

The trap here is that candidates often assume a failed backup is always due to permissions or disk space, but the error's specific wording (the path does not exist or is unavailable) points to a connectivity or availability problem with the destination, not to authorization or capacity.

How to eliminate wrong answers

Option A is wrong because the error message does not mention permission denial; a permissions issue would typically produce an 'access denied' or similar error, not a generic 'unreachable' failure. Option C is wrong because the SQL Server backup client is not required for backing up to a network share; SQL Server uses its native VDI or T-SQL BACKUP command, and the error points to connectivity, not missing client software. Option D is wrong because a full disk would generate a 'disk full' or 'insufficient space' error, not a failure to reach the destination path.

342
MCQeasy

An organization has a policy requiring strong passwords. Which additional control is most effective at preventing credential stuffing attacks?

A.Increasing password length and complexity requirements.
B.Implementing account lockout after 3 failed attempts.
C.Requiring multi-factor authentication (MFA) for all logins.
D.Conducting annual security awareness training.
AnswerC

MFA renders stolen passwords useless as the second factor is required for access.

Why this answer

Multi-factor authentication (MFA) stops credential stuffing because an attacker replaying a username and password leaked from another breach still cannot supply the second factor. Longer or more complex passwords (A) do not help when the password itself has been leaked; lockout thresholds (B) are weak against stuffing because the attacker typically tries only one or two leaked credentials per account across many accounts; and awareness training (D) cannot undo reuse of passwords already exposed elsewhere.

343
Multi-Selecthard

Which THREE of the following are responsibilities of the board of directors regarding IT governance? (Choose three.)

Select 3 answers
A.Designing network security architecture
B.Setting IT risk appetite
C.Reviewing IT performance
D.Implementing IT controls
E.Approving IT strategy
AnswersB, C, E

Correct. Board defines risk tolerance.

Why this answer

Options B, C, and E are correct because setting IT risk appetite, reviewing IT performance, and approving IT strategy are board-level governance responsibilities. Option D is incorrect because implementing controls is management's role. Option A is incorrect because designing network security architecture is an operational task.

344
MCQmedium

An auditor is reviewing the encryption strategy for a healthcare application that stores protected health information (PHI) in a database. The database currently uses transparent data encryption (TDE). What is a key risk associated with TDE?

A.It requires complex key management
B.It significantly degrades database performance
C.It does not protect against privileged database users
D.It cannot be used with column-level encryption
AnswerC

TDE encrypts data at rest but decrypts transparently for any authorized database session, so DBAs and other privileged users can still read the data.

Why this answer

TDE protects database files and backups at rest by encrypting and decrypting at the storage layer; any account that can query the database, including DBAs and other privileged users, sees plaintext, so TDE does not protect PHI from insiders with database access. Option B is wrong because the performance impact is typically minor. Option A is wrong because key management is a consideration with any encryption but is not the key risk relating to who can read the data.

Option D is wrong because TDE can be combined with column-level (application or cell-level) encryption, which is how the privileged-user gap is usually closed.

345
MCQmedium

Refer to the exhibit. A tester executes test case TC-101 and records the result shown. What is the NEXT appropriate step in the testing process?

A.Re-run the test case after the defect is fixed
B.Create a new test case to cover the error
C.Update the requirements to reflect the actual behavior
D.Log a defect in the defect tracking system
AnswerD

The discrepancy indicates a defect that should be logged for resolution.

Why this answer

The tester executed TC-101 and observed a result that deviates from the expected behavior, indicating a defect. The immediate next step in the structured testing process is to log the defect in the defect tracking system to formally document the issue, assign severity, and initiate the resolution workflow. This aligns with the CISA testing lifecycle, where defects are captured before any re-testing or requirement changes.

Exam trap

The trap here is that candidates may think re-running the test (Option A) is the logical next step, but CISA emphasizes that defects must be formally logged before any remediation actions to maintain audit trail and process integrity.

How to eliminate wrong answers

Option A is wrong because re-running the test case after a fix is premature; the defect must first be logged and triaged before any fix is applied. Option B is wrong because creating a new test case to cover the error is not the immediate next step; the existing test case already exposes the defect, and additional coverage is handled after defect logging. Option C is wrong because updating requirements to reflect actual behavior would incorrectly treat a defect as a feature, violating the principle that requirements drive expected outcomes, not the other way around.

346
MCQeasy

A small business lacks formal IT governance. What is the FIRST step to establish governance?

A.Assign an IT manager
B.Define IT policies
C.Conduct a risk assessment
D.Implement COBIT
AnswerC

Risk assessment reveals the starting point for governance.

Why this answer

Conducting a risk assessment identifies the most critical issues and guides the development of governance policies and structure. Defining policies or assigning roles without understanding risks may be premature.

347
MCQmedium

An organization is implementing a new IT governance framework. Which of the following is the BEST approach to ensure alignment between IT strategy and business goals?

A.Align IT budget with the previous year's business plan
B.Conduct annual IT strategy reviews independent of business cycles
C.Establish an IT steering committee with business representation
D.Delegate IT strategy to the CIO without business input
AnswerC

A steering committee with business leaders ensures ongoing alignment.

Why this answer

Option C is correct because a steering committee with both IT and business leaders keeps IT strategy continuously aligned with business goals. Option D is wrong because it excludes business input entirely. Option A is wrong because aligning to last year's plan is reactive and lags the business.

Option B is wrong because annual reviews held outside the business planning cycle are too infrequent and disconnected to maintain ongoing alignment.

348
MCQeasy

When implementing a commercial off-the-shelf (COTS) software package, which of the following is the MOST important activity to ensure the software meets business requirements?

A.Conducting a vendor demonstration
B.Developing a project plan with milestones
C.Performing a gap analysis between requirements and software features
D.Reviewing the software's technical architecture
AnswerC

Directly addresses requirements coverage.

Why this answer

Performing a gap analysis is the most important activity because it systematically maps each business requirement against the COTS software's delivered features, identifying any shortfalls that must be addressed through configuration, customization, or process adaptation. Without this structured comparison, the organization risks deploying software that fails to support critical business processes, leading to costly rework or project failure.

Exam trap

The trap here is that candidates often confuse vendor demonstrations with functional validation, assuming a demo proves the software fits all requirements, when in reality demos are scripted and omit edge cases that a gap analysis would expose.

How to eliminate wrong answers

Option A is wrong because a vendor demonstration is a marketing tool that showcases the software under ideal conditions, not a rigorous method to verify that every specific business requirement is met; it cannot uncover gaps in functionality or data handling. Option B is wrong because developing a project plan with milestones is a project management activity that ensures tasks are scheduled and tracked, but it does not directly assess whether the software's features align with business needs. Option D is wrong because reviewing the software's technical architecture focuses on infrastructure, scalability, and security design, not on functional fit; a technically sound system can still completely miss key business requirements.

349
Multi-Selecteasy

Which TWO of the following are examples of administrative controls for information security?

Select 2 answers
A.Intrusion detection system
B.Firewall configuration
C.Access control policy
D.Encryption algorithms
E.Security awareness training
AnswersC, E

Policies are administrative controls that define rules and procedures.

Why this answer

Access control policy is an administrative control because it defines the rules, roles, and responsibilities for granting or restricting access to information assets. It is a documented directive that governs user behavior and management processes, not a technical mechanism. Administrative controls are management-level safeguards, such as policies, procedures, and training, that guide the implementation of technical and physical controls.

Exam trap

ISACA often tests the distinction between administrative, technical, and physical controls, and the trap here is that candidates confuse policy documents (administrative) with the technical mechanisms that implement them, such as firewalls or encryption.

350
MCQhard

An organization uses the policy shown. Which of the following is an omission in the policy?

A.No definition of authorized users
B.No mention of backup frequency
C.No specification of data disposal methods after retention periods
D.Missing encryption requirement for log data
AnswerC

The policy defines retention but not deletion or archiving.

Why this answer

Option C is correct because the policy contains no rule for disposing of data once its retention period ends. Options A (authorized users) and B (backup frequency) are both covered by the policy.

Option D is not mentioned but is not an omission in this context.

351
MCQmedium

During a penetration test, a tester discovers that an application stores passwords using a reversible encryption algorithm. Which of the following is the BEST remediation?

A.Use MD5 hashing with a salt
B.Replace the encryption algorithm with AES-256
C.Implement a strong one-way hashing algorithm such as bcrypt
D.Add a random salt before encryption
AnswerC

bcrypt is designed for password storage.

Why this answer

Storing passwords using reversible encryption is fundamentally flawed because any encryption key can be compromised, allowing an attacker to decrypt all passwords. The best remediation is to use a strong, one-way hashing algorithm like bcrypt, which is designed to be computationally expensive and includes a built-in salt to resist rainbow table attacks and brute-force attempts. Unlike encryption, hashing is irreversible, so even if the database is breached, the original passwords cannot be recovered.

Exam trap

The trap here is that candidates confuse encryption with hashing, thinking that a strong encryption algorithm like AES-256 is sufficient for password storage, when in fact any reversible method is insecure for this purpose.

How to eliminate wrong answers

Option A is wrong because MD5 is a broken hashing algorithm that is vulnerable to collision attacks and fast brute-force computation; even with a salt, it is not considered secure for password storage. Option B is wrong because AES-256 is a symmetric encryption algorithm, not a hashing algorithm; replacing one reversible encryption with another still leaves passwords recoverable if the encryption key is compromised. Option D is wrong because adding a salt before encryption does not address the core issue—the passwords remain reversible and can be decrypted if the key is obtained.
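An added illustration (not part of the question bank) of the before/after the explanation describes: a constructed toy reversible scheme whose key recovers every stored password, beside a salted, one-way, work-factored hash with constant-time verification and an in-place migration. The answer names bcrypt; `hashlib.scrypt` is assumed here as a standard-library stand-in with the same properties.

```python
import hashlib
import hmac
import secrets

# --- "Before": the flawed reversible scheme the question describes ---
# Constructed stand-in: a keyed XOR stream (not a real cipher, just enough
# to show the property that matters: whoever holds KEY recovers every
# stored password with the same call that stored it).
KEY = b"constructed-demo-key"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    stream = hashlib.sha256(key).digest()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(data))


def reversible_store(password: str, key: bytes = KEY) -> bytes:
    return xor_with_key(password.encode(), key)


def reversible_recover(stored: bytes, key: bytes = KEY) -> str:
    # The same operation undoes it: the key alone exposes the plaintext.
    return xor_with_key(stored, key).decode()


# --- "After": salted, one-way, deliberately slow hashing ---
# The question's answer is bcrypt; hashlib.scrypt is used here (assumption:
# an acceptable stand-in) because it ships with the standard library and has
# the same properties: per-record random salt, tunable work factor, and no
# key that could ever turn the stored value back into the password.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password: str) -> str:
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    # Self-describing record, so the work factor can be raised later
    # without breaking verification of older records.
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, record: str) -> bool:
    try:
        algo, n, r, p, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=DKLEN)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def migrate_record(stored: bytes, key: bytes = KEY) -> str:
    # Because the old scheme is reversible, remediation can convert every
    # existing record in place (recover, then hash) instead of forcing
    # a password reset on all users.
    return hash_password(reversible_recover(stored, key))
```

Note that `migrate_record` is only possible because the legacy scheme is reversible; once records are hashed, the key and the plaintext-recovery path should be retired.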

352
MCQhard

An IS auditor is reviewing the change management process for a financial institution. The auditor finds that emergency changes bypass normal approval but are documented and reviewed within 48 hours. Which of the following is the BEST recommendation?

A.Require a second administrator to approve during the emergency.
B.Implement a risk classification for changes and apply controls accordingly.
C.Increase the frequency of post-implementation reviews to every 24 hours.
D.Require all emergency changes to be approved by the change advisory board (CAB) before implementation.
AnswerB

Risk classification allows appropriate control for each change type.

Why this answer

Option B is correct because implementing a risk classification for changes allows the organization to apply appropriate controls based on the change's impact and urgency. Emergency changes inherently require speed, but a risk-based approach ensures that high-risk emergency changes receive more stringent controls (e.g., mandatory peer review) while low-risk changes can proceed with lighter oversight. This balances security with operational agility, which is critical in a financial institution where system availability and data integrity are paramount.

Exam trap

The trap here is that candidates assume all emergency changes must be treated equally and thus focus on adding more approval steps (A or D) or increasing review frequency (C), rather than recognizing that a risk-based classification is the most effective and efficient control to address varying levels of risk in emergency changes.

How to eliminate wrong answers

Option A is wrong because requiring a second administrator to approve during the emergency introduces a bottleneck that defeats the purpose of an emergency change process, which is to rapidly address critical incidents; it also does not address the root issue of varying risk levels across changes. Option C is wrong because increasing post-implementation reviews to every 24 hours does not solve the lack of pre-implementation controls for emergency changes; it only adds administrative overhead without ensuring that high-risk changes are properly vetted before deployment. Option D is wrong because requiring all emergency changes to be approved by the CAB before implementation is impractical for true emergencies, as CAB meetings are typically scheduled and cannot convene instantly; this would delay critical fixes and potentially cause service outages or security breaches.

353
MCQeasy

A company is experiencing frequent server crashes due to memory leaks. The operations team has implemented a monitoring solution. Which of the following is the BEST indicator to trigger an automated failover to a standby server?

A.Memory usage exceeding 90% for more than 5 minutes
B.Disk I/O latency greater than 10ms
C.CPU utilization spikes above 80% for 1 minute
D.Network packet loss exceeding 1%
AnswerA

Correct: Directly reflects memory leak condition.

Why this answer

Memory leaks cause gradual memory consumption; sustained high memory usage directly indicates the condition. CPU spikes, disk latency, and packet loss are less specific to memory leaks.
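As an added example (not from the question bank), the trigger in Option A written as detection logic over constructed monitoring samples: the rule fires only when memory stays above 90% across an unbroken run of polls spanning more than 300 seconds, so a momentary spike or an exactly-five-minute run does not trigger failover. Sample values and the 30-second polling interval are assumptions.

```python
from dataclasses import dataclass
from typing import List

# Constructed monitoring samples: (seconds since epoch, memory %, cpu %)
# polled every 30 s. Labelled sample data, not real telemetry.
@dataclass(frozen=True)
class Sample:
    ts: int
    mem_pct: float
    cpu_pct: float


MEM_THRESHOLD = 90.0      # "exceeding 90%"
MIN_SUSTAINED_SEC = 300   # "for more than 5 minutes"


def sustained_seconds_above(samples: List[Sample],
                            threshold: float = MEM_THRESHOLD) -> int:
    """Seconds covered by the most recent unbroken run of samples above threshold.

    Walks backward from the newest sample; a single reading at or below the
    threshold ends the run, so a momentary spike never accumulates duration.
    """
    if not samples or samples[-1].mem_pct <= threshold:
        return 0
    start = samples[-1].ts
    for s in reversed(samples):
        if s.mem_pct <= threshold:
            break
        start = s.ts
    return samples[-1].ts - start


def should_failover(samples: List[Sample]) -> bool:
    # Sustained memory pressure is the leak signature; CPU is ignored on
    # purpose, since the explanation notes it is not specific to memory leaks.
    return sustained_seconds_above(samples) > MIN_SUSTAINED_SEC


def make_series(mem_values: List[float], interval: int = 30,
                t0: int = 1_700_000_000) -> List[Sample]:
    return [Sample(t0 + i * interval, m, 40.0) for i, m in enumerate(mem_values)]


# A leak: memory climbs and stays above 90% for 12 consecutive polls (330 s).
LEAK = make_series([84, 88, 91, 92, 93, 94, 95, 96, 97, 97, 98, 98, 99, 99])
# A spike: two polls above 90% (30 s), then back to normal.
SPIKE = make_series([60, 95, 96, 65, 60, 62])
# Above 90% for exactly 11 polls = 300 s, which is not "more than 5 minutes".
BORDERLINE = make_series([85, 91, 92, 93, 94, 95, 96, 97, 98, 98, 99, 99])
```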

354
Multi-Selectmedium

An organization is adopting COBIT 2019. Which TWO of the following are components of the governance system?

Select 2 answers
A.Processes
B.IT hardware inventory
C.Information flows
D.Organizational structures
E.Employee satisfaction surveys
AnswersA, D

Processes are a core component in COBIT.

Why this answer

Options A and D are correct. COBIT 2019 defines governance system components including processes (A) and organizational structures (D). B (hardware inventory) is an asset, not a component.

C (information flows) is part of the information component but not a standalone component. E (employee satisfaction surveys) is not a component.

355
MCQmedium

During system development, the project team discovers that the original requirements are incomplete. What is the BEST course of action?

A.Formally document the new requirements and follow the change management process
B.Inform the steering committee and continue as planned
C.Proceed with development and address changes during maintenance
D.Halt the project until all requirements are finalized
AnswerA

Change management ensures proper evaluation and approval of new requirements.

Why this answer

Option A is correct because formally documenting new requirements and following the change management process ensures that all changes are controlled, assessed for impact on scope, budget, and schedule, and approved by stakeholders. This aligns with the systems development lifecycle (SDLC) best practices and the ISACA standard for managing requirements changes, preventing scope creep and maintaining project integrity.

Exam trap

The trap here is that candidates often choose Option D (halting the project) because they assume all requirements must be fully finalized before development, but the CISA exam emphasizes that change management is the appropriate mechanism to handle evolving requirements without stopping the project entirely.

How to eliminate wrong answers

Option B is wrong because simply informing the steering committee without formally documenting and processing the new requirements through change management bypasses the necessary impact analysis and approval controls, risking unauthorized scope changes. Option C is wrong because deferring requirement changes to maintenance violates the principle of early defect detection and correction; addressing changes during maintenance is significantly more costly and can introduce technical debt and security vulnerabilities. Option D is wrong because halting the project entirely is an overreaction; incomplete requirements are common, and the proper response is to manage them through a structured change control process, not to stop all progress.

356
MCQmedium

An IS auditor is reviewing a change management process. A developer made an emergency change directly to production without following the standard change approval process. The change was later documented as a normal change. Which control weakness is MOST indicated by this scenario?

A.Inadequate segregation of duties between development and production environments
B.Absence of a rollback plan for emergency changes
C.Insufficient testing of emergency changes before deployment
D.Lack of a formal change documentation policy
AnswerA

Direct production access by developers violates segregation of duties.

Why this answer

The developer bypassed the standard change approval process by making an emergency change directly to production, then retroactively documenting it as a normal change. This directly violates the principle of segregation of duties (SoD), as the same individual who implemented the change also controlled the documentation and approval trail, eliminating independent oversight. In a properly segregated environment, developers should not have direct write access to production systems without a separate change authorization and deployment step.

Exam trap

The trap here is that candidates focus on the lack of testing or documentation, but the most critical control weakness is the violation of segregation of duties, as the developer both made the change and controlled its documentation, eliminating independent oversight.

How to eliminate wrong answers

Option B is wrong because the absence of a rollback plan, while a concern, is not the primary control weakness indicated; the core issue is the lack of segregation of duties, not the absence of a recovery procedure. Option C is wrong because insufficient testing of emergency changes is a risk, but the scenario does not mention whether testing occurred or not—the key failure is the unauthorized direct change and subsequent misdocumentation, not the testing process itself. Option D is wrong because a formal change documentation policy may exist (the change was documented as a normal change), but the weakness is that the documentation was falsified to hide the emergency bypass, not that the policy is missing.

357
MCQhard

A multinational corporation is adopting a hybrid cloud strategy. The IT governance board must decide on a framework to ensure alignment with business objectives and regulatory compliance. Which framework is MOST appropriate?

A.ITIL 4 Service Value System
B.COBIT 2019
C.ISO/IEC 27001 Information Security Management
D.PMBOK Guide
AnswerB

COBIT 2019 is a comprehensive framework for IT governance and management.

Why this answer

COBIT 2019 is the most appropriate framework because it is specifically designed for IT governance, providing a comprehensive set of controls and processes to align IT with business objectives and ensure regulatory compliance. In a hybrid cloud strategy, COBIT 2019's focus on governance objectives, stakeholder needs, and risk management directly addresses the board's need for oversight across on-premises and cloud environments, unlike frameworks that target service management, security, or project management.

Exam trap

The trap here is that candidates often confuse ITIL (service management) with governance, assuming that best practices for service delivery inherently cover board-level alignment and compliance, but ITIL lacks the governance objectives and stakeholder-driven goal cascade that COBIT provides for hybrid cloud strategies.

How to eliminate wrong answers

Option A is wrong because ITIL 4 Service Value System focuses on IT service management (ITSM) best practices, such as incident and change management, but lacks the governance and compliance alignment mechanisms required for board-level decision-making in a hybrid cloud strategy. Option C is wrong because ISO/IEC 27001 is an information security management standard that addresses security controls and risk management, but it does not provide a holistic governance framework for aligning IT with business objectives and regulatory compliance across the entire enterprise. Option D is wrong because PMBOK Guide is a project management framework that covers project lifecycle and processes, but it is not designed for ongoing IT governance or ensuring sustained alignment with business goals and compliance in a hybrid cloud environment.

358
Multi-Selecthard

Based on the backup logs, the backup administrator notices that the incremental backup job failed due to insufficient storage. Which TWO actions should the administrator take to resolve the immediate issue and prevent recurrence?

Select 2 answers
A.Free up space on the backup storage device by removing old backup sets manually
B.Check network bandwidth between the backup server and storage device
C.Increase the frequency of incremental backups to reduce data volume per job
D.Configure backup retention policies and enable data deduplication on the backup device
E.Investigate and resolve the file-in-use warnings from the full backup job
AnswersA, D

This addresses the immediate 'insufficient storage' error by freeing up space for the next backup.

Why this answer

Option A is correct because freeing up space on the backup storage device by removing old backup sets immediately resolves the insufficient storage issue that caused the incremental backup job to fail. This is a direct, short-term fix that reclaims capacity without altering backup schedules or configurations.

Exam trap

The trap here is that candidates may confuse a storage capacity issue with a performance issue (Option B) or incorrectly assume that increasing backup frequency (Option C) reduces data volume, when in fact it increases the number of backup objects and metadata overhead.

359
MCQmedium

During an audit of a cloud service provider, the IS auditor discovers that the provider's data center access logs show an employee accessing the production environment outside of normal business hours without a change request. What should the auditor do FIRST?

A.Report the incident to the provider's management immediately
B.Recommend immediate remediation procedures
C.Obtain supporting evidence such as system logs and change tickets
D.Evaluate the potential impact and the effectiveness of compensating controls
AnswerD

Understanding the significance helps determine the appropriate response.

Why this answer

Option D is correct because the IS auditor's first priority is to assess risk. Without evaluating the potential impact of the unauthorized access and the effectiveness of any compensating controls (e.g., intrusion detection systems, session recording, or multi-factor authentication), the auditor cannot determine the severity of the finding or the urgency of subsequent actions. This aligns with the ISACA audit methodology, which mandates risk-based analysis before recommending remediation or reporting.

Exam trap

The trap here is that candidates often jump to 'gather evidence' (Option C) because it seems logical, but the CISA exam emphasizes that risk assessment (evaluating impact and controls) must precede evidence collection to avoid wasting resources on irrelevant data.

How to eliminate wrong answers

Option A is wrong because reporting to management immediately without first assessing the risk and impact is premature; the auditor must gather sufficient evidence and evaluate the situation to provide an informed report. Option B is wrong because recommending remediation procedures before understanding the full scope and compensating controls could lead to unnecessary or ineffective actions, violating the principle of risk-based auditing. Option C is wrong because while obtaining supporting evidence is important, it is not the first step; the auditor should first evaluate the potential impact and compensating controls to determine what evidence is most relevant and whether immediate escalation is needed.

360
MCQeasy

A company is implementing a new customer relationship management (CRM) system. The project team is currently defining user roles and permissions. Which of the following is the PRIMARY reason to enforce segregation of duties (SoD) within the CRM?

A.To reduce the risk of fraud and errors
B.To ensure data accuracy and completeness
C.To comply with regulatory requirements
D.To improve system performance and efficiency
AnswerA

SoD ensures no single individual has control over two or more phases of a transaction, reducing fraud and error risk.

Why this answer

Segregation of duties (SoD) in a CRM system is primarily enforced to prevent a single user from having conflicting capabilities, such as creating a customer record and also approving credit limits or processing refunds. Without SoD, an employee could both initiate and approve a fraudulent transaction, directly increasing the risk of fraud and undetected errors. While SoD can indirectly support data accuracy and compliance, the primary control objective is risk reduction through separation of conflicting functions.

Exam trap

The trap here is that candidates often choose 'compliance' (Option C) because SoD is a common regulatory requirement, but the question asks for the PRIMARY reason, which is the fundamental control objective of reducing fraud and error risk, not the secondary benefit of meeting external mandates.

How to eliminate wrong answers

Option B is wrong because ensuring data accuracy and completeness is a goal of input validation, data quality controls, and reconciliation processes, not the primary reason for enforcing SoD. Option C is wrong because while SoD may help meet regulatory requirements (e.g., SOX, GDPR), compliance is a secondary benefit; the primary reason is to reduce the risk of fraud and errors inherent in the system's design. Option D is wrong because SoD typically adds process steps and approval workflows, which can reduce system performance and efficiency, not improve them.

361
Multi-Selectmedium

Which TWO of the following are primary objectives of IT governance as defined by COBIT 5?

Select 2 answers
A.Resource optimization
B.Cost reduction
C.Incident response
D.Value delivery
E.Data encryption
AnswersA, D

Resource optimization is a key governance objective.

Why this answer

Options A and D are correct because COBIT 5 defines the IT governance objectives as stakeholder value creation and resource optimization. Option C (incident response) is a management activity, not a governance objective. Option E (data encryption) is a goal of information security, not of governance overall.

Option B is too narrow (cost reduction) and is not a primary governance objective.

362
MCQmedium

A company's IT service desk receives multiple reports of users being unable to access a cloud-based CRM system. The network team confirms that internet connectivity is working. Which of the following should be the FIRST step in troubleshooting the issue?

A.Ask a user to try accessing from a different device
B.Restart the company's firewall and proxy servers
C.Check the vendor's service status page for any reported outages
D.Review recent change requests for the CRM system
AnswerC

This quickly identifies if the issue is widespread and outside the organization's control.

Why this answer

Option C is correct because checking the status page of the CRM service provider quickly determines whether this is a known outage. Option B is premature; Option A is device-specific and does not explain multiple reports; Option D is a later step.

363
MCQeasy

A medium-sized financial services firm recently suffered a ransomware attack that encrypted critical servers and backups. The recovery process took three weeks because the backup tapes were stored in the same building (which was also infected) and the backup software had a vulnerability that allowed the ransomware to delete old backups. The firm's BCP did not account for simultaneous loss of primary and secondary data. As the IS auditor, you are asked to recommend the most effective improvement to the backup strategy to prevent recurrence and improve resilience. Which of the following actions should the firm implement?

A.Implement immutable backups and store them offsite or in a separate air-gapped environment
B.Increase the frequency of full backups to daily
C.Conduct quarterly tabletop exercises to test recovery procedures
D.Move all backups to a cloud storage provider with default settings
AnswerA

Immutable backups prevent unauthorized deletion or modification, directly mitigating the risk from ransomware.

Why this answer

Immutable backups prevent modification or deletion by ransomware, even if the backup software or administrative credentials are compromised. Storing them offsite or in an air-gapped environment ensures that a simultaneous physical or logical attack cannot destroy both primary and secondary data, directly addressing the root cause of the three-week recovery delay.

Exam trap

The trap here is that candidates often choose increased backup frequency or cloud migration, thinking they improve resilience, but they overlook the critical requirement that backups must be protected from deletion or encryption by the same attack that compromises the primary systems.

How to eliminate wrong answers

Option B is wrong because increasing the frequency of full backups to daily does not protect against ransomware that can encrypt or delete existing backups; it only reduces the recovery point objective, not the vulnerability to deletion. Option C is wrong because quarterly tabletop exercises test recovery procedures and team readiness but do not prevent the backup data from being encrypted or deleted by ransomware; they improve process, not data resilience. Option D is wrong because moving all backups to a cloud storage provider with default settings does not guarantee immutability or air-gapping; default cloud storage configurations often allow deletion or overwrite by compromised credentials, leaving backups vulnerable to the same attack vector.

364
MCQmedium

A multinational corporation is implementing a disaster recovery plan for its critical financial systems. The plan includes off-site backups and redundant hardware. During a recent test, the recovery time objective (RTO) was met, but the recovery point objective (RPO) was exceeded by 30 minutes due to delayed data replication. Which of the following is the BEST action to address this issue?

A.Extend the RPO to accommodate the delay.
B.Implement synchronous replication to the secondary site.
C.Reduce the bandwidth for replication to avoid congestion.
D.Increase the frequency of full backups to every 4 hours.
AnswerB

Synchronous replication ensures near-zero data loss, directly addressing the RPO exceedance.

Why this answer

Option B is correct because synchronous replication writes data to both sites simultaneously, minimizing the RPO. Option D is wrong because increasing full backups to every 4 hours still leaves up to 4 hours of potential data loss. Option C is wrong because reducing bandwidth for replication would likely increase the delay further.

Option A is wrong because extending the RPO merely accepts the data loss; it does not address the replication delay that caused the exceedance.

365
MCQhard

A healthcare organization is required to comply with HIPAA regulations for data backup and disaster recovery. They operate a primary data center and a colocation facility for disaster recovery. The current backup strategy involves nightly full backups to tape, which are stored off-site monthly. The recovery time for the electronic health record (EHR) system is estimated at 8 hours, but the RTO required by the business is 2 hours. Additionally, the RPO requirement is 15 minutes. The IT manager proposes implementing a continuous data protection (CDP) solution. However, the CFO is concerned about the cost. Which of the following is the BEST argument to justify the CDP investment?

A.CDP can achieve an RPO of seconds and significantly reduce recovery time.
B.CDP is required by HIPAA for all healthcare systems.
C.CDP will reduce the need for IT staff to perform backups.
D.CDP eliminates the need for any off-site storage, reducing costs.
AnswerA

This directly addresses the gaps in RTO and RPO, justifying the investment.

Why this answer

Option A is correct because CDP provides near-zero RPO and can significantly reduce recovery time, directly meeting the RTO and RPO requirements. Option D is false; CDP still requires off-site storage for disaster recovery. Option B is incorrect; HIPAA does not mandate CDP.

Option C is a benefit but not the primary justification.

366
MCQhard

Refer to the exhibit. An IS auditor is reviewing the architecture. Which of the following is the MOST critical security weakness?

A.Application servers can initiate outbound internet connections.
B.The use of TLS between tiers.
C.Centralized logging to a SIEM.
D.Lack of encryption on the database server.
AnswerA

This bypasses security controls and can be exploited.

Why this answer

Option A is correct because allowing application servers to initiate outbound connections to the internet is a common attack vector (e.g., for command and control). Option C (centralized logging to a SIEM) is acceptable; B is not a weakness; D is not indicated in the exhibit or required.

367
Matchingmedium

Match each CISA domain to its focus.

Concepts

Information System Auditing Process

Governance and Management of IT

Information Systems Acquisition, Development, and Implementation

Information Systems Operations and Business Resilience

Protection of Information Assets

Why these pairings

The CISA exam covers five domains.

368
MCQmedium

A company is implementing a new ERP system. The project team plans to use a parallel conversion strategy. What is the PRIMARY advantage of this approach?

A.Immediate realization of benefits from the new system.
B.Risk mitigation by allowing fallback to the old system.
C.Lower total cost due to reduced training requirements.
D.Faster implementation compared to phased approach.
AnswerB

The main benefit is risk reduction via fallback capability.

Why this answer

The primary advantage of a parallel conversion strategy is risk mitigation. By running the new ERP system alongside the old system for a period, the organization can validate the new system's functionality and data integrity while retaining the ability to immediately fall back to the legacy system if critical failures occur. This approach ensures business continuity and reduces the impact of unforeseen issues during the transition.

Exam trap

The trap here is that candidates often confuse parallel conversion with phased conversion, mistakenly believing that parallel conversion is faster or cheaper, when in fact its primary value is risk reduction through fallback capability.

How to eliminate wrong answers

Option A is wrong because immediate realization of benefits is not a characteristic of parallel conversion; benefits are delayed until the new system is fully validated and the old system is decommissioned. Option C is wrong because parallel conversion typically increases total cost due to the need to operate and maintain both systems simultaneously, and training requirements are not reduced—staff must learn the new system while still using the old one. Option D is wrong because parallel conversion is generally slower than a phased approach, as it requires a full cutover after a parallel run, whereas a phased approach rolls out functionality incrementally.

369
MCQeasy

What is the PRIMARY purpose of conducting a feasibility study before acquiring a new information system?

A.To define detailed system requirements
B.To select a vendor through a bidding process
C.To assess the technical, operational, and economic viability
D.To determine the total cost of ownership
AnswerC

The primary purpose is to evaluate viability.

Why this answer

The primary purpose of a feasibility study is to evaluate whether a proposed information system is technically achievable, operationally compatible with existing processes, and economically justified before committing resources. This upfront assessment prevents investment in systems that cannot be successfully implemented or sustained, directly addressing risk management in the acquisition lifecycle.

Exam trap

The trap here is that candidates confuse the feasibility study with later phases like requirements gathering or vendor selection, leading them to pick A or B, when the core CISA focus is on the study's role as a go/no-go decision gate based on viability assessment.

How to eliminate wrong answers

Option A is wrong because defining detailed system requirements occurs after the feasibility study, typically during the requirements analysis phase, not as the primary purpose of the feasibility study. Option B is wrong because vendor selection through a bidding process happens later in the procurement cycle, after the feasibility study confirms the project is viable and requirements are defined. Option D is wrong because determining total cost of ownership is a component of the economic viability assessment within the feasibility study, not the primary purpose; the study must also evaluate technical and operational factors.

370
MCQhard

A company is implementing a privileged access management (PAM) system. Which of the following is the MOST important control to prevent lateral movement after a privileged account is compromised?

A.Implement just-in-time (JIT) privilege elevation
B.Enforce multi-factor authentication for all privileged accounts
C.Monitor and record all privileged sessions
D.Rotate passwords after each use
AnswerA

JIT reduces exposure time.

Why this answer

Just-in-time (JIT) privilege elevation is the most important control to prevent lateral movement because it eliminates standing privileged access. By granting temporary, time-bound privileges only when needed, JIT reduces the attack surface and ensures that even if an attacker compromises a privileged account, they cannot use those credentials to move laterally to other systems after the access window expires. This directly addresses the root cause of lateral movement: persistent privileged credentials that can be reused across the network.

Exam trap

The trap here is that candidates often choose MFA (option B) because it is a well-known security best practice, but they fail to recognize that MFA does not prevent lateral movement after the account is already compromised—it only protects against unauthorized initial access.

How to eliminate wrong answers

Option B is wrong because multi-factor authentication (MFA) is a strong authentication control that can prevent initial compromise, but it does not prevent lateral movement once the account is already compromised (e.g., via session hijacking or token theft). Option C is wrong because monitoring and recording privileged sessions is a detective control that helps identify lateral movement after it occurs, but it does not prevent it. Option D is wrong because rotating passwords after each use (password cycling) reduces the window of credential reuse but still leaves the account with standing privileges during the session; an attacker can still move laterally within that session before the password is rotated.

371
MCQ · medium

An organization is developing a web application using an Agile methodology. The security team wants to integrate security testing early in the development lifecycle. Which of the following is the BEST approach to achieve this?

A.Implement static application security testing (SAST) in the continuous integration pipeline
B.Conduct a penetration test after each sprint
C.Schedule an annual vulnerability scan of the production environment
D.Perform dynamic application security testing (DAST) on deployed builds
Answer: A

SAST scans source code and can be integrated into CI to find vulnerabilities early.

Why this answer

Integrating SAST into the CI pipeline allows automated scanning of source code for vulnerabilities (e.g., SQL injection, XSS) as code is committed, aligning with Agile's iterative development. This shift-left approach catches flaws early, reducing remediation cost and effort compared to later stages.

Exam trap

The trap here is confusing 'early testing' with any security test performed during development, but only SAST in the CI pipeline provides automated, continuous analysis at the code level before builds are deployed.

How to eliminate wrong answers

Option B is wrong because penetration testing after each sprint is too late for early integration; it occurs after code is built and deployed, missing the opportunity to find issues during development. Option C is wrong because an annual vulnerability scan of production is far too infrequent and occurs post-deployment, violating the goal of early lifecycle testing. Option D is wrong because DAST on deployed builds tests the running application, which is still a later-stage activity and does not provide the same early feedback as source-level analysis.

372
MCQ · hard

An organization's business continuity plan includes a reciprocal agreement with another company. What is the PRIMARY risk of this arrangement?

A.The other company may be a competitor
B.Both companies may be affected by the same disaster
C.The agreement may not be legally enforceable
D.The other company may not have adequate security
Answer: B

If the companies are geographically close, a single disaster can impact both, rendering the agreement useless.

Why this answer

Option B is correct because both companies may be affected by the same regional disaster. Options A, C, and D are valid concerns but secondary.

373
Multi-Select · easy

Which TWO of the following are key components of an IT governance framework?

Select 2 answers
A.IT strategy committee
B.IT asset inventory
C.IT risk management
D.IT project portfolio management
E.IT help desk ticketing system
Answers: A, C

Governance requires a steering or strategy committee.

Why this answer

Options A and C are correct. An IT governance framework includes structures like an IT strategy committee (A) and processes like IT risk management (C). D (project portfolio management) is a management practice, not a core governance component.

B (asset inventory) and E (help desk) are operational.

374
MCQ · easy

An IS auditor is using statistical sampling to test a population of 10,000 transactions. The desired confidence level is 95%, and the tolerable error rate is 5%. Which of the following factors would MOST likely increase the required sample size?

A.An increase in the expected error rate to 6%
B.A decrease in the tolerable error rate to 3%
C.A decrease in the confidence level to 90%
D.An increase in the population size to 15,000
Answer: A

Higher expected error rate requires larger sample size for the same precision.

Why this answer

An increase in the expected error rate to 6% increases the required sample size because the sample size formula is directly proportional to the product of the expected error rate and its complement (p × (1-p)). At a 95% confidence level, the z-value is fixed (1.96), and as the expected error rate moves closer to 50%, the variance increases, requiring a larger sample to achieve the same precision. This is a core statistical sampling principle in audit testing.

Exam trap

The trap here is that candidates mistakenly think increasing population size always increases sample size, but in statistical sampling for large populations, the population size has a diminishing effect and is not the primary driver of sample size.

How to eliminate wrong answers

Option B is wrong because a decrease in the tolerable error rate to 3% actually increases the required sample size, not decreases it, as the auditor needs more precision to detect smaller deviations. Option C is wrong because a decrease in the confidence level to 90% reduces the z-value (from 1.96 to 1.645), which decreases the required sample size. Option D is wrong because for large populations (over 5,000), the population size has a negligible effect on sample size; increasing it to 15,000 does not materially increase the required sample size.

375
Matching · medium

Match each type of access control to its definition.


Owner determines access permissions

System-enforced based on labels

Roles assigned to users

Attributes used to grant access

Why these pairings

Access control models are tested frequently.
