Certified Information Systems Auditor CISA (CISA) — Questions 376-450

509 questions total · 7 pages · All types, answers revealed

Page 6 of 7
376
MCQ · hard

During an IT audit, the auditor discovers that the IT department has not conducted a business impact analysis (BIA) for three years. The organization's disaster recovery plan (DRP) is based on the previous BIA. The IT manager argues that the DRP is still valid because no major changes have occurred. What should the auditor recommend?

A. Recommend that a new BIA be conducted to validate and update the DRP.
B. Accept the IT manager's rationale and close the finding.
C. Recommend terminating the current DRP until the BIA is completed.
D. Recommend accepting the risk and documenting the decision.
Answer: A

A current BIA is essential to identify changes in business processes and threats, ensuring the DRP is aligned.

Why this answer

A business impact analysis (BIA) is the foundation of a valid disaster recovery plan (DRP). Without a current BIA, the DRP may not reflect the organization's current critical processes, recovery time objectives (RTOs), or recovery point objectives (RPOs). Even if no major changes are perceived, subtle shifts in dependencies, resource availability, or regulatory requirements can render the DRP ineffective.

Therefore, the auditor should recommend conducting a new BIA to validate and update the DRP.

Exam trap

The trap here is that candidates may assume the IT manager's claim of 'no major changes' is sufficient, but the CISA exam emphasizes that a BIA must be periodically reviewed (typically annually) regardless of perceived stability, because hidden dependencies or gradual changes can still affect recovery requirements.

How to eliminate wrong answers

Option B is wrong because accepting the IT manager's rationale without evidence ignores the risk that the DRP may be outdated; the auditor's role is to verify, not assume, that no changes have impacted recovery requirements. Option C is wrong because terminating the current DRP would leave the organization without any recovery plan until the BIA is completed, increasing operational risk unnecessarily. Option D is wrong because accepting the risk and documenting the decision without further action is premature; the auditor should first recommend a BIA to determine the actual risk level before deciding to accept it.

377
Multi-Select · easy

During a data migration from a legacy system to a new ERP, the following log entries were generated. Which TWO issues should the IS auditor flag as high risk?

Select 2 answers
A. Source system downtime
B. Rapid growth of rollback segment
C. Constraint violation due to missing parent records
D. Duplicate key violation
E. Data type mismatch between source and target
Answers: C, D

This error indicates a foreign key violation where a parent record is missing, compromising referential integrity.

Why this answer

Option C is correct because a constraint violation due to missing parent records is a referential integrity failure: child records are being loaded without the parent rows they reference. Depending on whether the target enforces foreign keys, those rows either abort the load or land as orphans that later break application logic and reporting, and reconciling them after the fact is costly. Option D is correct because a duplicate key violation means the target's uniqueness constraint rejected rows, either because the source itself holds duplicates or because the key mapping collapsed distinct records into one; in both cases rows are lost or the business key can no longer be trusted. Options A, B and E are not the high-risk pair: source downtime and rollback segment growth are operational and performance symptoms of a large load, and a data type mismatch is a mapping defect that is normally caught and corrected in the transformation rules before the load runs.

Exam trap

The trap here is that candidates often confuse operational issues (downtime, performance) with data integrity issues, or they underestimate the severity of referential integrity and duplicate key violations during migration.

378
MCQ · medium

A company is migrating its on-premises data center to a public cloud provider. Which of the following is the MOST important control to implement before migration to ensure data security?

A. Enable multi-factor authentication (MFA) for all cloud accounts
B. Deploy a cloud access security broker (CASB)
C. Establish a virtual private network (VPN) between on-premises and cloud
D. Implement data encryption at rest and in transit
Answer: D

Encryption ensures data confidentiality and integrity during and after migration.

Why this answer

Data encryption at rest and in transit is the most important control before migration because it protects sensitive data while it is being transferred and after it is stored in the cloud. In practice that means TLS (or another encrypted transfer channel) for the migration path and storage encryption, preferably with customer-managed keys, for the landed data. Without encryption, data could be intercepted on the network or read by anyone who gains access to the provider-side storage. This control directly addresses the core risk of data leakage during and after migration, which is a fundamental security requirement.

Exam trap

The trap here is that candidates often choose a VPN (Option C) thinking it fully secures data during migration, but they overlook that encryption at rest is equally critical and that a VPN only protects data in transit, not after it is stored in the cloud.

How to eliminate wrong answers

Option A is wrong because enabling MFA for cloud accounts is an important identity and access management control, but it does not protect data during the migration process itself or while at rest in the cloud. Option B is wrong because deploying a CASB is a monitoring and policy enforcement tool for cloud usage, but it is not a prerequisite for securing data during migration and does not provide the foundational encryption needed. Option C is wrong because establishing a VPN between on-premises and cloud secures the network channel during transit, but it does not address data at rest in the cloud, nor does it protect against threats within the cloud environment.

379
MCQ · hard

Based on the exhibit, which of the following is the MOST likely result of the current firewall configuration?

A. Remote SSH connections are permitted from any IP address
B. SSH access is restricted to the internal network
C. HTTPS traffic from the internal network is blocked
D. HTTPS traffic from the internet is allowed
Answer: A

Rule 1 allows SSH from anywhere.

Why this answer

The exhibit shows an access control list (ACL) that permits TCP traffic on port 22 (SSH) from any source IP address (0.0.0.0/0) to the destination IP address of the firewall's external interface. Since there is no source restriction, remote SSH connections are allowed from any IP address on the internet. This is a significant security risk because it exposes the firewall's management interface to brute-force attacks from the entire internet.

Exam trap

ISACA often tests first-match ACL evaluation: rules are checked in order, and the implicit deny at the end applies only to traffic that no earlier rule matched. Candidates sometimes assume the implicit deny blocks everything, forgetting that a packet matching the explicit permit never reaches it.

How to eliminate wrong answers

Option B is wrong because the ACL permits SSH from any source (0.0.0.0/0), not only from the internal network; no rule limits SSH to internal address ranges. Option C is wrong because the exhibit shows only the SSH rule: there is no rule of any kind for HTTPS (TCP port 443) from internal sources, so HTTPS originating inside the network is not addressed by this ACL one way or the other. Option D is wrong because there is no permit for HTTPS from the internet; such traffic matches no explicit rule and is dropped by the implicit deny at the end of the ACL.
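The first-match evaluation the explanation relies on, as an added example that is not code from the question page. The exhibit is not reproduced here, so the rule set is reconstructed from the explanation (one permit for TCP/22 from any source to the firewall's external address, then the implicit deny); the addresses, the internal range and the hardened rule set are assumptions.

```python
"""First-match evaluation of the ACL from question 379.

Added example; not code from the question page. The rule set is
reconstructed from the explanation and every address is an assumption
(documentation ranges are used so nothing here is routable).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

FW_EXTERNAL = ipaddress.ip_address("203.0.113.10")    # assumed external interface
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")      # assumed internal range
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp" or "ip" (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # None matches any destination port


def evaluate(acl, proto, src_ip, dst_ip, dport):
    """Walk the ACL in order; the first matching rule decides. A packet that
    matches nothing falls through to the implicit deny (rule index -1), so
    the implicit deny never "overrides" an earlier permit."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for index, rule in enumerate(acl):
        if rule.proto not in ("ip", proto):
            continue
        if src not in rule.src or dst not in rule.dst:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action, index
    return "deny", -1


FW_HOST = ipaddress.ip_network(f"{FW_EXTERNAL}/32")

# Rule 1 as described in the explanation: SSH permitted from anywhere.
ACL_CURRENT = [Rule("permit", "tcp", ANY, FW_HOST, 22)]

# Hardened version: management only from the internal range; the explicit
# deny documents intent instead of relying on the implicit one.
ACL_HARDENED = [
    Rule("permit", "tcp", INTERNAL_NET, FW_HOST, 22),
    Rule("deny", "tcp", ANY, FW_HOST, 22),
]


def exposure_report(acl):
    """Decision for the three traffic cases the answer options ask about."""
    cases = {
        "ssh_from_internet": ("tcp", "198.51.100.7", str(FW_EXTERNAL), 22),
        "ssh_from_internal": ("tcp", "10.20.30.40", str(FW_EXTERNAL), 22),
        "https_from_internet": ("tcp", "198.51.100.7", str(FW_EXTERNAL), 443),
    }
    return {name: evaluate(acl, *packet)[0] for name, packet in cases.items()}


if __name__ == "__main__":
    print("current :", exposure_report(ACL_CURRENT))
    print("hardened:", exposure_report(ACL_HARDENED))
```

Run it and the current ACL reports SSH permitted from both sources and HTTPS from the internet denied by the fall-through; the hardened ACL keeps internal SSH and denies the internet case by an explicit rule rather than by omission.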

380
MCQ · hard

A project uses a waterfall model. After design, the team discovers that the requirements have changed significantly. What is the BEST action?

A. Cancel the project and start over
B. Update the requirements and proceed with the design revision
C. Continue with original requirements as planned
D. Switch to an agile methodology for the remainder of the project
Answer: B

Updating requirements and adjusting design is necessary to ensure the final product aligns with current needs.

Why this answer

Option B is correct because in a waterfall model the practical response to a significant requirements change is to formally update the requirements, revise the design and accept the rework, rather than carrying a baseline known to be wrong into build and test. Continuing with the original requirements (C) produces a product that does not meet current needs; switching to agile mid-project (D) disrupts the process and does not by itself resolve the changed requirements; cancelling and restarting (A) is drastic unless the changes make the project infeasible.

381
Multi-Select · hard

An organization has implemented a database activity monitoring (DAM) solution. Which of the following are BEST practices for tuning the DAM to reduce false positives? (Choose TWO.)

Select 2 answers
A. Implement exclusions for routine maintenance activities
B. Enable alerts for all database queries
C. Increase the sensitivity of all detection rules
D. Review alerts in real-time only
E. Define a baseline of normal user behavior
Answers: A, E

Excluding known safe activities reduces false positives.

Why this answer

Implementing exclusions for routine maintenance activities (Option A) is a best practice because scheduled jobs such as index rebuilds, statistics updates and backups generate predictable, high-volume database activity that is not indicative of a threat; excluding them, scoped to the maintenance account and its job host rather than to the statement type alone, removes a large share of benign alerts without reducing coverage. Defining a baseline of normal user behavior (Option E) is the complementary practice: once the DAM knows which users run which statements against which objects, from which hosts and at which hours, it can alert on deviations instead of on every query. Enabling alerts for all queries (B) and raising sensitivity everywhere (C) do the opposite, and reviewing alerts in real time only (D) discards the retrospective review that tuning depends on.

Exam trap

The trap here is that candidates may think increasing sensitivity (Option C) improves detection, but it actually amplifies false positives, whereas the correct approach is to establish a baseline (Option E) and exclude known benign activities (Option A).

382
MCQ · hard

An IS auditor is evaluating the use of continuous auditing techniques. Which of the following is the MOST significant benefit of implementing continuous monitoring over traditional periodic audits?

A. Reduced need for substantive testing
B. Elimination of control risk assessments
C. Automated generation of audit reports
D. Timely detection of control deficiencies
Answer: D

Continuous monitoring detects issues in real time, allowing prompt corrective action.

Why this answer

Continuous monitoring provides timely detection of control deficiencies, enabling faster remediation.

383
MCQ · hard

A large enterprise is implementing a backup strategy for a critical database that requires an RTO of 2 hours and an RPO of 15 minutes. The database is 2 TB in size. Which backup method would BEST meet these requirements while minimizing storage costs?

A. Daily full backups
B. Continuous data protection (CDP) replicating to a remote site
C. Weekly full backups with transactional log backups every 15 minutes
D. A daily full backup and a differential backup every 4 hours
Answer: C

Log backups capture every transaction, achieving a 15-minute RPO, and storage cost is low compared to frequent full backups.

Why this answer

Option C is correct because weekly full backups with transaction log backups every 15 minutes cap data loss at the log interval, meeting the 15-minute RPO, and the log files are small compared with repeated full copies of a 2 TB database, so storage cost stays low. Recovery means restoring the last full backup and replaying the logs taken since; that a 2 TB restore plus up to a week of log replay fits inside the 2-hour RTO is a claim that must be proven by restore testing, not assumed. Option A fails the RPO (up to 24 hours of loss). Option B meets both objectives but is the most expensive option, replicating every write to a second site, which the question asks to avoid. Option D fails the RPO, since a differential every 4 hours leaves up to 4 hours of loss.

384
Multi-Select · hard

Which THREE are indicators of a possible data exfiltration attempt via the network? (Choose three.)

Select 3 answers
A. Use of unauthorized encryption or tunneling protocols
B. Unusual outbound data transfer volumes during non-business hours
C. Increase in phishing emails targeting executives
D. Repeated access attempts to sensitive databases by unauthorized users
E. Large number of HTTPS connections to legitimate cloud services
Answers: A, B, D

Unauthorized encryption can hide exfiltration.

Why this answer

Option A is correct because data exfiltration often involves bypassing security controls by using unauthorized encryption or tunneling protocols (e.g., SSH over port 443, IPsec over UDP, or custom VPNs) to hide malicious traffic within legitimate-looking flows. Such protocols can encapsulate stolen data and evade deep packet inspection (DPI) or data loss prevention (DLP) systems, making them a strong indicator of exfiltration attempts. Option B is correct because a host that normally sends little outbound data moving large volumes at 02:00 is the classic volume anomaly, which is why outbound byte counts should be baselined per host and per time of day. Option D is correct because repeated access attempts against sensitive databases by accounts that should not touch them are the staging step that precedes moving the data out. Option C is a precursor to compromise rather than an indicator that data is leaving. Option E describes ordinary traffic: most organizations push large volumes over HTTPS to sanctioned cloud services all day, so volume to a legitimate service is not an indicator by itself; it becomes one only when the destination account or tenant is not the organization's own, which requires proxy or CASB visibility rather than flow data.

Exam trap

ISACA often tests the distinction between precursors to an attack (like phishing) and actual indicators of exfiltration (like unauthorized tunneling or unusual outbound volumes), so candidates mistakenly choose phishing because it is a common attack vector, but it is not a network-level exfiltration indicator.
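The network-level indicators in Options A and B, applied to flow records as an added example that is not code from the question page. The flow records, hosts, per-host baselines and thresholds are constructed for illustration; real detection would draw on NetFlow/IPFIX or proxy logs with a learned baseline, and the protocol field assumes the sensor identifies the application by inspection rather than by port.

```python
"""Network-level exfiltration indicators over flow records.

Added example for question 384; not code from the question page. Every
flow, host and threshold below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: str          # "YYYY-MM-DD HH:MM"
    src: str
    dst: str
    dport: int
    app: str         # protocol as identified by inspection, not inferred from port
    out_bytes: int


# Constructed flows for one day. 10.1.1.40 is the Option E case: a lot of
# HTTPS to a sanctioned cloud service, all inside its normal volume.
FLOWS = [
    Flow("2024-03-11 10:05", "10.1.1.20", "52.0.0.10", 443, "tls", 3_000_000),
    Flow("2024-03-11 14:20", "10.1.1.20", "52.0.0.11", 443, "tls", 5_000_000),
    Flow("2024-03-11 02:40", "10.1.1.33", "198.51.100.9", 443, "ssh", 850_000_000),
    Flow("2024-03-11 03:10", "10.1.1.33", "198.51.100.9", 53, "dns", 120_000_000),
    Flow("2024-03-11 11:00", "10.1.1.40", "52.0.0.10", 443, "tls", 40_000_000),
]

BUSINESS_HOURS = range(8, 19)
# Per-host daily outbound baseline in bytes (constructed; a real one is learned).
BASELINE_OUT_BYTES = {"10.1.1.20": 10_000_000, "10.1.1.33": 20_000_000, "10.1.1.40": 50_000_000}
EXPECTED_APP_ON_PORT = {443: {"tls"}, 53: {"dns"}, 22: {"ssh"}}
VOLUME_MULTIPLIER = 5


def port_protocol_mismatch(flow):
    """Option A: tunnelling shows up as a protocol that does not belong on the
    port it is using (SSH on 443) or as a protocol carrying far more data
    than it should (DNS moving 120 MB)."""
    expected = EXPECTED_APP_ON_PORT.get(flow.dport)
    if expected is not None and flow.app not in expected:
        return f"{flow.app} on port {flow.dport}"
    if flow.app == "dns" and flow.out_bytes > 1_000_000:
        return "oversized DNS"
    return None


def detect(flows):
    """Return (host, indicator, detail) tuples. Volume is judged per host per
    day against its baseline (Option B), noting whether most of it moved
    outside business hours."""
    findings = []
    per_host = defaultdict(int)
    off_hours = defaultdict(int)
    for f in flows:
        mismatch = port_protocol_mismatch(f)
        if mismatch:
            findings.append((f.src, "tunnelling", mismatch))
        per_host[f.src] += f.out_bytes
        if int(f.ts[11:13]) not in BUSINESS_HOURS:
            off_hours[f.src] += f.out_bytes
    for host, total in per_host.items():
        base = BASELINE_OUT_BYTES.get(host, 0)
        if total > VOLUME_MULTIPLIER * base:
            when = "off-hours" if off_hours[host] > total / 2 else "business hours"
            detail = f"{total // 1_000_000} MB vs baseline {base // 1_000_000} MB, mostly {when}"
            findings.append((host, "volume", detail))
    return findings


if __name__ == "__main__":
    for host, kind, detail in detect(FLOWS):
        print(f"{host:12} {kind:10} {detail}")
```

Only 10.1.1.33 is flagged, three times: SSH where TLS belongs, DNS carrying far more than DNS should, and roughly 970 MB outbound against a 20 MB baseline with all of it overnight. 10.1.1.40 moved 40 MB over HTTPS to a legitimate service and is correctly silent, which is the Option E point.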

385
MCQ · medium

During the acquisition of a new software package, the procurement team evaluates two vendors. Vendor A offers a lower upfront cost but higher annual maintenance fees. Vendor B has a higher upfront cost but includes three years of maintenance. What is the MOST important factor for the IS auditor to consider?

A. The upfront cost of each vendor.
B. The vendor's market reputation.
C. The total cost of ownership over the expected life of the system.
D. The organization's budget constraints.
Answer: C

TCO gives a comprehensive cost comparison.

Why this answer

Option C is correct because total cost of ownership (TCO) captures acquisition, maintenance, support and upgrade costs over the system's expected life, which is the only basis on which the two pricing structures can be compared fairly. Option A is wrong because the upfront cost alone is misleading when maintenance fees differ. Option B is wrong because vendor reputation matters to the selection but does not answer the cost question.

Option D is wrong because budget constraints shape what management can afford, not which offer is cheaper over its life; the auditor's concern is that the comparison is sound, not the spending decision itself.

386
Multi-Select · medium

Which TWO controls are most effective for protecting data at rest on a database server? (Choose two.)

Select 2 answers
A. Placing the database server behind a firewall
B. Enforcing role-based access control (RBAC)
C. Implementing transparent data encryption (TDE)
D. Enabling SSL/TLS for client connections
E. Using file-level encryption on the database files
Answers: B, C

RBAC ensures only authorized users can access data.

Why this answer

Role-based access control (RBAC) restricts data access to authorized users based on their roles, directly preventing unauthorized viewing or modification of data at rest. Transparent data encryption (TDE) encrypts the database files at the storage level, ensuring that even if the physical media is stolen, the data remains unreadable without the encryption keys. Both controls address the core requirement of protecting data while it is stored on the database server. File-level encryption (Option E) also protects stored files, but TDE is the database-native form of the same control and additionally covers transaction logs and backups, which is why it is the stronger choice here; note that neither TDE nor file encryption stops a user who authenticates to the database, which is exactly the gap RBAC closes.

Exam trap

The trap here is that candidates often confuse network controls (firewall, SSL/TLS) with data-at-rest protection, mistakenly thinking perimeter security or transport encryption secures stored data, when in fact they only protect data in motion or the network layer.

387
MCQ · medium

During the implementation of a new ERP system, the project team discovers that the legacy system data cannot be directly migrated due to incompatible data formats. The project manager proposes building a custom script to extract, transform, and load (ETL) data. Which of the following is the BEST course of action?

A. Manually re-enter all legacy data into the new system.
B. Delay the implementation until a commercial migration tool is available.
C. Proceed with the custom ETL script after thorough testing and validation.
D. Abandon the legacy data and start fresh in the new system.
Answer: C

Custom ETL is appropriate with proper validation.

Why this answer

Option C is correct because building a custom ETL script is a common and acceptable approach when legacy data formats are incompatible with a new ERP system. The key is that the script must undergo thorough testing and validation to ensure data integrity, completeness, and accuracy before migration. This balances the need for timely implementation with the risk of data corruption, which can be mitigated through rigorous quality assurance processes.

Exam trap

The trap here is that candidates may assume custom scripts are inherently risky and choose to delay or abandon data, failing to recognize that with proper testing and validation, custom ETL is a standard and effective solution for incompatible data formats.

How to eliminate wrong answers

Option A is wrong because manual re-entry is error-prone, time-consuming, and impractical for large datasets, violating the principle of data integrity and efficiency in system implementation. Option B is wrong because delaying the implementation for a commercial migration tool is unnecessary when a custom ETL script can be developed and validated in a shorter timeframe, and commercial tools may still require customization for unique legacy formats. Option D is wrong because abandoning legacy data can lead to loss of critical historical records, operational continuity issues, and potential compliance violations, making it a high-risk and generally unacceptable approach.
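The validation that question 387 requires of a custom ETL script, and the two integrity failures question 377 flags, as one added example that is not code from the question page. The legacy extract, the table and column names and the target schema are constructed for illustration; the script reconciles the staged extract (completeness, orphaned children, duplicate keys) before attempting a constrained load into an in-memory SQLite database, which is where those failures would otherwise surface.

```python
"""Pre-load reconciliation checks for a legacy-to-ERP data migration.

Added example for questions 377 and 387; not code from the question page.
The extract rows, table names and column names are constructed so the
script runs offline.
"""
import sqlite3

# Constructed legacy extract: customers are parents, invoices are children.
# Invoice 2 appears twice (duplicate key) and invoice 3 references customer
# 999, which was never extracted (missing parent).
LEGACY_CUSTOMERS = [(100, "Acme"), (101, "Globex")]
LEGACY_INVOICES = [
    (1, 100, "250.00"),
    (2, 101, "99.50"),
    (2, 101, "99.50"),
    (3, 999, "10.00"),
]

TARGET_SCHEMA = """
CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE invoice (
    id INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customer(id),
    amount TEXT NOT NULL
);
"""


def stage(conn):
    """Land the raw extract in staging tables with no constraints, so every
    row arrives and can be inspected before the constrained load."""
    conn.executescript("""
        CREATE TABLE stg_customer (id INTEGER, name TEXT);
        CREATE TABLE stg_invoice (id INTEGER, customer_id INTEGER, amount TEXT);
    """)
    conn.executemany("INSERT INTO stg_customer VALUES (?, ?)", LEGACY_CUSTOMERS)
    conn.executemany("INSERT INTO stg_invoice VALUES (?, ?, ?)", LEGACY_INVOICES)
    conn.commit()


def completeness(conn):
    """Rows staged versus rows extracted: a gap here means records were
    dropped before the load even started."""
    staged = conn.execute("SELECT COUNT(*) FROM stg_invoice").fetchone()[0]
    return {"extracted": len(LEGACY_INVOICES), "staged": staged}


def find_orphans(conn):
    """Child rows whose parent key does not exist. With FK enforcement on
    they fail the load; with it off they silently become orphans."""
    return conn.execute("""
        SELECT i.id, i.customer_id
        FROM stg_invoice i LEFT JOIN stg_customer c ON c.id = i.customer_id
        WHERE c.id IS NULL
    """).fetchall()


def find_duplicate_keys(conn):
    """Primary-key values that occur more than once in the extract."""
    return conn.execute("""
        SELECT id, COUNT(*) FROM stg_invoice GROUP BY id HAVING COUNT(*) > 1
    """).fetchall()


def load_with_constraints(conn):
    """Run the real load with referential integrity enforced. Returns the
    first constraint error as text, or None if every row loaded."""
    conn.execute("PRAGMA foreign_keys = ON")   # a no-op inside a transaction; stage() committed
    conn.executescript(TARGET_SCHEMA)
    try:
        conn.execute("INSERT INTO customer SELECT * FROM stg_customer")
        conn.execute("INSERT INTO invoice SELECT * FROM stg_invoice")
        conn.commit()
        return None
    except sqlite3.IntegrityError as exc:
        conn.rollback()   # nothing partial is left behind
        return str(exc)


def run_checks():
    """Reconcile first, then attempt the load; the report shows both why the
    load fails and which extract rows need fixing."""
    conn = sqlite3.connect(":memory:")
    stage(conn)
    return {
        "completeness": completeness(conn),
        "orphans": find_orphans(conn),
        "duplicate_keys": find_duplicate_keys(conn),
        "load_error": load_with_constraints(conn),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

The reconciliation queries name the offending rows (invoice 3 with parent 999; key 2 twice), which is what the migration team needs to correct the extract. The constrained load only tells you that it failed, on the first bad row it meets, and a load against a target with foreign keys switched off would not even do that.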

388
MCQ · hard

A multinational corporation operates an e-commerce platform hosted in a private cloud environment. The platform consists of web servers, application servers, and a database cluster. The database cluster uses synchronous replication across two data centers (Primary and DR) located 500 km apart. The recovery time objective (RTO) for the platform is 2 hours, and the recovery point objective (RPO) is 15 minutes. During a recent disaster simulation, the primary data center lost power completely. The IT team initiated failover to the DR site. However, the failover process took 3 hours due to a misconfiguration in the DNS failover scripts, and the database was found to be inconsistent because the replication link was broken 30 minutes before the power loss. The team had to restore from a backup that was 4 hours old. After the incident, management requests a review of the disaster recovery plan. Which of the following is the BEST course of action to address the issues identified?

A. Increase the synchronous replication distance limit to ensure link stability over 500 km
B. Conduct a full-scale disaster recovery test including DNS failover and database consistency checks
C. Switch to asynchronous replication to avoid data loss during link failures
D. Implement automated DNS failover with health checks and reduce TTL values to 60 seconds
Answer: B

A comprehensive test would identify both the DNS script error and the replication link vulnerability, allowing corrective actions.

Why this answer

The correct answer is B because the incident revealed failures in DNS failover scripts (causing RTO breach) and database consistency checks (causing RPO breach). A full-scale test that includes DNS failover and database consistency validation is the only option that directly addresses both root causes, ensuring the DR plan meets the stated RTO of 2 hours and RPO of 15 minutes. Without such a test, the organization cannot verify that the failover process and data integrity mechanisms work as intended under realistic conditions.

Exam trap

The trap here is that candidates focus on the technical symptom (DNS failover delay) and choose a quick fix like automated DNS failover (Option D), while ignoring the more critical database inconsistency issue that requires a comprehensive test to validate the entire DR plan.

How to eliminate wrong answers

Option A is wrong because increasing the synchronous replication distance limit does not fix link stability; synchronous replication over 500 km is inherently prone to latency and link failures, and the issue was a broken replication link 30 minutes before the power loss, not a distance limit. Option C is wrong because switching to asynchronous replication would increase the risk of data loss beyond the 15-minute RPO, as asynchronous replication introduces a lag that could exceed the RPO during link failures, and the problem here was inconsistency, not replication mode. Option D is wrong because while automated DNS failover with health checks and reduced TTL values can improve failover speed, it does not address the database inconsistency caused by the broken replication link and the need to restore from a 4-hour-old backup, which requires validation of database consistency and backup integrity.

389
MCQ · easy

Which physical security control is most effective for preventing unauthorized individuals from tailgating into a data center?

A. Mantrap (dual-door interlocking system).
B. Security guards at the entrance.
C. Closed-circuit television (CCTV) surveillance.
D. Biometric fingerprint readers.
Answer: A

A mantrap requires entry through one door before the second opens, forcing single occupancy and preventing tailgating.

Why this answer

A mantrap, or dual-door interlocking system, is the most effective physical security control against tailgating because it physically isolates individuals in a small vestibule where both doors cannot be opened simultaneously. This forces authentication and verification for each person before the second door unlocks, preventing an unauthorized person from following an authorized individual through a single entry point.

Exam trap

The trap here is that candidates often choose biometric readers or CCTV because they associate them with high security, but fail to recognize that tailgating exploits the gap between authentication and physical passage, which only a mantrap's interlocking doors can mechanically enforce.

How to eliminate wrong answers

Option B is wrong because security guards, while useful for monitoring and deterrence, are prone to human error, distraction, or social engineering, and cannot guarantee prevention of tailgating in high-traffic scenarios. Option C is wrong because CCTV surveillance is a detective control that records events for after-the-fact review, not a preventive control that stops tailgating in real time. Option D is wrong because biometric fingerprint readers authenticate identity but do not prevent a second person from entering immediately after an authorized user without their own authentication.

390
Matching · medium

Match each audit risk component to its definition.


Concepts and matches

Inherent risk: Risk without controls

Control risk: Risk that controls fail

Detection risk: Risk that audit misses errors

Audit risk: Overall risk of incorrect opinion

Why these pairings

The audit risk model (audit risk = inherent risk × control risk × detection risk) is fundamental to CISA. The auditor cannot change inherent or control risk; detection risk is the component that the nature, timing and extent of audit procedures are sized to reduce, so a high assessment of the first two calls for more substantive testing.

391
MCQ · medium

You are an information security manager for a global financial services company. The organization maintains a hybrid infrastructure with critical customer data stored on an on-premises Oracle database server (DB-SRV-01) and in an AWS S3 bucket (customer-data-prod). At 10:00 AM, the security operations center (SOC) alerts you to an anomalous outbound data transfer from DB-SRV-01 to an unknown IP address in a high-risk country. The transfer started at 9:45 AM and involves 500 MB of data, likely including personally identifiable information (PII). The SOC has already quarantined the server's network egress by blocking all outbound traffic from DB-SRV-01, but the server remains connected to the internal production network. Meanwhile, a separate analysis indicates that the S3 bucket has been accessed via an IAM key that was stolen from a compromised developer workstation three days ago. The key has not been rotated. The incident response team is preparing to act. The primary objective is to protect information assets and minimize data exposure. Given this scenario, which of the following actions should the team take FIRST?

A. Restore DB-SRV-01 from a clean backup taken before the incident and change the IAM keys for the S3 bucket.
B. Notify the appropriate data protection authority within the required 72-hour timeframe.
C. Patch the Oracle database server to the latest version to close any known vulnerabilities.
D. Isolate DB-SRV-01 from the internal network by disconnecting its network cable or disabling the virtual switch port.
Answer: D

Isolating the server halts any ongoing data exfiltration and prevents the attacker from moving laterally to other systems. This preserves the system state for forensic analysis while containing the breach.

Why this answer

Option D is correct because isolating the affected server from the internal network is the most urgent containment step: the SOC blocked egress, but the server can still reach production systems, so lateral movement and further staging of data remain possible. Disabling the stolen IAM key is the next containment action, not a reason to delay isolation. Option C is incorrect because patching the server before the attack vector is understood can destroy forensic evidence and does not address the active compromise. Option B is incorrect because notifying the data protection authority is a legal obligation but not a containment action; the 72-hour window allows containment to come first.

Option A is incorrect because restoring from backup would erase forensic evidence, may reintroduce the same weakness, and bundles a recovery step with the key rotation that should happen separately and sooner.

392
MCQ · easy

Refer to the exhibit. A CISA is reviewing this S3 bucket policy. What is the PRIMARY security concern?

A. The bucket is configured for public read access
B. Encryption is not enforced on the bucket
C. The policy allows unauthorized write access
D. Versioning is not enabled on the bucket
Answer: A

The policy grants anonymous read access to all objects.

Why this answer

The bucket policy explicitly grants `s3:GetObject` to `Principal: "*"` with `Effect: "Allow"`, which means any unauthenticated user on the internet can read objects in the bucket. This is a classic misconfiguration that leads to public read access, exposing sensitive data. While encryption and versioning are important security controls, the immediate and most severe risk is unauthorized data disclosure via public read.

Exam trap

ISACA often tests the distinction between 'public read' and 'public write' — candidates may incorrectly assume the policy allows write access because it uses `"*"`, but the action is specifically `s3:GetObject`, so only read is permitted.

How to eliminate wrong answers

Option B is wrong because the policy does not mention encryption at all; while encryption enforcement is a best practice, the policy's explicit public read grant is a more direct and critical security concern. Option C is wrong because the policy only grants `s3:GetObject` (read) and does not include `s3:PutObject` or any write action, so unauthorized write access is not permitted by this policy. Option D is wrong because versioning is a data protection and recovery feature, not a security control that prevents unauthorized access; the lack of versioning does not create an immediate exposure risk like public read does.
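The read-versus-write distinction the exam trap turns on, as an added example that is not code from the question page. The exhibit is not reproduced, so the first policy is reconstructed from the explanation (Effect Allow, Principal "*", Action s3:GetObject) with an assumed bucket name, and a second policy shows the public-write variant for contrast; the classifier also handles wildcard actions, the `{"AWS": "*"}` spelling of an anonymous principal, and a Condition block that narrows the grant.

```python
"""Classifying public grants in an S3 bucket policy.

Added example for question 392; not code from the question page. The
policies are reconstructed or constructed and the bucket name is assumed.
"""
import json
from fnmatch import fnmatch

PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*"   # assumed bucket name
    }]
})

PUBLIC_WRITE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["s3:PutObject", "s3:DeleteObject"],
        "Resource": "arn:aws:s3:::example-bucket/*"
    }]
})

READ_ACTIONS = {"s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket"}
WRITE_ACTIONS = {"s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl", "s3:PutBucketPolicy"}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal):
    """Principal "*" and {"AWS": "*"} both mean anyone, signed-in or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def classify_policy(policy_json):
    """Return the set of public capabilities granted: 'public-read' and/or
    'public-write', suffixed with ' (conditional)' when a Condition block
    narrows the statement and should be reviewed rather than assumed safe."""
    findings = set()
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_anonymous_principal(stmt.get("Principal")):
            continue
        suffix = " (conditional)" if stmt.get("Condition") else ""
        for action in _as_list(stmt.get("Action", [])):
            # Wildcards such as "s3:*" or "s3:Get*" are matched as patterns.
            if any(fnmatch(known, action) for known in READ_ACTIONS):
                findings.add("public-read" + suffix)
            if any(fnmatch(known, action) for known in WRITE_ACTIONS):
                findings.add("public-write" + suffix)
    return findings


if __name__ == "__main__":
    print("read policy :", classify_policy(PUBLIC_READ_POLICY))
    print("write policy:", classify_policy(PUBLIC_WRITE_POLICY))
```

The reconstructed exhibit policy classifies as public-read only, which is the Option A finding; the contrasting policy classifies as public-write only. Note that a bucket policy is one of several controls: S3 Block Public Access at the account or bucket level overrides a grant like this, so a finding here should be confirmed against that setting before it is reported as exposure.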

393
MCQ · hard

An IS auditor reviews the disposal process of hard drives. Which of the following methods provides the HIGHEST assurance that data cannot be recovered?

A. Physical shredding.
B. Overwriting with zeros.
C. Degaussing.
D. Quick format.
Answer: A

Shredding destroys the physical media, ensuring data cannot be recovered.

Why this answer

Option A is correct because physical shredding destroys the media itself, so there is nothing left to recover regardless of drive technology. Option D is incorrect because a quick format only removes file system pointers and leaves the data in place. Option C is incorrect because degaussing works only on magnetic media: it does nothing to the flash cells of an SSD, and even on magnetic drives the degausser must be matched to the drive's coercivity.

Option B is incorrect because overwriting cannot reach reallocated sectors or the over-provisioned and wear-levelled areas of an SSD, so residual data can survive; it is an acceptable sanitisation method for many magnetic drives, but it does not give the highest assurance.

394
Multi-Select · medium

An organization is implementing IT governance based on COBIT. Which THREE of the following are enablers? (Select exactly three.)

Select 3 answers
A. Application software
B. Organizational structures
C. Culture, ethics, and behavior
D. Network infrastructure
E. Processes
Answers: B, C, E

Structures are enablers for decision-making.

Why this answer

COBIT 5 defines enablers as the factors that, individually and collectively, influence whether governance and management of enterprise IT will work: principles, policies and frameworks; processes; organizational structures; culture, ethics and behavior; information; services, infrastructure and applications; and people, skills and competencies. Processes (E), organizational structures (B) and culture, ethics and behavior (C) are three of these enabler categories. Application software (A) and network infrastructure (D) are individual resources that fall within the "services, infrastructure and applications" enabler rather than being enabler categories in their own right. (COBIT 2019 renames enablers as "components of a governance system".)

395
Multi-Select · medium

An organization is implementing an IT governance framework to align IT with business objectives. Which TWO of the following are primary responsibilities of the IT steering committee?

Select 2 answers
A. Performing daily IT operations
B. Defining IT security policies
C. Approving IT project budgets and priorities
D. Conducting technical vulnerability assessments
E. Ensuring IT investments deliver value
Answers: C, E

The IT steering committee provides oversight and approval for major IT investments and priorities.

Why this answer

Options C and E are correct. The IT steering committee is responsible for approving IT project budgets and priorities (C) and for ensuring that IT investments deliver value (E). Performing daily IT operations (A) is an operational management task.

Defining IT security policies (B) is typically the responsibility of the security function, subject to committee endorsement. Conducting technical vulnerability assessments (D) is a technical operational activity.

396
MCQ · medium

Based on the exhibit, which metric would be LEAST relevant to the 'Customer' perspective?

A. Number of New Features Delivered
B. System Uptime Percentage
C. Satisfaction Survey Score
D. Complaint Resolution Time
Answer: B

Uptime is more aligned with the internal process perspective.

Why this answer

Option B is correct because system uptime is an operational metric that belongs with the Internal Process perspective of the balanced scorecard, not with the Customer perspective, which measures how customers experience the service. Option C is incorrect because survey scores measure customer satisfaction directly. Option D is incorrect because complaint resolution time is a customer-facing metric.

Option A is incorrect because the number of new features delivered is less direct than satisfaction or complaint handling, but features are still something customers receive and notice, which makes it more relevant to this perspective than uptime. Uptime is the least relevant.

397
MCQ · medium

A large financial institution has a well-defined IT governance framework with a clear organizational structure, policies, and processes. However, the internal audit department has identified that several IT projects are over budget and behind schedule. The project managers blame unclear requirements and scope creep. The IT governance committee meets monthly but reviews projects only at a high level. The auditor's best recommendation to improve project governance is to:

A. Increase the frequency of security reviews for all projects
B. Change the IT steering committee's meeting frequency to weekly with detailed reviews
C. Establish a project management office (PMO) to oversee project governance and reporting
D. Require all projects to use a specific project management software tool
Answer: C

A PMO provides centralized oversight, standardizes processes, and ensures compliance with governance.

Why this answer

Option C is correct because a project management office (PMO) establishes standard project management practices, change control for scope, and consistent status reporting, which gives the governance committee the detailed visibility it currently lacks and addresses scope creep directly. Option A is wrong because it focuses on security reviews, not on delivery. Option B is tactical: more frequent and more detailed committee meetings add oversight effort without supplying the project management discipline that is missing.

Option D is wrong because a mandated software tool supports whatever process exists; it does not create the process, the scope control or the reporting discipline the projects lack.

398
Multi-Select · easy

Which TWO of the following are primary objectives of information classification? (Choose two.)

Select 2 answers
A. Simplify network architecture by segmenting data.
B. Determine appropriate access controls and protection requirements.
C. Improve system performance by prioritizing critical data.
D. Ensure compliance with legal and regulatory requirements.
E. Reduce storage costs by identifying duplicate data.
Answers: B, D

Classification helps define who needs access and what controls apply.

Why this answer

Information classification is a foundational security process that assigns sensitivity labels (e.g., public, internal, confidential, restricted) to data assets. Its primary objectives are to determine the appropriate access controls and protection requirements for each classification level (Option B) and to ensure compliance with legal and regulatory requirements such as GDPR, HIPAA, or PCI DSS (Option D). These objectives directly drive the implementation of security controls like encryption, access control lists (ACLs), and data loss prevention (DLP) policies.

Exam trap

The trap here is that candidates confuse the secondary benefits of classification (like improved storage management or network design) with its primary objectives, which are strictly about determining protection requirements and ensuring compliance.

399
MCQ medium

An IS auditor is reviewing the configuration for a web application. Which of the following is the MOST significant security weakness?

A. The authentication method is Basic
B. Session timeout is set to 600 seconds (10 minutes)
C. The base URL uses HTTPS
D. Encryption uses SSL instead of TLS
Answer: A

Basic authentication sends credentials in plain text if not sent over TLS; even with TLS, it is weaker than digest or certificate-based authentication.

Why this answer

Basic authentication transmits credentials Base64-encoded, which is trivially decoded by any attacker who can capture the traffic. Even when used over HTTPS, the credentials can be exposed in the browser's cache and in server logs, making this the most significant weakness among the options.

Exam trap

The trap here is that candidates often focus on the deprecated SSL protocol (Option D) as the most significant weakness, overlooking that Basic authentication exposes credentials in a trivially reversible format regardless of the transport layer security.

How to eliminate wrong answers

Option B is wrong because a 600-second (10-minute) session timeout is within acceptable limits for many web applications and does not represent a critical security weakness. Option C is wrong because using HTTPS for the base URL is a security best practice, not a weakness. Option D is wrong because while SSL is deprecated and TLS is preferred, using SSL instead of TLS is a configuration weakness but is less severe than transmitting credentials in plaintext via Basic authentication.

400
MCQ easy

A small manufacturing company uses a network-attached storage (NAS) device to store design files, financial records, and employee data. The NAS is backed up weekly to an external hard drive that is stored in the same office. The company has no encryption on the NAS or the backup drive. One weekend, the office is burglarized, and both the NAS and the backup drive are stolen. The company had no remote backup. Which of the following would have best protected the data in this scenario?

A. Enabling full-disk encryption on the NAS
B. Implementing strong passwords and user authentication on the NAS
C. Storing a backup offsite in a secure location
D. Installing a security camera and alarm system
Answer: A

Encryption renders data unreadable without the key.

Why this answer

Full-disk encryption (FDE) on the NAS would render the data unreadable without the decryption key, even if the physical device is stolen. Since the backup drive was also unencrypted and stored in the same location, both were equally vulnerable. FDE protects data at rest, which is the primary risk in a theft scenario where physical access is obtained.

Exam trap

The trap here is that candidates often choose offsite backup (Option C) because it is a best practice for disaster recovery, but the question specifically asks for protection of the data in a theft scenario where both the primary and backup are stolen together, making encryption the only effective control.

How to eliminate wrong answers

Option B is wrong because strong passwords and user authentication protect against unauthorized logical access over the network, but they do nothing to protect data once the physical device is stolen and the attacker can bypass the OS by directly reading the disks. Option C is wrong because storing a backup offsite would protect the backup from being stolen in the same burglary, but it does not protect the primary NAS data that was also stolen; the question asks for the best protection of the data in this scenario, and offsite backup alone leaves the primary copy exposed. Option D is wrong because security cameras and alarm systems are physical deterrents that may reduce the risk of theft, but they do not protect the data if the theft still occurs; they are preventive controls, not data protection controls.

401
MCQ hard

During a risk assessment, an IS auditor identifies that the IT department has not performed a business impact analysis (BIA) for critical systems. Which of the following is the MOST significant risk?

A. Non-compliance with software licensing
B. Increased likelihood of security breaches
C. Inability to calculate total cost of ownership
D. Uncertainty regarding recovery time objectives for critical systems
Answer: D

BIA defines RTOs; without it, recovery priorities are unclear.

Why this answer

Option D is correct because without a BIA, recovery time objectives (RTOs) are uncertain, leading to potentially unacceptable downtime. Option B is a possible consequence but not the primary risk. Option C is incorrect because a BIA addresses recovery, not cost.

Option A is less direct.

402
MCQ medium

Based on the exhibit, what is the most likely control weakness that allowed this condition?

A. Weak password complexity requirements
B. Lack of individual accountability for privileged actions
C. Failure to disable the default administrator account
D. Inadequate segregation of duties between IT and security teams
Answer: B

Using a shared privileged account prevents attribution of actions to individuals.

Why this answer

The exhibit shows that multiple users are sharing a single privileged account (e.g., 'root' or 'admin') to perform administrative actions. Without unique user IDs for each administrator, it is impossible to map specific actions (e.g., a 'sudo' command or a configuration change) back to an individual. This lack of individual accountability is the core control weakness, as it violates the audit principle of non-repudiation and prevents effective forensic investigation.

Exam trap

The trap here is that candidates confuse 'shared accounts' with 'default accounts' (Option C) or 'weak passwords' (Option A), but the exhibit's key indicator is multiple users logging in with the same non-default privileged account, which directly points to a lack of individual accountability.

How to eliminate wrong answers

Option A is wrong because weak password complexity requirements would allow brute-force attacks, but the exhibit shows shared credentials, not a password cracking scenario. Option C is wrong because failure to disable the default administrator account is a specific vulnerability (e.g., leaving the 'sa' account enabled in SQL Server), but the exhibit indicates multiple users actively using a shared account, not a dormant default account. Option D is wrong because inadequate segregation of duties between IT and security teams would involve conflicting roles (e.g., a network admin also managing firewall rules), but the exhibit focuses on shared credentials, not role separation.

403
MCQ medium

During user acceptance testing (UAT) of a new financial system, users report that the system fails to enforce a segregation of duties rule where the same user should not be able to create a purchase order and approve it. The requirement was documented in the functional specifications. Which of the following is the MOST likely cause of this issue?

A. Performance testing was prioritized over functional testing.
B. The functional requirements were incomplete.
C. The requirements were ambiguous and misinterpreted by developers.
D. The system was not configured to enforce the control.
Answer: D

The system likely has the capability but was not properly configured.

Why this answer

Option D is correct because the segregation of duties (SoD) rule is a functional control that must be explicitly configured in the system's authorization or workflow engine. Since the requirement was documented in the functional specifications, the most likely cause is that the system was not configured to enforce the control, meaning the access control list (ACL) or role-based access control (RBAC) settings did not prevent the same user from both creating and approving a purchase order.

Exam trap

The trap here is that candidates may assume the issue is due to incomplete or ambiguous requirements (options B or C) when the requirement was clearly documented, but the real cause is a failure to configure the control in the system's security settings.

How to eliminate wrong answers

Option A is wrong because performance testing focuses on system responsiveness and throughput, not on functional controls like segregation of duties; prioritizing performance testing over functional testing would not directly cause a missing SoD enforcement. Option B is wrong because the requirement was documented in the functional specifications, so the functional requirements were complete; the issue is not incompleteness but a failure in implementation or configuration. Option C is wrong because the requirement to prevent the same user from creating and approving a purchase order is unambiguous and not open to misinterpretation; the developers likely understood the requirement but did not configure the system to enforce it.

404
MCQ easy

Refer to the exhibit. An IS auditor is reviewing backup error logs. The error indicates a failed backup due to a missing file. What is the MOST likely cause?

A. The backup job was scheduled during peak hours causing timeout
B. The destination path '\\BackupServer01\Backup\Shares' is invalid
C. A file in the source volume was moved or deleted during the backup window
D. Insufficient disk space on the backup destination
Answer: C

File not found during backup is common when files change.

Why this answer

The error indicates a failed backup due to a missing file. The most likely cause is that a file in the source volume was moved or deleted during the backup window. Backup processes that read files directly from the live volume rather than from a point-in-time snapshot (such as one taken with Volume Shadow Copy Service on Windows) are exposed to this: if a file is moved or deleted after the backup enumerates it but before the backup agent reads it, the backup fails with a 'missing file' error.

This is a classic race condition in file-level backups without proper snapshot consistency.

Exam trap

The trap here is that candidates may confuse a 'missing file' error with a destination path issue or resource constraint, but the error message specifically points to a source-side file inconsistency, not a connectivity or capacity problem.

How to eliminate wrong answers

Option A is wrong because a timeout due to peak hours would typically produce a 'timeout' or 'operation aborted' error, not a 'missing file' error. Option B is wrong because an invalid destination path would cause a 'path not found' or 'access denied' error at the start of the backup, not a mid-backup missing file error. Option D is wrong because insufficient disk space on the destination would generate a 'disk full' or 'out of space' error, not a 'missing file' error.

405
MCQ hard

An IS auditor is reviewing the incident management process. The organization has a policy that all security incidents must be reported within one hour. However, the average reporting time is four hours. Which is the BEST corrective action?

A. Reduce the reporting time requirement
B. Increase penalties for non-compliance
C. Implement automated incident detection
D. Provide additional training to staff
Answer: D

Training improves awareness and compliance with reporting requirements.

Why this answer

Option D is correct because additional training addresses the human factors causing reporting delays. Option A lowers the standard; B is punitive; C might help but is not the best first step.

406
MCQ easy

An organization is replacing its legacy customer relationship management (CRM) system. Which of the following is the MOST important control to ensure data integrity during the data conversion process?

A. Perform reconciliation of total record counts and key field sums before and after conversion.
B. Implement encryption for data in transit during migration.
C. Conduct user acceptance testing on the new system.
D. Ensure data mapping documents are approved by business owners.
Answer: A

Reconciliation verifies accuracy and completeness of data conversion.

Why this answer

Option A is correct because reconciliation of record counts and key field sums verifies that all records were transferred completely and accurately. Option B is security, not integrity. Option C is about functionality, not conversion accuracy.

Option D supports correct mapping design but does not verify the completeness or accuracy of the converted data.

407
MCQ hard

During data conversion from a legacy system to a new ERP, the project team decides to clean data during extraction but not during loading. What is the PRIMARY risk associated with this approach?

A. Data integrity issues may remain undetected in the target system.
B. The legacy system performance may degrade.
C. The project may exceed its budget due to rework.
D. The conversion process will be significantly slower.
Answer: A

Errors can be introduced after extraction, so cleaning only at source is insufficient.

Why this answer

Cleaning data only during extraction and not during loading means that any data quality issues introduced during the extraction process or that become apparent only after mapping to the target schema will not be caught. This creates a primary risk that data integrity issues—such as referential integrity violations, duplicate keys, or format mismatches—will remain undetected in the new ERP system, potentially corrupting business operations and reporting.

Exam trap

The trap here is that candidates focus on operational concerns like speed or cost, rather than the core IS audit principle that data integrity is the paramount risk when data is not validated at the final point of entry into the target system.

How to eliminate wrong answers

Option B is wrong because legacy system performance degradation is not a primary risk of the data cleaning approach; it is more related to the extraction method (e.g., full table scans) rather than the cleaning phase. Option C is wrong because while rework could occur, the primary risk is not budget overrun but undetected data integrity issues that could cause systemic failures. Option D is wrong because cleaning during extraction can actually slow the extraction process, but the question asks about the primary risk, and performance speed is secondary to data integrity.

408
MCQ hard

An IS auditor is evaluating a system development project that uses an outsourced team. The contract allows the vendor to reuse some of the developed code in other projects. What is the auditor's PRIMARY concern?

A. The vendor might not deliver on time.
B. The organization may lose control of intellectual property.
C. The vendor may not maintain the code after the project ends.
D. The vendor may use substandard development practices.
Answer: B

Reuse rights could dilute exclusivity and security control.

Why this answer

The contract clause allowing the vendor to reuse developed code in other projects directly transfers ownership or licensing rights of the intellectual property (IP) to the vendor. This means the organization may lose exclusive control over the code, potentially allowing competitors to access proprietary logic or algorithms. The IS auditor's primary concern is safeguarding the organization's IP assets, as this loss can have long-term strategic and competitive implications.

Exam trap

The trap here is that candidates focus on operational risks (delays, maintenance, quality) rather than the contractual and legal risk of losing intellectual property rights, which is the auditor's primary concern when the vendor is explicitly allowed to reuse code.

How to eliminate wrong answers

Option A is wrong because delivery timelines are a project management risk, not the primary audit concern when IP reuse rights are granted; the contract clause directly addresses IP, not schedule. Option C is wrong because post-project maintenance is a separate contractual issue (e.g., SLA for support) and is not inherently tied to the vendor's right to reuse code; the auditor's focus is on ownership, not ongoing maintenance. Option D is wrong because substandard development practices are a quality risk that can be mitigated through code reviews and testing, but the explicit permission to reuse code is a direct IP concern, not a quality concern.

409
MCQ easy

When implementing a commercial off-the-shelf (COTS) system, what is the MOST important factor?

A. Customization to fit all requirements
B. Lowest total cost
C. Vendor reputation
D. Alignment with business processes with minimal modification
Answer: D

Minimal modification reduces risk and cost.

Why this answer

When implementing a commercial off-the-shelf (COTS) system, the most important factor is alignment with business processes with minimal modification. COTS systems are designed to provide standardized functionality; extensive customization undermines the core benefits of reduced cost, faster deployment, and easier vendor support. Modifying the COTS codebase creates a 'forked' version that complicates patch management, increases testing overhead, and risks incompatibility with future vendor updates, directly contradicting the acquisition rationale.

Exam trap

The trap here is that candidates confuse 'customization' (modifying source code) with 'configuration' (using built-in parameters), and mistakenly believe that tailoring the software to every requirement is the goal, when in fact minimizing modification is the key to preserving the COTS benefits of low cost and easy maintenance.

How to eliminate wrong answers

Option A is wrong because extensive customization of a COTS system negates its primary advantages—lower total cost of ownership, faster time-to-market, and simplified maintenance—by creating a unique codebase that requires custom testing, documentation, and support, often leading to vendor lock-in and upgrade failures. Option B is wrong because while total cost is a consideration, prioritizing the lowest initial cost can lead to hidden expenses from necessary modifications, integration work, or poor vendor support; the most important factor is ensuring the COTS product fits business processes to avoid costly rework. Option C is wrong because vendor reputation is secondary to functional fit; a reputable vendor's product that requires heavy customization will still incur significant long-term costs and risks, whereas a less-known vendor with a product that aligns closely with business needs can deliver greater value.

410
MCQ hard

What is the primary security concern in this architecture?

A. Traffic between application and database servers is not encrypted
B. Web servers are directly accessible from the internet
C. Database port is exposed to application servers
D. Lack of intrusion detection
Answer: A

Sensitive data in transit should be encrypted.

Why this answer

The primary security concern is that traffic between the application and database servers is not encrypted. In a typical three-tier web architecture, sensitive data such as authentication credentials, SQL queries, and result sets are transmitted in cleartext if TLS/SSL is not enforced between the application layer and the database layer. This exposes the data to eavesdropping or man-in-the-middle attacks on the internal network, which is a direct violation of the principle of defense in depth and common compliance requirements like PCI DSS or HIPAA.

Exam trap

The trap here is that candidates often focus on perimeter defenses (like web server exposure) or operational controls (like intrusion detection) instead of recognizing that unencrypted internal traffic between trusted tiers is a critical and often overlooked vulnerability in application architecture.

How to eliminate wrong answers

Option B is wrong because web servers being directly accessible from the internet is a standard and expected design in a three-tier architecture; they are placed in a DMZ and are meant to serve public traffic, so this is not a primary security concern. Option C is wrong because exposing the database port (e.g., TCP 3306 for MySQL or 1433 for MSSQL) to application servers is necessary for the application to function; the risk is mitigated by firewall rules and network segmentation, not by hiding the port. Option D is wrong because lack of intrusion detection is a monitoring deficiency, not the primary security concern; while important, it is a detective control, whereas the unencrypted traffic is a direct exposure of data in transit.

411
Multi-Select medium

Which THREE of the following are best practices for managing system testing in an IS development project?

Select 3 answers
A. Create test data that mirrors production data.
B. Perform testing in an environment identical to production.
C. Implement automated regression tests for critical functions.
D. Use an independent test team separate from developers.
E. Developers should test their own code thoroughly.
Answers: A, C, D

Realistic test data uncovers more issues.

Why this answer

Creating test data that mirrors production data is a best practice because it ensures that the test environment closely reflects real-world data volumes, distributions, and edge cases. This approach helps uncover defects that might only appear under production-like data conditions, such as performance bottlenecks, data integrity issues, or boundary value errors. It also validates that the system handles the actual data formats and constraints it will encounter in production.

Exam trap

The trap here is that candidates may assume a production-identical environment is always a best practice, but the CISA exam emphasizes cost-benefit analysis and practical constraints, making 'identical' too absolute; instead, the focus is on using a representative environment and independent testing to ensure quality.

412
Multi-Select easy

Which TWO of the following are benefits of using a version control system in software development?

Select 2 answers
A. Generate test cases
B. Eliminate all bugs
C. Automate deployment
D. Rollback to previous versions
E. Track changes made by developers
Answers: D, E

Core feature.

Why this answer

Option D is correct because version control systems (e.g., Git, SVN) allow developers to revert code to a previous commit or tag, enabling recovery from bugs or regressions. This rollback capability is a core feature that preserves the history of the codebase and supports safe experimentation.

Exam trap

The trap here is that candidates confuse version control with CI/CD or testing tools, mistakenly thinking VCS can automate deployment or generate test cases, when its primary purpose is change tracking and history management.

413
MCQ hard

A financial institution is required by regulators to demonstrate that IT controls are effective. Which of the following provides the BEST evidence?

A. IT balanced scorecard
B. Internal audit reports
C. IT risk register
D. Service organization control (SOC) reports
Answer: D

SOC reports provide independent assurance on controls.

Why this answer

Service organization control (SOC) reports are independent audits of control effectiveness, highly regarded by regulators. Internal audit reports are valuable but may lack independence; risk register and balanced scorecard are not direct evidence of control effectiveness.

414
MCQ easy

An IT department uses a balanced scorecard to measure performance. Which metric would BEST reflect the 'customer perspective'?

A. Training hours per employee
B. System uptime percentage
C. User satisfaction survey results
D. Project completion rate
Answer: C

Directly measures customer perception.

Why this answer

Option C is correct because the customer perspective focuses on user satisfaction and service responsiveness. Option B is incorrect as system uptime is an internal process metric. Option D is incorrect as project completion rate is an internal efficiency metric.

Option A is incorrect as training hours relate to the learning and growth perspective.

415
MCQ medium

Refer to the exhibit. An auditor reviews the security log of a sensitive server. Which of the following is the MOST suspicious event?

A. The use of Negotiate authentication package
B. The logoff event at 23:45:12
C. The remote interactive logon from IP 192.168.10.50 using NTLM
D. The logon from workstation WS-FINANCE at 10.0.0.15
Answer: C

Remote interactive logon allows interactive access, and the source IP is different from the usual internal range; NTLM is less secure.

Why this answer

Option C is correct because a logon type 10 (Remote Interactive) from an unknown IP (192.168.10.50) using NTLM could indicate an unauthorized remote desktop session, especially if the employee is not on shift or the IP is unfamiliar. Option A is an authentication package, not a suspicious event in itself; Option B is a routine logoff; Option D is a normal logon from an internal workstation.

416
Multi-Select easy

Which THREE of the following are typical phases in the system development life cycle (SDLC)?

Select 3 answers
A. Unit testing.
B. Implementation.
C. Patch management.
D. Requirements analysis.
E. Design.
Answers: B, D, E

Implementation phase involves coding, testing, and deployment.

Why this answer

Implementation is a standard phase in the SDLC where the designed system is built, coded, and deployed into the production environment. This phase follows design and precedes testing and maintenance, ensuring the solution is operational and meets the specified requirements.

Exam trap

The trap here is confusing operational activities like patch management or specific testing techniques with the high-level phases of the SDLC, leading candidates to select activities that occur post-deployment or are sub-steps of a phase.

417
MCQ hard

A multinational corporation's data center in the European Union (EU) stores personal data of EU citizens. The company must comply with the General Data Protection Regulation (GDPR), which requires that personal data be protected and that data subjects have the right to erasure ('right to be forgotten'). The company's IT team uses a centralized identity management system that stores user credentials and personal data in an active directory (AD) forest. The AD forest is replicated across multiple data centers worldwide, including a non-EU country. The data protection officer (DPO) is concerned that personal data might be inadvertently replicated to jurisdictions without adequate protection. Which of the following is the most effective way to address this concern?

A. Pseudonymize all personal data before storing it in AD
B. Encrypt all personal data at rest and in transit, with keys held solely within the EU
C. Implement data residency controls to ensure EU personal data is only stored and processed within the EU
D. Obtain explicit consent from all EU data subjects for international data transfer
Answer: C

Technical controls can enforce geographic boundaries for data replication.

Why this answer

Option C is correct because GDPR mandates that personal data of EU citizens must not be transferred to countries without adequate protection unless specific safeguards are in place. Implementing data residency controls ensures that EU personal data is stored and processed only within the EU, preventing inadvertent replication to non-EU jurisdictions via AD replication. This directly addresses the DPO's concern by enforcing geographic boundaries on data storage and processing.

Exam trap

The trap here is that candidates often confuse encryption (Option B) with data residency, thinking encryption alone prevents data exposure, but encryption does not stop replication and may still allow data to be stored in non-EU jurisdictions where it could be subject to local access laws.

How to eliminate wrong answers

Option A is wrong because pseudonymization reduces identifiability but does not prevent data from being replicated to non-EU jurisdictions; the pseudonymized data remains personal data under GDPR and could still be subject to inadequate protection. Option B is wrong because encryption protects data confidentiality but does not prevent replication; if keys are held solely within the EU, the data can still be replicated to non-EU servers, and the encrypted data may be accessible if the key management is compromised or if the encryption is bypassed during replication. Option D is wrong because explicit consent for international data transfer is a possible lawful basis but is not the most effective technical control; it does not prevent inadvertent replication and can be withdrawn by data subjects, making it unreliable for ongoing compliance.

418
Multi-Select medium

An IS auditor is evaluating the controls over program changes. Which TWO of the following are essential controls?

Select 2 answers
A. Management authorization for the change
B. Documented change request
C. Automated deployment scripts
D. Regression testing of all changes
E. Post-change review by independent party
Answers: A, B

Authorization ensures changes are approved by appropriate parties.

Why this answer

Options A and B are correct because documented change requests and management authorization are fundamental to ensure changes are controlled and approved. Option C is not essential as automation is a tool, not a control. Option D is a good practice but not essential for authorization.

Option E is a testing control, not directly an authorization control.

419
MCQ medium

An IT manager is reviewing the service level agreements (SLAs) for a cloud-based email service. The SLA guarantees 99.9% uptime per month. The service experienced an outage of 45 minutes in a 30-day month. Did the service meet the SLA?

A. Yes, because 45 minutes is within 0.1% of the total time.
B. Yes, because the SLA is calculated per day, not per month.
C. No, because any downtime exceeding 30 minutes is a violation.
D. No, because the allowed downtime for 99.9% uptime is approximately 43 minutes.
Answer: D

The SLA allows 43.2 minutes; 45 minutes is over the limit.

Why this answer

The SLA guarantees 99.9% uptime per month. For a 30-day month (43,200 minutes), 99.9% uptime allows only 0.1% downtime, which is 43.2 minutes. The actual outage of 45 minutes exceeds this threshold, so the SLA was not met.

Option D correctly identifies the allowed downtime as approximately 43 minutes.

Exam trap

The trap here is that candidates may incorrectly round 43.2 minutes to 43 minutes and then assume 45 minutes is close enough, or they may mistakenly think 0.1% of a month is 30 minutes, leading them to choose option C.

How to eliminate wrong answers

Option A is wrong because 45 minutes is not within 0.1% of the total time; 0.1% of 43,200 minutes is 43.2 minutes, so 45 minutes exceeds the allowed downtime. Option B is wrong because the SLA explicitly states 'per month,' not per day, and calculating per day would allow even less downtime (e.g., 0.1% of 1,440 minutes = 1.44 minutes per day). Option C is wrong because the SLA does not specify a 30-minute threshold; the allowed downtime is derived from the 99.9% uptime calculation, not an arbitrary 30-minute limit.

420
MCQ hard

You are the IT audit manager for a multinational corporation. The company recently implemented a new enterprise resource planning (ERP) system using a phased rollout approach. The first phase (finance module) was deployed to three regional offices six months ago. During a post-implementation review, you discovered that the user acceptance testing (UAT) for the finance module was completed in only two days instead of the planned two weeks. The UAT was performed by a small group of power users selected by the project manager, and they reported no critical issues. However, after go-live, several finance staff in one region found that the system does not support a statutory reporting requirement specific to that country, which was not tested. The project manager argues that the requirement was never documented in the business requirements specification. The system has been live for six months, and the missing functionality requires a significant customization that will take three months and cost $200,000. Management is reluctant to fund the customization because the budget is exhausted. As the IT auditor, what is the BEST course of action?

A.Report the project manager to senior management for failing to include the requirement
B.Recommend that the organization accept the risk and proceed without the customization
C.Advise the project manager to retroactively document the requirement and request a change order for the customization
D.Recommend that management implement a formal UAT process with representatives from all regions and include a checklist of statutory requirements for future rollouts
AnswerD

This addresses the root cause—inadequate UAT—and prevents similar issues in future phases.

Why this answer

Option D is correct because the root cause is a deficient UAT process, not just a missing requirement. A formal UAT process with representatives from all regions and a statutory requirements checklist would have caught the country-specific reporting need before go-live. As an IT auditor, recommending process improvements for future rollouts addresses the systemic control weakness, which is more effective than blaming individuals or accepting risk without remediation.

Exam trap

The trap here is that candidates focus on the missing requirement or blame the project manager, rather than recognizing that the core issue is a weak UAT process that failed to include all regional stakeholders and statutory requirements, which is a systemic control weakness the auditor should address.

How to eliminate wrong answers

Option A is wrong because the project manager correctly notes the requirement was never documented in the business requirements specification; reporting him without addressing the process gap does not fix the underlying UAT deficiency. Option B is wrong because accepting the risk of non-compliance with a statutory reporting requirement could lead to regulatory penalties, which is not a prudent recommendation for an auditor. Option C is wrong because retroactively documenting a requirement and requesting a change order after six months of live operation is a project management action, not an audit recommendation; it does not prevent recurrence and may not be feasible given budget exhaustion.

421
MCQhard

An IS auditor is testing the effectiveness of a preventive control that rejects invalid transactions. The auditor uses a computer-assisted audit technique (CAAT) to create a set of test transactions. What is the primary risk associated with this approach?

A.The audit may disrupt system performance
B.Test transactions may be processed as real transactions
C.Test transactions may not be representative
D.The CAAT may corrupt production data
AnswerB

If test data is not properly isolated, it can be accepted as actual data, causing data integrity issues.

Why this answer

The primary risk is that test transactions may be processed as real transactions if the CAAT does not properly isolate them from the production environment. This could result in unintended data corruption, financial misstatements, or operational disruptions. The auditor must ensure that test data is clearly flagged or run in a separate test environment to avoid integration with live processing.

Exam trap

The trap here is that candidates often confuse the risk of test transactions being processed as real (option B) with the risk of CAATs corrupting production data (option D), but corruption is a consequence of the processing error, not the direct risk of the CAAT tool itself.

How to eliminate wrong answers

Option A is wrong because system performance disruption is a secondary operational risk, not the primary risk specific to using test transactions; CAATs are designed to minimize performance impact. Option C is wrong because while representativeness is a concern for test data validity, it is not the primary risk of the approach—the core risk is that test transactions could be processed as real. Option D is wrong because CAATs themselves do not corrupt production data; the corruption occurs only if test transactions are mistakenly processed as real, which is already covered by option B.

422
MCQeasy

During the feasibility study for a new inventory system, the project team identifies that the expected benefits are significantly lower than the initial estimates. What is the MOST appropriate action for the IS auditor to recommend?

A.Proceed with the project as planned, focusing on cost reduction.
B.Cancel the project immediately and document lessons learned.
C.Continue with the project but postpone the benefits realization.
D.Re-evaluate the feasibility study and update the business case.
AnswerD

Re-evaluation ensures accurate decision-making based on current data.

Why this answer

When expected benefits fall significantly below initial estimates, the IS auditor should recommend re-evaluating the feasibility study and updating the business case. This ensures that the project's justification is based on current, accurate data before proceeding, which is a key control in the systems development lifecycle (SDLC) to prevent investment in a project that may no longer deliver adequate value.

Exam trap

The trap here is that candidates may confuse the need for immediate project cancellation (Option B) with proper project governance, but the correct approach is to first re-evaluate the feasibility study to determine if the project can be salvaged with a revised business case.

How to eliminate wrong answers

Option A is wrong because proceeding as planned while focusing on cost reduction ignores the fundamental issue that the benefits no longer justify the investment, which could lead to a failed project. Option B is wrong because canceling the project immediately is premature without first reassessing the feasibility study and exploring whether the business case can be revised to reflect realistic benefits. Option C is wrong because continuing the project while postponing benefits realization does not address the root cause of the benefit shortfall and may result in wasted resources on a project that cannot achieve its intended objectives.

423
MCQmedium

An IT audit revealed that the organization's IT steering committee has not met in the past six months. Which of the following is the MOST likely consequence of this situation?

A.Higher IT staff turnover.
B.Increased number of security incidents.
C.Inconsistent IT policies across departments.
D.Delayed decision-making on IT investments.
AnswerD

The committee's primary role is to make strategic decisions.

Why this answer

Option D is correct because the steering committee is responsible for approving and prioritizing IT investments; a lack of meetings delays those decisions. Option C may occur but is a less direct consequence. Option A is unrelated. Option B may happen but is secondary.

424
Multi-Selecteasy

Which TWO of the following are benefits of establishing an IT steering committee?

Select 2 answers
A.Improved operational efficiency of IT systems
B.Enhanced prioritization of IT investments
C.Better alignment between IT and business strategy
D.Reduction of management overhead
E.Direct control over technical IT decisions
AnswersB, C

Prioritization is a core benefit.

Why this answer

Options B and C are correct because an IT steering committee provides strategic alignment and prioritization of IT initiatives. Option D is not a benefit; a committee may add bureaucracy rather than reduce management overhead. Option A is not a direct benefit; operational efficiency is management's responsibility. Option E is not a primary benefit; detailed technical decisions are outside the committee's scope.

425
Multi-Selecteasy

Which TWO of the following are primary objectives of the audit planning phase? (Select TWO.)

Select 2 answers
A.Develop detailed audit procedures
B.Identify and assess risks relevant to the audit
C.Test the effectiveness of internal controls
D.Issue the final audit report
E.Define audit scope and objectives
AnswersB, E

Risk assessment is a key planning activity.

Why this answer

During the audit planning phase, the primary objectives are to define the audit scope and objectives (Option E) and to identify and assess risks relevant to the audit (Option B). This sets the foundation for the entire audit engagement, ensuring resources are focused on high-risk areas and that the audit is aligned with organizational goals. Detailed procedures are developed later, and testing controls or issuing reports occur in subsequent phases.

Exam trap

The trap here is confusing the planning phase with the execution phase, leading candidates to select 'develop detailed audit procedures' (Option A) as a planning objective, when it is actually a step in the audit program development after planning is complete.

426
MCQeasy

Which of the following is the PRIMARY objective of an operational audit?

A.To identify security vulnerabilities
B.To evaluate financial reporting
C.To verify compliance with laws
D.To assess the efficiency and effectiveness of operations
AnswerD

Operational audits evaluate how well resources are used and objectives are met.

Why this answer

Option D is correct because an operational audit focuses on the efficiency and effectiveness of operations. Options A, B, and C are objectives of other types of audits.

427
MCQmedium

An organization is planning to outsource its data center operations. Which of the following governance practices should be implemented to ensure proper oversight?

A.Conduct annual financial audits of the outsourcer.
B.Require the outsourcer to obtain ISO 27001 certification.
C.Establish a service level agreement (SLA) with key performance indicators (KPIs).
D.Allow the outsourcer to manage all security controls independently.
AnswerC

SLA with KPIs enables ongoing performance monitoring.

Why this answer

Option C is correct because an SLA with KPIs provides measurable performance targets and accountability. Option B is a certification but not a governance practice for ongoing oversight. Option D abdicates control to the outsourcer. Option A is financial, not operational, oversight.

428
Multi-Selectmedium

Which TWO of the following are key elements of an effective incident response plan? (Select exactly 2.)

Select 2 answers
A.A schedule for post-incident reviews
B.A detailed inventory of software licenses
C.A clear escalation path with contact information
D.A list of all hardware serial numbers
E.Predefined communication templates for internal and external stakeholders
AnswersC, E

Escalation ensures that incidents are routed to the appropriate response teams.

Why this answer

Options C and E are correct. A clear escalation path ensures proper reporting and decision-making; predefined communication templates speed up notification. Option B is not essential to incident response; Option D is part of asset management rather than incident response; Option A is an after-action activity, not part of the response itself.

429
MCQmedium

Which of the following is the BEST method to ensure that a system development project is completed on time?

A.Regular status meetings
B.A realistic project schedule with milestones
C.Frequent scope changes
D.Use of a project management software
AnswerB

A realistic schedule with milestones provides a clear plan and tracking.

Why this answer

A realistic project schedule with milestones (Option B) is the best method because it establishes a time-phased plan with measurable checkpoints, enabling early detection of delays and facilitating proactive corrective actions. Without a realistic baseline, even the best tracking tools or meetings cannot prevent schedule overruns, as the schedule itself is the foundation for monitoring and controlling project progress.

Exam trap

The trap here is that candidates often confuse project management tools or meetings with the fundamental planning artifact (the schedule) that actually drives on-time delivery, leading them to select a supporting activity (like status meetings or software) instead of the core control mechanism.

How to eliminate wrong answers

Option A is wrong because regular status meetings are a communication tool, not a method to ensure on-time completion; they can identify issues but do not prevent schedule overruns without a realistic schedule to compare against. Option C is wrong because frequent scope changes directly increase project risk and often lead to schedule delays, scope creep, and resource reallocation, making on-time delivery less likely. Option D is wrong because project management software is an enabling tool that can help track progress but does not guarantee on-time completion; its effectiveness depends entirely on having a realistic schedule and disciplined change control.

430
MCQhard

An organization is developing a mobile app that will handle personal health information (PHI). The security team mandates that data must be encrypted both in transit and at rest. Which of the following implementation strategies BEST ensures compliance?

A.Use HTTPS for all network communication and store data in plaintext
B.Use SSL and encrypt all data with a simple XOR cipher
C.Rely on platform-level encryption provided by the mobile OS
D.Implement TLS for data in transit and AES-256 encryption for data at rest
AnswerD

Covers both requirements.

Why this answer

Option D is correct because it uses TLS (the modern, secure successor to SSL) to encrypt data in transit, ensuring confidentiality and integrity during network communication, and AES-256, a strong symmetric encryption standard, to encrypt data at rest. This combination directly satisfies the mandate for encryption both in transit and at rest, as TLS protects against eavesdropping and tampering on the wire, while AES-256 protects stored PHI from unauthorized access if the device is lost or compromised.

Exam trap

The trap here is that candidates may confuse 'platform-level encryption' (Option C) as sufficient, but the CISA exam tests the understanding that platform encryption does not cover data in transit and may not meet specific regulatory requirements for application-layer encryption at rest.

How to eliminate wrong answers

Option A is wrong because storing data in plaintext violates the mandate for encryption at rest, leaving PHI exposed if the device is lost or the storage is accessed. Option B is wrong because SSL (deprecated in favor of TLS) is insecure, and a simple XOR cipher is trivially breakable with known-plaintext attacks, providing no real cryptographic protection. Option C is wrong because relying solely on platform-level encryption (e.g., iOS Data Protection or Android File-Based Encryption) does not guarantee the app's data is encrypted in transit, and the platform may not encrypt app-specific data at rest with sufficient granularity or key management for PHI compliance.

431
Multi-Selecthard

Which THREE of the following are common risks associated with outsourcing software development?

Select 3 answers
A.Quality issues due to lack of oversight
B.Loss of intellectual property
C.Communication barriers
D.Faster time to market
E.Increased internal control
AnswersA, B, C

Common risk.

Why this answer

Option A is correct because outsourcing software development often results in quality issues due to the client's limited visibility into the vendor's development processes, testing rigor, and adherence to coding standards. Without direct oversight, defects may go undetected until later stages, increasing rework costs and project delays.

Exam trap

The trap here is that candidates confuse potential benefits (faster time to market, increased internal control) with risks, failing to distinguish between advantages and the inherent vulnerabilities of outsourcing.

432
Multi-Selecthard

Which THREE of the following are commonly recognized benefits of implementing a formal IT service management (ITSM) framework such as ITIL?

Select 3 answers
A.Better alignment between IT services and business needs
B.Guaranteed zero downtime for critical services
C.Elimination of the need for external IT audits
D.Improved service quality and availability
E.Increased efficiency and cost savings through standardized processes
AnswersA, D, E

ITSM incorporates business requirements into service design and delivery.

Why this answer

Option A is correct because a formal ITSM framework like ITIL explicitly focuses on aligning IT service delivery with business objectives through defined processes like service strategy and service design. This alignment ensures that IT investments and operations directly support business outcomes, such as improving customer satisfaction or enabling new revenue streams, rather than operating in a silo.

Exam trap

The trap here is that candidates may confuse the risk-reduction benefits of ITSM (like improved availability) with an absolute guarantee, or assume that a framework replaces independent verification, when in reality ITSM improves processes but does not eliminate the need for external audits or guarantee perfect uptime.

433
MCQeasy

An IT manager is developing a governance policy for change management. Which element is MOST important to include?

A.Project management methodology
B.Detailed technical procedures
C.List of all applications
D.Roles and responsibilities
AnswerD

Correct. Governance policies define who is responsible for what.

Why this answer

Option D is correct because clearly defined roles and responsibilities ensure accountability in the change process. Option B is incorrect because detailed technical procedures are part of implementation, not governance. Option C is incorrect because listing applications is operational. Option A is incorrect because a project management methodology is separate from governance.

434
Multi-Selecteasy

Which TWO of the following are key components of an effective information security awareness program?

Select 2 answers
A.Periodic review of security logs
B.Annual password change policy
C.Mandatory training for all employees
D.Regular vulnerability scans
E.Phishing simulation exercises
AnswersC, E

Correct. Training is the foundation of an awareness program.

Why this answer

Option C is correct because mandatory training for all employees ensures that every user understands their security responsibilities, recognizes threats like phishing, and follows organizational policies. This is a foundational element of an awareness program as defined by frameworks such as NIST SP 800-50, which emphasizes that awareness and training must be tailored to roles and delivered to all personnel. Without mandatory participation, coverage gaps leave the organization vulnerable to social engineering and policy violations.

Exam trap

The trap here is that candidates confuse operational security controls (like log reviews and vulnerability scans) with awareness program components, but the exam specifically tests the distinction between technical controls and human-focused training activities.

435
MCQhard

In a DevOps environment, which practice BEST supports auditability?

A.Use of configuration management tools
B.Manual approval gates
C.Separate development and production environments
D.Automated logging of all code changes
AnswerD

Automated logging provides a complete and verifiable audit trail.

Why this answer

Automated logging of all code changes (D) best supports auditability in a DevOps environment because it provides an immutable, timestamped record of every change made to the codebase, including who made the change, what was changed, and when. This aligns with the principle of continuous audit, where every deployment artifact is traceable through the CI/CD pipeline, enabling compliance with standards like SOC 2 or ISO 27001. Unlike manual processes, automated logging ensures no change goes unrecorded, which is critical for forensic analysis and regulatory audits.

Exam trap

The trap here is that candidates confuse 'configuration management' (Option A) with 'change management' or 'audit logging,' assuming that tools like Chef or Terraform inherently provide auditability, when in fact they only track infrastructure state, not the full code change lifecycle including commits, approvals, and deployments.

How to eliminate wrong answers

Option A is wrong because configuration management tools (e.g., Ansible, Puppet) focus on maintaining desired state and consistency across environments, but they do not inherently provide a complete, auditable log of all code changes—they track infrastructure changes, not the code commits or pipeline events themselves. Option B is wrong because manual approval gates introduce human delay and potential for bypass, undermining the continuous audit trail; they are a control, not a logging mechanism, and can be overridden or forgotten, breaking auditability. Option C is wrong because separate development and production environments are a security best practice to prevent accidental changes to production, but they do not directly support auditability—auditability requires recording changes across all environments, not just separating them.

436
Multi-Selecthard

Which THREE of the following are components of a typical IT governance framework?

Select 3 answers
A.Network troubleshooting procedures
B.Strategic alignment of IT with business
C.Risk management and compliance
D.Performance measurement and reporting
E.Vendor contract management
AnswersB, C, D

Core governance component.

Why this answer

Strategic alignment of IT with business is a core component of an IT governance framework because it ensures that IT initiatives directly support and enable the organization's business objectives and strategies. This alignment is achieved through mechanisms like balanced scorecards and IT steering committees, which prioritize IT investments based on business value. Without this component, IT may operate in a silo, leading to wasted resources and missed opportunities.

Exam trap

The trap here is that candidates often confuse operational IT activities (like troubleshooting or contract management) with the strategic, oversight-oriented components of governance, leading them to select options that describe 'doing IT' rather than 'governing IT'.

437
MCQhard

During the design phase of a waterfall project, the development team discovers that a key security requirement was omitted from the functional specification. The design has already been partially completed based on the flawed specification. What is the MOST appropriate action?

A.Proceed with design and add the requirement as an enhancement in the next release
B.Continue design and incorporate the security requirement during testing
C.Implement the security requirement as a change request through the formal change control process
D.Halt design activities and revisit the requirements phase to add the security requirement
AnswerD

Waterfall requires revisiting the earlier phase to correct the specification.

Why this answer

Option D is correct because in waterfall each phase should be completed before moving on; a missing requirement means returning to the requirements phase. Option B is wrong because continuing design and deferring the requirement to testing ignores the gap. Option C is wrong because change requests are for scope changes after a baseline; here the requirement was omitted, not changed. Option A is wrong because deferring a critical security requirement to a later release is unacceptable.

438
MCQhard

An IS auditor is reviewing the disaster recovery plan (DRP) for an e-commerce company that generates 90% of its revenue online. The DRP states that the recovery time objective (RTO) for the transactional database is 4 hours, and the recovery point objective (RPO) is 1 hour. The current backup strategy includes nightly full backups and hourly transaction log backups stored on a local disk array. The backups are then copied to a remote datacenter via a WAN link with an average transfer speed of 10 Mbps. The database size is 500 GB. The auditor calculates that the time to transfer the full backup over the WAN is approximately 12 hours. The organization's management is confident that the DRP is adequate because they have never had to invoke it. What is the auditor's MOST critical finding?

A.The DRP has never been tested, so its feasibility is unknown.
B.The backup strategy does not include encryption for data in transit.
C.The RTO of 4 hours is not achievable given the backup transfer time.
D.The RPO of 1 hour is not achievable because transaction logs are only taken hourly.
AnswerC

The 12-hour transfer time far exceeds the 4-hour RTO, making the DRP infeasible.

Why this answer

The DRP states an RTO of 4 hours for the transactional database, but the full backup transfer time over the 10 Mbps WAN link is approximately 12 hours. Since the backup must be restored before the database can be made available, the RTO cannot be met. This is the most critical finding because it directly invalidates a core recovery objective, regardless of whether the plan has been tested.

Exam trap

The trap here is that candidates focus on the lack of testing (Option A) as the most critical finding, but the question is designed to test whether you can identify a quantitative, objective failure to meet a stated recovery objective over a qualitative process concern.

How to eliminate wrong answers

Option A is wrong because while testing is important, the fundamental technical constraint of backup transfer time exceeding the RTO is a more immediate and critical issue; even a tested plan cannot overcome a physical bandwidth limitation. Option B is wrong because encryption of data in transit, though a security best practice, is not the most critical finding when the core recovery objective (RTO) is mathematically unachievable. Option D is wrong because the RPO of 1 hour is actually achievable with hourly transaction log backups; the issue is with the RTO, not the RPO.

439
MCQhard

During an audit, an IS auditor finds that the organization uses a cloud-based identity provider (IdP) for single sign-on (SSO) but does not enforce multi-factor authentication (MFA) for all users. Which of the following is the BEST recommendation to reduce risk?

A.Require MFA only for external-facing applications
B.Disable SSO and require separate passwords for each application
C.Reduce session timeout to 15 minutes
D.Enforce MFA for all users accessing any application
AnswerD

Comprehensive MFA reduces risk of unauthorized access.

Why this answer

Enforcing MFA for all users accessing any application is the best recommendation because it directly addresses the lack of a second authentication factor, which is the primary control to mitigate credential theft and unauthorized access. In a cloud-based IdP SSO environment, a single compromised password grants access to all integrated applications, so MFA must be applied universally to protect the entire trust boundary, not just external-facing apps. This aligns with NIST SP 800-63B and zero-trust principles, ensuring that every authentication request is verified with something the user knows and something they have.

Exam trap

The trap here is that candidates often choose Option A (MFA only for external-facing apps) because they mistakenly believe internal apps are safe behind a corporate network perimeter, failing to recognize that cloud-based SSO eliminates network boundaries and that the IdP is the single point of authentication for all apps.

How to eliminate wrong answers

Option A is wrong because requiring MFA only for external-facing applications leaves internal applications vulnerable to lateral movement if an attacker gains access via a compromised credential, as the IdP does not differentiate between internal and external apps in its SSO token issuance. Option B is wrong because disabling SSO and requiring separate passwords for each application increases password fatigue, encourages weak password reuse, and eliminates the security benefits of centralized identity management, such as consistent policy enforcement and automated deprovisioning. Option C is wrong because reducing session timeout to 15 minutes only limits the window of exposure for an active session but does not prevent an attacker from authenticating with a stolen password; it is a compensating control, not a preventive one, and does not address the root cause of missing MFA.

440
MCQhard

During system implementation, a critical defect is found in the production environment. The project manager wants to apply an emergency patch without full testing. Which of the following is the BEST course of action?

A.Apply the patch immediately without testing
B.Delay deployment until full testing can be completed
C.Revert to the previous version of the system
D.Conduct a risk assessment and obtain approval from the change control board
AnswerD

A risk-based approach ensures that the urgency is balanced with proper oversight, allowing a controlled emergency change.

Why this answer

Option D is correct because a risk assessment should be performed to evaluate the potential impact of the patch against the risk of not applying it, followed by proper change approval. Applying the patch without testing (A) bypasses controls; reverting (C) may not address the defect; delaying (B) may not be feasible for a critical defect.

441
MCQhard

A company is designing a public cloud-based application that processes highly sensitive personal data. Which of the following data protection strategies provides the STRONGEST assurance that data remains confidential even if the cloud provider's infrastructure is compromised?

A.Use server-side encryption with cloud provider managed keys
B.Implement client-side encryption with customer managed keys
C.Enable encryption in transit using TLS 1.3
D.Apply data masking at the application layer
AnswerB

Data encrypted before leaving client; provider never has keys, ensuring confidentiality even if provider breached.

Why this answer

Client-side encryption with customer managed keys ensures that data is encrypted before it leaves the client environment, and the cloud provider never has access to the plaintext data or the encryption keys. Even if the cloud provider's infrastructure is fully compromised, the attacker cannot decrypt the data because the keys are never stored or processed by the provider. This provides the strongest assurance of confidentiality because the data remains encrypted end-to-end, independent of the provider's security controls.

Exam trap

The trap here is that candidates often confuse 'encryption at rest' (server-side) with 'end-to-end confidentiality' and assume that any encryption managed by the cloud provider is sufficient, failing to recognize that provider-managed keys are still accessible to the provider and thus vulnerable in a provider compromise scenario.

How to eliminate wrong answers

Option A is wrong because server-side encryption with cloud provider managed keys means the cloud provider holds the encryption keys and performs the encryption/decryption on its infrastructure; if the provider's infrastructure is compromised, an attacker could access both the encrypted data and the keys, breaking confidentiality. Option C is wrong because encryption in transit (TLS 1.3) only protects data while it is moving between the client and the cloud, not at rest; once the data reaches the provider's storage, it is no longer protected by TLS, and a compromise of the provider's infrastructure would expose the plaintext data. Option D is wrong because data masking at the application layer only obscures data for display or processing within the application but does not encrypt the underlying stored data; if the provider's infrastructure is compromised, the actual sensitive data stored in the database remains in plaintext and can be exfiltrated.

442
MCQ · hard

An IS auditor is reviewing an organization's change management process. The auditor notes that all emergency changes are approved post-implementation by the change advisory board (CAB) within 48 hours. Which of the following is the auditor's BEST course of action?

A. Escalate the issue to senior management as a control weakness
B. Verify that all emergency changes are tested before implementation
C. Assess whether the emergency change policy includes proper justification and post-approval controls
D. Recommend that emergency changes be approved prior to implementation
Answer: C

The auditor should evaluate the adequacy of controls around the process.

Why this answer

Option C is correct because the auditor should assess whether emergency changes are properly authorized; post-implementation approval within 48 hours is acceptable if the surrounding controls (documented justification and post-approval review) are adequate. Option A is incorrect because immediate escalation is not warranted without evidence of a problem. Option B is wrong because testing is important, but the issue here is authorization. Option D is incorrect because there is no inherent violation; the auditor should evaluate the control design rather than prescribe prior approval.

443
MCQ · hard

During a system development project, the project manager notices that the actual cost is significantly higher than the planned cost at the 50% completion point. The earned value (EV) is $500,000, the actual cost (AC) is $600,000, and the planned value (PV) is $550,000. Which of the following is the MOST appropriate action?

A. Request additional budget from senior management
B. Reduce the project scope to align with the budget
C. Conduct a root cause analysis to identify the reasons for cost overrun
D. Crash the project schedule to make up for lost time
Answer: C

Understanding the cause is the first step before taking corrective action.

Why this answer

Option C is correct because the project is over budget (EV $500K vs AC $600K) and behind schedule (EV $500K vs PV $550K). Before taking corrective action, the project manager must first perform a root cause analysis to understand why costs are exceeding planned values. This aligns with the CISA’s emphasis on identifying the underlying cause of variances before implementing changes to scope, budget, or schedule.

Exam trap

The trap here is that candidates often jump to a corrective action (like crashing or requesting more budget) without first diagnosing the root cause, but the CISA exam emphasizes that analysis must precede action in project management.

How to eliminate wrong answers

Option A is wrong because requesting additional budget without understanding the root cause of the cost overrun is premature and could mask systemic issues such as poor estimation or scope creep. Option B is wrong because reducing project scope without first analyzing the cause of the variance may eliminate necessary functionality and does not address whether the overrun is due to inefficiency, rework, or external factors. Option D is wrong because crashing the schedule (adding resources to compress time) typically increases costs further and does not solve the existing cost overrun; it may even worsen the budget variance.

444
MCQ · easy

Which of the following is the MOST important objective of system testing?

A. Verify that the system meets specified requirements
B. Confirm that end users are satisfied
C. Ensure the code is free of defects
D. Validate system performance under load
Answer: A

System testing checks the overall system against requirements.

Why this answer

System testing is a formal, structured process that validates the entire integrated system against its specified requirements. The primary goal is to confirm that the system behaves as defined in the functional and technical specifications, ensuring that all requirements are correctly implemented before user acceptance testing. While user satisfaction and defect removal are important, they are secondary to verifying requirement compliance, which is the core objective of system testing.

Exam trap

The trap here is confusing the objective of system testing with that of user acceptance testing (UAT) or unit testing, leading candidates to select user satisfaction or defect-free code as the primary goal.

How to eliminate wrong answers

Option B is wrong because end-user satisfaction is validated during User Acceptance Testing (UAT), not system testing; system testing focuses on technical compliance, not subjective user feedback. Option C is wrong because ensuring code is free of defects is the primary objective of unit testing and code reviews, not system testing, which tests integrated functionality against requirements. Option D is wrong because validating system performance under load is a specific type of non-functional testing (performance/load testing), not the overarching objective of system testing, which covers both functional and non-functional requirements.

445
MCQ · easy

A financial institution is implementing a data classification policy. Which of the following is the MOST important factor in determining the classification level of a data asset?

A. The sensitivity and criticality to business operations
B. The cost of acquiring the data
C. The format of the data (structured vs unstructured)
D. The storage location of the data
Answer: A

Correct. Sensitivity and criticality determine the required level of protection.

Why this answer

The classification level of a data asset is determined by its sensitivity and criticality to business operations because these factors directly drive the required confidentiality, integrity, and availability controls. For example, personally identifiable information (PII) or financial transaction records require higher classification due to regulatory mandates (e.g., GDPR, PCI DSS) and the potential for severe business impact if compromised. Cost, format, or location are secondary attributes that do not inherently define the risk profile or protection needs of the data.

Exam trap

The trap here is that candidates confuse operational attributes (cost, format, location) with the foundational risk-based criteria (sensitivity and criticality) that actually define classification levels in information security governance.

How to eliminate wrong answers

Option B is wrong because the cost of acquiring data is a financial metric unrelated to its inherent risk or the controls needed; data can be cheap to acquire yet highly sensitive (e.g., a leaked password list). Option C is wrong because the format (structured vs unstructured) affects storage and processing methods but does not dictate classification level; both formats can contain equally sensitive information (e.g., structured credit card numbers vs unstructured email containing trade secrets). Option D is wrong because storage location (e.g., on-premises vs cloud) influences security architecture but is a deployment decision, not a determinant of the data's inherent sensitivity or criticality to business operations.

446
Multi-Select · medium

Which TWO of the following are primary objectives of a business continuity plan (BCP)?

Select 2 answers
A. Replace the disaster recovery plan
B. Minimize financial loss
C. Guarantee 100% system uptime
D. Maintain regulatory compliance during disruptions
E. Ensure critical business functions continue during a disruption
Answers: D, E

Compliance with regulations is a primary objective of BCP.

Why this answer

Option D is correct because a primary objective of a BCP is to ensure that the organization can continue to meet legal and regulatory obligations during a disruption. This includes maintaining required data protection, reporting, and operational standards as mandated by regulations such as GDPR, HIPAA, or SOX, even when normal operations are impaired.

Exam trap

The trap here is that candidates often confuse the BCP's primary objectives with secondary benefits like cost savings or uptime guarantees, or mistakenly think the BCP replaces the DRP, when in fact the BCP is a broader plan that includes the DRP as a component.

447
MCQ · easy

An IS auditor is reviewing the logical access controls of a system. Which of the following is the BEST evidence that access rights are appropriately assigned?

A. An audit log showing all successful and failed login attempts
B. A password policy requiring complex passwords
C. An access control matrix defining roles and permissions
D. A recent user access review report signed by department managers
Answer: D

Management sign-off confirms proper assignment.

Why this answer

Option D is the best evidence because a user access review report signed by department managers provides documented confirmation that the assigned access rights have been explicitly verified and approved by the data owners. This is a detective control that directly validates the appropriateness of access assignments, whereas the other options are either preventive or detective controls that do not confirm the correctness of the rights themselves.

Exam trap

The trap here is that candidates confuse a control design document (access control matrix) with evidence of control effectiveness, failing to recognize that only a recent, signed user access review provides proof that the assigned rights have been validated by the data owner.

How to eliminate wrong answers

Option A is wrong because an audit log of login attempts only records authentication events, not the authorization levels or appropriateness of assigned access rights. Option B is wrong because a password policy addresses authentication strength, not the correctness of which users have which permissions. Option C is wrong because an access control matrix is a design document that defines intended roles and permissions, but it does not provide evidence that those definitions have been correctly implemented or that the actual assigned rights are appropriate.

448
MCQ · medium

A company's IT governance policy requires that all critical systems have a documented business continuity plan (BCP). During an audit, an IT auditor finds that the BCP for a critical financial system has not been updated in three years. Which of the following is the BEST recommendation?

A. Archive the outdated BCP and develop a new one from scratch.
B. Update the BCP to reflect current processes and conduct a test.
C. Accept the risk because the system has been stable.
D. Implement a new system with built-in redundancy.
Answer: B

Updating and testing ensures the plan is viable and aligns with governance requirements.

Why this answer

Option B is correct because IT governance policies require that BCPs remain current to reflect actual operational processes. An outdated BCP (three years stale) may contain obsolete recovery procedures, contact information, or dependencies, rendering it ineffective during a real incident. Updating the BCP and then testing it validates that the documented steps align with the current system architecture and can be executed successfully, which is a core requirement of the BCP lifecycle per ISACA guidelines.

Exam trap

The trap here is that candidates may assume a stable system means the BCP remains valid, but CISA tests the principle that BCPs must be living documents reviewed and tested at regular intervals (typically annually) regardless of system stability.

How to eliminate wrong answers

Option A is wrong because archiving and rewriting from scratch is unnecessarily disruptive and time-consuming; the existing BCP likely contains valuable baseline information that should be reviewed and updated rather than discarded. Option C is wrong because accepting risk based on system stability ignores the fact that processes, personnel, and dependencies change over time; a stable system does not guarantee that the BCP's recovery steps, contact lists, or resource allocations are still valid. Option D is wrong because implementing a new system with built-in redundancy is a disproportionate and costly response to an outdated BCP; it does not address the immediate compliance gap and may introduce new risks without proper BCP documentation.

449
MCQ · easy

During an IT audit, the auditor finds that a system administrator has local administrator rights on multiple production servers and uses a shared service account for routine maintenance. What is the PRIMARY risk associated with this practice?

A. Audit trails cannot attribute actions to a specific individual
B. Password changes become more difficult to manage
C. The administrator may accidentally delete critical files
D. The shared account may be used by unauthorized personnel
Answer: A

Shared accounts break the link between an action and an individual, violating the principle of accountability.

Why this answer

Option A is correct because a shared account obscures individual accountability, making it impossible to determine who performed specific actions. Option D is a general risk but less specific to this practice; Option C is not the primary risk; Option B is a secondary administrative concern rather than the primary risk.

450
MCQ · medium

According to COBIT 2019, which design factor is MOST critical for tailoring a governance system?

A. Regulatory environment
B. Technology complexity
C. Organizational size
D. Enterprise strategy
Answer: D

Correct. Strategy sets the direction for governance design.

Why this answer

Option D is correct because enterprise strategy determines the governance objectives and risk appetite, making it the most critical design factor. Options A, B, and C are all important but secondary; they influence the system but are driven by strategy.
