Certified Information Systems Auditor (CISA) — Questions 451–509

509 questions total · 7 pages · All types, answers revealed


Page 7 of 7

451 · MCQ · easy

An organization's IT strategy must be aligned with business strategy. Which of the following is the PRIMARY benefit of this alignment?

A. Faster adoption of new technologies
B. Enhanced security posture
C. Reduced IT operational costs
D. Increased value of IT investments to business objectives
Answer: D

Alignment ensures IT delivers value that supports business strategy.

Why this answer

When IT strategy is aligned with business strategy, every IT investment is directly tied to achieving specific business objectives, such as increasing revenue, improving customer experience, or enabling new business models. This alignment ensures that resources are allocated to projects that deliver measurable business value, rather than being spent on technology for its own sake. The primary benefit is therefore the increased value of IT investments to business objectives, as misalignment often leads to wasted expenditure on systems that do not support core business goals.

Exam trap

The trap here is that candidates often confuse operational benefits (like cost reduction or faster tech adoption) with the strategic primary benefit, failing to recognize that alignment is fundamentally about ensuring IT investments deliver value to the business, not about efficiency or security alone.

How to eliminate wrong answers

Option A is wrong because faster adoption of new technologies is a potential operational benefit, but it is not the primary benefit of alignment; rapid adoption without business context can actually lead to misalignment and wasted resources. Option B is wrong because enhanced security posture is a critical outcome of good IT governance, but it is a secondary benefit that results from aligning security controls with business risk appetite, not the primary reason for aligning IT and business strategy. Option C is wrong because reduced IT operational costs can be a byproduct of alignment (e.g., eliminating redundant systems), but cost reduction is not the primary goal; the primary goal is ensuring IT spending directly supports business value creation, which may sometimes require increased investment.

452 · Drag & Drop · medium

Arrange the steps to configure a firewall rule in the correct order.


Why this order

Firewall rule configuration begins with policy, then specifics, action, application, and testing.

453 · Multi-Select · easy

Which TWO of the following are examples of administrative controls for information security? (Choose two.)

A. Encryption of data at rest
B. Biometric access controls
C. Incident response policy
D. Security awareness training
E. Firewall configuration
Answers: C, D

Policy is an administrative control.

Why this answer

Option C is correct because an incident response policy is a documented set of procedures that defines roles, responsibilities, and steps to be taken when a security incident occurs. This is an administrative control as it governs human behavior and organizational processes, not technology. It aligns with the CISA domain of Protection of Information Assets by establishing a framework for detecting, responding to, and recovering from security events.

Exam trap

The trap here is that candidates often confuse administrative controls with technical or physical controls, mistakenly selecting encryption or firewall configuration because they are common security measures, but the CISA exam specifically tests the distinction that administrative controls are policy-based and people-focused, not technology-based.

454 · MCQ · medium

A company is migrating its applications to a public IaaS cloud. What is the primary concern for protecting data in this environment?

A. Regularly patching the operating system and applications.
B. Using only hardened virtual machine images from the provider.
C. Ensuring encryption keys are stored in the cloud provider's key management service.
D. Properly configuring security groups and access control lists (ACLs) to limit network access.
Answer: D

Misconfigured security groups can expose resources to the internet, leading to unauthorized access. This is the top risk in IaaS.

Why this answer

In an IaaS public cloud, the customer retains responsibility for securing the network layer, including virtual firewalls. Security groups (stateful) and ACLs (stateless) are the primary mechanisms to enforce least-privilege network access, which directly protects data from unauthorized exposure over the network. This aligns with the shared responsibility model where the provider secures the physical infrastructure, but the customer must control traffic to their instances.

Exam trap

The trap here is that candidates often focus on encryption or patching as the universal answer for data protection, but in an IaaS shared responsibility model, the primary concern is controlling network access because the cloud provider does not manage the customer's virtual network boundaries.

How to eliminate wrong answers

Option A is wrong because patching the OS and applications is a critical security practice but it addresses vulnerability management, not the primary concern for protecting data in transit or at rest from network-based attacks in a shared IaaS environment. Option B is wrong because using hardened VM images is a good baseline for reducing initial attack surface, but it does not control ongoing network access or data flow, which is the primary data protection concern. Option C is wrong because storing encryption keys in the provider's KMS can be part of a data-at-rest protection strategy, but it does not address the primary concern of controlling network access to the data; moreover, key management is a shared responsibility and storing keys in the provider's KMS may introduce trust and availability risks if not combined with proper access controls.

455 · MCQ · hard

An organization is implementing a new ERP system. The project sponsor requests a change that will significantly increase project scope without additional budget. Which of the following is the BEST action for the project manager?

A. Accept the change and adjust the project timeline accordingly.
B. Initiate the formal change control process and escalate to the steering committee.
C. Implement the change and inform the steering committee later.
D. Reject the change because it is outside the original scope.
Answer: B

Proper change control ensures governance and stakeholder involvement.

Why this answer

The project manager must follow the formal change control process to evaluate the impact of a scope change that lacks additional budget. Escalating to the steering committee is appropriate because they have the authority to approve or reject changes that affect project constraints, ensuring alignment with organizational governance and IT strategy.

Exam trap

The trap here is that candidates may choose to reject the change outright (Option D) thinking it protects the baseline, but the CISA exam emphasizes following the formal change control process and escalating to the appropriate governance body rather than making unilateral decisions.

How to eliminate wrong answers

Option A is wrong because accepting the change without budget or formal approval violates project governance and may lead to resource overallocation and timeline failure. Option C is wrong because implementing the change before informing the steering committee bypasses the required change control process and risks unauthorized scope creep. Option D is wrong because outright rejection without following the change control process denies the steering committee the opportunity to assess the change's strategic value or reallocate priorities.

456 · MCQ · hard

An organization stores sensitive research data in a cloud storage service. The data must be encrypted at rest and in transit, and the organization wants to maintain control over encryption keys. Which solution best meets these requirements?

A. Use a cloud hardware security module (HSM) to generate keys
B. Implement client-side encryption using a customer-managed key vault
C. Enable HTTPS for all data transfers
D. Use server-side encryption with AWS S3 managed keys (SSE-S3)
Answer: B

Client-side encryption ensures data is encrypted before reaching the cloud, and keys are controlled by the organization.

Why this answer

Client-side encryption with a customer-managed key vault ensures data is encrypted before it leaves the client environment, so the cloud provider never has access to plaintext or the encryption keys. This satisfies both at-rest and in-transit encryption requirements while giving the organization full control over key management, unlike server-side options where the provider manages at least part of the key lifecycle.

Exam trap

The trap here is that candidates often confuse server-side encryption with customer-managed keys (e.g., SSE-KMS or SSE-C) as giving full control, but those still allow the cloud provider to process the data server-side, whereas client-side encryption ensures the provider never has access to plaintext.

How to eliminate wrong answers

Option A is wrong because a cloud HSM generates and stores keys within the cloud provider's infrastructure; while the customer controls the keys, the provider still has physical access to the HSM, and the data is typically encrypted server-side, meaning the provider could theoretically access plaintext. Option C is wrong because HTTPS only protects data in transit; it does not address encryption at rest, leaving stored data vulnerable if the cloud storage bucket is compromised. Option D is wrong because SSE-S3 uses AWS-managed keys, meaning the cloud provider controls key management and can decrypt the data, violating the requirement for the organization to maintain control over encryption keys.

457 · MCQ · hard

An organization's data classification policy defines 'Confidential' data as requiring encryption at rest. An IS auditor discovers that a database containing customer personal information is not encrypted. What is the auditor's BEST course of action?

A. Encrypt the database immediately
B. Report the finding to the data owner and IT management
C. Recommend a compensating control
D. Verify the classification of the data
Answer: B

Reporting ensures accountability for remediation.

Why this answer

Option D is correct because reporting the non-compliance to management is the auditor's responsibility. Option A is not an audit action. Option B may be outside scope. Option C comes after reporting.

458 · MCQ · easy

An IS auditor is planning an audit of a newly implemented ERP system. The auditor wants to ensure that the audit covers critical controls. Which of the following is the most appropriate first step in the audit planning process?

A. Interview the system administrator.
B. Review prior audit workpapers.
C. Conduct a risk assessment of the ERP implementation.
D. Develop a detailed audit program.
Answer: C

Risk assessment is the foundational step to identify risks and prioritize audit work.

Why this answer

The first step in audit planning is to conduct a risk assessment to identify high-risk areas and focus audit efforts.

459 · Multi-Select · easy

Which THREE of the following are essential components of a change management process?

A. Immediate implementation without review
B. Impact analysis
C. Rollback plan
D. Bypassing testing for urgent changes
E. Change request approval
Answers: B, C, E

Impact analysis identifies potential effects on systems and processes.

Why this answer

Impact analysis (B) is essential because it evaluates the potential effects of a proposed change on system functionality, security, and performance before implementation. This ensures that risks are identified and mitigated, preventing unintended disruptions to production environments. Without impact analysis, changes could introduce vulnerabilities or cause system outages, violating IT governance principles.

Exam trap

The trap here is that candidates confuse 'urgent change' with 'no testing,' but even emergency changes require a documented risk assessment and a rollback plan, not a complete bypass of testing and review.

460 · Matching · medium

Match each disaster recovery site type to its description.


Fully equipped and ready within hours

Partially configured, ready in days

Basic infrastructure, no equipment

Portable unit deployed as needed

Why these pairings

Recovery site types differ in readiness and cost.

461 · MCQ · hard

An organization uses a COTS (commercial off-the-shelf) ERP system with significant customizations. The IS auditor is reviewing the system's configuration management. Which of the following findings would MOST indicate a weakness?

A. The vendor releases quarterly patches but the organization only applies critical security patches.
B. The system administrator has the ability to modify both configuration and production data.
C. Customizations are not tracked in a separate change management system.
D. The organization does not have a formal testing environment for customizations.
Answer: B

This is a direct violation of segregation of duties, significantly increasing risk of unauthorized changes.

Why this answer

Option B is correct because in a COTS ERP system with significant customizations, allowing the system administrator to modify both configuration and production data violates the principle of segregation of duties (SoD). This creates a risk of unauthorized or undetected changes, as the same individual can alter system configurations and then manipulate production data to conceal the impact, bypassing audit trails and controls.

Exam trap

The trap here is that candidates often focus on patch management or testing environments as the most critical weakness, but the CISA exam prioritizes segregation of duties as a fundamental control, especially in customized COTS systems where configuration changes can directly impact data integrity.

How to eliminate wrong answers

Option A is wrong because while applying only critical security patches is not ideal, it is a common risk-acceptance strategy for stability in heavily customized ERP systems; the question asks for the MOST indicative weakness, and patch management is less critical than SoD. Option C is wrong because customizations not tracked in a separate change management system is a procedural weakness, but it is secondary to the direct control risk of SoD; the primary concern is the ability to modify both configuration and data, not just the tracking method. Option D is wrong because lacking a formal testing environment is a risk for quality assurance, but it does not directly enable unauthorized data manipulation like the SoD violation in B does.

462 · MCQ · hard

An IS auditor is performing a review of an organization's IT governance framework. Which of the following findings would be of MOST concern?

A. No documented IT strategy aligned with business strategy
B. Incomplete IT project portfolio management
C. Lack of an IT steering committee
D. Absence of an enterprise-wide information security policy
Answer: A

Governance requires IT to support business objectives; without alignment, the framework fails.

Why this answer

Option D is correct because the absence of an IT strategy aligned with business strategy undermines governance, leaving IT decisions misaligned. Option A is incorrect because, while a steering committee is important, its absence is not as critical as a lack of strategic alignment. Option B is wrong because portfolio management is a tactic; without strategic alignment, it may be ineffective. Option C is incorrect because security policies are operational, not strategic governance.

463 · MCQ · medium

An IT auditor is reviewing the system development life cycle (SDLC) process for a critical application. Which of the following findings would be of MOST concern?

A. Test data is refreshed from production monthly
B. Developers use local development environments
C. Developers have production database access
D. Code reviews are performed by senior developers
Answer: C

Violates segregation of duties.

Why this answer

Developers having direct production database access violates the principle of segregation of duties and poses a significant risk of unauthorized data modification, deletion, or exfiltration. In a well-controlled SDLC, production access should be restricted to operations or DBA teams, with changes promoted through automated deployment pipelines. This finding directly undermines data integrity and confidentiality controls.

Exam trap

The trap here is that candidates may dismiss local development environments or monthly test data refreshes as risky, while overlooking the critical segregation of duties violation inherent in granting developers direct production database access.

How to eliminate wrong answers

Option A is wrong because refreshing test data from production monthly is a common practice to ensure test environments reflect realistic data, though it requires proper masking to protect sensitive information. Option B is wrong because developers using local development environments is standard for coding and unit testing, as long as code is version-controlled and integrated into a shared repository. Option D is wrong because code reviews performed by senior developers are a positive control that helps identify defects and security vulnerabilities before deployment.

464 · MCQ · medium

A company's backup policy requires that backup tapes be stored offsite for at least one year. During an audit, the auditor finds that the offsite storage facility is not access-controlled and backup tapes are not encrypted. Which of the following is the auditor's BEST recommendation?

A. Negotiate a new contract with a different offsite storage provider
B. Move the tapes back to the primary site until the offsite facility is secured
C. Implement a check-in/check-out log for the offsite facility
D. Encrypt all backup tapes before sending them offsite
Answer: D

Encryption mitigates the risk of unauthorized access to data on the tapes.

Why this answer

The core issue is that backup tapes contain sensitive data and are stored in an uncontrolled environment. Encrypting the tapes before transport ensures that even if the physical security of the offsite facility is compromised, the data remains confidential. This directly addresses the risk of unauthorized access to the data, which is the primary concern, and is a cost-effective, immediate control that does not disrupt operations.

Exam trap

The trap here is that candidates often focus on physical security controls (like logs or moving tapes) rather than recognizing that data confidentiality is the paramount risk, and encryption is the only option that directly protects the data itself regardless of physical security failures.

How to eliminate wrong answers

Option A is wrong because negotiating a new contract is a long-term administrative solution that does not address the immediate data exposure risk; the current tapes are still unencrypted and vulnerable. Option B is wrong because moving tapes back to the primary site violates the backup policy requirement for offsite storage and increases the risk of a single point of failure (e.g., fire or theft at the primary site). Option C is wrong because a check-in/check-out log only provides accountability for physical access but does not protect the data on the tapes if the facility is breached or a tape is stolen; it does not mitigate the confidentiality risk.

465 · MCQ · easy

During an IT audit, the auditor discovers that the IT strategy is not formally documented. Which of the following is the MOST significant risk associated with this finding?

A. Difficulty in recruiting qualified IT staff.
B. Inability to measure the performance of IT systems.
C. Lack of alignment between IT investments and business goals.
D. Increased operational costs due to unplanned IT initiatives.
Answer: C

Undocumented strategy leads to misalignment, the most significant risk.

Why this answer

Option D is correct because, without a documented strategy, IT investments may not support business goals, leading to misalignment. Option A is possible but less direct. Option B is a consequence but not the most significant. Option C is unrelated.

466 · MCQ · medium

A company's security policy requires that all laptops have full-disk encryption. During an audit, 10% of laptops are found without encryption. Which of the following is the MOST effective corrective action?

A. Require users to manually enable encryption
B. Distribute encryption keys to users
C. Conduct security awareness training on encryption
D. Deploy centralized endpoint management to enforce encryption
Answer: D

Automated enforcement ensures all laptops comply with policy.

Why this answer

Centralized endpoint management (e.g., Microsoft Intune, SCCM, or a third-party MDM) allows administrators to enforce full-disk encryption (such as BitLocker or FileVault) via policy, automatically encrypting non-compliant laptops and preventing users from disabling encryption. This is the most effective corrective action because it addresses the root cause—lack of enforcement—rather than relying on user action or manual processes.

Exam trap

The trap here is that candidates may choose security awareness training (Option C) as a 'best practice' for policy compliance, but the CISA exam emphasizes that technical controls (enforcement via endpoint management) are more effective than administrative controls for ensuring consistent security configuration.

How to eliminate wrong answers

Option A is wrong because requiring users to manually enable encryption relies on user compliance, which has already failed (10% non-compliance), and provides no mechanism to verify or enforce the action. Option B is wrong because distributing encryption keys to users does not ensure encryption is enabled; keys are only useful after encryption is applied, and this action could introduce security risks if keys are mishandled. Option C is wrong because security awareness training, while beneficial for education, does not enforce technical controls and is unlikely to remediate existing non-compliant laptops; it addresses behavior rather than the technical gap.

467 · MCQ · hard

A company uses role-based access control (RBAC). An employee moves from one department to another but retains some previous access due to overlapping role permissions. This condition is known as:

A. Access aggregation
B. Privilege creep
C. Segregation of duties conflict
D. Entitlement explosion
Answer: B

Privilege creep is the gradual accumulation of access rights beyond what is needed, often due to role changes.

Why this answer

Privilege creep occurs when an employee accumulates access rights over time, often due to role changes or lateral moves, without corresponding removal of previous permissions. In RBAC, overlapping role permissions can cause this condition when old role memberships are not revoked, leading to excessive entitlements that violate the principle of least privilege.

Exam trap

The trap here is confusing privilege creep with access aggregation, as both involve excessive permissions, but privilege creep specifically results from role changes over time rather than combining separate low-level privileges into a high-risk action.

How to eliminate wrong answers

Option A is wrong because access aggregation refers to combining multiple low-level privileges to perform a high-risk action, not the gradual accumulation of permissions from role changes. Option C is wrong because segregation of duties conflict involves a single user having incompatible roles that could enable fraud, not simply retaining previous access due to overlapping permissions. Option D is wrong because entitlement explosion describes a rapid, uncontrolled increase in permissions across many users, often due to misconfigured role hierarchies or automated provisioning, not the gradual creep from individual role changes.

468 · MCQ · hard

During a nightly batch job, the above error appears in the application logs. The transaction table ACCT_TRANS has a unique constraint on the REF_NUM column. Which of the following is the MOST likely root cause?

A. The batch job lacks sufficient privileges to insert into the ACCT_TRANS table
B. There is a mismatch between the number of columns in the INSERT statement and the table definition
C. The batch job is missing an index on the REF_NUM column
D. The batch job is not idempotent and is re-processing previously successful transactions
Answer: D

Duplicate REF_NUM suggests reprocessing of already inserted records.

Why this answer

The unique constraint violation on REF_NUM indicates that the batch job is attempting to insert a row with a REF_NUM value that already exists in the ACCT_TRANS table. This occurs when the job is not idempotent—meaning it does not check for or handle previously processed transactions—and re-processes the same data, leading to duplicate key errors.

Exam trap

The trap here is that candidates often confuse a unique constraint violation with a permissions or schema mismatch error, but the specific error message (unique constraint on REF_NUM) directly points to duplicate data from non-idempotent processing, not structural or privilege issues.

How to eliminate wrong answers

Option A is wrong because insufficient privileges would typically result in an 'access denied' or 'insufficient privileges' error, not a unique constraint violation. Option B is wrong because a column mismatch would cause a syntax or data type error (e.g., 'column count doesn't match value count'), not a constraint violation on a specific column. Option C is wrong because missing an index does not prevent inserts; indexes improve query performance but do not enforce uniqueness or cause constraint violations—the unique constraint itself is enforced by the database regardless of index existence.

469 · MCQ · easy

During a security assessment, an auditor discovers that employees are sharing passwords to access a critical system. Which of the following controls would BEST mitigate this risk?

A. Provide security awareness training
B. Implement multi-factor authentication
C. Log all authentication attempts
D. Enforce complex password policies
Answer: B

MFA requires additional factors, reducing the effectiveness of shared passwords.

Why this answer

Multi-factor authentication (MFA) mitigates the risk of password sharing because even if credentials are shared, an attacker cannot authenticate without the second factor (e.g., a one-time passcode from a hardware token or authenticator app). MFA decouples authentication from a single shared secret, making shared passwords insufficient for access. This directly addresses the root cause—reliance on passwords alone—rather than attempting to prevent sharing behavior.

Exam trap

The trap here is that candidates confuse 'preventing password sharing' with 'detecting or discouraging it,' and choose awareness training or logging, when the only control that technically renders shared passwords useless is multi-factor authentication.

How to eliminate wrong answers

Option A is wrong because security awareness training relies on voluntary compliance and does not technically prevent password sharing; it only educates users, leaving the vulnerability intact. Option C is wrong because logging authentication attempts is a detective control that records incidents after they occur, not a preventive control that stops password sharing from granting access. Option D is wrong because enforcing complex password policies does not prevent sharing; users can still share a complex password, and the policy does not verify the identity of the person entering it.

470 · MCQ · easy

A small manufacturing company decides to acquire an off-the-shelf inventory management system. The purchasing manager selects a vendor based solely on the lowest price, ignoring the vendor's financial stability and support history. After purchase, the vendor declares bankruptcy, leaving the company without support. The system has a critical bug that halts inventory tracking. The IT manager considers hiring a consultant to fix the bug. As an IS auditor, what should the auditor's PRIMARY concern be?

A. There is no backup system for inventory management.
B. The company may have legal recourse against the vendor.
C. The critical bug disrupts inventory tracking.
D. The vendor selection process lacked due diligence.
Answer: D

Root cause is process failure.

Why this answer

The primary concern for an IS auditor is that the vendor selection process lacked due diligence, as this directly violates the principle of proper acquisition governance. By selecting a vendor based solely on lowest price without evaluating financial stability and support history, the company exposed itself to significant operational risk, which materialized when the vendor declared bankruptcy. This oversight is a root cause failure in the information systems acquisition and implementation process, making it the most critical audit finding.

Exam trap

The trap here is that candidates focus on the immediate operational impact (the bug or lack of backup) rather than the root cause governance failure in the acquisition process, which is the auditor's primary concern per CISA's emphasis on preventive controls.

How to eliminate wrong answers

Option A is wrong because while having no backup system is a risk, it is a secondary operational concern; the auditor's primary focus should be on the flawed acquisition process that led to the current situation. Option B is wrong because legal recourse against a bankrupt vendor is typically impractical and unlikely to recover costs or restore support, so it is not a primary audit concern. Option C is wrong because the critical bug disrupting inventory tracking is a symptom of the underlying problem, not the root cause; the auditor must address the systemic failure in vendor selection.

471 · Multi-Select · medium

Which TWO of the following are key responsibilities of an IT steering committee?

A. Monitoring IT performance and value delivery
B. Managing day-to-day IT operations
C. Writing and testing application code
D. Prioritizing IT projects and allocating resources
E. Conducting IT audit engagements
Answers: A, D

Steering committee oversees performance.

Why this answer

The IT steering committee is a senior-level governance body responsible for aligning IT strategy with business objectives. Monitoring IT performance and value delivery (A) is a key responsibility because the committee must ensure that IT investments generate the expected business benefits and that service levels meet agreed targets. Prioritizing IT projects and allocating resources (D) is also a core duty, as the committee decides which initiatives receive funding and staffing based on strategic importance and risk, rather than operational urgency.

Exam trap

The trap here is confusing governance responsibilities (steering committee) with management or execution tasks (operations, coding, auditing), leading candidates to select options that sound plausible but belong to lower-level roles.

472 · Multi-Select · medium

Which THREE are commonly used techniques to protect sensitive data in a cloud environment? (Select exactly 3.)

A. Code obfuscation for application logic.
B. Network segmentation between tiers.
C. Tokenization of sensitive fields.
D. Encryption at rest and in transit.
E. Data masking for non-production environments.
Answers: C, D, E

Replaces sensitive data with tokens.

Why this answer

Tokenization replaces sensitive data (e.g., credit card numbers) with a non-sensitive placeholder (token) that has no exploitable value. This technique is commonly used in cloud environments to reduce the scope of compliance (e.g., PCI DSS) because the token can be stored and processed without exposing the original sensitive value, even if the cloud storage is compromised.

Exam trap

ISACA often tests the distinction between data protection techniques (like encryption, tokenization, and masking) and general security controls (like network segmentation or code obfuscation), leading candidates to mistakenly select network segmentation as a data protection method.

473
MCQ · easy

Refer to the exhibit. An auditor reviews the log shipping configuration for a critical database. Based on the information provided, what is the MOST significant finding?

A. The current latency of 18 minutes exceeds the 15-minute log shipping interval
B. The alert threshold of 30 minutes is too high
C. The secondary server is not being used for reporting
D. The last backup was created at 06:00, but it is now later in the day
Answer: A

This indicates a potential data loss if a failover occurs, as the secondary may not have the latest data.

Why this answer

Option A is correct because the latency (18 minutes) exceeds the log shipping interval (15 minutes), indicating that the secondary server is falling behind. Option D is not a finding; Option C is not indicated; Option B is about alerting, but latency is the core issue.

474
Multi-Select · hard

An organization is evaluating its business continuity plan (BCP) to ensure alignment with the IT disaster recovery plan. Which TWO of the following are critical elements that should be included in the BCP to support effective business resilience?

Select 2 answers
A. A list of all critical IT applications with their recovery priorities.
B. Procedures for manual operations during system unavailability.
C. A complete inventory of hardware and software licenses.
D. Contact information for key stakeholders and emergency response teams.
E. Detailed step-by-step procedures for restoring network connectivity.
Answers: B, D

Manual workarounds are essential for business continuity when systems are down.

Why this answer

Option D (contact information for stakeholders) and Option B (procedures for manual operations) are essential BCP elements. Options A and E are more aligned with IT disaster recovery, and Option C is an asset inventory detail, not a critical BCP element.

475
Multi-Select · hard

Which THREE of the following are indicators of mature IT governance?

Select 3 answers
A. The IT department has high staff retention.
B. IT risks are formally assessed and managed.
C. IT projects are completed on time and within budget.
D. IT decisions are aligned with business strategy.
E. The board receives regular IT performance reports.
Answers: B, D, E

Risk management is a hallmark of mature governance.

Why this answer

Options B, D, and E are correct. Mature governance ensures alignment with business strategy (D), formal risk management (B), and board reporting (E). C (on-time projects) is a project management metric, not governance. A (staff retention) is an HR metric.

476
MCQ · medium

An organization implemented a business continuity plan (BCP) that includes manual workarounds. Which of the following is the PRIMARY risk of relying on manual processes during a disruption?

A. Higher probability of human error under stress
B. Longer recovery time for automated systems
C. Higher cost of implementation
D. Increased dependency on technology
Answer: A

Correct: Stress increases error likelihood, jeopardizing continuity.

Why this answer

Human error is significantly higher under stress, which can cause delays and mistakes. Other options are not primary risks.

477
MCQ · easy

A university's research department stores sensitive research data on a file server that is shared among faculty and graduate students. The server is accessible from the campus network and via VPN for remote access. Recently, a student downloaded a large dataset containing personally identifiable information (PII) of research subjects to a personal laptop. The laptop was later stolen. The university's incident response team determines that the student had legitimate access to the data for research purposes. Which control would have most effectively prevented the data exposure?

A. Require full-disk encryption on all laptops
B. Restrict VPN access to only university-issued devices
C. Conduct annual access reviews for the file server
D. Implement a DLP solution that restricts downloads of sensitive data to unmanaged devices
Answer: D

DLP can block transfer of sensitive data to unauthorized devices.

Why this answer

Option D is correct because data loss prevention (DLP) can detect and block the transfer of sensitive data to unapproved devices, such as a personal laptop. Option A (laptop encryption) would protect data on the stolen laptop but would not have prevented the download. Option B (restricting VPN access to university-issued devices) addresses only the remote access path; the file server is also reachable from the campus network. Option C (access review) is periodic and would not prevent the action.

478
Multi-Select · hard

Which THREE of the following are key elements that should be included in a risk assessment report for information systems?

Select 3 answers
A. Identification of critical assets and their vulnerabilities
B. Recommendations for risk mitigation or acceptance
C. List of all vendors and their contract terms
D. Evaluation of current controls and their effectiveness
E. Detailed budget for implementing security controls
Answers: A, B, D

Needed to understand what is at risk.

Why this answer

A is correct because a risk assessment report must identify critical assets and their vulnerabilities to establish the scope and basis for risk analysis. Without this, the report cannot prioritize which systems require immediate attention or justify subsequent control recommendations.

Exam trap

The trap here is that candidates confuse operational or financial details (vendor lists, budgets) with the core risk assessment deliverables, which must focus on assets, vulnerabilities, controls, and risk treatment decisions.

479
MCQ · hard

An organization is evaluating its business continuity plan (BCP) for a critical application with a recovery time objective (RTO) of 4 hours and a recovery point objective (RPO) of 1 hour. The current backup strategy involves daily full backups and hourly transaction log backups. Which of the following is the MOST significant risk?

A. The backup media is stored in the same building as the primary system
B. The recovery process requires manual intervention to apply logs
C. The backups are not tested regularly
D. The hourly logs cover only the last 24 hours
Answer: A

If the building is destroyed, both primary and backup data are lost, violating basic business continuity principles.

Why this answer

Option A is correct because if the backups are stored at the same site, a disaster destroying the primary site would also destroy the backups, making recovery impossible. Options B, C, and D are less critical: C is a procedural issue, D is a minor gap, and B concerns the recovery method but is not as fundamental as off-site storage.

480
MCQ · hard

An IS auditor is evaluating the effectiveness of an organization's information security awareness program. Which of the following is the BEST indicator of program effectiveness?

A. Percentage of employees who completed the training
B. Number of employees who acknowledged the security policy
C. Average score on the post-training quiz
D. Trend in security incidents attributed to human error
Answer: D

A downward trend indicates improved behavior due to awareness.

Why this answer

Option D is the best indicator because it directly measures the program's outcome: a reduction in security incidents caused by human error. While training completion, policy acknowledgment, and quiz scores measure activity or knowledge, they do not confirm that employees have changed their behavior. A downward trend in human-error-related incidents provides empirical evidence that the awareness program is effectively influencing employee actions in real-world scenarios.

Exam trap

The trap here is that candidates confuse activity metrics (completion, acknowledgment, quiz scores) with outcome metrics (actual behavior change and incident reduction), leading them to choose a proxy for effectiveness rather than the direct measure of program impact.

How to eliminate wrong answers

Option A is wrong because completion rates only measure attendance, not learning or behavior change; an employee can complete training without retaining or applying the material. Option B is wrong because acknowledging a policy is a procedural checkbox that does not verify understanding or compliance; it merely confirms receipt of information. Option C is wrong because post-training quiz scores measure short-term knowledge retention under test conditions, not the sustained application of secure practices in daily operations, and can be inflated by memorization or easy questions.

481
Multi-Select · hard

Which THREE of the following are key considerations when selecting a software development methodology for a project?

Select 3 answers
A. Availability of project management software
B. Regulatory compliance requirements
C. Project size and complexity
D. Level of stakeholder involvement
E. Programming language preferences
Answers: B, C, D

May dictate waterfall.

Why this answer

Regulatory compliance requirements (Option B) are a key consideration because the chosen methodology must support necessary audit trails, documentation, and control frameworks (e.g., SOX, HIPAA, PCI DSS). A methodology like Waterfall provides rigid phase-gate documentation, while Agile may require adaptation (e.g., SAFe) to satisfy compliance evidence demands. Failure to align methodology with regulatory needs can lead to non-compliance findings during a CISA audit.

Exam trap

The trap here is that candidates confuse operational preferences (like tooling or language) with structural project characteristics (size, complexity, stakeholder involvement, and compliance) that truly constrain methodology choice.

482
Multi-Select · easy

Which TWO are primary criteria for classifying information assets within an organization? (Choose two.)

Select 2 answers
A. The format of the data (structured vs. unstructured)
B. The age of the data
C. Business impact if the data is lost or disclosed
D. Physical storage location of the data
E. Legal and regulatory requirements
Answers: C, E

Impact determines sensitivity level.

Why this answer

Business impact if the data is lost or disclosed (Option C) is a primary criterion because classification directly depends on the potential harm to the organization—confidentiality, integrity, and availability breaches drive the classification level (e.g., public, internal, confidential, restricted). Legal and regulatory requirements (Option E) are also primary because they mandate specific classification labels and handling controls (e.g., GDPR for PII, HIPAA for PHI, PCI DSS for cardholder data) that override internal business impact assessments. These two factors form the core of any information classification policy, as they dictate the protective measures required.

Exam trap

The trap here is that candidates confuse operational attributes (format, age, location) with the foundational drivers of classification (business impact and legal/regulatory requirements), leading them to select options that describe how data is stored rather than why it needs protection.

483
MCQ · medium

An IT department is struggling with project delays and budget overruns. Which governance practice would be MOST effective?

A. Establishing a project management office (PMO)
B. Outsourcing projects
C. Increasing IT staff
D. Adopting agile methodology
Answer: A

PMO provides governance, standards, and oversight.

Why this answer

Establishing a Project Management Office (PMO) provides standardized project management practices, oversight, and governance, addressing delays and overruns. Agile methodology alone may not provide governance; increasing staff or outsourcing may not solve underlying issues.

484
Multi-Select · hard

Which THREE of the following are key metrics to include in a disaster recovery test report? (Select exactly 3.)

Select 3 answers
A. Amount of data lost (actual vs. RPO)
B. Cost per incident
C. Time taken to recover each critical system
D. Number of personnel involved
E. Percentage of successful restores
Answers: A, C, E

Measures data loss.

Why this answer

Option A is correct because the amount of data lost (actual vs. RPO) directly measures whether the recovery process met the Recovery Point Objective. This metric validates the effectiveness of backup frequency and replication lag, which is critical for determining if the DR plan preserved data integrity within acceptable loss limits.

Exam trap

The trap here is that candidates often confuse operational metrics (like cost or personnel count) with technical DR success metrics, leading them to select B or D instead of focusing on RPO, RTO, and restore integrity.

485
MCQ · hard

During a systems audit, the auditor finds that the project did not follow the organization's systems development methodology. What should the auditor do FIRST?

A. Accept if the project is on schedule
B. Recommend that the project be stopped
C. Report the deviation and assess the impact on controls
D. Interview the project team to understand why
Answer: C

The auditor must report and evaluate the risk.

Why this answer

The auditor's first responsibility upon discovering a deviation from the organization's systems development methodology is to report the finding and assess the impact on internal controls. This aligns with ISACA's audit standards, which require auditors to evaluate whether the deviation introduces risks to data integrity, security, or project governance. Without this assessment, the auditor cannot determine the severity of the non-compliance or recommend appropriate corrective actions.

Exam trap

The trap here is that candidates confuse the auditor's investigative curiosity (interviewing the team) with the required procedural first step (reporting and assessing control impact), leading them to select Option D instead of the correct audit response.

How to eliminate wrong answers

Option A is wrong because accepting a deviation solely because the project is on schedule ignores the potential for compromised controls, security vulnerabilities, or regulatory non-compliance that could arise from skipping methodology steps. Option B is wrong because recommending the project be stopped is a premature, high-impact action that should only be considered after assessing the control impact and discussing with management; the auditor's role is to evaluate, not unilaterally halt operations. Option D is wrong because while interviewing the project team may provide context, it is not the first step—the auditor must first formally document the deviation and evaluate its effect on controls to maintain audit trail integrity and objectivity.

486
MCQ · easy

An organization is selecting a vendor for a new enterprise resource planning (ERP) system. Which of the following is the MOST critical factor in the vendor selection process?

A. Negotiate service level agreements (SLAs) in the contract.
B. Check vendor references for similar projects.
C. Clearly define business requirements before issuing the request for proposal (RFP).
D. Evaluate vendor financial stability.
Answer: C

Defining requirements ensures the RFP elicits relevant vendor responses.

Why this answer

Clearly defining business requirements before issuing the RFP is the most critical factor because it ensures that the ERP system will align with the organization's operational needs, processes, and data flows. Without a precise requirements definition, the RFP will lack the necessary evaluation criteria, leading to mismatched vendor proposals, scope creep, and potential project failure. This step directly impacts the success of the acquisition, as it forms the foundation for all subsequent vendor evaluation and contract negotiations.

Exam trap

The trap here is that candidates often prioritize contractual or due diligence activities (like SLAs or financial checks) over the foundational step of requirements definition, mistakenly believing that vendor evaluation can proceed without a clear, documented baseline of what the system must accomplish.

How to eliminate wrong answers

Option A is wrong because negotiating SLAs is a contractual activity that occurs after vendor selection; while important for performance monitoring, it is not the most critical factor in the selection process itself. Option B is wrong because checking vendor references, though useful for validating past performance, is a secondary validation step that cannot compensate for a poorly defined requirements baseline. Option D is wrong because evaluating vendor financial stability, while relevant for long-term viability, is a risk assessment factor that should be considered after ensuring the vendor can meet the defined business needs; it does not address the core alignment of the ERP system with organizational requirements.

487
Matching · medium

Match each security control to its category.


Concepts

Preventive

Detective

Corrective

Administrative

Technical

Why these pairings

Controls are classified by function.

488
MCQ · hard

A financial services company is developing a new customer-facing web application for account management. The project is using a waterfall methodology. The initial requirements were gathered six months ago, and the coding phase is nearly complete. The business sponsor now requests a new feature that allows customers to view transaction receipts online. The project manager is concerned that this change will delay the project by two months and exceed the budget. The sponsor insists that the feature is critical for customer satisfaction and that the project must adapt. The development team estimates it will take 200 hours to implement. The steering committee is divided. As an IS auditor, what would be the BEST recommendation to resolve this?

A. Formally submit a change request, assess the impact on cost and schedule, and obtain approval from the change control board before proceeding.
B. Terminate the current project and launch a new project incorporating the new feature.
C. Advise the sponsor to postpone the feature until the next release and continue as planned.
D. Instruct the development team to implement the feature immediately to satisfy the sponsor.
Answer: A

Change control manages scope creep.

Why this answer

In a waterfall methodology, changes after the coding phase require a formal change control process to assess impact on cost, schedule, and scope. The correct answer is A because submitting a change request to the change control board (CCB) ensures that the 200-hour effort, two-month delay, and budget overrun are evaluated against business priorities, maintaining project governance and auditability. This aligns with ISACA’s guidance on managing scope creep in systems development.

Exam trap

The trap here is that candidates may choose Option C (postpone) thinking it avoids delay, but the question explicitly states the sponsor insists the feature is critical, so ignoring it fails to address the business need and can lead to project failure despite staying on schedule.

How to eliminate wrong answers

Option B is wrong because terminating the current project and launching a new one is an extreme, inefficient response that wastes completed coding work and introduces unnecessary risk, failing to leverage the existing investment. Option C is wrong because it unilaterally overrides the sponsor’s business-critical requirement without formal evaluation, which can lead to stakeholder dissatisfaction and missed market needs, violating the principle of balanced governance. Option D is wrong because instructing the team to implement immediately bypasses change control, budget approval, and impact analysis, creating uncontrolled scope creep and potential audit findings for unauthorized changes.

489
MCQ · hard

A multinational corporation is designing its disaster recovery strategy to meet a recovery point objective (RPO) of 15 minutes for its critical database. Which replication method is MOST appropriate?

A. Asynchronous replication over WAN
B. Daily incremental backups to tape
C. Synchronous replication with write-back caching
D. Periodic snapshot every hour
Answer: C

Correct: Synchronous replication ensures transactions are committed at both sites, meeting RPO.

Why this answer

Synchronous replication with write-back caching provides near-zero data loss while managing performance impact. Asynchronous replication may have higher latency, daily backups exceed RPO, and hourly snapshots are insufficient.

490
MCQ · hard

An organization has configured HSRP as shown. During a failover test, the primary router (G0/1) is shut down, but the DR site router does not become active. What is the MOST likely reason?

A. The default route on the primary router points to the wrong next-hop
B. The preempt command is missing on the DR router
C. The OSPF routing protocol is not redistributing the default route
D. The HSRP group numbers on the two interfaces do not match
Answer: D

HSRP group 1 is on G0/1 and group 2 on G0/2; they should be the same group to provide redundancy for the same virtual IP.

Why this answer

HSRP requires that both routers participating in the same virtual IP address use the same group number to form a single HSRP group. If the group numbers on the two interfaces do not match, each router will form its own separate HSRP group, and neither will recognize the other as a peer. Consequently, when the primary router fails, the DR router does not assume the active role because it is not part of the same HSRP group.

Exam trap

The trap here is that candidates often confuse HSRP group number mismatch with missing preempt or routing issues, but Cisco specifically tests the fundamental requirement that HSRP group numbers must match for the protocol to establish adjacency.

How to eliminate wrong answers

Option A is wrong because the default route on the primary router pointing to the wrong next-hop would affect traffic forwarding but does not prevent HSRP failover; HSRP operates independently of routing table entries. Option B is wrong because the preempt command is only needed if you want a higher-priority router to reclaim the active role after it recovers; it is not required for the DR router to become active during a failover when the primary is shut down. Option C is wrong because OSPF redistribution of a default route is unrelated to HSRP state transitions; HSRP uses its own hello messages and timers to determine active/standby status, not OSPF routing updates.

491
Drag &amp; Drop · medium

Arrange the steps to perform a risk assessment in the correct order.


Why this order

Risk assessment begins with asset identification, then threat/vulnerability identification, followed by risk analysis, prioritization, and documentation of treatment.

492
MCQ · medium

Which of the following is the MOST effective control to prevent unauthorized USB devices from connecting to corporate workstations?

A. Device control software that blocks non-approved USB devices.
B. User awareness training.
C. Physical security guards.
D. Encrypting all USB devices.
Answer: A

Technical enforcement is most effective.

Why this answer

Device control software (e.g., endpoint DLP or USB whitelisting tools) operates at the OS kernel or driver level to enforce a hardware ID or vendor ID allowlist, blocking any USB device not explicitly approved. This is the only option that provides a preventive, automated, and continuous control against unauthorized USB connections, regardless of user behavior or physical access.

Exam trap

The trap here is that candidates often confuse encryption (which protects data confidentiality) with access control (which prevents connection), or overestimate the effectiveness of training and physical security against a technical bypass like USB autorun or BadUSB.

How to eliminate wrong answers

Option B is wrong because user awareness training is a detective/deterrent control that relies on human compliance and does not technically prevent a USB device from being recognized by the operating system. Option C is wrong because physical security guards control physical access to the facility but cannot prevent an insider from plugging an unauthorized USB device into a workstation already inside the perimeter. Option D is wrong because encrypting USB devices protects data at rest on the device but does nothing to prevent the device from being connected to a corporate workstation in the first place.

493
Multi-Select · hard

An IS auditor is assessing the backup and recovery procedures for a critical database. Which TWO of the following are the MOST important controls to ensure recoverability?

Select 2 answers
A. Backup media is encrypted.
B. Full backups are performed weekly.
C. Restore tests are conducted quarterly.
D. Backup logs are reviewed daily.
E. Backups are stored offsite.
Answers: C, E

Restore tests verify that backups can actually be recovered.

Why this answer

Options C and E are correct because restore tests validate recoverability, and storing backups offsite ensures survival of a site disaster. Option D is important but not as directly critical. Option B is not necessarily the most important, as full backup frequency depends on the RPO. Option A is important for confidentiality but not for recoverability.

494
Multi-Select · medium

Which THREE of the following are acceptable methods for gathering audit evidence? (Select THREE.)

Select 3 answers
A. Accepting management's assertions without corroboration
B. Observation of processes being performed
C. Reperformance of control procedures
D. Inquiry of personnel
E. Obtaining hearsay from third parties
Answers: B, C, D

Observation provides direct evidence of control performance.

Why this answer

Observation of processes being performed (Option B) is an acceptable audit evidence-gathering technique because the auditor directly witnesses the execution of controls or procedures, providing firsthand evidence of their operation. This method is particularly valuable for assessing the effectiveness of manual controls or physical security measures, as it allows the auditor to verify that the process is performed as documented and to identify any deviations in real-time.

Exam trap

The trap here is that candidates may mistakenly believe that inquiry alone (Option D) is insufficient, but inquiry is a valid evidence-gathering method when combined with other procedures, while accepting unsupported assertions (Option A) and hearsay (Option E) are never acceptable as primary evidence.

495
MCQ · easy

An organization's backup strategy involves weekly full backups and daily incremental backups. After a system failure, the restoration takes longer than expected. What is the most likely cause?

A. Incremental backups not stored offsite
B. Full backup frequency too low
C. Restoration process not tested
D. Tape rotation failure
Answer: C

Without testing, the actual time required for restoration is unknown, leading to unrealistic expectations.

Why this answer

Option C is correct because without periodic testing, the recovery time may be underestimated. Option B is plausible but not the most likely cause given the time issue; A and D are incorrect because they are not directly related to the restoration time.

496
MCQ · medium

An IS auditor is reviewing the logical access controls of a financial application. Which of the following is the BEST way to verify that user access rights are appropriate?

A. Interview the IT security manager about the access control process.
B. Review the access control list for each user.
C. Re-perform a sample of transactions to detect unauthorized access.
D. Compare the user access rights with the job descriptions and responsibilities.
Answer: D

This directly validates whether access aligns with job functions.

Why this answer

Option D is correct because comparing user access rights directly against job descriptions and responsibilities is the most effective method to verify that access is appropriate based on the principle of least privilege. This approach ensures that each user's permissions align with their actual job functions, which is the core objective of a logical access control review. Interviewing or reviewing lists alone does not validate the appropriateness of access against business roles.

Exam trap

The trap here is that candidates often choose Option C (re-performing transactions) because it sounds like a direct test of control effectiveness, but it only detects unauthorized access after the fact and does not verify the appropriateness of the access rights themselves.

How to eliminate wrong answers

Option A is wrong because interviewing the IT security manager only provides a subjective, second-hand description of the process, not objective evidence that actual user access rights are appropriate. Option B is wrong because reviewing the access control list for each user shows what rights exist but does not compare them against any baseline (e.g., job roles) to determine if those rights are appropriate. Option C is wrong because re-performing a sample of transactions detects unauthorized access attempts but does not verify that the current access rights assigned to users are appropriate; it tests operational effectiveness, not the design of access provisioning.

497
MCQ · easy

An organization is developing its IT strategy to align with the overall business strategy. The business strategy emphasizes rapid market expansion through digital products. Which of the following IT strategies would BEST support this business goal?

A. Standardize all IT systems to reduce complexity.
B. Adopt agile development methods and scalable cloud infrastructure.
C. Outsource all IT operations to a low-cost provider.
D. Minimize IT investment to preserve capital for business growth.
Answer: B

Agile and cloud enable rapid, scalable deployment of digital products.

Why this answer

Option B is correct because rapid market expansion requires agility and speed. Option A is wrong because strict standardization may slow down innovation. Option D is wrong because minimizing IT investment would hinder digital product development. Option C is wrong because outsourcing to the lowest-cost provider may compromise quality and speed.

498
MCQ · medium

A company is considering restructuring its IT department from a centralized to a decentralized model to give business units more autonomy. What is a PRIMARY governance risk associated with this move?

A. Difficulty in managing vendor contracts due to decentralization.
B. Reduced innovation due to lack of central coordination.
C. Increased risk of project cost overruns.
D. Inconsistent IT policies and security controls across business units.
Answer: D

Decentralization often leads to divergence in standards and controls.

Why this answer

Option D is correct because decentralized IT can lead to inconsistent policies and standards across units. Option C is wrong because cost overruns can occur in any model. Option B is wrong because innovation may increase with autonomy. Option A is wrong because vendor management can be decentralized but still controlled.

499
MCQ · easy

Refer to the exhibit. An auditor reviews the ACL and notes that it allows traffic from a specific host while blocking other IPs in the same subnet. What is the most likely security issue?

A. The ACL blocks all traffic from the subnet except the host, which is desired.
B. The ACL is misconfigured because the permit any at the end bypasses the deny.
C. The ACL allows all traffic from the specific host, which is a risk.
D. The ACL should be reversed to deny first.
Answer: B

Correct. The permit any at the end makes the deny rule redundant, allowing all traffic from the subnet.

Why this answer

Option B is correct because the ACL has a 'permit any' statement at the end, which overrides the preceding 'deny' statements. In Cisco ACLs, packets are processed sequentially from top to bottom; once a match is found, no further rules are evaluated. Therefore, the 'deny' for the subnet is never reached, and all traffic (including from the blocked subnet) is permitted, defeating the intended restriction.

Exam trap

The trap here is assuming that the implicit 'deny any' at the end of every Cisco ACL still applies once an explicit 'permit any' has been appended. It does not: the 'permit any' matches everything the earlier entries did not, and because the first match wins, a deny entry only takes effect if it is reached and matches before the 'permit any' does.

How to eliminate wrong answers

Option A is wrong because the ACL does not block the rest of the subnet; the 'permit any' admits that traffic, so the desired behavior is not achieved. Option C is wrong because permitting the specific host is the intended function, not the risk; the problem is the unintended traffic the 'permit any' admits. Option D is wrong because the finding is not that the existing entries are in the wrong order: putting a deny for the subnet first would also block the host that is meant to be allowed. The fix is to remove the trailing 'permit any' (so the implicit deny applies) or to place an explicit deny for the subnet above it, after the host permit.
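The first-match rule and the implicit deny are easy to get wrong in the head, so here is a small evaluator that reproduces them on constructed ACLs. It is an added example, not the exhibit from the question or any vendor code; the ACL entries, sample addresses and the three ACL variants (broken, fixed, and a deny shadowed by a preceding 'permit any') are all constructed for illustration.

```python
import ipaddress

# Constructed ACL entries for illustration; they are not the exhibit from the
# question. Semantics modelled here follow Cisco standard ACLs: entries are
# evaluated top to bottom, the first match decides, and a packet matching no
# entry is dropped by the implicit "deny any" at the end of every ACL.

ANY = ipaddress.ip_network("0.0.0.0/0")


def wildcard_to_network(address, wildcard):
    """Turn 'address wildcard' (Cisco wildcard mask) into an ip_network.

    In a wildcard mask 0 bits must match and 1 bits are don't-care. Only
    contiguous wildcards are handled, which covers ordinary subnet entries.
    """
    wc = int(ipaddress.ip_address(wildcard))
    prefixlen = 32 - wc.bit_length()
    if wc != (1 << (32 - prefixlen)) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard} is not supported")
    return ipaddress.ip_network(f"{address}/{prefixlen}", strict=False)


def parse_entry(line):
    """Parse one entry: 'permit any', 'deny host A.B.C.D' or 'permit NET WILDCARD'."""
    parts = line.split()
    action = parts[0]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in {line!r}")
    if parts[1] == "any":
        net = ANY
    elif parts[1] == "host":
        net = ipaddress.ip_network(parts[2] + "/32")
    else:
        net = wildcard_to_network(parts[1], parts[2])
    return (action, net, line)


def compile_acl(lines):
    return [parse_entry(line) for line in lines]


def evaluate(acl, src_ip):
    """Return (action, entry_text) of the first entry matching src_ip."""
    ip = ipaddress.ip_address(src_ip)
    for action, net, text in acl:
        if ip in net:
            return action, text
    return "deny", "implicit deny any"


def unreachable_entries(acl):
    """Entries placed after a catch-all ('any') entry can never be matched."""
    for i, (_, net, _) in enumerate(acl):
        if net == ANY:
            return [text for _, _, text in acl[i + 1:]]
    return []


def audit(acl, samples=("10.1.1.5", "10.1.1.77", "192.0.2.10")):
    """Map sample source addresses to the action the ACL takes on them."""
    return {ip: evaluate(acl, ip)[0] for ip in samples}


# Intent: allow host 10.1.1.5 and block the rest of 10.1.1.0/24.
# Broken: the trailing "permit any" replaces the implicit deny the author
# relied on, so the rest of the subnet is never denied.
BROKEN_ACL = compile_acl([
    "permit host 10.1.1.5",
    "permit any",
])

# Fixed: an explicit deny for the subnet sits between the host permit and the
# "permit any" (or drop the "permit any" if nothing else should be allowed).
FIXED_ACL = compile_acl([
    "permit host 10.1.1.5",
    "deny 10.1.1.0 0.0.0.255",
    "permit any",
])

# Another common defect: the deny exists but is ordered after the "permit any".
SHADOWED_ACL = compile_acl([
    "permit host 10.1.1.5",
    "permit any",
    "deny 10.1.1.0 0.0.0.255",
])

if __name__ == "__main__":
    for name, acl in (("broken", BROKEN_ACL), ("fixed", FIXED_ACL), ("shadowed", SHADOWED_ACL)):
        print(name, audit(acl), "unreachable:", unreachable_entries(acl))
```

The unreachable_entries check is the audit test worth automating: any entry after a catch-all 'any' is dead, and a dead deny is exactly the kind of finding the question describes.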

500
MCQmedium

An organization has experienced several security incidents due to unauthorized changes to production systems. Which governance mechanism should be strengthened?

A.IT asset management
B.Configuration management database
C.Incident response plan
D.Change management process
AnswerD

This controls the approval and implementation of changes.

Why this answer

A change management process ensures that all changes are authorized, tested, and approved, directly addressing unauthorized changes. Asset management, CMDB, and incident response are supportive but not the primary control.

501
MCQmedium

Refer to the exhibit. The IAM policy is intended to allow only requests originating from account 123456789012 to perform any S3 actions. Why does the policy NOT achieve this objective?

A.The Resource element is set to "*", which allows all actions on all resources regardless of the condition.
B.The condition key 'aws:SourceAccount' only applies when the request is made from another account; it does not restrict access to resources owned by the same account.
C.The policy should include a Deny statement for all other accounts to be effective.
D.The Version element is incorrect and should be updated to the latest version.
AnswerB

The condition key is misapplied; aws:SourceAccount does not identify the account of the calling principal.

Why this answer

Option B is correct because 'aws:SourceAccount' is a confused-deputy control, not a caller restriction. It is populated when an AWS service makes a request on behalf of a resource, and its value is the account that owns that resource, not the account of whoever triggered the call. Its intended home is a resource-based policy (an S3 bucket policy, an SNS topic policy, a Lambda function policy) where it stops a service from being tricked into acting for a resource in an unexpected account. Placed in an identity-based policy attached to a user or role it does not express "only callers from account 123456789012": direct calls by IAM principals do not carry the key at all, and when a service does populate it the value reflects the resource owner rather than the caller. The condition key that identifies the calling principal's account is 'aws:PrincipalAccount' (and 'aws:PrincipalArn' for the specific principal).

Exam trap

The trap here is that candidates read 'aws:SourceAccount' as "the account the request comes from", but it names the account of the resource on whose behalf a service is acting; the caller's account is 'aws:PrincipalAccount'. A policy conditioned on the wrong key gives a false sense of security because it reads as if it restricts the caller when it does not.

How to eliminate wrong answers

Option A is wrong because a Resource of '*' is valid in an identity-based policy and is not why the intent is missed; the defect is the condition key. Option C is wrong because adding a Deny for other accounts does not repair a condition that keys off the wrong value; a Deny written against 'aws:SourceAccount' has the same defect, whereas the intent is expressed correctly by conditioning on 'aws:PrincipalAccount' (in the Allow, or in a Deny using StringNotEquals). Option D is wrong because '2012-10-17' is the current policy language version; the Version element does not affect how the condition is evaluated.
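To make the difference between the two keys concrete, here is an added, simplified policy evaluator run over the policy as the question describes it and over a corrected one. It is not the AWS policy engine and is not code from the question's exhibit; it models only the IAM rules relevant here (a statement applies when its Action and every condition match, StringEquals against a key absent from the request context does not match, an explicit Deny overrides Allow, and the default is deny). The request contexts, including which keys IAM populates for a direct call versus a service call on behalf of a resource, are constructed assumptions for the example.

```python
import json

# Added illustration, not the AWS policy engine: a simplified evaluator that
# follows IAM's documented rules relevant here. A statement applies only when
# its Action matches and every condition matches; StringEquals against a key
# that is absent from the request context does not match; an explicit Deny
# overrides any Allow; with no matching Allow the default is deny.

ACCOUNT = "123456789012"

# Policy as described in the question (reconstructed, since the exhibit is not
# reproduced here): it conditions on aws:SourceAccount.
SOURCE_ACCOUNT_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "s3:*",
    "Resource": "*",
    "Condition": {"StringEquals": {"aws:SourceAccount": "123456789012"}}
  }]
}
""")

# Corrected policy: the calling principal's account is aws:PrincipalAccount.
PRINCIPAL_ACCOUNT_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "s3:*",
    "Resource": "*",
    "Condition": {"StringEquals": {"aws:PrincipalAccount": "123456789012"}}
  }]
}
""")


def action_matches(pattern, action):
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def condition_matches(condition, context):
    """Only StringEquals is modelled; an absent key never matches."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            if context.get(key) != expected:
                return False
    return True


def is_allowed(policy, action, context):
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(action_matches(p, action) for p in actions):
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed request contexts (an assumed shape of the keys IAM populates).
# A direct call by an IAM user or role carries aws:PrincipalAccount; it does
# not carry aws:SourceAccount, which is set only when an AWS service makes the
# request on behalf of a resource and then names that resource's owner.
CONTEXTS = {
    "direct call, principal in 123456789012": {"aws:PrincipalAccount": ACCOUNT},
    "direct call, principal in 999999999999": {"aws:PrincipalAccount": "999999999999"},
    "service call for a resource owned by 123456789012, triggered from 999999999999": {
        "aws:PrincipalAccount": "999999999999",
        "aws:SourceAccount": ACCOUNT,
    },
}


def compare(action="s3:GetObject"):
    """For each context: (allowed by SourceAccount policy, allowed by PrincipalAccount policy)."""
    return {
        name: (is_allowed(SOURCE_ACCOUNT_POLICY, action, ctx),
               is_allowed(PRINCIPAL_ACCOUNT_POLICY, action, ctx))
        for name, ctx in CONTEXTS.items()
    }


if __name__ == "__main__":
    for name, (src, prin) in compare().items():
        print(f"{name}: SourceAccount policy -> {src}, PrincipalAccount policy -> {prin}")
```

The third context is the one that shows the defect: the SourceAccount policy allows a call made from another account purely because the resource being acted on belongs to 123456789012, while the PrincipalAccount policy refuses it and allows only the direct same-account call.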

502
MCQeasy

An IT steering committee is reviewing a proposal for a new customer relationship management (CRM) system. Which of the following BEST demonstrates that the proposal aligns with the organization's strategic goals?

A.The business case includes a clear link to the organization's five-year strategic plan.
B.The project manager has extensive experience with CRM implementations.
C.The proposed system includes advanced analytics capabilities.
D.The vendor offers discounted licensing for the first year.
AnswerA

Direct reference to the strategic plan demonstrates alignment.

Why this answer

Option A is correct because a clear link to the organization's strategic plan is direct evidence of alignment. Option B is wrong because the project manager's experience bears on delivery risk, not on strategic alignment. Option C is wrong because advanced analytics is a feature that may or may not serve a strategic goal. Option D is wrong because discounted licensing is a cost consideration, not evidence of strategic alignment.

503
MCQhard

An IT auditor is reviewing the business continuity plan (BCP) for a financial services firm. The plan includes a hot site that is shared with another organization under a reciprocal agreement. Which of the following findings should be of MOST concern to the auditor?

A.The hot site uses a different internet service provider than the primary site
B.The hot site has not been tested in the past 12 months
C.The reciprocal agreement does not guarantee exclusive use of the hot site during a disaster
D.The hot site is located in the same seismic zone as the primary site
AnswerC

If both organizations activate simultaneously, the hot site may not have sufficient capacity for both.

Why this answer

Option C is correct because a reciprocal agreement for a shared hot site does not guarantee exclusive access during a disaster. If both organizations declare a disaster simultaneously, the site may become oversubscribed, leading to resource contention and potential failure of the BCP. This directly undermines the recovery capability, making it the most critical finding.

Exam trap

The trap here is that candidates may focus on technical details like ISP diversity or testing frequency, but the core BCP principle is that a shared resource without guaranteed exclusive access is a fundamental design flaw that can render the entire plan ineffective during a concurrent disaster.

How to eliminate wrong answers

Option A is wrong because using a different ISP for the hot site is actually a best practice to avoid single points of failure and is not a concern. Option B is wrong because while annual testing is recommended, the lack of a test in 12 months is a finding but not as critical as the lack of guaranteed exclusive access; the plan could still be viable with more frequent testing scheduled. Option D is wrong because being in the same seismic zone is a risk, but it is less immediate than the operational risk of resource contention; many organizations accept this risk with geographic separation within the same region.

504
MCQhard

An organization is implementing a COTS application. The project team plans to heavily customize the application to meet unique business processes. Which of the following is the most significant risk?

A.Vendor lock-in
B.Incompatibility with future releases
C.Difficulties in applying future vendor upgrades
D.High implementation cost
AnswerC

Customizations break compatibility with standard upgrades, jeopardizing future support.

Why this answer

Option C is correct because heavy customization makes it difficult to apply vendor upgrades and patches, which over time can leave the application unsupported. Option A is incorrect because, while vendor lock-in is a risk, the upgrade difficulty is the more direct consequence of customization. Option B is incorrect because incompatibility with future releases is a symptom of the upgrade problem rather than the risk itself. Option D is incorrect because high implementation cost is a one-time, secondary concern compared with the ongoing upgrade risk.

505
MCQmedium

A software development company uses a cloud-based source code repository (e.g., GitHub) to store proprietary code. The company has two-factor authentication (2FA) enabled for all accounts. A developer's personal computer was infected with malware that stole the developer's session cookies and local credentials. The attacker used the stolen session to access the code repository and exfiltrated the entire codebase. The company's security team reviews the incident and notes that the repository has audit logging, but the logs were not monitored in real time. The team wants to implement additional controls to prevent a similar incident. Which control would have been most effective in preventing the exfiltration?

A.Use a SIEM to alert on unusual access patterns in real time
B.Enforce code signing for all commits
C.Require access to the code repository only from company-managed IP addresses
D.Implement a shorter session timeout for the code repository
AnswerC

An IP allow list prevents access from locations the organization does not control.

Why this answer

Option C is correct because restricting repository access to company-managed IP addresses (for example an organization-level IP allow list covering the corporate VPN egress or NAT gateway) would have rejected the attacker's requests. Even with a valid stolen session cookie, a request arriving from an address outside the allow list is refused by the service before any repository content is served, so the clone and exfiltration never start. This is a preventive control on the network origin of the request, rather than detection after the fact or a shorter lifetime for a session that is already stolen. Its residual risk is an attacker who tunnels through the infected machine while it is connected to the corporate network, which is why the allow list is layered with session controls and monitoring rather than relied on alone.

Exam trap

The trap here is that candidates choose a detective control (SIEM) or a session-lifetime control (shorter timeout) because the scenario centers on stolen session cookies, but the most effective preventive control is one that conditions access on the request's network origin, which a stolen cookie alone does not satisfy.

How to eliminate wrong answers

Option A is wrong because a SIEM alerting on unusual access patterns is a detective control, not a preventive one; it would not stop the exfiltration in real time, especially if the attacker mimicked normal developer behavior. Option B is wrong because code signing ensures the integrity and authenticity of commits but does not prevent an attacker from cloning or exfiltrating the repository; it protects against tampered code, not unauthorized access. Option D is wrong because a shorter session timeout would only reduce the window of opportunity for an attacker using stolen cookies, but it would not prevent the exfiltration if the attacker acted within the valid session window; the session was already compromised.
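The scenario contrasts the preventive allow list with detective log review, so here is an added example that runs both over a constructed audit log: the allow-list gate that would have refused the attacker's requests, and two detection rules (a session id seen from more than one IP, and clones from outside corporate ranges) that the unmonitored audit log already contained. It is not code from the question or from GitHub; the log lines, field names and the corporate egress range are assumptions, with all addresses taken from the RFC 5737 documentation ranges.

```python
import ipaddress
import json
from collections import defaultdict

# Added illustration, not part of the original question. Addresses are from
# the RFC 5737 documentation ranges and the corporate egress range is an
# assumption; replace it with the real VPN / NAT gateway addresses.
CORPORATE_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed audit-log lines in a GitHub-like JSON shape. The field names are
# assumptions for the example, not the real GitHub audit-log schema.
AUDIT_LOG = """
{"ts": "2024-05-01T09:02:11Z", "actor": "dev1", "action": "repo.access", "ip": "203.0.113.40", "session": "s-7f3a"}
{"ts": "2024-05-01T09:10:45Z", "actor": "dev1", "action": "git.push", "ip": "203.0.113.40", "session": "s-7f3a"}
{"ts": "2024-05-01T10:15:00Z", "actor": "dev2", "action": "git.clone", "ip": "203.0.113.41", "session": "s-91c0"}
{"ts": "2024-05-01T22:31:07Z", "actor": "dev1", "action": "repo.access", "ip": "198.51.100.23", "session": "s-7f3a"}
{"ts": "2024-05-01T22:31:19Z", "actor": "dev1", "action": "git.clone", "ip": "198.51.100.23", "session": "s-7f3a"}
"""


def parse_log(text):
    return [json.loads(line) for line in text.strip().splitlines()]


def from_corporate_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_EGRESS)


def rejected_by_allow_list(events):
    """Preventive control (option C): requests from outside the allow list are
    refused before any content is served, however valid the session cookie."""
    return [e for e in events if not from_corporate_ip(e["ip"])]


def sessions_seen_from_multiple_ips(events):
    """Detective control: one session id used from more than one source IP is
    the footprint of a stolen cookie being replayed from another machine."""
    ips = defaultdict(set)
    for e in events:
        ips[e["session"]].add(e["ip"])
    return {s: sorted(v) for s, v in ips.items() if len(v) > 1}


def clones_from_outside(events):
    """What a SIEM rule (option A) would alert on, after the fact."""
    return [e for e in events if e["action"] == "git.clone" and not from_corporate_ip(e["ip"])]


if __name__ == "__main__":
    events = parse_log(AUDIT_LOG)
    print("rejected by allow list:", [(e["ts"], e["action"]) for e in rejected_by_allow_list(events)])
    print("session reuse:", sessions_seen_from_multiple_ips(events))
    print("clones from outside:", [e["ts"] for e in clones_from_outside(events)])
```

Run against the constructed log, the allow list rejects both of the attacker's requests before the clone happens, while the two detection rules only confirm afterwards that session s-7f3a was replayed from a second address and that the clone came from outside the corporate range.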

506
Multi-Selectmedium

Which TWO of the following are considered essential components of an information security policy framework? (Choose two.)

Select 2 answers
A.Data classification policy
B.Business continuity plan
C.Incident response plan
D.Network architecture diagram
E.Acceptable use policy
AnswersA, E

Establishes data sensitivity categories.

Why this answer

A data classification policy is essential because it defines how information assets are categorized based on sensitivity and criticality (e.g., public, internal, confidential, restricted). This classification directly drives the selection and enforcement of appropriate security controls, such as encryption standards (e.g., AES-256 for confidential data) and access control mechanisms (e.g., role-based access control). Without it, security measures cannot be consistently applied across the organization, leading to gaps in protection. An acceptable use policy is the second essential component: it states the rules users must follow when using the organization's information and systems, which is what makes the other controls enforceable against individuals.

Exam trap

ISACA often tests the distinction between policies (high-level rules) and operational plans or technical artifacts, so candidates mistakenly select BCP or incident response plans as policy components because they are security-related, but they are not part of the policy framework itself.

507
MCQhard

A company plans to implement a commercial off-the-shelf (COTS) application and requires significant customization to match its unique business processes. The vendor advises against extensive customization because it may complicate future upgrades. What is the BEST course of action?

A.Use the vendor's customization module to minimize upgrade risks
B.Customize but maintain detailed documentation for upgrade impact analysis
C.Proceed with extensive customization to meet business needs
D.Avoid customization and re-engineer business processes to match the COTS application
AnswerD

Minimizing customization is best practice to ensure smooth upgrades.

Why this answer

The best course of action is to avoid customization and re-engineer business processes to match the COTS application. This approach preserves the integrity of the vendor's standard codebase, ensuring that future upgrades and patches can be applied with minimal friction. Extensive customization creates a fork from the vendor's baseline, leading to costly regression testing, potential security gaps, and upgrade incompatibilities that undermine the long-term value of the COTS investment.

Exam trap

The trap here is that candidates often choose 'customize but document' (Option B) because it sounds like a balanced, pragmatic approach, but the CISA exam emphasizes that any customization that deviates from the vendor's standard configuration introduces unacceptable upgrade and maintenance risks, making process re-engineering the only truly sustainable choice.

How to eliminate wrong answers

Option A is wrong because using a vendor's customization module does not eliminate upgrade risks; it only provides a structured way to apply customizations, but those customizations still create dependencies on specific API versions or hooks that can break during major version upgrades. Option B is wrong because maintaining detailed documentation for upgrade impact analysis is a mitigation tactic, not a solution—it does not prevent the underlying technical debt, code conflicts, or the need for extensive rework when the vendor releases a new version. Option C is wrong because proceeding with extensive customization directly contradicts the vendor's guidance and industry best practices, leading to a 'customized fork' that makes future upgrades prohibitively expensive or impossible without re-implementing all custom logic.

508
MCQeasy

A financial institution is deploying a data loss prevention (DLP) solution. Which of the following is the MOST important prerequisite to ensure the DLP can effectively detect sensitive data?

A.Configuring incident response procedures
B.Installing endpoint agents on all devices
C.Implementing network segmentation
D.Performing a data classification exercise
AnswerD

Data classification identifies and labels sensitive data, allowing DLP to detect it accurately.

Why this answer

A DLP solution detects sensitive data by matching content against predefined patterns or rules. Without a data classification exercise, the organization cannot define what constitutes 'sensitive data' (e.g., PII, PCI, IP), making the DLP blind to what it should monitor. Classification provides the taxonomy and metadata (e.g., labels, tags) that the DLP engine uses to trigger alerts or blocks, ensuring detection is both accurate and aligned with policy.

Exam trap

ISACA often tests the misconception that deploying agents or configuring network controls is the first step, but the trap here is that technical controls are useless without first defining what data is sensitive through classification.

How to eliminate wrong answers

Option A is wrong because incident response procedures are reactive steps taken after a DLP alert is generated, not a prerequisite for detection itself; configuring them before classification would leave the DLP without a detection baseline. Option B is wrong because endpoint agents are a deployment method for DLP, but without knowing what data is sensitive, agents cannot be configured to scan for the correct content or patterns. Option C is wrong because network segmentation controls data flow between zones but does not define what data is sensitive; a DLP can still fail to detect sensitive data crossing segments if it lacks classification rules.

509
Multi-Selectmedium

Which TWO of the following are key benefits of using a system development life cycle (SDLC) methodology? (Select exactly two.)

Select 2 answers
A.It provides a structured approach to system development
B.It ensures user requirements are captured and validated
C.It prevents any scope changes during development
D.It eliminates the need for security testing
E.It reduces the overall cost of development
AnswersA, B

SDLC defines phases and deliverables.

Why this answer

Options A and B are correct. A: an SDLC defines phases, deliverables and control points, giving development a structured approach. B: its analysis and design phases capture user requirements, and its testing and acceptance phases validate them. C is wrong because an SDLC does not prevent scope changes; it manages them through change control. D is wrong because an SDLC does not eliminate security testing; it embeds it in the test and acceptance phases. E is wrong because an SDLC does not guarantee lower cost; the added rigor can increase upfront cost even if it reduces rework later.
