Certified Information Systems Auditor (CISA) — Questions 526–600

984 questions total · 14 pages · All types, answers revealed

Page 8 of 14
526 · MCQ · hard

Refer to the exhibit. A security analyst notices that users on the INSIDE network (10.1.1.0/24) can browse HTTPS websites but cannot resolve domain names. What is the most likely cause?

A. The ACL denies TCP traffic to port 443
B. The ACL only permits DNS traffic to host 10.2.2.10, but users need to query a different DNS server
C. The DNS server at 10.2.2.10 is unreachable
D. The OUTSIDE interface has no security-level configured correctly
Answer: B

The DNS request to an external server is denied because the ACL only allows UDP to 10.2.2.10.

Why this answer

The exhibit shows an ACL that permits DNS traffic (UDP port 53) only to host 10.2.2.10. Since users can browse HTTPS (TCP/443) but cannot resolve domain names, the ACL is blocking DNS queries to any other DNS server. Option B correctly identifies that the ACL restricts DNS to a single server, and if users are configured to query a different DNS server, resolution fails.

Exam trap

The trap here is that candidates assume DNS resolution failure must be due to a DNS server being unreachable (Option C), but the ACL is actually restricting the destination IP of DNS queries, not the protocol itself.

How to eliminate wrong answers

Option A is wrong because the ACL permits TCP traffic to port 443 (HTTPS), as evidenced by users successfully browsing HTTPS websites. Option C is wrong because if the DNS server at 10.2.2.10 were unreachable, users would not be able to resolve names at all, but the issue is that users are configured to query a different DNS server, not 10.2.2.10. Option D is wrong because the security-level configuration on the OUTSIDE interface affects traffic direction and stateful inspection, not DNS resolution; the problem is specifically an ACL filtering issue.

527 · MCQ · medium

An organization is implementing a new IT governance framework. Which of the following is a key component of the COBIT 2019 governance system?

A. Plan, Do, Check, Act
B. Evaluate, Direct, Monitor
C. Service value system
D. Four dimensions model
Answer: B

These are the three governance objectives in COBIT 2019.

Why this answer

COBIT 2019 defines governance as having three key objectives: evaluate, direct, and monitor. Management objectives are grouped into domains like APO, BAI, DSS, MEA.

528 · MCQ · medium

A financial services company is migrating its core banking system to a public cloud to improve scalability and reduce costs. The project is high-risk due to regulatory compliance requirements (e.g., data residency, audit trails). The IT governance committee has reviewed the project plan and finds that the risk assessment is incomplete – it does not address the potential impact of a cloud provider outage on critical transactions. The committee must approve the project or request changes. The project manager argues that the cloud provider's SLA guarantees 99.99% uptime and that additional controls would delay the project. What should the governance committee do?

A. Reject the project and require the system to remain on-premises.
B. Request a revised risk assessment that includes contingency plans for provider outages.
C. Approve the project based on the provider's strong SLA.
D. Approve a pilot migration for non-critical systems first.
Answer: B

The committee must ensure all risks are identified and mitigated.

Why this answer

Option B is correct because the committee's duty is to ensure risks are adequately addressed; requiring a comprehensive risk assessment and contingency plans is necessary. Option A is wrong because committees should not bypass governance processes. Option C is wrong because SLAs do not cover all risks (e.g., data residency).

Option D is wrong because a pilot does not address the missing assessment.

529 · MCQ · hard

An organization is considering acquiring a commercial off-the-shelf (COTS) ERP system. Which of the following risks is most effectively mitigated by including a contractual clause for audit rights?

A. Incompatibility with existing infrastructure
B. Inadequate vendor security controls
C. Vendor lock-in due to proprietary data formats
D. Cost overruns from customization
Answer: B

Audit rights enable the organization to assess the vendor's security posture and ensure controls are adequate.

Why this answer

Audit rights allow the organization to verify that the vendor's controls are operating effectively. This directly addresses the risk of inadequate vendor security controls, which could expose the organization to data breaches or compliance violations.

530 · MCQ · easy

An organization wants to protect its intellectual property from unauthorized disclosure via email. Which control should be implemented?

A. Encrypt all outgoing emails.
B. Implement a data loss prevention (DLP) system.
C. Disable email altogether.
D. Require employees to sign non-disclosure agreements.
Answer: B

Correct. DLP can inspect content and block unauthorized transmission of sensitive data.

Why this answer

A DLP system is the correct control because it can inspect email content and attachments in real time, applying policies to block or quarantine unauthorized disclosures of intellectual property. Unlike encryption, which only protects data in transit but does not prevent an authorized user from sending sensitive information, DLP provides content-aware enforcement at the point of transmission.

Exam trap

The trap here is confusing encryption (which protects data in transit) with data loss prevention (which controls what data can leave the organization), leading candidates to choose encryption as a catch-all security measure.

How to eliminate wrong answers

Option A is wrong because encrypting all outgoing emails protects the confidentiality of the message in transit but does not prevent an authorized user from sending intellectual property to an unauthorized recipient; encryption alone lacks content inspection and policy enforcement. Option C is wrong because disabling email altogether is an extreme operational disruption that eliminates a critical business communication channel, and it does not address other vectors like file uploads or messaging apps. Option D is wrong because requiring employees to sign non-disclosure agreements is an administrative control that relies on user compliance and provides no technical enforcement to stop unauthorized email disclosures.

531 · MCQ · hard

Based on the exhibit, which control is most likely missing to prevent this type of event?

A. Applying the latest security patches to the SSH service
B. Implementing account lockout after three failed attempts
C. Disabling direct root login via SSH
D. Enforcing strong password complexity
Answer: B

Account lockout directly mitigates brute-force attacks by blocking further attempts.

Why this answer

The exhibit describes a brute-force attack against an SSH service, where an attacker repeatedly attempts to guess credentials. Implementing account lockout after three failed attempts is the most direct control to prevent this type of event, as it halts further login attempts after a threshold, stopping the attack in its tracks regardless of password strength or patching.

Exam trap

The trap here is that candidates often choose 'Disabling direct root login via SSH' (Option C) because it is a well-known security best practice, but it does not prevent brute-force attacks against other user accounts, whereas account lockout directly stops the attack mechanism.

How to eliminate wrong answers

Option A is wrong because applying the latest security patches to the SSH service addresses vulnerabilities in the SSH protocol or implementation, but does not prevent brute-force attacks that exploit weak or guessed credentials. Option C is wrong because disabling direct root login via SSH reduces the attack surface by requiring a non-root account first, but it does not prevent brute-force attacks against any user account; the attacker can still target other usernames. Option D is wrong because enforcing strong password complexity makes passwords harder to guess, but it does not stop an attacker from making unlimited attempts; a brute-force attack can still succeed over time if no lockout mechanism is in place.

532 · MCQ · medium

During a post-implementation review of a new customer relationship management (CRM) system, the IS auditor finds that the system is processing transactions slower than anticipated. What is the BEST initial course of action for the auditor?

A. Recommend immediate performance tuning to resolve the issue
B. Report the issue to senior management immediately
C. Conduct a load test to identify bottlenecks
D. Compare actual performance to the performance criteria in the business case
Answer: D

This is the standard approach for a post-implementation review.

Why this answer

The auditor should first verify actual performance against the criteria defined in the business case to determine if objectives were met.

533 · MCQ · medium

An IT manager is reviewing the access control model for a financial application. The policy requires that no single person can approve a transaction. Which access control principle does this policy enforce?

A. Least privilege
B. Separation of duties
C. Mandatory access control
D. Need to know
Answer: B

Separation of duties requires multiple people to complete sensitive tasks.

Why this answer

The policy that no single person can approve a transaction enforces the separation of duties (SoD) principle. In financial applications, SoD requires that critical tasks, such as initiating and approving a transaction, be divided among multiple individuals to prevent fraud or error. This control ensures that no single user has the authority to complete a high-risk action alone, directly aligning with the requirement stated.

Exam trap

The trap here is that candidates confuse separation of duties with least privilege, but least privilege focuses on limiting permissions to the minimum needed, whereas separation of duties specifically requires dividing critical tasks among multiple users to prevent fraud or error.

How to eliminate wrong answers

Option A is wrong because least privilege restricts user permissions to the minimum necessary for their job function, but it does not inherently prevent a single user from approving a transaction if that approval is within their role. Option C is wrong because mandatory access control (MAC) enforces system-wide policies based on labels and clearances, not the division of task responsibilities among multiple users. Option D is wrong because need to know limits access to information required for a specific task, but it does not address the requirement that no single person can approve a transaction, which is a process control, not an information access restriction.

534 · MCQ · hard

An organization has recently implemented a cloud-based identity provider (IdP) for single sign-on (SSO) across all SaaS applications. Users authenticate using their corporate credentials via SAML 2.0. After a week, the IT security team notices a significant increase in failed login attempts from various IP addresses targeting a specific user account. The helpdesk reports that the user, a senior executive, has not complained about any issues. The security team investigates and finds that the account lockout policy is set to 5 failed attempts within 15 minutes, after which the account is locked for 30 minutes. The failed attempts are occurring in bursts of 4, then stopping, then resuming from different IPs. The organization uses conditional access policies that require MFA from unknown locations. However, the failed attempts appear to be stopped at the authentication prompt and never reach the MFA stage. What is the most likely explanation and the best course of action?

A. The user's credentials have been compromised, and the attacker is testing them across the IdP. The organization should immediately force a password reset for the user and enable MFA for all users.
B. A misconfiguration in the IdP allows pre-authentication enumeration. The organization should disable account lockout and implement rate limiting at the application proxy.
C. The attacker is performing a password spraying attack, attempting to guess the password for that specific account. The organization should implement a CAPTCHA requirement after a few failed attempts.
D. The IdP is experiencing integration issues with the AD domain controller, causing authentication failures that are logged as failed attempts. The organization should check the synchronization status and network connectivity.
Answer: C

The burst pattern with IP rotation is classic password spraying. CAPTCHA or progressive delay will effectively slow automated attacks.

Why this answer

Option C is correct because the attack pattern—bursts of exactly 4 failed attempts (just below the lockout threshold of 5) from different IPs, then stopping—is a textbook password spraying attack. The attacker is trying commonly used passwords against a high-value account (senior executive) while deliberately avoiding account lockout to remain undetected. Since the attempts stop at the SAML authentication prompt and never reach MFA, the attacker is testing passwords against the IdP's SAML endpoint, which validates credentials before triggering conditional access policies.

Exam trap

The trap here is that candidates confuse a password spraying attack with a credential stuffing attack (Option A) or assume that any burst of failed attempts indicates a misconfiguration (Option B), when the key clue is the attacker deliberately staying below the lockout threshold to avoid detection.

How to eliminate wrong answers

Option A is wrong because the attacker is not testing already compromised credentials; they are attempting to guess the password, and forcing a password reset for only that user does not address the systematic guessing technique. Option B is wrong because pre-authentication enumeration would allow an attacker to determine valid usernames, but here the attacker already knows the specific user account and is targeting it with password guesses; disabling account lockout would remove the only protection against brute force. Option D is wrong because integration issues with AD would typically cause consistent failures for all users or show error patterns (e.g., timeouts, sync errors), not precise bursts of 4 attempts from varied IPs targeting a single executive account.

535 · MCQ · easy

Based on the exhibit, what is the MOST appropriate action for IT management?

A. Investigate the reasons for the shortfall and implement corrective actions.
B. Ignore the variance as it is within acceptable range.
C. Adjust the target to 80% to match actual performance.
D. Replace the survey with a different measurement tool.
Answer: A

A gap between actual and target should be analyzed and addressed.

Why this answer

Option A is correct because the actual score (82%) is below the target (85%), so IT management should investigate and take corrective action. Option C (lowering the target) is not appropriate without analysis. Option D (replacing the survey) is premature.

Option B (ignoring the variance) is not acceptable because the score is below target.

536 · MCQ · easy

An IS auditor is assessing the effectiveness of network segmentation for a payment card processing environment. Which of the following is the PRIMARY benefit of network segmentation in meeting PCI DSS requirements?

A. Reduced scope of the PCI DSS assessment
B. Improved network performance
C. Elimination of the need for firewalls
D. Simplified patch management
Answer: A

Segmentation allows the cardholder data environment to be isolated, reducing the number of systems that must be compliant.

Why this answer

Network segmentation reduces the scope of the PCI DSS assessment by isolating the cardholder data environment from other networks, so only systems that handle card data need to comply with PCI DSS.

537 · Multi-Select · easy

Which TWO of the following are characteristics of the iterative SDLC model?

Select 2 answers
A. The final product is delivered only at the end of the project
B. User feedback is incorporated after each iteration
C. Requirements are defined in detail at the start of the project
D. The system is developed and refined through multiple cycles
E. Risk analysis is performed only at the beginning
Answers: B, D

Feedback drives improvements.

Why this answer

Iterative models develop systems through repeated cycles (iterations) that incorporate user feedback, unlike waterfall where requirements are fixed upfront.

538 · MCQ · medium

A hospital is implementing a new electronic health record (EHR) system. The project team includes clinicians and IT staff. During integration testing, the system fails to exchange lab results with the existing legacy system due to format mismatches. The IT team suggests developing a custom interface. The clinical team is concerned that any custom solution may not comply with health data privacy regulations. The project sponsor pressures the team to quickly fix the issue to avoid delays. The IS auditor is reviewing this situation. What is the MOST appropriate action for the auditor to recommend?

A. Conduct a privacy impact assessment on the custom interface and ensure controls are in place before deployment.
B. Proceed with the custom interface to meet the project deadline.
C. Reject the custom interface and delay the project until a standard solution is found.
D. Replace the legacy system with a new one that is compatible.
Answer: A

Balances speed with compliance.

Why this answer

The custom interface introduces a new data exchange path between the EHR and legacy system. Without a privacy impact assessment (PIA), the auditor cannot verify that the interface will enforce encryption, access controls, and audit logging required by HIPAA or similar regulations. A PIA identifies risks like unauthorized disclosure of protected health information (PHI) during format translation, ensuring controls are implemented before deployment.

This aligns with the IS auditor's role to safeguard data privacy, not just meet deadlines.

Exam trap

The trap here is that candidates may prioritize speed (Option B) or absolute standardization (Option C) over the auditor's core responsibility to assess and mitigate privacy risks before any new data processing component goes live.

How to eliminate wrong answers

Option B is wrong because proceeding without assessing privacy risks violates the auditor's duty to ensure compliance with health data privacy regulations (e.g., HIPAA), and a rushed custom interface may introduce vulnerabilities like unencrypted PHI in transit. Option C is wrong because rejecting the custom interface outright is overly rigid; a properly assessed and controlled custom interface can be compliant, and delaying the project unnecessarily ignores a viable solution. Option D is wrong because replacing the entire legacy system is disproportionate, costly, and introduces far greater project risk and disruption than addressing the format mismatch with a controlled interface.

539 · MCQ · medium

An IS auditor is reviewing the vulnerability management program. The auditor notes that a critical vulnerability was identified in a production system six months ago and has not been patched due to a business impact assessment. Which of the following should the auditor examine NEXT?

A. The technical details of the vulnerability
B. The patch deployment schedule for the next quarter
C. Whether a formal risk acceptance and compensating controls are in place
D. The vendor's patch release notes
Answer: C

If the organization decided not to patch, there should be documented risk acceptance and compensating controls.

Why this answer

The auditor should verify that the risk acceptance is formally documented and approved by the appropriate management, including compensating controls, to ensure the risk is managed.

540 · Multi-Select · easy

Which TWO of the following are essential components of a business case for a new system?

Select 2 answers
A. Implementation schedule.
B. Detailed system architecture.
C. Alignment with business strategy.
D. Risk assessment for all identified risks.
E. Cost-benefit analysis.
Answers: C, E

Ensures project supports organizational goals.

Why this answer

A business case must justify the investment in a new system by demonstrating how it supports the organization's strategic goals and provides net financial benefit. Alignment with business strategy (C) ensures the system directly enables key objectives, while cost-benefit analysis (E) quantifies the expected return on investment, making both essential for approval.

Exam trap

The trap here is that candidates confuse project management deliverables (like schedules and detailed architectures) with the strategic and financial justification required in a business case, leading them to select implementation schedule or detailed system architecture instead of the correct options.

541 · MCQ · easy

An organization is developing a new customer portal. The development team wants to use an agile methodology. Which of the following is a key benefit of using agile for this project?

A. Continuous stakeholder feedback is incorporated
B. Detailed requirements are defined upfront
C. Documentation is minimized to save time
D. The entire system is delivered at once
Answer: A

Agile emphasizes ongoing collaboration.

Why this answer

Agile methodologies emphasize iterative development with continuous stakeholder feedback, which is critical for a customer portal where user needs evolve. This ensures the final product aligns with actual requirements, reducing rework and increasing satisfaction. Option A directly captures this core benefit.

Exam trap

The trap here is that candidates often confuse agile's reduced documentation overhead (Option C) as a primary benefit, but the key advantage is continuous stakeholder feedback, not just saving time on documentation.

How to eliminate wrong answers

Option B is wrong because agile deliberately avoids defining detailed requirements upfront; instead, it embraces changing requirements through the project lifecycle. Option C is wrong because while agile values working software over comprehensive documentation, it does not minimize documentation to save time—it produces just enough documentation for the team and stakeholders. Option D is wrong because agile delivers the system incrementally in small, functional releases, not all at once, enabling early value delivery and feedback.

542 · MCQ · medium

In a RACI matrix for an IT process, which role should be assigned to the person who ultimately approves the outcome and is held accountable for its success?

A. Consulted (C)
B. Responsible (R)
C. Accountable (A)
D. Informed (I)
Answer: C

Accountable is the person who is ultimately answerable and must approve the outcome.

Why this answer

Accountable (A) is the person who is ultimately answerable for the correct and thorough completion of the deliverable or task, and who must approve the work.

543 · MCQ · easy

An organization uses a chargeback model to allocate IT costs to business units. What is a PRIMARY benefit of this approach?

A. Reduces total IT costs
B. Eliminates the need for an IT steering committee
C. Simplifies IT budgeting process
D. Encourages responsible consumption of IT resources
Answer: D

Business units become cost-conscious.

Why this answer

Chargeback increases transparency and encourages business units to use IT resources efficiently.

544 · MCQ · hard

An IS auditor is reviewing firewall rule sets and discovers a rule that permits any source IP to access the internal database server on TCP port 1433 (Microsoft SQL). The rule was documented as a temporary measure but has been in place for 18 months. What is the auditor's BEST course of action?

A. Report the issue to senior management as a critical finding
B. Recommend immediate removal of the rule
C. Accept the risk as a compensating control
D. Determine if there is a business justification for the rule and, if not, recommend removal or restriction to specific IPs
Answer: D

This approach ensures that necessary access is maintained while reducing risk.

Why this answer

Overly permissive rules that are not justified create significant risk. The auditor should first confirm the business need and then recommend removal or tightening of the rule. If no valid justification exists, the rule should be removed.

545 · MCQ · medium

An IS auditor is assessing the risk of a new financial application. The auditor determines that inherent risk is high due to complex transactions, but control risk is low because of strong automated controls. If detection risk is set at 5%, what is the audit risk?

A. 8.0%
B. 0.8%
C. 1.0%
D. 5.0%
Answer: B

Audit risk = Inherent risk × Control risk × Detection risk. With inherent risk 80%, control risk 20%, detection risk 5%: 0.8 × 0.2 × 0.05 = 0.008 = 0.8%.

Why this answer

Audit risk = Inherent risk × Control risk × Detection risk. Assuming inherent risk = 80%, control risk = 20%, detection risk = 5%, audit risk = 0.8 × 0.2 × 0.05 = 0.008 = 0.8%.

546 · Multi-Select · hard

Which TWO of the following are primary objectives of a data loss prevention (DLP) strategy?

Select 2 answers
A. Encrypt all data in transit
B. Identify and classify sensitive data
C. Replace all existing security controls
D. Monitor and control data movement across endpoints
E. Ensure compliance with all regulations
Answers: B, D

Correct. Understanding what sensitive data exists is fundamental to DLP.

Why this answer

Option B is correct because identifying and classifying sensitive data is the foundational step in a DLP strategy. Without knowing where sensitive data resides (e.g., PII, PCI, IP), DLP policies cannot accurately detect or prevent unauthorized transfers. Classification enables the DLP system to apply context-aware rules, such as blocking credit card numbers in email attachments or flagging confidential documents uploaded to cloud storage.

Exam trap

The trap here is that candidates confuse DLP's primary objectives (identify, monitor, control) with supporting or adjacent activities like encryption or compliance, leading them to select options A or E instead of the core DLP functions.

547 · MCQ · medium

Which of the following is the PRIMARY purpose of performing a walkthrough during the audit planning phase?

A. To test the operating effectiveness of controls
B. To collect evidence of control failures
C. To identify process owners and key personnel
D. To gain an understanding of the process and identify control points
Answer: D

Correct; walkthroughs are used to understand process flow and controls.

Why this answer

A walkthrough helps the auditor understand the flow of transactions and identify control points, which aids in assessing control design and identifying risks.

548 · Multi-Select · hard

During a post-implementation review of a new ERP system, the IS auditor identified that the project was delivered within budget but user satisfaction scores are low. Which THREE areas should the auditor examine further?

Select 3 answers
A. Extent of integration testing performed
B. Whether all predefined user requirements were met
C. Accuracy and completeness of data migration
D. Compliance with the original project budget
E. Adequacy of user training provided
Answers: B, C, E

Unmet requirements are a direct cause of low satisfaction.

Why this answer

Low user satisfaction may stem from inadequate training, unmet requirements, or data migration issues affecting business processes. While the budget was met, these operational aspects often drive satisfaction. Integration testing completeness (Option A) is important but more technical; compliance with the original budget (Option D) has already been confirmed and is less directly tied to user satisfaction.

549 · MCQ · hard

An IS auditor is reviewing an organization's vulnerability management program. The auditor notes that a critical vulnerability in a key application has not been patched for 90 days, and there is no documented risk acceptance. What should the auditor do FIRST?

A. Report the finding as a non-compliance with the patch management policy
B. Discuss with management the absence of a risk acceptance
C. Escalate the issue to senior management immediately
D. Determine if compensating controls exist to mitigate the vulnerability
Answer: D

Compensating controls may reduce risk; the auditor should evaluate them before making a recommendation.

Why this answer

The auditor should determine if compensating controls are in place to mitigate the risk, as this information is essential to assess the residual risk.

550 · MCQ · easy

Which of the following is the PRIMARY purpose of a business impact analysis (BIA) in business continuity planning?

A. To determine the criticality of business processes and their recovery requirements
B. To create a list of emergency contacts
C. To identify the resources required for recovery
D. To document the technical recovery procedures
Answer: A

The BIA's main goal is to quantify the impact of disruptions and set RTO/RPO.

Why this answer

Option A is correct because the BIA identifies critical processes and determines the maximum allowable downtime (RTO) and data loss (RPO). Options B, C, and D are subsequent steps after the BIA.

551 · MCQ · hard

In an agile development environment, an IS auditor reviews the backlog and finds that security requirements are not explicitly included. What is the best recommendation?

A. Engage external security auditors to define requirements
B. Allocate a separate sprint dedicated solely to security
C. Perform comprehensive security testing during the final sprint
D. Include security stories in the product backlog
Answer: D

Integrating security into the backlog ensures it is addressed incrementally.

Why this answer

In agile development, security should be integrated continuously rather than treated as an afterthought. Including security stories in the product backlog ensures that security requirements are prioritized, estimated, and implemented incrementally within each sprint, aligning with the agile principle of delivering value early and often. This approach embeds security into the development lifecycle from the start, reducing technical debt and vulnerabilities.

Exam trap

The trap here is that candidates often choose a dedicated security sprint (Option B) or final testing (Option C) because they resemble traditional security review phases, but the CISA exam emphasizes integrating security into every sprint to align with agile's continuous delivery and risk management principles.

How to eliminate wrong answers

Option A is wrong because engaging external security auditors to define requirements creates a dependency on outside parties and delays security integration, contradicting agile's self-organizing team model and continuous feedback loops. Option B is wrong because allocating a separate sprint dedicated solely to security violates agile's iterative delivery principle and can lead to security being treated as a separate phase, increasing risk of integration issues and rework. Option C is wrong because performing comprehensive security testing only during the final sprint is a waterfall-like approach that misses the opportunity to detect and fix vulnerabilities early, often resulting in costly late-stage remediation and potential release delays.

552 · MCQ · hard

During an audit of a privileged access management (PAM) system, the auditor finds that privileged sessions are recorded but not reviewed. What is the primary risk?

A. Inability to detect real-time threats.
B. Increased administrative overhead.
C. Non-compliance with licensing agreements.
D. Missing evidence of malicious activity after an incident.
Answer: D

Recordings are useless without review, losing forensic value.

Why this answer

Recording privileged sessions without review means that while a log of activities exists, it is not analyzed for signs of compromise or policy violations. The primary risk is that after a security incident, the recorded sessions may be the only source of evidence to reconstruct the attack, but without prior review, the organization may fail to identify malicious activity in a timely manner or may lose critical forensic data if logs are overwritten or deleted before an incident is discovered.

Exam trap

The trap here is that candidates may confuse 'recording' with 'monitoring' and assume that recording alone provides security, but without review, the recordings are merely stored data with no active threat detection value.

How to eliminate wrong answers

Option A is wrong because real-time threats are typically detected by monitoring and alerting mechanisms (e.g., SIEM, anomaly detection), not by reviewing recorded sessions after the fact; the question states sessions are recorded but not reviewed, which does not preclude real-time detection tools. Option B is wrong because increased administrative overhead is a potential operational impact, not the primary risk; the core concern is security and forensic capability, not resource usage. Option C is wrong because non-compliance with licensing agreements is unrelated to session recording and review; licensing compliance concerns software usage rights, not security monitoring.

553
MCQhard

A security review of the above Apache configuration identifies a critical vulnerability. Which of the following is the MOST significant issue?

A.Default DocumentRoot path is used
B.Directory listing is enabled (Indexes option)
C.AllowOverride All allows .htaccess overrides
D.Require all granted permits all access
AnswerB

The Indexes option allows attackers to browse directory contents, potentially exposing sensitive files.

Why this answer

The Indexes option in Apache enables directory listing, which exposes the entire contents of a directory when no index file (e.g., index.html) is present. This can reveal sensitive files, configuration backups, or source code, making it a critical information disclosure vulnerability. Unlike other options, Indexes directly leads to unauthorized data exposure without requiring any additional conditions.

Exam trap

The trap here is that candidates often focus on access control (Require all granted) or override permissions (AllowOverride All) as the most critical issue, but the immediate and direct information disclosure from directory listing (Indexes) is typically the most severe in a standard web server configuration.

How to eliminate wrong answers

Option A is wrong because using the default DocumentRoot path (e.g., /var/www/html) is a common configuration and not inherently a vulnerability; it only becomes a risk if combined with other misconfigurations. Option C is wrong because AllowOverride All allows .htaccess overrides, which can be a security concern if not properly managed, but it is not as immediately exploitable as directory listing and can be mitigated with proper .htaccess controls. Option D is wrong because 'Require all granted' permits all access, but this is often the intended default for public web content; the vulnerability arises only when combined with other issues like Indexes or weak authentication, and by itself it does not directly expose directory contents.
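The exhibit for this question is not reproduced above, so the following is an added example rather than the page's configuration: a small Python audit script that parses a constructed Apache `<Directory>` block, flags `Options Indexes` (directory listing) as the high-severity finding and `AllowOverride All` as a secondary one, and shows the hardened form (`Options -Indexes`, `AllowOverride None`) producing no findings. The config text, paths and function names are all assumptions made for illustration.

```python
"""Audit constructed Apache <Directory> blocks for directory listing and
over-broad .htaccess overrides.  Added example, not from the original page;
the configuration snippets are made up for illustration."""
import re

# Constructed: the weak shape the question describes.
WEAK_CONF = """
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
"""

# Constructed: the same block with listing disabled and overrides locked down.
HARDENED_CONF = """
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
"""

_DIR_RE = re.compile(r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>', re.S | re.I)


def parse_directories(conf: str) -> dict:
    """Return {path: {directive: value}} for every <Directory> block."""
    blocks = {}
    for m in _DIR_RE.finditer(conf):
        path, body = m.group(1), m.group(2)
        directives = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(" ")
            directives[name] = value.strip()
        blocks[path] = directives
    return blocks


def indexes_enabled(options_value: str) -> bool:
    """True when the Options value turns directory listing on.

    Apache accepts an absolute list ("Indexes FollowSymLinks") or a relative
    one ("-Indexes +FollowSymLinks"); only a bare or "+Indexes" token enables
    listing, and "All" implies Indexes.  "-Indexes" never does.
    """
    return any(tok in ("Indexes", "+Indexes", "All", "+All")
               for tok in options_value.split())


def audit(conf: str) -> list:
    """Return (path, finding) tuples, most severe first per directory."""
    findings = []
    for path, d in parse_directories(conf).items():
        if indexes_enabled(d.get("Options", "")):
            findings.append((path, "HIGH: directory listing enabled (Options Indexes)"))
        if d.get("AllowOverride", "None").lower() == "all":
            findings.append((path, "MEDIUM: AllowOverride All lets .htaccess alter server behaviour"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "no findings")
```

Listing is only rendered when the requested directory has no `DirectoryIndex` file, which is exactly why backup and scratch directories under the document root are the usual victims; the check is on the directive rather than on the presence of an index file because the latter can change after the review.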

554
MCQeasy

An organization uses the access list above on its perimeter firewall. Which of the following is a valid conclusion?

A.All HTTP traffic from the 192.168.2.0 subnet is allowed.
B.All HTTPS traffic from the 192.168.1.0 subnet is allowed.
C.All traffic from the 192.168.2.0 subnet is allowed.
D.All traffic from the Internet to internal hosts is denied.
E.All traffic from 192.168.1.0 subnet is allowed on any port.
F.All traffic from the Internet is denied.
G.The ACL allows SSH traffic from 192.168.1.0 subnet.
AnswerB

Line 10 permits TCP on port 443 from that subnet.

Why this answer

Option B is correct because the access list permits TCP traffic from source network 192.168.1.0/24 to destination port 443 (HTTPS). The permit statement with eq 443 explicitly allows HTTPS from that subnet, and no earlier entry denies it; because the first matching entry wins, the permit takes effect.

Exam trap

ISACA often tests the implicit deny all rule, where candidates mistakenly assume that traffic not explicitly permitted is allowed, when in fact it is denied by default.

How to eliminate wrong answers

Option A is wrong because the list contains no permit statement for TCP port 80 (HTTP); HTTP traffic from the 192.168.2.0 subnet falls through to the implicit deny at the end. Option C is wrong because an access list permits only traffic that matches an explicit permit entry; anything from the 192.168.2.0 subnet that does not match one is dropped by the implicit deny, so "all traffic" cannot be allowed. Option D is wrong because the list shown contains only permit entries for internal source subnets; whether it is ever applied to traffic arriving from the Internet depends on the interface and direction it is bound to, which the question does not state, so no conclusion about inbound traffic can be drawn from the list alone.

Option E is wrong because only TCP port 443 from 192.168.1.0 is permitted; every other port from that subnet is caught by the implicit deny. Option F (all traffic from the Internet is denied) is wrong for the same reason as Option D: the implicit deny only drops traffic that reaches the end of this list without matching, and the list does not show whether Internet-sourced traffic is evaluated against it at all. Option G (SSH from 192.168.1.0) is wrong because there is no permit for TCP port 22, so SSH from that subnet would hit the implicit deny.

555
MCQeasy

During an agile software development project, which of the following events provides the best opportunity for the IS auditor to assess the effectiveness of controls implemented in the current sprint?

A.Sprint planning meeting
B.Sprint review
C.Daily standup meeting
D.Sprint retrospective
AnswerB

The sprint review allows the auditor to see working functionality and verify controls.

Why this answer

The sprint review is a demonstration of working software where controls can be observed. The retrospective is about process improvement, not control assessment.

556
MCQmedium

An organization is migrating sensitive customer data to a public cloud. Which of the following encryption strategies provides the STRONGEST protection against data exposure to the cloud provider?

A.Use transport layer security (TLS) for data in transit
B.Implement client-side encryption with keys managed on-premises
C.Encrypt data at rest using server-side encryption with AES-256
D.Enable the cloud provider's key management service
AnswerB

Client-side encryption ensures data is encrypted before leaving the premises, and the cloud provider never has access to plaintext or keys.

Why this answer

Client-side encryption with keys managed on-premises ensures that the cloud provider never has access to the encryption keys or the plaintext data. Even if the cloud provider's infrastructure is compromised or they have administrative access, the data remains encrypted and unreadable. This provides the strongest protection because the cloud provider is excluded from the cryptographic trust boundary.

Exam trap

The trap here is that candidates often confuse 'encryption at rest' or 'TLS' with full data protection, failing to realize that these methods still allow the cloud provider to access plaintext data either during processing or through key management access.

How to eliminate wrong answers

Option A is wrong because TLS only protects data in transit between the client and the cloud provider; once the data reaches the provider's servers it is decrypted and stored in plaintext, leaving it exposed to the provider. Option C is wrong because server-side encryption with AES-256 means the provider performs the encryption and holds (or can retrieve) the keys, so the provider can decrypt the data at rest; the algorithm strength is irrelevant when the key holder is the party you are protecting against. Option D is wrong because keys created and held in the provider's key management service remain inside the provider's trust boundary, so the provider, or anyone who compels it, can use them to decrypt the data.

557
MCQhard

Refer to the exhibit. An administrator applied this ACL to a VLAN interface. The server at 10.0.0.100 hosts a web application. What is the effect of this ACL?

A.Allows HTTPS, but HTTP is allowed as well due to the permit ip any any
B.Allows HTTPS, blocks HTTP, and blocks all other traffic
C.Blocks both HTTP and HTTPS
D.Only allows HTTP and blocks HTTPS
AnswerA

HTTP is caught by the catch-all permit ip any any; any deny placed after it is never reached.

Why this answer

The ACL shown permits HTTPS (TCP port 443) from any source to the server at 10.0.0.100 and then contains a 'permit ip any any' statement. ACLs are processed top-down and the first matching entry wins: HTTPS matches the first line and is permitted, while HTTP (TCP port 80) matches no earlier, more specific entry, so it falls to 'permit ip any any' and is permitted as well. Anything placed after a catch-all permit, including any deny, is unreachable. Thus both HTTP and HTTPS are allowed, making option A correct.

Exam trap

The trap here is that candidates often overlook the 'permit ip any any' at the end of the ACL and incorrectly assume that only the explicitly permitted HTTPS traffic is allowed, missing that this catch-all statement permits all other traffic, including HTTP.

How to eliminate wrong answers

Option B is wrong because it claims HTTP is blocked, but the 'permit ip any any' permits all traffic not matched by an earlier entry, including HTTP, and a deny that follows it has no effect. Option C is wrong because it states both HTTP and HTTPS are blocked, but the ACL explicitly permits HTTPS and the 'permit ip any any' permits HTTP. Option D is wrong because it says only HTTP is allowed and HTTPS is blocked, but the ACL explicitly permits HTTPS and the catch-all permits HTTP as well, so both are allowed.
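Neither exhibit for questions 554 and 557 is reproduced above, so the following is an added example, not the page's ACLs: a minimal Python evaluator for Cisco-style extended ACL lines that applies top-down first-match semantics with the implicit deny at the end, and a shadow check that reports entries placed after a catch-all 'permit ip any any' (or 'deny ip any any') because they can never match. The two ACLs are constructed to mirror the shape each question describes (a single HTTPS permit for 554; an HTTPS permit, a catch-all permit and a trailing HTTP deny for 557); addresses and function names are assumptions.

```python
"""First-match evaluator for Cisco-style extended ACL entries.
Added example, not from the page or any vendor; the ACLs below are
constructed to mirror questions 554 and 557, not the missing exhibits."""
import ipaddress

# Constructed: only HTTPS from 192.168.1.0/24 is permitted; everything else
# reaches the end of the list and is dropped by the implicit deny.
ACL_554 = [
    "permit tcp 192.168.1.0 0.0.0.255 any eq 443",
]

# Constructed: the catch-all sits before a deny, so the deny is unreachable.
ACL_557 = [
    "permit tcp any host 10.0.0.100 eq 443",
    "permit ip any any",
    "deny tcp any host 10.0.0.100 eq 80",
]


def _parse_addr(tokens, i):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # Wildcard mask is the inverse of a netmask; assume it is contiguous.
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    prefixlen = 32 - wildcard.bit_length()
    return ipaddress.ip_network(f"{tokens[i]}/{prefixlen}", strict=False), i + 2


def parse_ace(line):
    """Turn 'permit tcp SRC DST [eq PORT]' into a dict."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, i = _parse_addr(tokens, 2)
    dst, i = _parse_addr(tokens, i)
    dport = None
    if i + 1 < len(tokens) and tokens[i] == "eq":
        dport = int(tokens[i + 1])
    return {"action": action, "proto": proto, "src": src,
            "dst": dst, "dport": dport, "text": line}


def matches(ace, proto, src, dst, dport):
    """'ip' matches every protocol; a missing 'eq' matches every port."""
    if ace["proto"] != "ip" and ace["proto"] != proto:
        return False
    if ipaddress.ip_address(src) not in ace["src"]:
        return False
    if ipaddress.ip_address(dst) not in ace["dst"]:
        return False
    if ace["dport"] is not None and ace["dport"] != dport:
        return False
    return True


def evaluate(acl, proto, src, dst, dport=None):
    """Top-down, first match wins; no match means the implicit deny."""
    for ace in map(parse_ace, acl):
        if matches(ace, proto, src, dst, dport):
            return ace["action"], ace["text"]
    return "deny", "implicit deny (end of list)"


def shadowed(acl):
    """Entries after a catch-all 'ip any any' line, which can never match."""
    out, seen_catch_all = [], False
    for line in acl:
        ace = parse_ace(line)
        if seen_catch_all:
            out.append(line)
        elif (ace["proto"] == "ip" and ace["src"].prefixlen == 0
              and ace["dst"].prefixlen == 0 and ace["dport"] is None):
            seen_catch_all = True
    return out


if __name__ == "__main__":
    print("554 HTTPS:", evaluate(ACL_554, "tcp", "192.168.1.10", "203.0.113.5", 443))
    print("554 SSH:  ", evaluate(ACL_554, "tcp", "192.168.1.10", "203.0.113.5", 22))
    print("557 HTTP: ", evaluate(ACL_557, "tcp", "10.1.1.5", "10.0.0.100", 80))
    print("557 shadowed:", shadowed(ACL_557))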

558
MCQhard

An organization's IT strategy is not aligned with business strategy due to lack of communication. Which of the following would BEST improve alignment?

A.Business-IT strategy mapping workshops
B.Weekly IT status reports
C.Outsourcing non-core IT functions
D.IT budget increase
AnswerA

Workshops enable joint development of aligned strategies.

Why this answer

Business-IT strategy mapping workshops facilitate direct communication and collaboration, ensuring both sides understand and agree on priorities. Status reports, budget increases, or outsourcing do not address the communication gap.

559
MCQeasy

An organization performs daily full backups of its critical database. The recovery time objective (RTO) is 4 hours. During a disaster, it takes 6 hours to restore the database. What is the most likely cause?

A.Offsite storage location is too far.
B.The backup type (full) is insufficient.
C.Recovery procedures are not tested against the RTO.
D.Backup retention period is too short.
AnswerC

Testing should validate that restore meets the RTO.

Why this answer

If the restore takes longer than the RTO, the backup and recovery process does not meet the required timeline. This could be due to inadequate infrastructure or testing.

560
MCQhard

During an audit of privacy controls, the IS auditor discovers that the organization processes personal data of EU residents but has not appointed a Data Protection Officer (DPO). Which regulation is MOST likely being violated?

A.PCI DSS
B.SOX
C.HIPAA
D.GDPR
AnswerD

GDPR mandates a DPO under certain conditions, which likely apply here.

Why this answer

GDPR (Article 37) makes a DPO mandatory for public authorities, for organizations whose core activities involve large-scale regular and systematic monitoring of data subjects, and for those whose core activities involve large-scale processing of special categories of data or criminal conviction data. The other regulations have no DPO requirement.

561
MCQmedium

During a vendor evaluation for a critical system, the IS auditor notes that the vendor's SOC 2 report includes an adverse opinion. What should be the auditor's PRIMARY recommendation?

A.Negotiate a lower price to offset the risk
B.Evaluate compensating controls or seek an alternative vendor
C.Accept the risk because the vendor is well-known
D.Request a customized SOC 2 report
AnswerB

Compensating controls may reduce the risk; if they cannot, an alternative vendor is the safer choice.

Why this answer

An adverse SOC 2 opinion indicates material weaknesses in controls; the organization should seek compensating controls or consider alternative vendors.

562
MCQmedium

An organization is implementing a backup strategy for its critical database. The database is updated continuously during business hours, and the recovery point objective (RPO) is 15 minutes. Which backup method should be used to meet the RPO while minimizing backup storage and performance impact?

A.Perform full backups every 24 hours
B.Implement synchronous replication to a standby server
C.Perform incremental backups with transaction log backups every 15 minutes
D.Perform differential backups every 6 hours
AnswerC

Transaction log backups enable point-in-time recovery to within 15 minutes, meeting the RPO, while incremental backups reduce storage and performance overhead.

Why this answer

Incremental backups capture the changes since the previous backup, and transaction log backups every 15 minutes capture the committed transactions since the last log backup, so the database can be rolled forward (last full, then incrementals, then the log chain) to within 15 minutes of the failure, meeting the RPO. This minimizes storage by backing up only changes, and log backups are lightweight enough to run on a short schedule without the constant I/O overhead of continuous replication.

Exam trap

The trap here is that candidates treat synchronous replication (Option B) as a backup. It is a high-availability mechanism: it keeps a second live copy with near-zero data loss for a server or site failure, but it is not a backup, because corruption and erroneous deletions are replicated immediately and there is no retained history to restore to, and its synchronous commits add latency on the primary, which contradicts the requirement to minimize performance impact. Transaction log backups are the granular backup technique for low RPOs.

How to eliminate wrong answers

Option A is wrong because full backups every 24 hours can only restore to the point of the last full backup, which could mean up to 24 hours of data loss, far exceeding the 15-minute RPO. Option B is wrong because synchronous replication makes the primary wait for the standby to acknowledge every commit, adding latency and load on the primary database, and because a replica is not a backup: corruption or an erroneous delete reaches the standby instantly, and there is no retained history to recover to an earlier point in time without separate log backups. Option D is wrong because differential backups capture all changes since the last full backup, so if they run every 6 hours the maximum data loss is up to 6 hours, which exceeds the 15-minute RPO; differentials also do not provide the granularity needed for sub-hour recovery.

563
Multi-Selectmedium

Which TWO of the following are guiding principles of ITIL 4? (Select TWO)

Select 2 answers
A.Progress iteratively with feedback
B.Automate everything
C.Focus on value
D.Standardize services
E.Centralize decision making
AnswersA, C

Progress iteratively with feedback is an ITIL 4 guiding principle.

Why this answer

ITIL 4 has seven guiding principles. 'Focus on value' and 'Progress iteratively with feedback' are two of them. 'Centralize decision making' and 'Standardize services' are not ITIL 4 principles, and 'Automate everything' is a distortion of the actual principle 'Optimize and automate', which calls for optimizing a process before automating it rather than automating indiscriminately.

564
MCQhard

During the fieldwork phase, an IS auditor discovers that a control is not operating as designed. The auditor reperforms the control and finds that it is effective. Which of the following conclusions is MOST appropriate?

A.The control is operating effectively based on the re-performance.
B.The control design is adequate but implementation is weak.
C.The re-performance is not sufficient; additional testing is required.
D.The control is not operating effectively because the design was not followed.
AnswerA

Correct; the re-performance provides direct evidence of effectiveness.

Why this answer

If the auditor's independent re-performance shows the control is effective, the control is operating effectively, despite the initial indication of a deviation.

565
Multi-Selectmedium

Which THREE of the following are commonly accepted practices for securing mobile devices in an enterprise environment?

Select 3 answers
A.Install antivirus on all devices
B.Use containerization for corporate data
C.Enable remote wipe capability
D.Disable all third-party apps
E.Require complex passwords
AnswersB, C, E

Correct. Containerization separates corporate and personal data, enabling selective controls.

Why this answer

Containerization (Option B) is a commonly accepted practice for securing mobile devices in an enterprise environment because it creates a separate, encrypted workspace on the device that isolates corporate data and applications from personal data. This approach, often implemented through Mobile Device Management (MDM) or Enterprise Mobility Management (EMM) solutions, uses technologies like sandboxing and per-container encryption (e.g., AES-256) to prevent data leakage between the corporate and personal environments. It allows the enterprise to enforce security policies (e.g., remote wipe of only the container) without compromising the user's personal privacy, which is a key requirement for BYOD (Bring Your Own Device) programs.

Exam trap

The trap here is that candidates often confuse 'best practice' with 'maximum security' and incorrectly select Option D (disable all third-party apps) as a valid control, failing to recognize that enterprise security requires balancing usability with risk management, and that containerization is the standard approach for BYOD environments.

566
MCQhard

A multinational corporation operates in a highly regulated industry. The IT governance framework includes a risk appetite statement approved by the board. Recently, the company suffered a significant data breach due to an unpatched vulnerability that had been identified three months earlier. The IT audit found that the vulnerability was reported to the IT department but was not prioritized for remediation because it was deemed low risk by the IT operations team. The incident response plan was not activated because the breach was not initially detected. The board wants to strengthen governance to prevent recurrence. The most effective course of action for the auditor to recommend is:

A.Deploying an intrusion detection system to identify breaches sooner
B.Establishing a formal vulnerability management policy that requires risk-based prioritization in accordance with the risk appetite and escalation to the IT risk committee for decisions outside tolerance
C.Disciplining the IT operations team for not escalating the vulnerability
D.Implementing a more robust patch management system with automated patching
AnswerB

This embeds risk governance into the vulnerability management process, ensuring alignment with board-approved risk appetite.

Why this answer

Option B is correct because integrating vulnerability management with risk governance ensures that risk decisions are made according to the board-approved risk appetite, with out-of-tolerance cases escalated to the IT risk committee rather than decided solely by IT operations. Option A addresses incident detection but not the governance gap that let a known vulnerability sit unremediated. Option D is too narrow: a better patching tool does not fix a prioritization decision made against the wrong risk criteria.

Option C is reactive and punitive; it does not prevent future occurrences.

567
MCQmedium

An organization is implementing a new identity management system. Which testing approach is MOST effective for verifying access controls?

A.Regression testing
B.Unit testing
C.User acceptance testing including role-based test cases
D.System integration testing
AnswerC

Role-based UAT scenarios simulate real user tasks and validate that access controls are correctly implemented.

Why this answer

User acceptance testing (UAT) with role-based test cases is the most effective approach because it directly validates that the identity management system enforces the correct access controls for each user role in real-world scenarios. Unlike lower-level tests, UAT involves actual users executing role-specific transactions to confirm that permissions, segregation of duties, and policy rules are properly implemented. This ensures that the system behaves as intended from an end-user and auditor perspective, which is critical for compliance and security.

Exam trap

The trap here is that candidates confuse 'system integration testing' with 'user acceptance testing' and assume that verifying system-to-system communication is sufficient to validate access controls, when in fact only role-based UAT confirms that the correct policies are enforced for actual users.

How to eliminate wrong answers

Option A is wrong because regression testing focuses on verifying that existing functionality still works after changes, not on validating the correctness of new access control rules. Option B is wrong because unit testing examines individual components or code modules in isolation, which cannot verify role-based permissions or end-to-end access control enforcement. Option D is wrong because system integration testing checks the interaction between systems (e.g., SSO with LDAP or SAML) but does not specifically validate that role-based access policies are correctly applied to user actions.

568
MCQmedium

An organization is considering whether to build a custom application or purchase a commercial off-the-shelf (COTS) product. Which of the following factors is MOST important when deciding to build rather than buy?

A.Reduced need for ongoing maintenance
B.Faster time to market
C.Lower initial cost
D.Need for highly specialized functionality not available in the market
AnswerD

Unique requirements may justify building.

Why this answer

When an organization requires highly specialized functionality that is not available in any commercial off-the-shelf (COTS) product, building a custom application becomes the only viable option. COTS products are designed for broad market needs and often lack the unique features or compliance requirements that a custom solution can provide. This factor overrides cost, time, and maintenance considerations because no amount of configuration or customization of a COTS product can meet the specific functional gap.

Exam trap

The trap here is that candidates often prioritize lower initial cost or faster time to market, failing to recognize that if the required functionality does not exist in the market, those benefits are irrelevant because the COTS product cannot fulfill the core business need.

How to eliminate wrong answers

Option A is wrong because custom applications typically require more ongoing maintenance, not less, due to the need for in-house support, updates, and bug fixes, whereas COTS products include vendor-provided maintenance and patches. Option B is wrong because building a custom application generally takes longer to develop and deploy than purchasing a ready-made COTS product, which can be implemented immediately. Option C is wrong because custom development usually has a higher initial cost due to design, coding, testing, and deployment efforts, while COTS products have a fixed license fee that is often lower than bespoke development.

569
MCQhard

A security architect is designing a data classification schema for a multinational corporation. Which combination of factors is MOST critical for determining the classification level of a data asset?

A.Data volume and storage location.
B.Data format and encryption status.
C.Data creation date and last access time.
D.Legal, regulatory, and business impact if disclosed.
AnswerD

These are the core factors in determining classification.

Why this answer

The classification level of a data asset is primarily determined by the potential harm that could result from its unauthorized disclosure, modification, or loss. Legal, regulatory, and business impact factors—such as compliance with GDPR, HIPAA, or PCI DSS—directly dictate the required confidentiality, integrity, and availability controls. Without assessing these impacts, any classification scheme would be arbitrary and fail to align with organizational risk tolerance.

Exam trap

ISACA often tests the misconception that technical attributes (like encryption or storage location) determine classification, when in reality classification is a business-driven risk decision based on the impact of disclosure.

How to eliminate wrong answers

Option A is wrong because data volume and storage location influence operational decisions (e.g., replication, latency) but do not define the sensitivity or criticality of the data itself; a single record of PII can be far more sensitive than terabytes of public data. Option B is wrong because data format and encryption status are technical controls applied after classification, not criteria for determining the classification level; encryption status can change without altering the inherent sensitivity of the data. Option C is wrong because creation date and last access time are metadata useful for lifecycle management (e.g., retention policies) but irrelevant to the intrinsic value or risk of the data asset.

570
MCQhard

An organization uses a risk-based audit approach. For a high-risk area, the auditor decides to perform 100% testing instead of sampling. Which of the following is a valid reason for this decision?

A.The population size is small and errors are critical
B.The auditor has limited time
C.The tolerable error rate is high
D.The control is automated and always effective
AnswerA

100% testing is justified for small populations with high severity risks.

Why this answer

When a high-risk area is identified and the population size is small, 100% testing is justified because the cost of missing a critical error outweighs the cost of testing every item. This approach eliminates sampling risk entirely, ensuring that all errors are detected. In audit, 100% testing is appropriate when the population is small enough to make full examination feasible and the consequences of error are severe.

Exam trap

The trap here is that candidates confuse 'high risk' with 'need for more testing' and incorrectly choose limited time or automated controls, but the key is that 100% testing is only practical and justified when the population is small and errors are critical.

How to eliminate wrong answers

Option B is wrong because limited time typically forces an auditor to use sampling, not 100% testing, as full testing requires more time. Option C is wrong because a high tolerable error rate means the auditor is willing to accept more errors, which would support sampling, not 100% testing. Option D is wrong because even if a control is automated and always effective, the auditor would rely on testing the control once or using a small sample to confirm its effectiveness, not test 100% of transactions.

571
MCQmedium

An IS auditor is planning an audit of a financial application. The auditor wants to ensure that audit effort is focused on areas with the highest risk. Which approach should the auditor adopt?

A.Substantive approach
B.Control self-assessment approach
C.Compliance-based approach
D.Risk-based audit approach
AnswerD

Correctly focuses on high-risk areas.

Why this answer

A risk-based audit approach prioritizes high-risk areas for more intensive testing, aligning with ISACA standards.

572
MCQeasy

Which of the following is a key performance indicator (KPI) for IT service management?

A.IT budget as a percentage of revenue
B.Help desk resolution time
C.Number of IT staff
D.Number of servers
AnswerB

This measures the time to resolve incidents, reflecting service quality.

Why this answer

Help desk resolution time is a common KPI for IT service management, measuring efficiency.

573
Multi-Selectmedium

An organization is implementing a new payroll system using an agile methodology. Which TWO of the following are the MOST important controls for the IS auditor to assess?

Select 2 answers
A.Comprehensive documentation of all design decisions
B.A formal change control board to approve all changes
C.A detailed project plan with all tasks upfront
D.The product backlog is prioritized and includes security requirements
E.Sprint reviews are conducted with stakeholders to demonstrate working software
AnswersD, E

This ensures requirements are managed and security is addressed.

Why this answer

In agile, the product backlog is the primary control for requirements, and sprint reviews provide stakeholder validation.

574
Multi-Selectmedium

An organization is implementing a new identity management system. Which THREE of the following are essential requirements for the system?

Select 3 answers
A.Segregation of duties enforcement.
B.Single sign-on capability.
C.Automated user provisioning.
D.Integration with Active Directory.
E.Support for biometric authentication.
AnswersA, C, D

Enforcing SoD is critical to prevent fraud.

Why this answer

Segregation of duties enforcement is essential because it ensures that no single user has excessive privileges that could lead to fraud or error. In an identity management system, this is implemented through role-based access control (RBAC) and access review workflows, preventing conflicts of interest by separating critical functions like user creation, approval, and access assignment.

Exam trap

The trap here is that candidates mistake convenience features like SSO or advanced authentication methods like biometrics as essential requirements, when the core identity management system must enforce access control, automate provisioning, and integrate with existing directory services to be functional and auditable.

575
MCQmedium

An organization outsources its IT help desk to a third-party vendor. Which clause is MOST important for the IS auditor to verify in the contract to ensure the organization can assess the vendor's controls?

A.Service level agreement (SLA) metrics
B.Subcontracting restrictions
C.Exit strategy provisions
D.Right-to-audit clause
AnswerD

Correct. This clause enables the organization to verify vendor controls.

Why this answer

A right-to-audit clause allows the organization to review the vendor's processes and controls, ensuring compliance with contractual and regulatory requirements.

576
MCQmedium

An IS auditor is reviewing the access recertification process for a financial institution. The process requires users and their managers to confirm access rights quarterly. During the review, the auditor finds that recertifications are consistently completed late, with an average delay of 45 days. Additionally, terminated employees' access is not always removed promptly, and there are no compensating controls. Which of the following is the MOST significant risk arising from these findings?

A.Increased likelihood of audit findings for non-compliance with internal policies
B.Difficulty in tracking user access history
C.Higher probability of unauthorized access to sensitive information
D.Potential loss of audit trails for access changes
AnswerC

Delayed recertification and failure to promptly remove terminated employees' access increase the risk of unauthorized access.

Why this answer

The greatest risk from delayed access recertification and late removal of terminated employees is that unauthorized users may retain access, leading to potential data breaches or fraudulent activities. While audit trails and policy violations are concerns, the primary risk is unauthorized access.

577
MCQeasy

An IT manager submits a request to change the firewall configuration during business hours. According to best practices for change management, what should be done FIRST?

A.Obtain approval from the change advisory board
B.Notify all users of the planned change
C.Assess the impact and risk of the proposed change
D.Implement the change immediately to address an urgent threat
AnswerC

Risk assessment is required before approval.

Why this answer

Option C is correct because assessing the impact and risk of the change is the first step; the change advisory board needs that assessment in order to approve anything. Option A is premature without it. Option B (user notification) follows approval and scheduling.

Option D bypasses change control; even a genuine emergency change goes through an expedited, documented emergency process rather than immediate unapproved implementation.

578
Multi-Selectmedium

An IS auditor is reviewing the organization's data inventory process for privacy compliance. Which TWO of the following are the MOST important elements that should be included in the data inventory?

Select 2 answers
A. Data elements or fields containing personal data
B. Data classification labels
C. Location of personal data storage and processing
D. Data retention periods
E. Data subject consent status
Answers: A, C

Identifying specific data fields helps in mapping and protection.

Why this answer

Data inventory must identify what personal data is held, where it is stored, and how it flows. Legal basis and retention are also important, but location and data elements are foundational.

579
Multi-Select (hard)

An IS auditor is reviewing an agile project. Which THREE of the following are controls the auditor should evaluate?

Select 3 answers
A. Sprint review
B. Burndown charts
C. Retrospective actions
D. Daily standup
E. Product backlog prioritization
Answers: A, C, E

Sprint review validates completed work with stakeholders.

Why this answer

In agile, sprint reviews, product backlog prioritization, and retrospective actions are key controls to ensure quality and continuous improvement.

580
Multi-Select (medium)

Which TWO of the following are types of statistical sampling methods? (Select TWO.)

Select 2 answers
A. Block sampling
B. Stratified sampling
C. Systematic sampling
D. Haphazard sampling
E. Judgmental sampling
Answers: B, C

Stratified sampling divides the population into subgroups.

Why this answer

Stratified sampling and systematic sampling are both statistical methods that use random selection.

581
MCQ (medium)

An organization's IT department implemented a new change management process that requires all changes to be approved by a change advisory board (CAB). A critical security patch needs to be deployed within 2 hours to address an active zero-day vulnerability. The change request was submitted but the CAB is not scheduled to meet for another 24 hours. What is the BEST course of action?

A. Deploy the patch and inform the CAB after the fact during the next meeting.
B. Wait for the next scheduled CAB meeting to approve the change.
C. Deploy the patch immediately without any approval as it is a critical security fix.
D. Use the emergency change process to obtain expedited approval from a designated CAB member.
Answer: D

An emergency change process allows swift approval for critical patches, balancing security and control.

Why this answer

Option D is correct because it aligns with the ITIL-based emergency change process, which allows for expedited approval from a designated CAB member or emergency authority when a critical security patch must be deployed within hours to mitigate an active zero-day vulnerability. This ensures the change is authorized without waiting for the full CAB meeting, maintaining security while preserving governance and audit trails.

Exam trap

The trap here is that candidates may assume any critical security patch can be deployed immediately without approval (Option C) or that informing the CAB after the fact (Option A) is acceptable, but CISA emphasizes that even emergency changes must follow a defined process with expedited approval to maintain control and accountability.

How to eliminate wrong answers

Option A is wrong because deploying the patch without prior approval violates the change management policy and could lead to unauthorized changes, lack of audit trail, and potential conflicts with other changes. Option B is wrong because waiting 24 hours for the next CAB meeting would leave the system exposed to the active zero-day vulnerability, increasing risk of exploitation. Option C is wrong because deploying without any approval bypasses all governance controls, ignoring the need for documented authorization even for emergency fixes, and could cause operational disruptions without coordination.

582
Multi-Select (hard)

Which TWO of the following are the MOST effective controls to prevent unauthorized access to a data center's server room? (Choose two.)

Select 2 answers
A. Server rack locks
B. Mantrap entry
C. CCTV monitoring
D. Visitor logbook
E. Biometric authentication on door
Answers: B, E

Mantrap prevents tailgating and unauthorized entry.

Why this answer

Options B and E are correct because mantrap entry and biometric authentication on the door are preventive physical controls. Option C is incorrect because CCTV monitoring is a detective control. Option D is incorrect because a visitor logbook is an administrative control. Option A is incorrect because server rack locks are secondary to controlling access to the room itself.

583
MCQ (easy)

Which of the following is the PRIMARY purpose of conducting a privacy impact assessment (PIA) before implementing a new system that processes personal data?

A. To document data flows for audit purposes.
B. To identify and mitigate privacy risks.
C. To obtain consent from data subjects.
D. To ensure compliance with data protection regulations.
Answer: B

PIA systematically assesses privacy risks and proposes mitigations.

Why this answer

PIA aims to identify and mitigate privacy risks early in the project lifecycle.

584
MCQ (easy)

An IS auditor is reviewing the logical access controls of an enterprise resource planning (ERP) system. The auditor finds that terminated employees' accounts are disabled but not deleted. What is the PRIMARY risk associated with this practice?

A. Disabled accounts could be re-enabled without proper authorization
B. Segregation of duties controls may be compromised
C. System performance may degrade due to accumulation of disabled accounts
D. Audit trail completeness may be affected
Answer: A

If account management is weak, re-enabling could lead to unauthorized access.

Why this answer

The primary risk of disabling rather than deleting terminated employees' accounts is that a disabled account retains its existing privileges and can be re-enabled by an attacker or insider with sufficient access (e.g., a system administrator with compromised credentials). In an ERP system, this could allow unauthorized re-activation of accounts with elevated roles, bypassing the intended termination process and leading to data theft, fraud, or system compromise.

Exam trap

ISACA often tests the misconception that 'disabled accounts are safe because they cannot log in,' but the trap here is that the account's privileges remain intact, making re-enablement the primary risk over performance or audit concerns.

How to eliminate wrong answers

Option B is wrong because segregation of duties (SoD) controls are about preventing a single user from performing conflicting functions; disabled accounts do not actively perform transactions, so SoD is not directly compromised. Option C is wrong because system performance degradation from a few thousand disabled accounts is negligible in modern ERP databases; the real risk is security, not resource consumption. Option D is wrong because audit trail completeness is not affected—disabled accounts still generate logs for access attempts, and deletion would actually remove historical audit records, whereas disabling preserves them.

585
MCQ (easy)

Which of the following is the PRIMARY purpose of an IT governance framework?

A. To ensure IT aligns with and supports business strategy
B. To ensure compliance with laws and regulations
C. To protect IT assets from cyber threats
D. To reduce IT operational costs
Answer: A

Governance frameworks focus on alignment and value delivery.

Why this answer

The primary purpose of an IT governance framework is to ensure that IT investments, strategies, and operations are aligned with and support the overall business strategy, enabling the organization to achieve its goals. This alignment is achieved through mechanisms such as strategic planning, portfolio management, and performance measurement, which are core to frameworks like COBIT 2019. Without this alignment, IT may operate in isolation, leading to wasted resources and missed business opportunities.

Exam trap

The trap here is that candidates often confuse the primary purpose of IT governance with operational or security objectives, such as compliance or cost reduction, because those are more tangible and frequently tested in other domains, but the CISA exam emphasizes that governance is fundamentally about strategic alignment and value delivery.

How to eliminate wrong answers

Option B is wrong because ensuring compliance with laws and regulations is a secondary objective of IT governance, not the primary purpose; compliance is typically addressed through specific controls and policies within the framework, but the framework's overarching goal is strategic alignment. Option C is wrong because protecting IT assets from cyber threats is a function of information security management and risk management, which are components of governance but not its primary purpose; governance focuses on direction and oversight, not operational security. Option D is wrong because reducing IT operational costs is a potential outcome of effective governance, but it is not the primary purpose; cost reduction is a tactical benefit, whereas governance is fundamentally about value creation and strategic alignment.

586
MCQ (medium)

During an SDLC audit, the IS auditor finds that security requirements were not formally documented during the requirements phase. Which of the following is the BEST recommendation to mitigate the associated risk?

A. Perform a penetration test after go-live
B. Conduct a vulnerability scan after deployment to identify security gaps
C. Implement a firewall and intrusion detection system
D. Include security requirements in the design phase and obtain sign-off
Answer: D

Adding security requirements during design is better than later, but ideally they should be in requirements. However, this is the best option given the context.

Why this answer

Security requirements should be defined early to ensure controls are designed in, not bolted on. The best practice is to include security requirements in the requirements phase and have them reviewed by security experts.

587
Multi-Select (hard)

An organization is developing a business continuity strategy. Which THREE of the following are essential components of a comprehensive BC strategy?

Select 3 answers
A. Alternate facilities
B. Data backup and technology recovery
C. Software licensing compliance
D. Vendor audit reports
E. People procedures and communication
Answers: A, B, E

Alternate facilities provide a place to operate.

Why this answer

People procedures, alternate facilities, and data/technology recovery are core to BC.

588
MCQ (medium)

Which of the following is the most reliable form of audit evidence?

A. Re-performance of a control by the auditor
B. Inquiry of management about a control
C. Observation of a control being performed
D. Inspection of signed approval forms
Answer: A

Re-performance provides direct, objective evidence.

Why this answer

Re-performance is the most reliable because the auditor independently performs the control, obtaining direct evidence. Observation is less reliable because the auditor may influence behavior.

589
Multi-Select (hard)

Which THREE of the following are common risks associated with the prototyping methodology?

Select 3 answers
A. Incomplete requirements specification
B. Lack of adequate documentation
C. Prototype being accepted as the final production version
D. User misunderstanding of prototype limitations
E. Scope creep due to frequent changes
Answers: B, C, E

Documentation is often overlooked in prototyping.

Why this answer

Option B is correct because prototyping often prioritizes rapid iteration over formal documentation, leading to incomplete or outdated records of system specifications, design decisions, and user agreements. This lack of adequate documentation creates risks for maintenance, knowledge transfer, and auditability, as the final system may lack the necessary artifacts for ongoing support and compliance.

Exam trap

The trap here is that candidates may confuse 'incomplete requirements specification' (a general risk) with a prototyping-specific risk, but the exam expects recognition that prototyping actually reduces this risk through iterative user feedback, while the three correct answers (B, C, E) are directly tied to the methodology's iterative and informal nature.

590
MCQ (easy)

Which of the following is a primary advantage of fixed-price contracts in systems acquisition?

A. Vendor has incentive to complete quickly
B. Greater flexibility to change requirements
C. Lower total cost compared to time-and-materials
D. Predictable cost for the buyer
Answer: D

The price is agreed upfront, reducing financial risk.

Why this answer

Fixed-price contracts provide cost certainty for the buyer, as the vendor bears the risk of cost overruns.

591
MCQ (easy)

Which of the following is a key principle of corporate governance of IT according to ISO/IEC 38500?

A. Progress iteratively
B. Optimize and automate
C. Focus on value
D. Responsibility
Answer: D

Responsibility is one of the six principles in ISO/IEC 38500.

Why this answer

ISO/IEC 38500 defines six key principles for the corporate governance of IT: Responsibility, Strategy, Acquisition, Performance, Conformance, and Human Behaviour. The 'Responsibility' principle mandates that individuals and groups within the organization understand and accept their responsibilities for the supply of, and demand for, IT. This is the foundational governance principle because it establishes clear accountability, which is necessary for all other governance activities to function effectively.

Exam trap

The trap here is that candidates confuse the principles of specific IT management frameworks (like Agile, ITIL, or COBIT) with the high-level corporate governance principles defined in ISO/IEC 38500, leading them to select a familiar-sounding but incorrect option.

How to eliminate wrong answers

Option A is wrong because 'Progress iteratively' is a principle from the Agile Manifesto (specifically for software development) and is not a principle of corporate governance of IT as defined in ISO/IEC 38500. Option B is wrong because 'Optimize and automate' is a guiding principle from the ITIL 4 framework for service management, not a governance principle from ISO/IEC 38500. Option C is wrong because 'Focus on value' is a core principle of the COBIT 5 framework (and later COBIT 2019), which is a governance and management framework, but it is not one of the six specific principles listed in ISO/IEC 38500.

592
MCQ (hard)

In a large enterprise, the IT department uses a RACI matrix for its change management process. The change manager is responsible for executing the change, but which role is typically accountable for the success or failure of the change?

A. The end user representative
B. The system owner
C. The change manager
D. The IT director
Answer: D

The IT director or a senior manager is typically accountable for the change process and outcomes.

Why this answer

In a RACI matrix, the accountable person (A) is ultimately answerable for the outcome. For change management, the change advisory board (CAB) or a senior manager is often accountable.

593
MCQ (easy)

During which phase of the audit process does the auditor perform procedures such as inquiry, observation, and inspection?

A. Follow-up
B. Fieldwork
C. Reporting
D. Planning
Answer: B

Fieldwork includes executing audit procedures like inquiry, observation, and inspection.

Why this answer

Fieldwork is the phase where audit procedures are executed to gather evidence.

594
MCQ (hard)

An organization has a disaster recovery plan that includes a hot site. During a full interruption test, the recovery team discovers that the hot site's network configuration is incompatible with the production environment. What is the most likely root cause?

A. The backup data was not encrypted.
B. The test was not conducted during business hours.
C. The DR plan was not updated to reflect production changes.
D. The hot site is too far from the primary site.
Answer: C

Changes in production should be replicated to the hot site; otherwise, incompatibility occurs.

Why this answer

The incompatibility suggests that the hot site was not properly configured to mirror production, possibly due to lack of change synchronization or testing.

595
Multi-Select (medium)

Which TWO of the following are common risks in the procurement of custom-developed software?

Select 2 answers
A. Poor user acceptance
B. Excessive customization
C. Lack of documentation
D. Vendor lock-in
E. Inadequate service level agreements
Answers: C, D

Custom development often lacks thorough documentation.

Why this answer

Lack of documentation (C) is a common risk in custom-developed software because without comprehensive technical and user documentation, the organization faces challenges in maintenance, troubleshooting, and knowledge transfer. This risk is especially acute when the original developers leave, leaving the system opaque and difficult to support. Proper documentation is essential for ongoing operations, audits, and future enhancements.

Exam trap

The trap here is that candidates often confuse 'excessive customization' (a scope/design risk) with a procurement risk, when in fact the procurement risk is about the vendor's control over the software's future (vendor lock-in) and the lack of maintainability (lack of documentation).

596
MCQ (medium)

After a security incident, an organization discovers that an employee accessed sensitive files without authorization. Which of the following is the most effective preventive control to reduce the risk of such unauthorized access?

A. Deploying a data loss prevention (DLP) solution.
B. Implementing background checks on all employees.
C. Conducting regular access reviews and recertification.
D. Enforcing strong password policies.
Answer: C

Access reviews help identify and revoke unnecessary permissions, directly reducing the risk of unauthorized access.

Why this answer

Regular access reviews and recertification (Option C) are the most effective preventive control because they ensure that user permissions are periodically validated against current job roles and business needs. By systematically revoking excessive or outdated entitlements, this process directly reduces the attack surface for unauthorized access, addressing the root cause of privilege creep rather than merely detecting or deterring misuse.

Exam trap

The trap here is that candidates often confuse preventive controls with detective or deterrent controls, selecting DLP (a detective/corrective control) or strong passwords (an authentication control) instead of recognizing that access recertification directly prevents unauthorized access by removing excessive permissions before they can be exploited.

How to eliminate wrong answers

Option A is wrong because a Data Loss Prevention (DLP) solution is primarily a detective and corrective control that monitors and blocks data exfiltration after access has occurred; it does not prevent the initial unauthorized access to sensitive files. Option B is wrong because background checks are a pre-employment screening control that assesses trustworthiness but do not prevent an already-hired employee from subsequently accessing files without authorization. Option D is wrong because enforcing strong password policies only strengthens authentication at the point of login; it does not prevent an authorized user from abusing their legitimate credentials to access files they should not see, which is the core issue in this scenario.

597
MCQ (medium)

During an audit, the IS auditor identifies that a system access control deficiency could lead to unauthorized modification of financial data. The deficiency does not have a compensating control. How should the auditor classify this finding?

A. Material weakness
B. Deficiency
C. Observation
D. Finding
Answer: A

A material weakness is a deficiency that could result in a material misstatement.

Why this answer

A deficiency that could result in a material misstatement is classified as a material weakness.

598
MCQ (medium)

Which type of audit evidence involves the auditor independently performing a control procedure to verify its effectiveness?

A. Inspection
B. Observation
C. Re-performance
D. Inquiry
Answer: C

Re-performance is the auditor doing the control themselves.

Why this answer

Re-performance is when the auditor independently executes a control to confirm it operates as intended.

599
Multi-Select (hard)

An organization is implementing a new cloud-based HR system. The project sponsor wants to skip regular project status meetings to speed up delivery. Which THREE of the following are the MOST significant risks of eliminating these meetings?

Select 3 answers
A. Security requirements may be overlooked.
B. Stakeholders may be unaware of critical project issues.
C. Budget overruns may go unnoticed until the end.
D. Important decisions may not be documented or communicated.
E. Dependencies between project tasks may not be properly managed.
Answers: B, D, E

Meetings are key for issue communication.

Why this answer

Option B is correct because eliminating regular project status meetings removes a key communication channel for escalating critical project issues to stakeholders. Without these meetings, stakeholders may not receive timely updates on security vulnerabilities, integration failures, or compliance gaps in the cloud-based HR system, leading to delayed remediation and potential data breaches.

Exam trap

The trap here is that candidates confuse the purpose of status meetings with other project management artifacts, assuming that documentation alone (e.g., project plans, risk registers) can substitute for the real-time communication and decision-making that occurs in these meetings.

600
Multi-Select (medium)

An IS auditor is assessing the organization's compliance with privacy regulations regarding cross-border data transfers. Which THREE of the following are acceptable mechanisms to legitimize such transfers under the GDPR?

Select 3 answers
A. Binding corporate rules (BCRs) approved by a supervisory authority
B. Encryption of data prior to transfer
C. Standard contractual clauses (SCCs) adopted by the European Commission
D. Adequacy decision by the European Commission for the recipient country
E. Explicit consent from the data subjects
Answers: A, C, D

BCRs are a valid mechanism for intra-group transfers.

Why this answer

Standard contractual clauses (SCCs) and binding corporate rules (BCRs) are recognized mechanisms under GDPR. Adequacy decisions cover some countries. Consent alone is not sufficient if other safeguards are missing; encryption does not legitimize the transfer.
