
Scenario-based practice

Refer to the Exhibit Practice Questions

Practise Certified Information Systems Auditor CISA practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

15 scenario questions | Exam code: CISA | Vendor: ISACA

Scenario guide

How to approach "refer to the exhibit" practice questions

Practise exhibit-style questions that ask you to read a topology, table, command output or diagram before choosing the best answer.

Quick answer

Exhibit-style questions test whether you can read a topology, command output, diagram or table before choosing the best answer.

How to extract the relevant detail from an exhibit.

How topology, command output or routing information affects the answer.

How to avoid answering from memory before reading the evidence.

How to map the exhibit back to the exam objective.


Practice set

Practice scenarios

Question 1 (hard, multiple choice)

Based on the exhibit, which control is most likely missing to prevent this type of event?

Exhibit

Refer to the exhibit.

syslog output:
```
Mar 15 10:23:45 server01 sshd[1234]: Failed password for root from 10.0.0.99 port 22 ssh2
Mar 15 10:23:46 server01 sshd[1234]: Failed password for root from 10.0.0.99 port 22 ssh2
Mar 15 10:23:47 server01 sshd[1234]: Failed password for root from 10.0.0.99 port 22 ssh2
Mar 15 10:23:48 server01 sshd[1234]: Failed password for root from 10.0.0.99 port 22 ssh2
Mar 15 10:23:49 server01 sshd[1234]: Failed password for root from 10.0.0.99 port 22 ssh2
```
Question 2 (hard, multiple choice)

Based on the exhibit, the IS auditor is reviewing access to the payroll folder. Which of the following is the MOST significant finding?

Exhibit

Refer to the exhibit.
```
Access Control List for /payroll:
User: jdoe (Read, Write)
User: asmith (Read)
Group: HR_Managers (Full Control)
Group: Payroll_Clerks (Read, Write)
Group: Internal_Audit (Read)
Effective permissions for user jdoe: Read, Write
```
Question 3 (hard, multiple choice)

Refer to the exhibit. A security analyst notices that users on the INSIDE network (10.1.1.0/24) can browse HTTPS websites but cannot resolve domain names. What is the most likely cause?

Exhibit

Refer to the exhibit.

Exhibit: Firewall rule excerpt (Cisco ASA)

```
access-list INSIDE extended permit tcp 10.1.1.0 255.255.255.0 any eq 443
access-list INSIDE extended permit udp 10.1.1.0 255.255.255.0 host 10.2.2.10 eq 53
access-list INSIDE extended deny ip any any

interface GigabitEthernet0/0
 nameif INSIDE
 security-level 100
 ip address 10.1.1.1 255.255.255.0

interface GigabitEthernet0/1
 nameif OUTSIDE
 security-level 0
 ip address 192.168.1.1 255.255.255.0

route OUTSIDE 0.0.0.0 0.0.0.0 192.168.1.254 1
```
Question 4 (hard, multiple choice)

The exhibit shows a log entry from a domain controller. The IS auditor is investigating account lockout issues. What is the MOST likely cause of this event?

Exhibit

Refer to the exhibit.
```
System Log Entry:
Timestamp: 2024-03-15 14:32:17
Event ID: 4625 (Logon Failure)
Account: svc_backup
Source: Backup Server
Failure Reason: Account locked out.
```
Question 5 (medium, multiple choice)

Refer to the exhibit. An application log shows an error. What is the MOST likely cause of this error?

Exhibit

Refer to the exhibit.

```
ERROR 2019-11-15 14:23:45,123 [main] com.example.App - Error processing record ID 1045
java.sql.SQLIntegrityConstraintViolationException: ORA-00001: unique constraint (USERS.UK_USERNAME) violated
	at com.example.dao.UserDao.insert(UserDao.java:45)
	... 8 more
```
Question 6 (hard, multiple choice)

Based on the exhibit, what should the IS auditor MOST likely recommend?

Exhibit

Refer to the exhibit.
```
Change Management Log Extract:
CR-2024-001: Approved | Implemented 01/15 14:00
CR-2024-002: Approved | Implemented 01/20 09:30
CR-2024-003: Emergency (post-approved) | Implemented 01/25 22:15
CR-2024-004: Approved | Implemented 02/01 11:00
CR-2024-005: Emergency (post-approved) | Implemented 02/10 23:45
CR-2024-006: Approved | Implemented 02/15 10:00
CR-2024-007: Emergency (post-approved) | Implemented 02/20 21:30
```
Question 7 (hard, multiple choice)

Refer to the exhibit. A security administrator is troubleshooting why external users cannot reach the web server at 203.0.113.10 from the internet. Based on the configuration, what is the MOST likely issue?

Exhibit

Refer to the exhibit.

```
! Cisco ASA configuration snippet
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq www
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq https
access-list OUTSIDE_IN extended deny ip any any log
!
object network WEB_SERVER
 host 203.0.113.10
nat (inside,outside) source static any any destination static WEB_SERVER WEB_SERVER no-proxy-arp route-lookup
!
```
Question 8 (hard, multiple choice)

Based on the exhibit, what is the MOST likely compliance issue requiring immediate remediation?

Exhibit

Refer to the exhibit.

```
[Storage Policy: HR_Data]
Retention: 7 years
Encryption: AES-256
Access: Restricted (HR Managers only)
Backup: Daily, stored in Offsite Vault
Last Compliance Check: 2023-02-15
Status: Non-compliant (Reason: Backup media not encrypted)
```
Question 9 (hard, multiple choice)

Refer to the exhibit. An administrator applied this ACL to a VLAN interface. The server at 10.0.0.100 hosts a web application. What is the effect of this ACL?

Exhibit

Refer to the exhibit.

```
SW1(config)# access-list 101 permit tcp any host 10.0.0.100 eq 443
SW1(config)# access-list 101 deny tcp any host 10.0.0.100 eq 80
SW1(config)# access-list 101 permit ip any any
SW1(config)# interface vlan 10
SW1(config-if)# ip access-group 101 in
```
Question 10 (easy, multiple choice)

Refer to the exhibit. A developer is inserting a new employee record. What is the cause of this error?

Exhibit

Refer to the exhibit.

```
ERROR: ORA-00001: unique constraint (HR.EMP_EMAIL_UK) violated
INSERT INTO employees (employee_id, email) VALUES (101, 'john.doe@example.com');
```
Question 11 (medium, multiple choice)

Based on the exhibit, which user account poses the HIGHEST security risk?

Exhibit

Refer to the exhibit.

```
# cat /etc/shadow | grep -E "^(root|admin|test):"
root:$6$xyz...$abc:18000:0:99999:7:::
admin:!:18001:0:99999:7:::
test:$6$def...$ghi:18001:0:99999:7:::
```
Question 12 (medium, multiple choice)

Refer to the exhibit. A cloud load balancer uses this JSON configuration. A request arrives from source IP 10.0.1.100 to port 80. Which backend pool will receive the request?

Exhibit

Refer to the exhibit.

```
{
  "version": "2.0",
  "routeSelection": "lowest-cost",
  "rules": [
    {
      "action": "forward",
      "match": {
        "sourceIp": "10.0.1.0/24",
        "destinationPort": 8080
      },
      "target": "backend-pool-1"
    },
    {
      "action": "forward",
      "match": {
        "sourceIp": "10.0.2.0/24",
        "destinationPort": 80
      },
      "target": "backend-pool-2"
    }
  ]
}
```
Question 13 (hard, multiple choice)

Based on the exhibit, which of the following is the MOST likely result of the current firewall configuration?

Exhibit

Refer to the exhibit.

```
# iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       192.168.1.0/24       0.0.0.0/0            tcp dpt:443
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
```
Question 14 (easy, multiple choice)

Based on the exhibit, what is the security risk of this bucket policy?

Exhibit

Refer to the exhibit.

```
# s3api get-bucket-policy --bucket example-bucket
"Policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"s3:GetObject\",\"Resource\":\"arn:aws:s3:::example-bucket/*\"}]}"
```
Question 15 (easy, multiple choice)

Refer to the exhibit. A CISA is reviewing this S3 bucket policy. What is the PRIMARY security concern?

Exhibit

Refer to the exhibit.

Exhibit:
Configuration file for an Amazon S3 bucket policy:
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
```

These CISA practice questions are part of Courseiva's free ISACA certification practice question bank. Courseiva provides original exam-style CISA questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.