CCNA CISA Operations Resilience Questions

39 of 114 questions · Page 2/2 · CISA Operations Resilience topic · Answers revealed

76
Multi-Select · medium

An IT auditor is reviewing the capacity management process. Which TWO of the following are key activities that should be performed?

Select 2 answers
A. Performing daily backup verification
B. Monitoring resource utilization trends
C. Reviewing incident response times
D. Setting threshold alerts for resource usage
E. Conducting annual disaster recovery tests
Answers: B, D

Essential for proactive capacity management.

Why this answer

Monitoring trends helps proactive planning; threshold alerts prevent overload.

77
MCQ · easy

In ITIL incident management, which severity level typically indicates a critical incident that severely impacts business operations and requires immediate resolution?

A. P2
B. P3
C. P1
D. P4
Answer: C

P1 is the highest priority.

Why this answer

P1 (Priority 1) incidents are the highest severity, requiring immediate attention.

78
MCQ · easy

Which of the following disaster recovery test types involves a full switch-over to the alternate site, resulting in actual disruption to normal operations?

A. Simulation test
B. Full interruption test
C. Parallel test
D. Tabletop test
Answer: B

Actual switch-over causing disruption.

Why this answer

The full interruption test (also known as a cold-start test) involves an actual shutdown of primary systems and a complete switch-over to the alternate site, causing real disruption to normal operations. This validates the entire recovery capability under realistic conditions, including failover, data synchronization, and user reconnection, but carries the highest risk of data loss or extended downtime.

Exam trap

The trap here is confusing a parallel test with a full interruption test, as both involve the alternate site processing live data, but only the full interruption test causes actual disruption by taking the primary site offline.

How to eliminate wrong answers

Option A is wrong because a simulation test models a disaster scenario without actually failing over or disrupting live systems; it typically uses walkthroughs or scripted exercises to validate procedures. Option C is wrong because a parallel test runs the alternate site in parallel with the primary site, processing live data but not switching over, so normal operations continue uninterrupted. Option D is wrong because a tabletop test is a discussion-based exercise where key personnel review plans and roles without any actual system failover or operational impact.

79
MCQ · easy

Which of the following backup types copies only data that has changed since the last full backup?

A. Mirror backup
B. Differential backup
C. Full backup
D. Incremental backup
Answer: B

Correct. Differential copies all changes since the last full backup.

Why this answer

A differential backup copies all data that has changed since the last full backup, regardless of how many incremental backups have been performed. This means each differential backup contains all changes accumulated since the most recent full backup, making it larger than an incremental backup but faster to restore (requiring only the full backup plus the latest differential).

Exam trap

The trap here is that candidates often confuse 'differential' with 'incremental' because both copy changed data, but the key differentiator is the reference point: differential uses the last full backup, while incremental uses the last backup of any type.

How to eliminate wrong answers

Option A is wrong because a mirror backup creates an exact, real-time copy of the source data, often using block-level replication (e.g., RAID 1 or rsync), and does not rely on a 'last full backup' marker; it continuously synchronizes changes. Option C is wrong because a full backup copies all selected data regardless of change status, serving as the baseline for differential and incremental backups. Option D is wrong because an incremental backup copies only data that has changed since the last backup of any type (full or incremental), not specifically since the last full backup; this is the key distinction from differential backups.

80
MCQ · medium

An organization outsources its help desk to a third-party vendor. The contract includes a service level agreement (SLA) with response times. The auditor wants to ensure that the organization can monitor vendor performance. Which clause is most important?

A. Exit strategy clause
B. Right-to-audit clause
C. Indemnification clause
D. Confidentiality clause
Answer: B

Correct: The right-to-audit clause enables the organization to verify the vendor's compliance with SLAs.

Why this answer

The right-to-audit clause allows the organization to audit the vendor's processes and performance, ensuring SLA compliance.

81
MCQ · medium

During a problem management meeting, the team identifies a recurring issue causing multiple incidents. The root cause is known, but a permanent fix is not yet available. Which of the following is the BEST approach to manage this situation until a permanent fix is implemented?

A. Escalate the problem to senior management
B. Reclassify the problem as an incident
C. Document the known error and implement a workaround
D. Close the problem record and wait for the fix
Answer: C

This is the purpose of a known error database.

Why this answer

Option C is correct because in ITIL-based problem management, when a root cause is known but a permanent fix is unavailable, the known error should be documented in the Known Error Database (KEDB) and a workaround should be implemented to reduce incident impact and restore service. This aligns with the problem management process of controlling the error until a permanent solution (e.g., a patch or change) is deployed, ensuring operational continuity and minimizing recurrence of incidents.

Exam trap

The trap here is that candidates confuse 'problem' with 'incident' and think reclassifying (Option B) is acceptable, but the CISA exam tests the ITIL distinction that a problem is the root cause of multiple incidents and must be managed separately, not reclassified as an incident.

How to eliminate wrong answers

Option A is wrong because escalating to senior management is not the best operational step for a known error with a workaround; escalation is reserved for strategic decisions, resource approval, or when the problem exceeds the team's authority, not for routine workaround implementation. Option B is wrong because reclassifying a problem as an incident violates the ITIL distinction: a problem is the underlying cause of one or more incidents, and reclassifying it would incorrectly treat the root cause as a single event, bypassing proper problem management tracking. Option D is wrong because closing the problem record while waiting for a fix would remove visibility and control, preventing the team from applying the workaround and potentially allowing the same incidents to recur without a documented resolution path.

82
MCQ · easy

Which backup method copies all data that has changed since the last full backup, regardless of subsequent incremental backups, and is often used to reduce restore time?

A. Full backup
B. Differential backup
C. Incremental backup
D. Mirror backup
Answer: B

Differential copies all changes since last full backup, simplifying restore.

Why this answer

A differential backup copies all data that has changed since the last full backup, regardless of any incremental backups taken in between. This approach reduces restore time because only the last full backup and the most recent differential backup are needed, unlike incremental backups which require the full backup plus every subsequent incremental in sequence.

Exam trap

The trap here is confusing differential backups with incremental backups, as both copy only changed data, but the key distinction is that differentials copy all changes since the last full backup, while incrementals copy changes since the last backup of any type, leading to longer restore chains for incrementals.

How to eliminate wrong answers

Option A is wrong because a full backup copies all data, not just changed data, and is typically the baseline for other backup types, not a method to reduce restore time by copying only changes. Option C is wrong because an incremental backup copies only data changed since the last backup of any type (full, differential, or incremental), requiring the full backup plus all subsequent incremental backups for restore, which increases restore time. Option D is wrong because a mirror backup creates an exact replica of the source data in real-time or near-real-time, often using disk mirroring (e.g., RAID 1), and does not focus on copying only changed data since the last full backup; it is designed for high availability, not backup efficiency or restore time reduction.

83
MCQ · hard

An organization is selecting an alternate site for disaster recovery. The site must have sufficient equipment to resume operations within a few hours, and the organization is willing to share the site with another business. Which type of alternate site is MOST appropriate?

A. Mobile site
B. Warm site
C. Cold site
D. Hot site
Answer: B

Warm sites have some equipment and can be shared, enabling faster activation than cold sites.

Why this answer

A hot site is fully equipped and can be operational quickly, but sharing is uncommon. A warm site has some equipment. A cold site has no equipment.

A mobile site is not a standard classification.

84
MCQ · easy

An IT auditor is reviewing capacity management. The server team monitors CPU utilization and disk space. They receive alerts when thresholds are exceeded. Which practice is most effective for proactive capacity planning?

A. Performing weekly manual checks
B. Analyzing historical utilization trends
C. Increasing server resources quarterly
D. Setting threshold alerts at 90% utilization
Answer: B

Correct: Trend analysis helps forecast future capacity requirements and avoid performance issues.

Why this answer

Analyzing historical utilization trends allows IT to predict future capacity needs and plan upgrades before issues occur.

85
Multi-Select · medium

An IS auditor is reviewing the software asset management (SAM) process. The organization uses a mix of commercial off-the-shelf (COTS) and open-source software. The auditor finds that several servers are running end-of-life (EOL) operating systems that are no longer patched. Which TWO risks are most directly associated with this finding?

Select 2 answers
A. Increased risk of security breaches due to unpatched vulnerabilities.
B. Difficulty in integrating with newer systems.
C. Non-compliance with regulatory requirements for patching.
D. Reduced performance due to outdated software.
E. Higher software licensing costs.
Answers: A, C

EOL software lacks security patches, making it vulnerable.

Why this answer

End-of-life (EOL) operating systems no longer receive security patches from the vendor, leaving known vulnerabilities unmitigated. This directly increases the risk of security breaches because attackers can exploit these unpatched flaws. Additionally, many regulatory frameworks (e.g., PCI DSS, SOX) require timely patching of critical systems, so running EOL software constitutes non-compliance with those requirements.

Exam trap

The trap here is that candidates may confuse operational issues (like integration difficulty or performance) with the primary security and compliance risks that directly stem from unpatched vulnerabilities on EOL systems.

86
MCQ · hard

An IS auditor is reviewing automated job scheduling controls. A critical batch job failed due to a dependency on a previous job that had not completed. The system did not alert operations staff. Which control weakness is most significant?

A. Missing dependency management in job scheduling.
B. Insufficient capacity management to handle job load.
C. Inadequate rerun procedures for the failed job.
D. Lack of a known error database entry for this issue.
Answer: A

Dependency management should prevent the job from starting if prerequisites are not met.

Why this answer

Job scheduling should include dependency management and failure alerts. The lack of an alert means the issue went unnoticed, potentially causing delays.

87
Multi-Select · hard

An IS auditor is reviewing the end-of-life (EOL) software policy. Which THREE risks are associated with running unsupported software? (Select THREE).

Select 3 answers
A. Reduced need for data backups
B. Regulatory non-compliance
C. Higher software licensing costs
D. Compatibility issues with newer systems
E. Increased vulnerability to security breaches
Answers: B, D, E

Some regulations require the use of supported software.

Why this answer

Unsupported software no longer receives security patches, increasing vulnerability risk. It also may cause compatibility issues with other systems. Additionally, it may lead to non-compliance with regulations that require supported software.

88
MCQ · easy

An organization's IT service desk categorizes incidents based on severity levels. A P1 incident is defined as a critical system outage affecting all users. Which of the following is the MOST appropriate target for the initial response time for a P1 incident?

A. Within 15 minutes
B. Within 4 hours
C. Within 1 business day
D. Within 30 minutes
Answer: A

Immediate response is expected for critical incidents.

Why this answer

P1 incidents are critical and require immediate response, typically within minutes, not hours.

89
MCQ · medium

An organization's availability management team reports that a critical server has an MTBF of 720 hours and an MTTR of 4 hours. What is the availability percentage for this server?

A. 99.45%
B. 99.56%
C. 99.72%
D. 99.89%
Answer: A

Correct: 720/(720+4) = 720/724 ≈ 99.45%.

Why this answer

Availability = MTBF / (MTBF + MTTR) = 720 / (720 + 4) = 720/724 ≈ 0.9945, or 99.45%.

90
MCQ · medium

An organization uses automated job scheduling with dependency management. A critical nightly batch job failed because a prerequisite job did not complete successfully. The job scheduler automatically attempted to rerun the failed job three times, each time failing due to the same dependency. The operations team was not alerted until the next morning. What control should the auditor recommend to improve this process?

A. Increase the number of automatic rerun attempts.
B. Implement real-time alerts for job failures and dependency issues.
C. Remove dependency management for critical jobs.
D. Schedule all critical jobs to run sequentially without dependencies.
Answer: B

Alerts would enable timely intervention.

Why this answer

The core issue is the lack of timely notification, not the number of retries or the dependency logic itself. The job scheduler correctly identified the dependency failure and attempted reruns, but the operations team remained unaware until the next morning. Implementing real-time alerts for job failures and dependency issues (Option B) ensures that the operations team can intervene immediately, rather than discovering the problem hours later during a manual check.

Exam trap

The trap here is that candidates focus on the retry mechanism (Option A) or the dependency structure (Options C and D) instead of recognizing that the fundamental control gap is the absence of real-time notification, which is a core operations resilience requirement.

How to eliminate wrong answers

Option A is wrong because increasing the number of automatic rerun attempts does not address the root cause—the prerequisite job failed, and retrying the dependent job without fixing the dependency is futile and wastes system resources. Option C is wrong because removing dependency management for critical jobs would break the logical execution order, potentially causing data integrity issues or cascading failures where downstream jobs run on incomplete or erroneous data. Option D is wrong because scheduling all critical jobs to run sequentially without dependencies ignores the reality that many jobs rely on the output of others; this would either force artificial delays or require manual coordination, defeating the purpose of automated scheduling.

91
MCQ · hard

A system has a Mean Time Between Failures (MTBF) of 500 hours and a Mean Time To Repair (MTTR) of 20 hours. What is the availability of the system?

A. 97.50%
B. 92.00%
C. 96.15%
D. 95.00%
Answer: C

Correct calculation.

Why this answer

Availability is calculated as MTBF / (MTBF + MTTR). With MTBF = 500 hours and MTTR = 20 hours, availability = 500 / (500 + 20) = 500 / 520 ≈ 0.9615, or 96.15%. This formula measures the proportion of time the system is operational, directly reflecting its resilience and recoverability.

Exam trap

The trap here is that candidates may incorrectly compute availability as (MTBF - MTTR)/MTBF or simply subtract MTTR/MTBF from 1 without using the correct denominator, leading to plausible but wrong percentages like 96% or 95%.

How to eliminate wrong answers

Option A is wrong because 97.50% would result from incorrectly using MTBF / (MTBF + MTTR) but miscalculating the denominator as 512.82 or misplacing the decimal. Option B is wrong because 92.00% might come from subtracting MTTR/MTBF (20/500 = 0.04) from 1 and rounding incorrectly, or from a confusion with a different metric like inherent availability. Option D is wrong because 95.00% could be obtained by using MTBF / (MTBF + 2*MTTR) or by mistakenly treating MTTR as a percentage of MTBF (20/500 = 4%, then 100% - 4% = 96%, but rounding down to 95%).

92
Multi-Select · medium

An organization is performing software asset management (SAM) to ensure license compliance. Which two activities should the auditor verify?

Select 2 answers
A. Reconciling installed software with purchase records
B. Performing vulnerability scans
C. Conducting regular license compliance audits
D. Monitoring network bandwidth usage
E. Tracking hardware depreciation
Answers: A, C

Correct: Reconciliation helps identify discrepancies.

Why this answer

Regular license compliance audits ensure proper licensing. Reconciliation of installed software with purchased licenses identifies gaps or over-licensing.

93
MCQ · medium

An organization uses a hot site as its disaster recovery alternative. Which of the following is the MOST critical consideration when selecting a hot site?

A. Compatibility of hardware and software with the production environment
B. Distance from the primary site
C. Cost of the hot site contract
D. Availability of staff at the hot site
Answer: A

Without compatibility, the hot site cannot be used effectively.

Why this answer

The hot site must be compatible with the production environment to enable quick recovery.

94
MCQ · medium

An IS auditor is reviewing the availability management process. The auditor calculates that the mean time between failures (MTBF) is 200 hours and the mean time to repair (MTTR) is 20 hours. What is the availability percentage?

A. 90.91%
B. 99.00%
C. 95.00%
D. 80.00%
Answer: A

Correct calculation.

Why this answer

Availability = MTBF / (MTBF + MTTR) = 200 / 220 ≈ 0.9091, or 90.91%.

95
MCQ · medium

An IT auditor is reviewing the release management process. Which of the following is the MOST important control to ensure that new releases do not negatively impact production systems?

A. Testing in a pre-production environment
B. Rollback plan
C. Communication to users
D. Approval from the change advisory board
Answer: A

Testing reduces the risk of negative impacts.

Why this answer

Testing in a pre-production environment is essential to identify issues before deployment.

96
Multi-Select · medium

An IS auditor is reviewing the vendor management program for a critical outsourced service. The vendor has recently been acquired by another company. Which TWO factors should the auditor be most concerned about regarding the acquisition?

Select 2 answers
A. The vendor's new owner may have different security standards.
B. The vendor's new owner may increase prices.
C. The vendor's new owner may have a different organizational culture.
D. The vendor's new owner may lay off key personnel.
E. The contract may not have a clause requiring consent for change of control.
Answers: A, E

Security standards may change, affecting the organization's risk posture.

Why this answer

A change in vendor ownership can affect the contractual relationship and service delivery. The auditor should focus on whether the contract allows assignment (without consent) and whether the new owner's financial stability poses a risk.

97
MCQ · medium

An organization uses RAID 5 for its database server. Which of the following is the PRIMARY advantage of RAID 5?

A. Simplified backup process
B. Increased storage capacity without parity overhead
C. Fault tolerance with one disk failure
D. Improved read performance
Answer: C

This is the primary advantage.

Why this answer

RAID 5 provides fault tolerance with parity, allowing recovery from a single disk failure.

98
MCQ · medium

During a change management review, an IS auditor discovers that a recent database upgrade was implemented without prior approval from the Change Advisory Board (CAB) because it was classified as a 'standard change.' However, the change involved migrating to a new database version that required application code modifications. What should concern the auditor most?

A. The change was implemented without CAB approval.
B. The change did not include a backout plan.
C. The change was implemented during business hours.
D. The change was implemented without testing.
Answer: A

The change required code modifications, so it should not have been standard; thus CAB approval was needed.

Why this answer

The core issue is that the change was misclassified as a 'standard change' to bypass CAB approval, but it required application code modifications, which means it was not pre-authorized and should have been treated as a normal or emergency change. Standard changes are low-risk, pre-approved, and typically involve no application code changes (e.g., applying a routine patch to a database that does not alter the schema or API). By bypassing CAB review, the organization lost the opportunity to assess risks, dependencies, and rollback procedures, which is a critical control failure in change management.

Exam trap

The trap here is that candidates focus on the operational details (missing backout plan, business hours, testing) instead of recognizing that the misclassification of the change type is the fundamental control weakness that undermines the entire change management process.

How to eliminate wrong answers

Option B is wrong because while a missing backout plan is a concern, it is a symptom of the larger governance failure; the lack of CAB approval is the root cause that allowed the change to proceed without proper planning. Option C is wrong because implementing during business hours is not inherently a control issue—many standard changes are designed for business hours—and the real problem is the unauthorized nature of the change. Option D is wrong because although testing may have been inadequate, the question does not state that testing was skipped; the primary red flag is the misclassification that circumvented the approval process, which is the auditor's top concern.

99
MCQ · medium

A company outsources its IT help desk to a third-party vendor. The service level agreement (SLA) specifies that all P1 incidents must be resolved within 2 hours. During an audit, the auditor finds that the vendor’s average resolution time for P1 incidents is 3 hours. What is the most appropriate recommendation?

A. Terminate the contract immediately
B. Renegotiate the SLA to 3 hours
C. Issue a non-compliance notice and require a remediation plan
D. Accept the performance as within acceptable variance
Answer: C

This holds the vendor accountable and drives improvement.

Why this answer

The correct action is to monitor SLA compliance and enforce penalties or require corrective action. This ensures the vendor meets contractual obligations.

100
MCQ · medium

During a change management process review, an IS auditor finds that the change advisory board (CAB) approved a change that subsequently caused a major service outage. The change was classified as 'normal' with no emergency. What is the auditor's primary concern?

A. The service desk was not notified of the change.
B. The CAB did not adequately assess the potential impact of the change.
C. The change should have been classified as emergency.
D. The change was not tested in a pre-production environment.
Answer: B

The outage suggests the CAB failed to identify risks.

Why this answer

The primary concern is that the CAB approved a 'normal' change without adequately assessing its potential impact, leading to a major service outage. In ITIL-based change management, the CAB is responsible for evaluating the risk, impact, and resource requirements of a change before approval. A failure in this assessment indicates a breakdown in the change management process, which is the core issue an IS auditor must address.

Exam trap

The trap here is that candidates may focus on operational details (like testing or classification) rather than the governance failure of the CAB's impact assessment, which is the core audit concern in change management.

How to eliminate wrong answers

Option A is wrong because while notifying the service desk is a good practice, it is not the primary concern; the outage occurred due to the change itself, not a lack of notification. Option C is wrong because the change was classified as 'normal' with no emergency, and reclassifying it as emergency would not address the root cause—the CAB's inadequate impact assessment. Option D is wrong because testing in a pre-production environment is a control to reduce risk, but the auditor's primary concern is the CAB's failure to assess impact, which should have identified the need for testing or other mitigations.

101
MCQ · hard

During an audit of IT asset management, the IS auditor finds that several servers are running an operating system that has reached end-of-life (EOL). The organization has not deployed any compensating controls. Which of the following is the GREATEST risk?

A. Incompatibility with new applications
B. Increased licensing costs
C. Lack of vendor support
D. Unpatched security vulnerabilities
Answer: D

This is the greatest risk as it can lead to exploitation.

Why this answer

An operating system that has reached end-of-life (EOL) no longer receives security patches from the vendor. Without compensating controls, any newly discovered vulnerabilities remain unpatched, exposing the organization to exploitation, data breaches, and system compromise. This directly undermines the confidentiality, integrity, and availability of the IT assets, making unpatched security vulnerabilities the greatest risk.

Exam trap

The trap here is that candidates may confuse 'lack of vendor support' (Option C) as the greatest risk, but the actual risk is the resulting unpatched security vulnerabilities that directly threaten the organization's security posture.

How to eliminate wrong answers

Option A is wrong because incompatibility with new applications is an operational inconvenience, not a security or compliance risk; it can often be mitigated through virtualization or containerization. Option B is wrong because EOL operating systems typically do not incur increased licensing costs—in fact, licensing may cease or become unsupported, but cost is not the primary risk. Option C is wrong because lack of vendor support is a contributing factor to the risk, not the risk itself; the absence of patches and updates is the direct consequence that creates the security exposure.

102
MCQ · medium

An IT auditor is reviewing backup procedures. The organization performs daily full backups and retains them for 30 days. Additionally, weekly backups are retained for 12 months. Which of the following is the MOST likely risk associated with this backup strategy?

A. Backup data may not be recoverable
B. Inability to meet recovery point objectives
C. Backup encryption may be weak
D. Excessive storage consumption and longer backup windows
Answer: D

Daily full backups are inefficient.

Why this answer

Full backups every day consume large amounts of storage and time; incremental backups are more efficient.

103
Multi-Select · hard

During a disaster recovery planning audit, the IS auditor notes that the organization's plan includes a hot standby site. However, the plan has not been updated in two years, and the last test was a tabletop exercise 18 months ago. The organization has recently implemented a new ERP system. Which THREE findings should the auditor report as most significant?

Select 3 answers
A. The DR plan has not been tested in over a year.
B. The DR plan is outdated; it was last updated two years ago.
C. The hot standby site is located too far from the primary site.
D. The DR plan has not been reviewed and approved by senior management in the last year.
E. The DR plan has not been updated to reflect the new ERP system.
Answers: A, B, E

Regular testing is critical; a tabletop test is insufficient for a hot site.

Why this answer

The plan is outdated (two years), the last test was only tabletop (not sufficient for a hot site), and the new ERP system is not reflected in the plan. These three issues directly impact the ability to recover effectively.

104
MCQ · hard

An organization's backup strategy includes daily incremental backups and weekly full backups. During a disaster recovery test, the restoration of a critical server fails because a required incremental backup is corrupt. Which control should the organization implement to verify the integrity of backups?

A. Implement backup encryption
B. Use a different backup software
C. Perform periodic restore verification tests
D. Increase the frequency of full backups
Answer: C

Restore verification tests validate that backups are usable and complete.

Why this answer

Regular restore verification tests confirm that backups can be successfully restored. This is a key control to ensure backup integrity.

105
MCQ · easy

An organization is implementing a new incident management process based on ITIL. An incident classified as P1 (Priority 1) occurs. According to ITIL best practices, what is the most appropriate initial action?

A. Escalate the incident to problem management for root cause analysis.
B. Immediately assign the incident to the appropriate support team for resolution.
C. Update the known error database with a workaround.
D. Log the incident and inform the user that it will be handled within the next business day.
Answer: B

Correct for a P1 incident requiring immediate action.

Why this answer

P1 incidents are critical and require immediate response to restore service. The service desk should assign the incident to the appropriate support team without delay.

106
MCQ · medium

An organization outsources its data center operations to a third-party vendor. The contract includes a right-to-audit clause. During a scheduled audit, the vendor refuses to provide access to logs from a subcontractor managing network security. What is the IS auditor's best course of action?

A. Escalate the issue to the vendor management team to enforce the contractual right.
B. Accept the vendor's refusal to avoid conflict.
C. Request the vendor to include a clause in its subcontractor agreement allowing audits.
D. Report the refusal to senior management and recommend terminating the contract.
Answer: A

The vendor management team can use contractual remedies to obtain access.

Why this answer

The right-to-audit clause in the contract gives the organization legal authority to examine all relevant records, including those from subcontractors. Escalating to the vendor management team is the correct first step because they can enforce the contractual obligation without prematurely escalating to termination. This preserves the business relationship while asserting the organization's audit rights over the entire outsourced environment, including subcontracted network security operations.

Exam trap

The trap here is that candidates may prematurely choose termination (Option D) or accept the refusal (Option B) without recognizing that the right-to-audit clause is a contractual lever that should be enforced through escalation before considering contract termination.

How to eliminate wrong answers

Option B is wrong because accepting the refusal without action would violate the audit clause and create an unmanaged risk, potentially masking security incidents in the subcontractor's logs. Option C is wrong because the contract already exists; requesting a new clause after the fact is reactive and does not address the immediate refusal, and the vendor is already contractually obligated to provide access. Option D is wrong because recommending termination is premature; the contract provides a right-to-audit, and escalation to enforce that right should be attempted before considering such a drastic step.

107
MCQ · medium

During a recent audit, the IT auditor found that the problem management process does not include a known error database (KEDB). Which of the following is the MOST significant risk associated with this finding?

A. Higher likelihood of unauthorized changes
B. Increased backup failure rates
C. Increased time to resolve incidents
D. Inaccurate SLA reporting
Answer: C

Without a KEDB, incidents that could be resolved quickly using known workarounds will take longer, increasing resolution times.

Why this answer

Without a known error database (KEDB), incident resolution relies on ad-hoc troubleshooting rather than leveraging documented root causes and workarounds. This directly increases the mean time to resolve (MTTR) incidents because support teams cannot quickly identify and apply previously identified fixes, leading to longer outages and reduced operational efficiency.

Exam trap

The trap here is that candidates confuse the KEDB with the change management process or SLA metrics, assuming that missing documentation leads to unauthorized changes or reporting inaccuracies, when the direct operational impact is prolonged incident resolution time.

How to eliminate wrong answers

Option A is wrong because unauthorized changes are primarily controlled by the change management process (e.g., CAB approval, segregation of duties), not by the problem management process or the existence of a KEDB. Option B is wrong because backup failure rates are influenced by backup software configuration, storage health, and monitoring alerts, not by the presence or absence of a KEDB. Option D is wrong because SLA reporting accuracy depends on proper incident classification, timestamp capture, and automated ticketing system data, not on the problem management process's KEDB.

108
MCQ · hard

An IS auditor is reviewing the release management process for a critical application. The release strategy includes a phased rollout to 10% of users initially, then 50%, then 100%. The first phase revealed a data integrity issue that affected a subset of transactions. The release manager decided to continue with the next phase while a patch was being developed. What should the auditor most recommend?

A. Document the issue as a known error and proceed.
B. Accelerate the rollout to quickly identify all issues.
C. Increase testing in the next phase to catch issues earlier.
D. Halt the rollout until the data integrity issue is resolved.
Answer: D

Halting prevents further damage and ensures the fix is applied before broader deployment.

Why this answer

Continuing the rollout while a data integrity issue exists could affect more users. Best practice is to halt the rollout until the issue is resolved and patched, to prevent further impact and ensure the fix is effective.

109
Multi-Select · medium

An IS auditor is reviewing a business continuity plan (BCP). Which TWO of the following are key components of the business continuity strategy? (Select two.)

Select 2 answers
A. Incident management procedures
B. Data backup and recovery
C. Alternate facilities
D. Service desk procedures
E. Change management process
Answers: B, C

Data backup and recovery are critical for continuity.

Why this answer

Alternate facilities and data backup and recovery are essential components of BC strategy.

110
MCQ · medium

An IS auditor is reviewing the capacity management process for a server hosting a critical application. The server's CPU utilization has been consistently above 90% for the past three months, and memory usage is at 85%. There are no threshold alerts configured. The capacity plan shows that additional resources are scheduled to be added in six months. What should the auditor most recommend?

A. Review the capacity plan and adjust the forecast.
B. Accept the risk as the server has not failed yet.
C. Request immediate addition of resources to meet current demand.
D. Implement threshold alerts to monitor the situation.
Answer: C

Given sustained high utilization, immediate action is needed.

Why this answer

The high utilization indicates a need for immediate capacity expansion. The existing plan is too far in the future, risking performance degradation or outages. The auditor should recommend expediting the addition of resources.

111
MCQ · medium

An IT auditor is reviewing the change management process for a financial institution. The auditor finds that emergency changes are frequently approved by the change manager without CAB review. Which risk is most associated with this practice?

A. Increase in unauthorized changes
B. Excessive documentation overhead
C. Delayed incident resolution
D. Inadequate backup procedures
Answer: A

Lack of CAB oversight for emergency changes can lead to unauthorized modifications.

Why this answer

Emergency changes bypass normal review, increasing the risk of unauthorized or poorly tested changes that could disrupt operations or introduce security vulnerabilities.

112
MCQ · hard

An IT auditor is evaluating the capacity management process. Which of the following findings would be of MOST concern?

A. Alert thresholds are set at 80% utilization
B. Resource utilization trends are not monitored
C. Capacity thresholds are reviewed annually
D. Capacity reports are generated monthly
Answer: B

Without monitoring trends, the organization cannot proactively plan for capacity needs, leading to increased risk of outages.

Why this answer

When resource utilization trends are not monitored, capacity planning becomes reactive: performance degradation and potential outages occur before thresholds are raised. This finding is the most concerning because it indicates a lack of proactive management.

113
Multi-Select · hard

An organization is implementing a change management process based on ITIL. Which THREE change types should be included in the policy?

Select 3 answers
A. Planned change – scheduled during maintenance windows with no approval needed.
B. Emergency change – requires immediate implementation to resolve a major incident.
C. Standard change – pre-approved, low risk, follows a defined procedure.
D. Major change – requires executive approval and a separate risk assessment.
E. Normal change – requires approval from the Change Advisory Board (CAB).
Answers: B, C, E

Correct definition of emergency change.

Why this answer

Option B is correct because ITIL defines an Emergency change as one that must be implemented as soon as possible—often to resolve a major incident or security vulnerability. This change type bypasses the normal CAB approval cycle and uses a dedicated Emergency CAB (ECAB) process to authorize and implement the fix rapidly while still maintaining control.

Exam trap

The trap here is that candidates confuse 'Planned change' (a scheduling concept) with a formal ITIL change type, leading them to select Option A, but ITIL only recognizes Standard, Emergency, and Normal changes.

114
MCQ · hard

A company's availability monitoring shows that a critical application has an average MTBF of 720 hours and an average MTTR of 4 hours. What is the availability percentage?

A. 99.72%
B. 99.17%
C. 99.95%
D. 99.45%
Answer: D

Calculated as 720/(720+4)=0.9945.

Why this answer

Availability = MTBF / (MTBF + MTTR) = 720 / (720 + 4) = 720 / 724 ≈ 0.994475, or 99.45%.
