CCNA Cisa Systems Development Questions

33 of 108 questions · Page 2/2 · Cisa Systems Development topic · Answers revealed

76 · MCQ · easy

An organization is considering replacing its legacy financial system with a new ERP solution. Which of the following is the PRIMARY advantage of purchasing a commercial off-the-shelf (COTS) ERP package over building a custom system?

A. Greater control over customization
B. Lower total cost of ownership
C. Complete alignment with business processes
D. Faster implementation
Answer: D

Reduced development time as the system is pre-built.

Why this answer

COTS packages typically have a faster implementation timeline because the core functionality already exists, reducing development time.

77 · MCQ · medium

During an ERP implementation, the project team decides to customize the software to align with existing business processes. Which of the following risks is MOST likely to increase as a result of extensive customization?

A. Increased vendor lock-in
B. Simpler data migration
C. Reduced user acceptance
D. Higher costs for future upgrades
Answer: D

Custom code must be adapted for each new version.

Why this answer

Extensive customization of an ERP system typically involves modifying the core code or configuration beyond standard parameters. This creates a custom code base that diverges from the vendor's standard release, making future upgrades significantly more complex and costly because each upgrade requires re-applying and testing all customizations against the new version, often requiring specialized skills and extensive regression testing.

Exam trap

The trap here is that candidates often confuse customization with configuration; customization modifies source code or adds custom objects, while configuration uses built-in parameters, and only customization significantly increases upgrade costs.

How to eliminate wrong answers

Option A is wrong because vendor lock-in is primarily driven by reliance on proprietary data formats, APIs, or licensing models, not by customization itself; in fact, customizations can sometimes reduce lock-in by making the system more tailored to the organization's unique needs. Option B is wrong because extensive customization often complicates data migration, as custom fields, tables, and logic must be mapped and transformed, increasing the risk of data loss or corruption. Option C is wrong because user acceptance typically increases when the system is customized to align with existing business processes, as it reduces the need for users to adapt to new workflows.

78 · MCQ · easy

An IS auditor is reviewing a software development project that follows the waterfall model. Which of the following is the MAIN advantage of this methodology?

A. Reduced risk of requirements misinterpretation
B. Clear milestones and documentation at each phase
C. Early delivery of working software increments
D. Ability to accommodate changing requirements easily
Answer: B

Each phase produces deliverables and sign-offs.

Why this answer

Waterfall's sequential phases and formal sign-offs provide clear milestones and documentation.

79 · MCQ · hard

During a spiral SDLC project, the project team has completed a risk analysis and created a prototype. What is the most likely next step in the spiral model?

A. Deploy the system to production
B. Obtain formal sign-off from the business owner on requirements
C. Develop the next level of the product based on the risk analysis
D. Conduct user acceptance testing (UAT)
Answer: C

In the spiral model, after risk analysis, the team proceeds to develop the next level of the product (e.g., a more refined prototype or increment).

Why this answer

In the spiral model, each iteration begins with identifying objectives, evaluating alternatives, and resolving risks through risk analysis. After completing risk analysis and building a prototype, the next step is to develop the next level of the product, incorporating the risk analysis findings to refine requirements and design. This ensures that high-risk areas are addressed incrementally before proceeding to subsequent phases.

Exam trap

The trap here is that candidates confuse the spiral model's iterative prototyping with a linear waterfall approach, mistakenly thinking that a prototype leads directly to deployment or formal sign-off, rather than understanding that the spiral model uses risk-driven iteration to progressively refine the product.

How to eliminate wrong answers

Option A is wrong because deploying to production occurs only after multiple iterations and final validation, not immediately after a single risk analysis and prototype. Option B is wrong because formal sign-off on requirements is typically done earlier in the planning phase, not after risk analysis and prototyping; the spiral model emphasizes iterative refinement over rigid sign-offs. Option D is wrong because user acceptance testing (UAT) is performed later in the development cycle, after the product has been built and tested, not directly after risk analysis and prototyping.

80 · MCQ · medium

An IS auditor is reviewing the system design phase of a project. Which of the following activities is most important to ensure that security is adequately addressed?

A. Creating a data flow diagram
B. Developing a detailed project schedule
C. Conducting a threat modeling exercise
D. Reviewing the budget for security tools
Answer: C

Threat modeling proactively identifies and mitigates security risks.

Why this answer

Threat modeling identifies potential security threats and informs the design of controls, ensuring security is built in.

81 · MCQ · easy

During which phase of the waterfall SDLC should security requirements be formally documented and approved by the business owner?

A. Development phase
B. Requirements phase
C. Design phase
D. Testing phase
Answer: B

The requirements phase is the correct stage for documenting and approving security requirements.

Why this answer

In the waterfall model, security requirements must be defined during the requirements phase to ensure they are integrated into the design. Formal sign-off by the business owner ensures accountability.

82 · MCQ · easy

Which of the following is the primary purpose of conducting a static application security test (SAST) during the development phase of the SDLC?

A. To ensure the application is free of runtime errors
B. To validate that the application meets business requirements
C. To identify security vulnerabilities in the source code
D. To test the application's performance under load
Answer: C

SAST is a white-box test that finds coding flaws.

Why this answer

SAST analyzes source code for vulnerabilities early in development, allowing fixes before deployment.

83 · MCQ · medium

An IS auditor is reviewing change management procedures and finds that standard changes are approved by the change manager without CAB review. What is the auditor's BEST conclusion?

A. This is acceptable provided that standard changes are clearly defined and low-risk
B. The change manager should be a member of the CAB
C. The auditor should recommend that all changes go through CAB
D. This is a control weakness because all changes should be reviewed by the CAB
Answer: A

ITIL allows standard changes to be handled via a pre-approved process to improve efficiency.

Why this answer

Standard changes are pre-approved, low-risk changes that do not require CAB review. This is acceptable if the criteria for standard changes are properly defined.

84 · MCQ · hard

During an ERP implementation, data migration is a critical activity. Which of the following controls would be most effective in ensuring the accuracy and completeness of migrated data?

A. Using automated data extraction tools
B. Performing a trial migration and reconciling the results
C. Assigning a data owner for each data field
D. Running parallel processing for one month
Answer: B

Trial migration with reconciliation identifies discrepancies before final migration.

Why this answer

Reconciliation reports compare source and target data, providing evidence of completeness and accuracy. Other options are less direct.

85 · Multi-Select · medium

An IS auditor is reviewing a post-implementation review of a new payroll system. Which TWO findings should most concern the auditor? (Select two.)

Select 2 answers
A. The project was completed 10% over budget.
B. User acceptance testing did not include all payroll scenarios.
C. The vendor's implementation team was helpful.
D. The system's response time is slower than expected.
E. Some employees reported inaccurate pay calculations.
Answers: B, E

Missing test scenarios could result in undetected errors.

Why this answer

Inaccurate pay calculations and unresolved segregation of duties issues directly impact control objectives and financial accuracy.

86 · MCQ · hard

An IS auditor is evaluating the change management process for a critical financial application. The auditor finds that all standard changes are approved by the Change Advisory Board (CAB). However, emergency changes are approved by the IT manager and later ratified by the CAB. Which of the following is the greatest risk associated with this process?

A. The IT manager may not have sufficient technical expertise to approve emergency changes.
B. Emergency changes may be delayed while waiting for CAB ratification.
C. The CAB may not have enough time to review emergency changes properly.
D. There is no clear definition of what constitutes an emergency change.
Answer: D

Without a clear definition, non-emergency changes could be inappropriately fast-tracked.

Why this answer

Without a well-defined definition of what constitutes an emergency, changes could be misclassified to bypass CAB scrutiny, weakening controls.

87 · Multi-Select · medium

An organization is evaluating two vendors for a critical cloud-based ERP system. Which TWO contractual clauses are most important to include to ensure the organization can monitor vendor performance and security? (Select TWO)

Select 2 answers
A. Data ownership clause
B. Indemnification clause
C. Audit rights
D. Service level agreements (SLAs)
E. Non-disclosure agreement (NDA)
Answers: C, D

Audit rights allow the organization to assess the vendor's security and operational controls.

Why this answer

Service level agreements (SLAs) define performance metrics and remedies for breaches, ensuring accountability. Audit rights allow the organization to verify the vendor's controls, which is essential for security and compliance.

88 · MCQ · medium

An organization is implementing an ERP system and is concerned about segregation of duties conflicts. What is the most effective control to address this risk during implementation?

A. Implementing role-based access controls
B. Performing a data migration risk assessment
C. Reviewing vendor SOC 2 reports
D. Conducting user acceptance testing
Answer: A

Correct. Role-based access controls enforce segregation of duties by limiting user permissions.

Why this answer

Segregation of duties conflicts are best addressed by designing and implementing role-based access controls tailored to the organization's processes.

89 · MCQ · easy

Which of the following is a key objective of a post-implementation review?

A. To conduct penetration testing
B. To approve the project budget
C. To determine if the system meets user requirements
D. To select the vendor
Answer: C

Correct. The review evaluates whether objectives were met.

Why this answer

A post-implementation review assesses whether the system meets its objectives and identifies lessons learned.

90 · Multi-Select · easy

During the design phase of an SDLC, which TWO activities should be performed to ensure security is integrated into the system? (Select TWO)

Select 2 answers
A. User acceptance testing (UAT)
B. Code review
C. Threat modeling
D. Architecture review
E. Penetration testing
Answers: C, D

Threat modeling helps identify and mitigate security threats during design.

Why this answer

Architecture review ensures the system design meets security requirements, and threat modeling identifies potential threats and vulnerabilities early. Both are proactive security controls in the design phase.

91 · MCQ · hard

An organization is implementing an enterprise resource planning (ERP) system. The project team plans to migrate legacy data without performing a full reconciliation between source and target systems. As an IS auditor, which of the following should be your PRIMARY concern?

A. The legacy system may be decommissioned prematurely
B. User acceptance testing may be delayed
C. The data migration may exceed the planned timeline
D. Incomplete or inaccurate data may be loaded into the new system
Answer: D

Without reconciliation, errors go unnoticed, leading to unreliable data.

Why this answer

Data migration without reconciliation can cause undetected data corruption or loss, impacting financial reporting and operations.

92 · MCQ · hard

An IS auditor is reviewing a contract with a vendor for a new financial system. Which of the following clauses is MOST critical to ensure auditability?

A. Penalties for non-performance
B. Service level agreements (SLAs) for system uptime
C. Right to audit the vendor's operations and controls
D. Data ownership and confidentiality provisions
Answer: C

This ensures the organization can verify compliance and controls.

Why this answer

Audit rights allow the organization to review the vendor's controls and operations, which is essential for assurance.

93 · Multi-Select · hard

An organization is implementing a new CRM system using an iterative development methodology. The IS auditor wants to verify that appropriate controls are in place. Which THREE of the following are essential controls for iterative development? (Select THREE.)

Select 3 answers
A. Formal sign-off on a complete requirements document before development begins
B. Risk assessment at the start of each iteration
C. Version control and configuration management
D. A mandatory change control board for every change
E. Frequent stakeholder reviews and feedback after each iteration
Answers: B, C, E

Iterative risk assessment helps identify and mitigate new risks.

Why this answer

Iterative development requires continuous stakeholder involvement, version control, and risk assessment each iteration. These controls ensure the evolving system meets requirements and manages risks.

94 · Multi-Select · hard

An organization is planning to purchase a cloud-based HR system. Which THREE of the following should be included in the vendor contract to ensure adequate control and oversight? (Select three.)

Select 3 answers
A. A list of all subprocessors
B. Right to audit the vendor's controls
C. Service-level agreement (SLA) specifying uptime and response times
D. A fixed-price payment schedule
E. Data ownership and data protection clauses
Answers: B, C, E

Audit rights allow the organization to verify controls.

Why this answer

A right to audit the vendor's controls (Option B) is essential for ensuring that the cloud-based HR system's security and operational controls are functioning as agreed. This contractual clause allows the organization to verify compliance with policies, regulations, and the vendor's own security assertions, such as SOC 2 Type II reports or ISO 27001 certifications, through direct examination or independent third-party assessments.

Exam trap

Cisco often tests the distinction between operational requirements (like a list of subprocessors) and actual control/oversight mechanisms (like audit rights and SLAs), leading candidates to select transparency items instead of enforceable governance clauses.

95 · MCQ · easy

What is the PRIMARY purpose of conducting a static application security testing (SAST) during the development phase?

A. To identify security vulnerabilities in the source code
B. To ensure the application is free of logic errors
C. To test the application's functionality
D. To validate that security requirements are met
Answer: A

This is the primary purpose of SAST.

Why this answer

SAST analyzes source code for vulnerabilities early in the SDLC, allowing remediation before deployment.

96 · MCQ · medium

An IS auditor is reviewing an agile software development project. Which of the following practices would BEST help ensure that security controls are adequately addressed?

A. Requiring sign-off from the project sponsor before each sprint review
B. Performing a single comprehensive security test after all sprints are complete
C. Conducting a formal design review at the end of each sprint
D. Including security acceptance criteria in user stories
Answer: D

Security criteria in user stories ensure that security is tested and verified during the sprint.

Why this answer

In agile, security requirements should be included in user stories and tested during the sprint. Accepting a user story only after successful testing ensures security is validated.

97 · Multi-Select · hard

An IS auditor is reviewing a project that uses an iterative SDLC approach. Which THREE controls should the auditor expect to see in place during the development iterations? (Select THREE)

Select 3 answers
A. Formal sign-off on requirements before each iteration
B. Code reviews
C. User acceptance testing (UAT) before each iteration
D. Static application security testing (SAST)
E. Unit testing
Answers: B, D, E

Code reviews are a key control for ensuring code quality and security in each iteration.

Why this answer

Code reviews ensure code quality and security. Static application security testing (SAST) identifies vulnerabilities in source code. Unit testing validates individual components.

These are key controls in iterative development.

98 · Multi-Select · hard

An organization is adopting a DevOps approach for system development. Which THREE controls should an IS auditor expect to see in place to maintain security and compliance?

Select 3 answers
A. Annual penetration testing after the release
B. Automated security scanning integrated into the CI/CD pipeline
C. Version control and change tracking for infrastructure as code
D. Manual code review for every change before deployment
E. Real-time monitoring and logging of production systems
Answers: B, C, E

Ensures security checks are performed with every build.

Why this answer

In DevOps, automated security scanning, infrastructure as code with security review, and continuous monitoring are key controls to integrate security into the pipeline.

99 · Multi-Select · medium

During a change management audit, which TWO of the following are essential elements of a normal change request? (Select two.)

Select 2 answers
A. The name of the developer who will implement the change
B. Justification for the change
C. The project manager's approval
D. Impact analysis
E. A list of all users affected
Answers: B, D

Justification explains why the change is needed.

Why this answer

A change request should include justification and an impact analysis to assess risks and benefits before approval.

100 · MCQ · medium

An organization is implementing a new CRM system using an agile methodology. The IS auditor wants to assess whether security requirements are being addressed. What is the best evidence for the auditor to review?

A. The security policy
B. The sprint retrospective minutes
C. The system architecture document
D. The product backlog
Answer: D

The backlog captures all requirements, including security, as user stories.

Why this answer

The product backlog contains user stories, including security-related stories. Reviewing them shows whether security requirements are explicitly included.

101 · MCQ · hard

An organization is using a spiral model for a high-risk project. The IS auditor wants to ensure that risk assessment is performed at each iteration. Which of the following is the BEST evidence that this control is effective?

A. The project schedule shows spiral iterations
B. Each spiral iteration includes a risk analysis document
C. The project manager has a risk management plan
D. The system has passed user acceptance testing
Answer: B

Documented risk analysis is direct evidence of the control.

Why this answer

In the spiral model, each cycle includes risk analysis; documented risk assessments in iteration artifacts demonstrate this.

102 · MCQ · hard

An organization is implementing an agile methodology for a new software project. Which of the following is the MOST effective control to ensure that security requirements are addressed?

A. Conducting a single security requirements review at the start of the project
B. Including security requirements in the product backlog
C. Requiring a separate security sprint after development
D. Performing a security audit only at the end of the project
Answer: B

This integrates security into the iterative process.

Why this answer

In agile, including security requirements in the product backlog ensures they are prioritized and addressed in each sprint.

103 · MCQ · medium

An organization is implementing a new CRM system and has chosen a build (in-house development) approach over buying a COTS product. Which of the following is the most significant risk of this decision?

A. Inability to customize the system to meet user requirements
B. Higher likelihood of project delays and budget overruns
C. Reduced control over security and data privacy
D. Vendor lock-in due to proprietary technology
Answer: B

In-house projects often face delays and cost overruns due to complexity and changing requirements.

Why this answer

In-house development carries a higher risk of project delays and budget overruns due to unforeseen technical challenges, scope creep, and resource constraints. This is a well-known risk in custom development projects.

104 · MCQ · medium

In the context of ITIL change management, which change type requires approval from the Change Advisory Board (CAB)?

A. Emergency change
B. Normal change
C. Minor change
D. Standard change
Answer: B

Correct. Normal changes require CAB approval.

Why this answer

Normal changes require CAB approval because they have a higher risk and impact, unlike pre-approved standard changes or emergency fast-track changes.

105 · Multi-Select · medium

Which TWO of the following are typical controls in the testing phase of the SDLC? (Select two.)

Select 2 answers
A. Rollback plan testing
B. Code reviews
C. Security testing (DAST/pen test)
D. Threat modeling
E. User acceptance testing (UAT)
Answers: C, E

Security testing is part of the testing phase.

Why this answer

UAT ensures user acceptance, and security testing (e.g., DAST) identifies vulnerabilities before deployment.

106 · Multi-Select · medium

An IS auditor is reviewing vendor management practices for a cloud-based SaaS solution. Which TWO of the following are critical elements to include in the contract's service level agreement (SLA)? (Select TWO.)

Select 2 answers
A. Guaranteed uptime percentage with penalties for non-compliance
B. The vendor's marketing plan for the solution
C. Data ownership and portability rights
D. The vendor's employee training program details
E. The vendor's disaster recovery testing schedule
Answers: A, C

Uptime guarantees are a key performance indicator in SLAs.

Why this answer

The SLA should define performance metrics (uptime) and data ownership/portability to ensure business continuity and data control. Audit rights are also important but are often in a separate clause.

107 · Multi-Select · medium

An IS auditor is evaluating an organization's SDLC controls for a new system. Which TWO of the following are key controls that should be in place during the design phase? (Select TWO.)

Select 2 answers
A. Architecture review by a senior architect
B. Static application security testing (SAST)
C. User acceptance testing (UAT)
D. Regression testing
E. Threat modeling to identify security threats
Answers: A, E

Architecture review validates the design against requirements and best practices.

Why this answer

Architecture review by a senior architect is a key control during the design phase because it ensures the system's high-level structure aligns with security, scalability, and business requirements before development begins. This review catches design flaws early, reducing costly rework and preventing architectural weaknesses that could be exploited later. It is a formal gate in the SDLC that validates the design against established patterns and standards.

Exam trap

The trap here is that candidates confuse security testing techniques like SAST with design-phase controls, or they mistakenly think UAT or regression testing occur early in the SDLC, when in fact they belong to later phases.

108 · MCQ · medium

An organization is selecting a vendor for a new procurement system. Which of the following is the MOST important factor to include in the contract?

A. A clause limiting vendor liability
B. Fixed price for the entire contract term
C. Detailed service level agreements (SLAs)
D. Right to audit the vendor's security controls
Answer: D

This allows the organization to assess vendor compliance.

Why this answer

Audit rights ensure the organization can verify vendor controls and compliance, which is critical for outsourcing.
