ISACA CISA Exam Questions
1. Which of the following is NOT one of the five volumes of the IT Infrastructure Library (ITIL)?
- Service Delivery
- Service Strategy
- Service Design
- Continual Service Improvement
Correct answer: Service Delivery
The IT Infrastructure Library (ITIL) is a reference body of knowledge for service delivery best practices. It is a comprehensive framework detailed over five volumes: Service Strategy, Service Design, Service Transition, Service Operations, and Continual Service Improvement.
The main objective of ITIL is to improve service quality to a business.
2. Which of the following statements is TRUE about the QA group in an enterprise?
- The QA group needs to be independent.
- The group is more efficient if each programmer does quality control for their own work.
- The best person to perform quality reviews of application system changes is the system programmer.
- The QA group primarily checks output accuracy.
Correct answer: The QA group needs to be independent.
Since QA needs to have the freedom to analyze quality without being influenced by other departments, it should be independent.
A programmer should never do quality control for their own work, and quality control should never be done when there is a role conflict. For example, a system programmer should not be doing reviews for application system changes. The quality control (QC) group assists by checking the accuracy of outputs.
3. One common way of defining project objectives is to use an OBS. What characterizes an OBS?
- Represents components of the solution and their relationship to each other in a table or graph
- Uses a sequence of activities to determine the longest path through a project
- Makes a logical representation of tasks that must be performed to complete the project
- Creates a chart that shows the start and end dates for activities in a project
Correct answer: Represents components of the solution and their relationship to each other in a table or graph
An object breakdown structure (OBS) represents component solutions and their relationship to each other in a table or graph. It helps visualize the scope of the project. An OBS also helps prevent components from being overlooked.
Critical path methodology uses a sequence of activities to determine the longest path through a project. WBS makes a logical representation of tasks that must be performed to complete the project. A Gantt chart shows the start and end dates for activities in a project.
4. What is the MOST SECURE type of firewall system?
- Screened-subnet firewall
- Dual-homed firewall
- Screened-host firewall
- Application firewall
Correct answer: Screened-subnet firewall
The screened-subnet firewall, or demilitarized zone (DMZ), is the most secure firewall system. The system uses two packet-filtering routers plus a bastion host. This type of firewall is the most secure because it supports both network- and application-level security and provides the extra security of the DMZ network. A DMZ is configured to minimize access from both the internet and the organization. It protects the organization by limiting available services.
A dual-homed firewall has two network interface cards. A screened-host firewall uses a bastion host and packet-filtering router. An application firewall filters data based on the application layer of the OSI model.
5. An auditor is examining an organization's enterprise architecture. They notice that while the organization's application servers have strict security controls against external connections, they do NOT apply strict security controls to connections originating from their internal network. In this situation, what should the auditor note in their recommendations?
- Implement zero trust
- Add perimeter-based security
- Use SIEM
- Require IAM
Correct answer: Implement zero trust
With a zero-trust network, every connection is treated as if it is coming from an untrusted client. This is useful because even connections from internal networks could be compromised due to malware.
Perimeter-based security uses firewalls or other security controls to protect network resources. Security information and event management (SIEM) collects security logs across a network. Identity and access management (IAM) directs user access to network resources.
6. What is the foundation of effective security for any organization?
- User awareness and training
- Strong passwords
- Multi-factor authentication
- System hardening
Correct answer: User awareness and training
The foundation for effective security is an organization's people. Users need awareness and training to know their security expectations.
Strong passwords, multi-factor authentication, and system hardening are components of security but are not as encompassing as user awareness and training.
7. When are session keys generated during a cryptographic process?
- During the key exchange phase
- Before the client and server start their handshake
- At the end of the communication session
- Once the server receives its digital certificate
Correct answer: During the key exchange phase
A session key is a temporary symmetric key that is generated during the key exchange phase of a communication session. It is encrypted with the recipient's public key.
The other choices do not involve session keys.
8. How should naming conventions for system resources be structured?
- So that all resources beginning with the same high-level qualifier can be managed using the same rules
- So that it's obvious what department the resource belongs to
- So that it is clear when the resources were made available
- So that they facilitate logging an audit trail
Correct answer: So that all resources beginning with the same high-level qualifier can be managed using the same rules
Naming conventions for system resources should be structured so that the resources beginning with the same high-level qualifier can be managed together. The goal is to reduce the number of rules for managing resources and to make security administration and maintenance easier and more transparent.
Naming conventions are usually set by the owners of the data in collaboration with the security officer. These conventions need to simplify security administration and make it easier to prevent unauthorized access.
9. What is the term for a field in a database table that uniquely identifies each row?
- Primary key
- Foreign key
- Index
- Data dictionary
Correct answer: Primary key
A primary key is a unique field in a database table. Common primary keys are fields such as user IDs or invoice numbers.
A foreign key is a field that refers to a primary key in another table. An index is used to make searches faster. A data dictionary is a directory system for storing information about the internal structure of databases.
10. Which of the following is the BEST definition of compliance testing?
- Gathering evidence in order to test a business’s compliance with control procedures
- Gathering evidence in order to evaluate the integrity of transactions, data, or other information
- Gathering evidence in order to measure the effectiveness and efficiency of controls, primarily by automated processes
- Extrapolating characteristics of a large population based on the characteristics of a sample
Correct answer: Gathering evidence in order to test a business’s compliance with control procedures
The best definition of compliance testing is gathering evidence in order to test a business’s compliance with control procedures. For example, an auditor may look at a certain system such as change control and determine whether this is being done properly.
Evaluating the integrity of transactions and data is substantive testing. IS auditing is concerned with the assessment of IS controls. Sampling is used to infer the characteristics of the entire population.
11. An IS auditor is examining a company's job scheduling automation. Some discoveries they have made in this area include daily backups occurring every night, running system reorganization scripts during office hours, logs of job runs sent to a logging server, and personnel who record all exceptions to job processing requests.
In this scenario, what should an auditor recommend to the company?
- Run system reorganization scripts during off-hours
- Change backups to run every other day
- Keep log files on the system where they are run
- Alert personnel to all job processing events
Correct answer: Run system reorganization scripts during off-hours
Intensive jobs should be run during non-peak times. This will save resources for users.
Backups should be performed at least daily during non-peak hours. Log files can be sent to a logging server for analysis. Too many alerts can lead to false positives or personnel missing an important event.
12. A company is using system interfaces for transferring data to partner organizations. If the data is intercepted in transit, the unauthorized user intercepting the data must not be able to read it. What type of solution should they implement in this scenario?
- Encryption
- MAC
- IDS
- Network segmentation
Correct answer: Encryption
By using appropriate encryption, the data in transit will be unreadable by any unauthorized person who intercepts it.
Mandatory access control (MAC) assigns labels to resources. An intrusion detection system (IDS) is used to discover threats on a network. Network segmentation is used to increase security and optimize local networks.
13. An auditor is examining the environmental controls of a company's server room. They find that the company controls the power supply with surge protection and a UPS, along with a power generator in the building; uses air conditioning and ventilation to maintain a constant environment in the room; has an anti-static floor mat on the ground; and prohibits smoking, eating, and drinking in the room.
Based on these findings, what should an auditor recommend?
- Add humidity control to the room
- Remove the UPS because it conflicts with the power generator
- Replace the anti-static floor mat with carpet
- Allow beverages in the room
Correct answer: Add humidity control to the room
For environmental control, temperature, humidity, and ventilation are important. Humidity that is too low or too high will present issues for computers.
A UPS is needed to maintain operations during short power outages. An anti-static floor mat helps prevent ESD damage. Beverages should not be allowed because liquids can damage equipment.
14. A company issues mobile devices to employees that often contain sensitive information. In case a device is lost or stolen, they want to reduce the risk of data exfiltration. Which feature of mobile device management should they use to accomplish this?
- Remote wipe
- Acceptable use policy
- Geofencing
- Device registration
Correct answer: Remote wipe
A remote wipe is the ability to reset a system remotely. This will remove all sensitive data on the device.
An acceptable use policy is an agreement that users should agree to before using company equipment. Geofencing is used to create a virtual boundary around an area. Device registration is used to ensure that devices are recognized.
15. While documenting evidence for an audit, an auditor is observing employees in the performance of their duties. The auditor notices that one employee is doing work that they should not have access to. What category of exception should the auditor note in this scenario?
- Actual functions
- Actual processes
- Security awareness
- Reporting relationships
Correct answer: Actual functions
Job functions should be completed by the particular person who is assigned the job. An employee doing another user's job can be a sign of improper logical access rights.
Actual processes refer to not following documented procedures to complete a process. Security awareness refers to employees being trained to practice preventive security measures. Reporting relationships refers to following the hierarchy of authority in an organization.
16. A company has recently implemented an IDS. Now, an auditor has been asked to assign value to that project. Which framework can they use for IT portfolio management to aid in this?
- Val IT
- ITIL
- NIST 800-53
- ISO 9001
Correct answer: Val IT
ISACA's IT Value Delivery (Val IT) framework is an IT portfolio management framework. It is a part of the COBIT framework.
ITIL is a framework for service delivery. NIST 800-53 is a framework for security controls. ISO 9001 is a framework for quality assurance.
17. An IS auditor has been contracted by Acme Inc. to review their network configuration and determine best-practice improvements. Acme has a signature-based intrusion detection system that is being employed in the hope of discovering an attacker if the attacker were to penetrate the network. Which of the following discoveries would be the MOST concerning?
- The IDS is configured for manual updates of signature files.
- An anomaly-based IDS is also analyzing traffic.
- Data packets that are encrypted and transmitted on the network are not being analyzed.
- The IDS is located on the perimeter between the internet and the internal network.
Correct answer: The IDS is configured for manual updates of signature files.
A signature-based intrusion detection system relies on accurate and up-to-date signature files in order to perform its necessary function: detecting intrusions. If the updates are being performed manually and not automatically, there is a chance that they are being updated infrequently and not in time to be effective against potential threats. Automatic updating should be enabled to ensure that the new signatures are downloaded and enforced as they are made available.
18. A new programmer at a software development company has been issued organization-provided hardware and software. They discover they cannot use external data storage devices or install their own applications when using their system. What type of control has the organization implemented on its employees' systems?
- End-user computing
- Intrusion prevention system
- Web content filtering
- Data loss prevention
Correct answer: End-user computing
End-user computing refers to the ability of users to implement their own applications or information systems. An organization typically uses enterprise management tools to manage end users' computers.
Intrusion prevention systems detect and mitigate attacks. Web content filtering protects users from malicious websites. Data loss prevention stops data exfiltration, including blocking USB drives.
19. Network architecture is often based on the Open System Interconnection model. In this model, what does the presentation layer do?
- Transforms data to provide a standard interface for the application layer
- Controls sessions between computers
- Provides reliable transfer of data between endpoints, recovery, and flow control
- Creates a virtual circuit between the transport layer on a local device and the transport layer on a remote device
Correct answer: Transforms data to provide a standard interface for the application layer
The presentation layer transforms data so that it presents a standard interface. The presentation layer also provides services like encryption and reformatting. It can transform EBCDIC into ASCII, for example. It can transform data and pass it to the session layer, then transform data from the session layer to prepare it to be processed by the application layer.
The session layer controls sessions between computers. The transport layer provides reliable transfer of data between endpoints, recovery, and flow control. The network layer creates a virtual circuit between the transport layer on a local device and the transport layer on a remote device.
20. Which enterprise back-end device is used to provide information to both the public and to clients and is accessed through uniform resource locators?
- Web server
- File server
- Print server
- Proxy server
Correct answer: Web server
A web server responds to queries for information from public sources. A user can request information by entering a uniform resource locator (URL) into their web browser.
A file server holds files and folders for users on a local area network. A print server lets users on a local network print documents. A proxy server is an intermediate link between users and network resources.