Free Isaca CISA Practice Exam with Questions & Answers | Set: 3

A digital signature is the most appropriate control to ensure integrity of online orders because it provides a way to verify the authenticity and integrity of the data sent by the sender. A digital signature is created by applying a cryptographic algorithm to the data and attaching the result to the data. The receiver can then use the sender’s public key to verify that the data has not been altered or tampered with during transmission. A digital signature also provides non-repudiation, which means that the sender cannot deny sending the data.

Data Encryption Standard (DES) is a symmetric encryption algorithm that can provide confidentiality of online orders, but not integrity. DES uses the same key to encrypt and decrypt the data, which means that anyone who has the key can modify the data without detection.

Public key encryption is an asymmetric encryption algorithm that can also provide confidentiality of online orders, but not integrity. Public key encryption uses a pair of keys: a public key and a private key. The sender encrypts the data with the receiver’s public key, and the receiver decrypts it with their own private key. However, public key encryption does not prevent anyone from modifying the encrypted data.

Multi-factor authentication is a control that can provide authentication and authorization of online orders, but not integrity. Multi-factor authentication requires the user to provide two or more pieces of evidence to prove their identity, such as a password, a token, or a biometric factor. Multi-factor authentication can prevent unauthorized access to online orders, but it does not protect the data from being modified after being sent.

References:

ISACA, CISA Review Manual, 27th Edition, 2019, p. 281 1

ISACA, CISA Review Questions, Answers & Explanations Database - 12 MonthSubscription 2

The most effective method of destroying sensitive data stored on electronic media is physical destruction, which involves breaking, shredding, melting, or incinerating the media to make it unreadable and unrecoverable. Degaussing, random character overwrite, and low-level formatting are methods of sanitizing or erasing data from electronic media, but they do not guarantee complete destruction of data and may leave some traces that can be recovered by advanced techniques. Therefore, physical destruction is the most secure and reliable method of data disposal for sensitive data. References: CISA Review Manual (Digital Version), Chapter 5: Protection of Information Assets, Section 5.4: Data Disposal

Recovery facilities providing a redundant combination of Internet connections to the local communications loop is an example of last-mile circuit protection. Last-mile circuit protection is a type of telecommunications continuity that ensures the availability and redundancy of the final segment of the network that connects the end-user to the service provider. The local communications loop, also known as the local loop or subscriber line, is the physical link between the customer premises and the nearest central office or point of presence of the service provider. Byhavingmultiple Internet connections from different providers or technologies, such as cable, DSL, fiber, wireless, or satellite, the recoveryfacilities can avoid losing connectivity in case one of the connections fails or is disrupted by a disaster5.

References:

9: Last Mile Redundancy - How to Ensure Business Continuity - Multapplied Networks

This means that the IT investments are aligned with the strategic goals and priorities of the organization, and that they deliver value and benefits to the business. Mapping IT investments to specific business objectives can help ensure that the IT investments are relevant, justified, and measurable, and that they support the organization’s mission and vision.

IT investments are implemented and monitored following a system development life cycle (SDLC) is an indication of effective IT project management, but not necessarily of effective IT investment management. The SDLC is a framework that guides the development and implementation of IT systemsand applications, but it does not address the alignment, justification, or measurement of the IT investments.

Key performance indicators (KPIs) are defined for each business requiring IT investment is an indication of effective IT performance management, but not necessarily of effective IT investment management. KPIs are metrics that measure the outcomes and results of IT activities and processes, but they do not address the alignment, justification, or value of the IT investments.

The IT investment budget is significantly below industry benchmarks is not an indication of effective IT investment management, but rather of low IT spending. The IT investment budget should be based on the organization’s needs and capabilities, and not on external comparisons. A low IT investment budget may indicate that the organization is underinvesting in IT, which could limit its potential for growth and innovation.

Requiring a key code to be entered on the printer to produce hard copy is a method to prevent disclosure of classified documents printed on a shared printer. This is because requiring a key code adds an extra layer of security and authentication to the printing process, ensuring that only authorized users can access and retrieve the printed documents. Requiring a key code also prevents unauthorized users from viewingor tampering with the documents while they are in the printer’s queue or output tray1.

Using passwords to allow authorized users to send documents to the printer is not a sufficient method to prevent disclosure of classified documents printed on a shared printer. This is because passwords only protect the transmission of the documents from the user’s computer to the printer, but they do not protect the documents once they are printed. Passwords can also be compromised or forgotten by users, making them vulnerable to unauthorized access or denial of service2.

Encrypting the data stream between the user’s computer and the printer is not a sufficient method to prevent disclosure of classified documents printed on a shared printer. This is because encryption only protects the confidentiality and integrity of the documents while they are in transit, but they do not protect the documents once they are printed. Encryption can also introduce performance issues or compatibility problems with different printers or devices2.

Producing a header page with classification level for printed documents is not a method to prevent disclosure of classified documents printed on a shared printer. This is because producing a header page only informs the users about the sensitivity and handling of the documents, but it does not prevent unauthorized users from accessing or viewing them. Producing a header page can also waste paper and ink, as well asincrease the risk of misplacing or mixing up the documents

The quality assurance (QA) phase is the phase where the IS auditor should first examine requirements from an in-house SDLC project that has not met user specifications. This is because the QA phase is the phase where the system is tested and verified against the user specifications and the design specifications to ensure that it meets the functional and non-functional requirements, as well as the quality standards and expectations. The QA phase involves various testing activities, such as unit testing, integration testing, system testing, acceptance testing, performance testing, security testing, etc., to identify and resolve any defects, errors, or deviations from the specifications12.

The configuration phase is not the phase where the IS auditor should first examine requirements from an in-house SDLC project that has not met user specifications. The configuration phase is the phase where the system is installed and configured on the target environment, such as hardware, software,network, etc., to prepare it for deployment and operation. The configuration phase may involve activities such as installation, customization, migration, integration, etc., to ensure that the system is compatible and interoperable with the existinginfrastructure and systems34.

The user training phase is not the phase where the IS auditor should first examine requirements from an in-house SDLC project that has not met user specifications. The user training phase is the phase where the end-users are trained and educated on how to use the system effectively and efficiently. The user training phase may involve activities such as developing training materials, conducting training sessions, providing feedback and support, etc., to ensure that the users are familiar and comfortable with the system features and functions56.

The development phase is not the phase where the IS auditor should first examine requirements from an in-house SDLC project that has not met user specifications. The development phase is the phase where the system is coded and built based on the design specifications and the user specifications. The development phase may involve activities such as programming, debugging, documenting, etc., to create a working prototype or a final product of the system

 A checksum is classified as a detective control. A checksum is a mathematical value that is calculated from a data set and used to verify the integrity of the data. A checksum can detect if the data has been altered or corrupted during transmission or storage. A checksum does not prevent or correct the data corruption, but it alerts the user or system of the problem. Therefore, it is a detective control. A preventive control is a control that prevents an error or incident from occurring. A corrective control is a control that restores normal operations after an error or incident has occurred. Anadministrative control is a controlthat involves policies, procedures, standards, guidelines, or organizational structures. References: CISA Review Manual (Digital Version)1, page 439.

A single point of failure is a component or system that, if it fails, will cause the entire system to stop functioning. In virtual environments, the hypervisor is the software layer that enables multiple virtual machines to run on a single physical host. If the hypervisor is compromised, corrupted, or unavailable, all the virtual machines running on that host will be affected. This can result in data loss, downtime, or security breaches.

References

ISACA CISA Review Manual, 27th Edition, page 254

Virtualization: What are the security risks?

What Is a Hypervisor? (Definition, Types, Risks)

 An IT balanced scorecard is primarily used for measuring IT strategic performance. An IT balanced scorecard is a framework that translates the IT strategy into measurable objectives, indicators, targets, and initiatives across four perspectives: financial, customer, internal process, and learning and growth. An IT balanced scorecard helps to monitor and evaluate how well the IT function is delivering value to the organization, achieving its strategic goals, and improving its capabilities and competencies. The otheroptions are not the primary uses of an IT balanced scorecard, because they either focus on specific aspects of IT rather than the overall performance, or they are not directly related to the IT strategy. References: CISA Review Manual (Digital Version)1, Chapter 1, Section 1.2.3

The first step in managing the impact of a recently discovered zero-day attack is to identify vulnerable assets. A zero-day attack is a cyberattack that exploits a previously unknown or unpatched vulnerability in a software or system, before the vendor or developer has had time to fix it. Identifying vulnerable assets is crucial for managing the impact of a zero-day attack, because it helps to determine the scope and severity of the attack, prioritize the protection and mitigation measures, and isolate or quarantine the affected assets from further damage or compromise. The other options are not the first steps in managing the impact of a zero-day attack, because they either require more informationabout the vulnerable assets, or they are part of the subsequentsteps of assessing, responding, or recovering from the attack. References: CISA Review Manual (Digital Version)1, Chapter 5, Section 5.2.4

Control self-assessment (CSA) is a process that allows business units to evaluate the effectiveness of internal controls. It is primarily used toestablish baselines(Option B) for measuring control effectiveness and risk management.

ISACA CISA Reference:CSA is a recognized internal control mechanism that supports risk assessment and control improvement.

Risk Implication:If CSAs are not conducted properly, organizations may lack visibility into weak controls, increasing exposure to risks.

Alternative Choices:

Option A:CSA does not focus on asset valuation.

Option C:Strategic business goals are assessed separately through governance processes.

Option D:CSA complements, but does not replace, formal audits.

Comprehensive and Detailed Step-by-Step Explanation:

Data collection and obtaining consentis themost critical regulatory requirementwhen using customer data for AI training, especially under laws likeGDPR, CCPA, and ISO 27701.

Collection of Data and Obtaining Consent (Correct Answer – C)

Ensures compliance withprivacy lawsthat require explicit customer consent.

Example:UnderGDPR, companies mustinform usershow their data will be used and allow them toopt out.

AI Algorithm Accuracy (Incorrect – A)

Important formodel performancebutnot a primary legal concern.

Ethical Use of Computing Resources (Incorrect – B)

Ethical considerations are valuable butnot a regulatory priority.

Continuous Monitoring of AI (Incorrect – D)

Ensuresperformance, butregulatory compliance focuses on data privacy.

References:

ISACA CISA Review Manual

GDPR & CCPA Compliance Guidelines

ISO 27701 (Privacy Information Management System)

Comprehensive and Detailed Step-by-Step Explanation:

Thoroughsystem testingbefore deployment helps identify potentialbugs, vulnerabilities, and performance issuesto prevent system failures.

System Testing (Correct Answer – B)

Detects defects that could lead to system crashes.

Ensures compatibility and performance stability.

Example:Stress testing an e-commerce application to prevent crashes on Black Friday.

System Recovery Plan (Incorrect – A)

Focuses on recovery after failure rather than prevention.

Business Continuity Plan (Incorrect – C)

Addresses overall business resilience, not application stability.

Transaction Monitoring (Incorrect – D)

Detects fraud and anomalies but does not prevent failures.

References:

ISACA CISA Review Manual

NIST 800-160 (Systems Security Engineering)

Periodic recertification of users ensures that only authorized individuals retain access to cloud services and helps identify and revoke access for users who no longer require it. This is a critical control for maintaining security and compliance in a cloud environment.

Classifying Cloud Services (Option A):This is foundational but does not verify ongoing user access.

Centrally Managing Users (Option B):While useful for consistency, it does not assess whether access rights are still valid.

Ensuring Cloud Process Resilience (Option C):This focuses on operational continuity rather than access control.

Periodic recertification aligns with governance practices to ensure access rights remain appropriate over time.

Using risk assessments to determine areas to be included in an audit plan is a primary benefit because it helps to prioritize the audit activities based on the level of risk and the potential impact of the audit findings. This way, the audit resources, such as time, staff, and budget, can be allocated more efficiently and effectively to the areas that need the most attention and provide the most value.

References

ISACA CISA Review Manual, 27th Edition, page 256

What is the Purpose of a Risk Assessment?

Mastering the Process of Risk Assessment

Comprehensive and Detailed Step-by-Step Explanation:

When outsourcingIS functions,independent audit provisionsensure thatcontractors meet security, compliance, and operational standards.

Option A (Incorrect):Security procedures should be included but are subject tochangeandmay not be detailedin the contract.

Option B (Correct):Independent audit rightsallow the organization toverifythat the vendor complies with security, operational, and regulatory requirements.

Option C (Incorrect):Naming specific staff isimpracticaland not acore contractual requirement.

Option D (Incorrect):Data transfer protocols are important, but they are atechnical detailrather than aprimary contract requirement.

The primary reason to perform internal QA for an internal audit function is to ensure that the internal audit activity adheres to the Definition of Internal Auditing and the International Standards for the Professional Practiceof Internal Auditing (Standards) issued by the Institute of Internal Auditors (IIA), as well as the internal audit methodology and policies of the organization. A QA program enables an evaluation of the internal audit activity’s performance, efficiency, effectiveness, and value, andidentifies opportunities for improvement. A QA program also helps to enhance the credibility and reputation of the internal audit function among the stakeholders.

References

Quality Assurance - The Institute of Internal Auditors or The IIA

Benefits of a quality assurance review for internal audit

Optimize your internal audit function with a quality assurance review …

Comprehensive and Detailed Step-by-Step Explanation:

Thespeed at which security threats are mitigatedis akey indicatorof an organization'srisk management effectiveness.

Option A (Correct):Response time to security threatsmeasures how efficiently security teams detect, analyze, and mitigate risks, providingclear insight into security operations.

Option B (Incorrect):The number of security controls auditeddoes not indicatehow well risk is being managed, only that reviews are taking place.

Option C (Incorrect):Log analysis speedis useful, but it does notdirectly measure risk mitigation effectiveness.

Option D (Incorrect):Risk register entriesindicate known risks but do not provide insight intohow well those risks are managed.

Comprehensive and Detailed Step-by-Step Explanation:

A lack ofMobile Device Management (MDM) enrollmentis the biggest concern, asunmanaged devicespose a serious security risk.

Not All Devices Enrolled in MDM (Correct Answer – C)

Unenrolled devices can bypass security policies.

Example:A stolen, unenrolled device may lack encryption, exposing corporate data.

Biometric Authentication Required (Incorrect – A)

Biometrics are anenhanced security measure, not a concern.

VPN Not Required for Internal Network (Incorrect – B)

VPNs are typically used for external access, not always needed internally.

Remote Wipe Requires Internet (Incorrect – D)

A limitation but stillless riskythan allowing unsecured devices.

References:

ISACA CISA Review Manual

NIST 800-124 (Mobile Device Security)

Comprehensive and Detailed Step-by-Step Explanation:

In forensic investigations,maintaining a proper chain of custodyiscriticalto ensuring that evidence is admissible in court and has not been altered.

Option A (Incorrect):Activatingsecurity features(e.g., encryption or tokenization) is apreventive measurebut does not aid in investigating the attack.

Option B (Incorrect):Blocking payment platforms may be necessary fordamage control, but it does not ensure a properinvestigation.

Option C (Correct):Thechain of custodyensures thatevidence remains intact, can betraced, and islegally validfor prosecution. This is the most critical aspect of forensic investigations.

Option D (Incorrect):Interviewing staff may provide insights, but without properevidence handling, the investigation’s integrity is at risk.

Reviewing input and output control reports to verify the accuracy of the system decisions is the most important procedure for the IS auditor to perform during the post-implementation review of intelligent-agent software for granting loans to customers, because it can help identify any errors or anomalies in the system logic or data that may affect the quality and reliability of the system outcomes. Reviewingsystemand error logs, signed approvals, and systemdocumentation are also important procedures, but they are not as critical as verifying the accuracy of the system decisions. References: CISA Review Manual (Digital Version), Chapter 4, Section 4.2.21

The IS auditor should inform audit management of the earlier involvement in designing the application. This is to ensure that there is no conflict of interest or bias that may affect the objectivity or independence of the audit. Audit management can then decide whether to assign a different auditor or to proceed with the same auditor with appropriate safeguards. The other options are not appropriate for the IS auditor to do in this situation. Refusing the assignment to avoid conflict of interest is an extrememeasure that may not be necessary or feasible, especially if there are no other qualified auditors available. Using the knowledge of the application to carry out the audit is risky, as it may lead to overlooking or ignoring potential issues or errors in the application. Modifying the scope of the audit is not advisable, as it may compromise the quality or completeness of the audit. References: CISA Review Manual (Digital Version), Chapter 2, Section 2.1

 To confirm integrity for a hashed message, the receiver should use the same hashing algorithm as the sender’s to create a binary image of the file. A hashing algorithm is a mathematical function that transforms an input data into a fixed-length output value, called a hash or a digest. A hashing algorithm has two main properties: it is one-way, meaning that it is easy to compute the hash from the input, but hard to recover the input from the hash; and it is collision-resistant, meaning that it is very unlikely to find two different inputs that produce the same hash. These properties make hashing algorithms useful for verifying the integrity of data, as any change in the input data will result in a different hash value. Therefore, to confirm integrity for a hashed message, the receiver should use the same hashing algorithm as the sender’s to create a binary image of the file, which is a representation of the file in bits (0s and 1s). The receiver should then compare this binary image with the hash value sent by the sender. If they match, then the message has not been altered in transit. If they do not match, then the message has been corrupted or tampered with.

References:

Ensuring Data Integrity with Hash Codes

Message Integrity

 User requirements are statements that describe what the users expect from the software system in terms of functionality, quality, and usability. They are essential inputs for the software development process, as they guide the design, implementation, testing, and deployment of the system. Therefore, an IS auditor’s greatest concern when reviewing the early stages of a software development project would be the lack of acceptance criteria behind user requirements. Acceptance criteria are measurable conditions that define when a user requirement is met or satisfied. They help ensure that the user requirements are clear, complete, consistent, testable, and verifiable. Without acceptance criteria, it would be difficult to evaluate whether the system meets the user expectations and delivers value to the organization. Technical documentation, such as program code, is usually produced in later stages of the software development process. Completion of all requirements at the end of each sprint is not mandatory in agile software development methods, as long as there is a prioritized backlog of requirements that can be delivered incrementally. A detailed unit and system test plan is also important for ensuring software quality, but it depends on well-defined user requirements andacceptance criteria. References: Information Systems Acquisition, Development & Implementation, CISA ReviewManual (Digital Version)

The IS auditor’s best recommendation is to ensure that programmers cannot access code after the completion of program edits. This is because programmers who have access to code after editing may introduce unauthorized or malicious changes that could compromise the security, functionality, or performance of the application. By restricting access to code after editing, the organization can ensurethat only authorized and tested code is released into production, and prevent any tampering or reoccurrence of the same issue.

References:

1 discusses the importance of controlling access to code after editing and testing, and provides some best practices for doing so.

2 explains how programmers can introduce malicious code into applications, and how to prevent and detect such attacks.

3 describes the role of IS auditors in reviewing and assessing the security and quality of application code.