Isaca CISA Exam Practice Test Instant Access

Question 1

Which of the following is a social engineering attack method?

AAn employee is induced to reveal confidential IP addresses and passwords by answering questions over the phone.

BA hacker walks around an office building using scanning tools to search for a wireless network to gain access.

CAn intruder eavesdrops and collects sensitive information flowing through the network and sells it to third parties.

DAn unauthorized person attempts to gain access to secure premises by following an authorized person through a secure door.

Answer : A

Social engineering is a technique that exploits human weaknesses, such as trust, curiosity, or greed, to obtain information or access from a target. An employee is induced to reveal confidential IP addresses and passwords by answering questions over the phone is an example of a social engineering attack method, as it involves manipulating the employee into divulging sensitive information that can be used to compromise the network or system. A hacker walks around an office building using scanning tools to search for a wireless network to gain access, an intruder eavesdrops and collects sensitive information flowing through the network and sells it to third parties, and an unauthorized person attempts to gain access to secure premises by following an authorized person through a secure door are not examples of social engineering attack methods, as they do not involve human interaction or deception.Reference:[ISACA CISA Review Manual 27th Edition], page 361.

Question 2

A new regulation in one country of a global organization has recently prohibited cross-border transfer of personal data. An IS auditor has been asked to determine the organization's level of exposure In the affected country. Which of the following would be MOST helpful in making this assessment?

ADeveloping an inventory of all business entities that exchange personal data with the affected jurisdiction

BIdentifying data security threats in the affected jurisdiction

CReviewing data classification procedures associated with the affected jurisdiction

DIdentifying business processes associated with personal data exchange with the affected jurisdiction

Answer : D

Identifying business processes associated with personal data exchange with the affected jurisdiction is the most helpful activity in making an assessment of the organization's level of exposure in the affected country. An IS auditor should understand how the organization's business operations and functions rely on or involve the cross-border transfer of personal data, as well as the potentialimpacts and risks of the new regulation on the business continuity and compliance. The other options are less helpful activities that may provide additional information or context for the assessment, but not its primary focus.Reference:

CISA Review Manual (Digital Version), Chapter 7, Section 7.4.21

CISA Review Questions, Answers & Explanations Database, Question ID 221

Question 3

Which of the following is the BEST control to minimize the risk of unauthorized access to lost company-owned mobile devices?

APassword/PIN protection

BDevice tracking software

CDevice encryption

DPeriodic backup

Answer : C

The best control to minimize the risk of unauthorized access to lost company-owned mobile devices is device encryption. Device encryption is a process that transforms data on a device into an unreadable format using a cryptographic key. Device encryption protects the data stored on the device from being accessed by unauthorized parties, even if they bypass the password or PIN protection. Device encryption can also prevent data leakage if the device is disposed of or recycled without proper data sanitization. Password or PIN protection is a basic control that prevents unauthorized access to the device by requiring a secret code or pattern to unlock it. However, password or PIN protection can be easily compromised by brute force attacks, shoulder surfing, or social engineering. Device trackingsoftware is a tool that allows the device owner or administrator to locate, lock, or wipe the device remotely in case of loss or theft. However, device tracking software depends on the device's network connectivity and GPS functionality, which may not be available or reliable in some situations. Periodic backup is a process that copies the data from the device to another storage location for recovery purposes. Periodic backup can help restore the data in case of loss or damage of the device, but it does not prevent unauthorized access to the data on the device itself.Reference:CISA ReviewManual (Digital Version), Chapter 5: Protection of Information Assets, Section 5.4: Mobile Devices

Question 4

Which of the following provides the BEST evidence that system requirements are met when evaluating a project before implementation?

AIntegration testing results

BSign-off from senior management

CUser acceptance testing (UAT) results

DRegression testing results

Answer : C

Question 5

An IS auditor has been asked to provide support to the control self-assessment (CSA) program. Which of the following BEST represents the scope of the auditor's role in the program?

AThe auditor should act as a program facilitator.

BThe auditor should focus on improving process productivity

CThe auditor should perform detailed audit procedures

DThe auditor's presence replaces the audit responsibilities of other team members.

Answer : A

Question 6

Which of the following control measures is the MOST effective against unauthorized access of confidential information on stolen or lost laptops?

ARemote wipe capabilities

BDisk encryption

CUser awareness

DPassword-protected files

Answer : B

Comprehensive and Detailed Step-by-Step

Thebest protectionfor a stolen laptop isfull disk encryption, which prevents unauthorized accesseven if the device is lost.

Option A (Incorrect):Remote wipe capabilitiesare useful, but theyrequire an internet connectionto function, which is not always available when a device is stolen.

Option B (Correct):Full disk encryption (FDE)ensures that data remainsunreadablewithout the correct decryption key,even if the hard drive is removed.

Option C (Incorrect):User awarenessis helpful, but itdoes not physically securedata on a lost device.

Option D (Incorrect):Password-protected filescan be bypassed by copying them to another system, making them an inadequate security measure.

Question 7

An IS auditor would MOST likely recommend that IT management use a balanced scorecard to:

Aindicate whether the organization meets quality standards.

Bensure that IT staff meet performance requirements.

Ctrain and educate IT staff.

Dassess IT functions and processes.

Answer : D

A balanced scorecard is a strategic planning framework that companies use to assign priority to their products, projects, and services; communicate about their targets or goals; and plan their routine activities1. The scorecard enables companies to monitor and measure the success of their strategies to determine how well they have performed.A balanced scorecard for IT management can help assess IT functions and processes by defining four perspectives: financial, customer, internal business process, and learning and growth2.These perspectives can help IT management align their IT objectives with the organization's vision and mission, identify and prioritize the key performance indicators (KPIs) for IT, and evaluate the effectiveness and efficiency of IT operations and services3.

Reference

1: Balanced Scorecard - Overview, Four Perspectives2: The IT Balanced Scorecard (BSC) Explained - BMC Software3: A BALANCED SCORECARD (BSC) FOR IT PERFORMANCE MANAGEMENT - SAS Support

Isaca Certified Information Systems Auditor CISA Exam Practice Test