CISA Premium Bundle

Isaca CISA Certification Exam

Rating: 4.5 (53970 ratings)
980 questions (practice tests); 980 questions (PDF / print version)
Last update: November 15, 2024

Isaca CISA Free Practice Questions

Want to know about the Passleader CISA exam practice test features? Want to learn more about the Isaca CISA certification experience? Study top-quality Isaca CISA answers to up-to-the-minute CISA questions at Passleader. Get a pass, with an absolute guarantee, on the Isaca CISA test on your first attempt.

Free demo questions for the Isaca CISA exam dumps below:

NEW QUESTION 1

Which of the following provides the MOST relevant information for proactively strengthening security settings?

  • A. Bastion host
  • B. Intrusion detection system
  • C. Honeypot
  • D. Intrusion prevention system

Answer: C

Explanation:

The design of a honeypot is such that it lures the hacker and provides clues as to the hacker's methods and strategies and the resources required to address such attacks. A bastion host does not provide information about an attack. Intrusion detection systems and intrusion prevention systems are designed to detect and address an attack in progress and stop it as soon as possible. A honeypot allows the attack to continue, so as to obtain information about the hacker's strategy and methods.

NEW QUESTION 2

What should be the GREATEST concern to an IS auditor when employees use portable media (MP3 players, flash drives)?

  • A. The copying of sensitive data on them
  • B. The copying of songs and videos on them
  • C. The cost of these devices multiplied by all the employees could be high
  • D. They facilitate the spread of malicious code through the corporate network

Answer: A

Explanation:

The MAIN concern with MP3 players and flash drives is data leakage, especially of sensitive information. This could occur if the devices were lost or stolen. The risk when copying songs and videos is copyright infringement, but this is normally a less important risk than information leakage. Choice C is hardly an issue because employees normally buy the portable media with their own funds. Choice D is a possible risk, but not as important as information leakage, and it can be reduced by other controls.

NEW QUESTION 3

Wi-Fi Protected Access implements the majority of which IEEE standard?

  • A. 802.11i
  • B. 802.11g
  • C. 802.11x
  • D. 802.11v
  • E. None of the choices

Answer: A

Explanation:

Wi-Fi Protected Access (WPA / WPA2) is a class of systems to secure wireless computer networks. It implements the majority of the IEEE 802.11i standard, and is designed to work with all wireless network interface cards (but not necessarily with first generation wireless access points). One major improvement in WPA over WEP is the Temporal Key Integrity Protocol (TKIP), which dynamically changes keys as the system is used.

NEW QUESTION 4

A critical function of a firewall is to act as a:

  • A. special router that connects the Internet to a LAN
  • B. device for preventing authorized users from accessing the LAN
  • C. server used to connect authorized users to private trusted network resources
  • D. proxy server to increase the speed of access to authorized users

Answer: B

Explanation:

A firewall is a set of related programs, located at a network gateway server, that protects the resources of a private network from users of other networks. An enterprise with an intranet that allows its workers access to the wider Internet installs a firewall to prevent outsiders from accessing its own private data resources and for controlling the outside resources to which its own users have access. Basically, a firewall, working closely with a router program, filters all network packets to determine whether or not to forward them toward their destination. A firewall includes or works with a proxy server that makes network requests on behalf of workstation users. A firewall is often installed in a specially designated computer separate from the rest of the network so no incoming request can get directed to private network resources.

NEW QUESTION 5

For a discretionary access control to be effective, it must:

  • A. operate within the context of mandatory access control
  • B. operate independently of mandatory access control
  • C. enable users to override mandatory access controls when necessary
  • D. be specifically permitted by the security policy

Answer: A

Explanation:

Mandatory access controls are prohibitive; anything that is not expressly permitted is forbidden. Only within this context do discretionary controls operate, prohibiting still more access with the same exclusionary principle. When systems enforce mandatory access control policies, they must distinguish between these and the discretionary access policies that offer more flexibility. Discretionary controls do not override mandatory access controls, and they do not have to be specifically permitted in the security policy to be effective.

NEW QUESTION 6

What type of BCP test uses actual resources to simulate a system crash and validate the plan's effectiveness?

  • A. Paper
  • B. Preparedness
  • C. Walk-through
  • D. Parallel

Answer: B

Explanation:

Of the three major types of BCP tests (paper, walk-through, and preparedness), only the preparedness test uses actual resources to simulate a system crash and validate the plan's effectiveness.

NEW QUESTION 7

The extent to which data will be collected during an IS audit should be determined based on the:

  • A. availability of critical and required information
  • B. auditor's familiarity with the circumstances
  • C. auditee's ability to find relevant evidence
  • D. purpose and scope of the audit being done

Answer: D

Explanation:

The extent to which data will be collected during an IS audit should be related directly to the scope and purpose of the audit. An audit with a narrow purpose and scope would most likely result in less data collection than an audit with a wider purpose and scope. The scope of an IS audit should not be constrained by the ease of obtaining the information or by the auditor's familiarity with the area being audited. Collecting all the required evidence is a required element of an IS audit, and the scope of the audit should not be limited by the auditee's ability to find relevant evidence.

NEW QUESTION 8

A sequence of bits appended to a digital document that is used to secure an e-mail sent through the Internet is called a:

  • A. digest signature
  • B. electronic signature
  • C. digital signature
  • D. hash signature

Answer: C

Explanation:

A digital signature authenticates a transmission from a sender by means of the sender's private cryptographic key. It is a string of bits that uniquely represents another string of bits, the digital document. An electronic signature refers to the string of bits that digitally represents a handwritten signature captured by a computer system when a person applies it to an electronic pen pad connected to the system.

NEW QUESTION 9

Which of the following network configuration options contains a direct link between any two host machines?

  • A. Bus
  • B. Ring
  • C. Star
  • D. Completely connected (mesh)

Answer: D

Explanation:

A completely connected mesh configuration creates a direct link between any two host machines.

NEW QUESTION 10

Which of the following is an object-oriented technology characteristic that permits an enhanced degree of security over data?

  • A. Inheritance
  • B. Dynamic warehousing
  • C. Encapsulation
  • D. Polymorphism

Answer: C

Explanation:

Encapsulation is a property of objects, and it prevents accessing either properties or methods that have not been previously defined as public. This means that any implementation of the behavior of an object is not accessible. An object defines a communication interface with the exterior and only that which belongs to that interface can be accessed.

NEW QUESTION 11

What should regression testing use to obtain accurate conclusions regarding the effects of changes or corrections to a program, and to ensure that those changes and corrections have not introduced new errors?

  • A. Contrived data
  • B. Independently created data
  • C. Live data
  • D. Data from previous tests

Answer: D

Explanation:

Regression testing should use data from previous tests to obtain accurate conclusions regarding the effects of changes or corrections to a program, and to ensure that those changes and corrections have not introduced new errors.

NEW QUESTION 12

An IS auditor has completed a network audit. Which of the following is the MOST significant logical security finding?

  • A. Network workstations are not disabled automatically after a period of inactivity
  • B. Wiring closets are left unlocked
  • C. Network operating manuals and documentation are not properly secured
  • D. Network components are not equipped with an uninterruptible power supply

Answer: A

Explanation:

Choice A is the only logical security finding. Network logical security controls should be in place to restrict, identify, and report authorized and unauthorized users of the network. Disabling inactive workstations restricts users of the network. Choice D is an environmental issue and choices B and C are physical security issues. Choices B, C and D should be reported to the appropriate entity.

NEW QUESTION 13

The cost of ongoing operations when a disaster recovery plan is in place, compared to not having a disaster recovery plan, will MOST likely:

  • A. increase
  • B. decrease
  • C. remain the same
  • D. be unpredictable

Answer: A

Explanation:

Due to the additional cost of disaster recovery planning (DRP) measures, the cost of normal operations for any organization will always increase after a DRP implementation, i.e., the cost of normal operations during a nondisaster period will be more than the cost of operations during a nondisaster period when no disaster recovery plan was in place.

NEW QUESTION 14

A lower recovery time objective (RTO) results in:

  • A. higher disaster tolerance
  • B. higher cost
  • C. wider interruption window
  • D. more permissive data loss

Answer: B

Explanation:

A recovery time objective (RTO) is based on the acceptable downtime in case of a disruption of operations. The lower the RTO, the higher the cost of recovery strategies. The lower the disaster tolerance, the narrower the interruption window and the less permissive the data loss.

NEW QUESTION 15

The GREATEST advantage of using web services for the exchange of information between two systems is:

  • A. secure communication
  • B. improved performance
  • C. efficient interfacing
  • D. enhanced documentation

Answer: C

Explanation:

Web services facilitate the exchange of information between two systems, regardless of the operating system or programming language used. Communication is not necessarily more secure or faster, and there is no documentation benefit in using web services.

NEW QUESTION 16

Which of the following is a feature of Wi-Fi Protected Access (WPA) in wireless networks?

  • A. Session keys are dynamic
  • B. Private symmetric keys are used
  • C. Keys are static and shared
  • D. Source addresses are not encrypted or authenticated

Answer: A

Explanation:

WPA uses dynamic session keys, achieving stronger encryption than Wired Equivalent Privacy (WEP), which operates with static keys (the same key is used for everyone on the wireless network). All other choices are weaknesses of WEP.

NEW QUESTION 17

For application acquisitions with significant impacts, participation of your IS audit team should be encouraged:

  • A. early in the due diligence stage
  • B. at the testing stage
  • C. at the final approval stage
  • D. at the budget preparation stage
  • E. None of the choices

Answer: A

Explanation:

For acquisitions with significant IT impacts, participation of IS audit is often necessary early in the due diligence stage as defined in the audit policy.

NEW QUESTION 18

A transaction journal provides the information necessary for detecting unauthorized _____________ (fill in the blank) from a terminal.

  • A. Deletion
  • B. Input
  • C. Access
  • D. Duplication

Answer: B

Explanation:

A transaction journal provides the information necessary for detecting unauthorized input from a terminal.

NEW QUESTION 19
......

P.S. Dumps-files.com is now offering 100% pass-ensure CISA dumps! All CISA exam questions have been updated with correct answers: https://www.dumps-files.com/files/CISA/ (980 New Questions)
