Exam (elaborations)

CISA Practice exam questions with complete solutions

Rating
-
Sold
-
Pages
33
Grade
A+
Uploaded on
01-11-2025
Written in
2025/2026

CISA Practice exam questions with complete solutions

1. In a risk-based audit approach, the IS auditor must consider the inherent risk as well as
considering:

A. how to eliminate the risk through the application of controls.

B. the balance of loss potential vs. the cost to implement controls.

C. whether the risk is material, regardless of management's tolerance for risk.

D. whether the residual risk is higher than the insurance coverage purchased. - ANS ✔✔B Determining the correct balance between the loss potential and the cost to implement controls is a very important part of an effective risk mitigation strategy. The best internal control is one where the benefit of implementing the control at least matches the cost. Eliminating risk is very difficult to achieve and often impossible to attain. Hence, the IS auditor should not recommend that risk be eliminated since this is not likely to be cost-effective for the organization. Whether the risk is material is not the correct answer since the risk tolerance of management determines what is material. Insurance coverage is not necessarily the only control to consider for mitigating residual risk.



2. Which of the following is the PRIMARY safeguard for securing software and data within an
information processing facility?

A. Security awareness

B. Reading the security policy

C. Security committee

D. Logical access controls - ANS ✔✔D To retain a competitive advantage and meet basic business requirements, organizations must ensure the integrity of the information stored on their computer systems, preserve the confidentiality of sensitive data and ensure the continued availability of their information systems. To meet these goals, logical access controls must be in place. Awareness (choice A) does not, in itself, protect against unauthorized access or disclosure of information. Knowledge of an information systems security policy (choice B), which should be known by the organization's employees, would help to protect information but would not prevent the unauthorized access of information. A security committee (choice C) is key to the protection of information assets but would address security issues within a broader perspective.



3. When an organization is outsourcing their information security function, which of the
following should be kept in the organization?

A. Accountability for the corporate security policy

B. Defining the corporate security policy

C. Implementing the corporate security policy

D. Defining security procedures and guidelines - ANS ✔✔A Accountability cannot be transferred
to external parties. Choices B, C and D can be performed by outside entities as long as
accountability remains within the organization.



4. Naming conventions for system resources are important for access control because they:

A. ensure that resource names are not ambiguous.

B. reduce the number of rules required to adequately protect resources.

C. ensure that user access to resources is clearly and uniquely identified.

D. ensure that internationally recognized names are used to protect resources. - ANS ✔✔B Naming conventions for system resources are important for the efficient administration of security controls. The conventions can be structured so resources beginning with the same high-level qualifier can be governed by one or more generic rules. This reduces the number of rules required to adequately protect resources which, in turn, facilitates security administration and maintenance efforts. Reducing the number of rules required to protect resources allows for the grouping of resources and files by application, which makes it easier to provide access. Ensuring that resource names are not ambiguous cannot be achieved through the use of naming conventions. Ensuring the clear and unique identification of user access to resources is handled by access control rules, not naming conventions. Internationally recognized names are not required to control access to resources. Naming conventions tend to be based on how each organization wants to identify its resources.



5. When auditing the proposed acquisition of a new computer system, an IS auditor should
FIRST ensure that:

A. a clear business case has been approved by management.

B. corporate security standards will be met.

C. users will be involved in the implementation plan.

D. the new system will meet all required user functionality. - ANS ✔✔A The first concern of an IS
auditor should be to ensure that the proposal meets the needs of the business, and this should
be established by a clear business case. Although compliance with security standards is
essential, as is meeting the needs of the users and having users involved in the implementation
process, it is too early in the procurement process for these to be an IS auditor's first concern.



6. An IS auditor has been assigned to review an organization's information security policy.
Which of the following issues represents the highest potential risk?

A. The policy has not been updated in more than one year.

B. The policy includes no revision history.

C. The policy is approved by the security administrator.

D. The company does not have an information security policy committee. - ANS ✔✔C The
information security policy should have an owner who has approved management responsibility
for the development, review and evaluation of the security policy. The position of security
administrator is typically a staff-level position (not management), and therefore would not have
the authority to approve the policy. Without proper management approval, enforcing the policy
may be problematic, leading to compliance or security issues. While the information security
policy should be updated on a regular basis, the specific time period may vary based on the
organization. Although reviewing policies annually is a best practice, the policy could be
updated less frequently and still be relevant and effective. An outdated policy is still
enforceable, whereas a policy without proper approval is not enforceable.



7. Which of the following procedures would MOST effectively detect the loading of illegal
software packages onto a network?

A. The use of diskless workstations

B. Periodic checking of hard drives

C. The use of current antivirus software

D. Policies that result in instant dismissal if violated - ANS ✔✔B The periodic checking of hard
drives would be the most effective method of identifying illegal software packages loaded to the
network. Antivirus software will not necessarily identify illegal software, unless the software
contains a virus. Diskless workstations act as a preventive control and are not effective since users could still download software from other than diskless workstations. Policies lay out the rules about loading the software, but will not detect the actual occurrence.



8. Which of the following acts as a decoy to detect active Internet attacks?

A. Honeypots

B. Firewalls

C. Trapdoors

D. Traffic analysis - ANS ✔✔A Honeypots are computer systems that are expressly set up to
attract and trap individuals who attempt to penetrate other individuals' computer systems. The
concept of a honeypot is to learn from intruders' actions. A properly designed and configured
honeypot provides data on methods used to attack systems. The data are then used to improve
measures that could curb future attacks. A firewall is basically a preventive measure. Trapdoors
create a vulnerability that provides an opportunity for the insertion of unauthorized code into a
system. Traffic analysis is a type of passive attack.



9. Which of the following sampling methods is MOST useful when testing for compliance?

A. Attribute sampling

B. Variable sampling

C. Stratified mean per unit

D. Difference estimation - ANS ✔✔A Attribute sampling is the primary sampling method used
for compliance testing. Attribute sampling is a sampling model that is used to estimate the rate
of occurrence of a specific quality (attribute) in a population and is used in compliance testing to
confirm whether the quality exists. The other choices are used in substantive testing, which
involves testing of details or quantity.



10. Which of the following is MOST critical for the successful implementation and maintenance
of a security policy?

A. Assimilation of the framework and intent of a written security policy by all appropriate
parties

B. Management support and approval for the implementation and maintenance of a security
policy

Seller: BravelRadon (Havard School)