CISA Online Practice Questions and Answers

Correct Answer: D

The greatest concern for an IS auditor reviewing an organization's business continuity plan (BCP) is that the BCP has not been tested since it was first issued. A BCP is a document that describes how an organization will continue its critical business functions in the event of a disruption or disaster. A BCP should include information such as roles and responsibilities, recovery strategies, resources, procedures, communication plans, and backup arrangements3. Testing the BCP is a vital step in ensuring its validity, effectiveness, and readiness. Testing the BCP involves simulating various scenarios and executing the BCP to verify whether it meets its objectives and requirements. Testing the BCP can also help to identify and correct any gaps, errors, or weaknesses in the BCP before they become issues during a real incident4. Therefore, an IS auditor should be concerned if the BCP has not been tested since it was first issued, as it may indicate that the BCP is outdated, inaccurate, incomplete, or ineffective. The other options are less concerning or incorrect because:

A. The BCP's contact information needs to be updated is not a great concern for an IS auditor reviewing an organization's BCP, as it is a minor issue that can be easily fixed. Contact information refers to the names, phone numbers, email addresses, or other details of the people involved in the BCP execution or communication. Contact information needs to be updated regularly to reflect any changes in personnel or roles. While having outdated contact information may cause some delays or confusion during a BCP activation, it does not affect the overall validity or effectiveness of the BCP.

B. The BCP is not version controlled is not a great concern for an IS auditor reviewing an organization's BCP, as it is a moderate issue that can be improved. Version control refers to the process of tracking and managing changes made to the BCP over time. Version control helps to ensure that only authorized changes are made to the BCP and that there is a clear record of who made what changes when and why. Version control also helps to avoid conflicts or inconsistencies among different versions of the BCP. While having no version control may cause some difficulties or risks in maintaining and updating the BCP, it does not affect the overall validity or effectiveness of the BCP. C. The BCP has not been approved by senior management is not a great concern for an IS auditor reviewing an organization's BCP, as it is a high-level issue that can be resolved. Approval by senior management refers to the formal endorsement and support of the BCP by the top executives or leaders of the organization. Approval by senior management helps to ensure that the BCP is aligned with the organization's strategy, objectives, and priorities, and that it has sufficient resources and authority to be implemented. Approval by senior management also helps to increase the awareness and commitment of the organization's stakeholders to the BCP. While having no approval by senior management may affect the credibility and acceptance of the BCP, it does not affect the overall validity or effectiveness of the BCP. References: Working Toward a Managed, Mature Business Continuity Plan - ISACA, ISACA Introduces New Audit Programs for Business Continuity/ Disaster ..., Disaster Recovery and Business Continuity Preparedness for Cloud-based ...

Correct Answer: A

A backlog consumption report is a report that shows the amount of work that has been completed and the amount of work that remains to be done in a project. It is a useful tool for measuring the progress and performance of a web-based customer service application development project, as it can indicate whether the project is on track, ahead or behind schedule, and how much effort is required to finish the project. A backlog consumption report can also help identify any issues or risks that may affect the project delivery. Critical path analysis reports, developer status reports and change management logs are also helpful for evaluating a project, but they are not as helpful as a backlog consumption report, as they do not provide a clear picture of the overall project status and completion rate. References: : [Backlog Consumption Report Definition] : Backlog Consumption Report | ISACA

Correct Answer: D

Tabletop exercises are a type of simulation used to test an organization's incident response plan. They involve key stakeholders in a hypothetical scenario to see how they would respond. This allows management to assess the effectiveness

of the incident response process and identify areas for improvement. Regularly conducting these exercises ensures that the organization is prepared for a real incident and that the incident response process remains effective over time.

References:

Cybersecurity incident response: The 6 steps to success Six steps for building a robust incident response strategy - IBM

Correct Answer: D

The greatest segregation of duties conflict would occur if the individual who performs the related tasks also has approval authority for purchase requisitions and purchase orders. This is because these two tasks are directly related to each other and involve financial transactions. If the same person is responsible for both tasks, it could lead to potential fraud or error. For instance, the individual could approve a purchase order for a personal need and then also approve the payment for it, leading to misuse of company funds. References: Segregation of Duties: Examples of Roles, Duties and Violations - Pathlock Functions in the Purchasing Process and how to Segregate Purchasing Duties

Correct Answer: D

A data loss prevention (DLP) tool is a software application that detects and prevents data breaches by monitoring and protecting sensitive data from unauthorized access, transfer, or use1. A DLP tool can help your organization comply with

regulations, prevent insider threats, and protect your intellectual property.

Before implementing a DLP tool, the most important prerequisite is to identify where existing data resides and establish a data classification matrix. This is because you need to know what data you have, where it is stored, how sensitive it is,

and who can access it. A data classification matrix is a framework that defines the categories and levels of data sensitivity, such as public, internal, confidential, or restricted2. By identifying and classifying your data, you can determine the

appropriate DLP policies and controls to apply to each type of data and prevent data loss or leakage.

Correct Answer: D

The performance and reliability of a job scheduling tool can be significantly affected if maintenance patches and the latest enhancement upgrades are missing. These patches and upgrades often contain fixes for known issues and improvements to the tool's functionality. If they are not applied, the tool may continue to exhibit known problems or fail to benefit from enhancements that could improve its performance and reliability. While factors like administrator password requirements23, number of support staff45, and tool classification can impact various aspects of a tool's operation, they are less likely to be the direct cause of performance and reliability problems. References: Patch Management Definition and Best Practices - Rapid7 Password must meet complexity requirements - Windows Security NIST's New Password Rule Book: Updated Guidelines Offer Benefits and Risk - ISACA Workforce optimization: Staff scheduling with AI | McKinsey Poor Employee Scheduling - Major Consequences And Solutions A Critical Analysis of Job Shop Scheduling in Context of Industry 4.0

Correct Answer: D

Correct Answer: B

Correct Answer: B

Correct Answer: D