CISA Exam PDF [2023] Tests Free Updated Today with Correct 690 Questions [Q389-Q406]


ISACA CISA Exam Preparation Guide and PDF Download


The CISA certification exam covers a wide range of topics, including the IS audit process, IT governance, the system and infrastructure life cycle, information security management, and business continuity and disaster recovery. The CISA exam is designed to test the candidate's knowledge and skills in these areas, as well as their ability to apply them in real-world scenarios. The CISA exam consists of 150 multiple-choice questions and is four hours long.


NEW QUESTION # 389
A technology service organization has recently acquired a new subsidiary. What should be the IS auditor's NEXT course of action when considering the impact on the development of the IT audit plan?

  • A. Proceed with the current audit plan.
  • B. Perform a risk assessment.
  • C. Review the revised business impact analysis (BIA).
  • D. Include the new systems in the audit plan.

Answer: B


NEW QUESTION # 390
Which of the following risks could result from inadequate software baselining?

  • A. Scope creep
  • B. Sign-off delays
  • C. Software integrity violations
  • D. Inadequate controls

Answer: A

Explanation:
Section: Protection of Information Assets
A software baseline is the cut-off point in the design and development of a system beyond which additional requirements or modifications to the design do not or cannot occur without undergoing formal strict procedures for approval based on a business cost-benefit analysis. Failure to adequately manage the requirements of a system through baselining can result in a number of risks. Foremost among these risks is scope creep, the process through which requirements change during development. Choices C and D may not always result, but choice A is inevitable.


NEW QUESTION # 391
Which of the following BEST indicates the effectiveness of an organization's risk management program?

  • A. Overall risk is quantified.
  • B. Control risk is minimized.
  • C. Residual risk is minimized.
  • D. Inherent risk is eliminated.

Answer: C


NEW QUESTION # 392
During an exit interview, senior management disagrees with some of the facts presented in the draft audit report and wants them removed from the report. Which of the following would be the auditor's BEST course of action?

  • A. Escalate the issue to audit management
  • B. Revise the assessment based on senior management's objections
  • C. Gather evidence to analyze senior management's objections
  • D. Finalize the draft audit report without changes

Answer: C


NEW QUESTION # 393
Which of the following is MOST important for an IS auditor to understand when planning an IS audit?

  • A. Number of high-risk auditable processes
  • B. Management focus on particular operations
  • C. Availability of IS audit resources
  • D. Inherent risk of auditable areas

Answer: B


NEW QUESTION # 394
An IS auditor finds that client requests were processed multiple times when received from different independent departmental databases, which are synchronized weekly. What would be the BEST recommendation?

  • A. Change the application architecture so that common data are held in just one shared database for all departments.
  • B. Implement reconciliation controls to detect duplicates before orders are processed in the systems.
  • C. Centralize all request processing in one department to avoid parallel processing of the same request.
  • D. Increase the frequency for data replication between the different department systems to ensure timely updates.

Answer: A

Explanation:
Keeping the data in one place is the best way to ensure that data are stored without redundancy and that all users have the same data on their systems. Although increasing the frequency may help to minimize the problem, the risk of duplication cannot be eliminated completely because parallel data entry is still possible. Business requirements will most likely dictate where data processing activities are performed.
Changing the business structure to solve an IT problem is not practical or politically feasible. Detective controls do not solve the problem of duplicate processing, and would require that an additional process be implemented to handle the discovered duplicates.


NEW QUESTION # 395
An IS auditor reviewed the business case for a proposed investment to virtualize an organization's server infrastructure. Which of the following is MOST likely to be included among the benefits in the project proposal?

  • A. Reduced hardware footprint
  • B. Better efficiency of logical resources
  • C. Less memory and storage space
  • D. Fewer operating system licenses

Answer: A


NEW QUESTION # 396
To address issues related to privileged users identified in an IS audit, management implemented a security information and event management (SIEM) system. Which type of control .........

  • A. Directive
  • B. Corrective
  • C. Detective
  • D. Preventive

Answer: C


NEW QUESTION # 397
During an audit of an enterprise that is dedicated to e-commerce, the IS manager states that digital signatures are used when receiving communications from customers. To substantiate this, an IS auditor must prove that which of the following is used?

  • A. A hash of the data that is transmitted and encrypted with the customer's public key
  • B. A hash of the data that is transmitted and encrypted with the customer's private key
  • C. The customer's scanned signature encrypted with the customer's public key
  • D. A biometric, digitalized and encrypted parameter with the customer's public key

Answer: B

Explanation:
Section: Protection of Information Assets
The calculation of a hash, or digest, of the data that are transmitted and its encryption require the public key of the client (receiver) and is called a signature of the message, or digital signature.
The receiver performs the same process and then compares the received hash, once it has been decrypted with their private key, to the hash that is calculated with the received data. If they are the same, the conclusion would be that there is integrity in the data that have arrived and the origin is authenticated.
The concept of encrypting the hash with the private key of the originator provides non-repudiation, as it can only be decrypted with their public key and, as the CD suggests, the private key would not be known to the recipient. Simply put, in a key-pair situation, anything that can be decrypted by a sender's public key must have been encrypted with their private key, so they must have been the sender, i.e., non-repudiation.
Choice C is incorrect because, if this were the case, the hash could not be decrypted by the recipient, so the benefit of non-repudiation would be lost and there could be no verification that the message had not been intercepted and amended. A digital signature is created by encrypting with a private key. A person creating the signature uses their own private key, otherwise everyone would be able to create a signature with any public key. Therefore, the signature of the client is created with the client's private key, and this can be verified by the enterprise using the client's public key. Choice B is the correct answer because, in this case, the customer uses their private key to sign the hash data.


NEW QUESTION # 398
An IS auditor should expect the responsibility for authorizing access rights to production data and systems to be entrusted to the:

  • A. process owners.
  • B. security administrator.
  • C. system administrators.
  • D. data owners.

Answer: D

Explanation:
Data owners are primarily responsible for safeguarding the data and authorizing access to production data on a need-to-know basis.


NEW QUESTION # 399
Which of the following is an effective way to ensure the integrity of file transfers in a peer-to-peer (P2P) computing environment?

  • A. Ensure the files transferred through an intrusion detection system (IDS).
  • B. Associate a message authentication code with each file transferred.
  • C. Connect the client computers in the environment to a jump server.
  • D. Encrypt the packets shared between peers within the environment.

Answer: D


NEW QUESTION # 400
When responding to an ongoing denial of service (DoS) attack, an organization's FIRST course of action should be to:

  • A. restore service.
  • B. analyze the attack path.
  • C. investigate damage.
  • D. minimize impact.

Answer: D


NEW QUESTION # 401
An IS auditor should carefully review the functional requirements in a systems-development project to ensure that the project is designed to:

  • A. Enforce data security
  • B. Be financially feasible
  • C. Meet business objectives
  • D. Be culturally feasible

Answer: C

Explanation:
An IS auditor should carefully review the functional requirements in a systems-development project to ensure that the project is designed to meet business objectives.


NEW QUESTION # 402
After reviewing its business processes, a large organization is deploying a new web application based on a VoIP technology. Which of the following is the MOST appropriate approach for implementing access control that will facilitate security management of the VoIP web application?

  • A. Access control lists
  • B. Network/service access control
  • C. Role-based access control (RBAC)
  • D. Fine-grained access control

Answer: C

Explanation:
Authorization in this VoIP case can best be addressed by role-based access control (RBAC) technology.
RBAC is easy to manage and can enforce strong and efficient access controls in large-scale web environments, including VoIP implementations. Access control lists and fine-grained access control on VoIP web applications do not scale to enterprise-wide systems, because they are primarily based on individual user identities and their specific technical privileges. Network/service access control addresses VoIP availability but does not address application-level access or authorization.


NEW QUESTION # 403
During a vulnerability assessment, an IS auditor finds a high-risk vulnerability in a public-facing web server used to process online customer orders via credit card. The IS auditor could FIRST:

  • A. redesign the customer order process.
  • B. document the finding in the report.
  • C. suspend credit card processing.
  • D. notify management.

Answer: D


NEW QUESTION # 404
When reviewing procedures for emergency changes to programs, the IS auditor should verify that the procedures:

  • A. allow undocumented changes directly to the production library.
  • B. allow changes, which will be completed using after-the-fact follow-up.
  • C. allow programmers permanent access to production programs.
  • D. do not allow any emergency changes.

Answer: B

Explanation:
There may be situations where emergency fixes are required to resolve system problems. This involves the use of special logon IDs that grant programmers temporary access to production programs during emergency situations. Emergency changes should be completed using after-the-fact follow-up procedures, which ensure that normal procedures are retroactively applied; otherwise, production may be impacted.
Changes made in this fashion should be held in an emergency library from where they can be moved to the production library, following the normal change management process. Programmers should not directly alter the production library nor should they be allowed permanent access to production programs.


NEW QUESTION # 405
A LAN administrator normally would be restricted from:

  • A. having end-user responsibilities.
  • B. reporting to the end-user manager.
  • C. having programming responsibilities.
  • D. being responsible for LAN security administration.

Answer: C

Explanation:
Section: Protection of Information Assets
A LAN administrator should not have programming responsibilities but may have end-user responsibilities.
The LAN administrator may report to the director of the IPF or, in a decentralized operation, to the end-user manager. In small organizations, the LAN administrator also may be responsible for security administration over the LAN.


NEW QUESTION # 406
......


The CISA certification is highly respected in the IT industry and is recognized by many organizations around the world, including government agencies, financial institutions, and multinational corporations. It is also a mandatory requirement for many information security positions and is often used as a benchmark for hiring and promotion decisions.


Verified & Correct CISA Practice Test Reliable Source Sep 30, 2023 Updated: https://www.prep4pass.com/CISA_exam-braindumps.html

Free ISACA CISA Exam Files Downloaded Instantly: https://drive.google.com/open?id=1ZVryZCJI1MYT-HN3e4UKHM9Oste5CoVx