Skip to Content

ISACA CISA Certified Information Systems Auditor Exam Questions and Answers – 12

By: Author Alex Lim

Posted on  - Last updated:

Categories Exam

The latest ISACA CISA (Certified Information Systems Auditor) certification actual real practice exam question and answer (Q&A) dumps are available free, which are helpful for you to pass the ISACA CISA exam and earn ISACA CISA certification.

ISACA Certified Information Systems Auditor (CISA) Exam Questions and Answers

CISA Question 1281

Question

Which of the following term describes a failure of an electric utility company to supply power within acceptable range?

A. Sag
B. Blackout
C. Brownout
D. EMI

Answer

C. Brownout

Explanation

The failure of an electric utility company to supply power within acceptable range. Such a failure places a strain on electronic equipment and may limit their operational life or even cause permanent damage.

For CISA exam you should know below information about power failure:

  • Total Failure (Blackout) – A complete loss of electric power, which may span from a single building to an entire geographical are and is often caused by weather conditions or inability of an electric utility company to meet user demands.
  • Severely reduced voltage (brownout) – The failure of an electric utility company to supply power within acceptable range. Such a failure places a strain on electronic equipment and may limit their operational life or even cause permanent damage.
  • Sags, spike and surge – Temporary and rapid decreases (sag) or increases (spike and surges) in a voltage levels. These anomalies can cause loss of data, data corruption, network transmission errors or physical damage to hardware devices.
  • Electromagnetic interference (EMI) – The electromagnetic interference (EMI) caused by electrical storms or noisy electrical equipments. The interference may cause computer system to hang or crash as well as damages similar to those caused by sags, spike and surges.

The following were incorrect answers:

  • Sag – Temporarily rapid decrease in a voltage.
  • Total Failure (Blackout) – A complete loss of electric power, which may span from a single building to an entire geographical are and is often caused by weather conditions or inability of an electric utility company to meet user demands.
  • Severely reduced voltage (brownout) – The failure of an electric utility company to supply power within acceptable range. Such a failure places a strain on electronic equipment and may limit their operational life or even cause permanent damage.

CISA Question 1282

Question

Which of the following is an environmental issue caused by electric storms or noisy electric equipment and may also cause computer system to
hang or crash?

A. Sag
B. Blackout
C. Brownout
D. EMI

Answer

D. EMI

Explanation

The electromagnetic interference (EMI) caused by electrical storms or noisy electrical equipments. The interference may cause computer system to hang or crash as well as damages similar to those caused by sags, spike and surges.

Because Unshielded Twisted Pair cables does not have shielding like shielded twisted-pair cables, UTP is susceptible to interference from external electrical sources, which could reduce the integrity of the signal. Also, to intercept transmitted data, an intruder can install a tap on the cable or monitor the radiation from the wire. Thus, UTP may not be a good choice when transmitting very sensitive data or when installed in an environment with much electromagnetic interference (EMI) or radio frequency interference (RFI). Despite its drawbacks, UTP is the most common cable type. UTP is inexpensive, can be easily bent during installation, and, in most cases, the risk from the above drawbacks is not enough to justify more expensive cables.

For your exam you should know below information about power failure:

  • Total Failure (Blackout) – A complete loss of electric power, which may span from a single building to an entire geographical are and is often caused by weather conditions or inability of an electric utility company to meet user demands.
  • Severely reduced voltage (brownout) – The failure of an electric utility company to supply power within acceptable range. Such a failure places a strain on electronic equipment and may limit their operational life or even cause permanent damage.
  • Sags, spike and surge – Temporary and rapid decreases (sag) or increases (spike and surges) in a voltage levels. These anomalies can cause loss of data, data corruption, network transmission errors or physical damage to hardware devices.
  • Electromagnetic interference (EMI) – The electromagnetic interference (EMI) caused by electrical storms or noisy electrical equipments. The interference may cause computer system to hang or crash as well as damages similar to those caused by sags, spike and surges.

The following were incorrect answers:

  • Sag – Temporarily rapid decrease in a voltage.
  • Total Failure (Blackout) – A complete loss of electric power, which may span from a single building to an entire geographical are and is often caused by weather conditions or inability of an electric utility company to meet user demands.
  • Severely reduced voltage (brownout) – The failure of an electric utility company to supply power within acceptable range. Such a failure places a strain on electronic equipment and may limit their operational life or even cause permanent damage.

CISA Question 1283

Question

Which of the following is penetration test where the penetration tester is provided with limited or no knowledge of the target’s information systems?

A. External Testing
B. Internal Testing
C. Blind Testing
D. Targeted Testing

Answer

C. Blind Testing

Explanation

Blind Testing refers to the condition of testing when the penetration tester is provided with limited or no knowledge of the target. Such a testing is expensive, since the penetration tester has to research the target and profile it based on publicly available information.

For your exam you should know below mentioned penetration types:

  • External Testing -Refers to attack and control circumvention attempts on a target’s network perimeter from outside the target’s system is usually the Internet
  • Internal Testing – Refers to attack and control circumvention attempt on target from within the perimeter. The objective is to identify what would occur if the external perimeter was successfully compromised and/or an authorized user from within the network wanted to compromise security of a specific resource on a network.
  • Blind Testing – Refers to the condition of testing when the penetration tester is provided with limited or no knowledge of the target’s information systems. Such a testing is expensive, since penetration tester have to research the target and profile it based on publicly available information.
  • Double Blind Testing – It is an extension of blind testing, since the administrator and security staff at the target are also not aware of test. Such a testing can effectively evaluate the incident handling and response capability of the target.
  • Targeted Testing – Refers to attack and control circumvention attempts on the target, while both the target’s IT team and penetration tester are aware of the testing activities. Penetration testers are provided with information related to target and network design. Additionally, they are also provided with a limited privilege user account to be used as a starting point to identify privilege escalation possibilities in the system.

The following were incorrect answers:

  • External Testing – Refers to attack and control circumvention attempts on a target’s network perimeter from outside the target’s system is usually the Internet
  • Internal Testing – Refers to attack and control circumvention attempt on target from within the perimeter. The objective is to identify what would occur if the external perimeter was successfully compromised and/or an authorized user from within the network wanted to compromise security of a specific resource on a network.
  • Targeted Testing – Refers to attack and control circumvention attempts on the target, while both the target’s IT team and penetration tester are aware of the testing activities. Penetration testers are provided with information related to target and network design. Additionally, they are also provided with a limited privilege user account to be used as a starting point to identify privilege escalation possibilities in the system.

CISA Question 1284

Question

There are several types of penetration tests depending upon the scope, objective and nature of a test. Which of the following describes a penetration test where you attack and attempt to circumvent the controls of the targeted network from the outside, usually the Internet?

A. External Testing
B. Internal Testing
C. Blind Testing
D. Targeted Testing

Answer

A. External Testing

Explanation

External testing refers to attack and control circumvention attempts on a target’s network perimeter from outside the target’s system, usually the Internet.

For the CISA exam you should know penetration test types listed below:

  • External Testing – Refers to attack and control circumvention attempts on a target’s network perimeter from outside the target’s system, usually the Internet
  • Internal Testing – Refers to attack and control circumvention attempt on target from within the perimeter. The objective is to identify what would occur if the external perimeter was successfully compromised and/or an authorized user from within the network wanted to compromise security of a specific resource on a network.
  • Blind Testing – Refers to the condition of testing when the penetration tester is provided with limited or no knowledge of the target’s information systems. Such testing is expensive, since penetration tester have to research the target and profile it based on publicly available information.
  • Double Blind Testing – It is an extension of blind testing, since the administrator and security staff at the target are also not aware of test. Such a testing can effectively evaluate the incident handling and response capability of the target and how well managed the environment is.
  • Targeted Testing – Refers to attack and control circumvention attempts on the target, while both the target’s IT team and penetration tester are aware of the testing activities. Penetration testers are provided with information related to target and network design. Additionally, they are also provided with a limited privilege user account to be used as a starting point to identify privilege escalation possibilities in the system.

The following were incorrect answers:

  • Internal Testing – Refers to attack and control circumvention attempt on target from within the perimeter. The objective is to identify what would occur if the external perimeter was successfully compromised and/or an authorized user from within the network wanted to compromise security of a specific resource on a network.
  • Blind Testing – Refers to the condition of testing when the penetration tester is provided with limited or no knowledge of the target’s information systems. Such a testing is expensive, since penetration tester have to research the target and profile it based on publicly available information.
  • Targeted Testing – Refers to attack and control circumvention attempts on the target, while both the target’s IT team and penetration tester are aware of the testing activities. Penetration testers are provided with information related to target and network design. Additionally, they are also provided with a limited privilege user account to be used as a starting point to identify privilege escalation possibilities in the system.

CISA Question 1285

Question

Which of the following process consist of identification and selection of data from the imaged data set in computer forensics?

A. Investigation
B. Interrogation
C. Reporting
D. Extraction

Answer

D. Extraction

Explanation

Extraction is the process of identification and selection of data from the imaged data set. This process should include standards of quality, integrity and reliability.

The extraction process includes software used and media where an image was made. The extraction process could include different sources such as system logs, firewall logs, audit trails and network management information.

For CISA exam you should know below mentioned key elements of computer forensics during audit planning.

Data Protection – To prevent sought-after information from being altered, all measures must be in place. It is important to establish specific protocol to inform appropriate parties that electronic evidence will be sought and not destroy it by any means.

Data Acquisition – All information and data required should transferred into a controlled location; this includes all types of electronic media such as fixed disk drives and removable media. Each device must be checked to ensure that it is write protected. This may be achieved by using device known as write blocker.

Imaging – The Imaging is a process that allows one to obtain bit-for bit copy of a data to avoid damage of original data or information when multiple analyses may be performed. The imaging process is made to obtain residual data, such as deleted files, fragments of deleted files and other information present, from the disk for analysis. This is possible because imaging duplicates the disk surface, sector by sector.

Extraction – This process consists of identification and selection of data from the imaged data set. This process should include standards of quality, integrity and reliability. The extraction process includes software used and media where an image was made. The extraction process could include different sources such as system logs, firewall logs, audit trails and network management information.

Interrogation – Integration is used to obtain prior indicators or relationships, including telephone numbers, IP addresses, and names of individuals from extracted data.

Investigation/ Normalization – This process converts the information extracted to a format that can be understood by investigator. It includes conversion of hexadecimal or binary data into readable characters or a format suitable for data analysis tool.

Reporting – The information obtained from computer forensic has limited value when it is not collected and reported in proper way. When an IS auditor writes report, he/she must include why the system was reviewed, how the computer data were reviewed and what conclusion were made from analysis. The report should achieve the following goals:

  • Accurately describes the details of an incident.
  • Be understandable to decision makers.
  • Be able to withstand a barrage of legal security
  • Be unambiguous and not open to misinterpretation.
  • Be easily referenced –
  • Contains all information required to explain conclusions reached
  • Offer valid conclusions, opinions or recommendations when needed
  • Be created in timely manner.

The following were incorrect answers:

  • Investigation/ Normalization – This process converts the information extracted to a format that can be understood by investigator. It includes conversion of hexadecimal or binary data into readable characters or a format suitable for data analysis tool.
  • Interrogation – Integration is used to obtain prior indicators or relationships, including telephone numbers, IP addresses, and names of individuals from extracted data.
  • Reporting – The information obtained from computer forensic has limited value when it is not collected and reported in proper way. When an IS auditor writes report, he/she must include why the system was reviewed, how the computer data were reviewed and what conclusion were made from analysis.

CISA Question 1286

Question

In computer forensic which of the following describe the process that converts the information extracted into a format that can be understood by investigator?

A. Investigation
B. Interrogation
C. Reporting
D. Extraction

Answer

A. Investigation

Explanation

Investigation is the process that converts the information extracted to a format that can be understood by investigator. It includes conversion of hexadecimal or binary data into readable characters or a format suitable for data analysis tool.

For CISA exam you should know below mentioned key elements of computer forensics during audit planning.

Data Protection – To prevent sought-after information from being altered, all measures must be in place. It is important to establish specific protocol to inform appropriate parties that electronic evidence will be sought and not destroy it by any means.

Data Acquisition – All information and data required should transferred into a controlled location; this includes all types of electronic media such as fixed disk drives and removable media. Each device must be checked to ensure that it is write protected. This may be achieved by using device known as write blocker.

Imaging – The Imaging is a process that allows one to obtain bit-for bit copy of a data to avoid damage of original data or information when multiple analyses may be performed. The imaging process is made to obtain residual data, such as deleted files, fragments of deleted files and other information present, from the disk for analysis. This is possible because imaging duplicates the disk surface, sector by sector.

Extraction – This process consists of identification and selection of data from the imaged data set. This process should include standards of quality, integrity and reliability. The extraction process includes software used and media where an image was made. The extraction process could include different sources such as system logs, firewall logs, audit trails and network management information.

Interrogation – Integration is used to obtain prior indicators or relationships, including telephone numbers, IP addresses, and names of individuals from extracted data.

Investigation/ Normalization – This process converts the information extracted to a format that can be understood by investigator. It includes conversion of hexadecimal or binary data into readable characters or a format suitable for data analysis tool.

Reporting – The information obtained from computer forensic has limited value when it is not collected and reported in proper way. When an IS auditor writes report, he/she must include why the system was reviewed, how the computer data were reviewed and what conclusion were made from analysis. The report should achieve the following goals:

  • Accurately describes the details of an incident.
  • Be understandable to decision makers.
  • Be able to withstand a barrage of legal security
  • Be unambiguous and not open to misinterpretation.
  • Be easily referenced
  • Contains all information required to explain conclusions reached
  • Offer valid conclusions, opinions or recommendations when needed
  • Be created in timely manner.

The following were incorrect answers:

  • Interrogation – Integration is used to obtain prior indicators or relationships, including telephone numbers, IP addresses, and names of individuals from extracted data.
  • Extraction – This process consists of identification and selection of data from the imaged data set. This process should include standards of quality, integrity and reliability.
  • Reporting – The information obtained from computer forensic has limited value when it is not collected and reported in proper way. When an IS auditor writes report, he/she must include why the system was reviewed, how the computer data were reviewed and what conclusion were made from analysis.

CISA Question 1287

Question

In computer forensics, which of the following is the process that allows bit-for-bit copy of a data to avoid damage of original data or information when multiple analysis may be performed?

A. Imaging
B. Extraction
C. Data Protection
D. Data Acquisition

Answer

A. Imaging

Explanation

Imaging is the process that allows one to obtain a bit-for bit copy of a data to avoid damage to the original data or information when multiple analysis may be performed. The imaging process is made to obtain residual data, such as deleted files, fragments of deleted files and other information present, from the disk for analysis. This is possible because imaging duplicates the disk surface, sector by sector.

For CISA exam you should know below mentioned key elements of computer forensics during audit planning.

Data Protection – To prevent sought-after information from being altered, all measures must be in place. It is important to establish specific protocol to inform appropriate parties that electronic evidence will be sought and not destroy it by any means.

Data Acquisition – All information and data required should transferred into a controlled location; this includes all types of electronic media such as fixed disk drives and removable media. Each device must be checked to ensure that it is write protected. This may be achieved by using device known as write blocker.

Imaging – The Imaging is a process that allows one to obtain bit-for bit copy of a data to avoid damage of original data or information when multiple analyses may be performed. The imaging process is made to obtain residual data, such as deleted files, fragments of deleted files and other information present, from the disk for analysis. This is possible because imaging duplicates the disk surface, sector by sector.

Extraction – This process consists of identification and selection of data from the imaged data set. This process should include standards of quality, integrity and reliability. The extraction process includes software used and media where an image was made. The extraction process could include different sources such as system logs, firewall logs, audit trails and network management information.

Interrogation – Integration is used to obtain prior indicators or relationships, including telephone numbers, IP addresses, and names of individuals from extracted data.

Investigation/ Normalization – This process converts the information extracted to a format that can be understood by investigator. It includes conversion of hexadecimal or binary data into readable characters or a format suitable for data analysis tool.

Reporting – The information obtained from computer forensic has limited value when it is not collected and reported in proper way. When an IS auditor writes report, he/she must include why the system was reviewed, how the computer data were reviewed and what conclusion were made from analysis. The report should achieve the following goals:

  • Accurately describes the details of an incident.
  • Be understandable to decision makers.
  • Be able to withstand a barrage of legal security
  • Be unambiguous and not open to misinterpretation.
  • Be easily referenced –
  • Contains all information required to explain conclusions reached
  • Offer valid conclusions, opinions or recommendations when needed
  • Be created in timely manner.

The following were incorrect answers:

Extraction – This process consists of identification and selection of data from the imaged data set. This process should include standards of quality, integrity and reliability.

Data Protection – To prevent sought-after information from being altered, all measures must be in place. It is important to establish specific protocol to inform appropriate parties that electronic evidence will be sought and not destroy it by any means.

Data Acquisition – All information and data required should transferred into a controlled location; this includes all types of electronic media such as fixed disk drives and removable media. Each device must be checked to ensure that it is write protected. This may be achieved by using device known as write blocker.

CISA Question 1288

Question

Identify the correct sequence which needs to be followed as a chain of event in regards to evidence handling in computer forensics?

A. Identify, Analyze, preserve and Present
B. Analyze, Identify, preserve and present
C. Preserve, Identify, Analyze and Present
D. Identify, Preserve, Analyze and Present

Answer

D. Identify, Preserve, Analyze and Present

Explanation

There are 4 major considerations in the chain of event in regards to evidence in computer forensics:

  • Identify – Refers to identification of information that is available and might form evidence of an accident
  • Preserve – Refers to the practice of retrieving identified information and preserving it as evidence. The practice generally includes the imaging of original media in presence of an independent third party. The process also requires being able to document chain-of-custody so that it can be established in a court law.
  • Analyze – Involves extracting, processing and interpreting the evidence. Extracted data could be unintelligible binary data after it has been processed and converted into human readable format. Interpreting the data requires an in-depth knowledge of how different pieces of evidences may fit together. The analysis should be performed using an image of media and not the original.
  • Present – Involves a presentation of the various audiences such as management, attorneys, court, etc.Acceptance of evidence depends upon the manner of presentation, qualification of the presenter, and credibility of the process used to preserve and analyze the evidence.

The following were incorrect answers:

  • The other options presented are not a valid sequence which needs to be followed in the chain of events in regards to evidence in computer forensic.

CISA Question 1289

Question

While evaluating logical access control the IS auditor should follow all of the steps mentioned below EXCEPT one?

1. Obtain general understanding of security risk facing information processing, through a review of relevant documentation, inquiry and observation,etc

2. Document and evaluate controls over potential access paths into the system to assess their adequacy, efficiency and effectiveness

3. Test Control over access paths to determine whether they are functioning and effective by applying appropriate audit technique

4. Evaluate the access control environment to determine if the control objective is achieved by analyzing test result and other audit evidence

5. Evaluate the security environment to assess its adequacy by reviewing written policies, observing practices and procedures, and comparing them with appropriate security standard or practice and procedures used by other organization.

6. Evaluate and deploy technical controls to mitigate all identified risks during audit.

A. 2
B. 3
C. 1
D. 6

Answer

D. 6

Explanation

The word EXCEPT is the keyword used in the question. You need find out the item an IS auditor should not perform while evaluating logical access control. It is not an IT auditor’s responsibility to evaluate and deploy technical controls to mitigate all identified risks during audit.

For CISA exam you should know below information about auditing logical access:

  • Obtain general understanding of security risk facing information processing, through a review of relevant documentation, inquiry and observation,etc:
  • Document and evaluate controls over potential access paths into the system to assess their adequacy, efficiency and effectiveness
  • Test Control over access paths to determine whether they are functioning and effective by applying appropriate audit technique
  • Evaluate the access control environment to determine if the control objective are achieved by analyzing test result and other audit evidence
  • Evaluate the security environment to assess its adequacy by reviewing written policies, observing practices and procedures, and comparing them with appropriate security standard or practice and procedures used by other organization.

The following were incorrect answers:

  • The other options presented are valid choices which IS auditor needs to follow while evaluating logical access control.

CISA Question 1290

Question

During Involuntary termination of an employee, which of the following is the MOST important step to be considered?

A. Get a written NDA agreement from an employee
B. Terminate all physical and logical access
C. Provide compensation in lieu of notice period
D. Do not communicate to the respective employee about the termination

Answer

B. Terminate all physical and logical access

Explanation

For CISA exam you should know below information about Terminated Employee Access

Termination of employment can occur in the following circumstances:

  • On the request of the employee (Voluntary resignation from service)
  • Scheduled (On retirement or completion of contract)
  • Involuntary (forced by management in special circumstances)

In case of an involuntary termination of employment, the logical and physical access rights of employees to the IT infrastructure should either be withdrawn completely or highly restricted as early as possible, before the employee become aware of termination or its likelihood.

This ensures that terminated employees cannot continue to access potentially confidential or damaging information from the IT resources or perform any action that would result in damage of any kind of IT infrastructure, applications and data. Similar procedure in place to terminate access for third parties upon terminating their activities with the organization.

When it is necessary for employee to continue to have accesses, such access must be monitored carefully and continuously and should take place with senior management’s knowledge and authorization.

In case of a voluntary or scheduled termination of employment, it is management’s prerogative to decide whether access is restricted or withdrawn. This depends on:

  • The specific circumstances associated with each case
  • The sensitivity of employee’s access to the IT infrastructure and resources
  • The requirement of the organization’s information security policies, standards and procedure.

The following were incorrect answers:

  • The other options presented are incorrectly describes about involuntary termination.