Boost Your Certification Prep with CISA Mock Tests, Certified Information Systems Auditor | SPOTO


Question #1
Which of the following types of firewalls would BEST protect a network from an internet attack?
A. Screened subnet firewall
B. Application filtering gateway
C. Packet filtering router
D. Circuit-level gateway
View answer
Correct Answer: A
Question #2
Which of the following statements is NOT true about smoke detectors?
A. Smoke detectors should be above and below the ceiling tiles throughout the facility and below the raised floor in the computer room
B. The smoke detector should produce an audible alarm when activated and be linked to a monitored station
C. The location of the smoke detector should be marked on the tiling for easy identification and access
D. Smoke detector should replace fire suppression system
View answer
Correct Answer: B
Question #3
What type of approach to the development of organizational policies is often driven by risk assessment?
A. Bottom-up
B. Top-down
C. Comprehensive
D. Integrated
View answer
Correct Answer: B
Question #4
To determine who has been given permission to use a particular system resource, an IS auditor should review:
A. activity lists
B. access control lists
C. logon ID lists
D. password lists
View answer
Correct Answer: A
Question #5
The reason a certification and accreditation process is performed on critical systems is to ensure that:
A. security compliance has been technically evaluated
B. data have been encrypted and are ready to be stored
C. the systems have been tested to run on different platforms
D. the systems have followed the phases of a waterfall model
View answer
Correct Answer: A
Question #6
Which of the following is an example of the defense in-depth security principle?
A. Using two firewalls of different vendors to consecutively check the incoming network traffic
B. Using a firewall as well as logical access controls on the hosts to control incoming network traffic
C. Having no physical signs on the outside of a computer center building
D. Using two firewalls in parallel to check different types of incoming traffic
View answer
Correct Answer: A
Question #7
In what way is a common gateway interface (CGI) MOST often used on a webserver?
A. Consistent way for transferring data to the application program and back to the user
B. Computer graphics imaging method for movies and TV
C. Graphic user interface for web design
D. Interface to access the private gateway domain
View answer
Correct Answer: C
Question #8
The implementation of access controls FIRST requires:
A. a classification of IS resources
B. the labeling of IS resources
C. the creation of an access control list
D. an inventory of IS resources
View answer
Correct Answer: C
Question #9
After installing a network, an organization installed a vulnerability assessment tool or security scanner to identify possible weaknesses. Which is the MOST serious risk associated with such tools?
A. Differential reporting
B. False-positive reporting
C. False-negative reporting
D. Less-detail reporting
View answer
Correct Answer: A
Question #10
Web and e-mail filtering tools are PRIMARILY valuable to an organization because they:
A. protect the organization from viruses and nonbusiness materials
B. maximize employee performance
C. safeguard the organization's image
D. assist the organization in preventing legal issues
View answer
Correct Answer: D
Question #11
A core tenet of an IS strategy is that it must:
A. Be inexpensive
B. Be protected as sensitive confidential information
C. Protect information confidentiality, integrity, and availability
D. Support the business objectives of the organization
View answer
Correct Answer: B
Question #12
Which of the following functionalities is NOT supported by the SSL protocol?
A. Confidentiality
B. Integrity
C. Authentication
D. Availability
View answer
Correct Answer: A
Question #13
Which of the following types of cryptography demands less computational power and offers more security per bit?
A. Quantum cryptography
B. Elliptic Curve Cryptography (ECC)
C. Symmetric Key Cryptography
D. Asymmetric Key Cryptography
View answer
Correct Answer: B
Question #14
When reviewing the implementation of a LAN, an IS auditor should FIRST review the:
A. node list
B. acceptance test report
C. network diagram
D. user's list
View answer
Correct Answer: A
Question #15
Which of the following would MOST effectively enhance the security of a challenge-response based authentication system?
A. Selecting a more robust algorithm to generate challenge strings
B. Implementing measures to prevent session hijacking attacks
C. Increasing the frequency of associated password changes
D. Increasing the length of authentication strings
View answer
Correct Answer: A
Question #16
An organization is using an enterprise resource management (ERP) application. Which of the following would be an effective access control?
A. User-level permissions
B. Role-based
C. Fine-grained
D. Discretionary
View answer
Correct Answer: C
Question #17
The PRIMARY objective of an audit of IT security policies is to ensure that:
A. they are distributed and available to all staff
B. security and control policies support business and IT objectives
C. there is a published organizational chart with functional descriptions
D. duties are appropriately segregated
View answer
Correct Answer: B
Question #18
During an IS audit, the auditor has observed that the authentication and authorization steps are split into two functions and that it is possible to force the authorization step to be completed before the authentication step. Which of the following techniques could an attacker use to force the authorization step before authentication?
A. Eavesdropping
B. Traffic analysis
C. Masquerading
D. Race Condition
View answer
Correct Answer: D
Question #19
Which of the following is a feature of Wi-Fi Protected Access (WPA) in wireless networks?
A. Session keys are dynamic
B. Private symmetric keys are used
C. Keys are static and shared
D. Source addresses are not encrypted or authenticated
View answer
Correct Answer: C
Question #20
Corrective action has been taken by an auditee immediately after the identification of a reportable finding. The auditor should:
A. include the finding in the final report, because the IS auditor is responsible for an accurate report of all findings
B. not include the finding in the final report, because the audit report should include only unresolved findings
C. not include the finding in the final report, because corrective action can be verified by the IS auditor during the audit
D. include the finding in the closing meeting for discussion purposes only
View answer
Correct Answer: C
Question #21
Which of the following would an IS auditor use to determine if unauthorized modifications were made to production programs?
A. System log analysis
B. Compliance testing
C. Forensic analysis
D. Analytical review
View answer
Correct Answer: A
Question #22
A diskless workstation is an example of:
A. Handheld devices
B. Thin client computer
C. Personal computer
D. Midrange server
View answer
Correct Answer: B
Question #23
After reviewing its business processes, a large organization is deploying a new web application based on a VoIP technology. Which of the following is the MOST appropriate approach for implementing access control that will facilitate security management of the VoIP web application?
A. Fine-grained access control
B. Role-based access control (RBAC)
C. Access control lists
D. Network/service access control
View answer
Correct Answer: A
Question #24
An auditor needs to be aware of the technical controls used to protect computers from malware. Which of the following technical controls intercepts DOS and ROM BIOS calls and looks for malware-like actions?
A. Scanners
B. Active Monitors
C. Immunizer
D. Behavior blocker
View answer
Correct Answer: D
Question #25
Which of the following would be the BEST access control procedure?
A. The data owner formally authorizes access and an administrator implements the user authorization tables
B. Authorized staff implements the user authorization tables and the data owner sanctions them
C. The data owner and an IS manager jointly create and update the user authorization tables
D. The data owner creates and updates the user authorization tables
View answer
Correct Answer: B
Question #26
An IS auditor performing an independent classification of systems should consider a situation where functions could be performed manually at a tolerable cost for an extended period of time as:
A. critical
B. vital
C. sensitive
D. noncritical
View answer
Correct Answer: B
Question #27
The final decision to include a material finding in an audit report should be made by the:
A. audit committee
B. auditee's manager
C. IS auditor
D. CEO of the organization
View answer
Correct Answer: D
Question #28
Which of the following is a function of an IS steering committee?
A. Monitoring vendor-controlled change control and testing
B. Ensuring a separation of duties within the information's processing environment
C. Approving and monitoring major projects, the status of IS plans and budgets
D. Liaising between the IS department and the end users
View answer
Correct Answer: B
Question #29
The database administrator (DBA) suggests that DB efficiency can be improved by denormalizing some tables. This would result in:
A. loss of confidentiality
B. increased redundancy
C. unauthorized accesses
D. application malfunctions
View answer
Correct Answer: C
Question #30
A company has recently upgraded its purchase system to incorporate EDI transmissions. Which of the following controls should be implemented in the EDI interface to provide for efficient data mapping?
A. Key verification
B. One-for-one checking
C. Manual recalculations
D. Functional acknowledgements
View answer
Correct Answer: D
Question #31
The GREATEST advantage of using web services for the exchange of information between two systems is:
A. secure communications
B. improved performance
C. efficient interfacing
D. enhanced documentation
View answer
Correct Answer: C
Question #32
Which of the following is the MOST critical and contributes the greatest to the quality of data in a data warehouse?
A. Accuracy of the source data
B. Credibility of the data source
C. Accuracy of the extraction process
D. Accuracy of the data transformation
View answer
Correct Answer: A
Question #33
Which of the following statements INCORRECTLY describes anti-malware?
A.
B.
C.
D.
View answer
Correct Answer: A
Question #34
Which of the following is the protocol data unit (PDU) of the transport layer in the TCP/IP model?
A. Data
B. Segment
C. Packet
D. Frame
View answer
Correct Answer: C
Question #35
Which of the following provides the framework for designing and developing logical access controls?
A. Information systems security policy
B. Access control lists
C. Password management
D. System configuration files
View answer
Correct Answer: B
Question #36
Which of the following is the BEST type of program for an organization to implement to aggregate, correlate and store different log and event files, and then produce weekly and monthly reports for IS auditors?
A. A security information event management (SIEM) product
B. An open-source correlation engine
C. A log management tool
D. An extract, transform, load (ETL) system
View answer
Correct Answer: B
Question #37
Who is primarily responsible for storing and safeguarding the data?
A. Data Owner
B. Data User
C. Data Steward
D. Security Administrator
View answer
Correct Answer: D
Question #38
When reviewing an intrusion detection system (IDS), an IS auditor should be MOST concerned about which of the following?
A. Number of nonthreatening events identified as threatening
B. Attacks not being identified by the system
C. Reports/logs being produced by an automated tool
D. Legitimate traffic being blocked by the system
View answer
Correct Answer: D
Question #39
Which of the following is the MOST important element for the successful implementation of IT governance?
A. Implementing an IT scorecard
B. Identifying organizational strategies
C. Performing a risk assessment
D. Creating a formal security policy
View answer
Correct Answer: C
Question #40
Which of the following terms related to network performance refers to the actual rate at which information is transferred over a network?
A. Bandwidth
B. Throughput
C. Latency
D. Jitter
View answer
Correct Answer: C
Question #41
An IT steering committee should review information systems PRIMARILY to assess:
A. whether IT processes support business requirements
B. if proposed system functionality is adequate
C. the stability of existing software
D. the complexity of installed technology
View answer
Correct Answer: B
Question #42
When transmitting a payment instruction, which of the following will help verify that the instruction was not duplicated?
A. Use of a cryptographic hashing algorithm
B. Enciphering the message digest
C. Deciphering the message digest
D. A sequence number and time stamp
View answer
Correct Answer: A
Question #43
In a public key infrastructure, a registration authority:
A. verifies information supplied by the subject requesting a certificate
B. issues the certificate after the required attributes are verified and the keys are generated
C. digitally signs a message to achieve nonrepudiation of the signed message
D. registers signed messages to protect them from future repudiation
View answer
Correct Answer: A
Question #44
To gain an understanding of the effectiveness of an organization's planning and management of investments in IT assets, an IS auditor should review the:
A. enterprise data model
B. IT balanced scorecard (BSC)
C. IT organizational structure
D. historical financial statements
View answer
Correct Answer: A
Question #45
Which of the following network components is PRIMARILY set up to serve as a security measure by preventing unauthorized traffic between different segments of the network?
A. Firewalls
B. Routers
C. Layer 2 switches
D. VLANs
View answer
Correct Answer: B
Question #46
What can be very helpful to an IS auditor when determining the efficacy of a systems maintenance program?
A. Network-monitoring software
B. A system downtime log
C. Administration activity reports
D. Help-desk utilization trend reports
View answer
Correct Answer: B
Question #47
Which of the following PBX features provides the possibility to break into a busy line to inform another user of an important message?
A. Account Codes
B. Access Codes
C. Override
D. Tenanting
View answer
Correct Answer: B
Question #48
Which of the following attacks includes social engineering, link manipulation or web site forgery techniques?
A. Smurf attack
B. Traffic analysis
C.
D. Interrupt attack
View answer
Correct Answer: B
Question #49
Which of the following activities performed by a database administrator (DBA) should be performed by a different person?
A. Deleting database activity logs
B. Implementing database optimization tools
C. Monitoring database usage
D. Defining backup and recovery procedures
View answer
Correct Answer: A
Question #50
Once an organization has finished the business process reengineering (BPR) of all its critical operations, an IS auditor would MOST likely focus on a review of:
A. pre-BPR process flowcharts
B. post-BPR process flowcharts
C. BPR project plans
D. continuous improvement and monitoring plans
View answer
Correct Answer: C
Question #51
Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated?
A. Overlapping controls
B. Boundary controls
C. Access controls
D. Compensating controls
View answer
Correct Answer: B
Question #52
Which significant risk is introduced by running the file transfer protocol (FTP) service on a server in a demilitarized zone (DMZ)?
A. A user from within could send a file to an unauthorized person
B. FTP services could allow a user to download files from unauthorized sources
C. A hacker may be able to use the FTP service to bypass the firewall
D. FTP could significantly reduce the performance of a DMZ server
View answer
Correct Answer: D
Question #53
Which of the following would be the BEST method for ensuring that critical fields in a master record have been updated properly?
A. Field checks
B. Control totals
C. Reasonableness checks
D. A before-and-after maintenance report
View answer
Correct Answer: C
Question #54
A clerk changed the interest rate for a loan on a master file. The rate entered is outside the normal range for such a loan. Which of the following controls is MOST effective in providing reasonable assurance that the change was authorized?
A. The system will not process the change until the clerk's manager confirms the change by entering an approval code
B. The system generates a weekly report listing all rate exceptions and the report is reviewed by the clerk's manager
C. The system requires the clerk to enter an approval code
D. The system displays a warning message to the clerk
View answer
Correct Answer: C
Question #55
IT operations for a large organization have been outsourced. An IS auditor reviewing the outsourced operation should be MOST concerned about which of the following findings?
A. The outsourcing contract does not cover disaster recovery for the outsourced IT operations
B. The service provider does not have incident handling procedures
C. Recently a corrupted database could not be recovered because of library management problems
D. Incident logs are not being reviewed
View answer
Correct Answer: D
Question #56
Which of the following is MOST critical for the successful implementation and maintenance of a security policy?
A. Assimilation of the framework and intent of a written security policy by all appropriate parties
B. Management support and approval for the implementation and maintenance of a security policy
C. Enforcement of security rules by providing punitive actions for any violation of security rules
D. Stringent implementation, monitoring and enforcing of rules by the security officer through access control software
View answer
Correct Answer: B
Question #57
An IS auditor reviewing an accounts payable system discovers that audit logs are not being reviewed. When this issue is raised with management the response is that additional controls are not necessary because effective system access controls are in place. The BEST response the auditor can make is to:
A. review the integrity of system access controls
B. accept management's statement that effective access controls are in place
C. stress the importance of having a system control framework in place
D. review the background checks of the accounts payable staff
View answer
Correct Answer: B
Question #58
In transport mode, the use of the Encapsulating Security Payload (ESP) protocol is advantageous over the Authentication Header (AH) protocol because it provides:
A. connectionless integrity
B. data origin authentication
C. antireplay service
D. confidentiality
View answer
Correct Answer: A
Question #59
During the involuntary termination of an employee, which of the following is the MOST important step to be considered?
A. Get a written NDA agreement from an employee
B. Terminate all physical and logical access
C. Provide compensation in lieu of notice period
D. Do not communicate to the respective employee about the termination
View answer
Correct Answer: C
Question #60
As an outcome of information security governance, strategic alignment provides:
A. security requirements driven by enterprise requirements
B. baseline security following best practices
C. institutionalized and commoditized solutions
D. an understanding of risk exposure
View answer
Correct Answer: C
Question #61
Which of the following tests is an IS auditor performing when a sample of programs is selected to determine if the source and object versions are the same?
A. A substantive test of program library controls
B. A compliance test of program library controls
C. A compliance test of the program compiler controls
D. A substantive test of the program compiler controls
View answer
Correct Answer: A
Question #62
IT best practices for the availability and continuity of IT services should:
A. minimize costs associated with disaster-resilient components
B. provide for sufficient capacity to meet the agreed upon demands of the business
C. provide reasonable assurance that agreed upon obligations to customers can be met
D. produce timely performance metric reports
View answer
Correct Answer: D
Question #63
During an audit of the logical access control of an ERP financial system an IS auditor found some user accounts shared by multiple individuals. The user IDs were based on roles rather than individual identities. These accounts allow access to financial transactions on the ERP. What should the IS auditor do next?
A. Look for compensating controls
B. Review financial transactions logs
C. Review the scope of the audit
D. Ask the administrator to disable these accounts
View answer
Correct Answer: D
Question #64
What is the lowest level of the IT governance maturity model where an IT balanced scorecard exists?
A. Repeatable but Intuitive
B. Defined
C. Managed and Measurable
D. Optimized
View answer
Correct Answer: A
Question #65
Which of the following should be of PRIMARY concern to an IS auditor reviewing the management of external IT service providers?
A. Minimizing costs for the services provided
B. Prohibiting the provider from subcontracting services
C. Evaluating the process for transferring knowledge to the IT department
D. Determining if the services were provided as contracted
View answer
Correct Answer: A
Question #66
An IS auditor finds that a DBA has read and write access to production data. The IS auditor should:
A. accept the DBA access as a common practice
B. assess the controls relevant to the DBA function
C. recommend the immediate revocation of the DBA access to production data
D. review user access authorizations approved by the DBA
View answer
Correct Answer: C
Question #67
Naming conventions for system resources are important for access control because they:
A. ensure that resource names are not ambiguous
B. reduce the number of rules required to adequately protect resources
C. ensure that user access to resources is clearly and uniquely identified
D. ensure that internationally recognized names are used to protect resources
View answer
Correct Answer: A
Question #68
An IS auditor performing an application maintenance audit would review the log of program changes for the:
A. authorization of program changes
B. creation date of a current object module
C. number of program changes actually made
D. creation date of a current source program
View answer
Correct Answer: C
Question #69
Which are the two primary types of scanner used for protecting against malware?
A. Malware mask/signatures and Heuristic Scanner
B. Active and passive Scanner
C. Behavioral Blockers and immunizer Scanner
D. None of the above
View answer
Correct Answer: A
Question #70
Which of the following will prevent dangling tuples in a database?
A. Cyclic integrity
B. Domain integrity
C. Relational integrity
D. Referential integrity
View answer
Correct Answer: C
Question #71
Which of the following statements correctly describes the difference between the IPSec and SSH protocols?
A. IPSec works at the transport layer whereas SSH works at the network layer of the OSI model
B. IPSec works at the network layer whereas SSH works at the application layer of the OSI model
C. IPSec works at the network layer and SSH works at the transport layer of the OSI model
D. IPSec works at the transport layer and SSH works at the network layer of the OSI model
View answer
Correct Answer: C
Question #72
Which of the following is the protocol data unit (PDU) of the network interface layer in the TCP/IP model?
A. Data
B. Segment
C. Packet
D. Frame
View answer
Correct Answer: B
Question #73
When performing a database review, an IS auditor notices that some tables in the database are not normalized. The IS auditor should next:
A. recommend that the database be normalized
B. review the conceptual data model
C. review the stored procedures
D. review the justification
View answer
Correct Answer: C
Question #74
Which of the following controls would be MOST effective in ensuring that production source code and object code are synchronized?
A. Release-to-release source and object comparison reports
B. Library control software restricting changes to source code
C. Restricted access to source code and object code
D. Date and time-stamp reviews of source and object code
View answer
Correct Answer: D