Pattern of questions - CISA

I've been going through CISA study material and went through the practice questions database, I feel that at times the questions are a bit generic in nature. For example, we can rule out two possible choices but the remaining two possible choices both appear to be correct, compliant with CISA standards/guidelines. Now, the selection of choice is subjective and solely depends on the test maker's subjective analysis.

This is one bit that frustrates me as it appears that passing CISA exam will always be to some extent a matter of luck due to the aforementioned reasons. This question goes towards everyone who have passed the examination or planning to appear for one, and CISA test makers if there are any on these forums.

Find more posts tagged with

Comments

Hiskies

Here's an example.

Q. When evaluating the collective effect of preventive, detective and corrective controls within a process, an IS auditor should be aware of which of the following?

A. The point at which controls are exercised as data flow through the system
B. Only preventive and detective controls are relevant
C. Corrective controls can only be regarded as compensating
D. Classification allows an IS auditor to determine which controls are missing

What kind of question is this? I chose option D which is incorrect. Here's the explanation:

An IS auditor should focus on when controls are exercised as data flow through a computer system. Choice B is incorrect since corrective controls may also be relevant. Choice C is incorrect because corrective controls remove or reduce the effects of errors or irregularities and are not exclusively regarded as compensating controls. Choice D is incorrect and irrelevant, because the existence and function of controls is important, not the classification. ??? How do you confirm existence of controls without first classifying them?

Then I saw the following question.

Q. An IS auditor is reviewing risk and controls of a bank wire transfer system. To ensure that the bank's financial risk is properly addressed, the IS auditor will most likely review which of the following?

A. Privileged access to the wire transfer system
B. Wire transfer procedures
C. Fraud monitoring controls
D. Employee background checks

I will MOST likely review A,B and C which all appear to be correct. If the question stated that what I would MOST likely review at FIRST then I would've selected B.

Another one.

Q. Which of the following forms of evidence for the auditor would be considered the MOST reliable?

A. An oral statement from the auditee
B. The results of a test performed by an external IS auditor
C. An internally generated computer accounting report
D. A confirmation letter received from an outside source

In my opinion the most RELIABLE evidence would be a computer generated accounting report but it appears that the correct answer is test performed by an external IS auditor, even thou human element and detection risk is involved in such a report. If the question stated that which would be more USEFUL and COMPREHENSIVE then I would've went for B but as far as the accuracy/reliability is concerned, I don't see how an external auditor could assure that.

And then last but not the least for now.

Q. When testing program change requests, an IS auditor finds that the population of changes was too small to provide a reasonable level of assurance. What is the MOST appropriate action for the IS auditor to take?

A. Develop an alternate testing procedure.
B. Report the finding to management as a deficiency.
C. Perform a walk-through of the change management process.
D. Create additional sample changes to programs.

Supposedly correct answer is A with following explanation.

If a sample size objective cannot be met with the given data, the IS auditor would not be able to provide assurance regarding the testing objective. In this instance, the IS auditor should develop (with audit management approval) an alternate testing procedure. There is not enough evidence to report the finding as a deficiency. A walk-through should not be initiated until an analysis is performed to confirm that this could provide the required assurance. It would not be appropriate for an IS auditor to create sample data for the purpose of the audit.

Wouldn't I had initiated a walk through already prior to reviewing the actual change requests. If not then it would be reviewing forms before properly realizing and understanding how they were processed and for what they are being used for exactly.

Please share your opinion on these.

EXPL01TUS

Oh, I certainly agree! It seems as they subjectively pick-and-choose when they want to place emphasis on a single word... After putting myself into the ISACA mindset, here was my train of thought on the following question:

Which of the following BEST encrypts data on a mobile device?
A. Elliptical Curve Cryptography (ECC)
B. Data Encryption Standard (DES)
C. Advanced Encryption Services (AES)
D. The blowfish algorithm

I immediately narrowed this down to A and C. I leaned toward ECC, knowing that it's faster and less resource intensive, which would be better suited for mobile processors.

"But wait - the question doesn't ask which is BEST SUITED for mobile devices, it's asking what's the BEST for encryption, period," I thought.

I concluded the question is essentially asking, "Which of the following best encrypts data?" The prepositional phrase, "on a mobile device" is irrelevant, because an algorithm will result in the same ciphertext no matter the platform. Although ECC is less resource intensive and better suited for mobile encryption, AES still "[better] encrypts" data than ECC does (whether or not it's better suited for mobile platforms).

So, of course, ISACA elected to make 'A' the correct answer.

Naturally, you see, "mobile device" and you would think to answer ECC, but if you actually break the question down similarly to other questions, it seems like a trick. I hate having to guess which questions they're actually going to emphasize the verbiage. Sometimes, I'm seriously like, "Well, they put this word in there, but are they considering that a key part of the question this time? Because that would change my answer." >.<

EasyPeezy

I am having similar issues... The only saving grace is... because i was doing the tests a domain at a time, i had to assume that anything in domain 4 for example has a disaster recovery connotation although it might not be mentioned in the question. I am a CISSP, and this exam looks impossible.

colemic

Hiskies wrote: »

An IS auditor should focus on when controls are exercised as data flow through a computer system. Choice B is incorrect since corrective controls may also be relevant. Choice C is incorrect because corrective controls remove or reduce the effects of errors or irregularities and are not exclusively regarded as compensating controls. Choice D is incorrect and irrelevant, because the existence and function of controls is important, not the classification. ??? How do you confirm existence of controls without first classifying them?

Why would they need to be classified in order to evaluate them? While that would be a nice-to-have, out of all the choices offered, the book answer is correct, because the auditor’s goal is to validate the effectiveness of the controls, no classification is needed. The auditor is looking to make sure that the controls are applied when they are supposed to be called into action. If a technical control, for example, triggers on a certain action, the auditor’s job is to make sure that not only does the control activate when needed, but that is, in fact, the appropriate place for that particular control to be implemented.

Hiskies wrote: »

Q. Which of the following forms of evidence for the auditor would be considered the MOST reliable?

A. An oral statement from the auditee
B. The results of a test performed by an external IS auditor
C. An internally generated computer accounting report
D. A confirmation letter received from an outside source
In my opinion the most RELIABLE evidence would be a computer generated accounting report but it appears that the correct answer is test performed by an external IS auditor, even thou human element and detection risk is involved in such a report. If the question stated that which would be more USEFUL and COMPREHENSIVE then I would've went for B but as far as the accuracy/reliability is concerned, I don't see how an external auditor could assure that.

The external auditor is the most reliable, from an objectivity standpoint… I think you assumed that the only computer-generated report was the internally-generated one. There is a risk that internal elements could modify a report (even computer-based) to protect shortcomings by themselves or their department. The external auditor is completely independent, and will give an honest assessment (almost certainly using information gathered from computer-generated reports.)

Hiskies wrote: »

Q. When testing program change requests, an IS auditor finds that the population of changes was too small to provide a reasonable level of assurance. What is the MOST appropriate action for the IS auditor to take?
A. Develop an alternate testing procedure.
B. Report the finding to management as a deficiency.
C. Perform a walk-through of the change management process.
D. Create additional sample changes to programs.
Supposedly correct answer is A with following explanation.
If a sample size objective cannot be met with the given data, the IS auditor would not be able to provide assurance regarding the testing objective. In this instance, the IS auditor should develop (with audit management approval) an alternate testing procedure. There is not enough evidence to report the finding as a deficiency. A walk-through should not be initiated until an analysis is performed to confirm that this could provide the required assurance. It would not be appropriate for an IS auditor to create sample data for the purpose of the audit.
Wouldn't I had initiated a walk through already prior to reviewing the actual change requests. If not then it would be reviewing forms before properly realizing and understanding how they were processed and for what they are being used for exactly.

No, you probably would not have already done a walkthrough of the change management process, because the question indicates you are testing the change requests themselves, not the efficacy of the change management process. The issue is that the sample size of changes is too small, that in and of itself is not an indication that the process needs to be reviewed. The analysis portion would be to determine if the small amount of changes was a result of a shortcoming in the change management process.

As for the last question, you pretty much answered it in your logic – the mistake was in thinking that ‘on a mobile device’ wasn’t an important part of the question; it is. Taken as a whole statement, ECC is the best choice, because, as you said, it uses less resources, which are in fairly short supply on a mobile platform.

Think of it this way – would you have given the same answer if the question said ‘on a server’ or on a wearable device? The resource requirements do matter (not so much on the server, more so on the wearable device.)

Hope that helps some.

EXPL01TUS

Oh, here's another frustrating one:

For mission-critical applications with a low recovery time objective (RTO), the IS auditor would recommend the use of which of the following recovery strategies?

A. Mobile Site
B. Redundant Site
C. Hot Site
D. Reciprocal Agreements

I immediately boil it down to B and C. Although the application is "mission-critical," it has still been assigned a LOW (not zero) RTO. "Low" is relative and is definitively not zero. It would be most appropriate to have a hot site that can be up in a few hours, as it would be the most cost-effective solution to meet the RTO. A redundant site would also meet the RTO, but would be more costly to maintain with regard to time, human, and financial resources.

Of course, ISACA elected to make 'B' (Redundant site) the correct answer.

I hope they do better for the actual exam, because this is ridiculous.

EXPL01TUS

And another stupid one:

This question refers to the following diagram:

Internet <--> Firewall-1 <--> Mail Gateway <--> Firwall-2 <--> IDS

Email traffic from the Internet is routed via firewall-1 to the mail gateway. Mail is routed from the mail gateway, via firewall-2, to the mail recipients in the internal network. Other traffic is not allowed. For example, the firewalls do not allow direct traffic from the Internet to the internal network. The intrusion detection system (IDS) detects traffic for the internal network that did not originate from the mail gateway. The FIRST action triggered by the IDS should be to:

A. alert the appropriate staff
B. create an entry in the log
C. close firewall-2
D. close firewall-1

In my experience (SNORT), the first action triggered by an IDS is for the IDS to generate and log an event, or "create an entry in the log."

Of course, ISACA elects to make 'C' the correct answer.

I'm not an IDS or firewall engineer, but is it even possible for the IDS/IPS to "close" a firewall upon the generation of an event? I don't even think embedded modules (like Cisco IDS on an ASA) can shut down or disable an interface on the host firewall like that.

Is that a thing? Am I missing something here? Also, that's a stupid setup.

xiny

EXPL01TUS wrote: »

And another stupid one:

This question refers to the following diagram:

Internet <--> Firewall-1 <--> Mail Gateway <--> Firwall-2 <--> IDS

Email traffic from the Internet is routed via firewall-1 to the mail gateway. Mail is routed from the mail gateway, via firewall-2, to the mail recipients in the internal network. Other traffic is not allowed. For example, the firewalls do not allow direct traffic from the Internet to the internal network. The intrusion detection system (IDS) detects traffic for the internal network that did not originate from the mail gateway. The FIRST action triggered by the IDS should be to:

A. alert the appropriate staff
B. create an entry in the log
C. close firewall-2
D. close firewall-1

In my experience (SNORT), the first action triggered by an IDS is for the IDS to generate and log an event, or "create an entry in the log."

Of course, ISACA elects to make 'C' the correct answer.

I'm not an IDS or firewall engineer, but is it even possible for the IDS/IPS to "close" a firewall upon the generation of an event? I don't even think embedded modules (like Cisco IDS on an ASA) can shut down or disable an interface on the host firewall like that.

Is that a thing? Am I missing something here? Also, that's a stupid setup.

If the IDS and Firewall are the same brand, Cisco for example, then the IDS can request that the Firewall shutdown an interface on it's behalf. Obviously an IPS could just shut down it's own interface, but some IDS's do have the ability to make that kind of request as long as the interoperability is there with the Firewall.

The question doesn't out right say that the IDS has that capability though. But if it does then the order would be (1) Shutdown the Interface (2) Create a Log and (3) Alert the Staff

If a company has a DMZ specifically meant for Mail traffic tells me that they have HEAVY mail traffic. So in this setup you would use an IDS with the ability to shut down a firewalls interface as opposed to the overhead that can be caused by an IPS.

xiny

EXPL01TUS wrote: »

Oh, here's another frustrating one:

For mission-critical applications with a low recovery time objective (RTO), the IS auditor would recommend the use of which of the following recovery strategies?

A. Mobile Site
B. Redundant Site
C. Hot Site
D. Reciprocal Agreements

I immediately boil it down to B and C. Although the application is "mission-critical," it has still been assigned a LOW (not zero) RTO. "Low" is relative and is definitively not zero. It would be most appropriate to have a hot site that can be up in a few hours, as it would be the most cost-effective solution to meet the RTO. A redundant site would also meet the RTO, but would be more costly to maintain with regard to time, human, and financial resources.

Of course, ISACA elected to make 'B' (Redundant site) the correct answer.

I hope they do better for the actual exam, because this is ridiculous.

After thinking about it this actually makes a lot of sense. The first thing is, one of the answers is Hot Site so that makes me assume that the Redundant Site is being considered a Cold Site.

Since these are Low RTO's, meaning they do not take a long time to get up and running, means you would use a redundant site. You could use a Hot Site but the company would ultimately waste money to keep the site up 24/7 (which is what a hot site is meant to be).

So the answer would be redundant site. Basically what you should pull from this question is that you shouldn't use a Hot Site (An Expensive, needs to be up 24/7 site) for Low RTO Applications.

xiny

Q. An IS auditor is reviewing risk and controls of a bank wire transfer system. To ensure that the bank's financial risk is properly addressed, the IS auditor will most likely review which of the following?

A. Privileged access to the wire transfer system
B. Wire transfer procedures
C. Fraud monitoring controls
D. Employee background checks

I'm an IT Manager/InfoSec Officer of a bank so i'm going to chime in on this question as well.
I would Select answer (B).

When i get audited by the FDIC (by people with CISA Certification) the first thing they look at when auditing our Wire Transfer Controls is HOW they are being performed and then by WHO.

Because privileged access controls and fraud monitoring controls do not do you jack diddly squat if the Wire Transfer Procedures can be abused. Basically, your controls are based upon how you you DO your Wire Transfer aka the procedure.

EXPL01TUS

Thanks for the perspective, xiny. For the hot site/redundant site question, I was considering "redundant site" to be, essentially, a failover/mirror site.

ISACA defines a redundant site as, "A recovery strategy involving the duplication of key IT components, including data or other key business processes, whereby fast recovery can take place."

I guess, technically, all mirror/hot/warm/cold sites are "redundant" sites, and you'd have to presume they are referring to a cold site based on the nature of the remaining potential distractors in the question.

Also, xiny, you should totally go back and take the Security+ exam so you can arrange your CompTIA certifications as P+L+A+N+S+ (Or P+L+A+N+ right now). I have no idea why that crossed my mind.

xiny

EXPL01TUS wrote: »

Also, xiny, you should totally go back and take the Security+ exam so you can arrange your CompTIA certifications as P+L+A+N+S+ (Or P+L+A+N+ right now). I have no idea why that crossed my mind.

lol, Done.

Aaronsmity

EXPL01TUS wrote: »

And another stupid one:

This question refers to the following diagram:

Internet <--> Firewall-1 <--> Mail Gateway <--> Firwall-2 <--> IDS

Email traffic from the Internet is routed via firewall-1 to the mail gateway. Mail is routed from the mail gateway, via firewall-2, to the mail recipients in the internal network. Other traffic is not allowed. For example, the firewalls do not allow direct traffic from the Internet to the internal network. The intrusion detection system (IDS) detects traffic for the internal network that did not originate from the mail gateway. The FIRST action triggered by the IDS should be to:

A. alert the appropriate staff
B. create an entry in the log
C. close firewall-2
D. close firewall-1

In my experience (SNORT), the first action triggered by an IDS is for the IDS to generate and log an event, or "create an entry in the log."

Of course, ISACA elects to make 'C' the correct answer.

I'm not an IDS or firewall engineer, but is it even possible for the IDS/IPS to "close" a firewall upon the generation of an event? I don't even think embedded modules (like Cisco IDS on an ASA) can shut down or disable an interface on the host firewall like that.

Is that a thing? Am I missing something here? Also, that's a stupid setup.

xiny wrote: »

If the IDS and Firewall are the same brand, Cisco for example, then the IDS can request that the Firewall shutdown an interface on it's behalf. Obviously an IPS could just shut down it's own interface, but some IDS's do have the ability to make that kind of request as long as the interoperability is there with the Firewall.

The question doesn't out right say that the IDS has that capability though. But if it does then the order would be (1) Shutdown the Interface (2) Create a Log and (3) Alert the Staff

If a company has a DMZ specifically meant for Mail traffic tells me that they have HEAVY mail traffic. So in this setup you would use an IDS with the ability to shut down a firewalls interface as opposed to the overhead that can be caused by an IPS.

I know this was posted awhile back but just wanted to say ISACA must be reading this or you must have sent them an email regarding it because this question is still in their 2015 database CD which I am running through right now but they have CHANGED THE ANSWER to "B", create an entry in the log. In all honesty I think answer "C" to close the firewall is still the best answer from a risk standpoint. Closing firewall-2 FIRST mitigates the risk of possible malicious packets entering the internal network IMMEDIATELY, whereas a log just sits there until someone reads it. By the time someone gets around to reviewing the log there could be packets subverting firewall-2 into the internal network causing an exploitation, DoS, etc... I will agree that in most IDS default configurations the log will be the first thing created, but as auditors we are concerned about mitigating the risk, not knowing what the usual IDS default configuration is then accepting it. This does not give me much confidence in what I paid for, if ISACA is changing their database answers year to year then we should be given the ability to assess the questions we got wrong on the official exam and plead our case, it could mean the difference between pass and fail. I mean if they cant get the OFFICIAL practice questions database accurate, what assurances do we have that the official exam is any different? End Rant.

colemic

I can't speak to your frustrations with ISACA, but as to the correct answer - it is B. From a security risk perspective, C would be the most correct - until closing that interface on the firewall completely shut down the business, until the alert was reviewed, analyzed, and interface reopened. That could mean an false positive could cripple business activities. For critical business systems, that is an entirely unacceptable risk mitigation model that would be laughed out of the room. Additionally, it's an IDS - detection. Meaning ALL it can do is alert. If it were IPS, it would be able to initiate responses in accordance with its rule set.

Aaronsmity

A. The first action taken by an intrusion detection system
(IDS) will be to create a log entry and then alert the administrator.

B. Creating an entry in the log is the first step taken by a network
IDS. The IDS may also be configured to send an alert to the administrator, send
a note to the firewall and may even be configured to record the suspicious
packet.

C. Traffic for the internal network that did not originate
from the mail gateway is a sign that firewall-1 is not functioning properly.
This may have been be caused by an attack from a hacker. After the IDS has
logged the suspicious traffic, it may signal firewall-2 to close, thus
preventing damage to the internal network. After closing firewall-2, the
malfunctioning of firewall-1 can be investigated. The IDS should trigger the
closing of firewall-2 either automatically or by manual intervention. Between
the detection by the IDS and a response from the system administrator, valuable
time can be lost, in which a hacker could also compromise firewall-2.

D. The IDS will usually only protect the internal network by
closing firewall-2 and will not close the externally facing firewall-1.

Aaronsmity

judging by these ISACA answers, they make it sound like they were looking for what an IDS normally does, not what would mitigate the most risk. The mail gateway has nothing to do with the risk present from their wording, the firewall has been subverted and now unwanted packets are entering the network. The mail gateway may still be working, but other packets are now entering the network not originating from the mail gateway which is the problem.. I don't know, I think this questions has some serious holes in how it is worded and as well as the logic behind the answers from ISACA. It would boil down to which risk is more acceptable that the other, packets not originating from the mail gateway into the internal network, or people on the internal network not receiving data from the mail gateway.

colemic

The ISACA answer is incorrect. It is confusing IDS with IPS.

seuss_ssues

xiny wrote: »

After thinking about it this actually makes a lot of sense. The first thing is, one of the answers is Hot Site so that makes me assume that the Redundant Site is being considered a Cold Site.

Since these are Low RTO's, meaning they do not take a long time to get up and running, means you would use a redundant site. You could use a Hot Site but the company would ultimately waste money to keep the site up 24/7 (which is what a hot site is meant to be).

So the answer would be redundant site. Basically what you should pull from this question is that you shouldn't use a Hot Site (An Expensive, needs to be up 24/7 site) for Low RTO Applications.

I believe you have concept of RTO applied incorrectly. A Low RTO would indicate that you want to recover quickly (recover in a short (low) amount of time regardless of how difficult the recovery task is. In this situation a redundant site would allow faster recovery than a hot site for a "mission critical" task.....at least thats my take on it.

riyan

As you correctly pointed out there is generally two techniques to reach to the correct answer:
* You read the question and then you can think of answer before reading choices what would be the correct one, these questions are those that you have very good knowledge about the subject.
* You read the question but can not think of possible answer before reading the choice, in these cases you best best would be to use power of elimination. I.E remove the most irrelevant ones than then pick the one that you cannot eliminate.