CISA Exam Questions and Answers Guide

John is the product manager for an information system that underwent a security review by an IS auditor. The auditor identified some security risks. John decided to apply appropriate security controls to reduce the risks, as suggested by the auditor. Applying security controls to reduce risks is an example of risk mitigation, which treats identified risks by decreasing their level through countermeasures.

Uploaded by

Virat Arya
Isaca CISA

Certified Information Systems Auditor



Question 1
A shared resource matrix is a technique commonly used to locate:

Options:

A. Malicious code

B. Security flaws

C. Trap doors

D. Covert channels

Answer: D

Explanation:
Analyzing the shared resources of a system is one standard technique for locating covert channels, because
the basis of a covert channel is a shared resource. The matrix lists each attribute of a shared object against
the primitives that can reference or modify it; an attribute that one process can modify and another process
can observe is a candidate channel.
The following properties must hold for a storage channel to exist:
1. Both sending and receiving process must have access to the same attribute of a shared object.
2. The sending process must be able to modify the attribute of the shared object.
3. The receiving process must be able to reference that attribute of the shared object.
4. A mechanism for initiating both processes and properly sequencing their respective accesses to the
shared resource must exist.
Note: similar properties can be listed for a timing channel.
The following answers are incorrect:
All other answers were not directly related to discovery of Covert Channels.
The following reference(s) were/was used to create this question:
Acerbic Publications, Acerbic Publications (Test Series) - CRC Press LLC, Page No. 225
[Link]
[Link]
[Link]
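The shared resource matrix method described above, worked through on a constructed example. This is an added illustration, not code from the source; the toy kernel interface (primitive names such as write_file, get_errno and the attributes they touch) is invented for the demonstration. The reference relation is closed transitively first, as in Kemmerer's method, so that an attribute which no primitive reads directly is still found when its state leaks through another attribute (here, free disk space surfacing through errno).

```python
"""Shared resource matrix analysis for covert storage channels.

Rows are attributes of shared objects, columns are primitives; 'R' means
the primitive references the attribute, 'M' that it modifies it.  After a
transitive closure of the reference relation (a primitive that reads a and
writes b leaks a to every reader of b), any attribute with both a modifier
and a reader is a candidate channel to check against properties 1-4."""
from typing import Dict, Set, Tuple

Matrix = Dict[str, Dict[str, Set[str]]]

# Constructed matrix for illustration; the primitive names are invented.
TOY_MATRIX: Matrix = {
    "file.contents":    {"read_file": {"R"}, "write_file": {"M"}},
    "file.size":        {"write_file": {"M"}, "stat_file": {"R"}},
    "file.locked":      {"lock_file": {"R", "M"}, "unlock_file": {"M"}, "is_locked": {"R"}},
    # Nothing reads free space directly, but write_file consults it and
    # reports the outcome through errno, which the closure step exposes.
    "disk.free_blocks": {"write_file": {"R", "M"}, "delete_file": {"M"}},
    "proc.errno":       {"write_file": {"M"}, "get_errno": {"R"}},
    "proc.cpu_quota":   {"set_quota": {"M"}},   # modified but never referenced
    "sys.clock":        {"get_time": {"R"}},    # referenced but never modified
}


def split(matrix: Matrix) -> Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]:
    """Per attribute, the sets of primitives that reference / modify it."""
    refs = {a: {p for p, ops in prims.items() if "R" in ops} for a, prims in matrix.items()}
    mods = {a: {p for p, ops in prims.items() if "M" in ops} for a, prims in matrix.items()}
    return refs, mods


def close_references(matrix: Matrix) -> Dict[str, Set[str]]:
    """Transitive closure of the reference relation (direct + indirect)."""
    refs, mods = split(matrix)
    primitives = {p for prims in matrix.values() for p in prims}
    changed = True
    while changed:
        changed = False
        for p in primitives:
            read_by_p = [a for a in matrix if p in refs[a]]
            written_by_p = [b for b in matrix if p in mods[b]]
            for a in read_by_p:
                for b in written_by_p:
                    if a == b:
                        continue
                    for q in list(refs[b]):      # every reader of b now sees a
                        if q not in refs[a]:
                            refs[a].add(q)
                            changed = True
    return refs


def find_storage_channels(matrix: Matrix) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Attributes with a sender side (modifier) and a receiver side (reader).
    Property 4 (a way to sequence the two processes) still needs manual review."""
    refs = close_references(matrix)
    _, mods = split(matrix)
    return {a: (mods[a], refs[a]) for a in matrix if mods[a] and refs[a]}


if __name__ == "__main__":
    for attr, (senders, receivers) in sorted(find_storage_channels(TOY_MATRIX).items()):
        print(f"{attr:18} send via {sorted(senders)}  receive via {sorted(receivers)}")
```

Attributes such as file.contents are flagged too; the analyst then discounts those whose reference path is already mediated by the access control policy and concentrates on the rest (the lock bit, the file size, free disk space), which is where real storage channels tend to hide.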

Question 2

You are part of a security staff at a highly profitable bank and each day, all traffic on the network is logged
for later review. Every Friday when major deposits are made you're seeing a series of bits placed in the
"Urgent Pointer" field of a TCP packet. This is only 16 bits which isn't much but it concerns you because:

Options:

A. This could be a sign of covert channeling in bank network communications and should be investigated.

B. It could be a sign of a damaged network cable causing the issue.

C. It could be a symptom of a malfunctioning network card or drivers and the source system should be checked for the problem.

D. It is normal traffic because sometimes the previous field's 16-bit checksum value can overrun into the urgent pointer's 16-bit field, causing the condition.

Answer: A

Explanation:
The URG flag and the Urgent Pointer field mark data that the sender wants the receiver to handle ahead of
the normal byte stream. Most TCP/IP stacks deliver it as Out Of Band (OOB) data: the socket API signals
the application (SIGURG, or an exception condition on the socket) and the urgent byte is read with MSG_OOB,
out of sequence with the rest of the receive queue. Per RFC 793 the Urgent Pointer is only meaningful in
segments that have the URG flag set, so a non-zero pointer in ordinary traffic is already anomalous.
The Urgent Pointer is usually used in Telnet, where an immediate response (e.g. the echoing of characters)
is desirable.
Covert channels are not synonymous with backdoors. A covert channel is simply a use of a communication
protocol in a way it was not intended to be used, or a way of sending data without going through the
proper access control mechanisms or channels. For example, in a Mandatory Access Control system a user
at Secret has found a way to communicate information to a user at Confidential without going through the
normal channels.
In this case the Urgent bit could be used for a few reasons:
1. Denial of service: a host receiving a segment with the Urgent bit set gives it immediate attention and
then waits for the urgent data; if the sender never sends it, the connection sits idle until it times out. Some
TCP/IP stacks used to have a 600-second timeout, which means that for 10 minutes nobody could use the
port. Sending thousands of segments with the URG flag set would therefore make a very effective denial of
service attack.
2. A client/server application could use the field to transmit data back and forth without going through the
proper channels. It would be slow, but reserved fields and bits can be used to carry data outside the normal
communication channels.
The other answers are incorrect
The following reference(s) were/was used to create this question:

[Link] document covering the subject of covert channels


and also see:
[Link] which is a large collection of documents on Covert Channels
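Detection logic for the scenario in this question, as an added example that is not part of the source. The traffic is constructed in memory (two ordinary HTTPS segments, one legitimate Telnet Synch that marks a Data Mark byte urgent, and four segments that smuggle the string DEPOSITS two bytes at a time in the urgent pointer), so it runs offline. The rules follow from the protocol: the pointer is meaningful only when URG is set, and URG should point inside the carried data; the non-Telnet rule is a site heuristic and is labelled as such.

```python
"""Detecting misuse of the TCP Urgent Pointer as a covert channel on
constructed sample segments."""
import struct
from typing import List, NamedTuple

TCP_HDR = "!HHIIHHHH"   # sport, dport, seq, ack, offset+flags, window, checksum, urgptr
FLAG_URG, FLAG_ACK, FLAG_PSH = 0x020, 0x010, 0x008
TELNET = 23             # the one service where URG is routinely seen


class Segment(NamedTuple):
    sport: int
    dport: int
    seq: int
    flags: int
    urgptr: int
    payload: bytes


def build_segment(sport: int, dport: int, seq: int, flags: int,
                  urgptr: int = 0, payload: bytes = b"") -> bytes:
    """Serialise a 20-byte TCP header (no options) plus payload.
    Checksum is left zero; it is irrelevant to the detection logic."""
    off_flags = (5 << 12) | (flags & 0x1FF)
    return struct.pack(TCP_HDR, sport, dport, seq, 0, off_flags, 65535, 0, urgptr) + payload


def parse_segment(raw: bytes) -> Segment:
    sport, dport, seq, _ack, off_flags, _win, _csum, urgptr = struct.unpack(TCP_HDR, raw[:20])
    data_off = (off_flags >> 12) * 4
    return Segment(sport, dport, seq, off_flags & 0x1FF, urgptr, raw[data_off:])


def anomalies(seg: Segment) -> List[str]:
    """Reasons a segment's urgent fields look abused (empty list = clean)."""
    reasons = []
    if seg.urgptr and not seg.flags & FLAG_URG:
        reasons.append("urgent pointer set while URG flag is clear")
    if seg.flags & FLAG_URG:
        if seg.urgptr > len(seg.payload):
            reasons.append("URG points beyond the carried data")
        if TELNET not in (seg.sport, seg.dport):
            reasons.append("URG used on a non-Telnet service")   # heuristic, tune per site
    return reasons


def extract_covert_bytes(segments: List[Segment]) -> bytes:
    """Reassemble the 16-bit pointer values of suspicious segments in sequence order."""
    suspects = sorted((s for s in segments if anomalies(s)), key=lambda s: s.seq)
    return b"".join(struct.pack("!H", s.urgptr) for s in suspects)


def sample_traffic() -> List[bytes]:
    """Constructed Friday traffic (invented, not a real capture)."""
    flows = [
        build_segment(51000, 443, 1000, FLAG_ACK, payload=b"\x17\x03\x03\x00\x20" + b"\x00" * 32),
        build_segment(51000, 443, 1037, FLAG_ACK | FLAG_PSH, payload=b"\x17\x03\x03\x00\x10" + b"\x00" * 16),
        # Telnet Synch: DM byte (0xff 0xf2) carried as urgent data, legitimate
        build_segment(52000, TELNET, 500, FLAG_ACK | FLAG_PSH | FLAG_URG, urgptr=1, payload=b"\xff\xf2"),
    ]
    secret = b"DEPOSITS"
    for i in range(0, len(secret), 2):
        word = int.from_bytes(secret[i:i + 2], "big")
        flows.append(build_segment(53000, 443, 2000 + i, FLAG_ACK, urgptr=word))
    return flows


def report(raw_segments: List[bytes]) -> bytes:
    segs = [parse_segment(r) for r in raw_segments]
    for s in segs:
        for why in anomalies(s):
            print(f"{s.sport}->{s.dport} seq={s.seq} urgptr=0x{s.urgptr:04x}: {why}")
    return extract_covert_bytes(segs)


if __name__ == "__main__":
    print("recovered:", report(sample_traffic()))
```

On real logs the same rules would run over the TCP layer of each captured packet; the point of keeping the Telnet Synch in the sample is that a rule based only on "URG seen" would raise a false positive there, while the pointer-without-flag rule fires only on the smuggled segments.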

Question 3
John is the product manager for an information system. His product has undergone a security review by an
IS auditor. John has decided to apply appropriate security controls to reduce the security risks identified by
the IS auditor. Which of the following techniques is John using to treat the identified risks?

Options:

A. Risk Mitigation

B. Risk Acceptance

C. Risk Avoidance

D. Risk transfer

Answer: A

Explanation:
Risk mitigation is the practice of eliminating, or significantly decreasing the level of, the risk presented.
For your exam you should know the following information about risk assessment and treatment:
A risk assessment, which is a tool for risk management, is a method of identifying vulnerabilities and
threats and assessing the possible impacts to determine where to implement security controls. A risk
assessment is carried out, and the results are analyzed. Risk analysis is used to ensure that security is
cost-effective, relevant, timely, and responsive to threats. Security can be quite complex, even for well-
versed security professionals, and it is easy to apply too much security, not enough security, or the wrong
security controls, and to spend too much money in the process without attaining the necessary objectives.
Risk analysis helps companies prioritize their risks and shows management the amount of resources that
should be applied to protecting against those risks in a sensible manner.
A risk analysis has four main goals:
Identify assets and their value to the organization.
Identify vulnerabilities and threats.
Quantify the probability and business impact of these potential threats.
Provide an economic balance between the impact of the threat and the cost of the countermeasure.
Treating Risk
Risk Mitigation
Risk mitigation is the practice of the elimination of, or the significant decrease in the level of risk presented.
Examples of risk mitigation can be seen in everyday life and are readily apparent in the information
technology world. Risk mitigation involves applying appropriate controls to reduce risk. For example, to
lessen the risk of exposing personal and financial information that is highly sensitive and confidential
organizations put countermeasures in place, such as firewalls, intrusion detection/prevention systems, and
other mechanisms, to deter malicious outsiders from accessing this highly sensitive information. In the


underage driver example, risk mitigation could take the form of driver education for the youth or
establishing a policy not allowing the young driver to use a cell phone while driving, or not letting youth of a
certain age have more than one friend in the car as a passenger at any given time.
Risk Transfer
Risk transfer is the practice of passing on the risk in question to another entity, such as an insurance
company. Let us look at one of the examples that were presented above in a different way. The family is
evaluating whether to permit an underage driver to use the family car. The family decides that it is
important for the youth to be mobile, so it transfers the financial risk of a youth being in an accident to the
insurance company, which provides the family with auto insurance.
It is important to note that the transfer of risk may be accompanied by a cost. This is certainly true for the
insurance example presented earlier, and can be seen in other insurance instances, such as liability
insurance for a vendor or the insurance taken out by companies to protect against hardware and software
theft or destruction. This may also be true if an organization must purchase and implement security
controls in order to make their organization less desirable to attack. It is important to remember that not all
risk can be transferred. While financial risk is simple to transfer through insurance, reputational risk may
almost never be fully transferred.
Risk Avoidance
Risk avoidance is the practice of coming up with alternatives so that the risk in question is not realized. For
example, have you ever heard a friend, or parents of a friend, complain about the costs of insuring an
underage driver? How about the risks that many of these children face as they become mobile? Some of
these families will decide that the child in question will not be allowed to drive the family car, but will rather
wait until he or she is of legal age (i.e., 18 years of age) before committing to owning, insuring, and driving
a motor vehicle.
In this case, the family has chosen to avoid the risks (and any associated benefits) associated with an
underage driver, such as poor driving performance or the cost of insurance for the child. Although this
choice may be available for some situations, it is not available for all. Imagine a global retailer who,
knowing the risks associated with doing business on the Internet, decides to avoid the practice. This
decision will likely cost the company a significant amount of its revenue (if, indeed, the company has
products or services that consumers wish to purchase). In addition, the decision may require the company
to build or lease a site in each of the locations, globally, for which it wishes to continue business. This could
have a catastrophic effect on the company’s ability to continue business operations.
Risk Acceptance
In some cases, it may be prudent for an organization to simply accept the risk that is presented in certain
scenarios. Risk acceptance is the practice of accepting certain risk(s), typically based on a business
decision that may also weigh the cost versus the benefit of dealing with the risk in another way.
For example, an executive may be confronted with risks identified during the course of a risk assessment
for their organization. These risks have been prioritized by high, medium, and low impact to the
organization. The executive notes that in order to mitigate or transfer the low-level risks, significant costs
could be involved. Mitigation might involve the hiring of additional highly skilled personnel and the purchase
of new hardware, software, and office equipment, while transference of the risk to an insurance company
would require premium payments. The
executive then further notes that minimal impact to the organization would occur if any of the reported low-
level threats were realized. Therefore, he or she (rightly) concludes that it is wiser for the organization to
forgo the costs and accept the risk. In the young driver example, risk acceptance could be based on the


observation that the youngster has demonstrated the responsibility and maturity to warrant the parent’s
trust in his or her judgment.
The following answers are incorrect:
Risk Transfer - Risk transfer is the practice of passing on the risk in question to another entity, such as an
insurance company. Let us look at one of the examples that were presented above in a different way.
Risk Avoidance - Risk avoidance is the practice of coming up with alternatives so that the risk in question is
not realized.
Risk Acceptance - Risk acceptance is the practice of accepting certain risk(s), typically based on a
business decision that may also weigh the cost versus the benefit of dealing with the risk in another way.
The following reference(s) were/was used to create this question:
CISA Review Manual 2014 Page number 51
Official ISC2 guide to CISSP CBK 3rd edition page number 383,384 and 385

Question 4
Sam is the security manager of a financial institution. Senior management has requested that he perform a
risk analysis on all critical vulnerabilities reported by an IS auditor. After completing the risk analysis, Sam
has observed that for a few of the risks the cost-benefit analysis shows that the cost of risk mitigation
(countermeasures, controls or safeguards) exceeds the potential loss that could be incurred. What kind of
strategy should Sam recommend to senior management to treat these risks?

Options:

A. Risk Mitigation

B. Risk Acceptance

C. Risk Avoidance

D. Risk transfer

Answer: B

Explanation:
Risk acceptance is the practice of accepting certain risk(s), typically based on a business decision that may
also weigh the cost versus the benefit of dealing with the risk in another way.
The background on risk assessment and the four risk treatment options (mitigation, transfer, avoidance,
acceptance) is given in full under Question 3 and is not repeated here.
The following answers are incorrect:
Risk Transfer - Risk transfer is the practice of passing on the risk in question to another entity, such as an
insurance company. Let us look at one of the examples that were presented above in a different way.
Risk Avoidance - Risk avoidance is the practice of coming up with alternatives so that the risk in question is
not realized.
Risk Mitigation -Risk mitigation is the practice of the elimination of, or the significant decrease in the level of
risk presented.
The following reference(s) were/was used to create this question:
CISA Review Manual 2014 Page number 51
and
Official ISC2 guide to CISSP CBK 3rd edition page number 534-539
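The cost-benefit comparison Sam performs, as an added example that is not part of the source. It uses the annualized loss expectancy model (ALE = SLE × ARO): a control is worth buying when the annual loss it removes exceeds its annual cost, and where insurance is offered the premium is compared the same way. The three register entries and their figures are constructed for the illustration; the transfer calculation assumes the policy pays out the full loss, which real cover with deductibles and uninsurable reputational loss would not.

```python
"""Choosing mitigate / accept / transfer from annualized loss figures."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Risk:
    name: str
    sle: float                       # single loss expectancy, money per event
    aro: float                       # annualized rate of occurrence, events per year
    control_cost: float              # annual cost of the proposed countermeasure
    control_effect: float            # fraction of the loss the control removes (0..1)
    premium: Optional[float] = None  # annual insurance premium, if transfer is an option


def ale(sle: float, aro: float) -> float:
    return sle * aro


def evaluate(r: Risk) -> Dict[str, float]:
    """Net annual benefit of each treatment relative to doing nothing."""
    exposure = ale(r.sle, r.aro)
    residual = exposure * (1.0 - r.control_effect)      # what the control leaves behind
    result = {
        "accept": 0.0,                                   # baseline: carry the full exposure
        "mitigate": (exposure - residual) - r.control_cost,
    }
    if r.premium is not None:
        # Assumption: the insurer pays the full loss; deductibles and
        # uncovered (e.g. reputational) loss would reduce this figure.
        result["transfer"] = exposure - r.premium
    return result


def recommend(r: Risk) -> str:
    """Treatment with the highest net benefit; ties go to 'accept' since it costs nothing."""
    scores = evaluate(r)
    return max(scores, key=lambda k: (scores[k], k == "accept"))


def treatment_plan(register: List[Risk]) -> Dict[str, str]:
    return {r.name: recommend(r) for r in register}


# Constructed register (invented figures for the illustration)
REGISTER = [
    Risk("SQL injection in customer portal", sle=500_000, aro=0.2,
         control_cost=30_000, control_effect=0.9),
    Risk("Lobby kiosk defacement", sle=2_000, aro=1.0,
         control_cost=10_000, control_effect=0.95),
    Risk("Data centre fire", sle=3_000_000, aro=0.01,
         control_cost=200_000, control_effect=0.5, premium=12_000),
]


if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name:34} ALE={ale(r.sle, r.aro):>10,.0f}  "
              f"{evaluate(r)}  -> {recommend(r)}")
```

The kiosk entry is Sam's situation: the control would cost 10,000 a year to remove an exposure of 2,000, so acceptance is the rational recommendation, and the accepted residual risk should be recorded and revisited at the next assessment rather than forgotten.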

Question 5
Which of the following risk handling techniques involves being proactive so that the risk in question is not
realized?

Options:

A. Risk Mitigation

B. Risk Acceptance

C. Risk Avoidance

D. Risk transfer

Answer: C

Explanation:
Risk avoidance is the practice of coming up with alternatives so that the risk in question is not realized.
The background on risk assessment and the four risk treatment options (mitigation, transfer, avoidance,
acceptance) is given in full under Question 3 and is not repeated here.
The following answers are incorrect:
Risk Transfer - Risk transfer is the practice of passing on the risk in question to another entity, such as an
insurance company. Let us look at one of the examples that were presented above in a different way.
Risk Acceptance - Risk acceptance is the practice of accepting certain risk(s), typically based on a
business decision that may also weigh the cost versus the benefit of dealing with the risk in another way.
Risk Mitigation -Risk mitigation is the practice of the elimination of, or the significant decrease in the level of
risk presented
The following reference(s) were/was used to create this question:
CISA Review Manual 2014 Page number 51
and
Official ISC2 guide to CISSP CBK 3rd edition page number 534-536

Question 6
Which of the following controls is intended to discourage a potential attacker?

Options:

A. Deterrent

B. Preventive


C. Corrective

D. Recovery

Answer: A

Explanation:
Deterrent controls are intended to discourage a potential attacker.
For your exam you should know the following information about the different types of security controls:
Deterrent Controls
Deterrent Controls are intended to discourage a potential attacker. Access controls act as a deterrent to
threats and attacks by the simple fact that the existence of the control is enough to keep some potential
attackers from attempting to circumvent the control. This is often because the effort required to circumvent
the control is far greater than the potential reward if the attacker is successful, or, conversely, the negative
implications of a failed attack (or getting caught) outweigh the benefits of success. For example, by forcing
the identification and authentication of a user, service, or application, and all that it implies, the potential for
incidents associated with the system is significantly reduced because an attacker will fear association with
the incident. If there are no controls for a given access path, the number of incidents and the potential
impact are unbounded. Controls inherently reduce exposure to risk by applying oversight for a process.
This oversight acts as a deterrent, curbing an attacker’s appetite in the face of probable repercussions.
The best example of a deterrent control is demonstrated by employees and their propensity to intentionally
perform unauthorized functions, leading to unwanted events.
When users begin to understand that by authenticating into a system to perform a function, their activities
are logged and monitored, and it reduces the likelihood they will attempt such an action. Many threats are
based on the anonymity of the threat agent, and any potential for identification and association with their
actions is avoided at all costs.
It is this fundamental reason why access controls are the key target of circumvention by attackers.
Deterrents also take the form of potential punishment if users do something unauthorized. For example, if
the organization’s policy specifies that an employee installing an unauthorized wireless access point will be
fired, that will deter most employees from installing wireless access points.
Preventative Controls
Preventive controls are intended to avoid an incident from occurring. Preventative access controls keep a
user from performing some activity or function. Preventative controls differ from deterrent controls in that
the control is not optional and cannot (easily) be bypassed. Deterrent controls work on the theory that it is
easier to obey the control
rather than to risk the consequences of bypassing the control. In other words, the power for action resides
with the user (or the attacker). Preventative controls place the power of action with the system, obeying the
control is not optional. The only way to bypass the control is to find a flaw in the control’s implementation.
Compensating Controls
Compensating controls are introduced when the existing capabilities of a system do not support the
requirement of a policy. Compensating controls can be technical, procedural, or managerial. Although an
existing system may not support the required controls, there may exist other technology or processes that
can supplement the existing environment, closing the gap in controls, meeting policy requirements, and
reducing overall risk.

[Link]
Isaca CISA

For example, the access control policy may state that the authentication process must be encrypted when
performed over the Internet. Adjusting an application to natively support encryption for authentication
purposes may be too costly. Secure Sockets Layer (SSL), an encryption protocol, can be employed and
layered on top of the authentication process to support the policy statement.
Other examples include a separation of duties environment, which offers the capability to isolate certain
tasks to compensate for technical limitations in the system and ensure the security of transactions. In
addition, management processes, such as authorization, supervision, and administration, can be used to
compensate for gaps in the access control environment.
Detective Controls
Detective controls warn when something has happened, and are the earliest point in the post-incident
timeline. Access controls are a deterrent to threats and can be aggressively utilized to prevent harmful
incidents through the application of least privilege. However, the detective nature of access controls can
provide significant visibility into the access environment and help organizations manage their access
strategy and related security risk.
As mentioned previously, strongly managed access privileges provided to an authenticated user offer the
ability to reduce the risk exposure of the enterprise’s assets by limiting the capabilities that authenticated
user has. However, there are few options to control what a user can perform once privileges are provided.
For example, if a user is provided write access to a file and that file is damaged, altered, or otherwise
negatively impacted (either deliberately or unintentionally), the use of applied access controls will offer
visibility into the transaction. The control environment can be established to log activity regarding the
identification, authentication, authorization, and use of privileges on a system.
This can be used to detect the occurrence of errors, the attempts to perform an unauthorized action, or to
validate when provided credentials were exercised. The logging system as a detective device provides
evidence of actions (both successful and unsuccessful) and tasks that were executed by authorized users.
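The detective logging described above sits on top of a preventive check: the system, not the user, decides whether an action runs, and every decision, granted or denied, becomes an audit record that a detector can later examine for errors, unauthorized attempts, or evidence of when credentials were exercised. The following Python is an added illustration, not code from the CISA Review Manual or the CISSP guide; the principals, permissions, timestamps and the three-denials-in-five-minutes threshold are constructed sample values.

```python
"""Preventive enforcement plus detective review of the resulting audit trail.

Added example (not from the CISA/CISSP source text). All principals,
permissions, timestamps and thresholds are constructed sample data.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed authorization matrix: principal -> set of (resource, action).
PERMISSIONS = {
    "alice": {("payroll.csv", "read"), ("payroll.csv", "write")},
    "bob": {("payroll.csv", "read")},
}


@dataclass(frozen=True)
class AuditEvent:
    """One logged access decision: who, what, on which resource, and the outcome."""
    ts: datetime
    principal: str
    resource: str
    action: str
    allowed: bool


class AccessControl:
    """Preventive control: the operation runs only if policy grants it."""

    def __init__(self, permissions):
        self._permissions = permissions
        self.audit_log = []  # detective groundwork: every attempt is recorded

    def perform(self, principal, resource, action, now, operation):
        allowed = (resource, action) in self._permissions.get(principal, set())
        # Log before deciding, so denied attempts are evidenced as well as successes.
        self.audit_log.append(AuditEvent(now, principal, resource, action, allowed))
        if not allowed:
            raise PermissionError(f"{principal} may not {action} {resource}")
        return operation()


def repeated_denials(events, threshold=3, window=timedelta(minutes=5)):
    """Detective control: principals with >= threshold denials inside a sliding window."""
    recent = defaultdict(deque)
    flagged = set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.allowed:
            continue
        q = recent[ev.principal]
        q.append(ev.ts)
        while q and ev.ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ev.principal)
    return flagged


def demo():
    """Constructed scenario: one authorized write, then three unauthorized write attempts."""
    ac = AccessControl(PERMISSIONS)
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    store = {"payroll.csv": "original"}

    # alice holds write permission, so the system lets the change through.
    ac.perform("alice", "payroll.csv", "write", t0,
               lambda: store.update({"payroll.csv": "edited"}))

    # bob holds read only; the control (not bob's restraint) blocks each write.
    denied = 0
    for i in range(3):
        try:
            ac.perform("bob", "payroll.csv", "write", t0 + timedelta(minutes=i),
                       lambda: store.update({"payroll.csv": "tampered"}))
        except PermissionError:
            denied += 1

    return {
        "value": store["payroll.csv"],
        "denied": denied,
        "events": len(ac.audit_log),
        "flagged": repeated_denials(ac.audit_log),
    }


if __name__ == "__main__":
    print(demo())
```

`demo()` shows the two halves working together: the write by alice takes effect, the three writes by bob are refused by the system rather than left to bob's discretion (preventive), and `repeated_denials` picks bob out of the four audit records (detective). Because the log holds both the successful and the refused attempts, the same trail also serves as evidence of which credentials were exercised and when.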
Corrective Controls
When a security incident occurs, elements within the security infrastructure may require corrective actions.
Corrective controls are actions that seek to alter the security posture of an environment to correct any
deficiencies and return the environment to a secure state. A security incident signals the failure of one or
more directive, deterrent, preventative, or compensating controls. The detective controls may have
triggered an alarm or notification, but now the corrective controls must work to stop the incident in its
tracks. Corrective controls can take many forms, all depending on the particular situation at hand or the
particular security failure that needs to be dealt with.
Recovery Controls
Any changes to the access control environment, whether in the face of a security incident or to offer
temporary compensating controls, need to be accurately reinstated and returned to normal operations.
There are several situations that may affect access controls, their applicability, status, or management.
Events can include system outages, attacks, project changes, technical demands, administrative gaps, and
full-blown disaster situations. For example, if an application is not correctly installed or deployed, it may
adversely affect controls placed on system files or even have default administrative accounts unknowingly
implemented upon install.
Additionally, an employee may be transferred, quit, or be on temporary leave, any of which may affect policy
requirements regarding separation of duties. An attack on systems may have resulted in the implantation of
a Trojan horse program, potentially exposing private user information, such as credit card information and
financial data. In all of these cases, an undesirable situation must be rectified as quickly as possible and
controls returned to normal operations.

The following answers are incorrect:


Preventive - Preventive controls are intended to avoid an incident from occurring
Corrective - Corrective control fixes components or systems after an incident has occurred
Recovery - Recovery controls are intended to bring the environment back to regular operations
The following references were used to create this question:
CISA Review Manual 2014 Page number 44
and
Official ISC2 CISSP guide 3rd edition Page number 50 and 51

Question 7
Which of the following security controls is intended to avoid an incident from occurring?

Options:

A. Deterrent

B. Preventive

C. Corrective

D. Recovery

Answer: B

Explanation:
Preventive controls are intended to avoid an incident from occurring
The following answers are incorrect:
Deterrent - Deterrent controls are intended to discourage a potential attacker
Corrective - Corrective control fixes components or systems after an incident has occurred
Recovery - Recovery controls are intended to bring the environment back to regular operations
The following references were used to create this question:
CISA Review Manual 2014 Page number 44
and
Official ISC2 CISSP guide 3rd edition Page number 50 and 51

Question 8
Which of the following controls fixes a component or system after an incident has occurred?

Options:

A. Deterrent

B. Preventive

C. Corrective

D. Recovery

Answer: C

Explanation:
Corrective control fixes components or systems after an incident has occurred
The following answers are incorrect:
Deterrent - Deterrent controls are intended to discourage a potential attacker
Preventive - Preventive controls are intended to avoid an incident from occurring
Recovery - Recovery controls are intended to bring the environment back to regular operations
The following references were used to create this question:
CISA Review Manual 2014 Page number 44
and
Official ISC2 CISSP guide 3rd edition Page number 50 and 51

Question 9
Which of the following security controls is intended to bring the environment back to regular operation?

Options:

A. Deterrent

B. Preventive

C. Corrective

D. Recovery

Answer: D

Explanation:
Recovery controls are intended to bring the environment back to regular operations
The following answers are incorrect:
Deterrent - Deterrent controls are intended to discourage a potential attacker
Preventive - Preventive controls are intended to avoid an incident from occurring
Corrective - Corrective control fixes components or systems after an incident has occurred
The following references were used to create this question:
CISA Review Manual 2014 Page number 44
and
Official ISC2 CISSP guide 3rd edition Page number 50 and 51

Question 10
Which of the following controls helps to identify an incident's activities and potentially an intruder?

Options:

A. Deterrent

B. Preventive

C. Detective

D. Compensating

Answer: C

Explanation:
Detective control helps identify an incident’s activities and potentially an intruder
For your exam you should know the following information about the different security controls.
Deterrent Controls
Deterrent Controls are intended to discourage a potential attacker. Access controls act as a deterrent to
threats and attacks by the simple fact that the existence of the control is enough to keep some potential
attackers from attempting to circumvent the control. This is often because the effort required to circumvent
the control is far greater than the potential reward if the attacker is successful, or, conversely, the negative
implications of a failed attack (or getting caught) outweigh the benefits of success. For example, by forcing
the identification and authentication of a user, service, or application, and all that it implies, the potential for
incidents associated with the system is significantly reduced because an attacker will fear association with
the incident. If there are no controls for a given access path, the number of incidents and the potential
impact become infinite. Controls inherently reduce exposure to risk by applying oversight for a process.
This oversight acts as a deterrent, curbing an attacker’s appetite in the face of probable repercussions.
The best example of a deterrent control is demonstrated by employees and their propensity to intentionally

perform unauthorized functions, leading to unwanted events.
When users begin to understand that by authenticating into a system to perform a function, their activities
are logged and monitored, and it reduces the likelihood they will attempt such an action. Many threats are
based on the anonymity of the threat agent, and any potential for identification and association with their
actions is avoided at all costs.
It is this fundamental reason why access controls are the key target of circumvention by attackers.
Deterrents also take the form of potential punishment if users do something unauthorized. For example, if
the organization's policy specifies that an employee who installs an unauthorized wireless access point will be
fired, that will deter most employees from installing wireless access points.
Preventive Controls
Preventive controls are intended to stop an incident from occurring. Preventive access controls keep a
user from performing some activity or function. Preventive controls differ from deterrent controls in that
the control is not optional and cannot (easily) be bypassed. Deterrent controls work on the theory that it is
easier to obey the control than to risk the consequences of bypassing it; in other words, the power for action
resides with the user (or the attacker). Preventive controls place the power of action with the system, so
obeying the control is not optional. The only way to bypass the control is to find a flaw in the control's
implementation.
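The last sentence above is the practical point of a preventive control: the subject cannot opt out, so an attacker has to find a defect in the check itself. The following added example (not from the CISA manual or any real product; the policy table, user names and paths are constructed) shows a small deny-by-default reference monitor in Python, first with a typical implementation flaw, a plain string-prefix comparison that a path containing ".." walks straight past, and then hardened by canonicalizing the path and comparing on directory boundaries.

```python
"""Preventive control as a reference monitor: the system, not the user, decides.
Added illustration; POLICY, the subjects and the paths are constructed."""
import posixpath

# Constructed policy: (subject, action) -> directories the subject may touch.
# Anything not listed is denied (deny by default, least privilege).
POLICY = {
    ("alice", "read"): {"/data/public", "/data/finance"},
    ("alice", "write"): {"/data/finance"},
    ("bob", "read"): {"/data/public"},
}


def authorize_naive(subject, action, path):
    """Flawed check: a string prefix test without normalisation.
    "/data/public/../finance/ledger" passes because the string starts with
    "/data/public", and so does the unrelated directory "/data/publicX"."""
    allowed = POLICY.get((subject, action), set())
    return any(path.startswith(prefix) for prefix in allowed)


def authorize(subject, action, path):
    """Hardened check: canonicalise, then compare on path components.
    posixpath.normpath collapses "." and ".." lexically, so the comparison
    sees the directory the request would really reach."""
    if not path.startswith("/"):
        return False                        # relative paths are ambiguous: deny
    canonical = posixpath.normpath(path)
    allowed = POLICY.get((subject, action), set())
    for prefix in allowed:
        # Either the directory itself or something strictly below it.
        if canonical == prefix or canonical.startswith(prefix + "/"):
            return True
    return False                            # default deny


def demo():
    """Return (naive, hardened) decisions for a few constructed requests."""
    requests = [
        ("bob", "read", "/data/public/faq.txt"),                # legitimate
        ("bob", "read", "/data/public/../finance/ledger.csv"),  # traversal
        ("bob", "read", "/data/publicX/secret.txt"),            # sibling dir
        ("bob", "write", "/data/public/faq.txt"),               # no grant
        ("alice", "write", "/data/finance/q1.csv"),             # legitimate
    ]
    return [(authorize_naive(*r), authorize(*r)) for r in requests]


if __name__ == "__main__":
    for req, decision in zip(range(5), demo()):
        print(req, decision)
```

The normalisation here is lexical only: a real monitor that guards a filesystem must also resolve symbolic links (os.path.realpath) and should decode any transport encoding such as percent-encoding before the check, otherwise the same class of flaw reappears one layer up. The point of the test below is that the naive and hardened checks disagree exactly on the requests an attacker would craft.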
Compensating Controls
Compensating controls are introduced when the existing capabilities of a system do not support the
requirement of a policy. Compensating controls can be technical, procedural, or managerial. Although an
existing system may not support the required controls, there may exist other technology or processes that
can supplement the existing environment, closing the gap in controls, meeting policy requirements, and
reducing overall risk.
For example, the access control policy may state that the authentication process must be encrypted when
performed over the Internet. Adjusting an application to natively support encryption for authentication
purposes may be too costly. Secure Sockets Layer (SSL), an encryption protocol (today superseded by its
successor, Transport Layer Security, TLS), can be layered on top of the authentication exchange to satisfy the
policy statement without changing the application itself.
Other examples include a separation of duties environment, which offers the capability to isolate certain
tasks to compensate for technical limitations in the system and ensure the security of transactions. In
addition, management processes, such as authorization, supervision, and administration, can be used to
compensate for gaps in the access control environment.
Detective Controls
Detective controls warn when something has happened, and are the earliest point in the post-incident
timeline. Access controls are a deterrent to threats and can be aggressively utilized to prevent harmful
incidents through the application of least privilege. However, the detective nature of access controls can
provide significant visibility into the access environment and help organizations manage their access
strategy and related security risk.
As mentioned previously, strongly managed access privileges provided to an authenticated user offer the
ability to reduce the risk exposure of the enterprise’s assets by limiting the capabilities that authenticated
user has. However, there are few options to control what a user can perform once privileges are provided.
For example, if a user is provided write access to a file and that file is damaged, altered, or otherwise
negatively impacted (either deliberately or unintentionally), the use of applied access controls will offer
visibility into the transaction. The control environment can be established to log activity regarding the
identification, authentication, authorization, and use of privileges on a system.
This can be used to detect the occurrence of errors, the attempts to perform an unauthorized action, or to
validate when provided credentials were exercised. The logging system as a detective device provides
evidence of actions (both successful and unsuccessful) and tasks that were executed by authorized users.
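The paragraph above names three things a detective control should surface from the access log: errors and failed authentications, attempts to perform an unauthorized action, and proof of when issued credentials were actually exercised. The following added example (not from the CISA manual; the log format, hosts, users and timestamps are constructed) runs those three checks over a handful of sample log lines in Python, and adds the combination a reviewer cares about most, a successful login immediately after a run of failures.

```python
"""Detective control: mine an access log for the events the text describes.
Added illustration; SAMPLE_LOG and its format are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: AUTH lines record identification/authentication,
# ACCESS lines record authorization decisions on a privilege.
SAMPLE_LOG = """\
2024-05-01T09:58:01Z AUTH user=bob src=10.0.0.5 result=FAIL
2024-05-01T09:58:09Z AUTH user=bob src=10.0.0.5 result=FAIL
2024-05-01T09:58:15Z AUTH user=bob src=10.0.0.5 result=FAIL
2024-05-01T09:58:22Z AUTH user=bob src=10.0.0.5 result=FAIL
2024-05-01T09:58:40Z AUTH user=bob src=10.0.0.5 result=OK
2024-05-01T09:59:02Z ACCESS user=bob action=read resource=/data/finance/q1.csv result=DENY
2024-05-01T09:59:10Z ACCESS user=bob action=read resource=/data/public/faq.txt result=ALLOW
2024-05-01T10:10:00Z AUTH user=alice src=10.0.0.9 result=OK
2024-05-01T10:11:00Z ACCESS user=alice action=write resource=/data/finance/q1.csv result=ALLOW
"""


def parse(text):
    """Turn '<ts> <KIND> k=v k=v ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *fields = line.split()
        ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "kind": kind}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def failed_auth_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Users with at least `threshold` AUTH failures inside a sliding window."""
    fails = defaultdict(list)
    for ev in events:
        if ev["kind"] == "AUTH" and ev["result"] == "FAIL":
            fails[ev["user"]].append(ev["ts"])
    flagged = set()
    for user, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged


def success_after_failures(events, lookback=timedelta(minutes=5), min_fails=3):
    """Successful logins preceded by `min_fails` recent failures for the same
    user: the signature of a guessed or brute-forced password."""
    hits = []
    recent = defaultdict(list)
    for ev in events:
        if ev["kind"] != "AUTH":
            continue
        user = ev["user"]
        recent[user] = [t for t in recent[user] if ev["ts"] - t <= lookback]
        if ev["result"] == "FAIL":
            recent[user].append(ev["ts"])
        elif len(recent[user]) >= min_fails:
            hits.append((user, ev["ts"]))
    return hits


def denied_actions(events):
    """Attempts to exercise a privilege the user was never granted."""
    return [(e["user"], e["action"], e["resource"])
            for e in events if e["kind"] == "ACCESS" and e["result"] == "DENY"]


def credentials_exercised(events):
    """Accounts that actually authenticated; compare against the account list
    to find issued credentials that are never used."""
    return {e["user"] for e in events if e["kind"] == "AUTH" and e["result"] == "OK"}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("failure bursts:", failed_auth_bursts(evs))
    print("success after failures:", success_after_failures(evs))
    print("denied privilege use:", denied_actions(evs))
    print("credentials exercised:", credentials_exercised(evs))
```

On the sample log, bob trips every check: four failures in 21 seconds, a success right after them, and a denied read of a finance file a minute later. alice, who logged in cleanly and used a privilege she holds, produces no findings, which is what keeps a detective control from becoming noise. Thresholds and windows are tuning knobs, not constants; set them from the organization's own baseline.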
Corrective Controls
When a security incident occurs, elements within the security infrastructure may require corrective actions.
Corrective controls are actions that seek to alter the security posture of an environment to correct any
deficiencies and return the environment to a secure state. A security incident signals the failure of one or
more directive, deterrent, preventative, or compensating controls. The detective controls may have
triggered an alarm or notification, but now the corrective controls must work to stop the incident in its
tracks. Corrective controls can take many forms, all depending on the particular situation at hand or the
particular security failure that needs to be dealt with.
Recovery Controls
Any changes to the access control environment, whether in the face of a security incident or to offer
temporary compensating controls, need to be accurately reinstated and returned to normal operations.
There are several situations that may affect access controls, their applicability, status, or management.
Events can include system outages, attacks, project changes, technical demands, administrative gaps, and
full-blown disaster situations. For example, if an application is not correctly installed or deployed, it may
adversely affect controls placed on system files or even have default administrative accounts unknowingly
implemented upon install.
Additionally, an employee may be transferred, quit, or be on temporary leave that may affect policy
requirements regarding separation of duties. An attack on systems may have resulted in the implantation of
a Trojan horse program, potentially exposing private user information, such as credit card information and
financial data. In all of these cases, an undesirable situation must be rectified as quickly as possible and
controls returned to normal operations.
The following answers are incorrect:
Deterrent - Deterrent controls are intended to discourage a potential attacker.
Preventive - Preventive controls are intended to stop an incident from occurring.
Compensating - Compensating controls provide an alternative measure of control.
The following references were used to create this question:
CISA Review Manual 2014, page 44
and
Official ISC2 CISSP Guide, 3rd edition, pages 50 and 51
