30 CISA Practice 2 Questions Answer and Explanation

The most important consideration for an IS auditor when assessing the adequacy of an organization’s information security policy is its alignment with the business objectives. The information security policy is a high-level document that defines the organization’s vision, goals, principles, and responsibilities for protecting its information assets. The information security policy should support and enable the achievement of the business objectives, such as increasing customer satisfaction, enhancing competitive advantage, or complying with legal requirements. The information security policy should also be consistent with other relevant policies, standards, and frameworks that guide the organization’s governance, risk management, and compliance activities.

The primary advantage of object-oriented technology is enhanced efficiency due to the re-use of elements of logic. Object-oriented technology is a software design model that uses objects, which contain both data and code, to create modular and reusable programs. Objects can be inherited from other objects, which reduces duplication and improves maintainability. Grouping objects into methods for data access, managing sequential program execution for data access, and managing a restricted variety of data types for a data object are not advantages of object-oriented technology. References: ISACA CISA Review Manual 27th Edition, page 304

Risk-based auditing is an audit approach that focuses on the analysis and management of risk within an organization. Risk-based auditing helps identify and prioritize the areas or processes that pose the highest risk to the organization’s objectives and allocate audit resources accordingly. Risk-based auditing also helps provide assurance and advisory services related to the organization’s risk management processes and controls. By using risk-based auditing, internal auditors can optimize the use of their audit resources and add value to the organization. Agile auditing, continuous auditing, and outsourced auditing are not audit approaches that are most helpful in optimizing the use of IS audit resources. Agile auditing is a flexible and iterative audit methodology that adapts to changing circumstances and stakeholder needs. Continuous auditing is a method of performing audit activities on a real-time or near-real- time basis using automated tools and techniques. Outsourced auditing is a practice of contracting external auditors to perform some or all of the internal audit functions. These audit methods may have some advantages or disadvantages depending on the context and objectives of the audit, but they do not necessarily optimize the use of IS audit resources.

Input validation is the best control to address SQL injection vulnerabilities, because it can prevent malicious users from entering SQL commands or statements into input fields that are intended for data entry, such as usernames or passwords. SQL injection is a technique that exploits a security vulnerability in an application’s software by inserting SQL code into a query string that can execute commands on a database server. Unicode translation, SSL encryption, and digital signatures are not effective controls against SQL injection, because they do not prevent or detect SQL code injection into input fields. References: CISA Review Manual (Digital Version), Chapter 5, Section 5.4.2

When implementing Internet Protocol security (IPsec) architecture, the servers involved in application delivery communicate via Transport Layer Security (TLS), which is a protocol that provides encryption and authentication for data transmitted over a network. IPsec operates at the network layer and provides security for IP packets, while TLS operates at the transport layer and provides security for TCP connections. Blocking authorized users from unauthorized activities, channeling access only through the public- facing firewall, and channeling access through authentication are not functions of IPsec architecture. References: CISA Review Manual (Digital Version), Chapter 5, Section 5.4.2

The best recommendation to address the risk of privileged application accounts with passwords set to never expire in a 24/7 processing environment is to introduce database access monitoring into the environment. Database access monitoring is a security control that tracks and records all activities and transactions performed on a database, especially by privileged users or accounts. Database access monitoring can help address the risk of privileged application accounts with passwords set to never expire by detecting and alerting any unauthorized or abnormal access or actions on the database. The other options are not as effective as database access monitoring in addressing the risk, as they may cause disruption to the business or violate the access management policy. Modifying applications to no longer require direct access to the database is a complex and costly solution that may affect the functionality or performance of the applications, and it may not be feasible or practical in a 24/7 processing environment. Modifying the access management policy to make allowances for application accounts is a risky solution that may create exceptions or loopholes in the policy, and it may not comply with the best practices or standards for password management. Scheduling downtime to implement password changes is a disruptive solution that may affect the availability or continuity of the systems or applications, and it may not be acceptable or possible in a 24/7 processing environment. References: CISA Review Manual (Digital Version), Chapter 5, Section 5.2.4

One benefit of return on investment (ROI) analysis in IT decision making is that it provides the basis for allocating financial resources. ROI analysis is a method of evaluating the profitability or cost-effectiveness of an IT project or investment by comparing the expected benefits with the required costs. ROI analysis can help IT decision makers prioritize and justify their IT initiatives, allocate their financial resources optimally, and demonstrate the value contribution of IT to the organization’s goals and objectives. Basis for allocating indirect costs, cost of replacing equipment, and estimated cost of ownership are not benefits of ROI analysis in IT decision making. These are more inputs or outputs of ROI analysis that could be used to calculate or estimate the costs or benefits of an IT project or investment. References: [ISACA CISA Review Manual 27th Edition], page 307

The most important prerequisite for the protection of physical information assets in a data center is a complete and accurate list of information assets that have been deployed. Information assets are any data, devices, systems, or software that have value for the organization and need to be protected from unauthorized access, use, disclosure, modification, or destruction4. A data center is a facility that houses various information assets such as servers, storage devices, network equipment, etc., that support the organization’s IT operations and services5. A complete and accurate list of information assets that have been deployed in a data center can help to identify and classify the assets based on their importance, sensitivity, or criticality for the organization. This can help to determine the appropriate level of protection and security measures that need to be applied to each asset. A complete and accurate list of information assets can also help to track and monitor the location, status, ownership, usage, configuration, maintenance, etc., of each asset. This can help to prevent or detect any unauthorized or inappropriate changes or movements of assets that may compromise their security or integrity. Segregation of duties between staff ordering and staff receiving information assets, availability and testing of onsite backup generators, and knowledge of the IT staff regarding data protection requirements are also important prerequisites for the protection of physical information assets in a data center, but not as important as a complete and accurate list of information assets that have been deployed. These factors are more related to the implementation and maintenance of security controls and procedures that depend on having a complete and accurate list of information assets as a starting point. References: ISACA CISA Review Manual 27th Edition, page 308

The IS auditor’s most important course of action after finding that several similar incidents were logged during the audit period is to determine if a root cause analysis was conducted. A root cause analysis is a systematic process that identifies the underlying causes of system failures or incidents. A root cause analysis can help to prevent recurrence of similar incidents, improve system performance and reliability, and enhance incident management processes. The IS auditor should evaluate whether a root cause analysis was performed for each incident, whether it was timely and thorough, and whether it resulted in effective corrective actions.

The most effective control for protecting the confidentiality and integrity of data stored unencrypted on virtual machines is to monitor access to stored images and snapshots of virtual machines. Images and snapshots are copies of virtual machines that can be used for backup, restoration, or cloning purposes. If data stored on virtual machines are unencrypted, they may be exposed or compromised if unauthorized or malicious users access or copy the images or snapshots. Therefore, monitoring access to stored images and snapshots can help detect and prevent any unauthorized or suspicious activities, and provide audit trails for accountability and investigation. Restricting access to images and snapshots of virtual machines, limiting creation of virtual machine images and snapshots, and reviewing logical access controls on virtual machines regularly are not the most effective controls for protecting the confidentiality and integrity of data stored unencrypted on virtual machines. These controls may help reduce the risk or impact of data exposure or compromise, but they do not provide sufficient visibility or assurance of data protection. Restricting access to images and snapshots may not prevent authorized users from abusing their privileges or credentials. Limiting creation of virtual machine images and snapshots may not address the existing copies that may contain sensitive data. Reviewing logical access controls on virtual machines regularly may not reflect the actual access activities on images and snapshots.

The most effective way to maintain network integrity when using mobile devices is to implement network access control. Network access control is a security control that regulates and restricts access to network resources based on predefined policies and criteria, such as device type, identity, location, or security posture. Network access control can help maintain network integrity when using mobile devices by preventing unauthorized or compromised devices from accessing or affecting network systems or data. The other options are not as effective as network access control in maintaining network integrity when using mobile devices, as they do not address all aspects of network access or security. Implementing outbound firewall rules is a security control that filters and blocks network traffic based on source, destination, protocol, or port, but it does not regulate or restrict network access based on device characteristics or conditions. Performing network reviews is a monitoring activity that evaluates and reports on the performance, availability, or security of network resources, but it does not regulate or restrict network access based on device characteristics or conditions. Reviewing access control lists is a verification activity that validates and confirms the access rights and privileges of network users or devices, but it does not regulate or restrict network access based on device characteristics or conditions. References: CISA Review Manual (Digital Version), Chapter 5, Section 5.2.2

The IS auditor’s best course of action if they suspect an organization’s computer may have been used to commit a crime is to contact the incident response team to conduct an investigation. The incident response team is a group of experts who are responsible for responding to security incidents, such as data breaches, ransomware attacks, or cybercrimes. The incident response team can help to preserve and collect digital evidence, determine the scope and impact of the incident, contain and eradicate the threat, and restore normal operations. The IS auditor should not examine the computer themselves, as they may inadvertently alter or destroy potential evidence, or compromise the chain of custody. The IS auditor should also not notify local law enforcement before further investigation, as this may escalate the situation unnecessarily or interfere with the internal investigation process. The IS auditor should advise management of the crime after the investigation, or as soon as possible if there is an imminent risk or legal obligation to do so.

When reviewing an enterprise architecture (EA) department’s decision to change a legacy system’s components while maintaining its original functionality, an IS auditor should understand the current business capabilities delivered by the legacy system, as this would help to evaluate whether the change is justified, feasible, and aligned with the business goals and needs. The proposed network topology to be used by the redesigned system, the data flows between the components to be used by the redesigned system, and the database entity relationships within the legacy system are technical details that are less relevant for an IS auditor to understand when reviewing this decision. References: CISA Review Manual (Digital Version), Chapter 3, Section 3.2

The first thing that should be done when an intrusion into an organization network is detected is to identify nodes that have been compromised. Identifying nodes that have been compromised is a critical step in responding to an intrusion, as it helps determine the scope, impact, and source of the attack, and enables the implementation of appropriate containment and recovery measures. The other options are not the first things that should be done when an intrusion into an organization network is detected, as they may be premature or ineffective without identifying nodes that have been compromised. Blocking all compromised network nodes is a containment measure that can help isolate and prevent the spread of the attack, but it may not be possible or feasible without identifying nodes that have been compromised. Contacting law enforcement is a reporting measure that can help seek external assistance and comply with legal obligations, but it may not be necessary or appropriate without identifying nodes that have been compromised. Notifying senior management is a communication measure that can help inform and escalate the incident, but it may not be urgent or accurate without identifying nodes that have been compromised. References: CISA Review Manual (Digital Version), Chapter 4, Section 4.2.2

The strategy that would provide the greatest assurance of system quality at implementation is delivering only the core functionality on the initial target date. This strategy can help avoid compromising the quality of the system by focusing on the essential features that meet the user needs and expectations. Delivering only the core functionality can also help reduce the scope creep, complexity, and testing efforts of the system development project. Implementing overtime pay and bonuses for all development staff, utilizing new system development tools to improve productivity, and recruiting IS staff to expedite system development are not strategies that would provide the greatest assurance of system quality at implementation. These strategies may help speed up the system development process, but they may also introduce new risks or challenges such as burnout, learning curve, integration issues, or communication gaps. These risks or challenges may adversely affect the quality of the system.

The IS auditor’s first action after discovering an option in a database that allows the administrator to directly modify any table should be to determine whether the audit trail is secured and reviewed. This is because direct modification of database tables can pose a significant risk to data integrity, security, and accountability. An audit trail is a record of all changes made to database tables, including who made them, when they were made, and what was changed. An audit trail can help to detect unauthorized or erroneous changes, provide evidence for investigations or audits, and support data recovery or restoration. The IS auditor should assess whether the audit trail is protected from tampering or deletion, and whether it is regularly reviewed for anomalies or exceptions.

The first course of action when a data breach has occurred due to malware is to quarantine the impacted systems. This means isolating the infected systems from the rest of the network and preventing any further communication or data transfer with them. This can help contain the spread of the malware, limit the damage and exposure of sensitive data, and facilitate the investigation and remediation of the incident. Quarantining the impacted systems can also help preserve the evidence and logs that may be needed for forensic analysis or legal action. References: ✑ [1] provides a guide on how to respond to a data breach caused by malware and recommends quarantining the impacted systems as the first step. ✑ [2] explains what is malware and how it can cause data breaches, and suggests quarantining the infected devices as a best practice. ✑ [3] describes the steps involved in quarantining a system infected by malware and the benefits of doing so.

The most concerning issue when determining if information assets are adequately safeguarded during transport and disposal is lack of appropriate data classification. Data classification is a process that assigns categories or levels of sensitivity to different types of information assets based on their value, criticality, or risk to the organization. Data classification can help safeguard information assets during transport and disposal by providing criteria and guidelines for identifying, labeling, handling, and protecting information assets according to their sensitivity. Lack of appropriate data classification can compromise the security and confidentiality of information assets during transport and disposal by exposing them to unauthorized access, disclosure, theft, damage, or destruction. The other options are not as concerning as lack of appropriate data classification in safeguarding information assets during transport and disposal, as they do not affect the identification, labeling, handling, or protection of information assets according to their sensitivity. Lack of appropriate labeling is a possible factor that may increase the risk of misplacing, losing, or mishandling information assets during transport and disposal, but it does not affect the classification of information assets according to their sensitivity. Lack of recent awareness training is a possible factor that may affect the knowledge or behavior of staff involved in transporting or disposing of information assets, but it does not affect the classification of information assets according to their sensitivity. Lack of password protection is a possible factor that may affect the security or confidentiality of information assets stored on devices during transport and disposal, but it does not affect the classification of information assets according to their sensitivity. References: CISA Review Manual (Digital Version), Chapter 5, Section 5.3.2

The primary concern when negotiating a contract for a hot site is the availability of the site in the event of multiple disaster declarations. A hot site is a fully equipped alternative facility that can be used to resume business operations in the event of a disaster. However, if multiple clients of the hot site provider declare a disaster at the same time, there may be a shortage of resources or capacity to accommodate all of them. Therefore, the contract should specify the terms and conditions for ensuring the availability and priority of the hot site for the organization. The other options are not as important as availability, as they do not affect the ability to use the hot site in a disaster situation. Coordination with the site staff in the event of multiple disaster declarations is a logistical issue that can be resolved by communication and planning. Reciprocal agreements with other organizations are alternative arrangements that can be used to share resources or facilities in a disaster, but they may not be as reliable or suitable as a hot site. Complete testing of the recovery plan is a good practice that can help validate and improve the effectiveness of the recovery plan, but it is not a concern for negotiating a contract for a hot site. References: CISA Review Manual (Digital Version), Chapter 4, Section 4.2.3

Deferring remediation testing until the next audit is justified only when there are significant changes in the audit environment that affect the relevance or validity of the audit observations and recommendations. For example, if there are changes in the business processes, systems, regulations, or risks that require a new audit scope or approach. The other options are not valid justifications for deferring remediation testing, as they do not address the timeliness or quality of the audit follow-up process. The auditor who conducted the audit and agreed with the timeline has left the organization does not affect the responsibility of the audit function to ensure that remediation testing is performed as planned. Management’s planned actions are sufficient given the relative importance of the observations does not guarantee that management will actually implement those actions or that they will be effective in addressing the audit issues. Auditee management has accepted all observations reported by the auditor does not eliminate the need for verification of remediation actions by an independent party. References: CISA Review Manual (Digital Version), Chapter 2, Section 2.4

The IS auditor’s best course of action in this situation is to determine whether the alternative controls sufficiently mitigate the risk. Alternative controls are different from those originally discussed and agreed with the audit function, but they may still achieve the same objective of addressing the audit issue or reducing the risk to an acceptable level. The IS auditor should evaluate whether the alternative controls are appropriate, effective, and sustainable before closing the audit finding or escalating it to senior management. The other options are not appropriate for resolving this situation, as they do not consider whether the alternative controls are adequate or reasonable. Re- prioritizing the original issue as high risk and escalating to senior management is a drastic step that may undermine the relationship between the auditor and management, and it should be done only after exhausting other means of resolving the issue. Scheduling a follow-up audit in the next audit cycle is unnecessary, as follow-up activities should be performed as soon as possible after management has implemented corrective actions. Postponing follow-up activities and escalating the alternative controls to senior audit management is premature, as follow-up activities should be completed before reporting any findings or recommendations to senior audit management. References: CISA Review Manual (Digital Version), Chapter 2, Section 2.4

The role within the RACI chart that would provide information on who has oversight of staff performing a specific task is accountable. A RACI chart is a matrix that defines and assigns the roles and responsibilities of different stakeholders for a project, process, or activity. RACI stands for responsible, accountable, consulted, and informed. Accountable is the role that has the authority and oversight to approve or reject the work done by the responsible role. The other options are not the roles that provide information on who has oversight of staff performing a specific task, as they have different meanings and functions. Consulted is the role that provides input or advice to the responsible or accountable roles. Informed is the role that receives updates or reports from the responsible or accountable roles. Responsible is the role that performs or executes the work or task. References: CISA Review Manual (Digital Version), Chapter 3, Section 3.3

Reconciliation of total amounts by project is the best control to ensure that data is accurately entered into the job-costing system from spreadsheets. Reconciliation is a process of comparing two sets of data to identify any differences or discrepancies between them. By reconciling the total amounts by project from spreadsheets with those from the job-costing system, any errors or omissions in data entry can be detected and corrected. Validity checks are controls that verify that data conforms to predefined formats or ranges. They can prevent entry of character data into numeric fields, but they cannot ensure that the numeric data is correct or complete. Reasonableness checks are controls that verify that data is within expected or acceptable limits. They can detect outliers or anomalies in data, but they cannot ensure that the data matches the source. Display back of project detail after entry is a control that allows the user to review and confirm the data entered into the system. It can help reduce human errors, but it cannot guarantee that the data is accurate or consistent with the source. References: Information Systems Operations and Business Resilience, CISA Review Manual (Digital Version)

The first thing that an IS auditor should review when finding that transaction processing times in an order processing system have significantly increased after a major release is stress testing results. Stress testing is a type of testing that evaluates how a system performs under extreme or abnormal conditions, such as high volume, load, or concurrency of transactions. Stress testing results can help explain why transaction processing times in an order processing system have significantly increased after a major release by revealing any bottlenecks, limitations, or errors in the system’s capacity, performance, or functionality under stress. The other options are not as relevant as stress testing results in explaining why transaction processing times in an order processing system have significantly increased after a major release, as they do not directly measure how the system performs under extreme or abnormal conditions. Capacity management plan is a document that defines and implements the processes and activities for ensuring that the system has adequate resources and capabilities to meet current and future demands. Training plans are documents that define and implement the processes and activities for ensuring that the system users have adequate skills and knowledge to use the system effectively and efficiently. Database conversion results are outcomes or outputs of transforming data from one format or structure to another to suit the system’s requirements or specifications. References: CISA Review Manual (Digital Version), Chapter 3, Section 3.3

Write access to production program libraries presents the greatest risk when granted to a new member of the system development staff. Production program libraries contain executable code that runs on live systems and supports critical business functions. Write access allows a user to modify or delete existing programs, or add new programs to the library. If a user were to make unauthorized or erroneous changes to production programs, it could cause serious disruptions, errors, or security breaches in the organization’s operations. Therefore, write access to production program libraries should be restricted to authorized personnel only, and subject to strict change management controls.

The best indicator of whether a PIR performed by the PMO was effective is whether project outcomes have been realized. Project outcomes are the benefits or value that a project delivers to its stakeholders, such as improved efficiency, quality, customer satisfaction, or revenue. A PIR should evaluate whether project outcomes have been achieved in accordance with project objectives, scope, budget, and schedule. The other options are not as good as project outcomes in determining the effectiveness of a PIR. Lessons learned are valuable inputs for improving future projects, but they do not measure whether project outcomes have been realized. Management approval of the PIR report is a sign of acceptance and support for the PIR findings and recommendations, but it does not reflect whether project outcomes have been achieved. The review performed by an external provider is a way of ensuring objectivity and independence for the PIR, but it does not guarantee whether project outcomes have been realized. References: CISA Review Manual (Digital Version), Chapter 3, Section 3.3

Data loss can occur due to various reasons, such as accidental deletion, hardware failure, malware infection, theft, or unauthorized access. Data classification procedures can help to identify and protect sensitive data, but they are not sufficient to prevent data loss. The most effective way to protect against data loss is to conduct periodic security awareness training for employees, which can educate them on the importance of data security, the best practices for data handling and storage, and the common threats and risks to data.

The first step in addressing a vulnerability is to evaluate the associated risk, which involves assessing the likelihood and impact of a potential exploit. Based on the risk assessment, the appropriate mitigation strategy can be determined, such as implementing a new system, adding firewalls, or decommissioning the server. References: ISACA CISA Review Manual 27th Edition, page 280