Isaca CISA Practice Test - Questions Answers, Page 103


Which of the following is the PRIMARY reason for an IS auditor to perform a risk assessment?

A. It helps to identify areas with a relatively high probability of material problems.
B. It provides a basis for the formulation of corrective action plans.
C. It increases awareness of the types of management actions that may be inappropriate.
D. It helps to identify areas that are most sensitive to fraudulent or inaccurate practices.
Suggested answer: A

Explanation:

The primary reason for an IS auditor to perform a risk assessment is to help identify areas with a relatively high probability of material problems. A risk assessment is a systematic process of evaluating the potential risks that may be involved in an activity or undertaking. It involves identifying the sources of risk, analyzing the likelihood and impact of the risk, and prioritizing the risks based on their significance. A risk assessment helps the IS auditor to focus on the areas that are most vulnerable to errors, fraud, or inefficiencies, and to design appropriate audit procedures to address those risks. A risk assessment also helps the IS auditor to allocate audit resources efficiently and effectively.

A risk assessment does not provide a basis for the formulation of corrective action plans, as this is a responsibility of management, not the IS auditor. A risk assessment does not increase awareness of the types of management actions that may be inappropriate, as this is a matter of professional ethics and judgment. A risk assessment does not help to identify areas that are most sensitive to fraudulent or inaccurate practices, as this is a result of the risk assessment, not its purpose.

An IS auditor is reviewing a contract for the outsourcing of IT facilities. If missing, which of the following should present the GREATEST concern to the auditor?

A. Hardware configurations
B. Access control requirements
C. Help desk availability
D. Perimeter network security diagram
Suggested answer: B

Explanation:

The missing access control requirements should present the greatest concern to the IS auditor when reviewing a contract for the outsourcing of IT facilities. Access control requirements are essential for ensuring the confidentiality, integrity, and availability of the outsourced IT resources and data. They specify the roles, responsibilities, and permissions of the outsourcing vendor and its staff, as well as the client and its users, in accessing and managing the IT facilities. They also define the security policies, standards, and procedures that the outsourcing vendor must follow to protect the IT facilities from unauthorized or malicious access, use, modification, or disclosure. Without clear and comprehensive access control requirements, the outsourcing contract may expose the client to significant risks of data breaches, compliance violations, service disruptions, or reputational damage.

Hardware configurations, help desk availability, and perimeter network security diagram are important aspects of an outsourcing contract, but they are not as critical as access control requirements. Hardware configurations describe the technical specifications and performance of the IT equipment that the outsourcing vendor will provide and maintain. Help desk availability defines the service levels and support channels that the outsourcing vendor will offer to the client and its users. Perimeter network security diagram illustrates the network architecture and security measures that the outsourcing vendor will implement to protect the IT facilities from external threats. These aspects can be verified or modified during the implementation or operation phases of the outsourcing contract, but access control requirements need to be established and agreed upon before signing the contract.

Which of the following is the MOST effective control over visitor access to highly secured areas?

A. Visitors are required to be escorted by authorized personnel.
B. Visitors are required to use biometric authentication.
C. Visitors are monitored online by security cameras.
D. Visitors are required to enter through dead-man doors.
Suggested answer: A

Explanation:

The most effective control over visitor access to highly secured areas is to require visitors to be escorted by authorized personnel. This control ensures that visitors are supervised at all times and do not enter any restricted or sensitive areas without permission. It also allows authorized personnel to verify the identity, purpose, and clearance of the visitors, and to monitor their behavior and activities. Escorting visitors also reduces the risk of tailgating, piggybacking, or unauthorized duplication of access credentials.

Requiring visitors to use biometric authentication, monitoring visitors online by security cameras, and requiring visitors to enter through dead-man doors are all examples of technical controls that can enhance visitor access control, but they are not as effective as escorting visitors. Biometric authentication can provide a high level of identity verification, but it does not prevent visitors from accessing unauthorized areas or compromising security in other ways. Security cameras can provide a record of visitor movements and actions, but they may not deter or detect security breaches in real time. Dead-man doors can prevent unauthorized entry by requiring two-factor authentication, but they do not ensure that visitors are accompanied by authorized personnel.

Which of the following metrics is the BEST indicator of the performance of a web application?

A. HTTP server error rate
B. Server thread count
C. Average response time
D. Server uptime
Suggested answer: C

Explanation:

The best indicator of the performance of a web application is the average response time. This metric measures how long it takes for the web server to process and deliver a request from the client. It reflects the user's perception of how fast or slow the web application is, and it affects the user's satisfaction, engagement, and conversion. A low average response time means that the web application is responsive and efficient, while a high average response time means that the web application is sluggish and unreliable.

HTTP server error rate, server thread count, and server uptime are not as good indicators of the performance of a web application as the average response time. HTTP server error rate measures how often the web server fails to handle a request and returns an error code, such as 404 (Not Found) or 500 (Internal Server Error). This metric indicates the reliability and availability of the web application, but it does not capture how fast or slow the web application is. Server thread count measures how many concurrent requests the web server can handle at a given time. This metric indicates the scalability and capacity of the web application, but it does not capture how long each request takes to process. Server uptime measures how long the web server has been running without interruption. This metric indicates the stability and resilience of the web application, but it does not capture how well the web application performs during that time.

Which of the following controls is MOST important for ensuring the integrity of system interfaces?

A. Periodic audits
B. File counts
C. File checksums
D. IT operator monitoring
Suggested answer: C

Explanation:

File checksums are values calculated from the contents of a file that can detect any change to or corruption of the file. They are used to verify that files transferred or processed through system interfaces have not been altered in any way. Periodic audits, file counts, and IT operator monitoring are other controls that can help ensure the integrity of system interfaces, but they are not as reliable or timely as file checksums.

Which of the following provides the BEST method for maintaining the security of corporate applications pushed to employee-owned mobile devices?

A. Enabling remote data destruction capabilities
B. Implementing mobile device management (MDM)
C. Disabling unnecessary network connectivity options
D. Requiring security awareness training for mobile users
Suggested answer: B

Explanation:

The best method for maintaining the security of corporate applications pushed to employee-owned mobile devices is implementing mobile device management (MDM). MDM is a software solution that allows an organization to remotely manage, configure, and secure the mobile devices that access its network and data. MDM can help protect corporate applications on employee-owned devices by:

Enforcing security policies and settings, such as encryption, password, firewall, antivirus, and VPN.

Controlling the installation, update, and removal of corporate applications and data.

Separating corporate and personal data and applications on the device using containers or profiles.

Monitoring and auditing the device's compliance status, activity, and location.

Performing remote actions, such as lock, wipe, backup, or restore, in case of loss, theft, or compromise.

MDM can provide a comprehensive and centralized approach to maintain the security of corporate applications on employee-owned devices, regardless of the device type, platform, or ownership. MDM can also help the organization comply with regulatory and industry standards for data protection and privacy.

Enabling remote data destruction capabilities is a useful feature for maintaining the security of corporate applications on employee-owned devices, but it is not the best method by itself. Remote data destruction allows the organization to erase the corporate data and applications from the device in case of loss, theft, or compromise. However, this feature does not prevent unauthorized access or misuse of the corporate data and applications before they are destroyed. Remote data destruction is usually part of an MDM solution.

Disabling unnecessary network connectivity options is a good practice for maintaining the security of corporate applications on employee-owned devices, but it is not the best method by itself. Network connectivity options, such as Wi-Fi, Bluetooth, NFC, or USB, can expose the device to potential attacks or data leakage. Disabling these options when they are not needed can reduce the attack surface and improve battery life. However, this practice does not address other security risks or requirements for the corporate applications on the device. Disabling network connectivity options can also be part of an MDM solution.

Requiring security awareness training for mobile users is an important measure for maintaining the security of corporate applications on employee-owned devices, but it is not the best method by itself. Security awareness training can educate the users about the potential threats and best practices for using their devices securely. It can also help foster a culture of security and responsibility among the users. However, security awareness training cannot guarantee that the users will follow the security policies and guidelines consistently and correctly. Security awareness training should be complemented by technical controls, such as MDM.

Which of the following is the MOST significant risk when an application uses individual end-user accounts to access the underlying database?

A. Multiple connections to the database are used and slow the process.
B. User accounts may remain active after a termination.
C. Users may be able to circumvent application controls.
D. Application may not capture a complete audit trail.
Suggested answer: C

Explanation:

The most significant risk when an application uses individual end-user accounts to access the underlying database is that users may be able to circumvent application controls. Application controls are the policies, procedures, and mechanisms that ensure the accuracy, completeness, validity, and authorization of transactions and data within an application. Application controls can include input validation, output verification, processing logic, reconciliation, exception handling, and audit trails. Application controls can help prevent or detect errors, fraud, or unauthorized access or modification of data.

However, if an application uses individual end-user accounts to access the underlying database, it means that the users have direct access to the database without going through the application layer. This can expose the database to potential risks such as:

Users may be able to bypass the application controls and manipulate the data in the database directly using SQL commands or other tools. For example, users may be able to change their own or others' salaries, grades, or balances without proper authorization or validation.

Users may be able to access or disclose sensitive or confidential data that they are not supposed to see or share. For example, users may be able to view other users' personal information, passwords, or credit card numbers.

Users may be able to introduce errors or inconsistencies in the data by entering invalid or incorrect data or by deleting or modifying existing data. For example, users may be able to create duplicate records, break referential integrity, or cause data loss or corruption.

Users may be able to compromise the security and performance of the database by creating unauthorized objects, granting excessive privileges, executing malicious code, or consuming excessive resources. For example, users may be able to create backdoors, viruses, or denial-of-service attacks.

Therefore, using individual end-user accounts to access the underlying database can pose a serious threat to the integrity, confidentiality, availability, and reliability of the data and the application.

The other options are not as significant as option C. Multiple connections to the database slowing the process (A) is a performance issue that can affect the efficiency and responsiveness of the application and the database, but it does not necessarily compromise data quality or security. User accounts remaining active after a termination (B) is a security issue that increases the risk of unauthorized access or misuse of data by former employees or others who hold their credentials, but it can be mitigated by proper account management and monitoring processes. The application not capturing a complete audit trail (D) is a compliance issue that affects the accountability and traceability of transactions and data within the application and the database, but it does not directly affect data accuracy or protection.

Which type of review is MOST important to conduct when an IS auditor is informed that a recent internal exploitation of a bug has been discovered in a business application?

A. Penetration testing
B. Application security testing
C. Forensic audit
D. Server security audit
Suggested answer: C

Explanation:

The type of review that is most important to conduct when an IS auditor is informed that a recent internal exploitation of a bug has been discovered in a business application is C, forensic audit. A forensic audit is a type of audit that involves collecting, analyzing, and preserving evidence of fraud, corruption, or other illegal or unethical activities. A forensic audit can help the IS auditor identify and document the source, scope, and impact of the exploitation, as well as the perpetrators, motives, and methods involved. A forensic audit can also help the IS auditor provide recommendations for preventing or mitigating future exploitations, and support any legal actions or investigations that may arise from the incident.

In which of the following sampling methods is the entire sample considered to be irregular if a single error is found?

A. Discovery sampling
B. Variable sampling
C. Stop-or-go sampling
D. Judgmental sampling
Suggested answer: A

Explanation:

The sampling method in which the entire sample is considered to be irregular if a single error is found is discovery sampling. Discovery sampling is a type of statistical sampling that is used to test for the existence of at least one occurrence of a specific characteristic or condition in a population. Discovery sampling is often used when the auditor expects the characteristic or condition to be very rare or nonexistent, and when any occurrence would have a significant impact on the audit objective. For example, discovery sampling can be used to test for fraud, noncompliance, or material misstatement.

Discovery sampling works by setting a very low tolerable error rate (the maximum rate of occurrence of the characteristic or condition that the auditor is willing to accept) and a high confidence level (the degree of assurance that the auditor wants to obtain). The auditor then selects a sample from the population using a random or systematic method, and examines each item in the sample for the presence or absence of the characteristic or condition. If no error is found in the sample, the auditor can conclude with a high level of confidence that the characteristic or condition does not exist or is very rare in the population. However, if one or more errors are found in the sample, the auditor cannot draw any conclusion about the population and must either expand the sample size or perform alternative procedures.

Discovery sampling differs from other sampling methods in that it does not allow for any errors in the sample. Other sampling methods, such as variable sampling, stop-or-go sampling, or judgmental sampling, can tolerate some errors in the sample and use them to estimate the error rate or amount in the population. However, discovery sampling is designed to test for zero-tolerance situations, where any error would be unacceptable or material. Therefore, discovery sampling considers the entire sample to be irregular if a single error is found.

Which of the following would minimize the risk of losing transactions as a result of a disaster?

A. Sending a copy of the transaction logs to offsite storage on a daily basis
B. Storing a copy of the transaction logs onsite in a fireproof vault
C. Encrypting a copy of the transaction logs and storing it on a local server
D. Signing a copy of the transaction logs and storing it on a local server
Suggested answer: A

Explanation:

Sending a copy of the transaction logs to offsite storage on a daily basis (A) would minimize the risk of losing transactions as a result of a disaster. Offsite storage provides a backup of the data that can be recovered after a catastrophic event that destroys or damages the onsite data. Storing a copy of the transaction logs onsite in a fireproof vault (B) would not protect the data from other types of disasters, such as floods, earthquakes, or theft. Encrypting (C) or signing (D) a copy of the transaction logs and storing it on a local server would not prevent the loss of data if the server is affected by the disaster. Encryption and digital signatures are security measures that protect the confidentiality and integrity of the data, but not its availability.
