Isaca CISA Practice Test - Questions Answers, Page 37

Which of the following should be the IS auditor's PRIMARY focus when evaluating an organization's offsite storage facility?

A. Shared facilities
B. Adequacy of physical and environmental controls
C. Results of business continuity plan (BCP) test
D. Retention policy and period

Suggested answer: B

Explanation:

The IS auditor's primary focus when evaluating an organization's offsite storage facility should be the adequacy of physical and environmental controls. Physical and environmental controls are essential to protect the offsite storage facility from unauthorized access, theft, fire, water damage, pests or other hazards that could compromise the integrity and availability of backup media. Shared facilities are something the IS auditor should consider when evaluating the offsite storage facility, but they are not the primary focus. Results of business continuity plan (BCP) tests and the retention policy and period are things the IS auditor should review when evaluating the organization's BCP or backup strategy, not the offsite storage facility itself.

Reference: ISACA, CISA Review Manual, 27th Edition, 2018, page 388

Which of the following should be of GREATEST concern for an IS auditor reviewing an organization's disaster recovery plan (DRP)?

A. The DRP has not been formally approved by senior management.
B. The DRP has not been distributed to end users.
C. The DRP has not been updated since an IT infrastructure upgrade.
D. The DRP contains recovery procedures for critical servers only.

Suggested answer: C

Explanation:

The greatest concern for an IS auditor reviewing an organization's disaster recovery plan (DRP) is that the DRP has not been updated since an IT infrastructure upgrade. This could render the DRP obsolete or ineffective, as it may not reflect the current configuration, dependencies or recovery requirements of the IT systems. The IS auditor should ensure that the DRP is reviewed and updated regularly to align with any changes in the IT environment. A DRP that has not been formally approved by senior management is also a concern for an IS auditor, but it is not as critical as ensuring that the DRP is up to date and valid. A DRP that has not been distributed to end users, or that contains recovery procedures for critical servers only, raises issues about the communication or scope of the DRP, but not about its validity or effectiveness.

Reference: ISACA, CISA Review Manual, 27th Edition, 2018, page 389

Which of the following is MOST critical for the effective implementation of IT governance?

A. Strong risk management practices
B. Internal auditor commitment
C. Supportive corporate culture
D. Documented policies

Suggested answer: C

Explanation:

The most critical factor for the effective implementation of IT governance is a supportive corporate culture. A supportive corporate culture is one that fosters collaboration, communication and commitment among all stakeholders involved in IT governance processes. It also promotes a shared vision, values and goals for IT governance across the organization. Strong risk management practices, internal auditor commitment and documented policies are important elements of IT governance implementation, but they are not sufficient without a supportive corporate culture.

Reference: ISACA, CISA Review Manual, 27th Edition, 2018, page 41

Which of the following is the GREATEST risk of using a reciprocal site for disaster recovery?

A. Inability to utilize the site when required
B. Inability to test the recovery plans onsite
C. Equipment compatibility issues at the site
D. Mismatched organizational security policies

Suggested answer: A

Explanation:

The greatest risk of using a reciprocal site for disaster recovery is the inability to utilize the site when required. A reciprocal site is an agreement between two organizations to provide backup facilities for each other in case of a disaster. However, this arrangement may not be reliable or enforceable, especially if both organizations are affected by the same disaster or have conflicting priorities. Therefore, the IS auditor should recommend that management consider alternative options for disaster recovery, such as dedicated sites or cloud services.

Reference:

CISA Review Manual, 27th Edition, page 338

CISA Review Questions, Answers & Explanations Database - 12 Month Subscription

Management receives information indicating a high level of risk associated with potential flooding near the organization's data center within the next few years. As a result, a decision has been made to move data center operations to another facility on higher ground. Which approach has been adopted?

A. Risk avoidance
B. Risk transfer
C. Risk acceptance
D. Risk reduction

Suggested answer: A

Explanation:

The approach adopted by management in this scenario is risk avoidance. Risk avoidance is the elimination of a risk by discontinuing or not undertaking an activity that poses a threat to the organization. By moving data center operations to another facility on higher ground, management is avoiding the potential flooding risk that could disrupt or damage the data center. Risk transfer, risk acceptance and risk reduction are other possible approaches for dealing with risks, but they do not apply in this case.

Reference:

CISA Review Manual, 27th Edition, page 64

CISA Review Questions, Answers & Explanations Database - 12 Month Subscription

Which of the following is the BEST control to mitigate attacks that redirect Internet traffic to an unauthorized website?

A. Utilize a network-based firewall.
B. Conduct regular user security awareness training.
C. Perform domain name system (DNS) server security hardening.
D. Enforce a strong password policy meeting complexity requirements.

Suggested answer: C

Explanation:

The best control to mitigate attacks that redirect Internet traffic to an unauthorized website is to perform domain name system (DNS) server security hardening. DNS servers are responsible for resolving domain names into IP addresses, and they are often targeted by attackers who want to manipulate or spoof DNS records to redirect users to malicious websites. By applying security best practices to DNS servers, such as encrypting DNS traffic, implementing DNSSEC, restricting access and applying patches promptly, the organization can reduce the risk of DNS hijacking attacks. A network-based firewall, user security awareness training and a strong password policy are also important controls, but they are not as effective as DNS server security hardening in preventing this specific type of attack.

Reference:

CISA Review Manual, 27th Edition, page 402

CISA Review Questions, Answers & Explanations Database - 12 Month Subscription

An IS auditor has discovered that a software system still in regular use is years out of date and no longer supported; the auditee has stated that it will take six months until the software is running on the current version. Which of the following is the BEST way to reduce the immediate risk associated with using an unsupported version of the software?

A. Verify all patches have been applied to the software system's outdated version.
B. Close all unused ports on the outdated software system.
C. Segregate the outdated software system from the main network.
D. Monitor network traffic attempting to reach the outdated software system.

Suggested answer: C

Explanation:

The best way to reduce the immediate risk associated with using an unsupported version of the software is to segregate the outdated software system from the main network. An unsupported software system may have unpatched vulnerabilities that could be exploited by attackers to compromise the system or access sensitive data. By isolating the system from the rest of the network, the organization can limit the exposure and impact of a potential breach. Verifying that all patches have been applied to the outdated software system, closing all unused ports on it and monitoring network traffic attempting to reach it are also good practices, but they do not address the root cause of the risk, which is the lack of vendor support and updates.

Reference:

CISA Review Manual, 27th Edition, page 295

CISA Review Questions, Answers & Explanations Database - 12 Month Subscription

Which of the following is MOST appropriate to prevent unauthorized retrieval of confidential information stored in a business application system?

A. Apply single sign-on for access control.
B. Implement segregation of duties.
C. Enforce an internal data access policy.
D. Enforce the use of digital signatures.

Suggested answer: C

Explanation:

The most appropriate control to prevent unauthorized retrieval of confidential information stored in a business application system is to enforce an internal data access policy. A data access policy defines who can access what data, under what conditions and for what purposes. It also specifies the roles and responsibilities of data owners, custodians and users, as well as the security measures and controls that protect data confidentiality, integrity and availability. By enforcing a data access policy, the organization can ensure that only authorized personnel can retrieve confidential information from the business application system. Applying single sign-on for access control, implementing segregation of duties and enforcing the use of digital signatures are also useful controls, but they are not sufficient to prevent unauthorized data retrieval without a clear and comprehensive data access policy.

Reference:

CISA Review Manual, 27th Edition, page 230

CISA Review Questions, Answers & Explanations Database - 12 Month Subscription

Which of the following would be MOST effective to protect information assets in a data center from theft by a vendor?

A. Monitor and restrict vendor activities.
B. Issue an access card to the vendor.
C. Conceal data devices and information labels.
D. Restrict use of portable and wireless devices.

Suggested answer: A

Explanation:

The most effective control to protect information assets in a data center from theft by a vendor is to monitor and restrict vendor activities. A vendor may have legitimate access to the data center for maintenance or support purposes, but the vendor may also have malicious intentions or be compromised by an attacker. By monitoring and restricting vendor activities, the organization can ensure that the vendor only performs authorized tasks and does not access or tamper with sensitive data or equipment. Issuing an access card to the vendor, concealing data devices and information labels, and restricting use of portable and wireless devices are also useful controls, but they are not as effective as monitoring and restricting vendor activities in preventing theft by a vendor.

Reference:

CISA Review Manual, 27th Edition, page 338

CISA Review Questions, Answers & Explanations Database - 12 Month Subscription

An IS auditor discovers that an IT organization serving several business units assigns equal priority to all initiatives, creating a risk of delays in securing project funding. Which of the following would be MOST helpful in matching demand for projects and services with available resources in a way that supports business objectives?

A. Project management
B. Risk assessment results
C. IT governance framework
D. Portfolio management

Suggested answer: D

Explanation:

The most helpful tool in matching demand for projects and services with available resources in a way that supports business objectives is portfolio management. Portfolio management is the process of selecting, prioritizing, balancing and aligning IT projects and services with the strategic goals and value proposition of the organization. Portfolio management helps the IT organization to allocate resources efficiently and effectively, to deliver value to the business units, and to align IT initiatives with business strategies. Project management, risk assessment results and an IT governance framework are also important tools, but they are not as helpful as portfolio management in matching demand and supply of IT projects and services.

Reference:

CISA Review Manual, 27th Edition, page 72

CISA Review Questions, Answers & Explanations Database - 12 Month Subscription
