Isaca CISA Practice Test - Questions Answers, Page 99


An IS auditor finds that periodic reviews of read-only users for a reporting system are not being performed. Which of the following should be the IS auditor's NEXT course of action?

A. Review the list of end users and evaluate for authorization.
B. Report this control process weakness to senior management.
C. Verify management's approval for this exemption.
D. Obtain a verbal confirmation from IT for this exemption.
Suggested answer: B

Explanation:

The IS auditor's next course of action should be to report this control process weakness to senior management, as it may indicate a lack of oversight and accountability for the reporting system. Read-only users may have access to sensitive or confidential information that should be restricted or monitored. Periodic reviews of read-only users are a good practice to ensure that the access rights are still valid and appropriate for the users' roles and responsibilities. Reporting this weakness to senior management will also allow them to take corrective actions or implement compensating controls if needed.

Option A is incorrect because reviewing the list of end users and evaluating their authorization is the control that the system owner or administrator has failed to perform; the auditor may later sample that list as a substantive test to gauge the impact of the missing reviews, but doing the owner's review does not remedy the control weakness. The IS auditor's role is to verify that such reviews are performed and documented by the responsible parties.

Option C is incorrect because verifying management's approval for this exemption is not sufficient to address the control process weakness. Even if there is a valid reason for not performing periodic reviews of read-only users, the IS auditor should still report this as a potential risk and recommend mitigating controls.

Option D is incorrect because obtaining a verbal confirmation from IT for this exemption is not adequate evidence or documentation. The IS auditor should obtain written approval from management and verify that it is aligned with the organization's policies and standards.

CISA Review Manual (Digital Version), Chapter 1: The Process of Auditing Information Systems, Section 1.4: Audit Evidence, p. 31-32.

CISA Review Manual (Print Version), Chapter 1: The Process of Auditing Information Systems, Section 1.4: Audit Evidence, p. 31-32.

CISA Online Review Course, Module 1: The Process of Auditing Information Systems, Lesson 4: Audit Evidence, slide 9-10.

CISA Questions, Answers & Explanations Database, Question ID: QAE_CISA_710.

An organization has assigned two new IS auditors to audit a new system implementation. One of the auditors has an IT-related degree, and one has a business degree. Which of the following is MOST important to meet the IS audit standard for proficiency?

A. Team member assignments must be based on individual competencies.
B. Technical co-sourcing must be used to help the new staff.
C. The standard is met as long as one member has a globally recognized audit certification.
D. The standard is met as long as a supervisor reviews the new auditors' work.
Suggested answer: A

Explanation:

ISACA's IS audit and assurance standard on proficiency (standard 1006) requires that IS auditors, collectively as the audit team, have the knowledge, skills and experience needed to perform the audit work. For a system implementation audit this means covering both the technical and the business aspects of the subject matter. Team member assignments must therefore be based on individual competencies, so that each auditor performs the tasks that match their qualifications and expertise; this is what satisfies the standard, ensures the audit objectives are met and keeps audit quality up.

Option B is incorrect because technical co-sourcing is not a requirement to meet the IS audit standard for proficiency. Co-sourcing is an option that may be used when the internal audit function lacks the necessary resources or skills to perform the audit work. However, co-sourcing does not guarantee that the new staff will acquire the proficiency needed for the audit. Moreover, co-sourcing may introduce additional risks and challenges, such as confidentiality, independence, communication and coordination issues.

Option C is incorrect because having a globally recognized audit certification does not necessarily mean that the standard for proficiency is met. A certification is an indication of the auditor's knowledge and competence in a specific domain, but it does not cover all aspects of IS auditing. The auditor must also have relevant experience and continuous learning to maintain and enhance their proficiency. Furthermore, having one certified member does not ensure that the other members are also proficient.

Option D is incorrect because having a supervisor review the new auditors' work is not sufficient to meet the IS audit standard for proficiency. A supervisor review is a quality assurance measure that helps to ensure that the audit work is performed in accordance with the standards and policies. However, a supervisor review does not substitute for the proficiency of the auditors who perform the work. The auditors must still have the necessary knowledge, skills and experience to conduct the audit tasks effectively and efficiently.

CISA Online Review Course, Module 1: The Process of Auditing Information Systems, Lesson 2: Mandatory Guidance, slide 8-9.

CISA Review Manual (Digital Version), Chapter 1: The Process of Auditing Information Systems, Section 1.3: Mandatory Guidance, p. 24-25.

CISA Review Manual (Print Version), Chapter 1: The Process of Auditing Information Systems, Section 1.3: Mandatory Guidance, p. 24-25.

CISA Questions, Answers & Explanations Database, Question ID: QAE_CISA_711.

Which of the following BEST describes a digital signature?

A. It is under control of the receiver.
B. It is capable of authorization.
C. It dynamically validates modifications of data.
D. It is unique to the sender using it.
Suggested answer: D

Explanation:

A digital signature is a cryptographic mechanism that provides authentication, integrity and non-repudiation for digital documents. The sender computes a hash of the document and signs that digest with the sender's private key. For RSA this signing operation is the private-key transformation that textbooks describe as "encrypting the hash with the private key"; schemes such as ECDSA and Ed25519 are not encryption at all, so "sign" is the accurate term. The signed digest is the signature. It travels with the document, while the sender's public key is distributed separately, normally inside a certificate that binds it to the sender's identity. The receiver verifies by recomputing the hash of the received document and checking it against the signature with the sender's public key. If the check succeeds, the document has not been altered since signing and it was signed by the holder of the corresponding private key.

Option D is correct because a digital signature is unique to the sender using it: it depends on the sender's private key, which only the sender holds. Nobody else can produce a valid signature under that key, and any change to the document or to the signature itself is detected at verification. This holds only as long as the private key stays secret and the public key is reliably bound to the sender, which is why key protection and certificate validation matter as much as the algorithm.

Option A is incorrect because a digital signature is not under control of the receiver, but rather under control of the sender. The receiver can only verify the digital signature, but cannot create or modify it.

Option B is incorrect because a digital signature is not capable of authorization, but rather capable of authentication. Authorization is the process of granting or denying access to resources based on predefined rules or policies. Authentication is the process of verifying the identity or legitimacy of a person or entity. A digital signature can authenticate the sender of a document, but it cannot authorize what actions the receiver can perform on the document.

Option C is incorrect because a digital signature does not dynamically validate modifications of data, but rather statically validates the integrity of data. A digital signature is based on a snapshot of the document at the time of signing, and any subsequent changes to the document will invalidate the digital signature. A digital signature does not monitor or update itself based on data modifications.

CISA Online Review Course, Module 5: Protection of Information Assets, Lesson 2: Encryption Basics, slide 13-14.

CISA Review Manual (Digital Version), Chapter 5: Protection of Information Assets, Section 5.2: Encryption Basics, p. 273-274.

CISA Review Manual (Print Version), Chapter 5: Protection of Information Assets, Section 5.2: Encryption Basics, p. 273-274.

CISA Questions, Answers & Explanations Database, Question ID: QAE_CISA_712.

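The sign-and-verify sequence from the explanation above, as an added Go example that is not part of the original page or of ISACA's materials. It uses Go's standard-library Ed25519 rather than the RSA-style "encrypt the hash" description, and a constructed sample document; Alice and Mallory are hypothetical parties. It shows the three checks the answer relies on: a genuine signature verifies, a modified document fails against the same signature, and a signature made under another sender's key fails under Alice's public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"log"
)

// Signer is one party's key pair. The private key never leaves the signer;
// the public key is what every receiver uses to verify.
type Signer struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewSigner generates a fresh Ed25519 key pair.
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Pub: pub, priv: priv}, nil
}

// Sign hashes the document and signs the digest with the private key.
// Ed25519 hashes internally as well; pre-hashing here mirrors the
// hash-then-sign description in the answer and keeps the signed input small.
func (s *Signer) Sign(document []byte) []byte {
	digest := sha256.Sum256(document)
	return ed25519.Sign(s.priv, digest[:])
}

// Verify recomputes the digest and checks the signature under a public key.
// No secret is involved, so any receiver can verify but none can forge.
func Verify(pub ed25519.PublicKey, document, sig []byte) bool {
	digest := sha256.Sum256(document)
	return ed25519.Verify(pub, digest[:], sig)
}

// Demo exercises the three properties the answer relies on and returns
// whether each verification succeeded.
func Demo() (genuine, tampered, wrongKey bool, err error) {
	var alice, mallory *Signer // hypothetical sender and impostor
	if alice, err = NewSigner(); err != nil {
		return
	}
	if mallory, err = NewSigner(); err != nil {
		return
	}
	doc := []byte("Transfer 100 to account 42") // constructed sample document
	sig := alice.Sign(doc)

	genuine = Verify(alice.Pub, doc, sig)                                   // unmodified: true
	tampered = Verify(alice.Pub, []byte("Transfer 900 to account 42"), sig) // altered: false
	wrongKey = Verify(alice.Pub, doc, mallory.Sign(doc))                    // other key: false
	return
}

func main() {
	genuine, tampered, wrongKey, err := Demo()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("genuine=%v tampered=%v wrongKey=%v\n", genuine, tampered, wrongKey)
}
```

Note that Verify takes only the public key: the receiver can check but never create or alter a signature, which is why option A is wrong, and the "wrongKey" case is the static snapshot property behind the rejection of option C, since any later change to the signed bytes makes the stored signature fail.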

An IS auditor is reviewing enterprise governance and finds there is no defined organizational structure for technology risk governance. Which of the following is the GREATEST concern with this lack of structure?

A. Software developers may adopt inappropriate technology.
B. Project managers may accept technology risks exceeding the organization's risk appetite.
C. Key decision-making entities for technology risk have not been identified.
D. There is no clear approval entity for organizational security standards.
Suggested answer: C

Explanation:

The greatest concern with the lack of structure for technology risk governance is C, key decision-making entities for technology risk have not been identified. Technology risk governance is the process of establishing and maintaining the policies, roles, responsibilities and accountabilities for managing technology risk within an organization. It requires a clear organizational structure that defines who has the authority and responsibility to make decisions, set objectives, allocate resources, monitor performance and ensure compliance for technology risk management. The other options describe consequences that follow from this root cause: if nobody is identified as the decision-maker, developers can adopt technology unchecked, project managers can accept risk beyond the appetite, and no entity is positioned to approve standards. Without such a structure, an organization may face the following challenges:

Lack of alignment and integration between technology and business strategies, leading to suboptimal outcomes and missed opportunities.

Lack of clarity and consistency in technology risk identification, assessment, mitigation, and reporting, leading to gaps and overlaps in risk coverage and exposure.

Lack of communication and collaboration among different stakeholders involved in technology risk management, leading to conflicts and inefficiencies.

Lack of oversight and accountability for technology risk management activities and results, leading to poor quality and reliability.

An IS auditor has been asked to advise on measures to improve IT governance within the organization. Which of the following is the BEST recommendation?

A. Benchmark organizational performance against industry peers.
B. Implement key performance indicators (KPIs).
C. Require executive management to draft IT strategy.
D. Implement annual third-party audits.
Suggested answer: C

Explanation:

The best recommendation to improve IT governance within the organization is C, require executive management to draft IT strategy. IT governance is the set of leadership, organizational structures and processes by which the board and executive management direct and control IT so that it sustains and extends the organization's strategy and objectives. One of its key objectives is alignment and integration between technology and business strategy, which is what makes IT deliver value. It is therefore essential that executive management, who set the organization's vision, mission and goals, are also the ones who draft the IT strategy that supports and enables them. Benchmarking (A), KPIs (B) and third-party audits (D) are monitoring mechanisms: they measure how well governance is working, but they presuppose a strategy to measure against and do not establish governance by themselves. By requiring executive management to draft IT strategy, the organization can:

Ensure that the IT strategy is consistent and coherent with the business strategy, and reflects the organization's priorities, values and culture.

Enhance communication and collaboration between IT and business functions, and foster a shared understanding of and commitment to the IT strategy.

Increase accountability and transparency for IT performance and outcomes, and ensure that IT investments are aligned with the organization's risk appetite and value proposition.

During an audit, the IS auditor finds that in many cases excessive rights were not removed from a system. Which of the following is the auditor's BEST recommendation?

A. System administrators should ensure consistency of assigned rights.
B. IT security should regularly revoke excessive system rights.
C. Human resources (HR) should delete access rights of terminated employees.
D. Line management should regularly review and request modification of access rights.
Suggested answer: D

Explanation:

The best recommendation for the auditor to make is D, line management should regularly review and request modification of access rights. Access rights are the permissions and privileges granted to users to access, view, modify or delete data or resources on a system or network. Excessive rights are access rights that are not necessary or appropriate for a user's role or function, and they create a risk of unauthorized or inappropriate use of data or resources. Access rights should therefore follow the principle of least privilege: users get only the minimum level of access required to perform their duties.

Line management is responsible for overseeing and supervising the activities and performance of their staff, and for ensuring that they comply with the organization's policies and standards. The finding is that excessive rights were not removed, which is a recurring reconciliation problem rather than a one-off administration error, and only the people who know what each user's job currently requires can decide which rights are excessive; system administrators and IT security (A and B) can execute removals but cannot make that judgement on their own, and HR (C) covers only terminations, not role changes. Line management should therefore regularly review and request modification of access rights for their staff, as they are in the best position to:

Understand the roles and functions of their staff, and determine the appropriate level of access rights needed for them to perform their duties effectively and efficiently.

Monitor and evaluate the usage and behavior of their staff, and identify any changes or anomalies that may indicate excessive or inappropriate access rights.

Communicate and collaborate with IT security or system administrators, who are responsible for granting, revoking, or modifying access rights, and request any necessary adjustments or corrections.
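One way to turn the periodic access review described here, and the read-only user review that the first question on this page says was not being performed, into something a line manager can act on. This is an added Go example, not code from the page: it reconciles the entitlements a system actually grants against an HR roster and a least-privilege role matrix and lists every grant a manager must confirm or have removed. The roster, matrix, entitlement names and user names are constructed sample data; a real run would take them from the HR system and the application's user export.

```go
package main

import (
	"fmt"
	"sort"
)

// Employee is the HR view of a person: job role, line manager, employment status.
type Employee struct {
	Role    string
	Manager string
	Active  bool
}

// Finding is one line on the review list a line manager must act on.
type Finding struct {
	User        string
	Manager     string // who confirms or requests removal; empty if unknown
	Entitlement string
	Reason      string
}

// Constructed sample data (hypothetical names and entitlements, not from the page).
var (
	// Least-privilege matrix: the entitlements each job role actually needs.
	RoleMatrix = map[string]map[string]bool{
		"analyst": {"report.read": true},
		"admin":   {"report.read": true, "report.write": true, "user.admin": true},
	}
	// HR roster.
	Roster = map[string]Employee{
		"alice": {Role: "analyst", Manager: "bob", Active: true},
		"carol": {Role: "admin", Manager: "bob", Active: true},
		"dave":  {Role: "analyst", Manager: "bob", Active: false}, // has left
	}
	// What the reporting system grants today, as exported from its user list.
	SystemAccess = map[string][]string{
		"alice": {"report.read", "report.write"},
		"carol": {"report.read", "report.write", "user.admin"},
		"dave":  {"report.read"},
		"eve":   {"report.read"}, // account with no HR record at all
	}
)

// ReviewAccess compares every granted entitlement with the roster and the
// role matrix and returns the grants that need a manager's decision, sorted
// so the output is stable from one review cycle to the next.
func ReviewAccess(roster map[string]Employee, matrix map[string]map[string]bool,
	access map[string][]string) []Finding {
	var findings []Finding
	for user, ents := range access {
		emp, known := roster[user]
		for _, e := range ents {
			f := Finding{User: user, Manager: emp.Manager, Entitlement: e}
			switch {
			case !known:
				f.Reason = "no HR record for this account"
			case !emp.Active:
				f.Reason = "account belongs to a terminated employee"
			case !matrix[emp.Role][e]:
				f.Reason = "entitlement not required by role " + emp.Role
			default:
				continue // grant matches the role: nothing to review
			}
			findings = append(findings, f)
		}
	}
	sort.Slice(findings, func(i, j int) bool {
		if findings[i].User != findings[j].User {
			return findings[i].User < findings[j].User
		}
		return findings[i].Entitlement < findings[j].Entitlement
	})
	return findings
}

func main() {
	for _, f := range ReviewAccess(Roster, RoleMatrix, SystemAccess) {
		fmt.Printf("%-6s %-13s manager=%-5q %s\n", f.User, f.Entitlement, f.Manager, f.Reason)
	}
}
```

The three findings it produces map to the three ways rights become excessive: a grant beyond the role (alice's report.write), a leaver whose account survived (dave) and an account nobody in HR owns (eve). The first two carry a manager's name because that is who the review goes to; the orphan goes to the system owner. Keeping the role matrix as data rather than hard-coding checks is what lets the same review run for read-only reporting users and for administrators alike.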

Which of the following is MOST critical to the success of an information security program?

A. Alignment of information security with IT objectives.
B. Management's commitment to information security.
C. Integration of business and information security.
D. User accountability for information security.
Suggested answer: B

Explanation:

The correct answer is B. Management's commitment to information security. Management's commitment to information security is the most critical factor for the success of an information security program, as it provides the leadership, support, and resources needed to establish and maintain a secure environment. Management's commitment to information security can be demonstrated by:

Setting the vision, mission and goals for information security, and aligning them with the organization's strategies and objectives.

Establishing and enforcing the policies, standards and procedures for information security, and ensuring compliance with relevant laws and regulations.

Allocating sufficient budget, staff and technology for information security, and investing in training and awareness programs.

Promoting a culture of security within the organization, and engaging with stakeholders and partners to foster trust and collaboration.

When physical destruction is not practical, which of the following is the MOST effective means of disposing of sensitive data on a hard disk?

A. Overwriting multiple times.
B. Encrypting the disk.
C. Reformatting.
D. Deleting files sequentially.
Suggested answer: A

Explanation:

The correct answer is A, overwriting multiple times. Overwriting securely erases data by replacing the contents of every addressable sector with fixed or random patterns, so that the original data cannot be recovered by reading the disk. Multiple-pass overwriting repeats this with different patterns and is the traditional answer for magnetic hard disks; it was specified by schemes such as the former US DoD 5220.22-M clearing procedure and the Gutmann method, and is done with software tools that implement those patterns. Two practical caveats: NIST SP 800-88 Rev. 1 considers a single verified overwrite pass adequate for modern magnetic drives, and overwriting is not reliable on SSDs and other flash media, where wear leveling and over-provisioning keep copies in blocks the host cannot address; there, the drive's built-in sanitize or secure-erase command, or cryptographic erase, is used instead. The other options fall short: encrypting the disk after the fact (B) leaves the original plaintext sectors in place unless the data was encrypted from the outset and the key is then destroyed; reformatting (C) rewrites only file-system metadata and leaves the data blocks intact; and deleting files (D) removes directory entries while the data remains recoverable.
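An added Go example, not from the page, of multi-pass overwriting applied to a file: every pass rewrites the full length with fresh random data, the last pass writes zeros so the result can be verified by reading back, and each pass is synced to stable storage. The path and the sample content are constructed for the demonstration. The caveat in the comments matters: file-level overwriting reaches only the blocks currently mapped to that file, so for disposal of a whole disk the same loop is run over the block device (or the drive's sanitize command is used), and on flash media it is not a reliable method at all.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"fmt"
	"io"
	"log"
	"os"
)

// Overwrite rewrites the whole file `passes` times: random data on every pass
// but the last, zeros on the last so the result can be checked by reading back.
// Each pass is fsync'd so the writes reach the medium instead of the page cache.
//
// Caveat: this reaches only the blocks currently mapped to the file. Journal
// entries, snapshots, slack space and sectors the drive has remapped are not
// touched, and on SSDs wear leveling defeats any host-side overwrite. For a
// whole disk, run the same loop over the block device or use the drive's
// sanitize/secure-erase command, per NIST SP 800-88.
func Overwrite(path string, passes int) error {
	if passes < 1 {
		return fmt.Errorf("passes must be at least 1, got %d", passes)
	}
	f, err := os.OpenFile(path, os.O_WRONLY, 0)
	if err != nil {
		return err
	}
	defer f.Close()
	info, err := f.Stat()
	if err != nil {
		return err
	}
	buf := make([]byte, 64*1024)
	for pass := 0; pass < passes; pass++ {
		if _, err := f.Seek(0, io.SeekStart); err != nil {
			return err
		}
		for remaining := info.Size(); remaining > 0; {
			chunk := buf
			if remaining < int64(len(chunk)) {
				chunk = chunk[:remaining]
			}
			if pass == passes-1 {
				for i := range chunk {
					chunk[i] = 0 // final pass: known pattern, verifiable
				}
			} else if _, err := io.ReadFull(rand.Reader, chunk); err != nil {
				return err
			}
			if _, err := f.Write(chunk); err != nil {
				return err
			}
			remaining -= int64(len(chunk))
		}
		if err := f.Sync(); err != nil {
			return err
		}
	}
	return nil
}

// Demo writes a constructed secret to a temp file, wipes it with three passes
// and reports whether the file kept its size and now contains only zeros.
func Demo() (bool, error) {
	f, err := os.CreateTemp("", "wipe-demo-")
	if err != nil {
		return false, err
	}
	path := f.Name()
	defer os.Remove(path)
	secret := bytes.Repeat([]byte("SECRET"), 20000) // ~120 KiB, spans several chunks
	if _, err := f.Write(secret); err != nil {
		f.Close()
		return false, err
	}
	if err := f.Close(); err != nil {
		return false, err
	}
	if err := Overwrite(path, 3); err != nil {
		return false, err
	}
	data, err := os.ReadFile(path)
	if err != nil {
		return false, err
	}
	if len(data) != len(secret) || bytes.Contains(data, []byte("SECRET")) {
		return false, nil
	}
	return bytes.Equal(data, make([]byte, len(secret))), nil
}

func main() {
	ok, err := Demo()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("wiped and verified:", ok)
}
```

The read-back at the end is the part that distinguishes sanitization from a best-effort write: a disposal procedure should record that verification, not just that the tool ran.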

A small IT department has embraced DevOps, which allows members of this group to deploy code to production and maintain some development access to automate releases. Which of the following is the MOST effective control?

A. Enforce approval prior to deployment by a member of the team who has not taken part in the development.
B. The DevOps team provides an annual policy acknowledgment that they did not develop and deploy the same code.
C. Annual training reinforces the need to maintain segregation between developers and deployers of code.
D. The IT compliance manager performs weekly reviews to ensure the same person did not develop and deploy code.
Suggested answer: A

Explanation:

The most effective control to maintain segregation of duties in a DevOps environment is A, enforce approval prior to deployment by a member of the team who has not taken part in the development. Segregation of duties (SoD) requires more than one person to complete a sensitive task, so that fraud, error or abuse needs collusion rather than a single actor. In a DevOps environment, where the same small group develops and operates the software, strict role separation may seem incompatible or impractical, but SoD can still be achieved with a control that ensures no single person can develop and deploy code without independent review.

Enforcing approval prior to deployment by a team member who did not take part in the development is a preventive control: the code change is verified and validated by a peer before it is released to production, which helps prevent or detect unauthorized or malicious modifications, errors and vulnerabilities, and confirms that the change meets the quality and security standards. It also promotes collaboration and feedback among team members and makes the delivery process more transparent and accountable. The other options are weaker because they act after the fact or rely on good faith: an annual acknowledgment (B) and annual training (C) do not stop anyone from deploying their own code, and a weekly compliance review (D) is a detective control that finds a violation only after the code has been running in production.
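An added Go example of the preventive control in option A, not code from the page: a deployment gate that refuses to ship a commit unless at least one approval comes from someone who did not author the change and refers to the exact commit being deployed. The commit hashes, names and request structure are constructed for illustration; in practice the same rule is enforced by the pipeline's deploy job or the repository's required-review settings, which is what makes it a control rather than a policy.

```go
package main

import "fmt"

// Approval is a reviewer's sign-off on one specific commit.
type Approval struct {
	Reviewer string
	Commit   string // the commit the reviewer actually examined
}

// DeployRequest is what the pipeline sees when a build is to be shipped.
type DeployRequest struct {
	Commit    string   // commit about to be deployed
	Authors   []string // everyone who authored commits in the change set
	Approvals []Approval
}

// AllowDeploy enforces the rule in option A: at least one approval must come
// from someone who did not write the code, and it must be for the exact commit
// being deployed, so a sign-off cannot be reused after further changes.
func AllowDeploy(req DeployRequest) (bool, string) {
	authors := make(map[string]bool, len(req.Authors))
	for _, a := range req.Authors {
		authors[a] = true
	}
	for _, ap := range req.Approvals {
		switch {
		case ap.Commit != req.Commit:
			continue // stale: approved an earlier commit
		case authors[ap.Reviewer]:
			continue // self-approval by a developer of the change
		default:
			return true, fmt.Sprintf("approved by %s for %s", ap.Reviewer, req.Commit)
		}
	}
	return false, fmt.Sprintf("no independent approval for commit %s", req.Commit)
}

// Constructed scenarios (hypothetical names and hashes, not from the page).
var (
	// Alice wrote it and approved it herself.
	SelfApproved = DeployRequest{Commit: "c0ffee1", Authors: []string{"alice"},
		Approvals: []Approval{{Reviewer: "alice", Commit: "c0ffee1"}}}
	// Alice wrote it; Bob, who did not, approved that exact commit.
	PeerApproved = DeployRequest{Commit: "c0ffee1", Authors: []string{"alice"},
		Approvals: []Approval{{Reviewer: "bob", Commit: "c0ffee1"}}}
	// Bob approved c0ffee1, then Alice pushed c0ffee2 on top of it.
	StaleApproval = DeployRequest{Commit: "c0ffee2", Authors: []string{"alice"},
		Approvals: []Approval{{Reviewer: "bob", Commit: "c0ffee1"}}}
	// Alice and Bob pair-programmed; Bob's approval is not independent.
	PairApproved = DeployRequest{Commit: "c0ffee3", Authors: []string{"alice", "bob"},
		Approvals: []Approval{{Reviewer: "bob", Commit: "c0ffee3"}}}
)

func main() {
	for name, req := range map[string]DeployRequest{
		"self": SelfApproved, "peer": PeerApproved, "stale": StaleApproval, "pair": PairApproved,
	} {
		ok, why := AllowDeploy(req)
		fmt.Printf("%-5s allowed=%-5v %s\n", name, ok, why)
	}
}
```

The two rejections besides plain self-approval are the ones that get missed when the rule is stated only as policy: an approval given before the last push no longer covers what is being deployed, and a co-author's approval does not provide the independence the control is meant to deliver. Both have to be checked by the gate, because an annual acknowledgment or a weekly review would not catch them before the release.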

An IS auditor determines that the vendor's deliverables do not include the source code for a newly acquired product. To address this issue, which of the following should the auditor recommend be included in the contract?

A. Confidentiality and data protection clauses.
B. Service level agreement (SLA).
C. Software escrow agreement.
D. Right-to-audit clause.
Suggested answer: C

Explanation:

The correct answer is C, software escrow agreement. A software escrow agreement is a legal arrangement between three parties: the software developer (licensor), the end user (licensee) and an escrow agent. The source code and related build materials are deposited with the agent and released to the licensee on defined triggers, such as the licensor's bankruptcy or insolvency or its failure to provide support or maintenance. This gives the licensee continuity for software it depends on and protects it from losing access or functionality if the vendor fails or a dispute arises. The agreement is only as good as its deposits, so it should require the deposit to be updated as new versions ship and periodically verified, that is, confirmed to build into the product actually delivered. The other options do not address the problem: confidentiality clauses (A), an SLA (B) and a right-to-audit clause (D) govern how the vendor handles data, service levels and audit access, but none of them gives the organization the source code if the vendor is no longer there to support it.
