QUESTION 1

- (Topic 1)
Which of the following fire suppression systems needs to be combined with an automatic switch to shut down the electricity supply in the event of activation?

Correct Answer: A
Carbon dioxide fire suppression systems need to be combined with an automatic switch to shut down the electricity supply in the event of activation. This is because carbon dioxide displaces oxygen in the air and can create a suffocation hazard for people in the protected area. Therefore, it is essential to cut off the power source before releasing carbon dioxide to avoid electrical shocks and sparks that could ignite the fire again. Carbon dioxide systems are typically used for total flooding applications in spaces that are not habitable, such as server rooms or data centers.

QUESTION 2

- (Topic 4)
A computer forensic audit is MOST relevant in which of the following situations?

Correct Answer: D
A computer forensic audit is a process of collecting, preserving, analyzing, and presenting digital evidence from electronic devices in a legally admissible manner. It is most relevant in situations where data loss due to hacking of servers occurs, as it can help to identify the source, method, and extent of the attack, as well as recover the lost or damaged data. The other options are not as suitable for a computer forensic audit, as they relate to internal control issues, data quality issues, or system maintenance issues, which can be addressed by other types of audits or reviews.
References:
✑ CISA Review Manual (Digital Version), Domain 4: Information Systems Operations and Business Resilience, Section 4.5 Computer Forensics

QUESTION 3

- (Topic 4)
An IS department is evaluated monthly on its cost-revenue ratio, user satisfaction rate, and computer downtime. This is BEST characterized as an application of:

Correct Answer: B
A balanced scorecard is a framework that translates the IT strategy into measurable objectives, indicators, targets, and initiatives across four perspectives: financial, customer, internal process, and learning and growth. A balanced scorecard helps to monitor and evaluate how well the IT function is delivering value to the organization, achieving its strategic goals, and improving its capabilities and competencies. The other options are not the primary uses of a balanced scorecard, because they either focus on specific aspects of IT rather than the overall performance, or they are not directly related to the IT strategy.

QUESTION 4

- (Topic 3)
An IS auditor reviewing the threat assessment for a data center would be MOST concerned if:

Correct Answer: C
An IS auditor reviewing the threat assessment for a data center would be most concerned if the exercise was completed by local management, because this could introduce bias, conflict of interest, or lack of expertise in the assessment process. A threat assessment is a systematic method of identifying and evaluating the potential threats that could affect the availability, integrity, or confidentiality of the data center and its assets. A threat assessment should be conducted by an independent and qualified team that has the necessary skills, knowledge, and experience to perform a comprehensive and objective analysis of the data center's environment, vulnerabilities, and risks.
The other options are not as concerning as option C for an IS auditor reviewing the threat assessment for a data center. Option A, some of the identified threats are unlikely to occur, is not a problem as long as the likelihood and impact of each threat are properly estimated and prioritized. A threat assessment should consider all possible scenarios, even if they have a low probability of occurrence, to ensure that the data center is prepared for any eventuality. Option B, all identified threats relate to external entities, is not a flaw as long as the assessment also considers internal threats, such as human errors, malicious insiders, or equipment failures. External threats are often more visible and severe than internal threats, but they are not the only source of risk for a data center. Option D, neighboring organizations' operations have been included, is not a mistake as long as the assessment also focuses on the data center's own operations. Neighboring organizations' operations may have an impact on the data center's security and availability, especially if they share physical or network infrastructure or resources. A threat assessment should take into account the interdependencies and interactions between the data center and its external environment.
References:
✑ ISACA, CISA Review Manual, 27th Edition, 2019
✑ ISACA, CISA Review Questions, Answers & Explanations Database - 12 Month Subscription
✑ Data Center Threats and Vulnerabilities
✑ Datacenter threat, vulnerability, and risk assessment
✑ Data Centre Risk Assessment

QUESTION 5

- (Topic 3)
Management receives information indicating a high level of risk associated with potential flooding near the organization's data center within the next few years. As a result, a decision has been made to move data center operations to another facility on higher ground. Which approach has been adopted?

Correct Answer: A
The approach adopted by management in this scenario is risk avoidance. Risk avoidance is the elimination of a risk by discontinuing or not undertaking an activity that poses a threat to the organization. By moving data center operations to another facility on higher ground, management is avoiding the potential flooding risk that could disrupt or damage the data center. Risk transfer, risk acceptance, and risk reduction are other possible approaches for dealing with risks, but they do not apply in this case.
References:
✑ CISA Review Manual, 27th Edition, page 641
✑ CISA Review Questions, Answers & Explanations Database - 12 Month Subscription