
QUESTION 51

- (Topic 4)
Which of the following indicates that an internal audit organization is structured to support the independence and clarity of the reporting process?

Correct Answer: C
The internal audit manager should report functionally to the audit committee, an independent body that oversees the internal audit function and safeguards its objectivity and accountability. Reporting functionally to a senior management official may compromise the independence and clarity of the internal audit reporting process, because senior management may have a vested interest in the audit results or may influence audit scope and priorities. References: ISACA IT Audit and Assurance Standards, Guidelines and Tools and Techniques for IS Audit and Assurance Professionals, section 1002 Independence: "The chief audit executive (CAE) should report functionally to the board or its equivalent (e.g., audit committee) and administratively to executive management."

QUESTION 52

- (Topic 4)
A global organization's policy states that all workstations must be scanned for malware each day. Which of the following would provide an IS auditor with the BEST evidence of continuous compliance with this policy?

Correct Answer: C
Anti-malware tool audit logs would provide an IS auditor with the best evidence of continuous compliance with the policy that all workstations must be scanned for malware each day. Anti-malware tool audit logs are records of the activities and events of the anti-malware software installed on the workstations, such as scan schedules, scan results, signature updates, alerts, and actions taken. From these logs the IS auditor can verify that the anti-malware software is functioning, that scans are performed every day on every workstation, and that any malware incidents are detected and resolved in a timely manner. Because the logs cover the whole audit period, they also reveal gaps, such as workstations whose agent stopped reporting or days on which a scheduled scan failed, which the auditor can use to recommend improvements to the policy or its implementation.
The other options are not the best evidence of continuous compliance with the anti-malware policy. Penetration testing results report the vulnerabilities and risks of the workstations and network from an external or internal attacker's perspective. While penetration testing helps to assess the security posture and resilience of the organization, it says nothing about the daily anti-malware scans or their outcomes. Management attestation is a statement from management that they have complied with the anti-malware policy. While it demonstrates commitment and accountability, it is not objective or independently verifiable evidence of compliance. Recent malware scan reports show the summary or details of the latest scans performed on the workstations. While they indicate the current status and performance of the anti-malware software, they are a point-in-time snapshot and do not provide historical or comprehensive evidence that the policy was followed throughout the period.
References:
✑ Malwarebytes Anti-Malware (MBAM) log collection and threat reports
✑ Malicious Behavior Detection using Windows Audit Logs
✑ PCI Requirement 5.2 – Ensure all Anti-Virus Mechanisms are Current
✑ Management Attestation - an overview | ScienceDirect Topics
✑ How to Read a Malware Scan Report | Techwalla
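The point of the answer above is that audit logs let the auditor test the whole period rather than the latest snapshot, and that a missing entry is itself a finding. The following script is an added example, not part of the exam material or of any vendor's tooling; it assumes a hypothetical key=value log export (constructed sample lines below) and a workstation inventory, and reports every host and calendar day with no successfully completed scan. A failed scan, a definitions update, or a host that never reports at all does not satisfy the daily-scan policy.

```python
"""Check daily anti-malware scan coverage from agent audit logs.

Added example (not from the CISA material). Given the audit log lines an
anti-malware agent writes, list each workstation and each calendar day in
the audit period on which no successful scan completed. Absence of a log
entry is treated as a compliance gap: that is what audit logs can show and
a snapshot of the latest scan report cannot.
"""
from datetime import date, datetime, timedelta, timezone
import re

# Constructed sample lines in a hypothetical key=value format. A real
# agent's export (CSV, syslog, SIEM query) needs its own parser.
SAMPLE_LOG = """\
2024-03-01T02:10:05Z host=WS-001 event=scan_complete result=clean
2024-03-01T02:14:40Z host=WS-002 event=scan_complete result=clean
2024-03-02T02:09:58Z host=WS-001 event=scan_complete result=infected action=quarantined
2024-03-02T02:15:02Z host=WS-002 event=scan_failed reason=definitions_out_of_date
2024-03-03T02:11:13Z host=WS-001 event=scan_complete result=clean
2024-03-03T02:13:27Z host=WS-002 event=scan_complete result=clean
2024-03-03T02:20:00Z host=WS-001 event=definitions_updated version=2024.03.03
this line is not a valid record and is skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Return (utc_date, fields) for one log line, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    ts = ts.replace(tzinfo=timezone.utc)
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    return ts.date(), fields


def scan_coverage(log_text, hosts, start_iso, end_iso):
    """Map each inventoried host to the sorted ISO dates in [start, end]
    on which no scan completed.

    Only event=scan_complete counts (a scan that found malware still ran);
    failed scans and definition updates do not satisfy the daily-scan
    policy. Hosts in the inventory that never appear in the log get every
    day reported, because an unreporting agent is not evidence of compliance.
    """
    start = date.fromisoformat(start_iso)
    end = date.fromisoformat(end_iso)
    scanned = {h: set() for h in hosts}
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        day, f = parsed
        if f.get("event") == "scan_complete" and f.get("host") in scanned:
            scanned[f["host"]].add(day)
    days = [start + timedelta(n) for n in range((end - start).days + 1)]
    return {h: [d.isoformat() for d in days if d not in scanned[h]] for h in hosts}


if __name__ == "__main__":
    # WS-003 is in the inventory but has no log entries at all.
    gaps = scan_coverage(SAMPLE_LOG, ["WS-001", "WS-002", "WS-003"],
                         "2024-03-01", "2024-03-03")
    for host, missing in gaps.items():
        print(f"{host}: {'OK' if not missing else 'GAP ' + ', '.join(missing)}")
```

Run against the sample, WS-001 is compliant, WS-002 is flagged for 2024-03-02 (its scan failed), and WS-003 is flagged for all three days because it never reported. In a real review the inventory should come from the asset register rather than from the log itself, otherwise unreporting hosts disappear from the test.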

QUESTION 53

- (Topic 3)
Which of the following should be of GREATEST concern for an IS auditor reviewing an organization's disaster recovery plan (DRP)?

Correct Answer: C
The greatest concern for an IS auditor reviewing an organization's disaster recovery plan (DRP) is that the DRP has not been updated since an IT infrastructure upgrade. This could render the DRP obsolete or ineffective, because it may no longer reflect the current configuration, dependencies, or recovery requirements of the IT systems. The IS auditor should ensure that the DRP is reviewed and updated regularly to align with changes in the IT environment. That the DRP has not been formally approved by senior management is also a concern, but it is less critical than ensuring that the plan is current and valid. That the DRP has not been distributed to end users, or that it contains recovery procedures for critical servers only, are issues of communication or scope rather than of the plan's validity or effectiveness. References: ISACA, CISA Review Manual, 27th Edition, 2018, page 389

QUESTION 54

- (Topic 4)
Which of the following risk scenarios is BEST addressed by implementing policies and procedures related to full disk encryption?

Correct Answer: D
Full disk encryption (FDE) protects information by encrypting all of the data on a disk, including temporary files, programs, and system files. FDE is best suited to the risk scenario of physical theft of media on which information is stored, because it prevents unauthorized access to the data at rest even if the device is lost or stolen. Note that FDE protects data at rest only: once the device has been booted and the disk unlocked, the operating system and every running application see plaintext.
FDE does not prevent data leakage by employees leaving to work for competitors, because they can still read the data while using the device or copy it to another device before leaving. FDE does not prevent noncompliance fines related to storage of regulated information, because it does not ensure that the data is stored in accordance with the applicable laws and regulations. FDE does not prevent unauthorized logical access to information through an application interface, because it does not control the access rights and permissions of users and applications, and the application reads decrypted data regardless. References: ISACA IT Audit and Assurance Standards, Guidelines and Tools and Techniques for IS Audit and Assurance Professionals, section 2402 Planning: "The IS audit and assurance professional should identify and assess risk relevant to the area under review." One of the risk factors to consider is "the sensitivity of information processed, stored or transmitted by the system". FDE is one of the possible controls to mitigate the risk of unauthorized disclosure of sensitive information due to physical theft of media.

QUESTION 55

- (Topic 4)
Email required for business purposes is being stored on employees' personal devices. Which of the following is an IS auditor's BEST recommendation?

Correct Answer: D
Implementing an email containerization solution on personal devices is the IS auditor's best recommendation, because it allows the organization to separate and secure the email data from the rest of the device data. Email containerization creates an isolated, encrypted workspace for the email data, which prevents unauthorized access, leakage, or loss of sensitive information and lets the organization wipe the container without touching the employee's personal data. Requiring passwords or antivirus protection on personal devices may not be sufficient or enforceable, while prohibiting employees from storing company email on personal devices may not be feasible or practical. References: CISA Review Manual (Digital Version), Chapter 5, Section 5.4.3; CISA Online Review Course, Module 5, Lesson 4