- (Topic 4)
Which of the following be of GREATEST concern to an IS auditor reviewing on-site preventive maintenance for an organization’s business-critical server hardware?
Correct Answer:
C
The answer C is correct because preventive maintenance is outsourced to multiple vendors without requiring nondisclosure agreements (NDAs) would be of greatest concern to an IS auditor reviewing on-site preventive maintenance for an organization’s business- critical server hardware. This is because outsourcing preventive maintenance to multiple vendors without NDAs exposes the organization to the risk of unauthorized access, disclosure, or modification of sensitive data and information stored on the servers. NDAs are legal contracts that bind the vendors to protect the confidentiality and security of the data and information they access or handle during the preventive maintenance. Without NDAs, the vendors may not have any obligation or incentive to safeguard the data and information, and they may misuse, leak, or compromise them for malicious or commercial purposes. This could result in financial losses, reputational damage, legal liabilities, or regulatory penalties for the organization.
The other options are not as concerning as option C. Preventive maintenance costs exceed the business allocated budget (option A) is a financial issue that may affect the profitability or efficiency of the organization, but it does not directly impact the security or availability of the server hardware. Preventive maintenance has not been approved by the information system (option B) is a procedural issue that may indicate a lack of coordination or communication between the IT department and the business units, but it does not necessarily affect the quality or effectiveness of the preventive maintenance. The preventive maintenance schedule is based on mean time between failures (MTBF) parameters (option D) is a technical issue that may influence the frequency or timing of the preventive maintenance, but it does not imply any risk or deficiency in the preventive maintenance itself.
References:
✑ What is a Maintenance Audit?
✑ How to audit your preventative maintenance schedule
✑ 5 Step Maintenance Management Program Audit
✑ How do you get effective Preventive Maintenance really?
✑ What is a Planned Preventative Maintenance Audit?
- (Topic 1)
Which of the following is the MOST important benefit of involving IS audit when implementing governance of enterprise IT?
Correct Answer:
D
The most important benefit of involving IS audit when implementing governance of enterprise IT is providing independent and objective feedback to facilitate improvement of IT processes. Governance of enterprise IT is the process of ensuring that IT supports the organization’s strategy, goals, and objectives in an effective, efficient, ethical, and compliant manner. IS audit can provide value to governance of enterprise IT by assessing the alignment of IT with business needs, evaluating the performance and value delivery of IT, identifying risks and issues related to IT, recommending corrective actions and best practices, and monitoring the implementation and effectiveness of IT governance activities. IS audit can also provide assurance that IT governance processes are designed and operating in accordance with relevant standards, frameworks, laws, regulations, and contractual obligations. Identifying relevant roles for an enterprise IT governance framework is a benefit of involving IS audit when implementing governance of enterprise IT, but not the most important one. IS audit can help define and clarify the roles and responsibilities of various stakeholders involved in IT governance, such as board members, senior management, business units, IT function, external parties, etc. IS audit can also help ensure that these roles are aligned with the organization’s strategy, goals, and objectives, and that they have adequate authority, accountability, communication, and reporting mechanisms. However, this benefit is more related to the design phase of IT governance implementation than to the ongoing monitoring and improvement phase. Making decisions regarding risk response and monitoring of residual risk is a benefit of involving IS audit when implementing governance of enterprise IT, but not the most important one. IS audit can help identify and assess the risks associated with IT activities and processes, such as
strategic risks, operational risks, compliance risks, security risks, etc. IS audit can also help evaluate the effectiveness of risk management practices and controls implemented by management to mitigate or reduce these risks. However, this benefit is more related to the assurance function of IS audit than to its advisory function. Verifying that legal, regulatory, and contractual requirements are being met is a benefit of involving IS audit when implementing governance of enterprise IT, but not the most important one. IS audit can help verify that IT activities and processes comply with applicable laws, regulations, and contractual obligations, such as data protection laws, privacy laws, cybersecurity laws, industry standards, service level agreements, etc. IS audit can also help identify and report any instances of noncompliance or violations that could result in legal or reputational consequences for the organization. However, this benefit is more related to the assurance function of IS audit than to its advisory function. References: ISACA CISA Review Manual 27th Edition, page 283
- (Topic 4)
Which of the following is the MOST important consideration when evaluating the data retention policy for a global organization with regional offices in multiple countries?
Correct Answer:
D
The data retention policy for a global organization with regional offices in multiple countries should align with local laws and regulations, as they may vary significantly from one country to another and may impose different requirements and penalties for non-compliance. The policy should also consider the corporate policies and practices, the global best practices, and the business goals and objectives, but these are secondary to the legal compliance. References: CISA Review Manual (Digital Version), Chapter 5: Protection of Information Assets, Section 5.3: Data Classification and Protection
- (Topic 4)
Which of the following is an example of a preventive control for physical access?
Correct Answer:
B
A preventive control is a control that aims to deter or prevent undesirable events from occurring. A fingerprint-based access control system for the building is an example of a preventive control for physical access, as it restricts unauthorized persons from entering the premises. Keeping log entries for all visitors to the building, installing CCTV cameras for all ingress and egress points, and implementing a centralized logging server to record instances of staff logging into workstations are examples of detective controls, which are controls that aim to discover or detect undesirable events that have already occurred. References: IS Audit and Assurance Tools and Techniques, CISA Certification | Certified Information Systems Auditor | ISACA
- (Topic 1)
Which of the following is a social engineering attack method?
Correct Answer:
B
An employee is induced to reveal confidential IP addresses and passwords by answering questions over the phone. This is a social engineering attack method that exploits the trust or curiosity of the employee to obtain sensitive information that can be used to access or compromise the network. According to the web search results, social engineering is a technique that uses psychological manipulation to trick users into making security mistakes or giving away sensitive information1. Phishing, whaling, baiting, and pretexting are some of the common forms of social engineering attacks2. Social engineering attacks are often more effective and profitable than purely technical attacks, as they rely on human error rather than system vulnerabilities