- (Topic 4)
An IS auditor discovers from patch logs that some in-scope systems are not compliant with the regular patching schedule. What should the auditor do NEXT?
Correct Answer:
C
The IS auditor should review the organization’s patch management policy to determine the expected frequency and scope of patching, as well as the roles and responsibilities of the patch management team. This will help the auditor assess the severity and impact of the non-compliance, and identify the root cause and possible remediation actions [1][2].
References:
✑ [1] How to Create a Patch Management Policy: Complete Guide
✑ [2] Free Patch Management Policy Template (+Examples)
- (Topic 2)
Which of the following is MOST helpful for measuring benefits realization for a new system?
Correct Answer:
C
A post-implementation review is the most helpful method for measuring benefits realization for a new system, because it evaluates the actual outcomes and impacts of the system after it has been implemented and used for a certain period of time. A post-implementation review can compare the actual benefits with the expected benefits that were defined in the business case or the benefits realization plan, and identify any gaps, issues, or opportunities for improvement. A post-implementation review can also assess the effectiveness, efficiency, and satisfaction of the system’s users, stakeholders, and customers, and provide feedback and recommendations for future enhancements or changes.
The other options are not as helpful as post-implementation review for measuring benefits realization for a new system:
✑ Function point analysis. This is a technique that measures the size and complexity of a software system based on the number and types of functions it provides. Function point analysis can help estimate the cost, effort, and time required to develop, maintain, or enhance a software system, but it does not measure the actual benefits or value that the system delivers to the organization or its users.
✑ Balanced scorecard review. This is a strategic management tool that measures the performance of an organization or a business unit based on four perspectives: financial, customer, internal process, and learning and growth. A balanced scorecard review can help align the organization’s vision, mission, and goals with its activities and outcomes, but it does not measure the specific benefits or impacts of a new system.
✑ Business impact analysis (BIA). This is a process that identifies and evaluates the potential effects of a disruption or disaster on the organization’s critical business functions and processes. A BIA can help determine the recovery priorities, objectives, and strategies for the organization in case of an emergency, but it does not measure the benefits or value of a new system.
- (Topic 4)
Compared to developing a system in-house, acquiring a software package means that the need for testing by end users is:
Correct Answer:
B
Compared to developing a system in-house, acquiring a software package means that the need for testing by end users is unchanged. This is because end users are still the ultimate customers and beneficiaries of the system, and they need to ensure that the software package meets their requirements, expectations, and satisfaction. End user testing, also known as user acceptance testing (UAT) or beta testing, is the final stage of testing performed by the user or client to determine whether the software can be accepted or not [1]. End user testing is important for both in-house developed and acquired software packages, as it helps to verify the functionality, usability, performance, and reliability of the system [2]. End user testing also helps to identify and resolve any defects, errors, or issues that may not have been detected by the developers or vendors [3].
Therefore, option B is the correct answer.
Option A is not correct because end user testing is not eliminated by acquiring a software package. Even though the software package may have been tested by the vendor or supplier, it may still have bugs, compatibility issues, or configuration problems that need to be fixed before deployment [4]. Option C is not correct because end user testing is not increased by acquiring a software package. The scope and extent of end user testing depend on various factors, such as the complexity, criticality, and customization of the system, and not on whether it is developed in-house or acquired. Option D is not correct because end user testing is not reduced by acquiring a software package. The software package may still require modifications or integrations to suit the specific needs and environment of the organization, and these changes need to be tested by the end users.
References:
✑ [5] Chapter 4 Methods of Software Acquisition
✑ [1] What is User Acceptance Testing (UAT): A Complete Guide
✑ [3] What Is End-to-End Testing? (With How-To and Example)
✑ [4] How to Evaluate New Software in 5 Steps
✑ User Acceptance Testing (UAT) in ERP Projects
✑ User Acceptance Testing for Packaged Software
- (Topic 4)
An IS auditor identifies that a legacy application to be decommissioned in three months cannot meet the security requirements established by the current policy. What is the BEST way for the auditor to address this issue?
Correct Answer:
C
The best way for the auditor to address this issue is to verify management has approved a policy exception to accept the risk. A policy exception is a formal authorization that allows a deviation from the established policy requirements for a specific situation or period of time. A policy exception should be based on a risk assessment that evaluates the impact and likelihood of the potential threats and vulnerabilities, as well as the cost and benefit of the alternative controls. A policy exception should also be documented, approved, and monitored by management.
Recommending the application be patched to meet requirements is not the best way for the auditor to address this issue. Patching the application may not be feasible, cost-effective, or timely, given that the application will be decommissioned in three months. Patching the application may also introduce new risks or errors that could affect the functionality or performance of the application.
Informing the IT director of the policy noncompliance is not the best way for the auditor to address this issue. Informing the IT director of the policy noncompliance may not resolve the issue or mitigate the risk, especially if the IT director is already aware of the situation and has decided to accept it. Informing the IT director of the policy noncompliance may also create unnecessary conflict or tension between the auditor and the auditee.
Taking no action since the application will be decommissioned in three months is not the best way for the auditor to address this issue. Taking no action may expose the organization to significant risks or consequences, such as data breaches, regulatory fines, or reputational damage, if the application is compromised or exploited by malicious actors. Taking no action may also violate the auditor’s professional standards and responsibilities, such as due care, objectivity, and reporting.
References:
✑ ISACA, CISA Review Manual, 27th Edition, 2019, p. 289
✑ ISACA, CISA Review Questions, Answers & Explanations Database - 12 Month Subscription
✑ Cybersecurity Engineering for Legacy Systems: 6 Recommendations - SEI Blog
✑ How to Secure Your Company’s Legacy Applications - iCorps
- (Topic 2)
Which of the following will MOST likely compromise the control provided by a digital signature created using RSA encryption?
Correct Answer:
D
A digital signature is a cryptographic technique that verifies the authenticity and integrity of a message or document by using a hash function and an asymmetric encryption algorithm. A hash function is a mathematical function that transforms any input data into a fixed-length output value called a digest, which is, for practical purposes, unique to each input. An asymmetric encryption algorithm uses two keys: a public key and a private key. The public key can be shared with anyone, while the private key must be kept secret by the owner.
To create a digital signature, the sender first applies a hash function to the plaintext message to generate a digest. Then, the sender encrypts the digest with their private key to produce the digital signature. To verify the digital signature, the receiver decrypts the digital signature with the sender’s public key to obtain the digest. Then, the receiver applies the same hash function to the plaintext message to generate another digest. If the two digests match, it means that the message has not been altered and that it came from the sender.
The security of a digital signature depends on the secrecy of the sender’s private key. If an attacker obtains the sender’s private key, they can create fake digital signatures for any message they want, thus compromising the control provided by the digital signature. Reversing the hash function using the digest is not possible, as hash functions are designed to be one-way functions that cannot be inverted. Altering the plaintext message will result in a different digest after applying the hash function, which will not match the decrypted digest from the digital signature, thus invalidating the digital signature. Deciphering the receiver’s public key is not relevant, as public keys are meant to be publicly available and do not affect the security of digital signatures.