
QUESTION 16

- (Topic 4)
Aligning IT strategy with business strategy PRIMARILY helps an organization to:

Correct Answer: A
Aligning IT strategy with business strategy primarily helps an organization to optimize its investments in IT. Alignment ensures that IT resources and capabilities are directed at the business goals and priorities, and that IT delivers value to the business in terms of efficiency, effectiveness, innovation, and competitive advantage. By aligning IT strategy with business strategy, an organization avoids spending money and time on IT projects or services that do not support or contribute to business outcomes. Alignment also helps to identify and prioritize the most critical and valuable IT initiatives, those that create or optimize business value.
Therefore, the correct answer is A, optimize investments in IT.

QUESTION 17

- (Topic 4)
Which of the following provides the BEST evidence that a third-party service provider's information security controls are effective?

Correct Answer: A
An audit report of the controls by the service provider's external auditor provides the best evidence that a third-party service provider's information security controls are effective. An external auditor is an independent and objective party that can assess both the design and the operating effectiveness of the service provider's information security controls against established standards and criteria (for example, a SOC 2 Type II report covers the operating effectiveness of controls over a review period, not just their design at a point in time). An external auditor can also provide an opinion on the adequacy and compliance of the service provider's information security controls, as well as recommendations for improvement.
Documentation of the service provider's security configuration controls is a source of evidence, but not the best evidence. Such documentation can show the settings and parameters of the service provider's information systems and networks, but it may not reflect the actual implementation and operation of the controls, and it may be outdated, incomplete, or inaccurate.
An interview with the service provider's information security officer is a source of evidence, but not the best evidence. An interview can provide insights into the service provider's information security strategy, policies, and procedures, but it does not verify the actual performance and compliance of the controls, and the answers may be biased, subjective, or misleading.
A review of the service provider's policies and procedures is a source of evidence, but not the best evidence. Policies and procedures show the service provider's information security objectives, requirements, and guidelines, but they do not demonstrate the actual execution and enforcement of the controls, and they may be insufficient, inconsistent, or outdated.
References:
✑ ISACA, CISA Review Manual, 27th Edition, 2019, p. 284
✑ ISACA, CISA Review Questions, Answers & Explanations Database - 12 Month Subscription

QUESTION 18

- (Topic 4)
An IS auditor notes that not all security tests were completed for an online sales system recently promoted to production. Which of the following is the auditor's BEST course of action?

Correct Answer: A
The IS auditor's best course of action when not all security tests were completed for an online sales system that has already been promoted to production is to determine the exposure to the business. An online sales system typically handles customer and payment data and is reachable from the Internet, so any security tests that were skipped may have left weaknesses undetected. The IS auditor should first establish which tests were not performed, which controls and components those tests would have covered, and what the potential impact and risk to the business are if those controls are deficient, such as data breaches, fraud, reputational damage, or legal or regulatory penalties. With that understanding, the auditor can report the finding with an appropriate risk rating and recommend a proportionate response to management, for example completing the outstanding tests or applying compensating controls. The other options are not the best course of action, because they either do not address the root cause of the problem or are reactive rather than proactive measures.
References: CISA Review Manual (Digital Version), Chapter 5, Section 5.2.7

QUESTION 19

- (Topic 4)
In a large organization, IT deadlines on important projects have been missed because IT resources are not prioritized properly. Which of the following is the BEST recommendation to address this problem?

Correct Answer: B
The best recommendation to address the problem of missing IT deadlines on important projects because IT resources are not prioritized properly is to implement project portfolio management (PPM). PPM is the process of analyzing and optimizing the costs, resources, technologies, and processes for all the projects and programs within a portfolio. A portfolio is a collection of projects, programs, and processes that are managed together and aligned with the strategic goals and objectives of the organization. PPM can help the organization to:
✑ Prioritize the most valuable and relevant projects and programs based on their alignment with the organizational strategy, vision, and mission.
✑ Balance the portfolio to ensure that the projects and programs are diversified, feasible, and sustainable, and that they meet the needs and expectations of the stakeholders.
✑ Optimize the allocation, utilization, and coordination of IT resources across the portfolio, such as staff, budget, time, equipment, and software.
✑ Monitor and control the performance and progress of the projects and programs within the portfolio, and evaluate their outcomes and benefits.
By implementing PPM, the organization can improve its IT project delivery and avoid missing deadlines. PPM can also help the organization to increase its efficiency, effectiveness, quality, and value.
References:
✑ Project Portfolio Management (PPM): The Ultimate Guide - ProjectManager
✑ A Complete Overview of Project Portfolio Management - Smartsheet
✑ PPM 101: What Is Project Portfolio Management?

QUESTION 20

- (Topic 4)
As part of business continuity planning, which of the following is MOST important to assess when conducting a business impact analysis (BIA)?

Correct Answer: C
The most important thing to assess when conducting a business impact analysis (BIA) is the completeness of the critical asset inventory. The critical asset inventory is the basis for identifying and prioritizing the business processes, functions, and resources that are essential for the continuity of operations; an asset missing from the inventory is never assessed for impact, so its recovery requirements are never defined. The inventory should include both tangible and intangible assets, such as hardware, software, data, personnel, facilities, contracts, and reputation, and it should be updated regularly to reflect changes in the business environment or needs.
References:
✑ CISA Review Manual (Digital Version), Chapter 5, Section 5.4
✑ CISA Online Review Course, Domain 3, Module 3, Lesson 1