- (Topic 4)
An IS auditor learns that an organization's business continuity plan (BCP) has not been updated in the last 18 months and that the organization recently closed a production plant. Which of the following is the auditor's BEST course of action?

1. A. Determine whether the business impact analysis (BIA) is current with the organization's structure and context.
2. B. Determine the types of technologies used at the plant and how they may affect the BCP.
3. C. Perform testing to determine the impact to the recovery time objective (R TO).
4. D. Assess the risk to operations from the closing of the plant.

Correct Answer: A
The IS auditor should first determine whether the business impact analysis (BIA) is current with the organization’s structure and context. The BIA is a critical component of the BCP and should reflect the current state of the organization. If the BIA is not up-to-date, it may not accurately reflect the impact of a disruption to the organization’s operations, including the closure of a production plant12.
References: ISACA’s Information Systems Auditor Study Materials1

- (Topic 1)
An online retailer is receiving customer complaints about receiving different items from what they ordered on the organization's website. The root cause has been traced to poor data quality. Despite efforts to clean erroneous data from the system, multiple data quality issues continue to occur. Which of the following recommendations would be the BEST way to reduce the likelihood of future occurrences?

1. A. Assign responsibility for improving data quality.
2. B. Invest in additional employee training for data entry.
3. C. Outsource data cleansing activities to reliable third parties.
4. D. Implement business rules to validate employee data entry.

Correct Answer: D
Implementing business rules to validate employee data entry is the best way to reduce the likelihood of future occurrences of poor data quality that cause customer complaints about receiving different items from what they ordered on the organization’s website. Business rules are logical statements that define the conditions and actions for data validation, such as checking for data completeness, accuracy, consistency, and integrity. Assigning responsibility for improving data quality, investing in additional
employee training for data entry, and outsourcing data cleansing activities to reliable third parties are also possible ways to improve data quality, but they are not as effective as implementing business rules to validate employee data entry. References: CISA Review Manual (Digital Version), Chapter 4, Section 4.3.1

- (Topic 4)
An IS auditor finds a segregation of duties issue in an enterprise resource planning (ERP) system. Which of the following is the BEST way to prevent the misconfiguration from recurring?

1. A. Monitoring access rights on a regular basis
2. B. Referencing a standard user-access matrix
3. C. Granting user access using a role-based model
4. D. Correcting the segregation of duties conflicts

Correct Answer: C
The best way to prevent the misconfiguration from recurring is to grant user access using a role-based model. A role-based access control (RBAC) model is an access control method that assigns permissions to end-users based on their role within the organization1. RBAC provides fine-grained control, offering a simple, manageable approach to access management that is less error-prone than individually assigning permissions1. RBAC also enforces the principle of least privilege, which means that users only have the minimum access required to perform their tasks2.
A role-based model can help prevent segregation of duties (SoD) issues in an ERP system by restricting user access to conflicting activities within the application. SoD is a central issue for enterprises to ensure compliance with laws and regulations, and to reduce the risk of fraud and unauthorized transactions3. SoD requires that no single individual or group of individuals should have control over two or more parts of a process or an asset3. For example, a user who can create and approve purchase orders should not be able to process payments or modify vendor records.
By using a role-based model, user access provisioning is based on the needs of a group (e.g., accounting department) based on common responsibilities and needs1. This means each role has a given set of permissions, and individuals can be assigned to one or more roles. For example, you may designate a user as an accounts payable clerk, an accounts receivable clerk, or a financial manager, and limit access to specific resources or
tasks. The user-role and role-permissions relationships make it easy to perform role assignment because individual users no longer have unique access rights, rather they have privileges that conform to the permissions assigned to their specific role or job function1. The other options are not the best way to prevent the misconfiguration from recurring. Monitoring access rights on a regular basis (option A) is a detective control that can help identify SoD issues after they occur, but it does not prevent them from happening in the first place. Referencing a standard user-access matrix (option B) is a tool that can help document and analyze user access rights, but it does not ensure that the user access rights are configured correctly or consistently. Correcting the segregation of duties conflicts (option D) is a corrective action that can resolve SoD issues once they are detected, but it does not prevent them from happening again.
References: 3: Implementing Segregation of Duties: A Practical Experience Based on Best Practices 1: What is Role-Based Access Control (RBAC)? Examples, Benefits, and More 2: What is Azure role-based access control (Azure RBAC)?

- (Topic 3)
Which of the following would provide an IS auditor with the GREATEST assurance that data disposal controls support business strategic objectives?

1. A. Media recycling policy
2. B. Media sanitization policy
3. C. Media labeling policy
4. D. Media shredding policy

Correct Answer: B
Data disposal controls are the measures that ensure that data are securely and permanently erased or destroyed when they are no longer needed or authorized to be retained. Data disposal controls support business strategic objectives by reducing the risk of data breaches, complying with data privacy regulations, optimizing the use of storage resources, and enhancing the reputation and trust of the organization1.
A media sanitization policy is a document that defines the roles, responsibilities, procedures, and standards for sanitizing different types of media that contain sensitive or confidential data. Media sanitization is the process of removing or modifying data on a media device to make it unreadable or unrecoverable by any means. Media sanitization can be achieved by various methods, such as overwriting, degaussing, encryption, or physical destruction2.
A media sanitization policy would provide an IS auditor with the greatest assurance that data disposal controls support business strategic objectives because it demonstrates that the organization has a clear and consistent approach to protect its data from unauthorized access or disclosure throughout the data life cycle. A media sanitization policy also helps the organization to comply with various data privacy regulations, such as the EU General Data Protection Regulation (GDPR), the US Health Insurance Portability and Accountability Act (HIPAA), or the Payment Card Industry Data Security Standard (PCI DSS), that require proper disposal of personal or sensitive data3.
The other options are not as effective as a media sanitization policy in providing assurance that data disposal controls support business strategic objectives. A media recycling policy is a document that defines the criteria and procedures for reusing media devices that have been sanitized or erased. A media recycling policy can help the organization to save costs and reduce environmental impact, but it does not address how the data are disposed of in the first place4. A media labeling policy is a document that defines the rules and standards for labeling media devices that contain sensitive or confidential data. A media labeling policy can help the organization to identify and classify its data assets, but it does not specify how the data are sanitized or destroyed when they are no longer needed. A media shredding policy is a document that defines the methods and procedures for physically destroying media devices that contain sensitive or confidential data. A media shredding policy can be a part of a media sanitization policy, but it is not sufficient to cover all types of media devices or data disposal scenarios.
References:
✑ ISACA, CISA Review Manual, 27th Edition, 2019
✑ ISACA, CISA Review Questions, Answers & Explanations Database - 12 Month Subscription
✑ Secure Data Disposal and Destruction: 6 Methods to Follow1
✑ Why (and How to) Dispose of Digital Data2
✑ What is Data Disposition? The Complete Guide3
✑ Data Disposition: What is it and why should it be part of your data retention policy?

- (Topic 4)
Which of the following is MOST important for the successful establishment of a security vulnerability management program?

1. A. A robust tabletop exercise plan
2. B. A comprehensive asset inventory
3. C. A tested incident response plan
4. D. An approved patching policy

Correct Answer: B
A comprehensive asset inventory is the most important factor for the successful establishment of a security vulnerability management program. A security vulnerability management program is a systematic process of identifying, assessing, prioritizing, and remediating vulnerabilities in the organization’s IT environment1. A comprehensive asset inventory is a complete and accurate record of all the hardware, software, and network components that the organization owns or uses2. A comprehensive asset inventory helps the organization to:
✑ Know what assets are in scope for vulnerability scanning and assessment3.
✑ Identify the vulnerabilities that affect each asset and their severity level4.
✑ Prioritize the remediation of vulnerabilities based on the criticality and value of each asset.
✑ Track the status and progress of vulnerability remediation for each asset.
✑ Measure the effectiveness and maturity of the vulnerability management program. A robust tabletop exercise plan is a simulated scenario that tests the organization’s preparedness and response capabilities for a potential cyberattack or incident. A tabletop exercise plan is useful for validating and improving the organization’s incident response plan, but it is not essential for establishing a security vulnerability management program. A tested incident response plan is a documented process that defines the roles,
responsibilities, and actions of the organization’s personnel in the event of a cyberattack or incident. A tested incident response plan is important for minimizing the impact and restoring normal operations after a security breach, but it is not critical for establishing a security vulnerability management program.
An approved patching policy is a set of rules and guidelines that governs how the organization applies patches and updates to its IT systems and applications. An approved patching policy is a key component of the remediation phase of the vulnerability management program, but it is not sufficient for establishing a security vulnerability management program.