Free ISACA CISA Übungsprüfungen - Seite 32 von 55

Question #311

What is the Most critical finding when reviewing an organization’s information security management?

A . No dedicated security officer
B . No official charier for the information security management system
C . No periodic assessments to identify threats and vulnerabilities
D . No employee awareness training and education program

Question #312

Recovery facilities providing a redundant combination of Internet connections to the local communications loop is an example of which type of telecommunications continuity?

A . Voice recovery
B . Alternative routing
C . Long-haul network diversity
D . Last-mile circuit protection

Lösung einblenden Lösung ausblenden

Question #313

During which process is regression testing MOST commonly used?

A . System modification
B . Unit testing
C . Stress testing
D . Program development

Lösung einblenden Lösung ausblenden

Question #314

Which of the following is the MOST important consideration when evaluating the data retention policy for a global organization with regional offices in multiple countries?

A . The policy aligns with corporate policies and practices.
B . The policy aligns with global best practices.
C . The policy aligns with business goals and objectives.
D . The policy aligns with local laws and regulations.

Lösung einblenden Lösung ausblenden

Question #315

Which of the following BEST describes the role of a document owner when implementing a data classification policy in an organization?

A . Classifies documents to correctly reflect the level of sensitivity of information they contain
B . Defines the conditions under which documents containing sensitive information may be transmitted
C . Classifies documents in accordance with industry standards and best practices
D . Ensures documents are handled in accordance With the sensitivity of information they contain

Lösung einblenden Lösung ausblenden

Richtige Antwort: A
A

Explanation:

The role of a document owner when implementing a data classification policy in an organization is to classify documents to correctly reflect the level of sensitivity of information they contain. A document owner is the person who is ultimately responsible for the creation, maintenance, and protection of a document, usually a member of senior management or a business unit1. A data classification policy is a plan that defines how the organization categorizes its data based on its value, risk, and regulatory requirements, and how it handles and secures each data category2.

According to the data classification policy template by Netwrix3, one of the roles and responsibilities of the document owner is to assign data classification labels based on the data’s potential impact level. Data classification labels are tags or markings that indicate the sensitivity level of the data, such as public, internal, confidential, or restricted. The document owner should apply the data classification labels to the documents that contain the data, either manually or automatically, using tools and methods such as metadata, watermarks, headers, footers, or encryption. The document owner should also review and update the data classification labels periodically or whenever there is a change in the data’s sensitivity level.

By classifying documents to correctly reflect the level of sensitivity of information they contain, the document owner can help to ensure that the documents are handled in accordance with the data classification policy. This means that the documents are stored, accessed, shared, transmitted, and disposed of in a secure and appropriate manner, based on the rules and controls defined for each data category. This can also help to prevent data loss, leakage, or breach incidents that may cause harm or damage to the organization or its stakeholders.

Therefore, option A is the correct answer.

References:

Data Classification Policy: Definition, Examples, & Free Template2

Data Classification Policy Template – Netwrix3

Data Classification and Handling Policy – University of Hull1

Question #316

A disaster recovery plan (DRP) should include steps for:

A . assessing and quantifying risk.
B . negotiating contracts with disaster planning consultants.
C . identifying application control requirements.
D . obtaining replacement supplies.

Lösung einblenden Lösung ausblenden

Richtige Antwort: D
D

Explanation:

A disaster recovery plan (DRP) is a set of detailed, documented guidelines that outline a business’ critical assets and explain how the organization will respond to unplanned incidents. Unplanned incidents or disasters typically include cyberattacks, system failures, power outages, natural disasters, equipment failures, or infrastructure damage1. A DRP aims to minimize the impact of a disaster on the business continuity, data integrity, and service delivery of the organization. A DRP also helps the organization recover from a disaster as quickly and efficiently as possible.

A DRP should include steps for obtaining replacement supplies, as this is an essential part of restoring the normal operation of the organization after a disaster. Replacement supplies may include hardware, software, data, network components, office equipment, or other resources that are needed to resume the business functions and processes that were disrupted by the disaster. Obtaining replacement supplies may involve contacting vendors, suppliers, or partners; activating backup or alternative systems; or purchasing or renting new equipment. A DRP should identify the sources, locations, and costs of the replacement supplies, as well as the procedures and responsibilities for acquiring and installing them.

The other three options are not steps that a DRP should include, as they are either part of the pre-disaster planning process or not directly related to the disaster recovery objectives. Assessing and quantifying risk is a step that should be done before creating a DRP, as it helps identify the potential threats and vulnerabilities that could affect the organization and determine the likelihood and impact of each scenario2. Negotiating contracts with disaster planning consultants is also a pre-disaster activity that may help the organization design, implement, test, and maintain a DRP with external expertise and guidance3. Identifying application control requirements is not a step in a DRP, but rather a part of the application development and maintenance process that ensures the quality, security, and reliability of the software applications used by the organization.

Therefore, obtaining replacement supplies is the correct answer.

References:

What is a Disaster Recovery Plan? + Complete Checklist

Risk Assessment – ISACA

Disaster Recovery Planning – ISACA

[Application Controls – ISACA]

Question #317

Management receives information indicating a high level of risk associated with potential flooding near the organization’s data center within the next few years. As a result, a decision has been made to move data center operations to another facility on higher ground.

Which approach has been adopted?

A . Risk avoidance
B . Risk transfer
C . Risk acceptance
D . Risk reduction

Lösung einblenden Lösung ausblenden

Question #318

Which of the following is MOST helpful for evaluating benefits realized by IT projects?

A . Benchmarking IT project management practices with industry peers
B . Evaluating compliance with key security controls
C . Comparing planned versus actual return on investment (ROI)
D . Reviewing system development life cycle (SDLC) processes

Lösung einblenden Lösung ausblenden

Question #319

When developing customer-facing IT applications, in which stage of the system development life cycle (SDLC) is it MOST beneficial to consider data privacy principles?

A . Systems design and architecture
B . Software selection and acquisition
C . User acceptance testing (UAT)
D . Requirements definition

Lösung einblenden Lösung ausblenden

Question #320

Due to system limitations, segregation of duties (SoD) cannot be enforced in an accounts payable system.

Which of the following is the IS auditor’s BEST recommendation for a compensating control?

A . Require written authorization for all payment transactions
B . Restrict payment authorization to senior staff members.
C . Reconcile payment transactions with invoices.
D . Review payment transaction history

Lösung einblenden Lösung ausblenden

Richtige Antwort: A
A

Explanation:

Requiring written authorization for all payment transactions is the IS auditor’s best recommendation for a compensating control in an environment where segregation of duties (SoD) cannot be enforced in an accounts payable system. SoD is a principle that requires different individuals or functions to perform different tasks or roles in a business process, such as initiating, approving, recording and reconciling transactions. SoD reduces the risk of errors, fraud and misuse of resources by preventing any single person or function from having excessive or conflicting authority or responsibility. A compensating control is a control that mitigates or reduces the risk associated with the absence or weakness of another control. Requiring written authorization for all payment transactions is a compensating control that provides an independent verification and approval of each transaction before it is processed by the accounts payable system. This control can help to detect and prevent unauthorized, duplicate or erroneous payments, and to ensure compliance with policies and procedures. The other options are not as effective as option A, as they do not provide an independent verification or approval of payment transactions. Restricting payment authorization to senior staff members is a control that limits the number of people who can authorize payments, but it does not prevent them from initiating or processing payments themselves, which could violate SoD. Reconciling payment transactions with invoices is a control that verifies that the payments match the invoices, but it does not prevent unauthorized, duplicate or erroneous payments from being processed by the accounts payable system. Reviewing payment transaction history is a control that monitors and analyzes the payment transactions after they have been processed by the accounts payable system, but it does not prevent unauthorized, duplicate or erroneous payments from occurring in the first place.

References: CISA Review Manual (Digital Version), Chapter 5: Protection of Information Assets, Section 5.2: Logical Access.