CISA Exam Dumps - Certified Information Systems Auditor

Prior to a follow-up engagement, if an IS auditor learns that management has decided to accept a level of residual risk related to an audit finding without remediation, the IS auditor should report the issue to IS audit management. This is because IS audit management is responsible for ensuring that audit findings are properly communicated and resolved. Accepting management’s decision and continuing the follow-up would not address the IS auditor’s concern. Reporting the disagreement to the board or executive management would be premature and inappropriate without consulting IS audit management first. References: CISA Review Manual (Digital Version), Chapter 1, Section 1.6

The best recommendation to prevent unauthorized access to a highly sensitive data center by piggybacking or tailgating is to use an airlock entrance. An airlock entrance is a type of access control system that consists of two doors that are interlocked, so that only one door can be opened at a time. This prevents an unauthorized person from following an authorized person into the data center without being detected. An airlock entrance can also be integrated with other security measures, such as biometrics, card readers, or PIN pads, to verify the identity and authorization of each person entering the data center.

Biometrics (option A) is a method of verifying the identity of a person based on their physical or behavioral characteristics, such as fingerprints, iris scans, or voice recognition. Biometrics can provide a high level of security, but they are not sufficient to prevent piggybacking or tailgating, as an unauthorized person can still follow an authorized person who has been authenticated by the biometric system.

Procedures for escorting visitors (option B) is a policy that requires all visitors to the data center to be accompanied by an authorized employee at all times. This can help prevent unauthorized access by visitors, but it does not address the risk of piggybacking or tailgating by other employees or contractors who may have legitimate access to the building but not to the data center.

Intruder alarms (option D) are devices that detect and alert when an unauthorized person enters a restricted area. Intruder alarms can provide a deterrent and a response mechanism for unauthorized access, but they are not effective in preventing piggybacking or tailgating, as they rely on the detection of the intruder after they have already entered the data center.

Enterprise Architecture (EA) documentation primarily includes strategic and operational blueprints outlining the evolution of IT infrastructure to align with business goals. Roadmaps showing the evolution from current state to future state (C) are essential for understanding how the organization’s IT environment will change over time to support business strategy.

Other options:

Contact information for key resources (A) is more of an operational or administrative document rather than an EA component.

Detailed encryption standards (B) would typically be found in security policies or system-specific documentation rather than in EA documentation.

Protocols used to communicate between systems (D) are typically documented within network or system architecture diagrams rather than high-level EA documentation.

The first step in ensuring secure configuration of new IT assets is to establish the baseline configuration requirements those assets must meet. ISACA guidance supports the use of documented security configuration standards, secure baselines, and hardening requirements before deployment. Without predefined hardening standards, vulnerability scanning or remediation lacks a clear benchmark for what “secure” should look like.

Option B is correct because defining and implementing hardening standards establishes the secure baseline for systems, operating systems, applications, and devices. ISACA material notes that resources should adhere to a minimum-security baseline composed of standard security configurations, and secure configurations should be documented and maintained. This makes hardening standards the logical and control-oriented first step.

Option A is not first. Identifying and remediating vulnerabilities is important, but this activity should follow the establishment of hardening standards. Otherwise, there is no approved baseline against which to assess and remediate deviations. In CISA logic, standards come before testing against standards.

Option C is also not first for the same reason. Vulnerability scanning is an assessment technique, but organizations must first define the secure configuration baseline or hardening standard to know what they expect from the asset. Scanning should validate configuration and identify weaknesses after standards have been established.

Option D is clearly incorrect because purchasing tools is not the starting point of good control design. Tools may support implementation and verification, but governance requires that standards be defined first. In ISACA terms, sound control begins with policy, standards, and procedures, not with tool acquisition.

Therefore, the best answer is B because secure configuration starts with defining and applying hardening standards, which then enable scanning, validation, and remediation activities.

References (Official ISACA):

ISACA-linked guidance, A Look at CIS Controls Version 7.1 — “Establish Secure Configurations” and maintain documented security configuration standards.

ISACA, Best Practices for Auditable Security Controls — all resources should adhere to a minimum-security baseline of standard security configurations.

ISACA, Can Hardening Reduce Cyberrisk? — highlights hardening systems and infrastructure to reduce risk.

ISACA, Digital Businesses Need Tailored Security Solutions and Services — refers to minimum baseline hardening standards and guidelines.

 The IS auditor’s first action after discovering an option in a database that allows the administrator to directly modify any table should be to determine whether the audit trail is secured and reviewed. This is because direct modification of database tables can pose a significant risk to data integrity, security, and accountability. An audit trail is a record of all changes made to database tables, including who made them, when they were made, and what was changed. An audit trail can help to detect unauthorized or erroneous changes, provide evidence for investigations or audits, and support data recovery or restoration. The IS auditor should assess whether the audit trail is protected from tampering or deletion, and whether it is regularly reviewed for anomalies or exceptions.

Outsourcing the development of an e-banking solution when in-house technical expertise is not available can significantly reduce start-up costs. This is because the organization can avoid the expenses associated with hiring and training a full-time development team, purchasing necessary hardware and software, and maintaining the system1. While outsourcing can also potentially reduce the risk of system downtime, increase the ability to adapt the system, and provide direct oversight of risks, these benefits are not as immediate or guaranteed as the cost savings123.