CISA Exam Dumps - Certified Information Systems Auditor

The first step when creating a data classification program is to develop a policy (D). A data classification policy is a document that defines the purpose, scope, objectives, roles, responsibilities, and procedures of the data classification program. A data classification policy is essential for establishing the governance framework, standards, and guidelines for the data classification process. A data classification policy also helps to communicate the expectations and benefits of the data classification program to the stakeholders, such as data owners, users, custodians, and auditors12.

Categorizing and prioritizing data (A) is not the first step when creating a data classification program, but the third step. Categorizing and prioritizing data involves defining and applying the criteria and labels for classifying data based on its sensitivity, value, and risk. For example, data can be categorized into public, internal, confidential, or restricted levels. Categorizing and prioritizing data helps to identify and protect the most critical and sensitive data assets of the organization12.

Developing data process maps (B) is not the first step when creating a data classification program, but the fourth step. Developing data process maps involves documenting and analyzing the flow and lifecycle of data within the organization. Data process maps show how data is created, collected, stored, processed, transmitted, used, shared, archived, and disposed of. Developing data process maps helps to understand the context and dependencies of data, as well as to identify and mitigate any potential risks or issues related to data quality, security, or compliance12.

Categorizing information by owner © is not the first step when creating a data classification program, but the second step. Categorizing information by owner involves assigning roles and responsibilities for each type of data based on its ownership and stewardship. Data owners are the individuals or entities that have the authority and accountability for the data. Data stewards are the individuals or entities that have the operational responsibility for managing and maintaining the data. Data custodians are the individuals or entities that have the technical responsibility for implementing and enforcing the security and access controls for the data12.

Controls related to authorized modifications to production programs are best tested by tracing modifications from the original request for change forward to the executable program, as this ensures that the change management process was followed and that the modifications were approved, documented, tested, and implemented correctly. Tracing modifications from the executable program back to the original request for change may not reveal any unauthorized or undocumented changes that occurred during the process. Testing only the authorizations to implement the new program or reviewing only the actual lines of source code changed in the program are not sufficient to test the controls related to authorized modifications, as they do not cover the entire change management process. References: CISA Review Manual (Digital Version), Chapter 4: Information Systems Operations, Maintenance and Service Management, Section 4.2: Change Management

The most critical factor for the success of an information security program is management’s commitment to information security. Management’s commitment to information security means that the senior management supports, sponsors, funds, monitors and enforces the information security program within the organization. Management’s commitment to information security also demonstrates leadership, sets the tone and culture, and establishes the strategic direction and objectives for information security. User accountability for information security, alignment of information security with IT objectives, and integration of business and information security are also important factors for the success of an information security program, but they are not as critical as management’s commitment to information security, as they depend on or derive from it. References: Info Technology and Systems Resources | COBIT, Risk, Governance … - ISACA, IT Governance and Process Maturity

The programmer having access to the production programs is a control weakness that would have contributed most to the problem of unauthorized changes to key fields in a payroll system report. This is because it violates the principle of segregation of duties, which requires that different individuals or groups perform different functions related to system development, testing, implementation, and operation. Allowing programmers to access production programs increases the risk of errors, fraud, or malicious actions that may compromise the integrity, availability, or confidentiality of the system or its data. The other options are not as significant as having access to production programs, as they relate to other aspects of system development or maintenance, such as user involvement in testing (which affects user satisfaction and acceptance), user requirements documentation (which affects system functionalityand quality), and payroll files control (which affects data security and accuracy). References: CISA Review Manual (Digital Version), Domain 3: Information Systems Acquisition, Development and Implementation, Section 3.2 Project Management Practices

An audit universe is a comprehensive list of all the auditable entities, processes, and activities within an organization. It helps the IS auditor to identify the scope, objectives, and priorities of the audit plan, as well as the resources and methodologies required to conduct the audits. An audit universe can also help the IS auditor to ensure that all the key risks, controls, and regulations are covered by the audit plan, and that there are no gaps or overlaps in the audit coverage.

The first activity that the IS auditor should perform when preparing a plan for audits to be carried out over a specified period is to determine the audit universe. This involves defining the criteria and methods for identifying and categorizing the auditable units, such as by business function, process, system, location, or risk level. The IS auditor should also consult with the management and otherstakeholders to obtain their input and expectations for the audit plan. The IS auditor should then document and validate the audit universe, and update it regularly to reflect any changes in the organization’s structure, operations, or environment.

The other three activities are also important for preparing an audit plan, but they should be performed after determining the audit universe. Allocating audit resources involves assigning staff, time, budget, and tools to each audit based on their complexity, priority, and availability. Prioritizing risks involves assessing the likelihood and impact of each risk associated with each auditable unit, and ranking them according to their significance and urgency. Reviewing prior audit reports involves analyzing the findings, recommendations, and actions from previous audits related to each auditable unit, and evaluating their current status and relevance.

Therefore, determining the audit universe is the best answer.

The best audit evidence that a firewall is configured in compliance with the organization’s security policy is to review the rule base. The rule base is a set of rules that defines the criteria for allowing or denying network traffic through the firewall. By reviewing the rule base, the auditor can verify if the firewall configuration matches the security policy requirements and objectives. Analyzing how the configuration changes are performed, analyzing log files, and performing penetration testingare useful audit techniques, but they do not provide direct evidence of the firewall configuration compliance. References: CISA Review Manual (Digital Version)1, page 383.

Comprehensive and Detailed in-Depth Explanation:

A passive attack involves monitoring or listening without altering data or system operations. Eavesdropping is a classic example, where attackers intercept data without affecting the transmission.

Keystroke logging (Option A) and phishing (Option D) are active attacks. Piggybacking (Option B) involves unauthorized access and is also active.

ISACA CISA Reference: Domain 5 - Protection of Information Assets