CISA Exam Dumps - Certified Information Systems Auditor

Full disk encryption (FDE) is a means of protecting information by encrypting all of thedata on a disk, including temporary files, programs, and system files1. FDE is best suited for addressing the risk scenario of physical theft of media on which information is stored, as it prevents unauthorized access to the data even if the device is lost or stolen2. FDE does not prevent data leakage as a result of employees leaving to work for competitors, as they may still have access to the data while using the device or copy the data to another device before leaving. FDE does not prevent noncompliance fines related to storage of regulated information, as it does not ensure that the data is stored in accordance with the applicable laws and regulations. FDE does not prevent unauthorized logical access to information through an application interface, as it does not control the access rights and permissions of users and applications. *References: According to the ISACA IT Audit and Assurance Standards, Guidelines and Tools and Techniques for IS Audit and Assurance Professionals, section 2402 Planning, “The IS audit and assurance professional should identify and assess risk relevant to the area under review.” 3 Oneof the risk factors to consider is “the sensitivity of information processed, stored or transmitted by the system” 3. FDE is one of the possible controls to mitigate the risk of unauthorized disclosure of sensitive information due to physical theft of media.

The most effective method for detecting the presence of an unauthorized wireless access point on an internal network is A. Continuous network monitoring. This is because continuous network monitoring can capture and analyze all the wireless traffic in the network and identify any rogue or spoofed devices that may be connected to the network without authorization. Continuous network monitoring can also alert the system administrator of any suspicious or anomalous activities on the network and help to locate and remove the unauthorized wireless access point quickly.

Periodic network vulnerability assessments (B) can also help to detect unauthorized wireless access points, but they are not as effective as continuous network monitoring, because they are performed at fixed intervals and may miss some devices that are added or removed between the assessments. Review of electronic access logs © can provide some information about the devices that access the network, but they may not be able to detect devices that use fake or stolen credentials or devices that do not generate any logs. Physical security reviews (D) can help to prevent unauthorized physical access to the network ports or devices, but they may not be able to detect wireless access points that are hidden or disguised as legitimate devices.

Substantive testing is the most important type of testing during software license audits, as it provides evidence of the accuracy and completeness of the software inventory and licensing records. Substantive testing involves examiningtransactions, balances, and other data to verify their validity, existence, accuracy, and valuation. Compliance testing, on the other hand, is more focused on assessing the adequacy and effectiveness of internal controls over software licensing, such as policies, procedures,and monitoring mechanisms. Compliance testing alone cannot provide sufficient assurance that the software license audit objectives are met, as itdoes notverify the actual software usage and compliance status. Judgmental sampling and stop-or-go sampling are methods of selecting samples for testing, not types of testing themselves. *References: According to the ISACA IT Audit and Assurance Standards, Guidelines and Tools and Techniques for IS Audit and Assurance Professionals, section 1206 Testing, “The IS audit and assurance professional should perform sufficient testing to obtain sufficient appropriate evidence to support conclusions reached.” 1 The section also defines substantive testing as “testing performed to obtain audit evidence to detect material misstatements in transactions orbalances” and compliance testing as “testing performed to obtain audit evidence on theoperating effectiveness of controls.” 1 According to the ISACA IT Audit and Assurance Guideline G15 Software License Management, “The objective of a software license auditis to provide management with an independent assessment relating to compliance with software license agreements.” 2 The guideline also states that “substantive tests should be performed on a sample basis to verify that all software installed on devices within scope has been appropriately licensed.” 2

The primary benefit of using a dry-pipe fire-suppression system rather than a wet-pipe system is that a dry-pipe system has a decreased risk of leakage, as the pipes are filled with pressurized air or nitrogen instead of water until the system is activated. A wet-pipe system has a higher risk of leakage, corrosion, and freezing. A dry-pipe system is not more effective at suppressing flames, as it uses the same water-based suppressant as a wet-pipe system. A dry-pipe system does not allow more time to abort release of the suppressant, as it has a delay of only a few seconds before the water is released. A dry-pipe system does not disperse dry chemical suppressants exclusively, as it uses water as the primary suppressant. References: CISA Review Manual (Digital Version), Chapter 5, Section 5.2.3

The data retention policy for a global organization with regional offices in multiple countries should align with local laws and regulations, as they may vary significantly from one country to another and may impose different requirements and penalties for non-compliance. The policy should also consider the corporate policies and practices, the global best practices, and the business goals and objectives, but these are secondary to the legal compliance. References: CISA Review Manual (Digital Version), Chapter 5: Protection of InformationAssets, Section 5.3: Data Classification and Protection

Reviewing and evaluating application test cases is the most effective use of an IS auditor’s time during the evaluation of controls over a major application development project. Application test cases are designed to verify that the application meets the functional and non-functional requirements and specifications. They also help to identify and correct any errors, defects, or vulnerabilities in the application before it is deployed. By reviewing and evaluating the test cases, the IS auditor can assess the quality, reliability, security, and performance of the application and provide recommendations for improvement. 

A compliance gap analysis is a detailed review of an organization’s current state of compliance against a specific regulation or standard. It helps identify the areas and controls that are not meeting the requirements, assess their risk levels, and determine the corrective actions that can be taken to achieve compliance12. A compliance gap analysis is the most useful tool for an IS auditor to review when auditing against a new regulation, as it provides a clear and comprehensive picture of the compliance status, gaps, and remediation plan of the organization.

References

1: Information Security Architecture: Gap Assessment and Prioritization - ISACA

2: How to perform Compliance Gap Analysis? - Sprinto

Involving the application owner early in the audit planning process is the best way to contribute to the quality of an audit of a business-critical application. The application owner has a deep understanding of the application and its business context, which can provide valuable insights for the audit. Early involvement can also help ensure that the audit is aligned with the business objectives and risks, and that any potential issues are identified and addressed promptly12.