CISA Exam Dumps - Certified Information Systems Auditor

The best reason to implement a data retention policy is to limit the liability associated with storing and protecting information. A data retention policy is a business’ established protocol for maintaining information, typically defining what data needs to be retained, the format in which it should be kept, how long it should be stored for, whether it should eventually be archived or deleted, who has the authority to dispose of it, and what procedure to follow in the event of a policy violation1. A data retention policy can help an organization to:

Comply with legal and regulatory requirements that mandate the retention and disposal of certain types of data, such as financial records, health records, or personal data

Reduce the risk of data breaches, theft, loss, or corruption by minimizing the amount of data stored and ensuring proper security measures are in place

Save costs and resources by optimizing the use of storage space and reducing the need for backup and recovery operations

Enhance operational efficiency and performance by eliminating unnecessary or outdated data and improving data quality and accessibility

Support business continuity and disaster recovery plans by ensuring critical data is available and recoverable in case of an emergency

Facilitate audit trails and investigations by providing evidence of data authenticity, integrity, and provenance

Therefore, by implementing a data retention policy, an organization can limit its liability associated with storing and protecting information, as well as improve its data governance and management practices.

The executive management concern that could be addressed by the implementation of a security metrics dashboard is the effectiveness of the security program. A security metrics dashboard is a tool that provides a visual representation of key performance indicators (KPIs) and key risk indicators (KRIs) related to the organization’s information security objectives and activities. A security metrics dashboard can help executive management monitor and evaluate the performance and value delivery of the security program, identify strengths and weaknesses, assess compliance with policies and standards, and support decision making and improvement initiatives. Security incidents vs. industry benchmarks, total number of hours budgeted to security, and total number of false positives are not executive management concerns that could be addressed by the implementation of a security metrics dashboard. These are more operational or technical aspects of information security that could be measured and reported by other means, such as incident reports, budget reports, or log analysis. References: [ISACA CISA Review Manual 27th Edition], page 302

Evidence collection is the process of identifying, acquiring, preserving, and documenting digital evidence from various sources, such as computers, networks, mobile devices, or cloud services, that can be used to support the investigation and prosecution of cybercrimes. Evidence collection is an IS auditor’s primary focus when evaluating the response process for cybercrimes, because it determines the quality and validity of the evidence that can be used to prove or disprove the facts of the case, identify the perpetrators, and recover the losses. Evidence collection should follow the standards and best practices for digital forensics, such as ISO/IEC 270371, which provide guidelines for ensuring the integrity, authenticity, reliability, and admissibility of the evidence2.

The other possible options are:

A. Communication with law enforcement: This is the process of reporting, cooperating, and coordinating with law enforcement agencies that have the jurisdiction and authority to investigate and prosecute cybercrimes. Communication with law enforcement is an important aspect of the response process for cybercrimes, but it is not an IS auditor’s primary focus when evaluating it. Communication with law enforcement depends on the legal and regulatory requirements, the nature and severity of the incident, and the organizational policies and procedures. Communication with law enforcement should be done after evidence collection, to avoid compromising or contaminating the evidence3.

B. Notification to regulators: This is the process of informing and updating the relevant regulatory bodies or authorities that oversee or supervise the organization’s activities or industry sector about the cybercrime incident. Notification to regulators is an important aspect of the response process for cybercrimes, but it is not an IS auditor’s primary focus when evaluating it. Notification to regulators depends on the legal and regulatory requirements, the nature and impact of the incident, and the organizational policies and procedures. Notification to regulators should be doneafter evidence collection, to avoid disclosing sensitiveor confidential information4.

C. Root cause analysis: This is the process of identifying and analyzing the underlying factors or causes that led to or contributed to the cybercrime incident. Root cause analysis is an important aspect of the response process for cybercrimes, but it is not an IS auditor’s primary focus when evaluating it. Root cause analysis helps to prevent or mitigate future incidents, improve security controls and processes, and learn from mistakes. Root cause analysis should be done after evidence collection, to avoid interfering with or affecting theinvestigation5.

The scanning will not degrade system performance. This is the most important consideration when establishing vulnerability scanning on critical IT infrastructure, because any degradation of system performance could affect the availability, reliability, and functionality of the IT services that depend on the infrastructure. Scanning during non-peak hours (A) could reduce the impact of scanning on system performance, but it does not guarantee that the scanning will not cause any degradation. Scanning followed by penetration testing (B) could provide more in-depth information about the vulnerabilities and their exploitability, but it does not address the potential impact of scanning on system performance. Scanning cost-effectiveness © is a relevant factor for choosing a scanning service or tool, but it is not as important as ensuring that the scanning will not compromise the system performance.

In cloud environments, responsibility for controls is split between the provider and the customer. The division depends on the service model (IaaS, PaaS, SaaS). Misunderstanding the shared responsibility model can create gaps in control coverage, where critical risks may not be managed by either party. SLA penalties (A) are contractual issues, not audit priorities. Availability reports (B) and business process redesign (D) are relevant but not as fundamental as defining control ownership. ISACA’s cloud audit guidelines stress that proper scoping begins with understanding shared responsibilities to avoid assurance gaps.

References (ISACA): ISACA Cloud Computing Audit Program; ISACA Journal – Shared Responsibility in Cloud.

To reduce false positive alerts, it is essential to carefully configure a limited set of rules tailored to the organization ' s specific data loss prevention needs. This ensures that the DLP tool accurately identifies true positives and reduces the occurrence of false alarms.

References

ISACA CISA Review Manual 27th Edition, Page 304-305 (DLP Tool Configuration)

A comprehensive asset inventory is the most important factor for the successful establishment of a security vulnerability management program. A security vulnerability management program is a systematic process of identifying, assessing, prioritizing, and remediating vulnerabilities in the organization’s IT environment1. A comprehensive asset inventory is a complete and accurate record of all the hardware, software, and network components that the organization owns or uses2. A comprehensive asset inventory helps the organization to:

Know what assets are in scope for vulnerability scanning and assessment3.

Identify the vulnerabilities that affect each asset and their severity level4.

Prioritize the remediation of vulnerabilities based on the criticality and value of each asset.

Track the status and progress of vulnerability remediation for each asset.

Measure the effectiveness and maturity of the vulnerability management program.

A robust tabletop exercise plan is a simulated scenario that tests the organization’s preparedness and response capabilities for a potential cyberattack or incident. A tabletop exercise plan is useful for validating and improving the organization’s incident response plan, but it is not essential for establishing a security vulnerability management program.

A tested incident response plan is a documented process that defines the roles, responsibilities, and actions of the organization’s personnel in the event of a cyberattack or incident. A tested incident response plan is important for minimizing the impact and restoring normal operations after a security breach, but it is not critical for establishing a security vulnerability management program.

An approved patching policy is a set of rules and guidelines that governs how the organization applies patches and updates to its IT systems and applications. An approved patching policy is a key component of the remediation phase of the vulnerability management program, but it is not sufficient for establishing a security vulnerability management program.