CISA Exam Dumps - Certified Information Systems Auditor

The auditor’s best course of action is to document the finding and explain the risk of having administrator accounts with inappropriate security settings. This is because the auditor’s role is to identify and report the issues, not to fix them or request others to fix them. The auditor should also communicate the impact of the finding, such as the possibility of unauthorized access, data tampering, or denial of service attacks. The auditor should not assume the responsibility of the IT manager or the DBA, who are in charge of changing the security parameters or disabling the accounts. References:

CISA Review Manual (Digital Version), Chapter 4, Section 4.2.21

CISA Online Review Course, Domain 1, Module 3, Lesson 32

The best way to detect unauthorized copies of licensed software on systems is to conduct periodic software scanning. Software scanning is a process of using specialized tools or programs to scan the systems and identify the software installed, the license status, the usage, and the compliance with the software policies and agreements. Software scanning can help to detect any unauthorized, unlicensed, or illegal copies of software on the systems, as well as any discrepancies or violations of the software licenses. Software scanning can also help to optimize the software inventory, reduce the software costs, and improve the security and performance of the systems12.

Some examples of software scanning tools are:

Microsoft Software Inventory Analyzer (MSIA): A free tool that scans Windows-based computers and servers and generates reports on the Microsoft products installed, such as operating systems, applications, and updates3.

Belarc Advisor: A free tool that scans Windows-based computers and generates reports onthe hardware and software installed, including license keys, versions, usage, and security status4.

Lansweeper: A paid tool that scans Windows, Linux, Mac, and other network devices and generates reports on the hardware and software inventory, license compliance, configuration, and vulnerabilities5.

To conduct periodic software scanning, you need to:

Choose a suitable software scanning tool that meets your needs and budget.

Define the scope and frequency of the software scanning, such as which systems to scan, how often to scan, and what information to collect.

Configure and run the software scanning tool according to the instructions and settings.

Review and analyze the software scanning reports and identify any unauthorized copies of licensed software on the systems.

Take appropriate actions to remove or regularize the unauthorized copies of licensed software on the systems.

Document and report the results and findings of the software scanning.

Quantum algorithms, such as Shor’s algorithm, can factor large prime numbers exponentially faster than classical computers, threatening the security of RSA and elliptic-curve cryptography. Similarly, Grover’s algorithm reduces the effective strength of symmetric key algorithms by half, requiring larger key sizes. While post-quantum cryptography is being developed, current algorithms may become obsolete once practical quantum computers exist. Options B, C, and D are incorrect because quantum does not inherently improve encryption, nor is training the key issue—it is the fundamental breakage of cryptographic assumptions.

References (ISACA): ISACA Journal – Cryptographic Risks and Quantum Computing; CISA Review Manual, Cryptography.

The answer D is correct because the best way for the auditor to confirm the change log is complete is to take the last change from the system and trace it back to the log. A change log is a record of all the changes that have been made to a system, such as software updates, bug fixes, configuration modifications, etc. A change log should contain information such as the date and time of the change, the description and purpose of the change, the person or service who made the change, and the approval status of the change. A complete change log helps to ensure that the system is secure, reliable, and compliant with the relevant standards and regulations.

An IS auditor evaluating the change management process must select a sample from the change log to verify that the changes are properly authorized, documented, tested, and implemented. However, before selecting a sample, the auditor must ensure that the change log is complete and accurate, meaning that it contains all the changes that have been made to the system and that there are no missing, duplicated, or falsified entries. To do this, the auditor can use a technique called backward tracing, which involves taking the last change from the system and tracing it back to the log. This way, the auditor can check if the change is recorded in the log with all the relevant details and if there are any gaps or inconsistencies in the log. If the last change from the system is not found in the log or does not match with the log entry, it indicates that the change log is incomplete or inaccurate.

The other options are not as good as option D. Interviewing change management personnel about completeness (option A) is not a reliable way to confirm the change log is complete because it relies on subjective opinions and self-reported information, which may not be truthful or accurate. Taking an item from the log and tracing it back to the system (option B) is a technique called forward tracing, which can be used to verify that a specific change in the log has been implemented in the system. However, this technique does not confirm that all changes in the system are recorded in the log. Obtaining management attestation of completeness (option C) is not a sufficient way to confirm the change log is complete because it does not provide any evidence or verification of completeness. Management attestation may also be biased or influenced by conflicts of interest.

Integration testing is the best way to ensure that an application is performing according to its specifications, because it tests the interaction and compatibility of different modules or components of the application. Unit testing, pilot testing and system testing are also important, but they do not cover the whole functionality and integration of the application as well as integration testing does. References: CISA Review Manual (Digital Version)1, Chapter 4, Section 4.2.3

 The first step for the security incident response team after an IS security attack is reported is to perform a damage assessment. This involves identifying the scope, impact and root cause of the incident, as well as collecting and preserving evidence for further analysis and investigation. Reporting results to management, documenting lessons learned and prioritizing resources for corrective action are important steps, but they should be done after the damage assessment is completed. References: CISA Review Manual (DigitalVersion), Chapter 6, Section 6.31

The business impact analysis (BIA) is a critical component of an organization ' s business continuity planning (BCP) process. The most concerning issue is when system criticality information is provided only by the IT manager (Option B). This presents a risk of bias or incomplete analysis, as business units must also provide input to ensure a comprehensive assessment.

ISACA CISA Reference: According to ISACA’s BCP and DRP guidelines, BIA should involve input from multiple business functions, including finance, operations, and risk management, rather than relying solely on IT.

Risk Implication: Without broader business input, the criticality of systems may be misclassified, leading to incorrect recovery priorities and potential business disruption.

Alternative Choices:

Option A: While a risk assessment is important, a BIA can still be completed without it and later validated.

Option C: The use of questionnaires is a valid method if responses are verified.

Option D: Lack of executive sign-off is concerning but does not directly impact the accuracy of system criticality assessment.