CISA-CN Exam Question 46
Which of the following would be of GREATEST concern to an IS auditor evaluating the design of an organization's incident management process?
Correct Answer: D
The design of an incident management process should include prioritization criteria to ensure that incidents are handled according to their impact and urgency. Without prioritization criteria, the organization may not be able to allocate resources effectively and respond to incidents in a timely manner. Expected time to resolve incidents, service management standards, and metrics reporting are important aspects of incident management, but they are not as critical as prioritization criteria for the design of the process. References: ISACA Journal Article: Incident Management: A Practical Approach
CISA-CN Exam Question 47
Which of the following is MOST effective for detecting the presence of an unauthorized wireless access point on an internal network?
Correct Answer: A
The most effective method for detecting the presence of an unauthorized wireless access point on an internal network is A. Continuous network monitoring. This is because continuous network monitoring can capture and analyze all the wireless traffic in the network and identify any rogue or spoofed devices that may be connected to the network without authorization. Continuous network monitoring can also alert the system administrator of any suspicious or anomalous activities on the network and help to locate and remove the unauthorized wireless access point quickly.
Periodic network vulnerability assessments (B) can also help to detect unauthorized wireless access points, but they are not as effective as continuous network monitoring, because they are performed at fixed intervals and may miss some devices that are added or removed between the assessments. Review of electronic access logs can provide some information about the devices that access the network, but they may not be able to detect devices that use fake or stolen credentials or devices that do not generate any logs. Physical security reviews (D) can help to prevent unauthorized physical access to the network ports or devices, but they may not be able to detect wireless access points that are hidden or disguised as legitimate devices.
CISA-CN Exam Question 48
What is the PRIMARY reason an IS auditor would recommend replacing universal PIN codes with an RFID access card system at a data center?
Correct Answer: A
The primary reason an IS auditor would recommend replacing universal PIN codes with an RFID access card system at a data center is to improve traceability (A). Traceability is the ability to track and monitor the activities and movements of individuals or objects within a system or environment. Traceability is important for ensuring security, accountability, and compliance in a data center, where sensitive and critical data are stored and processed.
An RFID access card system can improve traceability by using RFID technology to verify and record the identity and access of each user who enters or exits the data center. RFID stands for Radio Frequency Identification, and it enables wireless communication between a reader and an RFID tag. An RFID tag is installed in a door key card or fob, which users use to gain access to the data center. An RFID reader is installed near the door, and it contains an antenna that receives data transmitted by the RFID tag. A control panel is a computer server that reads and interprets the data passed along by the RFID reader. A database is a storage system that stores the data collected by the control panel [1].
An RFID access card system can provide several benefits for traceability, such as [1][2][3]:
It can uniquely identify each user and their access level, and prevent unauthorized access or impersonation.
It can record the date, time, and duration of each user's access, and generate logs and reports for auditing purposes.
It can monitor the location and status of each user within the data center, and alert security personnel in case of any anomalies or emergencies.
It can integrate with other security systems, such as cameras, alarms, or biometrics, to enhance verification and protection.
A universal PIN code system, on the other hand, can compromise traceability by using a single or shared personal identification number (PIN) to grant access to multiple users. A universal PIN code system can pose several risks for traceability, such as [4]:
It can be easily guessed, stolen, shared, or compromised by malicious actors or insiders.
It cannot distinguish between different users or their access levels, and allows unauthorized or excessive access.
It cannot record or track the activities or movements of each user within the data center, and creates gaps or errors in the audit trail.
It cannot integrate with other security systems, and provides limited verification and protection.
Therefore, an IS auditor would recommend replacing universal PIN codes with an RFID access card system at a data center to improve traceability.
References:
[1] RFID Access Control Guide: 4 Best RFID Access Control Systems - ButterflyMX
[2] Choosing Card Technology in 2023 | ICT
[3] RFID Vs Magnetic Key Cards: What's The Difference? - Go Safer Security
[4] RFID vs Barcode - Advantages, Disadvantages & Differences
CISA-CN Exam Question 49
Which of the following can be provided ONLY by asymmetric encryption?
Correct Answer: D
The only thing that can be provided by asymmetric encryption is nonrepudiation. Nonrepudiation is the ability to prove that a message or transaction was originated or authorized by a specific party. Asymmetric encryption uses a pair of keys: a public key and a private key. The public key can be shared with anyone, while the private key is kept secret by the owner. If a message is encrypted with the sender's private key, only the sender's public key can decrypt it. This proves that the message was sent by the sender and not by anyone else. This is called a digital signature, and it provides nonrepudiation. Asymmetric encryption can also provide information privacy by encrypting a message with the receiver's public key, so that only the receiver's private key can decrypt it. However, information privacy can also be provided by symmetric encryption, which uses a single key to encrypt and decrypt messages. References:
* CISA Review Manual (Digital Version), Chapter 5, Section 5.21
* CISA Online Review Course, Domain 3, Module 2, Lesson 12
CISA-CN Exam Question 50
An IS auditor finds that periodic reviews of the read-only users of a reporting system are not performed.
Which of the following should be the IS auditor's NEXT course of action?
Correct Answer: B
The IS auditor's next course of action should be to report this control process weakness to senior management, as it may indicate a lack of oversight and accountability for the reporting system. Read-only users may have access to sensitive or confidential information that should be restricted or monitored. Periodic reviews of read-only users are a good practice to ensure that the access rights are still valid and appropriate for the users' roles and responsibilities. Reporting this weakness to senior management will also allow them to take corrective actions or implement compensating controls if needed.
Option A is incorrect because reviewing the list of end users and evaluating for authorization is not the IS auditor's responsibility, but rather the system owner's or administrator's. The IS auditor should only verify that such reviews are performed and documented by the responsible parties.
Option C is incorrect because verifying management's approval for this exemption is not sufficient to address the control process weakness. Even if there is a valid reason for not performing periodic reviews of read-only users, the IS auditor should still report this as a potential risk and recommend mitigating controls.
Option D is incorrect because obtaining a verbal confirmation from IT for this exemption is not adequate evidence or documentation. The IS auditor should obtain written approval from management and verify that it is aligned with the organization's policies and standards.
References:
CISA Review Manual (Digital Version), Chapter 1: The Process of Auditing Information Systems, Section 1.4: Audit Evidence, p. 31-32.
CISA Review Manual (Print Version), Chapter 1: The Process of Auditing Information Systems, Section 1.4: Audit Evidence, p. 31-32.
CISA Online Review Course, Module 1: The Process of Auditing Information Systems, Lesson 4: Audit Evidence, slides 9-10.
CISA Questions, Answers & Explanations Database, Question ID: QAE_CISA_710.