An IS auditor wants to verify alignment of the organization's business continuity plan (BCP) with the business strategy. Which of the following would be MOST helpful to review?
Correct Answer: B
Comprehensive and Detailed Step-by-Step Explanation: To ensure that the BCP aligns with business strategy, a Business Impact Analysis (BIA) is the most valuable resource.
* Option A (Incorrect): DRP testing results show how well systems recover, but they do not establish strategic alignment with business priorities.
* Option B (Correct): A BIA identifies critical processes, financial impact, and business priorities, ensuring that the BCP is aligned with strategic goals.
* Option C (Incorrect): The corporate risk management policy is broader and does not focus on business continuity priorities.
* Option D (Incorrect): KPIs measure performance, but they do not define business continuity needs.
Reference: ISACA CISA Review Manual - Domain 4: Information Systems Operations and Business Resilience - Covers BCP, BIA, and business continuity alignment.
CISA Exam Question 592
Which type of review is MOST important to conduct when an IS auditor is informed that a recent internal exploitation of a bug has been discovered in a business application?
Correct Answer: C
The most important review to conduct when an IS auditor is informed that a recent internal exploitation of a bug has been discovered in a business application is C, a forensic audit. A forensic audit involves collecting, analyzing, and preserving evidence of fraud, corruption, or other illegal or unethical activities. It helps the IS auditor identify and document the source, scope, and impact of the exploitation, as well as the perpetrators, motives, and methods involved, while preserving the evidence so that it remains usable in any subsequent proceedings. A forensic audit also supports recommendations for preventing or mitigating future exploitation and any legal actions or investigations that may arise from the incident.
CISA Exam Question 593
A new regulation in one country of a global organization has recently prohibited cross-border transfer of personal data. An IS auditor has been asked to determine the organization's level of exposure in the affected country. Which of the following would be MOST helpful in making this assessment?
Correct Answer: D
Identifying the business processes that exchange personal data with the affected jurisdiction is the most helpful activity for assessing the organization's level of exposure in the affected country. The IS auditor should first understand which business operations and functions rely on or involve cross-border transfer of personal data, because that determines the scope of the exposure and the potential impact of the new regulation on business continuity and compliance. The other options may provide additional information or context for the assessment, but they are not its primary focus. References: * CISA Review Manual (Digital Version), Chapter 7, Section 7.4.21 * CISA Review Questions, Answers & Explanations Database, Question ID 221
CISA Exam Question 594
Which of the following methods BEST enforces data leakage prevention in a multi-tenant cloud environment?
Correct Answer: D
Data leakage prevention (DLP) is the process of preventing unauthorized access, disclosure, or transfer of sensitive data. In a multi-tenant cloud environment, where multiple customers share the same infrastructure and resources, DLP is a critical challenge. One of the best methods to enforce DLP in such an environment is to require tenants to implement data classification policies. Data classification policies define the types and sensitivity levels of data and the corresponding security controls and measures to protect them. DLP controls can only act on data they can recognize as sensitive, so classification is the prerequisite that makes the other controls effective. By implementing data classification policies, tenants can ensure that their data is properly labeled, encrypted, segregated, and monitored according to their specific requirements and compliance standards. This helps prevent data leakage from accidental or malicious actions by other tenants, cloud service providers, or external parties. References: * How Do I Secure my Data in a Multi-Tenant Cloud Environment? | Thales * Protecting Sensitive Customer Data in a Cloud-Based Multi-Tenant Environment | Saturn Cloud * Microsoft 365 isolation controls - Microsoft Service Assurance
CISA Exam Question 595
Which of the following should be of GREATEST concern to an IS auditor performing a review of information security controls?
Correct Answer: D
The auditor should be most concerned about the information security policy not being approved by the policy owner. This is because the policy owner is the person who has the authority and accountability for ensuring that the policy is implemented and enforced. Without the policy owner's approval, the policy may not reflect the organization's objectives, risks, and compliance requirements. The policy owner is usually a senior executive or a board member who has a stake in the information security governance. The other options are less critical than the policy owner's approval, although they may also indicate some weaknesses in the policy development and maintenance process. References: * CISA Review Manual (Digital Version), Chapter 1, Section 1.21 * CISA Online Review Course, Domain 5, Module 1, Lesson 12