A new system is being developed by a vendor for a consumer service organization. The vendor will provide its proprietary software once system development is completed. Which of the following is the MOST important requirement to include in the vendor contract to ensure continuity?
Correct Answer: C
Source code for the software must be placed in escrow is the most important requirement to include in the vendor contract to ensure continuity. Source code is the original code of a software program that can be modified or enhanced by programmers. Placing source code in escrow means depositing it with a trusted third party who releases it to the customer under defined conditions, such as vendor bankruptcy, breach of contract, or failure to provide support. This helps ensure continuity of the software product and its maintenance if the vendor becomes unavailable or a dispute arises. The other options are less important requirements to include in the vendor contract, as they involve support availability, a disaster recovery plan, or staff training. References: * CISA Review Manual (Digital Version), Chapter 5, Section 5.51 * CISA Review Questions, Answers & Explanations Database, Question ID 228
CISA Exam Question 627
If a source code is not recompiled when program changes are implemented, which of the following is a compensating control to ensure synchronization of source and object?
Correct Answer: C
Source code synchronization is the process of ensuring that the source code and the object code (the compiled version of the source code) are consistent and up to date. When program changes are implemented, the source code should be recompiled to generate new object code that reflects the changes. If the source code is not recompiled, there is a risk that the object code is outdated or incorrect. A compensating control is a measure that reduces the risk arising from an existing control weakness or deficiency. A compensating control for source code synchronization is to compare the date stamps of the source and object code. A date stamp records the date and time when a file was created or last modified. By comparing the date stamps of the source and object code, one can verify whether they are synchronized. If the date stamp of the source code is newer than that of the object code, the source code has been changed but not recompiled. If the date stamp of the object code is newer than that of the source code, the object code has been compiled from a different source code. If the date stamps of both files are identical, they are synchronized.
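The date-stamp comparison described above, written out as a small audit script. This is an added example, not part of the CISA material: the function names, the `.cbl`/`.obj` naming convention, and the timestamps are all constructed for illustration, and it goes one step beyond the explanation by also reporting an object file that is missing altogether (the program has never been compiled in that library).

```python
"""Compensating control for source/object synchronization: compare date stamps.

Added example, not from the CISA material. Each source/object pair is
classified by modification time so an auditor can list programs whose source
was changed but never recompiled. File names and timestamps are constructed.
"""
import os
import tempfile
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass
class SyncFinding:
    source: str
    object_file: str
    status: str  # "synchronized", "source_newer", "object_newer", "object_missing"


def classify(source_mtime: float, object_mtime: Optional[float]) -> str:
    """Interpret the two date stamps as the explanation above does.

    - object missing: nothing to compare; the program was never compiled here
    - source newer than object: changed but not recompiled (the main risk)
    - object newer than source: object was built from some version other than
      this file's last edit; this is also the normal state right after a build,
      so an auditor verifies it rather than treating it as a failure
    - identical stamps: treated as synchronized
    """
    if object_mtime is None:
        return "object_missing"
    if source_mtime > object_mtime:
        return "source_newer"
    if source_mtime < object_mtime:
        return "object_newer"
    return "synchronized"


def audit_pairs(pairs: Iterable[Tuple[str, str]]) -> List[SyncFinding]:
    """Read the date stamps from disk for each (source_path, object_path) pair."""
    findings = []
    for src, obj in pairs:
        src_mtime = os.stat(src).st_mtime
        obj_mtime = os.stat(obj).st_mtime if os.path.exists(obj) else None
        findings.append(SyncFinding(src, obj, classify(src_mtime, obj_mtime)))
    return findings


def exceptions(findings: List[SyncFinding]) -> List[SyncFinding]:
    """Keep only the pairs an auditor has to follow up on."""
    return [f for f in findings if f.status != "synchronized"]


def demo() -> dict:
    """Build a constructed program library with controlled date stamps and audit it."""
    base = 1_700_000_000  # constructed epoch reference point
    with tempfile.TemporaryDirectory() as d:
        cases = {
            "payroll": (base, base),          # identical stamps: synchronized
            "billing": (base + 3600, base),   # edited after the last compile
            "reports": (base, base + 3600),   # object newer than source
            "ledger": (base, None),           # never compiled in this library
        }
        pairs = []
        for name, (s_time, o_time) in cases.items():
            src = os.path.join(d, f"{name}.cbl")
            obj = os.path.join(d, f"{name}.obj")
            open(src, "w").close()
            os.utime(src, (s_time, s_time))
            if o_time is not None:
                open(obj, "w").close()
                os.utime(obj, (o_time, o_time))
            pairs.append((src, obj))
        findings = audit_pairs(pairs)
        return {os.path.basename(f.source): f.status for f in findings}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:12} {status}")
```

Run against a real program library, `exceptions(audit_pairs(pairs))` is the list worth putting in the audit working papers; the `object_newer` entries are then checked against the change records to confirm which source version the object was actually built from.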
CISA Exam Question 628
Which of the following should be identified FIRST during the risk assessment process?
Correct Answer: C
The risk assessment process involves identifying the information assets that are at risk, analyzing the threats and vulnerabilities that could affect them, evaluating the impact and likelihood of a risk event, and determining the appropriate controls to mitigate the risk. The first step is to identify the information assets, as they are the objects of protection and the basis for the rest of the process. Without knowing what assets are at risk, it is not possible to assess their value, exposure, or protection level. References: ISACA Frameworks: Blueprints for Success
CISA Exam Question 629
Which of the following would BEST help to ensure that an incident receives attention from appropriate personnel in a timely manner?
Correct Answer: D
Implementing incident escalation procedures is the best way to ensure that an incident receives attention from appropriate personnel in a timely manner, because it defines the roles and responsibilities, communication channels, and escalation criteria for handling different types of incidents [3][4]. Incident escalation procedures help to prioritize and coordinate the response efforts and ensure that the incident is resolved by the most qualified and authorized personnel. Completing the incident management log, broadcasting an emergency message, and requiring a dedicated incident response team are not sufficient to ensure that an incident receives attention from appropriate personnel in a timely manner, because they do not specify how to escalate the incident based on its severity, impact, or complexity. References: 3: CISA Review Manual (Digital Version), Chapter 6, Section 6.3.2 4: CISA Online Review Course, Module 6, Lesson 3
CISA Exam Question 630
Which of the following is MOST important to review during the project initiation phase of developing and deploying a new application?
Correct Answer: A
User requirements are the foundation of any successful application. Properly defining what the application needs to do and how it should serve users is critical before moving into design or development. References: Project Management Methodologies (Agile, Waterfall, etc.): All major methodologies emphasize the criticality of understanding user requirements during the initial project phases. Software Development Lifecycle (SDLC): Requirements gathering is a cornerstone of the initiation phase within the SDLC. ISACA Resources: While not explicitly tied to a CISA document, ISACA's emphasis on governance and aligning IT with business objectives reinforces the importance of starting with clear user requirements.