Encryption is the process of transforming information into an unreadable form using a secret key, so that only authorized parties can access it. Encryption would protect the confidentiality of information sent in email messages, as it would prevent unauthorized parties from intercepting and reading the messages. Secure Hash Algorithm 1 (SHA-1) is a cryptographic hash function that produces a fixed-length output from an input.
SHA-1 does not encrypt information, but rather verifies its integrity by detecting any changes or modifications. Digital signatures are electronic signatures that use encryption and hash functions to authenticate the identity of the sender and the integrity of the message. Digital signatures do not protect the confidentiality of information, but rather ensure its authenticity and non-repudiation. Digital certificates are electronic documents that contain the public key and identity information of an entity, such as a person, organization or device. Digital certificates are issued by trusted third parties called certificate authorities (CAs). Digital certificates do not protect the confidentiality of information, but rather enable secure communication and encryption by verifying the identity and public key of an entity. References:
* : [Encryption Definition]
* : [Secure Hash Algorithm 1 (SHA-1) Definition]
* : [Digital Signature Definition]
* : [Digital Certificate Definition]

The greatest concern for an IS auditor reviewing contracts for licensed software that executes a critical business process is that software escrow was not negotiated. Software escrow is an arrangement where a third-party holds a copy of the source code and documentation of a licensed software in a secure location. The software escrow agreement specifies the conditions under which the licensee can access the escrowed materials, such as in case of bankruptcy, termination, or breach of contract by the licensor. Software escrow is important for ensuring the continuity and availability of a critical business process that depends on a licensed software. Without software escrow, the licensee may face significant risks and challenges in maintaining, modifying, or recovering the software in case of any disruption or dispute with the licensor. References:
* CISA Review Manual (Digital Version)
* CISA Questions, Answers & Explanations Database

The best approach from a risk management perspective when implementing a large and complex data center IT infrastructure is to use a deployment plan based on sequenced phases, as this will allow the organization to break down the project into manageable and measurable stages, and to monitor and control the progress, quality, and outcomes of each phase12. A phased deployment plan can also help to reduce the risks of errors, failures, or disruptions that could affect the entire infrastructure, and to implement corrective actions or contingency plans as needed34.
References
1: Data Center Project Planning: A Guide to Success2 2: Data Center Project Planning: A Guide to Success4 3: Data Center Migration: A Step-by-Step Guide3 4: Data Center Migration: A Step-by-Step Guide1

The most significant risk from not testing patches before putting them into production is the lack of system integrity. Patches are software updates that fix bugs, vulnerabilities or performance issues in an application system. However, patches may also introduce new errors, conflicts or compatibility issues that could affect the functionality, reliability or security of the system4. By not testing patches before putting them into production, the organization exposes itself to the risk of system failures, data corruption or unauthorized access. Loss of application support, outdated system documentation and developer access to production are also risks from not testing patches, but they are not as significant as the lack of system integrity. References:
* CISA Review Manual, 27th Edition, page 2951
* CISA Review Questions, Answers & Explanations Database - 12 Month Subscription

A nondisclosure agreement (NDA) is the best way to protect an organization's proprietary code during a joint- development activity involving a third party. An NDA is a legal contract that binds the parties involved in a joint-development activity to keep confidential any information, data or materials that are shared or exchanged during the activity. An NDA specifies what constitutes confidential information, how it can be used, disclosed or protected, how long it remains confidential, what are the exceptions and remedies for breach of confidentiality, and other terms and conditions. An NDA can help to protect an organization's proprietary code from being copied, modified, distributed or exploited by unauthorized parties without its consent or knowledge. The other options are not as effective as option B, as they do not address confidentiality issues specifically. A statement of work (SOW) is a document that defines the scope, objectives, deliverables, tasks, roles, responsibilities, timelines and costs of a joint-development activity, but it does not cover confidentiality issues explicitly. A service level agreement (SLA) is a document that defines the quality, performance and availability standards and metrics for a service provided by one party to another party in a joint-development activity, but it does not cover confidentiality issues explicitly. A privacy agreement is a document that defines how personal information collected from customers or users is collected, used, disclosed and protected by one party or both parties in a joint-development activity, but it does not cover confidentiality issues related to proprietary code. References: CISA Review Manual (Digital Version) , Chapter 3: Information Systems Acquisition, Development & Implementation, Section 3.2: Project Management Practices.