Isaca CISA Dumps

The contract does not contain a right-to-audit clause.

An operational level agreement (OLA) was not negotiated.

Several vendor deliverables missed the commitment date.

Software escrow was not negotiated.

Process and resource inefficiencies

Irregularities and illegal acts

Noncompliance with organizational policies

Misalignment with business objectives

Unit testing

Pilot testing

System testing

Integration testing

Level of stakeholder satisfaction with the scope of planned IT projects

Percentage of enterprise risk assessments that include IT-related risk

Percentage of stat satisfied with their IT-related roles

Frequency of business process capability maturity assessments

The security weakness facilitating the attack was not identified.

The attack was not automatically blocked by the intrusion detection system (IDS).

The attack could not be traced back to the originating person.

Appropriate response documentation was not maintained.

Establishing a well-designed framework for network servirces.

Finding performance metrics that can be measured properly

Ensuring that network components are not modified by the client

Reducing the number of entry points into the network

There are documented compensating controls over the business processes.

The risk acceptances were previously reviewed and approved by appropriate senior management

The business environment has not significantly changed since the risk acceptances were approved.

The risk acceptances with issues reflect a small percentage of the total population

Project segments are established.

The work is separated into phases.

The work is separated into sprints.

Project milestones are created.

Limiting access to the data files based on frequency of use

Obtaining formal agreement by users to comply with the data classification policy

Applying access controls determined by the data owner

Using scripted access control lists to prevent unauthorized access to the server

Inability of the network intrusion detection system (IDS) to monitor virtual server-lo-server communications

Vulnerability in the virtualization platform affecting multiple hosts

Data center environmental controls not aligning with new configuration

System documentation not being updated to reflect changes in the environment

Inform potentially affected customers of the security breach

Notify business management of the security breach.

Research the validity of the alerted breach

Engage a third party to independently evaluate the alerted breach.

Required approvals at each life cycle step

Date and time stamping of source and object code

Access controls for source libraries

Release-to-release comparison of source code

Restricting evidence access to professionally certified forensic investigators

Documenting evidence handling by personnel throughout the forensic investigation

Performing investigative procedures on the original hard drives rather than images of the hard drives

Engaging an independent third party to perform the forensic investigation

Review the documentation of recant changes to implement sequential order numbering.

Inquire with management if the system has been configured and tested to generate sequential order numbers.

Inspect the system settings and transaction logs to determine if sequential order numbers are generated.

Examine a sample of system generated purchase orders obtained from management

The quality of the data is not monitored.

Imported data is not disposed frequently.

The transfer protocol is not encrypted.

The transfer protocol does not require authentication.

Explain the impact to disaster recovery.

Explain the impact to resource requirements.

Explain the impact to incident management.

Explain the impact to backup scheduling.

Monitor and restrict vendor activities

Issues an access card to the vendor.

Conceal data devices and information labels

Restrict use of portable and wireless devices.

Analyze a new application that moots the current re

Perform an analysis to determine the business risk

Bring the escrow version up to date.

Develop a maintenance plan to support the application using the existing code

Approved test scripts and results prior to implementation

Written procedures defining processes and controls

Approved project scope document

A review of tabletop exercise results

each information asset is to a assigned to a different classification.

the security criteria are clearly documented for each classification

Senior IT managers are identified as information owner.

the information owner is required to approve access to the asset

Ensure sufficient audit resources are allocated,

Communicate audit results organization-wide.

Ensure ownership is assigned.

Test corrective actions upon completion.

Notify law enforcement of the finding.

Require the third party to notify customers.

The audit report with a significant finding.

Notify audit management of the finding.

Leverage the work performed by external audit for the internal audit testing.

Ensure both the internal and external auditors perform the work simultaneously.

Request that the external audit team leverage the internal audit work.

Roll forward the general controls audit to the subsequent audit year.

Media recycling policy

Media sanitization policy

Media labeling policy

Media shredding policy

Server room access history

Emergency change records

IT security incidents

Penetration test results

Service level agreement (SLA)

Hardware change management policy

Vendor memo indicating problem correction

An up-to-date RACI chart

System flowchart

Data flow diagram

Process flowchart

Entity-relationship diagram

Ensuring unauthorized individuals do not tamper with evidence after it has been captured

Ensuring evidence is sufficient to support audit conclusions

Ensuring appropriate statistical sampling methods were used

Ensuring evidence is labeled to show it was obtained from an approved source

Future compatibility of the application.

Proposed functionality of the application.

Controls incorporated into the system specifications.

Development methodology employed.

Limiting the size of file attachments being sent via email

Automatically deleting emails older than one year

Moving emails to a virtual email vault after 30 days

Allowing employees to store large emails on flash drives

is more effective at suppressing flames.

allows more time to abort release of the suppressant.

has a decreased risk of leakage.

disperses dry chemical suppressants exclusively.

Frequent testing of backups

Annual walk-through testing

Periodic risk assessment

Full operational test

Data conversion was performed using manual processes.

Backups of the old system and data are not available online.

Unauthorized data modifications occurred during conversion.

The change management process was not formally documented

Consulted

Informed

Responsible

Accountable

Annual sign-off of acceptable use policy

Regular monitoring of user access logs

Security awareness training

Formalized disciplinary action

establish criteria for reviewing alerts.

recruit more monitoring personnel.

reduce the firewall rules.

fine tune the intrusion detection system (IDS).

Identifying relevant roles for an enterprise IT governance framework

Making decisions regarding risk response and monitoring of residual risk

Verifying that legal, regulatory, and contractual requirements are being met

Providing independent and objective feedback to facilitate improvement of IT processes

application test cases.

acceptance testing.

cost-benefit analysis.

project plans.

Inherent risk is eliminated.

Residual risk is minimized.

Control risk is minimized.

Overall risk is quantified.

The system does not have a maintenance plan.

The system contains several minor defects.

The system deployment was delayed by three weeks.

The system was over budget by 15%.

Inability to close unused ports on critical servers

Inability to identify unused licenses within the organization

Inability to deploy updated security patches

Inability to determine the cost of deployed software

Program documentation

Access control tables

Data flow diagrams

Field naming conventions

Require employees to attend security awareness training.

Password protect critical data files.

Configure to auto-wipe after multiple failed access attempts.

Enable device auto-lock function.

Real-time audit software

Performance data

Quality assurance (QA) reviews

Participative management techniques

Update of security information event management (SIEM) rules

Regular review of the network security policy

Completeness of network asset inventory

Location of intrusion detection systems (IDS)

the Internet.

the demilitarized zone (DMZ).

the organization's web server.

the organization's network.

Determining the scope of the assessment

Performing detailed test procedures

Evaluating changes to the risk environment

Understanding the business process

allocation of resources during an emergency.

frequency of system testing.

differences in IS policies and procedures.

maintenance of hardware and software compatibility.

Invoking the disaster recovery plan (DRP)

Backing up data frequently

Paying the ransom

Requiring password changes for administrative accounts

The process does not require specifying the physical locations of assets.

Process ownership has not been established.

The process does not include asset review.

Identification of asset value is not included in the process.

To determine whether project objectives in the business case have been achieved

To ensure key stakeholder sign-off has been obtained

To align project objectives with business needs

To document lessons learned to improve future project delivery

Compliance with action plans resulting from recent audits

Compliance with local laws and regulations

Compliance with industry standards and best practice

Compliance with the organization's policies and procedures

assessing and quantifying risk.

negotiating contracts with disaster planning consultants.

identifying application control requirements.

obtaining replacement supplies.

Implement data loss prevention (DLP) software

Review perimeter firewall logs

Provide ongoing information security awareness training

Establish behavioral analytics monitoring

provide test consistency.

provide more flexibility.

replace all manual test processes.

reduce the time to review code.

Insufficient processes to track ownership of each EUC application?

Insufficient processes to lest for version control

Lack of awareness training for EUC users

Lack of defined criteria for EUC applications

computer room closest to the uninterruptible power supply (UPS) module

computer room closest to the server computers

system administrators office

booth used by the building security personnel

Target architecture is defined at a technical level.

The previous year's IT strategic goals were not achieved.

Strategic IT goals are derived solely from the latest market trends.

Financial estimates of new initiatives are disclosed within the document.

A lessons-learned session was never conducted.

The projects 10% budget overrun was not reported to senior management.

Measurable benefits were not defined.

Monthly dashboards did not always contain deliverables.

The information security policy has not been approved by the chief audit executive (CAE).

The information security policy does not include mobile device provisions

The information security policy is not frequently reviewed

The information security policy has not been approved by the policy owner

Readily available resources such as domains and risk and control methodologies

Comprehensive coverage of fundamental and critical risk and control areas for IT governance

Fewer resources expended on trial-and-error attempts to fine-tune implementation methodologies

Wide acceptance by different business and support units with IT governance objectives

Average time between incidents

Incident alert meantime

Number of incidents reported

Incident resolution meantime

Deviation detection

Cluster sampling

Random sampling

Classification

Data storage costs

Data classification

Vendor cloud certification

Service level agreements (SLAs)

Detective control

Preventive control

Corrective control

Administrative control

Report the variance immediately to the audit committee

Request an explanation of the variance from the auditee

Increase the sample size to 100% of the population

Exclude the transaction from the sample population

Analyzing the root cause of the outage to ensure the incident will not reoccur

Restoring the system to operational state as quickly as possible

Ensuring all resolution steps are fully documented prior to returning the

system to service

Rolling back the unsuccessful change to the previous state

Parallel changeover

Modular changeover

Phased operation

Pilot operation

Analyzing how the configuration changes are performed

Analyzing log files

Reviewing the rule base

Performing penetration testing

Monitoring tools are configured to alert in case of downtime

A comprehensive security review is performed every quarter.

Data for different tenants is segregated by database schema

Tenants are required to implement data classification polices

Proficiency

Due professional care

Sufficient evidence

Reporting

stakeholder expectations were identified

vendor product offered a viable solution.

user requirements were met.

test scenarios reflected operating activities.

To prevent confidential data loss

To comply with legal and regulatory requirements

To identify data at rest and data in transit for encryption

To provide options to individuals regarding use of their data

IT value analysis

Prior audit reports

IT balanced scorecard

Vulnerability assessment report

To ensure the conclusions are adequately supported

To ensure adequate sampling methods were used during fieldwork

To ensure the work is properly documented and filed

To ensure the work is conducted according to industry standards

After a full processing cycle

Immediately after deployment

After the warranty period

Prior to the annual performance review

Key performance indicator (KPI) monitoring

Change management

Configuration management

Quality assurance (QA)

Establishing a risk appetite

Establishing a risk management framework

Validating enterprise risk management (ERM)

Operating the risk management framework

Backup media are not reviewed before disposal.

Degaussing is used instead of physical shredding.

Backup media are disposed before the end of the retention period

Hardware is not destroyed by a certified vendor.

Security cameras deployed outside main entrance

Antistatic mats deployed at the computer room entrance

Muddy footprints directly inside the emergency exit

Fencing around facility is two meters high

Perform substantive testing of terminated users' access rights.

Perform a review of terminated users' account activity

Communicate risks to the application owner.

Conclude that IT general controls ate ineffective.

Ensure that the facts presented in the report are correct

Communicate the recommendations lo senior management

Specify implementation dates for the recommendations.

Request input in determining corrective action.

To improve key availability metrics

To reduce costs associates with backups

To increase backup resiliency and redundancy

To minimize the backup time and resources

has adequate security.

logs ail database records.

Is accessible online

does not impact operational efficiency

forecast technology trends

establish the capacity of network communication links

identify the extent to which components need to be upgraded

determine business transaction volumes.

IT strategies are communicated to all Business stakeholders

Organizational strategies are communicated to the chief information officer (CIO).

Business stakeholders are Involved In approving the IT strategy.

The chief information officer (CIO) is involved In approving the organizational strategies

Guest operating systems are updated monthly

The hypervisor is updated quarterly.

A variety of guest operating systems operate on one virtual server

Antivirus software has been implemented on the guest operating system only.

Securing information assets in accordance with the classification assigned

Validating that assets are protected according to assigned classification

Ensuring classification levels align with regulatory guidelines

Defining classification levels for information assets within the organization

A training program is in place to promote information security awareness.

A framework is in place to measure risks and track effectiveness.

Information security policies and procedures are established.

The program meets regulatory and compliance requirements.

Information security program plans

Penetration test results

Risk assessment results

Industry benchmarks

Use automatic document classification based on content.

Have IT security staff conduct targeted training for data owners.

Publish the data classification policy on the corporate web portal.

Conduct awareness presentations and seminars for information classification policies.

System event correlation report

Database log

Change log

Security incident and event management (SIEM) report

be approved by management.

be measurable in percentages.

be changed frequently to reflect organizational strategy.

have a target value.

Findings from prior audits

Results of a risk assessment

An inventory of personal devices to be connected to the corporate network

Policies including BYOD acceptable user statements

document the exception in an audit report.

review security incident reports.

identify compensating controls.

notify the audit committee.

Verifying that access privileges have been reviewed

investigating access rights for expiration dates

Updating the continuity plan for critical resources

Updating the security policy

File layouts

Data architecture

System/process flowchart

Source code documentation

Data migration is not part of the contracted activities.

The replacement is occurring near year-end reporting

The user department will manage access rights.

Testing was performed by the third-party consultant

risk management review

control self-assessment (CSA).

service level agreement (SLA).

balanced scorecard.

Expected deliverables meeting project deadlines

Sign-off from the IT team

Ongoing participation by relevant stakeholders

Quality assurance (OA) review

The policy includes a strong risk-based approach.

The retention period allows for review during the year-end audit.

The retention period complies with data owner responsibilities.

The total transaction amount has no impact on financial reporting

Ensure compliance with the data classification policy.

Protect the plan from unauthorized alteration.

Comply with business continuity best practice.

Reduce the risk of data leakage that could lead to an attack.

Terminated staff

Unauthorized access

Deleted log data

Hacktivists