- (Topic 3)
An IS auditor is reviewing processes for importing market price data from external data providers. Which of the following findings should the auditor consider MOST critical?

1. A. The quality of the data is not monitored.
2. B. Imported data is not disposed frequently.
3. C. The transfer protocol is not encrypted.
4. D. The transfer protocol does not require authentication.

Correct Answer: A
The most critical finding that the IS auditor should consider when reviewing processes for importing market price data from external data providers is that the quality of the data is not monitored. This is because market price data is essential for financial transactions, risk management, valuation and reporting, and any errors or inaccuracies in the data can have significant impact on the organization’s performance, reputation and compliance. The IS auditor should ensure that the organization has established quality criteria and controls for the imported data, such as validity, completeness, timeliness, consistency and accuracy, and that the data is regularly checked and verified against these criteria. The other findings are also important, but not as critical as data quality. References: CISA Review Manual (Digital Version)1, Chapter 5, Section 5.2.7

- (Topic 4)
During a pre-deployment assessment, what is the BEST indication that a business case will lead to the achievement of business objectives?

1. A. The business case reflects stakeholder requirements.
2. B. The business case is based on a proven methodology.
3. C. The business case passed a quality review by an independent party.
4. D. The business case identifies specific plans for cost allocation.

Correct Answer: A
During a pre-deployment assessment, the best indication that a business case will lead to the achievement of business objectives is that the business case reflects stakeholder requirements. A business case is a document that explains the rationale, benefits, costs, and risks of a proposed project or initiative. A business case should align with the strategic goals and vision of the organization and address the needs and expectations of the stakeholders who are involved in or affected by the project12. Stakeholder requirements are the conditions or capabilities that stakeholders expect from a project or its outcomes. Stakeholders can include customers, users, employees, managers, suppliers, regulators, and others who have an interest or stake in the project. Stakeholder requirements should be identified, analyzed, prioritized, validated, and documented throughout the project lifecycle34.
The business case should reflect stakeholder requirements because they provide the basis for defining the project scope, objectives, deliverables, quality standards, success criteria, and benefits realization. By reflecting stakeholder requirements, the business case can demonstrate how the project will add value to the organization and its stakeholders, justify the investment and resources required for the project, and facilitate the decision-making and approval process for the project5 .
Therefore, during a pre-deployment assessment, an IS auditor should look for evidence that the business case reflects stakeholder requirements as the best indication that the business case will lead to the achievement of business objectives.
References:
✑ How to Write a Business Case (Template Included) - ProjectManager
✑ How to Write a Business Case | Smartsheet
✑ What are Stakeholder Requirements? | PM Study Circle
✑ Stakeholder Requirements - Project Management Knowledge
✑ Business Case vs Business Requirements - Difference Between
✑ [Business Case Development - Project Management Docs]

- (Topic 2)
Which of the following is the MOST important reason to classify a disaster recovery plan (DRP) as confidential?

1. A. Ensure compliance with the data classification policy.
2. B. Protect the plan from unauthorized alteration.
3. C. Comply with business continuity best practice.
4. D. Reduce the risk of data leakage that could lead to an attack.

Correct Answer: D
The most important reason to classify a disaster recovery plan (DRP) as confidential is to reduce the risk of data leakage that could lead to an attack. A DRP contains sensitive information about the organization’s IT infrastructure, systems, processes, and procedures for recovering from a disaster. If this information falls into the wrong hands, it could be exploited by malicious actors to launch targeted attacks, sabotage recovery efforts, or extort ransom. Therefore, a DRP should be protected from unauthorized access, disclosure, modification, or destruction.
The other options are not as important as reducing the risk of data leakage that could lead to an attack:
✑ Ensuring compliance with the data classification policy is a good practice, but it is not a sufficient reason to classify a DRP as confidential. The data classification policy should reflect the level of risk and impact associated with each type of data, and a DRP should be classified as confidential based on its potential harm if compromised.
✑ Protecting the plan from unauthorized alteration is a valid concern, but it is not a primary reason to classify a DRP as confidential. A DRP should be protected from unauthorized alteration by implementing access controls, audit trails, version control, and change management processes. Classifying a DRP as confidential may deter some unauthorized alterations, but it does not prevent them.
✑ Complying with business continuity best practice is a desirable goal, but it is not a compelling reason to classify a DRP as confidential. Business continuity best practice may recommend classifying a DRP as confidential, but it does not mandate it. The decision to classify a DRP as confidential should be based on a risk assessment and a cost-benefit analysis.

- (Topic 4)
Demonstrated support from which of the following roles in an organization has the MOST influence over information security governance?

1. A. Chief information security officer (CISO)
2. B. Information security steering committee
3. C. Board of directors
4. D. Chief information officer (CIO)

Correct Answer: C
Information security governance is the subset of enterprise governance that provides strategic direction, ensures that objectives are achieved, manages risk appropriately, uses organizational resources responsibly, and monitors the success or failure of the enterprise security program. Information security governance is essential for ensuring that an organization’s information assets are protected from internal and external threats, and that the organization complies with relevant laws and standards.
Demonstrated support from which of the following roles in an organization has the most influence over information security governance? The answer is C, the board of directors. The board of directors is the highest governing body of an organization, responsible for overseeing its strategic direction, performance, and accountability. The board of directors sets the tone at the top for information security governance by:
✑ Establishing a clear vision, mission, and values for information security
✑ Approving and reviewing information security policies and standards
✑ Allocating sufficient resources and budget for information security
✑ Appointing and empowering a chief information security officer (CISO) or equivalent role
✑ Holding management accountable for information security performance and compliance
✑ Communicating and promoting information security awareness and culture The board of directors has the most influence over information security governance because it has the ultimate authority and responsibility for ensuring that information security is aligned with the organization’s business objectives, risks, and stakeholder expectations.
References:
✑ 10: What is Information Security Governance? — RiskOptics - Reciprocity
✑ 11: Information Security Governance and Risk Management | Moss Adams
✑ 12: ISO/IEC 27014:2020 - Information security, cybersecurity and privacy …

- (Topic 4)
Which of the following is an IS auditor's BEST recommendation to protect an organization from attacks when its file server needs to be accessible to external users?

1. A. Enforce a secure tunnel connection.
2. B. Enhance internal firewalls.
3. C. Set up a demilitarized zone (DMZ).
4. D. Implement a secure protocol.

Correct Answer: C
A demilitarized zone (DMZ) is a network segment that is separated from the internal network and the external network, such as the internet, by firewalls or other security devices. A DMZ provides an extra layer of security for the organization’s internal network by isolating the servers and services that need to be accessible to external users, such as a file server, from the rest of the network. A DMZ also prevents external users from accessing the internal network directly, as they have to go through two firewalls to reach it. Therefore, setting up a DMZ is an IS auditor’s best recommendation to protect an organization from attacks when its file server needs to be accessible to external users12. The other possible options are:
✑ Enforce a secure tunnel connection: This means that the organization requires external users to establish a secure and encrypted connection, such as a virtual private network (VPN), to access its file server. This can provide some level of security and privacy for the data transmission, but it does not protect the file server or the internal network from attacks if the connection is compromised or if the external users are malicious. Therefore, enforcing a secure tunnel connection is not an IS auditor’s best recommendation to protect an organization from attacks when its file server needs to be accessible to external users3.
✑ Enhance internal firewalls: This means that the organization improves the security and performance of its internal firewalls, which are devices that filter and control the network traffic between different segments of the network. This can provide some level of protection for the internal network from unauthorized or malicious access, but it does not protect the file server or the external network from attacks if the file server is exposed to the internet or if the external network is compromised. Therefore, enhancing internal firewalls is not an IS auditor’s best recommendation to protect an organization from attacks when its file server needs to be accessible to external users4.
✑ Implement a secure protocol: This means that the organization uses a secure and standardized protocol, such as Secure File Transfer Protocol (SFTP) or Secure Shell (SSH), to transfer files between its file server and external users. This can provide some level of security and integrity for the data transmission, but it does not protect the file server or the internal network from attacks if the protocol is exploited or if the external users are malicious. Therefore, implementing a secure protocol is not an IS auditor’s best recommendation to protect an organization from attacks when its file server needs to be accessible to external
users5. References: 1: What Is a DMZ Network and Why Would You Use It? |
Fortinet 2: Demilitarised zone (DMZ) | Cyber.gov.au 3: What Is VPN Tunneling? |
Fortinet 4: Firewall - Wikipedia 5: Secure Shell - Wikipedia