Pass the Isaca Isaca Certification CISA Questions and answers with CertsForce

Comprehensive and Detailed in-Depth Explanation:

During the preliminary phase, the auditor ' s goal is to understand the key areas of the business process to identify potential risks and areas that need deeper examination. This understanding helps in planning the audit effectively.

Identifying weaknesses (Option A) occurs later, while optimization (Option B) and resource understanding (Option D) are not primary objectives at this stage.

ISACA CISA Reference: Domain 1 - Information System Auditing Process

The best way to prevent accepting bad data from a third-party service provider is to implement business rules to reject invalid data. Business rules are logical statements that define the data quality requirements and standards for the organization. By implementing business rules, the organization can ensure that only data that meets the predefined criteria is accepted into the enterprise data warehouse. Obtaining error codes indicating failed data feeds, purchasing data cleansing tools from a reputable vendor, and appointing data quality champions across the organization are useful measures to improve data quality, but they do not prevent accepting bad data in the first place. References: ISACA Journal Article: Data Quality Management

The greatest concern to an IS auditor conducting an audit of an organization that recently experienced a ransomware attack is that backups were only performed within the local network. This means that the backups could have been encrypted or deleted by the ransomware, making it impossible to restore the data and systems without paying the ransom or losing the data. Backups are a critical part of the recovery process from a ransomware attack, and they should be performed frequently, securely, and off-site or in the cloud to ensure their availability and integrity.

The other options are not as concerning as option C, although they may also indicate some security weaknesses. Antivirus software was unable to prevent the attack even though it was properly updated, but this is not surprising given that ransomware variants are constantly evolving and antivirus software may not be able to detect them all. The most recent security patches were not tested prior to implementation, but this is a trade-off between security and availability that may be justified depending on the severity and urgency of the patches. Employees were not trained on cybersecurity policies and procedures, but this is a preventive measure that may not have prevented the attack if it was initiated by other means such as phishing or exploiting vulnerabilities.

Comprehensive and Detailed Explanation:

The most concerning issue in DLP implementations is when tuning has never been completed.

DLP solutions require fine-tuning to properly recognize sensitive data patterns and avoid false positives/false negatives.

If tuning is incomplete, the solution will either block legitimate business processes (too restrictive) or fail to detect actual leaks (too permissive).

Now let’s break down the options:

Option A: Server support limitations may be an issue, but DLP is primarily endpoint-focused here.

Option B: Implementing blocking mode without tuning can cause disruptions, but it is not as bad as never completing tuning.

Option D: Running in monitoring mode is acceptable in early stages of deployment (testing phase).

Therefore, never completing tuning (C) represents a fundamental control weakness and is the greatest concern.

???? ISACA Reference: CISA Review Manual 27th Edition, Domain 5, section on data leakage prevention and monitoring tools.

When an employee is terminated for fraudulent activity, the first priority is to immediately prevent further unauthorized or malicious activity. In ISACA guidance, terminated employees’ access rights should be removed promptly and effective controls must ensure they lose system access at termination. This makes disabling logical access the most immediate and appropriate first step.

Option C is correct because logical access allows the former employee to continue using systems, data, email, applications, or remote connections. If access is not disabled immediately, the organization remains exposed to sabotage, data theft, fraud continuation, or destruction of evidence. ISACA sources explicitly state that terminated employees should lose all access rights and that access restriction should occur immediately after departure.

Option A may be necessary as part of a fraud investigation, but it is not the first step. Reviewing approved transactions is investigative and retrospective; the organization must first contain the risk by cutting off access. In CISA exam logic, immediate risk containment generally comes before investigation.

Option B may also be appropriate from a physical security and HR perspective, especially if there is concern about confrontation or physical removal. However, from an IT audit and information security perspective, the most urgent action is disabling logical access because damage can occur remotely and instantly if access remains active.

Option D can be relevant for preserving evidence, but it still does not come before access removal. Evidence preservation is important, yet the first control priority is to stop ongoing access and prevent further compromise.

Therefore, the best answer is C because immediate revocation of system access is the first and most critical action when terminating an employee for fraudulent activity.

References (Official ISACA):

ISACA Journal, Mitigating IT Risks for Logical Access — effective controls should ensure terminated employees lose all access rights.

ISACA, Secure Management of Former Employee Data: A Practical Approach — “Immediate Access Restriction” as step 1 after employee departure.

ISACA Journal, What Every CISO Must Know About SSH Keys — access should be terminated when no longer needed.

The greatest indicator that the cybersecurity policy may need to be revised is a significant increase in approved exceptions. This implies that the policy is not aligned with the current business needs and risks, and that it may be too restrictive or outdated. The other options are not necessarily indicators of a need for policy revision, as they may be due to other factors such as changes in the externalenvironment, audit scope or methodology. References: CISA Review Manual (Digital Version), Chapter 5, Section 5.21

 Secure code reviews as part of a continuous deployment program are preventive controls. Preventive controls are controls that aim to prevent or avoid undesirable events or outcomes from occurring, such as errors, defects, or incidents. Secure code reviews are activities that examine and evaluate the source code of a software or application to identify and eliminate any vulnerabilities, flaws, or weaknesses that may compromise its security, functionality, or performance. Secure code reviews as part of a continuous deployment program can help prevent or avoid security issues or incidents from occurring by ensuring that the code is secure and compliant before it is deployed to production. The other options are not correct types of controls for secure code reviews as part of a continuous deployment program, as they have different meanings and functions. Detective controls are controls that aim to detect or discover undesirable events or outcomes that have occurred, such as errors, defects, or incidents. Logical controls are controls that use software or hardware mechanisms to regulate or restrict access to IT resources, such as data, systems, or networks. Corrective controls are controls that aim to correct or rectify undesirable events or outcomes that have occurred, such as errors, defects, or incidents. References: CISA Review Manual (Digital Version), Chapter 3, Section 3.2

The IS auditor’s next step after determining that many terminated users’ accounts were not disabled is to perform a review of terminated users’ account activity. This means that the IS auditor should check whether any of the terminated users’ accounts were accessed or used after their termination date, which could indicate unauthorized or fraudulent activity. The IS auditor should also assess the impact and risk of such activity on the confidentiality, integrity, and availability of IT resources and data. The other options are not as appropriate as performing a review of terminated users’ account activity, as they do not provide sufficient evidence or assurance of the extent and effect of the problem. References: CISA Review Manual, 27th Edition, page 240

According to the ISACA’s Information Security Governance Guidance for Boards of Directors and Executive Management, the highest level of maturity of an information security program is Level 5: Optimized, which means that the program is aligned with the business objectives and strategy, and continuously monitors and improves its performance and effectiveness. A framework is in place to measure risks and track effectiveness, and the program is proactive, adaptive, and innovative.

The other options represent lower levels of maturity:

A training program is in place to promote information security awareness. This is Level 2: Repeatable, which means that the program has some basic policies and procedures, and provides awareness training to employees.

Information security policies and procedures are established. This is Level 3: Defined, which means that the program has formalized policies and procedures, and assigns roles and responsibilities for information security.

The program meets regulatory and compliance requirements. This is Level 4: Managed, which means that the program has established metrics and reporting mechanisms, and complies with relevant laws and regulations.

The greatest risk associated with the situation of business units purchasing cloud-based applications without IT support is that the applications may not reasonably protect data. Cloud-based applications are software applications that run on the internet, rather than on a local device or network. Cloud-based applications offer manybenefits, such as scalability, accessibility, and cost-effectiveness, but they also pose many challenges and risks, especially for data security1.

Data security is the process of protecting data from unauthorized access, use, modification, disclosure, or destruction. Data security is essential for ensuring the confidentiality, integrity, and availability of data, as well as complying with legal and regulatory requirements. Data security is especially important for cloud-based applications, as data are stored and processed on remote servers that are owned and managed by third-party cloud service providers (CSPs)2.

When business units purchase cloud-based applications without IT support, they may not be aware of or follow the best practices and standards for data security in the cloud. They may not performadequate risk assessments, vendor evaluations, contract reviews, or audits to ensure that the CSPs and the applications meet the organization’s data security policies and expectations. They may not implement appropriate data encryption, backup, recovery, or disposal methods to protect the data in transit and at rest. They may not monitor or control the access and usage of the data by internal or external users. They may not report or respond to any data breaches or incidents that may occur3.

These actions or inactions may expose the organization’s data to various threats and vulnerabilities in the cloud, such as cyberattacks, human errors, malicious insiders, misconfigurations, or legal disputes. These threats and vulnerabilities may result in data loss, leakage, corruption, or compromise, which may have serious consequences for theorganization’s reputation, operations, performance, compliance, and liability4.

Therefore, it is essential that business units consult and collaborate with IT support before purchasing any cloud-based applications, and follow the organization’s guidelines and procedures for cloud security. IT support can help business units to select and use cloud-based applications that are suitable and secure for their needs and objectives.

The most important input during the planning phase for an audit on the implementation of a bring your own device (BYOD) program is policies including BYOD acceptable user statements. Policies are documents that define the organization’s objectives, requirements, expectations, and responsibilities regarding a specific topic or area. BYOD policies should include acceptable user statements that specify what types of personal devices are allowed to connect to the corporate network, what security measures must be implemented on those devices, what data can be accessed or stored on those devices, what actions must be taken in case of device loss or theft, and what consequences will apply for non-compliance. Policies including BYOD acceptable user statements can provide an IS auditor with a clear understanding of the scope, criteria, and objectivesof the BYOD program audit. Findings from prior audits, results of a risk assessment, and an inventory of personal devices to be connected to the corporate network are also useful inputs for planning a BYOD program audit, but they are not as important as policies including BYOD acceptable user statements. References: ISACA CISA Review Manual 27th Edition, page 381.

A digital signature is a mathematical algorithm that validates the authenticity and integrity of a message or document by generating a unique hash of the message or document and encrypting it using the sender’s private key1. The primary reason for using a digital signature is to authenticate the sender of a message, as only the sender has access to their private key and can produce a valid signature2. A digital signature also verifies the integrity of the data, as any modification to the message or document will result in a different hash value and invalidate the signature1. However, a digital signature does not provide availability or confidentiality to the transmission, as it does not prevent denial-of-service attacks or encrypt the entire message or document3.

References

1: Understanding Digital Signatures | CISA

2: Signature Verification | CISA

3: SECFND: Digital Signatures from Skillsoft | NICCS

The best course of action for an IS auditor when an auditee is unable to close all audit recommendations by the time of the follow-up audit is to evaluate the residual risk due to open issues. Residual risk is the risk that remains after the implementation of controls or mitigating actions. Evaluating the residual risk due to open issues can help the IS auditor assess the impact and likelihood of the potential threats and vulnerabilities that have not been addressed by the auditee, as well as the adequacy and effectiveness of the existing controls or mitigating actions. Evaluating the residual risk due to open issues can also help the IS auditor prioritize and communicate the open issues to the auditee and other stakeholders, such as senior management or audit committee, and recommend appropriate actions or escalation procedures.

Ensuring the open issues are retained in the audit results is a course of action for an IS auditor when an auditee is unable to close all audit recommendations by the time of the follow-up audit, but it is not the best one. Ensuring the open issues are retained in the audit results can help the IS auditor document and report the status and progress of the audit recommendations, as well as provide a basis for future follow-up audits. However, ensuring the open issues are retained in the audit results does not provide an analysis or evaluation of the residual risk due to open issues, which is more important for informing decision-making and action-taking.

Terminating the follow-up because open issues are not resolved is not a course of action for an IS auditor when an auditee is unable to close all audit recommendations by the time of the follow-up audit, but rather a consequence or outcome of it. Terminating the follow-up because open issues are not resolved may indicate that the auditee has failed to comply with the agreed-upon actions or deadlines, or that the IS auditor has encountered significant obstacles or resistance from the auditee. Terminating the follow-up because open issues are not resolved may also trigger further actions or sanctions from the IS auditor or other authorities, such as issuing a qualified or adverse opinion, withholding certification, or imposing penalties.

Recommending compensating controls for open issues is not a course of action for an IS auditor when an auditee is unable to close all audit recommendations by the time of the follow-up audit, but rather a possible outcome or result of it. Compensating controls are alternative or additional controls that are implemented to reduce or eliminate the risk associated with a weakness or deficiency in another control. Recommending compensating controls for open issues may be appropriate when the auditee is unable to implement the original audit recommendations due to technical, operational,financial, or other constraints, and when the compensating controls can provide a similar or equivalent level of assurance. However, recommending compensating controls for open issues requires a prior evaluation of the residual risk due to open issues, which is more important for determining whether compensating controls are necessary and feasible.

Stress testing is a type of performance testing that evaluates how a system behaves under extreme load conditions, such as high user traffic, large data volumes, or limited resources. It is useful for identifying potential bottlenecks, errors, or failures that may affect the system’s functionality or availability. Stress testing during the quality assurance (QA) phase would have identified the concern of users complaining that a newly released ERP system is functioning too slowly. The other options are not as relevant for this concern, as they relate to different aspects of testing, such as regression testing (verifying that existing functionality is not affected by new changes), interface testing (verifying that the system interacts correctly with other systems or components), or integration testing (verifying that the system works as a whole after combining different modules or units). References: CISA Review Manual (Digital Version), Domain 5: Protection of Information Assets, Section 5.4 Testing Techniques1

 The auditor should first escalate to audit management to discuss the audit plan. This is because the audit plan should be based on a risk assessment and aligned with the organization’s objectives and strategies. The auditor should not accept the CIO’s request without proper justification and approval from the audit management, who are responsible for ensuring the audit plan’s quality and independence. The auditor should also communicate the potential risks and implications of not conducting IS audits in the upcoming year, such as missing new or emerging threats, vulnerabilities, or compliance issues. References:

CISA Review Manual (Digital Version), Chapter 2, Section 2.11

CISA Online Review Course, Domain 1, Module 1, Lesson 22

 The first thing that should be done when an intrusion into an organization network is detected is to identify nodes that have been compromised. Identifying nodes that have been compromised is a critical step in responding to an intrusion, as it helps determine the scope, impact, and source of the attack, and enables the implementation of appropriate containment and recovery measures. The other options are not the first things that should be done when an intrusion into an organization network is detected, as they may be premature or ineffective without identifying nodes that have been compromised. Blocking all compromised network nodes is a containment measure that can help isolate and prevent the spread of the attack, but it may not be possible or feasible without identifying nodes that have been compromised. Contacting law enforcement is a reporting measure that can help seek external assistance and comply with legal obligations, but it may not be necessary or appropriate without identifying nodes that have been compromised. Notifying senior management is a communication measure that can help inform and escalate the incident, but it may not be urgent or accurate without identifying nodes that have been compromised. References: CISA Review Manual (Digital Version), Chapter 4, Section 4.2.2

 The chain of custody has not been documented is a finding that should be of greatest concern for an IS auditor reviewing a forensic analysis process of an organization that has suffered a cyber attack. The chain of custody is a record of who handled, accessed, or modified the evidence during a forensic investigation. Documenting the chain of custody is essential to preserve the integrity, authenticity, and admissibility of the evidence in a court of law. The other options are less concerning findings that may not affect the validity or reliability of the forensic analysis process. References:

CISAReview Manual (Digital Version), Chapter 7, Section 7.51

CISA Review Questions, Answers and Explanations Database, Question ID 220

 The greatest concern for an IS auditor when a post-implementation review was conducted by issuing a survey to users is that the survey questions did not address the scope of the business case. A post-implementation review is a process of evaluating the outcomes and benefits of a project after it has been completed and implemented. A post-implementation review can help to assess whether the project met its objectives, delivered its expected value, and satisfied its stakeholders1. A survey is a method of collecting feedback and opinions from users or other stakeholders about their experience and satisfaction with the project. Asurvey can help to measure the user acceptance, usability, and functionality of the project deliverables2. A business case is a document that justifies the need for a project based on its expected benefits, costs, risks, and alternatives. A business case defines the scope,objectives, and requirements of the project and provides a basis for its approval and initiation3. Therefore, an IS auditor should be concerned if the survey questions did not address the scope of the business case, as it may indicate that the post-implementation review was not comprehensive, relevant, or aligned with the project goals. The other options are less concerning or incorrect because:

A. The survey results were not presented in detail to management is not a great concern for an IS auditor when a post-implementation review was conducted by issuing a survey to users, as it is more of a communication or reporting issue than an audit issue. While presenting the survey results in detail to management may help to inform them about the project performance and outcomes, it does not affect the validity or quality of the post-implementation review itself.

C. The survey form template did not allow additional feedback to be provided is not a great concern for an IS auditor when a post-implementation review was conducted by issuing a survey to users, as it is more of a design or format issue than an audit issue. While allowing additional feedback to be provided may help to capture more insights or suggestions from users, it does not affect the validity or quality of the post-implementation review itself.

D. The survey was issued to employees a month after implementation is not a great concern for an IS auditor when a post-implementation review was conducted by issuing a survey to users, as it is more of a timing or scheduling issue than an audit issue. While issuing the survey to employees sooner after implementation may help to collect more accurate and timely feedback from users, it does not affect the validity or quality of the post-implementation review itself. References: Post ImplementationReview - ISACA, Survey - ISACA, Business Case - ISACA

A business impact analysis (BIA) is a process that identifies and evaluates the potential effects of disruptions to critical business operations as a result of a disaster, accident or emergency. A BIA should include an inventory of relevant business processes that support the organization’s strategic objectives and are essential for its continuity. The inventory should also identify the dependencies, interdependencies, recovery priorities and time frames for each business process. Policies for business procurement, documentation of application configurations and results of business resumption planning efforts are not as useful as an inventory of relevant business processes for performing a BIA. References:

 Business Impact Analysis (BIA) Definition

 Business Impact Analysis (BIA) | ISACA

A certificate authority (CA) is critical in a public key cryptographic system for mitigating man-in-the-middle (MITM) attacks. It ensures that public keys are authentic by issuing digital certificates, which bind a public key to an entity. The CA’s role in verifying identities and providing trust anchors prevents attackers from spoofing keys.

Strong Encryption Algorithms (Option A):Encryption ensures confidentiality but does not address spoofing risks.

Kerberos Authentication (Option B):Useful for mutual authentication but not central to public key infrastructure (PKI).

Registration Authority (Option C):Supports the CA but does not directly prevent MITM attacks.

 A black box penetration test is a type of security assessment that simulates an attack on a system or network without any prior knowledge of its configuration or architecture. The main objective of this test is to identify vulnerabilities and weaknesses that can be exploited by external or internal threat actors. To plan a black box penetration test, it is most important to ensure that the environment and penetration test scope have been determined. This means that the tester and the client organization have agreed on the boundaries, objectives, methods, and deliverables of the test, as well as the legal and ethical aspects of the engagement. Without a clear definition of the environment and scope, the test may not be effective, efficient, or compliant with relevant standards and regulations. Additionally, the tester may cause unintended damage or disruption to the client’s systems or networks, or violate their privacy or security policies.

The best way to track organizational data in a BYOD environment is to enroll the personal devices in the organization’s mobile device management (MDM) program. This will allow the organization to monitor, control, and secure the data on the devices remotely. Employees must also report lost or stolen devices and sign the acceptable use policy, but these are not sufficient to enable tracking of data. References: Info Technology and Systems Resources |COBIT, Risk, Governance … - ISACA, section “Book IT Control Objectives for Sarbanes-Oxley, 4th Edition | Digital | English”

Open-source solutions provide flexibility and reduce vendor lock-in, allowing organizations to modify, enhance, and support software independently.

Option A (Incorrect):Open-source software often lacksformalizedsupport levels compared to proprietary solutions, which provide structured SLAs (Service Level Agreements).

Option B (Incorrect):While some open-source solutions are user-friendly, implementation complexity depends on the software and required customization.

Option C (Correct):A key benefit of open-source solutions is thefreedom from vendor dependence. Organizations can customize the software, hire independent developers, or switch providers without being locked into a specific vendor ' s ecosystem.

Option D (Incorrect):Security in open-source software depends on the community and organization managing the solution. Some open-source tools have excellent security, while others may require additional hardening.

The best way for an organization to mitigate the risk associated with third-party application performance is to utilize performance monitoring tools to verify service level agreements (SLAs). Performance monitoring tools are software or hardware devices that measure and report the performance of an application or system, such as speed, availability, reliability, etc. Performance monitoring tools can help mitigate the risk associated with third-party application performance, by allowing the organization to verify whether the third-party provider is meeting the SLAs, which are contracts or agreements that define the expected level and quality of service for an application or system. Performance monitoring tools can also help identify and resolve any performance issues or problems that may arise from the third-party application. Ensuring the third party allocates adequate resources to meet requirements is a possible way to mitigate the risk associated with third-party application performance, but it is not the best one, as it may not be feasible or effective depending on the availability, cost, and suitability of the resources. Using analytics within the internal audit function is a possible way to mitigate the risk associated with third-party application performance, but it is not the best one, as it may not be timely or relevant depending on the frequency, scope, and quality of the analytics. Conducting a capacity planning exercise is a possible way to mitigate the risk associated with third-party application performance, but it is not the best one, as it may not be accurate or reliable depending on the assumptions, methods, and data used for the capacity planning.

 The most significant risk in virtualizing the server environment without making any other changes to the network or security infrastructure is the inability of the network intrusion detection system (IDS) to monitor virtual server-to-server communications. This can create blind spots for the IDS and allow malicious traffic to bypass detection. A vulnerability in the virtualization platform affecting multiple hosts is a potential risk, but not necessarily more significant than the loss of visibility. Data center environmental controls not aligning with new configuration or system documentation not being updated to reflect changes in the environment are operational issues, not security issues. References: ISACA, CISA Review Manual, 27th Edition, 2018, page 373

 The best detective control for a job scheduling process involving data transmission is job failure alerts that are automatically generated and routed to support personnel. Job failure alerts are notifications that indicate when a scheduled job or task fails to execute or complete successfully, such as due to errors, interruptions, or delays. Job failure alerts can help detect and correct any issues or anomalies in the job scheduling process involving data transmission by informing and alerting the support personnel who can investigate and resolve the problem. The other options are not as effective as job failure alerts in detecting issues or anomalies in the job scheduling process involving data transmission, as they do not provide timely or specific information or feedback. Metrics denoting the volume of monthly job failures are reported and reviewed by senior management is a reporting technique that can help measure and improve the performance and reliability of the job scheduling process, but it does not provide immediate or detailed information on individual job failures. Jobs are scheduled to be completed daily and data is transmitted using a Secure File Transfer Protocol (SFTP) is a preventive control that can help ensure the timeliness and security of the job scheduling process involving data transmission, but it does not detect any issues or anomalies that may occur during the process. Jobs are scheduled and a log of this activity is retained for subsequent review is a logging technique that can help record and track the status and results of the job scheduling process involving data transmission, but it does not provide real-time or proactive information on job failures. References: CISA Review Manual (Digital Version), Chapter 3, Section 3.2

The first step in auditing a data communication system is to determine the business use and types of messages to be transmitted. This is because the auditor needs to understand the purpose, scope, and objectives of the data communication system, as well as the nature, volume, and sensitivity of the data being transmitted. This will help the auditor to identify the risks, controls, and audit criteria for the data communication system. Traffic volumes and response-time criteria, physical security for network equipment, and the level of redundancy in the various communication paths are important aspects of a data communication system, but they are not the first step in auditing it. They depend on the business use and types of messages to be transmitted, and they may vary according to different scenarios and requirements. References: CISA Review Manual (Digital Version), [ISACA Auditing Standards]

Social engineering tests are the most effective way toassess real-world security awarenessby measuring employees ' ability to recognize and resist security threats.

Review the Results of Social Engineering Tests (Correct Answer – A)

Simulated phishing attacks and pretexting exercises measure actual employee behavior.

Provides actionable insights into weaknesses in security awareness.

Example:If employees frequently click on phishing emails, the awareness program is ineffective.

Evaluate Management Survey Results (Incorrect – B)

Management perception is subjective and does not reflect actual employee behavior.

Interview Employees (Incorrect – C)

Employees may provide inaccurate or rehearsed responses.

Review Security Training Quiz Results (Incorrect – D)

Tests knowledge but does not measure practical application.

 The IS auditor should be most concerned about the lack of follow-up education for staff members who failed the phishing simulation test. Phishing simulation tests are designed to assess the level of awareness and susceptibility of staff members to phishing attacks, and to provide feedback and training to improve their security behavior. If staff members who failed the test do not receive follow-up education, they will not learn from their mistakes and may continue to fall victim to real phishing attacks, which could compromise the security of the organization.

The other options are less concerning for the IS auditor:

Test results were not communicated to staff members. This is not ideal, as staff members should receive feedback on their performance and learn from the test results. However, this does not necessarily mean that they did not receive any training or education on how to avoid phishing attacks.

Staff members were not notified about the test beforehand. This is a common practice for phishing simulation tests, as it mimics the real-world scenario where staff members do not know when they will receive a phishing email. The purpose of the test is to measure their spontaneous reaction and awareness, not their preparedness or compliance.

Security awareness training was not provided prior to the test. This is not a major concern, as the test can serve as a baseline measurement of the current level of awareness and susceptibility of staff members, and as a starting point for providing tailored training and education based on the test results.

When a program release needs to be backed out of production, the changes introduced by that release must be removed from the source code to ensure the system returns to its prior state. This approach ensures that the source code reflects the stable version without the problematic changes.

References

ISACA CISA Review Manual 27th Edition, Page 244-245 (Change Management)

The most effective method for detecting the presence of an unauthorized wireless access point on an internal network is A. Continuous network monitoring. This is because continuous network monitoring can capture and analyze all the wireless traffic in the network and identify any rogue or spoofed devices that may be connected to the network without authorization. Continuous network monitoring can also alert the system administrator of any suspicious or anomalous activities on the network and help to locate and remove the unauthorized wireless access point quickly.

Periodic network vulnerability assessments (B) can also help to detect unauthorized wireless access points, but they are not as effective as continuous network monitoring, because they are performed at fixed intervals and may miss some devices that are added or removed between the assessments. Review of electronic access logs © can provide some information about the devices that access the network, but they may not be able to detect devices that use fake or stolen credentials or devices that do not generate any logs. Physical security reviews (D) can help to prevent unauthorized physical access to the network ports or devices, but they may not be able to detect wireless access points that are hidden or disguised as legitimate devices.

The most important factor to ensure that electronic evidence collected during a forensic investigation will be admissible in future legal proceedings is to document evidence handling by personnel throughout the forensic investigation. Documentation is essential to establish the chain of custody, prove the integrity and authenticity of the evidence, and demonstrate compliance with legal and ethical standards. Documentation should include information such as the date, time, location, source, destination, method, purpose, result, and authorization of each action performed on the evidence. Documentation should also include any observations, findings, assumptions, limitations, or exceptions encountered during the investigation. References:

CISA Review Manual (Digital Version)

CISA Questions, Answers and Explanations Database

A biometric access device installed at the entrance to a facility is a type of preventive control. Preventive controls are designed to deter or prevent undesirable events from occurring12. They are proactive measures that aim to inhibit incidents before they happen12. In this case, the biometric access device prevents unauthorized individuals from gaining access to the facility by requiring unique biological characteristics for authentication12.

The primary factor to determine system criticality within an organization is the maximum allowable downtime (MAD). MAD is the maximum time frame during which recovery must become effective before an outage compromises the ability of an organization to achieve its business objectives and/or survival. MAD reflects the business impact of a system outage onthe organization’s operations, reputation, compliance, and finances. MAD can help to prioritize system recovery efforts, allocate resources, and establish recovery objectives.

When an IS auditor discovers a security weakness in the database configuration, the next course of action should be to identify existing mitigating controls. This involves assessing whether any controls are already in place to address the weakness and mitigate the risk. Understanding the current state of controls helps the auditor determine the severity of the issue and whether additional corrective actions are necessary1. References: 1(https://www.isaca.org/resources/insights-and-expertise/audit-programs-and-tools)

The activities that should be separated are initiating and closing error logs. This is a segregation-of-duties issue. The same person who opens an error record should not also have sole authority to close it, because that creates an opportunity to suppress incidents, conceal inadequate investigation, or bypass proper resolution and review. ISACA guidance regularly stresses the importance of segregation of duties as a foundational control principle.

Option A is correct because separating initiation from closure helps ensure independent review, proper follow-up, and accountability in the incident process. This aligns with classic CISA logic: one role records or raises the issue, while another role validates resolution and closure.

Option B is less compelling because collecting and analyzing logs are closely related operational security activities and are often performed within the same monitoring function.

Option C is also less appropriate to separate in this context because identifying root causes and recommending workarounds are naturally linked problem-management activities. ISACA guidance on root cause analysis connects these activities to incident and problem handling.

Option D is not the best answer because recording and classifying incidents are typically performed together at intake or triage. Separating them would usually add process friction without the same control benefit as separating initiation from closure.

Therefore, A is the best answer because it best reflects appropriate segregation of duties in incident handling.

References (Official ISACA):

ISACA Journal, IS Audit Basics: Trust but Verify — highlights the importance of segregation of duties.

ISACA Journal, Trends, Challenges and Strategies for Effective Audit in a Rapidly Changing Landscape — reinforces segregation of duties as a continuing control requirement.

ISACA Journal, Resilient GRC: Tackling Contemporary Challenges With a Robust Delivery Model — discusses bias and segregation-of-duties concerns.

ISACA, Root Cause Analysis / ISACA Glossary — supports the linkage between root cause analysis and incident/problem processes.