CISA Exam Dumps - Certified Information Systems Auditor

The greatest concern to an IS auditor reviewing an organization’s method to transport sensitive data between offices is that the method relies exclusively on the use of public key infrastructure (PKI). PKI is a set of tools and procedures that are used to create, manage, and revoke digital certificates and public keys for encryption and authentication1. PKI can provide secure and trustworthy communication over the internet, but it also has some limitations and risks that need to be considered.

One of the main limitations of PKI is that it depends on the trustworthiness and security of the certificate authority (CA), which is the entity that issues and verifies the digital certificates2. If the CA is compromised or malicious, it can issue fake or fraudulent certificates that can be used to impersonate legitimate parties or intercept sensitive data. For example, in 2011, a hacker breached the CA DigiNotar and issued hundreds of rogue certificates for domains such as Google, Yahoo, and Microsoft3. This allowed the hacker to conduct man-in-the-middle attacks and spy on the online activities of users in Iran3.

Another limitation of PKI is that it requires a complex and costly infrastructure to maintain and operate. PKI involves multiple components, such as servers, software, hardware, policies, and procedures, that need to be configured, updated, and monitored regularly1. PKI also requires a high level of technical expertise and coordination among different parties, such as users, administrators, CAs, and registration authorities (RAs)1. PKI can be vulnerable to human errors or negligence that can compromise its security or functionality. For example, in 2018, a software bug in Apple’s macOS High Sierra caused the system to accept any certificate as valid without checking its validity period. This could have allowed attackers to use expired or revoked certificates to bypass security checks.

Therefore, an IS auditor should be concerned if an organization relies exclusively on PKI for transporting sensitive data between offices. PKI can provide a high level of security and trust, but it also has some inherent risks and challenges that need to be addressed. An IS auditor should evaluate whether the organization has implemented adequate controls and measures to ensure the reliability and integrity of its PKI system. An IS auditor should also consider whether the organization has alternative or complementary methods for securing its data transmission, such as using symmetric encryption algorithms or digital signatures. Symmetric encryption algorithms use the same key for both encryption and decryption, which can offer faster performance and lower overhead than asymmetric encryption algorithms used by PKI4. Digital signatures use cryptographic techniques to verify the identity and authenticity of the sender and the integrity of the data5.

 Leveraging an IT governance framework is the best way to enable alignment of IT with business objectives, as it provides a set of principles, standards, processes, and practices that guide the effective delivery of IT services that support the organization’s strategy and goals. Benchmarking against peer organizations, developing key performance indicators (KPIs), and completing an IT risk assessment are useful activities that can help measure and improve the performance and value of IT, but they are not sufficient to ensure alignment without a governance framework. References: CISA Review Manual (Digital Version), Chapter 1: Information Systems Auditing Process, Section 1.2: IT Governance

The most appropriate population to sample from when testing for remediation of findings identified in an organization’s user provisioning process is all users provisioned after the final audit report was issued. This is because the final audit report is the official document that communicates the audit findings, recommendations, and action plans to the management and other stakeholders. It also establishes a baseline for measuring the progress and effectiveness of the remediation efforts. Therefore, sampling from the users provisioned after the final audit report was issued would provide the most relevant and reliable evidence of whether the audit issues have been resolved or not.

The other options are not as appropriate as option C, as they may not reflect the actual status of the remediation efforts. All users provisioned after the finding was originally identified may include users who were provisioned before the final audit report was issued, which may not capture the full impact of the remediation actions. All users provisioned after management resolved the audit issue may not be accurate, as management’s resolution may not be verified or validated by an independent party. All users who have followed user provisioning processes provided by management may not be representative, as there may be exceptions or deviations from the processes that could affect the remediation results.

References:

6: What Is User Provisioning? Definition, Process and Best Practices - Spiceworks

7: What Is User Provisioning? All You Need to Know in One Place - G2

8: What is User Account Provisioning? - Tools4ever

9: What Is Provisioning and Deprovisioning? | Okta

 A primary responsibility of an IT steering committee is prioritizing IT projects in accordance with business requirements, as this ensures that IT resources are allocated to support the strategic objectives and needs of the organization. Reviewing periodic IT risk assessments, validating and monitoring the skill sets of IT department staff, and establishing IT budgets for the business are important activities, but they are not the primary responsibility of an IT steering committee. They may be delegated to other IT governance bodies or functions within the organization. References: CISA Review Manual (Digital Version), Chapter 1: Information Systems Auditing Process, Section 1.2: IT Governance

The concept of materiality is most important for an IS auditor to apply when planning an audit engagement, because it helps the auditor to determine the scope, objectives, procedures and resources of the audit. Materiality is the degree to which an omission or misstatement of information could affect the users’ decisions or the achievement of the audit objectives. By applying the concept of materiality, the auditor can focus on the most significant and relevant areas of the audit and avoid wasting time and effort on trivial or immaterial matters. The other options are not as important as planning an audit engagement, because they are either based on or affected by the materiality assessment done during the planning phase. References:

ISACA, CISA Review Manual, 27th Edition, chapter 1, section 1.31

ISACA, IT Audit and Assurance Standards, Guidelines and Tools and Techniques for IS Audit and Assurance Professionals, section 12022

The best solution for ensuring secure remote access to corporate resources is to use a virtual private network (VPN), as this creates an encrypted tunnel between the user’s device and the corporate network, preventing unauthorized interception or modification of data in transit. Additional firewall rules may help to restrict access to certain ports or protocols, but they do not provide encryption or authentication. Multi-factor authentication may help to verify the identity of the user, but it does not protect the data in transit. Virtual desktop may help to provide a consistent user interface and access to applications, but it does not ensure the security of the communication channel. References: CISA Review Manual (Digital Version), Chapter 5: Protection of Information Assets, Section 5.2: Network Security Devices and Technologies

 The most important thing to determine when conducting a post-implementation review is whether success criteria have been achieved. A post-implementation review is a process of evaluating the results and outcomes of a project or initiative after it has been completed and implemented. The success criteria are the measurable indicators that define what constitutes a successful project or initiative in terms of its objectives, benefits, quality, performance, and stakeholder satisfaction. The IS auditor should verify whether the success criteria have been achieved by comparing the actual results and outcomes with the expected or planned ones, and by assessing whether they meet or exceed the expectations and requirements of the stakeholders. The IS auditor should also identify any gaps, issues, or risks that may affect the sustainability or scalability of the project or initiative, and provide recommendations for improvement or remediation. The other options are not as important as determining whether success criteria have been achieved when conducting a post-implementation review, because they either focus on specific aspects or components of the project or initiative rather than the overall value proposition, or they are part of the pre-implementation or implementation phases rather than the post-implementation phase. References: CISA Review Manual (Digital Version)1, Chapter 4, Section 4.2.3

The best way to provide assurance of the integrity of a firewall log is to ensure that the log cannot be modified. A firewall log is a record of the traffic and events that occur at the firewall, which is a device or software that controls and filters the incoming and outgoing network traffic based on predefined rules and policies. The integrity of a firewall log means that the log is accurate, complete, consistent, and valid, and that it has not been altered, deleted, or corrupted by unauthorized or malicious parties. The IS auditor should verify that the firewall log has adequate controls to prevent or detect any modification of the log, such as encryption, hashing, digital signatures, write-once media, or tamper-evident seals. The other options are not as effective as ensuring that the log cannot be modified, because they either do not address the integrity of the log data, or they are monitoring or retention measures rather than preventive or detective controls. References: CISA Review Manual (Digital Version)1, Chapter 5, Section 5.2.4