CISA Exam Dumps - Certified Information Systems Auditor

A mobile device awareness program would best enable an organization to address the security risks associated with a recently implemented bring your own device (BYOD) strategy. A mobile device awareness program is a set of activities that aim to educate and inform the employees about the benefits, challenges, and best practices of using their personal mobile devices for work purposes. A mobile device awareness program can help the organization to:

Communicate the organization’s policies and expectations regarding BYOD, such as which devices are allowed, what data can be accessed or stored, and what security measures are required.

Raise the employees’ awareness of the potential threats and vulnerabilities that affect their mobile devices, such as malware, phishing, data leakage, or device loss.

Provide the employees with guidance and tips on how to protect their mobile devices and the organization’s data, such as using strong passwords, encryption, antivirus software, remote wipe, or VPN.

Encourage the employees to report any incidents or issues related to their mobile devices, such as suspicious messages, unauthorized access, or device damage.

A mobile device awareness program can help the organization to reduce the security risks associated with BYOD by enhancing the employees’ knowledge, skills, and behavior in using their mobile devices securely and responsibly. Amobile device awareness program can also help the organization to comply with relevant regulations and standards that governdata privacy and security in the cloud1.

The other options are not as effective as a mobile device awareness program in enabling an organization to address the security risks associated with BYOD. Option A, mobile device tracking program, is a tool that allows the organization to monitor and locate the employees’ mobile devices in case of loss or theft. However, this tool may not prevent or detect other types of security risks, such as malware infection or data breach. Option B, mobile device upgrade program, is a process that ensures that the employees’ mobile devices are running the latest versions of operating systems and applications. However, this process may not address other aspects of security, such as user behavior or data protection. Option C, mobile device testing program, is a method that verifies the functionality and compatibility of the employees’ mobile devices with the organization’s systems and networks. However, this method may not cover all the scenarios or factors that may affect the security of the mobile devices or the organization’s data2.

References:

Mobile Device Security Awareness Topics3

Security Awareness Top Ten Topics - #8 Mobile Devices

 The auditor’s primary concern when capacity management for a key system is being performed by IT with no input from the business would be an unanticipated increase in business’s capacity needs. This could result in performance degradation, service disruption or customer dissatisfaction if IT is not able to provide sufficient capacity to meet the business demand. Failure to maximize the use of equipment, cost of excessive data center storage capacity or impact to future business project funding are secondary concerns that relate to resource optimization or budget allocation, but not to service delivery or customer satisfaction. References: ISACA, CISA Review Manual, 27th Edition, 2018, page 374

The best course of action for an IS auditor who finds that some critical recommendations have not been implemented is to evaluate senior management’s acceptance of the risk. The IS auditor should understand the reasons why the recommendations have not been implemented and the implications for the organization’s risk exposure. The IS auditor should also verify that senior management has formally acknowledged and accepted the residual risk and has documented the rationale and justification for their decision. The IS auditor should communicate the findings and the risk acceptance to the audit committee and other relevant stakeholders. References:

CISA Review Manual (Digital Version)

CISA Questions, Answers & Explanations Database

One of the challenges in developing a SLA for network services is finding performance metrics that can be measured properly and reflect the quality of service expected by the customer. Establishing a well-designed framework for network services is not a challenge, but a good practice. Ensuring that network components are not modified by the client or reducing the number of entry points into the network are security issues, not SLA issues. References: ISACA, CISA Review Manual, 27th Edition, 2018, page 333

 An IS auditor should be concerned because deleting the files logically does not overwrite the files’ physical data. Deleting a file from a hard disk only removes the reference or pointer to the file from the file system, but does not erase the actual data stored on the disk sectors. The deleted data can still be recovered using special tools or techniques until it is overwritten by new data. This poses a risk of data leakage, theft, or misuse if the hard disk falls into the wrong hands. To securely dispose of a system containing sensitive data, the hard disk should be wiped or sanitized using methods that overwrite or destroy the physical data beyond recovery. References:

CISA Review Manual (Digital Version)

CISA Questions, Answers & Explanations Database

 The most critical finding that the IS auditor should consider when reviewing processes for importing market price data from external data providers is that the quality of the data is not monitored. This is because market price data is essential for financial transactions, risk management, valuation and reporting, and any errors or inaccuracies in the data can have significant impact on the organization’s performance, reputation and compliance. The IS auditor should ensure that the organization has established quality criteria and controls for the imported data, such as validity, completeness,timeliness, consistency and accuracy, and that the data is regularly checked and verified against these criteria. The other findings are also important, but not as critical as data quality. References: CISA Review Manual (Digital Version)1, Chapter 5, Section 5.2.7

The most appropriate control to prevent unauthorized retrieval of confidential information stored in a business application system is to enforce an internal data access policy. A data access policy defines who can access what data, under what conditions and for what purposes. It also specifies the roles and responsibilities of data owners, custodians and users, as well as the security measures and controls to protect data confidentiality, integrity and availability. By enforcing a data access policy, the organization can ensure that only authorized personnel can retrieve confidential informationfrom the business application system. Applying single sign-on for access control, implementing segregation of duties and enforcing the use of digital signatures are also useful controls, but they are not sufficient to prevent unauthorized data retrieval without a clear and comprehensive data access policy. References:

CISA Review Manual, 27th Edition, page 2301

CISA Review Questions, Answers & Explanations Database - 12 Month Subscription2

The most critical factor for the effective implementation of IT governance is a supportive corporate culture. A supportive corporate culture is one that fosters collaboration, communication and commitment among all stakeholders involved in IT governance processes. A supportive corporate culture also promotes a shared vision, values and goals for IT governance across the organization. Strong risk management practices, internal auditor commitment or documented policies are important elements for IT governance implementation, but they are not sufficient without a supportive corporate culture. References: ISACA, CISA Review Manual, 27th Edition, 2018, page 41