Last Updated on December 13, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 92

  1. During the design of a business continuity plan, the business impact analysis (BIA) identifies critical processes and supporting applications. This will PRIMARILY influence the:

    • responsibility for maintaining the business continuity plan.
    • criteria for selecting a recovery site provider.
    • recovery strategy.
    • responsibilities of key personnel.

    Explanation: 
The most appropriate strategy is selected based on the relative risk level and criticality identified in the business impact analysis (BIA). The other choices are made after the selection or design of the appropriate recovery strategy.

  2. During a review of a business continuity plan, an IS auditor noticed that the point at which a situation is declared to be a crisis has not been defined. The MAJOR risk associated with this is that:

    • assessment of the situation may be delayed.
    • execution of the disaster recovery plan could be impacted.
    • notification of the teams might not occur.
    • potential crisis recognition might be ineffective.
    Explanation:
    Execution of the business continuity plan would be impacted if the organization does not know when to declare a crisis. Choices A, C and D are steps that must be performed to know whether to declare a crisis. Problem and severity assessment would provide information necessary in declaring a disaster. Once a potential crisis is recognized, the teams responsible for crisis management need to be notified. Delaying this step until a disaster has been declared would negate the effect of having response teams. Potential crisis recognition is the first step in responding to a disaster.
  3. An organization has just completed their annual risk assessment. Regarding the business continuity plan, what should an IS auditor recommend as the next step for the organization?

    • Review and evaluate the business continuity plan for adequacy
    • Perform a full simulation of the business continuity plan
    • Train and educate employees regarding the business continuity plan
    • Notify critical contacts in the business continuity plan
    Explanation: 
    The business continuity plan should be reviewed every time a risk assessment is completed for the organization. Training of the employees and a simulation should be performed after the business continuity plan has been deemed adequate for the organization. There is no reason to notify the business continuity plan contacts at this time.
  4. Integrating business continuity planning (BCP) into an IT project aids in:

    • the retrofitting of the business continuity requirements.
    • the development of a more comprehensive set of requirements.
    • the development of a transaction flowchart.
    • ensuring the application meets the user’s needs.
    Explanation: 
Integrating business continuity planning (BCP) into the development process ensures complete coverage of the requirements through each phase of the project. Retrofitting of the business continuity plan’s requirements occurs when BCP is not integrated into the development methodology. Transaction flowcharts aid in analyzing an application’s controls. A business continuity plan will not directly address the detailed processing needs of the users.
  5. While observing a full simulation of the business continuity plan, an IS auditor notices that the notification systems within the organizational facilities could be severely impacted by infrastructural damage. The BEST recommendation the IS auditor can provide to the organization is to ensure:

    • the salvage team is trained to use the notification system.
    • the notification system provides for the recovery of the backup.
    • redundancies are built into the notification system.
    • the notification systems are stored in a vault.
    Explanation: 
    If the notification system has been severely impacted by the damage, redundancy would be the best control. The salvage team would not be able to use a severely damaged notification system, even if they are trained to use it. The recovery of the backups has no bearing on the notification system and storing the notification system in a vault would be of little value if the building is damaged.
  6. The activation of an enterprise’s business continuity plan should be based on predetermined criteria that address the:

    • duration of the outage.
    • type of outage.
    • probability of the outage.
    • cause of the outage.
    Explanation: 
    The initiation of a business continuity plan (action) should primarily be based on the maximum period for which a business function can be disrupted before the disruption threatens the achievement of organizational objectives.
  7. An organization has outsourced its wide area network (WAN) to a third-party service provider. Under these circumstances, which of the following is the PRIMARY task the IS auditor should perform during an audit of business continuity (BCP) and disaster recovery planning (DRP)?

    • Review whether the service provider’s BCP process is aligned with the organization’s BCP and contractual obligations.
    • Review whether the service level agreement (SLA) contains a penalty clause in case of failure to meet the level of service in case of a disaster.
    • Review the methodology adopted by the organization in choosing the service provider.
    • Review the accreditation of the third-party service provider’s staff.
    Explanation: 
    Reviewing whether the service provider’s business continuity plan (BCP) process is aligned with the organization’s BCP and contractual obligations is the correct answer since an adverse effect or disruption to the business of the service provider has a direct bearing on the organization and its customers. Reviewing whether the service level agreement (SLA) contains a penalty clause in case of failure to meet the level of service in case of a disaster is not the correct answer since the presence of penalty clauses, although an essential element of a SLA, is not a primary concern.
    Choices C and D are possible concerns, but of lesser importance.
  8. An IS auditor can verify that an organization’s business continuity plan (BCP) is effective by reviewing the:

    • alignment of the BCP with industry best practices.
    • results of business continuity tests performed by IS and end-user personnel.
    • off-site facility, its contents, security and environmental controls.
    • annual financial cost of the BCP activities versus the expected benefit of implementation of the plan.
    Explanation:

    The effectiveness of the business continuity plan (BCP) can best be evaluated by reviewing the results from previous business continuity tests for thoroughness and accuracy in accomplishing their stated objectives. All other choices do not provide the assurance of the effectiveness of the BCP.

  9. To optimize an organization’s business contingency plan (BCP), an IS auditor should recommend conducting a business impact analysis (BIA) in order to determine:

    • the business processes that generate the most financial value for the organization and therefore must be recovered first.
    • the priorities and order for recovery to ensure alignment with the organization’s business strategy.
    • the business processes that must be recovered following a disaster to ensure the organization’s survival.
    • the priorities and order of recovery which will recover the greatest number of systems in the shortest time frame.
    Explanation:
    To ensure the organization’s survival following a disaster, it is important to recover the most critical business processes first. It is a common mistake to overemphasize value (A) rather than urgency. For example, while the processing of incoming mortgage loan payments is important from a financial perspective, it could be delayed for a few days in the event of a disaster. On the other hand, wiring funds to close on a loan, while not generating direct revenue, is far more critical because of the possibility of regulatory problems, customer complaints and reputation issues. Choices B and D are not correct because neither the long-term business strategy nor the mere number of recovered systems has a direct impact at this point in time.
  10. A financial services organization is developing and documenting business continuity measures. In which of the following cases would an IS auditor MOST likely raise an issue?

    • The organization uses good practice guidelines instead of industry standards and relies on external advisors to ensure the adequacy of the methodology.
    • The business continuity capabilities are planned around a carefully selected set of scenarios which describe events that might happen with a reasonable probability.
    • The recovery time objectives (RTOs) do not take IT disaster recovery constraints into account, such as personnel or system dependencies during the recovery phase.
    • The organization plans to rent a shared alternate site with emergency workplaces which has only enough room for half of the normal staff.
    Explanation:
    It is a common mistake to use scenario planning for business continuity. The problem is that it is impossible to plan and document actions for every possible scenario. Planning for just selected scenarios denies the fact that even improbable events can cause an organization to break down. Best practice planning addresses the four possible areas of impact in a disaster: premises, people, systems, and suppliers and other dependencies. All scenarios can be reduced to these four categories and can be handled simultaneously. There are very few special scenarios which justify an additional separate analysis. It is a good idea to use best practices and external advice for such an important topic, especially since knowledge of the right level of preparedness and the judgment about adequacy of the measures taken is not available in every organization. The recovery time objectives (RTOs) are based on the essential business processes required to ensure the organization’s survival; therefore, it would be inappropriate for them to be based on IT capabilities. Best practice guidelines recommend having 20%-40% of normal capacity available at an emergency site; therefore, a value of 50% would not be a problem if there are no additional factors.
  11. A medium-sized organization, whose IT disaster recovery measures have been in place and regularly tested for years, has just developed a formal business continuity plan (BCP). A basic BCP tabletop exercise has been performed successfully. Which testing should an IS auditor recommend be performed NEXT to verify the adequacy of the new BCP?

    • Full-scale test with relocation of all departments, including IT, to the contingency site
    • Walk-through test of a series of predefined scenarios with all critical personnel involved
    • IT disaster recovery test with business departments involved in testing the critical applications
    • Functional test of a scenario with limited IT involvement
    Explanation:
    After a tabletop exercise has been performed, the next step would be a functional test, which includes the mobilization of staff to exercise the administrative and organizational functions of a recovery. Since the IT part of the recovery has been tested for years, it would be more efficient to verify and optimize the business continuity plan (BCP) before actually involving IT in a full-scale test. The full-scale test would be the last step of the verification process before entering into a regular annual testing schedule. A full-scale test in the situation described might fail because it would be the first time that the plan is actually exercised, and a number of resources (including IT) and time would be wasted. The walk-through test is the most basic type of testing. Its intention is to make key staff familiar with the plan and discuss critical plan elements, rather than verifying its adequacy. The recovery of applications should always be verified and approved by the business instead of being purely IT-driven. A disaster recovery test would not help in verifying the administrative and organizational parts of the BCP which are not IT-related.
  12. “Everything not explicitly permitted is forbidden” has which of the following kinds of tradeoff?

    • it improves security at a cost in functionality.
    • it improves functionality at a cost in security.
    • it improves security at a cost in system performance.
    • it improves performance at a cost in functionality.
    • None of the choices.
    Explanation:
    “Everything not explicitly permitted is forbidden” (default deny) improves security at a cost in functionality. This is a good approach if you have lots of security threats. On the other hand, “Everything not explicitly forbidden is permitted” (default permit) allows greater functionality by sacrificing security. This is only a good approach in an environment where security threats are non-existent or negligible.
  13. Default permit is only a good approach in an environment where:

    • security threats are non-existent or negligible. 
    • security threats are non-negligible.
    • security threats are serious and severe.
    • users are trained.
    • None of the choices.
    Explanation:
    “Everything not explicitly permitted is forbidden” (default deny) improves security at a cost in functionality. This is a good approach if you have lots of security threats. On the other hand, “Everything not explicitly forbidden is permitted” (default permit) allows greater functionality by sacrificing security. This is only a good approach in an environment where security threats are non-existent or negligible.
  14. Talking about the different approaches to security in computing, the principle of regarding the computer system itself as largely an untrusted system emphasizes:

    • most privilege
    • full privilege
    • least privilege
    • null privilege
    • None of the choices.
    Explanation:
    There are two different approaches to security in computing. One focuses mainly on external threats, and generally treats the computer system itself as a trusted system. The other regards the computer system itself as largely an untrusted system, and redesigns it to make it more secure in a number of ways.
    This technique enforces the principle of least privilege to a great extent, where an entity has only the privileges that are needed for its function.
  15. Which of the following refers to the proving of mathematical theorems by a computer program?

    • Analytical theorem proving
    • Automated technology proving
    • Automated theorem processing
    • Automated theorem proving
    • None of the choices.
    Explanation:
    Automated theorem proving (ATP) is the proving of mathematical theorems by a computer program. Depending on the underlying logic, the problem of deciding the validity of a theorem varies from trivial to impossible. Commercial use of automated theorem proving is mostly concentrated in integrated circuit design and verification.
  16. Which of the following BEST describes the concept of “defense in depth”?

    • more than one subsystem needs to be compromised to compromise the security of the system and the information it holds.
    • multiple firewalls are implemented.
    • multiple firewalls and multiple network OS are implemented.
    • intrusion detection and firewall filtering are required.
    • None of the choices.
    Explanation:
    With “defense in depth”, more than one subsystem needs to be compromised to compromise the security of the system and the information it holds. Subsystems should default to secure settings, and wherever possible should be designed to “fail secure” rather than “fail insecure”.
  17. Under the concept of “defense in depth”, subsystems should be designed to:

    • “fail insecure”
    • “fail secure”
    • “react to attack”
    • “react to failure”
    • None of the choices.
    Explanation: 
    With “defense in depth”, more than one subsystem needs to be compromised to compromise the security of the system and the information it holds. Subsystems should default to secure settings, and wherever possible should be designed to “fail secure” rather than “fail insecure”.
  18. Security should ALWAYS be an all or nothing issue.

    • True
    • True for trusted systems only
    • True for untrusted systems only
    • False
    • None of the choices.
    Explanation: 
    Security should not be an all or nothing issue. The designers and operators of systems should assume that security breaches are inevitable in the long term. Full audit trails should be kept of system activity, so that when a security breach occurs, the mechanism and extent of the breach can be determined.
  19. The ‘trusted systems’ approach has been predominant in the design of:

    • many earlier Microsoft OS products
    • the IBM AS/400 series
    • the SUN Solaris series
    • most OS products in the market
    • None of the choices.
    Explanation: 
    The ‘trusted systems’ approach has been predominant in the design of many Microsoft OS products, due to the long-standing Microsoft policy of emphasizing functionality and ‘ease of use’.
  20. Which of the following terms generally refers to small programs designed to take advantage of a software flaw that has been discovered?

    • exploit
    • patch
    • quick fix
    • service pack
    • malware
    • None of the choices.
    Explanation: 
    The term “exploit” generally refers to small programs designed to take advantage of a software flaw that has been discovered, either remote or local. The code from the exploit program is frequently reused in trojan horses and computer viruses. In some cases, a vulnerability can lie in a certain program’s processing of a specific file type, such as a non-executable media file.