Section: Protection of Information Assets
Explanation:
RAID level 1 provides disk mirroring. Data written to one disk are also written to another disk. Users in the network access data in the first disk; if disk one fails, the second disk takes over. This redundancy ensures the availability of data. RAID level 1 does not improve performance, has no relevance to authentication and does nothing to provide for data confidentiality.

Explanation/Reference:
Explanation:
Threats exploit vulnerabilities to cause loss or damage to the organization and its assets.

Explanation/Reference:
The correct sequence of BRP benchmarking is PLAN, RESEARCH, OBSERVE, ANALYZE, ADOPT and IMPROVE.
For your exam you should know the information below:
Overview of Business Process Reengineering
One of the principles in business that remains constant is the need to improve your processes and procedures. Most trade magazines today contain discussions of the detailed planning necessary for implementing change in an organization. The concept of change must be accepted as a fundamental principle. Terms such as business evolution and continuous improvement ricochet around the room in business meetings. It's a fact that organizations which fail to change are destined to perish.
As a CISA, you must be prepared to investigate whether process changes within the organization are accounted for with proper documentation. All internal control frameworks require that management be held responsible for safeguarding all the assets belonging to their organization. Management is also responsible for increasing revenue.
BPR Application Steps
ISACA cites six basic steps in their general approach to BPR. These six steps are simply an extension of Stewart's Plan-Do-Check-Act model for managing projects:
Envision -Visualize a need (envision). Develop an estimate of the ROI created by the proposed change.
Elaborate on the benefit with a preliminary project plan to gain sponsorship from the organization. The plan should define the areas to be reviewed and clarify the desired result at the end of the project (aka end state objective). The deliverables of the envision phase include the following:
Project champion working with the steering committee to gain top management approval Brief description of project scope, goals, and objectives description of the specific deliverables from this project with a preliminary charter to evidence management's approval, the project may proceed into the initiation phase.
Initiate -This phase involves setting BPR goals with the sponsor. Focus on planning the collection of detailed evidence necessary to build the subsequent BPR plan for redesigning the process. Deliverables in the initiation phase include the following:
Identifying internal and external requirements (project specifications) Business case explaining why this project makes sense (justification) and the estimated return on investment compared to the total cost (net ROI) Formal project plan with budget, schedule, staffing plan, procurement plan, deliverables, and project risk analysis Level of authority the BPR project manager will hold and the composition of any support committee or task force that will be required From the profit and loss (P&L) statement, identify the item line number that money will be debited from to pay for this project and identify the specific P&L line number that the financial return will later appear under (to provide strict monitoring of the ROI performance) Formal project charter signed by the sponsors It's important to realize that some BPR projects will proceed to their planned conclusion and others may be halted because of insufficient evidence. After a plan is formally approved, the BPR project may proceed to the diagnostic phase.
Diagnose Document existing processes. Now it's time to see what is working and identify the source of each requirement. Each process step is reviewed to calculate the value it creates. The goal of the diagnostic phase is to gain a better understanding of existing processes. The data collected in the diagnostic phase forms the basis of all planning decisions:
Detailed documentation of the existing process
Performance measurement of individual steps in the process
Evidence of specific process steps that add customer value
Identification of process steps that don't add value
Definition of attributes that create value and quality
Put in the extra effort to do a good job of collecting and analyzing the evidence. All future assumptions will be based on evidence from the diagnostic phase.
Redesign- Using the evidence from the diagnostic phase, it's time to develop the new process.
This will take several planning iterations to ensure that the strategic objectives are met. The formal redesign plans will be reviewed by sponsors and stakeholders. A final plan will be presented to the steering committee for approval. Here's an example of deliverables from the redesign phase.
Comparison of the envisioned objective to actual specifications
Analysis of alternatives (AoA)
Prototyping and testing of the redesigned process
Formal documentation of the final design
The project will need formal approval to proceed into the reconstruction phase. Otherwise, the redesign is halted pending further scrutiny while comparing the proposed design with available evidence. Insufficient evidence warrants halting the project.
Reconstruct With formal approval received, it's time to begin the implementation phase.
The current processes are deconstructed and reassembled according to the plan. Reconstruction may be in the form of a parallel process, modular changes, or complete transition. Each method presents a unique risk and reward opportunity. Deliverables from this phase include the following:
Conversion plan with dependencies in time sequence
Change control management
Execution of conversion plan with progress monitoring
Training of users and support personnel
Pilot implementation to ensure a smooth migration Formal approval by the sponsor.
The reconstructed process must be formally approved by management to witness their consent for fitness of use. IT governance dictates that executive management shall be held responsible for any failures and receive recognition for exceptional results. System performance will be evaluated again after entering production use.
Evaluate (post evaluation) The reconstructed process is monitored to ensure that it works and is producing the strategic value as forecast in the original justification.
Comparison of original forecast to actual performance Identification of lessons learned Total quality management plan to maintain the new process A method of continuous improvement is implemented to track the original goals against actual process performance. Annual reevaluation is needed to adapt new requirements or new opportunities.
Benchmarking as a BPR Tool
Benchmarking is the process of comparing performance data (aka metrics). It can be used to evaluate business processes that are under consideration for reengineering. Performance data may be obtained by using a self-assessment or by auditing for compliance against a standard (reference standard). Evidence captured during the diagnostic phase is considered the key to identifying areas for performance improvement and documenting obstacles. ISACA offers the following general guidelines for performing benchmarks:
Plan Identify the critical processes and create measurement techniques to grade the processes.
Research Use information about the process and collect regular data (samples) to build a baseline for comparison. Consider input from your customers and use analogous data from other industries.
Observe Gather internal data and external data from a benchmark partner to aid the comparison results.
Benchmark data can also be compared against published standards.
Analyze Look for root cause-effect relationships and other dependencies in the process. Use predefined tools and procedures to collate the data collected from all available sources.
Adapt Translate the findings into hypotheses of how these findings will help or hurt strategic business goals. Design a pilot test to prove or disprove the hypotheses.
Improve Implement a prototype of the new processes. Study the impact and note any unexpected results.
Revise the process by using controlled change management. Measure the process results again. Use reestablished procedures such as total quality management for continuous improvement.
The following answers are incorrect:
The other options specified does not represent the correct sequence of BRP benchmarking steps.
The following reference(s) were/was used to create this question:
CISA review manual 2014 page number 219 to 211
CISA certified information system auditor study guide Second Edition Page Number 154 to 158

Advanced Encryption Standard (AES), a public algorithm that supports keys from 128 to 256 bits in size, not only provides good security, but provides speed and versatility across a variety of computer platforms. AES runs securely and efficiently on large computers, desktop computers and even small devices such as smart cards. DES is not considered a strong cryptographic solution since its entire key space can be brute forced by large computer systems within a relatively short period of time. Triple DES can take up to three times longer than DES to perform encryption and decryption. RSA keys are large numbers that are suitable only for short messages, such as the creation of a digital signature.

Section: Governance and Management of IT
Explanation/Reference:
Check - Study the actual results (measured and collected in "DO" above) and compare against the
expected results (targets or goals from the "PLAN") to ascertain any differences. Look for deviation in
implementation from the plan and also look for the appropriateness and completeness of the plan to enable
the execution, i.e., "Do". Charting data can make this much easier to see trends over several PDCA cycles
and in order to convert the collected data into information. Information is what you need for the next step
"ACT".
For your exam you should know the information below:
PDCA (plan-do-check-act or plan-do-check-adjust) is an iterative four-step management method used in
business for the control and continuous improvement of processes and products. It is also known as the
Deming circle/cycle/wheel, Stewart cycle, control circle/cycle, or plan-do-study-act (PDSA). Another
version of this PDCA cycle is OPDCA. The added "O" stands for observation or as some versions say
"Grasp the current condition."
The steps in each successive PDCA cycle are:

PLAN
Establish the objectives and processes necessary to deliver results in accordance with the expected output
(the target or goals). By establishing output expectations, the completeness and accuracy of the spec is
also a part of the targeted improvement. When possible start on a small scale to test possible effects.
DO
Implement the plan, execute the process, make the product. Collect data for charting and analysis in the
following "CHECK" and "ACT" steps.
CHECK
Study the actual results (measured and collected in "DO" above) and compare against the expected results
(targets or goals from the "PLAN") to ascertain any differences. Look for deviation in implementation from
the plan and also look for the appropriateness and completeness of the plan to enable the execution, i.e.,
"Do". Charting data can make this much easier to see trends over several PDCA cycles and in order to
convert the collected data into information. Information is what you need for the next step "ACT".
ACT
Request corrective actions on significant differences between actual and planned results. Analyze the
differences to determine their root causes. Determine where to apply changes that will include
improvement of the process or product. When a pass through these four steps does not result in the need
to improve, the scope to which PDCA is applied may be refined to plan and improve with more detail in the
next iteration of the cycle, or attention needs to be placed in a different stage of the process.
The following answers are incorrect:
PLAN - Establish the objectives and processes necessary to deliver results in accordance with the
expected output (the target or goals).
DO - Implement the plan, execute the process, make the product. Collect data for charting and analysis in
the following "CHECK" and "ACT" steps.
ACT -Request corrective actions on significant differences between actual and planned results. Analyze the
differences to determine their root causes. Determine where to apply changes that will include
improvement of the process or product
The following reference(s) were/was used to create this question:
CISA review manual 2014 page number 107