While evaluating the data classification process of an organization, an IS auditor's PRIMARY focus should be on whether:
Correct Answer: C
Question 232
The use of access control lists (ACLs) is the MOST effective method to mitigate security risk for routers because they: (Identify Correct answer and related explanation/references from CISA Certification - Information Systems Auditor official Manual or book)
Correct Answer: B
The use of access control lists (ACLs) can limit Telnet and traffic from the open Internet, and they act as filters between the world and the network. This makes them effective in mitigating security risk for routers as they can restrict unauthorized access to the network and protect it from external threats.
Question 233
Which of the following is MOST useful to an IS auditor performing a review of access controls for a document management system?
Correct Answer: B
A system-generated list of staff and their project assignments, roles, and responsibilities is the most useful to an IS auditor performing a review of access controls for a document management system (DMS). A DMS is a system used to create, store, manage, and track electronic documents and images of paper-based documents through software1. Access controls are the mechanisms that regulate who can access, modify, or delete documents in a DMS, and under what conditions2. A system-generated list of staff and their project assignments, roles, and responsibilities helps the IS auditor to verify the appropriateness, accuracy, and completeness of the access rights granted to different users or groups of users in the DMS, based on the principle of least privilege and the segregation of duties23. Policies and procedures for managing documents provided by department heads (A) are not the most useful to an IS auditor performing a review of access controls for a DMS. Policies and procedures are the documents that define the rules, standards, and guidelines for managing documents in a DMS, such as the document lifecycle, retention, classification, security, etc1. Policies and procedures are important to establish the expectations and requirements for document management, but they do not provide sufficient evidence or assurance of the actual implementation and effectiveness of the access controls in the DMS. Previous audit reports related to other departments' use of the same system are not the most useful to an IS auditor performing a review of access controls for a DMS. Previous audit reports are the documents that summarize the findings, conclusions, and recommendations of previous audits conducted on the same or similar systems or processes4. Previous audit reports are useful to identify the common or recurring issues, risks, or gaps in the access controls of the DMS, as well as the best practices or lessons learned from other departments. However, previous audit reports do not reflect the current state or performance of the access controls in the DMS, and they may not be relevant or applicable to the specific department or scope of the current audit. Information provided by the audit team lead on the authentication systems used by the department (D) are not the most useful to an IS auditor performing a review of access controls for a DMS. Authentication systems are the systems that verify the identity and credentials of the users who attempt to access the DMS, such as passwords, tokens, biometrics, etc2. Authentication systems are important to ensure the integrity and accountability of the users who access the DMS, but they do not provide sufficient information or assurance of the authorization and restriction of the users who access the DMS. Authorization and restriction are the aspects of access control that determine what actions or operations the users can perform on the documents in the DMS, such as read, write, edit, delete, etc2.
Question 234
In a 24/7 processing environment, a database contains several privileged application accounts with passwords set to "never expire.' Which of the following recommendations would BEST address the risk with minimal disruption to the business?
Correct Answer: C
Question 235
Stress testing should ideally be earned out under a:
