ISACA Certification / CISA Exam / ISACA.CISA.v2024-03-31.q980 Dumps

Question 901

An IS auditor plans to review all access attempts to a video-monitored and proximity card-controlled communications room. Which of the following would be MOST useful to the auditor?

Correct Answer: B
Explanation
A system electronic log is the most useful source of information for an IS auditor to review all access attempts to a video-monitored and proximity card-controlled communications room. A system electronic log can provide accurate and detailed records of the date, time, card number, and status (success or failure) of each access attempt. A system electronic log can also be easily searched, filtered, and analyzed by the auditor to identify any unauthorized or suspicious access attempts.
A manual sign-in and sign-out log is not as reliable or useful as a system electronic log, because it depends on the honesty and compliance of the users. A manual log can be easily manipulated, forged, or omitted by the users or intruders. A manual log also does not capture the status of each access attempt, and it can be difficult to verify the identity of the users based on their signatures.
An alarm system with CCTV is not as useful as a system electronic log, because it only captures the events that trigger the alarm, such as unauthorized or forced entry. An alarm system with CCTV does not provide a complete record of all access attempts, and it can be affected by factors such as camera angle, lighting, and resolution. Reviewing the video footage also requires more of the auditor's time and effort than querying an electronic log.
A security incident log is not as useful as a system electronic log, because it only records the incidents that are reported by the users or detected by the security staff. A security incident log does not provide a comprehensive record of all access attempts, and it can be incomplete or inaccurate depending on the reporting and detection mechanisms. A security incident log also does not capture the details of each access attempt, such as the card number and status.
References:
ISACA CISA Review Manual 27th Edition (2019), page 247
ISACA CISA Certified Information Systems Auditor Exam ... - PUPUWEB

Question 902

Sam is the security manager of a financial institution. Senior management has requested that he perform a risk analysis on all critical vulnerabilities reported by an IS auditor. After completing the risk analysis, Sam has observed that for a few of the risks, the cost-benefit analysis shows that the risk mitigation cost (countermeasures, controls, or safeguards) is more than the potential loss that could be incurred. What kind of strategy should Sam recommend to senior management to treat these risks?

Correct Answer: B
Section: The process of Auditing Information System
Explanation/Reference:
Risk acceptance is the practice of accepting certain risk(s), typically based on a business decision that may also weigh the cost versus the benefit of dealing with the risk in another way.

For your exam you should know the following information about risk assessment and treatment:

A risk assessment, which is a tool for risk management, is a method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls. A risk assessment is carried out, and the results are analyzed. Risk analysis is used to ensure that security is cost-effective, relevant, timely, and responsive to threats. Security can be quite complex, even for well-versed security professionals, and it is easy to apply too much security, not enough security, or the wrong security controls, and to spend too much money in the process without attaining the necessary objectives. Risk analysis helps companies prioritize their risks and shows management the amount of resources that should be applied to protecting against those risks in a sensible manner.

A risk analysis has four main goals:
  • Identify assets and their value to the organization.
  • Identify vulnerabilities and threats.
  • Quantify the probability and business impact of these potential threats.
  • Provide an economic balance between the impact of the threat and the cost of the countermeasure.

Treating Risk

Risk Mitigation
Risk mitigation is the practice of eliminating, or significantly decreasing, the level of risk presented. Examples of risk mitigation can be seen in everyday life and are readily apparent in the information technology world. Risk mitigation involves applying appropriate controls to reduce risk. For example, to lessen the risk of exposing personal and financial information that is highly sensitive and confidential, organizations put countermeasures in place, such as firewalls, intrusion detection/prevention systems, and other mechanisms, to deter malicious outsiders from accessing this highly sensitive information. In the underage driver example used in the following sections, risk mitigation could take the form of driver education for the youth, establishing a policy not allowing the young driver to use a cell phone while driving, or not letting youth of a certain age have more than one friend in the car as a passenger at any given time.

Risk Transfer
Risk transfer is the practice of passing on the risk in question to another entity, such as an insurance company. Consider the underage driver example in a different way. The family is evaluating whether to permit an underage driver to use the family car. The family decides that it is important for the youth to be mobile, so it transfers the financial risk of a youth being in an accident to the insurance company, which provides the family with auto insurance.

It is important to note that the transfer of risk may be accompanied by a cost. This is certainly true for the insurance example, and can be seen in other insurance instances, such as liability insurance for a vendor or the insurance taken out by companies to protect against hardware and software theft or destruction. This may also be true if an organization must purchase and implement security controls in order to make the organization less desirable to attack. It is important to remember that not all risk can be transferred. While financial risk is simple to transfer through insurance, reputational risk may almost never be fully transferred.

Risk Avoidance
Risk avoidance is the practice of coming up with alternatives so that the risk in question is not realized. For example, have you ever heard a friend, or parents of a friend, complain about the costs of insuring an underage driver? How about the risks that many of these children face as they become mobile? Some of these families will decide that the child in question will not be allowed to drive the family car, but will rather wait until he or she is of legal age (i.e., 18 years of age) before committing to owning, insuring, and driving a motor vehicle.

In this case, the family has chosen to avoid the risks (and any associated benefits) associated with an underage driver, such as poor driving performance or the cost of insurance for the child. Although this choice may be available for some situations, it is not available for all. Imagine a global retailer who, knowing the risks associated with doing business on the Internet, decides to avoid the practice. This decision will likely cost the company a significant amount of its revenue (if, indeed, the company has products or services that consumers wish to purchase). In addition, the decision may require the company to build or lease a site in each of the locations, globally, in which it wishes to continue business. This could have a catastrophic effect on the company's ability to continue business operations.

Risk Acceptance
In some cases, it may be prudent for an organization to simply accept the risk that is presented in certain scenarios. Risk acceptance is the practice of accepting certain risk(s), typically based on a business decision that may also weigh the cost versus the benefit of dealing with the risk in another way.

For example, an executive may be confronted with risks identified during the course of a risk assessment for their organization. These risks have been prioritized by high, medium, and low impact to the organization. The executive notes that in order to mitigate or transfer the low-level risks, significant costs could be involved. Mitigation might involve the hiring of additional highly skilled personnel and the purchase of new hardware, software, and office equipment, while transference of the risk to an insurance company would require premium payments. The executive then further notes that minimal impact to the organization would occur if any of the reported low-level threats were realized. Therefore, he or she (rightly) concludes that it is wiser for the organization to forgo the costs and accept the risk. In the young driver example, risk acceptance could be based on the observation that the youngster has demonstrated the responsibility and maturity to warrant the parent's trust in his or her judgment.

The following answers are incorrect:
Risk Transfer - Risk transfer is the practice of passing on the risk in question to another entity, such as an insurance company.
Risk Avoidance - Risk avoidance is the practice of coming up with alternatives so that the risk in question is not realized.
Risk Mitigation - Risk mitigation is the practice of eliminating, or significantly decreasing, the level of risk presented.

The following reference(s) were used to create this question:
CISA Review Manual 2014, page 51
Official ISC2 Guide to the CISSP CBK, 3rd edition, pages 534-539

Question 903

Which of the following is the MOST important prerequisite for the protection of physical information assets in a data center?

Correct Answer: B
Explanation
The most important prerequisite for the protection of physical information assets in a data center is a complete and accurate list of the information assets that have been deployed. Information assets are any data, devices, systems, or software that have value for the organization and need to be protected from unauthorized access, use, disclosure, modification, or destruction. A data center is a facility that houses information assets such as servers, storage devices, and network equipment that support the organization's IT operations and services.

A complete and accurate list of the information assets deployed in a data center makes it possible to identify and classify the assets based on their importance, sensitivity, or criticality for the organization, which in turn determines the appropriate level of protection and the security measures that need to be applied to each asset. A complete and accurate inventory also makes it possible to track and monitor the location, status, ownership, usage, configuration, and maintenance of each asset, which helps to prevent or detect unauthorized or inappropriate changes or movements of assets that may compromise their security or integrity.

Segregation of duties between staff ordering and staff receiving information assets, availability and testing of onsite backup generators, and knowledge of the IT staff regarding data protection requirements are also important prerequisites for the protection of physical information assets in a data center, but not as important as a complete and accurate list of the information assets that have been deployed. These factors relate to the implementation and maintenance of security controls and procedures, which depend on having a complete and accurate asset list as a starting point.

References: ISACA CISA Review Manual 27th Edition, page 308

Question 904

Which of the following will BEST protect an organization against spear phishing?

Correct Answer: C
Section: Governance and Management of IT

Question 905

An organization that operates an e-commerce website wants to provide continuous service to its customers and is planning to invest in a hot site due to service criticality. Which of the following is the MOST important consideration when making this decision?

Correct Answer: A
The most important consideration when deciding whether to invest in a hot site is the Maximum Tolerable Downtime (MTD). This is the maximum amount of time a system can be down before the outage affects the organization's operations or customer service. Other considerations, such as the Recovery Time Objective (RTO) and Recovery Point Objective (RPO), are also important, but the MTD is the most important factor when considering an investment in a hot site.
©2026 FreeQAs