What process is used to validate a subject's identity?
Correct Answer: D
Explanation/Reference: Authentication is used to validate a subject's identity.
Question 192
In which of the following situations is it MOST appropriate to implement data mirroring as the recovery strategy?
Correct Answer: C
Explanation/Reference: Explanation: A recovery point objective (RPO) indicates the latest point in time at which it is acceptable to recover the datA. If the RPO is low, data mirroring should be implemented as the data recovery strategy. The recovery time objective (RTO) is an indicator of the disaster tolerance. The lower the RTO, the lower the disaster tolerance. Therefore, choice C is the correct answer.
Question 193
Which of the following should an IS auditor recommend be done FIRST when an organization is made aware of a new regulation that is likely to impact IT security requirements?
Correct Answer: B
Explanation The first thing that an IS auditor should recommend when an organization is made aware of a new regulation that is likely to impact IT security requirements is to determine which systems and IT-related processes may be impacted. This is because the impact assessment is a crucial step to understand the scope and magnitude of the changes that the new regulation may entail, as well as the potential risks and gaps that need to be addressed. The impact assessment can help the organization to prioritize and plan the necessary actions and resources to comply with the new regulation in a timely and effective manner12. Updating security policies based on the new regulation is not the first thing to do, because it requires a clear understanding of the impact and implications of the new regulation, which can only be obtained after conducting an impact assessment. Updating security policies without an impact assessment may result in incomplete, inconsistent, or ineffective policies that may not meet the regulatory requirements or the organizational needs12. Evaluating how security awareness and training content may be impacted is not the first thing to do, because it is a secondary or supporting activity that depends on the results of the impact assessment and the policy updates. Evaluating security awareness and training content without an impact assessment or policy updates may result in inaccurate, outdated, or irrelevant content that may not reflect the regulatory requirements or the organizational expectations34. Reviewing the design and effectiveness of existing IT controls is not the first thing to do, because it is a monitoring or assurance activity that follows the implementation of the changes based on the impact assessment and the policy updates. Reviewing IT controls without an impact assessment or policy updates may result in misleading, incomplete, or invalid findings that may not capture the regulatory requirements or the organizational performance
Question 194
An IS auditor notes that due to the small size of the organization, human resources staff can create new employees in the payroll system as well as process payroll. Which of the following is the BEST recommendation to address this situation?
Correct Answer: C
Question 195
Which of the following layer of an enterprise data flow architecture is concerned with basic data communication?
Correct Answer: C
Explanation/Reference: Internet/Intranet layer - This layer is concerned with basic data communication. Included here are browser based user interface and TCP/IP networking. For CISA exam you should know below information about business intelligence: Business intelligence(BI) is a broad field of IT encompasses the collection and analysis of information to assist decision making and assess organizational performance. To deliver effective BI, organizations need to design and implement a data architecture. The complete data architecture consists of two components The enterprise data flow architecture (EDFA) A logical data architecture Various layers/components of this data flow architecture are as follows: Presentation/desktop access layer - This is where end users directly deal with information. This layer includes familiar desktop tools such as spreadsheets, direct querying tools, reporting and analysis suits offered by vendors such as Congas and business objects, and purpose built application such as balanced source cards and digital dashboards. Data Source Layer - Enterprise information derives from number of sources: Operational data - Data captured and maintained by an organization's existing systems, and usually held in system-specific database or flat files. External Data - Data provided to an organization by external sources. This could include data such as customer demographic and market share information. Nonoperational data - Information needed by end user that is not currently maintained in a computer accessible format. Core data warehouse -This is where all the data of interest to an organization is captured and organized to assist reporting and analysis. DWs are normally instituted as large relational databases. A property constituted DW should support three basic form of an inquiry. Drilling up and drilling down - Using dimension of interest to the business, it should be possible to aggregate data as well as drill down. Attributes available at the more granular levels of the warehouse can also be used to refine the analysis. Drill across - Use common attributes to access a cross section of information in the warehouse such as sum sales across all product lines by customer and group of customers according to length of association with the company. Historical Analysis - The warehouse should support this by holding historical, time variant data. An example of historical analysis would be to report monthly store sales and then repeat the analysis using only customer who were preexisting at the start of the year in order to separate the effective new customer from the ability to generate repeat business with existing customers. Data Mart Layer- Data mart represents subset of information from the core DW selected and organized to meet the needs of a particular business unit or business line. Data mart can be relational databases or some form on-line analytical processing (OLAP) data structure. Data Staging and quality layer -This layer is responsible for data copying, transformation into DW format and quality control. It is particularly important that only reliable data into core DW. This layer needs to be able to deal with problems periodically thrown by operational systems such as change to account number format and reuse of old accounts and customer numbers. Data Access Layer -This layer operates to connect the data storage and quality layer with data stores in the data source layer and, in the process, avoiding the need to know to know exactly how these data stores are organized. Technology now permits SQL access to data even if it is not stored in a relational database. Data Preparation layer -This layer is concerned with the assembly and preparation of data for loading into data marts. The usual practice is to per-calculate the values that are loaded into OLAP data repositories to increase access speed. Data mining is concern with exploring large volume of data to determine patterns and trends of information. Data mining often identifies patterns that are counterintuitive due to number and complexity of data relationships. Data quality needs to be very high to not corrupt the result. Metadata repository layer - Metadata are data about data. The information held in metadata layer needs to extend beyond data structure names and formats to provide detail on business purpose and context. The metadata layer should be comprehensive in scope, covering data as they flow between the various layers, including documenting transformation and validation rules. Warehouse Management Layer -The function of this layer is the scheduling of the tasks necessary to build and maintain the DW and populate data marts. This layer is also involved in administration of security. Application messaging layer -This layer is concerned with transporting information between the various layers. In addition to business data, this layer encompasses generation, storage and targeted communication of control messages. Internet/Intranet layer - This layer is concerned with basic data communication. Included here are browser based user interface and TCP/IP networking. Various analysis models used by data architects/ analysis follows: Activity or swim-lane diagram - De-construct business processes. Entity relationship diagram -Depict data entities and how they relate. These data analysis methods obviously play an important part in developing an enterprise data model. However, it is also crucial that knowledgeable business operative are involved in the process. This way proper understanding can be obtained of the business purpose and context of the data. This also mitigates the risk of replication of suboptimal data configuration from existing systems and database into DW. The following were incorrect answers: Desktop access layer or presentation layer is where end users directly deal with information. This layer includes familiar desktop tools such as spreadsheets, direct querying tools, reporting and analysis suits offered by vendors such as Congas and business objects, and purpose built application such as balanced source cards and digital dashboards. Data preparation layer -This layer is concerned with the assembly and preparation of data for loading into data marts. The usual practice is to per-calculate the values that are loaded into OLAP data repositories to increase access speed. Data access layer - his layer operates to connect the data storage and quality layer with data stores in the data source layer and, in the process, avoiding the need to know to know exactly how these data stores are organized. Technology now permits SQL access to data even if it is not stored in a relational database. The following reference(s) were/was used to create this question: CISA review manual 2014 Page number 188
