Which of the following can only be provided by asymmetric encryption?
Correct Answer: D
Nonrepudiation is the only property listed that can be provided exclusively by asymmetric cryptography. Nonrepudiation is the ability to prove to a third party that a message or transaction was originated or authorized by a specific party. Asymmetric encryption uses a pair of keys: a public key, which can be shared with anyone, and a private key, which is kept secret by its owner. When the sender signs a message with the private key (in RSA terms, applying the private key to a hash of the message), anyone holding the sender's public key can verify the result, but only the holder of the private key could have produced it. Because the private key is never shared, the sender cannot later deny having signed the message; this is a digital signature, and it is what provides nonrepudiation. Symmetric mechanisms cannot provide it: a message authentication code proves that someone holding the shared key produced the message, but since both sender and receiver hold that key, either of them could have done so, and an arbitrator cannot tell which. Asymmetric encryption can also provide confidentiality (information privacy) by encrypting a message with the receiver's public key so that only the receiver's private key can decrypt it, but confidentiality is equally provided by symmetric encryption, which uses a single shared key to both encrypt and decrypt. References: * CISA Review Manual (Digital Version), Chapter 5, Section 5.21 * CISA Online Review Course, Domain 3, Module 2, Lesson 12
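The difference between a shared-key MAC and a private-key signature is easiest to see by letting the receiver try to forge. The following is an added example, not part of the original question bank: it uses a deliberately tiny textbook RSA (20-bit primes found by trial division, SHA-256 of the message reduced modulo n, no padding) beside an HMAC, with constructed keys and messages. The receiver, who holds the shared HMAC key, can mint a valid tag for a message the sender never sent; the same receiver, holding only the RSA public key, cannot produce a signature that verifies. The key sizes and the absence of padding make this unsuitable for anything but illustration.

```python
"""Toy comparison: HMAC (symmetric) versus RSA signature (asymmetric) for nonrepudiation."""
import hashlib
import hmac
from math import isqrt


def is_prime(n: int) -> bool:
    """Trial division; adequate for the ~10**6 range used in this toy."""
    if n < 2:
        return False
    return all(n % d for d in range(2, isqrt(n) + 1))


def next_prime(n: int) -> int:
    """Smallest prime >= n."""
    while not is_prime(n):
        n += 1
    return n


def toy_rsa_keypair():
    """Textbook RSA with ~20-bit primes (constructed, demonstration only).
    65537 is prime and no multiple of it lies near 10**6, so gcd(e, phi) == 1."""
    p, q = next_prime(10**6), next_prime(10**6 + 100)
    n = p * q
    phi = (p - 1) * (q - 1)
    e = 65537
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return (n, e), (n, d)  # (public, private)


def digest_int(msg: bytes, n: int) -> int:
    """SHA-256 of the message as an integer in [0, n); no padding scheme (toy)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def rsa_sign(priv, msg: bytes) -> int:
    """Sign = apply the private exponent to the message digest."""
    n, d = priv
    return pow(digest_int(msg, n), d, n)


def rsa_verify(pub, msg: bytes, sig: int) -> bool:
    """Verify = apply the public exponent and compare with the digest."""
    n, e = pub
    return pow(sig, e, n) == digest_int(msg, n)


def mac_tag(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def mac_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, msg), tag)


def demo() -> dict:
    """Run both schemes against a receiver who tries to forge. All inputs are constructed."""
    pub, priv = toy_rsa_keypair()
    shared_key = b"constructed-shared-key"          # known to sender AND receiver
    genuine = b"Transfer 100 to account 42"          # what the sender actually authorised
    forged = b"Transfer 1000 to account 42"          # what the receiver would like to claim

    # Symmetric: the receiver holds the same key, so a tag it mints is indistinguishable
    # from one the sender would have produced. An arbitrator cannot attribute it.
    receiver_tag = mac_tag(shared_key, forged)
    mac_forgery_verifies = mac_verify(shared_key, forged, receiver_tag)

    # Asymmetric: the receiver holds only the public key. The best it can do is apply
    # the public exponent, which is not a signature and will not verify.
    sig = rsa_sign(priv, genuine)
    n, e = pub
    receiver_attempt = pow(digest_int(forged, n), e, n)

    return {
        "signature_valid": rsa_verify(pub, genuine, sig),
        "tampered_rejected": not rsa_verify(pub, forged, sig),
        "mac_forgery_verifies": mac_forgery_verifies,
        "public_key_forgery_verifies": rsa_verify(pub, forged, receiver_attempt),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two forgery results are the point: the HMAC forgery verifies, so the MAC binds a message to "someone with the key" rather than to the sender, whereas the public-key attempt fails because producing a valid signature requires d, which the sender never shared.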
Question 607
Which of the following BEST contributes to the quality of an audit of a business-critical application?
Correct Answer: D
Involving the application owner early in the audit planning process is the best way to contribute to the quality of an audit of a business-critical application. The application owner has a deep understanding of the application and its business context, which provides valuable input for the audit. Early involvement also helps ensure that the audit is aligned with the business objectives and risks, and that potential issues are identified and addressed promptly. References: Business Critical Applications: An In-Depth Look; Framework for Audit Quality - IFAC
Question 608
An IS auditor can verify that an organization's business continuity plan (BCP) is effective by reviewing the:
Correct Answer: B
The effectiveness of the business continuity plan (BCP) can best be evaluated by reviewing the results of previous business continuity tests for thoroughness and accuracy in accomplishing their stated objectives. None of the other choices provides assurance that the BCP is effective.
Question 609
Identify the INCORRECT statement from the testing types listed below.
Correct Answer: A
Section: Information System Acquisition, Development and Implementation
The word INCORRECT is the keyword in this question: you need to identify the option whose definition is wrong. Recovery testing is incorrectly defined in the options above. The correct description is:
Recovery Testing - Checking the system's ability to recover after a software or hardware failure.
For the CISA exam you should know the following types of testing:
Unit Testing - The testing of an individual program or module. Unit testing uses a set of test cases that focus on the control structure of the procedural design. These tests ensure that the program operates internally according to its specification.
Interface or Integration Testing - A hardware or software test that evaluates the connection of two or more components that pass information from one area to another. The objective is to take unit-tested modules and build the integrated structure dictated by the design. The term integration testing also refers to tests that verify and validate the functioning of the application under test with other systems, where a set of data is transferred from one system to another.
System Testing - A series of tests designed to ensure that modified programs, objects, database schema, etc., which collectively constitute a new or modified system, function properly. These test procedures are often performed in a non-production test/development environment by software developers designated as a test team. The following specific analyses may be carried out during system testing:
Recovery Testing - Checking the system's ability to recover after a software or hardware failure.
Security Testing - Making sure the modified/new system includes provisions for appropriate access control and does not introduce any security holes that might compromise other systems.
Load Testing - Testing an application with large quantities of data to evaluate its performance during peak hours.
Volume Testing - Studying the impact on the application by testing with an incremental volume of records to determine the maximum volume of records the application can process.
Stress Testing - Studying the impact on the application by testing with an incremental number of concurrent users/services to determine the maximum number of concurrent users/services the application can process.
Performance Testing - Comparing the system's performance to that of other equivalent systems using well-defined benchmarks.
Final Acceptance Testing - Has two major parts: quality assurance testing (QAT), focusing on the technical aspects of the application, and user acceptance testing (UAT), focusing on the functional aspects. QAT focuses on the documented specifications and the technology employed. It verifies that the application works as documented by testing the logical design and the technology itself, and it ensures that the application meets the documented technical specifications and deliverables. QAT is performed primarily by the IS department; end-user participation is minimal and on request. QAT does not focus on functionality testing. UAT supports the process of ensuring that the system is production-ready and satisfies all documented requirements. The methods include: definition of test strategies and procedures; design of test cases and scenarios; execution of the tests; and use of the results to verify system readiness. Acceptance criteria are defined criteria that a deliverable must meet to satisfy the predefined needs of the user. A UAT plan must be documented for the final test of the completed system. The tests are written from a user's perspective and should exercise the system in a manner as close to production as possible.
The other options present valid definitions.
Reference: CISA Review Manual 2014, page 166
Question 610
Which of the following MOST efficiently protects computer equipment against short-term reductions in electrical power?