Which of the following is the BEST recommendation for the establishment of an information security policy?
Correct Answer: C
Question 887
An internal audit team is deciding whether to use an audit management application hosted by a third party in a different country. What should be the MOST important consideration related to the uploading of payroll audit documentation in the hosted application?
Correct Answer: C
Explanation This is because privacy regulations are laws or rules that protect the personal information of individuals from unauthorized access, use, disclosure, or transfer by third parties. Payroll audit documentation may contain sensitive and confidential data, such as employee names, salaries, benefits, taxes, deductions, and bank accounts. If the audit management application is hosted by a third party in a different country, the organization may need to comply with the privacy regulations of both its own country and the host country, as well as any international or regional agreements or frameworks that apply. Privacy regulations may impose various requirements and obligations on the organization, such as obtaining consent from the data subjects, implementing appropriate security measures, notifying data breaches, and ensuring data quality and accuracy. Privacy regulations may also grant various rights to the data subjects, such as accessing, correcting, deleting, or transferring their data. Failing to comply with privacy regulations may expose the organization to significant risks and consequences, such as legal actions, fines, sanctions, reputational damage, or loss of trust. Some examples of privacy regulations affecting the organization are: The General Data Protection Regulation (GDPR), which is a comprehensive and strict privacy regulation that applies to any organization that processes personal data of individuals in the European Union (EU) or offers goods or services to them, regardless of where the organization or the data is located1. The California Consumer Privacy Act (CCPA), which is a broad and influential privacy regulation that applies to any organization that collects personal information of California residents and meets certain thresholds of revenue, data volume, or data sharing2. The Health Insurance Portability and Accountability Act (HIPAA), which is a sector-specific privacy regulation that applies to any organization that handles protected health information (PHI) of individuals in the United States, such as health care providers, health plans, or health care clearinghouses3. Therefore, before using an audit management application hosted by a third party in a different country, the internal audit team should conduct a thorough assessment of the privacy regulations affecting the organization and ensure that they have adequate policies, procedures, and controls in place to comply with them.
Question 888
Which of the following is the PRIMARY reason for an IS auditor to conduct post-implementation reviews?
Correct Answer: A
The primary reason for an IS auditor to conduct post-implementation reviews is to determine whether project objectives in the business case have been achieved. A post-implementation review is an audit activity that evaluates whether a project has delivered its expected outcomes or benefits in accordance with its objectives, scope, budget, and schedule. A business case is a document that defines and justifies the need, value, and feasibility of a project. A post-implementation review can help assess whether project objectives in the business case have been achieved by comparing actual results with planned expectations and identifying any gaps or deviations. The other options are not primary reasons for conducting post-implementation reviews, as they do not measure whether project objectives in the business case have been achieved. Ensuring key stakeholder sign-off has been obtained is a project closure activity that confirms that all project deliverables have been completed and accepted by key stakeholders, but it does not evaluate whether project objectives in the business case have been achieved. Aligning project objectives with business needs is a project initiation activity that ensures that the project is aligned with the organization's strategy, goals, and priorities, but it does not evaluate whether project objectives in the business case have been achieved. Documenting lessons learned to improve future project delivery is a project learning activity that captures and shares the knowledge, experience, and feedback gained from the project, but it does not evaluate whether project objectives in the business case have been achieved. References: CISA Review Manual (Digital Version), Chapter 3, Section 3.3
Question 889
When conducting a review of security incident management, an IS auditor found there are no defined escalation processes. All incidents are managed by the service desk. Which of the following should be the auditor's PRIMARY concern?
Correct Answer: B
Section: The process of Auditing Information System
Question 890
Which of the following would an IS auditor consider to be the MOST important to review when conducting a business continuity audit?
Correct Answer: D
Explanation/Reference: Explanation: Without data to process, all other components of the recovery effort are in vain. Even in the absence of a plan, recovery efforts of any type would not be practical without data to process.
