Which of the following is a benefit of the DevOps development methodology?
Correct Answer: D
Question 902
An off-site processing facility should be easily identifiable externally because easy identification helps ensure smoother recovery. True or false?
Correct Answer: B
Section: Protection of Information Assets
Explanation: An off-site processing facility should not be easily identifiable externally because easy identification would create an additional vulnerability for sabotage.
Question 903
To install backdoors, hackers generally prefer to use:
Correct Answer: A
Explanation: A backdoor is a method of bypassing normal authentication procedures. Many computer manufacturers used to preinstall backdoors on their systems to provide technical support for customers. Hackers typically use backdoors to secure remote access to a computer while attempting to remain hidden from casual inspection. To install backdoors, hackers prefer to use either a Trojan horse or a computer worm.
Question 904
During an audit of a reciprocal disaster recovery agreement between two companies, the IS auditor would be MOST concerned with the:
Correct Answer: A
Explanation: During an audit of a reciprocal disaster recovery agreement between two companies, the IS auditor would be most concerned with the allocation of resources during an emergency. A reciprocal disaster recovery agreement is an arrangement by which one organization agrees to use another's resources in the event of a business continuity event or incident. The IS auditor would need to ensure that both parties have clearly defined their roles and responsibilities, their resource requirements, their priority levels, their communication channels, and their escalation procedures in case of a disaster. The IS auditor would also need to verify that both parties have tested their agreement and have updated it regularly to reflect any changes in their business environments. The frequency of system testing is not as critical as the allocation of resources during an emergency, because system testing can be performed periodically or on demand, while resource allocation is a dynamic and complex process that requires careful planning and coordination. The differences in IS policies and procedures are not as critical as the allocation of resources during an emergency, because both parties can agree on common standards and protocols for their disaster recovery operations, or they can adapt their policies and procedures to suit each other's needs. The maintenance of hardware and software compatibility is not as critical as the allocation of resources during an emergency, because both parties can use compatible or interoperable systems, or they can use virtualization or cloud computing technologies to overcome any compatibility issues.
References: ISACA CISA Review Manual 27th Edition, page 281
Question 905
What is MOST important to verify during an external assessment of network vulnerability?
Correct Answer: C
Explanation: An external assessment of network vulnerability is a process of identifying and evaluating the weaknesses and risks that affect the security and availability of a network from an outsider's perspective. The most important factor to verify during this process is the completeness of network asset inventory, which is a list of all the devices, systems, and software that are connected to or part of the network. A complete and accurate network asset inventory can help identify the scope and boundaries of the network, the potential attack vectors and entry points, the critical assets and dependencies, and the existing security controls and gaps. Without a complete network asset inventory, an external assessment of network vulnerability may miss some important assets or vulnerabilities, leading to inaccurate or incomplete results and recommendations.