CISA - Certified Information Systems Auditor Practice Questions: Protection of Information Assets Domain

Correct Answer: A

Explanation: The most significant risk of not having a documented incident response plan is a delayed response to security incidents. Without a clear plan, the organization may struggle to respond quickly and effectively, potentially exacerbating the impact of the incident. While financial penalties (B), inability to identify root causes (C), and lack of awareness (D) are concerns, the immediate risk is the delay in response.

Correct Answer: C

Explanation: The IS auditor should verify that access rights are reviewed and updated regularly to ensure the effectiveness of RBAC, as roles and responsibilities may change over time. Option A ensures alignment but does not address ongoing effectiveness. Option B is about awareness, not access control. Option D is important for monitoring but does not directly verify RBAC effectiveness.

Correct Answer: B

Explanation: Reviewing the configuration settings of the access control system (Option B) is crucial to ensure it is functioning effectively. This involves verifying that the system is configured according to the organization's security policies and that it enforces appropriate access controls. The incident response plan (Option A) and business continuity plan (Option C) are important but not directly related to the access control system's effectiveness. Service level agreements (Option D) are more about vendor performance than system functionality.

Correct Answer: B

Explanation: B is correct because without procedures for handling insider threats, these threats may not be detected or mitigated effectively, posing a significant security risk. A is incorrect because compliance issues are secondary to the risk of undetected threats. C is incorrect because reputational damage is a potential consequence, not the primary risk. D is incorrect because the relevance of the IRP is not directly related to the omission of insider threat procedures.

Correct Answer: D

Explanation: The primary focus should be on verifying that user access rights are granted on a need-to-know basis to ensure that sensitive information is only accessible to authorized individuals. While logging, alignment with business objectives, and documentation are important, they do not directly address the effectiveness of access controls.

Correct Answer: A

Explanation: The primary focus of the audit should be to check if all data is classified according to the policy (A). Proper classification is essential for the policy's effectiveness in protecting information assets. While alignment with industry standards (B), staff training (C), and reclassification procedures (D) are important, the key measure of effectiveness is whether data is actually classified as required.

Correct Answer: B

Explanation: B is correct because without logging access to the data center, it is impossible to track who has entered and exited, which is a fundamental aspect of physical security. A is incorrect because while location is important, it does not directly relate to the control of access. C is incorrect because backup power, while important, is not a primary concern of physical security. D is incorrect because fire suppression, while important, is secondary to access control.

Correct Answer: B

Explanation: The most important consideration is the IDS's capability to provide real-time alerts, as timely detection is crucial for responding to and mitigating security incidents. Option A is important for operational integration but secondary to core functionality. Option C is relevant for long-term support but not as critical as detection capability. Option D is a financial consideration but does not directly assess the IDS's effectiveness.

Correct Answer: C

Explanation: The primary focus when evaluating the effectiveness of a data classification policy is to ensure there are controls in place to enforce the policy. Without enforcement mechanisms, the policy may not be effectively implemented, regardless of how well it is communicated or how frequently it is reviewed. While alignment with industry best practices (A), communication (B), and regular updates (D) are important, they do not guarantee enforcement.

Correct Answer: A

Explanation: The most significant risk is a delayed response to security incidents, which can lead to increased damage and impact on the organization. Clearly defining roles and responsibilities ensures timely and effective incident response. While compliance, costs, and reporting are important, they are secondary to the immediate impact of delayed responses.