Category ISACA

A key tenet of the Agile approach to software project management is team learning and the use of team learning to refine project management and software development processes as the project progresses. One of the best ways to achieve this is that, atthe end of each iteration, the team considers and documents what worked well and what could have worked better, and identifies improvements to be implemented in subsequent iterations. CMM and Agile really sit at opposite poles. CMM places heavy emphasis on predefined formal processes and formal project management and software development deliverables. Agile projects, by contrast, rely on refinement of process as dictated by the particular needs of the project and team dynamics. Additionally, less importance is placed on formal paper-based deliverables, with the preference being effective informal communication within the team and with key outside contributors. Agile projects produce releasable software in short iterations, typically ranging from 4 to 8 weeks. This, in itself, instills considerable performance discipline within the team. This, combined with short daily meetings to agree on what the team is doing and the identification of any impediments, renders task-level tracking against a schedule redundant. Agile projects do make use of suitable development tools; however, tools are not seen as the primary means of achieving productivity. Team harmony, effective communications and collective ability to solve challenges are of

Section: Governance and Management of IT

Section: Information System Operations, Maintenance and Support
Explanation:
Copper cable is very simple to install and easy to tap. It is used mostly for short distance and supports voice and data.
For your exam you should know below information about transmission media:
Copper Cable
Copper cable is very simple to install and easy to tap. It is used mostly for short distance and supports voice and data.
Copper has been used in electric wiring since the invention of the electromagnet and the telegraph in the
1820s.The invention of the telephone in 1876 created further demand for copper wire as an electrical conductor.
Copper is the electrical conductor in many categories of electrical wiring. Copper wire is used in power generation, power transmission, power distribution, telecommunications, electronics circuitry, and countless types of electrical equipment. Copper and its alloys are also used to make electrical contacts. Electrical wiring in buildings is the most important market for the copper industry. Roughly half of all copper mined is used to manufacture electrical wire and cable conductors.
Copper Cable

Coaxial cable
Coaxial cable, or coax (pronounced ‘ko.aks), is a type of cable that has an inner conductor surrounded by a tubular insulating layer, surrounded by a tubular conducting shield. Many coaxial cables also have an insulating outer sheath or jacket. The term coaxial comes from the inner conductor and the outer shield sharing a geometric axis. Coaxial cable was invented by English engineer and mathematician Oliver Heaviside, who patented the design in 1880.Coaxial cable differs from other shielded cable used for carrying lower-frequency signals, such as audio signals, in that the dimensions of the cable are controlled to give a precise, constant conductor spacing, which is needed for it to function efficiently as a radio frequency transmission line.
Coaxial cable is expensive and does not support many LAN’s. It supports data and video.

Coaxial Cable
Fiber optics
An optical fiber cable is a cable containing one or more optical fibers that are used to carry light. The optical fiber elements are typically individually coated with plastic layers and contained in a protective tube suitable for the environment where the cable will be deployed. Different types of cable are used for different applications, for example long distance telecommunication, or providing a high-speed data connection between different parts of a building.
Fiber optics used for long distance, hard to splice, not vulnerable to cross talk and difficult to tap. It supports voice data, image and video.
Fiber Optics

Radio System
Radio systems are used for short distance, cheap and easy to intercept.
Radio is the radiation (wireless transmission) of electromagnetic signals through the atmosphere or free space.
Information, such as sound, is carried by systematically changing (modulating) some property of the radiated waves, such as their amplitude, frequency, phase, or pulse width. When radio waves strike an electrical conductor, the oscillating fields induce an alternating current in the conductor. The information in the waves can be extracted and transformed back into its original form.
Microwave radio system
Microwave transmission refers to the technology of transmitting information or energy by the use of radio waves whose wavelengths are conveniently measured in small numbers of centimeter; these are called microwaves.
Microwaves are widely used for point-to-point communications because their small wavelength allows conveniently-sized antennas to direct them in narrow beams, which can be pointed directly at the receiving antenna. This allows nearby microwave equipment to use the same frequencies without interfering with each other, as lower frequency radio waves do. Another advantage is that the high frequency of microwaves gives the microwave band a very large information-carrying capacity; the microwave band has a bandwidth 30 times that of all the rest of the radio spectrum below it. A disadvantage is that microwaves are limited to line of sight propagation; they cannot pass around hills or mountains as lower frequency radio waves can.
Microwave radio transmission is commonly used in point-to-point communication systems on the surface of the Earth, in satellite communications, and in deep space radio communications. Other parts of the microwave radio band are used for radars, radio navigation systems, sensor systems, and radio astronomy.
Microwave radio systems are carriers for voice data signal, cheap and easy to tap.
Microwave Radio System

Satellite Radio Link
Satellite radio is a radio service broadcast from satellites primarily to cars, with the signal broadcast nationwide, across a much wider geographical area than terrestrial radio stations. It is available by subscription, mostly commercial free, and offers subscribers more stations and a wider variety of programming options than terrestrial radio.
Satellite radio link uses transponder to send information and easy to intercept.
The following answers are incorrect:
Fiber optics – Fiber optics cables are used for long distance, hard to splice, not vulnerable to cross talk and difficult to tap. It supports voice data, image and video.
Radio System – Radio systems are used for short distance, cheap and easy to tap.
Satellite Radio Link – Satellite radio link uses transponder to send information and easy to tap.
Reference:
CISA review manual 2014 page number 265

Section: Protection of Information Assets

The best way to protect sensitive information such as personally identifiable information (PII) stored in a particular data format while allowing the software developers to use it in development and test environments is data masking. Data masking is a technique that replaces or obscures sensitive data elements with fictitious or modified data elements that retain the original format and characteristics of the data. Data masking can help protect sensitive information such as PII stored in a particular data format while allowing the software developers to use it in development and test environments by preventing the exposure or disclosure of the real data values without affecting the functionality or performance of the software or application. The other options are not as effective as data masking in protecting sensitive information such as PII stored in a particular data format while allowing the software developers to use it in development and test environments, as they have different limitations or drawbacks. Data tokenization is a technique that replaces sensitive data elements with non-sensitive tokens that have no intrinsic value or meaning. Data tokenization can protect sensitive information such as PII from unauthorized access or theft, but it may not retain the original format and characteristics of the data, which may affect the functionality or performance of the software or application.
Data encryption is a technique that transforms sensitive data elements into unreadable or unintelligible ciphertext using an algorithm and a key. Data encryption can protect sensitive information such as PII from unauthorized access or modification, but it requires decryption to restore the original data values, which may introduce additional complexity or overhead to the software development process. Data abstraction is a technique that hides the details or complexity of data structures or operations from users or programmers by providing a simplified representation or interface. Data abstraction can help improve the usability or maintainability of software or applications, but it does not protect sensitive information such as PII from exposure or disclosure. References: CISA Review Manual (Digital Version), Chapter 5, Section 5.3.2

Validation checks are a type of data quality control that helps to ensure the integrity of data for a system interface. Validation checks verify that the data entered or transferred between systems is correct, consistent, and conforms to predefined rules or standards. Validation checks can prevent or detect errors, anomalies, or inconsistencies in the data that may affect the system’s functionality, performance, or security.
Option C is correct because validation checks are a common and effective method of ensuring data integrity for a system interface. Validation checks can be performed at various stages of the data lifecycle, such as input, processing, output, or storage. Validation checks can also be applied to different types of data, such as data types, codes, ranges, formats, consistency, and uniqueness.
Option A is incorrect because system interface testing is a type of software testing that verifies the interaction between two separate systems or components of a system. System interface testing does not directly ensure the integrity of data for a system interface, but rather the functionality and reliability of the interface itself. System interface testing may use validation checks as part of its test cases, but it is not the same as validation checks.
Option B is incorrect because user acceptance testing (UAT) is a type of software testing that evaluates whether the system meets the user’s expectations and requirements. UAT does not directly ensure the integrity of data for a system interface, but rather the usability and acceptability of the system from the user’s perspective. UAT may use validation checks as part of its test scenarios, but it is not the same as validation checks.
Option D is incorrect because audit logs are records of events and activities that occur within a system or network. Audit logs do not directly ensure the integrity of data for a system interface, but rather provide evidence and accountability for the system’s operations and security. Audit logs may use validation checks as part of their analysis or reporting, but they are not the same as validation checks.
References:
* CISA Online Review Course1, Module 5: Protection of Information Assets, Lesson 4: Data Quality Management, slide 5-6.
* CISA Review Manual (Digital Version)2, Chapter 5: Protection of Information Assets, Section 5.3: Data Quality Management, p. 281-282.
* CISA Review Manual (Print Version), Chapter 5: Protection of Information Assets, Section 5.3: Data Quality Management, p. 281-282.
* CISA Questions, Answers & Explanations Database3, Question ID: QAE_CISA_722.
* Data Validation – Overview, Types, Practical Examples4
* Data Validity: The Best Practice for Your Business5
* Validation – Data validation6
* What is Data Validation? Types, Techniques, Tools7

Anti-malware tool audit logs would provide an IS auditor with the best evidence of continuous compliance with the global organization’s policy that states that all workstations must be scanned for malware each day. Anti-malware tool audit logs are records that capture the activities and events related to the anti-malware software installed on the workstations, such as scan schedules, scan results, updates, alerts, and actions taken1. These logs can help the IS auditor to verify that the anti-malware software is functioning properly, that the scans are performed regularly and effectively, and that any malware incidents are detected and resolved in a timely manner2. Anti-malware tool audit logs can also help the IS auditor to identify any gaps or weaknesses in the anti-malware policy or implementation, and to provide recommendations for improvement3.
The other options are not the best evidence of continuous compliance with the anti-malware policy. Penetration testing results are reports that show the vulnerabilities and risks of the workstations and network from an external or internal attacker’s perspective4. While penetration testing can help to assess the security posture and resilience of the organization, it does not provide information on the daily anti-malware scans or their outcomes. Management attestation is a statement or declaration from the management that they have complied with the anti-malware policy5. While management attestation can demonstrate commitment and accountability, it does not provide objective or verifiable evidence of compliance. Recent malware scan reports are documents that show the summary or details of the latest anti-malware scans performed on the workstations. While recent malware scan reports can indicate the current status and performance of the anti-malware software, they do not provide historical or comprehensive evidence of compliance.
References:
* Malwarebytes Anti-Malware (MBAM) log collection and threat reports …
* Malicious Behavior Detection using Windows Audit Logs
* PCI Requirement 5.2 – Ensure all Anti-Virus Mechanisms are Current …
* Management Attestation – an overview | ScienceDirect Topics
* How to Read a Malware Scan Report | Techwalla

Section: Protection of Information Assets
Explanation/Reference:
In network security, a screened subnet firewall is a variation of the dual-homed gateway and screened host
firewall. It can be used to separate components of the firewall onto separate systems, thereby achieving
greater throughput and flexibility, although at some cost to simplicity. As each component system of the
screened subnet firewall needs to implement only a specific task, each system is less complex to
configure.
A screened subnet firewall is often used to establish a demilitarized zone (DMZ).
Below are few examples of Firewall implementations:
Screened host Firewall
Utilizing a packet filtering router and a bastion host, this approach implements a basic network layer
security and application server security.
An intruder in this configuration has to penetrate two separate systems before the security of the private
network can be compromised
This firewall system is configured with the bastion host connected to the private network with a packet
filtering router between internet and the bastion host
Dual-homed Firewall
A firewall system that has two or more network interface, each of which is connected to a different network
In a firewall configuration, a dual homed firewall system usually acts to block or filter some or all of the
traffic trying to pass between the network
A dual-homed firewall system is more restrictive form of screened-host firewall system
Demilitarize Zone (DMZ) or screened-subnet firewall
Utilizing two packet filtering routers and a bastion host
This approach creates the most secure firewall system since it supports network and application level
security while defining a separate DMZ network
Typically, DMZs are configured to limit access from the internet and organization’s private network.
The following were incorrect answers:
The other types of firewall mentioned in the option do not utilize two packet filtering routers and a bastion
host.
The following reference(s) were/was used to create this question:
CISA review manual 2014 Page number 346

Any data that is transmitted over a network is at some risk of being eavesdropped, or even modified by a malicious person. Even machines that operate as a closed system can be eavesdropped upon via monitoring the faint electromagnetic transmissions generated by the hardware such as TEMPEST.

Explanation
The best evidence of an IT strategy correction’s effectiveness is the synchronization of IT activities with corporate objectives. The IT strategy correction is a process of reviewing and adjusting the IT strategy to ensure that it aligns with and supports the corporate strategy and objectives. The synchronization of IT activities with corporate objectives means that the IT activities are consistent with and contribute to the achievement of the corporate goals and vision. The IS auditor can measure and evaluate the IT strategy correction’s effectiveness by comparing the IT activities with the corporate objectives, and assessing whether they are aligned, integrated, and coordinated. The other options are not as good evidence of an IT strategy correction’s effectiveness, because they either do not reflect the alignment of IT and business, or they are inputs or outputs of the IT strategy correction process rather than outcomes or results. References: CISA Review Manual (Digital Version)1, Chapter 1, Section 1.2.1

Section: Protection of Information Assets
Explanation:
Choices A, B and C are incorrect because none of them are related to the area being audited. In reviewing the proposed application, the auditor should ensure that the products to be purchased are compatible with the current or planned OS. Regarding choice, A, if the OS is currently being used, it is compatible with the existing hardware platform, because if it is not it would not operate properly. In choice B, the planned OS updates should be scheduled to minimize negative impacts on the organization. For choice C, the installed OS should be equipped with the most recent versions and updates (with sufficient history and stability).

Accuracy of source data is a prerequisite for the quality of the data in a data warehouse. Credibility of the data source, accurate extraction processes and accurate transformation routines are all important, but would not change inaccurate data intoquality (accurate) data.

Section: Protection of Information Assets
Explanation:
Failure of a network backbone will result in the failure of the complete network and impact the ability of all users to access information on the network. The nonavailability of an alternate PBX system will result in users not being able to make or receive telephone calls or faxes; however, users may have alternate means of communication, such as a mobile phone or e-mail. Lack of backup systems for user PCs will impact only the specific users, not all users. Failure of the access card system impacts the ability to maintain records of the users who are entering the specified work areas; however, this could be mitigated by manual monitoring controls.

Section: Protection of Information Assets
Explanation:
When implementing continuous-monitoring systems, an IS auditor’s first step is to identify high-risk areas within the organization.