Isaca Updated CISA Exam Questions and Answers by hania

Linking incidents to problem management activities would most effectively help to reduce the number of repeated incidents in an organization, because problem management aims to identify and eliminate the root causes of incidents and prevent their recurrence. Testing incident response plans, prioritizing incidents, and training incident management teams are all good practices, but they do not directly address the issue of repeated incidents. References: ISACA ITAF 3rd Edition Section 3600

Data disposal controls are the measures that ensure that data are securely and permanently erased or destroyed when they are no longer needed or authorized to be retained. Data disposal controls support business strategic objectives by reducing the risk of data breaches, complying with data privacy regulations, optimizing the use of storage resources, and enhancing the reputation and trust of the organization1.

A media sanitization policy is a document that defines the roles, responsibilities, procedures, and standards for sanitizing different types of media that contain sensitive or confidential data. Media sanitization is the process of removing or modifying data on a media device to make it unreadable or unrecoverable by any means. Media sanitization can be achieved by various methods, such as overwriting, degaussing, encryption, or physical destruction2.

A media sanitization policy would provide an IS auditor with the greatest assurance that data disposal controls support business strategic objectives because it demonstrates that the organization has a clear and consistent approach to protect its data from unauthorized access or disclosure throughout the data life cycle. A media sanitization policy also helps the organization to comply with various data privacy regulations, such as the EU General Data Protection Regulation (GDPR), the US Health Insurance Portability and Accountability Act (HIPAA), or the Payment Card Industry Data Security Standard (PCI DSS), that require proper disposal of personal or sensitive data3.

The other options are not as effective as a media sanitization policy in providing assurance that data disposal controls support business strategic objectives. A media recycling policy is a document that defines the criteria and procedures for reusing media devices that have been sanitized or erased. A media recycling policy can help the organization to save costs and reduce environmental impact, but it does not address how the data are disposed of in the first place4. A media labeling policy is a document that defines the rules and standards for labeling media devices that contain sensitive or confidential data. A media labeling policy can help the organization to identify and classify its data assets, but it does not specify how the data are sanitized or destroyed when they are no longer needed. A media shredding policy is a document that defines the methods and procedures for physically destroying media devices that contain sensitive or confidential data. A media shredding policy can be a part of a media sanitization policy, but it is not sufficient to cover all types of media devices or data disposal scenarios.

References:

ISACA, CISA Review Manual, 27th Edition, 2019

ISACA, CISA Review Questions, Answers & Explanations Database - 12 Month Subscription

Secure Data Disposal and Destruction: 6 Methods to Follow1

Why (and How to) Dispose of Digital Data2

What is Data Disposition? The Complete Guide3

Data Disposition: What is it and why should it be part of your data retention policy?

The greatest risk associated with the situation of business units purchasing cloud-based applications without IT support is that the applications may not reasonably protect data. Cloud-based applications are software applications that run on the internet, rather than on a local device or network. Cloud-based applications offer many benefits, such as scalability, accessibility, and cost-effectiveness, but they also pose many challenges and risks, especially for data security1.

Data security is the process of protecting data from unauthorized access, use, modification, disclosure, or destruction. Data security is essential for ensuring the confidentiality, integrity, and availability of data, as well as complying with legal and regulatory requirements. Data security is especially important for cloud-based applications, as data are stored and processed on remote servers that are owned and managed by third-party cloud service providers (CSPs)2.

When business units purchase cloud-based applications without IT support, they may not be aware of or follow the best practices and standards for data security in the cloud. They may not perform adequate risk assessments, vendor evaluations, contract reviews, or audits to ensure that the CSPs and the applications meet the organization’s data security policies and expectations. They may not implement appropriate data encryption, backup, recovery, or disposal methods to protect the data in transit and at rest. They may not monitor or control the access and usage of the data by internal or external users. They may not report or respond to any data breaches or incidents that may occur3.

These actions or inactions may expose the organization’s data to various threats and vulnerabilities in the cloud, such as cyberattacks, human errors, malicious insiders, misconfigurations, or legal disputes. These threats and vulnerabilities may result in data loss, leakage, corruption, or compromise, which may have serious consequences for the organization’s reputation, operations, performance, compliance, and liability4.

Therefore, it is essential that business units consult and collaborate with IT support before purchasing any cloud-based applications, and follow the organization’s guidelines and procedures for cloud security. IT support can help business units to select and use cloud-based applications that are suitable and secure for their needs and objectives.

References:

Top 5 Risks With Cloud Software and How to Mitigate Them4

Mitigate risks and secure your cloud-native applications3

12 Risks, Threats & Vulnerabilities in Moving to the Cloud2

Best Practices to Manage Risks in the Cloud1

The mitigating factor that would most significantly minimize the impact of not renewing IT risk acceptances in a timely manner is having documented compensating controls over the business processes. Compensating controls are alternative controls that reduce or eliminate the risk when the primary control is not feasible or cost-effective. The other factors, such as previous approval by senior management, unchanged business environment, and small percentage of issues, do not mitigate the risk as effectively as compensating controls. References: ISACA CISA Review Manual 27th Edition Chapter 1