Pass ISACA CISA exam Dumps 100 Pass Guarantee With Latest Demo [Q143-Q159]

Authenticating the site to be surfed is the primary goal of a web certificate. Authentication of a user is achieved through passwords and not by a web site certificate. The site certificate does not prevent hacking nor does it authenticate a person.

Section: Protection of Information Assets
Explanation:
Choice A would prevent or detect the use of an unauthorized interest rate. Choice B informs the manager
after the fact that a change was made, thereby making it possible for transactions to use an unauthorized
rate prior to management review. Choices C and D do not prevent the clerk from entering an unauthorized
rate change.

Section: Protection of Information Assets

Explanation/Reference:
PERMANENTLY is the keyword used in the question. You need to find out data removal method which remove data permanently from magnetic media.
Degaussing is the most effective method out of all provided choices to erase sensitive data on magnetic media provided magnetic media is not require to be reuse. Some degausses can destroy drives. The security professional should exercise caution when recommending or using degausses on media for reuse.
A device that performs degaussing generates a coercive magnetic force that reduces the magnetic flux density of the storage media to zero. This magnetic force is what properly erases data from media. Data are stored on magnetic media by the representation of the polarization of the atoms. Degaussing changes this polarization (magnetic alignment) by using a type of large magnet to bring it back to its original flux (magnetic alignment).
For your exam you should know the information below:
When media is to be reassigned (a form of object reuse), it is important that all residual data is carefully removed.
Simply deleting files or formatting the media does not actually remove the information. File deletion and media formatting often simply remove the pointers to the information. Providing assurance for object reuse requires specialized tools and techniques according to the type of media on which the data resides.
Specialized hardware devices known as degausses can be used to erase data saved to magnetic media.
The measure of the amount of energy needed to reduce the magnetic field on the media to zero is known as coercivity. It is important to make sure that the coercivity of the degasser is of sufficient strength to meet object reuse requirements when erasing data. If a degasser is used with insufficient coercivity, then a remanence of the data will exist.
Remanence is the measure of the existing magnetic field on the media; it is the residue that remains after an object is degaussed or written over. Data is still recoverable even when the remanence is small. While data remanence exists, there is no assurance of safe object reuse. Some degausses can destroy drives.
The security professional should exercise caution when recommending or using degausses on media for reuse.
Software tools also exist that can provide object reuse assurance. These tools overwrite every sector of magnetic media with a random or predetermined bit pattern. Overwrite methods are effective for all forms of electronic media with the exception of read-only optical media. There is a drawback to using overwrite software. During normal write operations with magnetic media, the head of the drive moves back-and-forth across the media as data is written. The track of the head does not usually follow the exact path each time.
The result is a miniscule amount of data remanence with each pass. With specialized equipment, it is possible to read data that has been overwritten.
To provide higher assurance in this case, it is necessary to overwrite each sector multiple times. Security practitioners should keep in mind that a one-time pass may be acceptable for noncritical information, but sensitive data should be overwritten with multiple passes. Overwrite software can also be used to clear the sectors within solid-state media such as USB thumb drives. It is suggested that physical destruction methods such as incineration or secure recycling should be considered for solid-state media that is no longer used.
The last form of preventing unauthorized access to sensitive data is media destruction. Shredding, burning, grinding, and pulverizing are common methods of physically destroying media. Degaussing can also be a form of media destruction. High-power degausses are so strong in some cases that they can literally bend and warp the platters in a hard drive.
Shredding and burning are effective destruction methods for non-rigid magnetic media. Indeed, some shredders are capable of shredding some rigid media such as an optical disk. This may be an effective alternative for any optical media containing nonsensitive information due to the residue size remaining after feeding the disk into the machine.
However, the residue size might be too large for media containing sensitive information. Alternatively, grinding and pulverizing are acceptable choices for rigid and solid-state media. Specialized devices are available for grinding the face of optical media that either sufficiently scratches the surface to render the media unreadable or actually grinds off the data layer of the disk. Several services also exist which will collect drives, destroy them on site if requested and provide certification of completion. It will be the responsibility of the security professional to help, select, and maintain the most appropriate solutions for media cleansing and disposal.
The following answers are incorrect:
Overwrite every sector of magnetic media with pattern of 1’s and 0’s-Less effective than degaussing provided magnetic media is not require to be reuse.
Format magnetic media – Formatting magnetic media does not erase all data. Data can be recoverable after formatting using software tools.
Delete File allocation table-It will not erase all data. Data can be recoverable using software tools.
The following reference(s) were/was used to create this question:
CISA review manual 2014 Page number 338
Official ISC2 guide to CISSP CBK 3rd Edition Page number 720.
NEW QUESTIONS

Procedures are processes an IS auditor may follow in an audit engagement. In determining the appropriateness of any specific procedure, an IS auditor should use professional judgment appropriate to the specific circumstances. Professional judgment involves a subjective and often qualitative evaluation of conditions arising in the course of an audit. Judgment addresses a grey area where binary (yes/no) decisions are not appropriate and the auditor’s past experience plays a key role in making a judgment. ISACA’s guidelines provide information on how to meet the standards when performing IS audit work. Identifying material weaknesses is the result of appropriate competence, experience and thoroughness in planning and executing the audit and not of professional judgment. Professional judgment is not a primary input to the financial aspects of the audit.

Section: Information System Operations, Maintenance and Support

Explanation/Reference:
CDs and DVDs are least affected by static current so it is not as important to store them into anti-static bags.
CDs and DVDs Storage protection recommendations:
Handle by edges or by hole in the middle
Be careful not to bend the CD or DVD
Avoid long term exposure to bright light
Store in a hard jewel case, not is soft sleeves
Also, you should know the media storage precautions listed below in preparation for the CISA exam:
USB and portable hard drive
Avoid high temperature, humidity extremes and strong magnetic field
Tape Cartridges
Store Cartridges vertically
Store cartridges in a protective container for transport
Write-protect cartridges immediately
Hard Drive
Store hard drives in anti-static bags, and be sure that person removing them from bag is static free If the original box and padding for the hard drive is available, use it for shipping If the hard drive has been in a cold environment, bring it to room temperature prior to installing and using it The following reference(s) were/was used to create this question:
Reference used – CISA review manual 2014. Page number 338

Section: Information System Operations, Maintenance and Support

Explanation
For an organization that has plans to implement web-based trading, it would be most important for an IS auditor to verify that the organization’s information security plan includes security requirements for the new application. Security requirements are statements that define what security features and functions are needed to protect the confidentiality, integrity, and availability of the web-based trading application and its data. Security requirements should be identified and documented during the planning phase of the application development life cycle, before any design or coding activities take place. Attributes for system passwords, security training prior to implementation, and firewall configuration for the web server are also important aspects of information security, but they are not as essential as security requirements for ensuring that the web-based trading application meets its security objectives.

Section: Protection of Information Assets
Explanation:
The integration of IS and business staff in projects is an operational issue and should be considered while reviewing the short-range plan. A strategic plan would provide a framework for the IS short-range plan.
Choices B, C and D are areas covered by a strategic plan.

Wi-Fi Protected Access (WPA) 2 implements most of the requirements of the IEEE 802.11i standard. The Advanced Encryption Standard (AESJ used in WPA2 provides better security. Also, WPA2 supports both the Extensible Authentication Protocol and the preshared secret key authentication model. Implementing Wired Equivalent Privacy (WEP) is incorrect since it can be cracked within minutes. WEP uses a static key which has to be communicated to all authorized users, thus management is difficult. Also, there is a greater vulnerability if the static key is not changed at regular intervals. The practice of allowing access based on Media Access Control (MAC) is not a solution since MAC addresses can be spoofed by attackers to gain access to the network. Disabling open broadcast of service set identifiers (SSID) is not the correct answer as they cannot handle access control.

Explanation
The most concerning issue associated with a data center’s CCTV surveillance cameras is that the recordings are not regularly reviewed. This means that any unauthorized access, theft, vandalism, or other security incidents may go unnoticed and unreported. CCTV recordings are a valuable source of evidence and deterrence for data center security, and they should be monitored and audited periodically to ensure compliance with policies and regulations. If the recordings are not reviewed, the data center may face legal, financial, or reputational risks in case of a security breach or an audit failure.
The other options are less concerning because they do not directly affect the security of the data center. CCTV cameras are not required to be installed in break rooms, as they are not critical areas for data protection. CCTV records can be deleted after one year, as long as they comply with the data retention policy of the organization and the applicable laws. CCTV footage does not need to be recorded 24 x 7, as long as there is sufficient coverage of the data center during operational hours and when access is granted to authorized personnel.
References:
ISACA Journal Article: Physical security of a data center1
Data Center Security: Checklist and Best Practices | Kisi2
Video Surveillance Best Practices | Taylored Systems

Explanation/Reference:
Explanation:
Prior audit reports are considered of lesser value to an IS auditor attempting to gain an understanding of an organization’s IT process than evidence directly collected.

Explanation/Reference:
Explanation:
Regression testing should use data from previous tests to obtain accurate conclusions regarding the effects of changes or corrections to a program, and ensuring that those changes and corrections have not introduced new errors.