CISA - Domain 3 Questions
An organization has implemented an online customer help desk application using a software as a service (SaaS) operating model. An IS auditor is asked to recommend the best control to monitor the service level agreement (SLA) with the SaaS vendor as it relates to availability. What is the BEST recommendation that the IS auditor can provide?
a) Ask the SaaS vendor to provide a weekly report on application uptime.
b) Implement an online polling tool to monitor the application and record outages.
c) Log all application outages reported by users and aggregate the outage time weekly.
d) Contract an independent third party to provide weekly reports on application uptime.

Answer: Implement an online polling tool to monitor and record application outages is correct. This is the best option for an organization to monitor the software as a service application availability. Comparing internal reports with the vendor's service level agreement (SLA) reports would ensure that the vendor's monitoring of the SLA is accurate and that all conflicts are appropriately resolved.
Ask the software as a service (SaaS) vendor to provide a weekly report on application uptime is incorrect. Weekly application availability reports are useful, but these reports represent only the vendor's perspective. While monitoring these reports, the organization can raise concerns of inaccuracy; however, without internal monitoring, such concerns cannot be substantiated.
Log all application outages reported by users and aggregate the outage time weekly is incorrect. Logging the outage times reported by users is helpful but does not give a true picture of all outages of the online application. Some outages may go unreported, especially if the outages are intermittent.
Contract an independent third party to provide weekly reports on application uptime is incorrect. Contracting a third party to implement availability monitoring is not a cost-effective option. Additionally, this results in a shift from monitoring the SaaS vendor to monitoring the third party.
Which of the following would an IS auditor consider to be the MOST important to review when conducting a disaster recovery audit?
a) A hot site is contracted for and available as needed.
b) A business continuity manual is available and current.
c) Insurance coverage is adequate and premiums are current.
d) Data backups are performed timely and stored offsite.

Answer: Data backups are performed timely and stored offsite is correct. Without data to process, all other components of the recovery effort are in vain. Even in the absence of a plan, recovery efforts of any type would not be practical without data to process.
A hot site is contracted for and available as needed is incorrect. A hot site is important, but it is of no use if there are no data backups for it.
A business continuity manual is available and current is incorrect. A business continuity manual is advisable but not most important in a disaster recovery audit.
Insurance coverage is adequate and premiums are current is incorrect. Insurance coverage should be adequate to cover costs but is not as important as having the data backup.
During the audit of a database server, which of the following would be considered the GREATEST exposure?
a) The password on the administrator account does not expire.
b) Default global security settings for the database remain unchanged.
c) Old data have not been purged.
d) Database activity is not fully logged.

Answer: Default global security settings for the database remain unchanged is correct. Default security settings for the database could allow issues such as blank user passwords or passwords that were the same as the username.
The password on the administrator account does not expire is incorrect. A non-expiring password is a risk and an exposure but not as serious a risk as a weak password or the continued use of default settings.
Old data have not been purged is incorrect. Failure to purge old data may present a performance issue but is not an immediate security concern.
Database activity is not fully logged is incorrect. Logging all database activity is a potential risk but not as serious a risk as default settings.
What is the BEST backup strategy for a large database with data supporting online sales?
a) Weekly full backup with daily incremental backup
b) Daily full backup
c) Clustered servers
d) Mirrored hard disks

Answer: Mirrored hard disks is correct. This will ensure that all data are backed up to more than one disk so that a failure of one disk will not result in loss of data.
Weekly full backup with daily incremental backup is incorrect. This is a poor backup strategy for online transactions. Because this system supports online sales, it can be difficult to recreate lost data, and this solution may result in a loss of up to one day's worth of data.
Daily full backup is incorrect. A full backup normally requires a couple of hours, and therefore it can be impractical to conduct a full backup every day.
Clustered servers is incorrect. These provide a redundant processing capability but are not a backup.
Which of the following business continuity plan tests involves participation of relevant members of the crisis management/response team to practice proper coordination?
a) Tabletop
b) Functional
c) Full-scale
d) Deskcheck

Answer: Tabletop is correct. The primary purpose of tabletop testing is to practice proper coordination because it involves all or some of the crisis team members and is focused more on coordination and communication issues than on technical process details.
Functional is incorrect. Functional testing involves mobilization of personnel and resources at various geographic sites. This is a more in-depth functional test and not primarily focused on coordination and communication.
Full-scale is incorrect. Full-scale testing involves enterprisewide participation and full involvement of external organizations.