Explanation/Reference:
Explanation:
Of the three major types of off-site processing facilities (hot, warm, and cold), a cold site is characterized by at least providing for electricity and HVAC. A warm site improves upon this by providing for redundant equipment and software that can be made operational within a short time.

In the case of a deviation from the predefined procedures, an IS auditor should first ensure that the procedure followed for acquiring the software is consistent with the business objectives and has been approved by the appropriate authorities. The other choices are not the first actions an IS auditor should take. They are steps that may or may not be taken after determining that the procedure used to acquire the software had been approved.

Section: Protection of Information Assets
Explanation:
The ISACA IS Auditing Guideline G15 on planning the IS audit states, ‘An assessment of risk should be
made to provide reasonable assurance that material items will be adequately covered during the audit
work. This assessment should identify areas with a relatively high risk of the existence of material
problems.’ Definite assurance that material items will be covered during the audit work is an impractical
proposition. Reasonable assurance that all items will be covered during the audit work is not the correct
answer, as material items need to be covered, not all items.

Input/output controls should be implemented for both the sending and receiving applications in an integrated systems environment

Explanation/Reference:
Explanation:
Trojan horses are malicious or damaging code hidden within an authorized computer program. Hackers use Trojans to mastermind DDOS attacks that affect computers that access the same Internet site at the same moment, resulting in overloaded site servers that may no longer be able to process legitimate requests. Logic bombs are programs designed to destroy or modify data at a specific time in the future.
Phishing is an attack, normally via e-mail, pretending to be an authorized person or organization requesting information. Spyware is a program that picks up information from PC drives by making copies of their contents.

Explanation/Reference:
Explanation:
Deleting and formatting does not completely erase the data but only marks the sectors that contained files as being free. There are tools available over the Internet which allow one to reconstruct most of a hard disk’s contents. Overwriting a hard disk at the sector level would completely erase data, directories, indices and master file tables. Reformatting is not necessary since all contents are destroyed. Overwriting several times makes useless some forensic measures which are able to reconstruct former contents of newly overwritten sectors by analyzing special magnetic features of the platter’s surface. While hole-punching does not delete file contents, the hard disk cannot be used anymore, especially when head parking zones and track zero information are impacted. Reconstructing data would be extremely expensive since all analysis must be performed under a clean room atmosphere and is only possible within a short time frame or until the surface is corroded. Data reconstruction from shredded hard disks is virtually impossible, especially when the scrap is mixed with other metal parts. If the transport can be secured and the destruction be proved as described in the option, this is a valid method of disposal.

Explanation/Reference:
Explanation:
By digitally signing all e-mail messages, the receiver will be able to validate the authenticity of the sender.
Encrypting all e-mail messages would ensure that only the intended recipient will be able to open the message; however, it would not ensure the authenticity of the sender. Compressing all e-mail messages would reduce the size of the message, but would not ensure the authenticity. Password protecting all e- mail messages would ensure that only those who have the password would be able toopen the message; however, it would not ensure the authenticity of the sender.

User account access controls and cryptography can protect systems files and data, respectively. On the other hand, firewalls are by far the most common prevention systems from a network security perspective as they can shield access to internal network services, and block certain kinds of attacks through packet filtering.

Explanation/Reference:
Explanation:
Direct access attacks make use of common consumer devices that can be used to transfer data surreptitiously. Someone gaining physical access to a computer can install all manner of devices to compromise security, including operating system modifications, software worms, keyboard loggers, and covert listening devices. The attacker can also easily download large quantities of data onto backup media or portable devices.

Section: Protection of Information Assets
Explanation:
Time stamps are an effective control for detecting duplicate transactions such as payments made or
received.

Section: Protection of Information Assets
Explanation: Unless properly controlled, flash memory provides an avenue for anyone to copy any content
with ease. The contents stored in flash memory are not volatile. Backing up flash memory data is not a
control concern, as the data are sometimes stored as a backup. Flash memory will be accessed through a
PC rather than any other peripheral; therefore, compatibility is not an issue.

Explanation/Reference:
Confidentiality supports the principle of “least privilege” by providing that only authorized individuals, processes, or systems should have access to information on a need-to-know basis.
The level of access that an authorized individual should have is at the level necessary for them to do their job. In recent years, much press has been dedicated to the privacy of information and the need to protect it from individuals, who may be able to commit crimes by viewing the information.
Identity theft is the act of assuming one’s identity through knowledge of confidential information obtained from various sources.
An important measure to ensure confidentiality of information is data classification. This helps to determine who should have access to the information (public, internal use only, or confidential). Identification, authentication, and authorization through access controls are practices that support maintaining the confidentiality of information.
A sample control for protecting confidentiality is to encrypt information. Encryption of information limits the usability of the information in the event it is accessible to an unauthorized person.
For your exam you should know the information below:
Integrity
Integrity is the principle that information should be protected from intentional, unauthorized, or accidental changes.
Information stored in files, databases, systems, and networks must be relied upon to accurately process transactions and provide accurate information for business decision making. Controls are put in place to ensure that information is modified through accepted practices.
Sample controls include management controls such as segregation of duties, approval checkpoints in the systems development life cycle, and implementation of testing practices that assist in providing information integrity. Well-formed transactions and security of the update programs provide consistent methods of applying changes to systems. Limiting update access to those individuals with a need to access limits the exposure to intentional and unintentional modification.
Availability
Availability is the principle that ensures that information is available and accessible to users when needed.
The two primary areas affecting the availability of systems are:
1. Denial-of-Service attacks and
2. Loss of service due to a disaster, which could be man-made (e.g., poor capacity planning resulting in system crash, outdated hardware, and poor testing resulting in system crash after upgrade) or natural (e.g., earthquake, tornado, blackout, hurricane, fire, and flood).
In either case, the end user does not have access to information needed to conduct business. The criticality of the system to the user and its importance to the survival of the organization will determine how significant the impact of the extended downtime becomes. The lack of appropriate security controls can increase the risk of viruses, destruction of data, external penetrations, or denial-of-service (DOS) attacks.
Such events can prevent the system from being used by normal users.
CIA
The following answers are incorrect:
Integrity- Integrity is the principle that information should be protected from intentional, unauthorized, or accidental changes.
Availability – Availability is the principle that ensures that information is available and accessible to users when needed.
Accuracy – Accuracy is not a valid CIA attribute.

Following reference(s) were/was used to create this question:
CISA review manual 2014 Page number 314
Official ISC2 guide to CISSP CBK 3rd Edition Page number350

Section: Information System Acquisition, Development and Implementation

Section: Protection of Information Assets
Explanation:
If the IS auditor finds that there are effective staging and job set up processes, this can be accepted as a compensating control. Choice B is a detective control while choices C and D are corrective controls, none of which would serve as good compensating controls.

Explanation/Reference:
Explanation:
A business case can and should be used throughout the life cycle of the product. It serves as an anchor for new (management) personnel, helps to maintain focus and provides valuable information on estimates vs.
actuals. Questions like, ‘why do we do that,”what was the original intent’ and ‘how did we perform against the plan’ can be answered, and lessons for developing future business cases can be learned. During the development phase of a project one should always validate the business case, as it is a good management instrument. After finishing a project and entering production, the business case and all the completed research are valuable sources of information that should be kept for further reference

Section: The process of Auditing Information System