Isaca Updated CISA Exam Questions and Answers by giorgio

Implementing incident escalation procedures is the best way to ensure that an incident receives attention from appropriate personnel in a timely manner, because it defines the roles and responsibilities, communication channels, and escalation criteria for handling different types of incidents34. Incident escalation procedures help to prioritize and coordinate the response efforts and ensure that the incident is resolved by the most qualified and authorized personnel. Completing the incident management log, broadcasting an emergency message, and requiring a dedicated incident response team are not sufficient to ensure that an incident receives attention from appropriate personnel in a timely manner, because they do not specify how to escalate the incident based on its severity, impact, or complexity. References: 3: CISA Review Manual (Digital Version), Chapter 6, Section 6.3.2 4: CISA Online Review Course, Module 6, Lesson 3

In reviewing the IT strategic plan, the IS auditor should consider whether it identifies the major IT initiatives that are aligned with the organization’s vision, mission, and objectives, and that support the business strategy and priorities12. The major IT initiatives should also be realistic, measurable, and achievable, and should have clear timelines, budgets, and responsibilities34.

References

1: IT Strategy Template for a Successful Strategic Plan | Gartner2 2: IT Strategy Template for a Successful Strategic Plan | Gartner4 3: Conduct a Strategic Plan Review & Assessment - Governance3 4: Time To Conduct A Strategy Review? Here’s How To Get Started1

The greatest concern when reviewing an IT strategic plan is B. The plan does not support relevant organizational goals. This is because an IT strategic plan should align and integrate the IT goals and objectives with the organization’s overall strategy and vision, and ensure that IT supports and enables the business processes and functions1. If the IT strategic plan does not support relevant organizational goals, it may lead to:

• Suboptimal or negative outcomes and value for the organization, as IT investments and initiatives may not align with the organization’s priorities, needs, or expectations1.
• Conflicts or inconsistencies between IT and business functions, as IT may not deliver the expected level of service, quality, or performance2.
• Wasted or inefficient use of resources, as IT may spend time, money, or effort on projects or activities that are not relevant or beneficial for the organization2.

 The finding that should be of greatest concern to an IS auditor assessing the effectiveness of an organization’s vulnerability scanning program is that results are not reported to individuals with authority to ensure resolution. This indicates a lack of accountability and communication for vulnerability management, which may result in unresolved or delayed remediation of identified vulnerabilities. This may expose the organization to increased risk of cyberattacks or breaches. The other findings are also concerning, but not as much as this one, because they may affect the completeness, accuracy or timeliness of the vulnerability scanning process, but not necessarily its effectiveness. References:

• ISACA, CISA Review Manual, 27th Edition, chapter 4, section 4.41
• ISACA, COBIT 2019 Framework: Introduction and Methodology, section 3.2