Isaca Updated CISA Exam Questions and Answers by hamish

If an IS auditor suspects that independence may not have been maintained in past audits, the best course of action is to inform audit management. Audit management has the responsibility and authority to address such issues. They can review the situation, determine if there was indeed a lack of independence, and decide on the appropriate actions to take123. While informing senior management, reevaluating internal controls, and re-performing past audits might be necessary at some point, the first step should be to inform audit management.

Sending a copy of the transaction logs to offsite storage on a daily basis would minimize the risk of losing transactions as a result of a disaster. This is because offsite storage provides a backup of the data that can be recovered in case of a catastrophic event that destroys or damages the onsite data. Storing a copy of the transaction logs onsite in a fireproof vault (B) would not protect the data from other types of disasters, such as floods, earthquakes, or theft. Encrypting © or signing (D) a copy of the transaction logs and storing them on a local server would not prevent the loss of data if the server is affected by the disaster. Encryption and digital signatures are security measures that protect the confidentiality and integrity of the data, but not the availability.

Multi-tenancy within the same database (B) presents the greatest risk of data leakage in the cloud environment, because it means that multiple customers share the same physical database and resources. This can lead to data isolation and security issues, such as unauthorized access, cross-tenant attacks, or data leakage due to misconfiguration or human error. To prevent data leakage in a multi-tenant database, cloud providers need to implement strict access control policies, encryption, isolation mechanisms, and auditing tools.

Lack of data retention policy (A) is not the greatest risk of data leakage in the cloud environment, because it mainly affects the availability and compliance of data, not its confidentiality or integrity. Data retention policy defines how long data should be stored and when it should be deleted or archived. Without a data retention policy, cloud customers may face legal or regulatory issues, storage costs, or performance degradation.

Lack of role-based access © is not the greatest risk of data leakage in the cloud environment, because it can be mitigated by implementing proper authentication and authorization mechanisms. Role-based access control (RBAC) is a security model that assigns permissions and privileges to users based on their roles and responsibilities. Without RBAC, cloud customers may face unauthorized access, privilege escalation, or data misuse.

Expiration of security certificate (D) is not the greatest risk of data leakage in the cloud environment, because it can be easily detected and renewed. A security certificate is a digital document that verifies the identity and authenticity of a website or service. It also enables secure communication using encryption. If a security certificate expires, it may cause trust issues, warning messages, or connection errors, but not necessarily data leakage.

References:

• 7 Ways to Prevent Data Leaks in the Cloud | OTAVA®
• An analysis of data leakage and prevention techniques in cloud environment

A firewall between internal network segments improves security and reduces risk by inspecting all traffic flowing between network segments and applying security policies. This will prevent unauthorized or malicious access, data leakage, or network attacks from compromising the network resources or data. Logging all packets passing through network segments may provide audit trails and evidence, but not prevent or mitigate security incidents. Monitoring and reporting on sessions between network participants may help to identify anomalous or suspicious activities, but not block or filter them. Ensuring all connecting systems have appropriate security controls enabled may enhance the overall network security posture, but not isolate or segregate different network segments. References: Info Technology & Systems Resources | COBIT, Risk, Governance … - ISACA, section “Book COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution | Digital | English”