The best recommendation is database segmentation. If liability depends on the number of individuals whose PII is exposed, the organization should reduce the amount of data that can be compromised in any single breach event. Segmenting databases or separating sensitive data domains limits the blast radius and reduces the number of records exposed in a single incident. ISACA guidance supports isolating high-value assets and tightening internal controls as a way to reduce exposure and improve resilience.
Option A is correct because segmentation limits concentration risk. Instead of keeping all customer data in one broadly exposed logical store, segmentation helps confine access and reduce how many records a single compromise can reach. This directly supports limiting breach impact and, in this case, potential liability tied to the number of affected individuals. This conclusion is an inference from ISACA’s risk-reduction principles around isolation, exposure control, and documenting exposure.
Option B is incorrect because database normalization improves data structure and reduces redundancy; it is not primarily a breach-liability reduction control.
Option C is incorrect because database harmonization is about consistency or integration across datasets, not limiting exposure in a breach.
Option D is incorrect because database optimization focuses on performance and efficiency, not on minimizing the number of PII records exposed in a security incident.
Therefore, A is the best answer: segmentation is the option that most directly reduces the scope of exposure in a breach and so helps limit liability tied to the number of affected individuals.
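To make the "blast radius" argument concrete, here is an added illustration (not ISACA guidance or the exam's own material) that models a monolithic store against a segmented one and counts how many individuals a single compromised credential can reach. The record set, segment names and service principals are constructed for the example; the point it adds beyond the prose is the check at the end, which flags any principal whose grants span several segments and therefore silently re-aggregates the exposure that segmentation was meant to split.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Record:
    """One individual's PII record and the data domain it belongs to."""
    record_id: str
    domain: str


@dataclass
class Store:
    """Logical data store: segments holding record ids, and per-principal segment grants."""
    segments: dict[str, set[str]] = field(default_factory=lambda: defaultdict(set))
    grants: dict[str, set[str]] = field(default_factory=lambda: defaultdict(set))

    def add_record(self, segment: str, record: Record) -> None:
        self.segments[segment].add(record.record_id)

    def grant(self, principal: str, segment: str) -> None:
        self.grants[principal].add(segment)


# Constructed sample data (hypothetical): nine customers across three data domains.
SAMPLE_RECORDS = (
    [Record(f"cust-{i:02d}", "billing") for i in range(1, 5)]
    + [Record(f"cust-{i:02d}", "marketing") for i in range(5, 8)]
    + [Record(f"cust-{i:02d}", "support") for i in range(8, 10)]
)


def build_monolithic_store(records):
    """All PII in one logical store, read through one shared application credential."""
    store = Store()
    for rec in records:
        store.add_record("customer_db", rec)
    store.grant("app_service", "customer_db")
    return store


def build_segmented_store(records):
    """One segment per data domain; each domain's service is granted only its own segment."""
    store = Store()
    for rec in records:
        store.add_record(rec.domain, rec)
        store.grant(f"{rec.domain}_service", rec.domain)
    return store


def reachable_records(store, principal):
    """Record ids a principal can read: the union of every segment it is granted."""
    reachable = set()
    for segment in store.grants.get(principal, set()):
        reachable |= store.segments.get(segment, set())
    return reachable


def exposure_on_compromise(store, principal):
    """Number of individuals exposed if this principal's credential is compromised."""
    return len(reachable_records(store, principal))


def worst_case_exposure(store):
    """Largest single-credential exposure across all principals in the store."""
    return max((exposure_on_compromise(store, p) for p in store.grants), default=0)


def over_privileged_principals(store):
    """Principals granted more than one segment: each one re-aggregates exposure."""
    return sorted(p for p, segs in store.grants.items() if len(segs) > 1)


if __name__ == "__main__":
    mono = build_monolithic_store(SAMPLE_RECORDS)
    seg = build_segmented_store(SAMPLE_RECORDS)
    print("monolithic worst case:", worst_case_exposure(mono))  # 9 of 9 individuals
    print("segmented worst case:", worst_case_exposure(seg))    # 4 (the largest segment)
    # A cross-segment reporting credential quietly undoes part of the benefit.
    seg.grant("reporting_service", "billing")
    seg.grant("reporting_service", "marketing")
    print("after broad grant:", worst_case_exposure(seg), over_privileged_principals(seg))
```

The numbers only hold while grants stay segment-scoped: the audit function is the operational check to run against real role or grant tables, because a single reporting or backup identity with read access across segments returns the organization to close to the monolithic exposure figure.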
References (Official ISACA):
ISACA, Best Practices for Setting Up a Cybersecurity Operations Center — recommends prioritizing assets and isolating high-value asset networks.
ISACA Journal, Reporting on GDPR Compliance to the Board — emphasizes documenting exposure and relevant risk controls for privacy risk reporting.
ISACA Journal, Practical Data Security and Privacy for GDPR and CCPA — supports governance approaches to limiting privacy exposure. (Referenced conceptually from prior ISACA privacy guidance.)