Isaca Updated CISA Exam Questions and Answers by ivy-rae

File transfer protocol (FTP) is a service that allows users to transfer files between computers over a network. If enabled within firewall rules, FTP would present the greatest risk, as it can expose sensitive data to unauthorized access, modification, or deletion. FTP does not provide encryption or authentication, which makes it vulnerable to eavesdropping, spoofing, and tampering attacks. Simple mail transfer protocol (SMTP), simple object access protocol (SOAP), and hypertext transfer protocol (HTTP) are also services that can be used to exchange data over a network, but they have more security features than FTP, such as encryption, authentication, or validation. References: CISA Review Manual (Digital Version)

The first step is to identify at-risk assets. Before an organization can assess impact, estimate damage, or evaluate likelihood, it must first determine which assets are exposed to the zero-day vulnerability. ISACA risk guidance emphasizes asset identification and security categorization as foundational steps in risk assessment. In other words, you cannot meaningfully assess risk until you know what systems, applications, or services are affected.

Option A is correct because scoping the exposure comes first. Once at-risk assets are identified, the organization can prioritize remediation and then evaluate impact and likelihood in a focused way. ISACA’s vulnerability and risk-related material supports risk-based prioritization built on asset visibility and understanding which systems are exposed.

Option B is not first because impact assessment depends on knowing which assets are vulnerable and how critical they are. Without that scope, impact analysis is incomplete.

Option C is also not first. Likelihood matters in risk analysis, but it comes after identifying the vulnerable environment and relevant exposure. ISACA’s risk discussions place likelihood estimation after identifying assets, threats, and vulnerabilities.

Option D is similar to impact assessment and likewise depends on first knowing which assets are in scope. Estimating damage without scoping exposure would be premature.

Therefore, A is the best answer because identifying the affected assets is the necessary first step in managing the impact of a newly discovered zero-day vulnerability.

References (Official ISACA):

ISACA Journal, IT Asset Valuation, Risk Assessment and Control Implementation Model — asset identification and categorization precede likelihood and impact assessment.

ISACA, Using a Risk-Based Approach to Prioritize Vulnerability Remediation — supports risk-based prioritization after exposure is understood.

ISACA, Fortifying the Operational Technology Sector: Battle-Tested Cyber Resilience Strategies — emphasizes identifying exploitable weaknesses and exposed assets.

ISACA Journal, Understanding Cybersecurity Risk — likelihood and impact are part of the risk model after threats/vulnerabilities are established.

The management decision that presents the greatest risk associated with data leakage is not providing security awareness training to staff. This is because staff are often the weakest link in the information security chain, and they may unintentionally or maliciously leak sensitive data through various channels, such as email, social media, cloud storage, or removable media. Security awareness training is essential to educate staff on the importance of protecting data, the policies and procedures for handling data, and the best practices for preventing and reporting data leakage incidents. Not requiring desktops to be encrypted, allowing staff to work remotely, and not updating security policies in the past year are also management decisions that may increase the risk of data leakage, but they are not as significant as not providing security awareness training to staff. Encryption, remote work, and security policies are technical or administrative controls that can be implemented or enforced by management, but they cannot fully prevent or mitigate human errors or malicious actions by staff. References: CISA Review Manual (Digital Version), [ISACA Privacy Principles and Program Management Guide]

The best way for an IS auditor to understand the software benefits to the organization would be to review the business case, which is a document that provides the justification and rationale for acquiring a software solution based on its expected costs, benefits, risks, and alignment with the organization’s goals and strategies. The business case helps to evaluate the feasibility and viability of the software acquisition and to support the decision-making process. A feasibility study is a document that analyzes the technical, operational, economic, legal, and social aspects of a software solution to determine its feasibility and suitability for the organization’s needs, but it does not necessarily provide a clear indication of the software benefits to the organization. A request for proposal (RFP) is a document that solicits proposals from potential vendors or suppliers for a software solution based on the organization’s requirements and specifications, but it does not necessarily provide a clear indication of the software benefits to the organization. The alignment with IT strategy is a factor that influences the software acquisition processand ensures that the software solution supports and enables the organization’s IT strategy, but it is not a document that can be reviewed by an IS auditor to understand the software benefits to the organization. References: CISA Review Manual(Digital Version), Chapter 3: Information Systems Acquisition, Development and Implementation, Section 3.1: Business Case Development