Isaca Updated CISA Exam Questions and Answers by reign

The most important thing to define within a disaster recovery plan (DRP) is the roles and responsibilities for recovery team members, as this ensures that everyone knows what to do, who to report to, and how to communicate in the event of a disaster. A business continuity plan (BCP) is a broader document that covers the overall strategy and objectives for maintaining or resuming business operations after a disaster. Test results for backup data restoration are important to verify the integrity and availability of backup data, but they are not part of the DRP itself. A comprehensive list of disaster recovery scenarios and priorities is useful to identify the potential risks and impacts of different types of disasters, but it is not as critical as defining the roles and responsibilities for recovery team members. References: CISA Review Manual (Digital Version), Chapter 4: Information Systems Operations, Maintenance and Service Management, Section 4.3: Disaster Recovery Planning1

 The best option for ensuring confidentiality through the use of asymmetric encryption is to encrypt a message with the recipient’s public key (option A). This is because:

• Asymmetric encryption, also known as public-key cryptography, is a type of encryption that uses a pair of keys to encrypt and decrypt data. The pair of keys includes a public key, which can be shared with anyone, and a private key, which is kept secret by the owner12.
• In asymmetric encryption, the sender uses the recipient’s public key to encrypt the data. The recipient then uses their private key to decrypt the data. This approach allows for secure communication between two parties without the need for both parties to have the same secret key12.
• Encrypting a message with the recipient’s public key ensures that only the recipient can decrypt it with their private key. This provides confidentiality, which means that the message is protected from unauthorized access or disclosure12.
• Encrypting a message with the sender’s private key (option B) does not ensure confidentiality, but rather authentication, which means that the message can be verified as coming from the sender. This is because anyone can decrypt the message with the sender’s public key, but only the sender can encrypt it with their private key12.
• Encrypting a message with the sender’s public key (option C) or the recipient’s private key (option D) does not make sense, as it would render the message unreadable by both parties. This is because neither party has the corresponding key to decrypt it12.

Therefore, the best option for ensuring confidentiality through the use of asymmetric encryption is to encrypt a message with the recipient’s public key (option A), as this ensures that only the recipient can decrypt it with their private key.

References: 1: What is asymmetric encryption? | Asymmetric vs. symmetric … - Cloudflare 2: What is Asymmetric Encryption? - GeeksforGeeks

 The greatest benefit of adopting an international IT governance framework rather than establishing a new framework based on the actual situation of a specific organization is wide acceptance by different business and support units with IT governance objectives. An international IT governance framework, such as COBIT, provides a common language and understanding for IT governance among various stakeholders, such as management, users, auditors and regulators. This facilitates alignment, communication and collaboration among them. Readily available resources, comprehensive coverage and fewer resources expended are also benefits of adopting an international IT governance framework, but they are not the greatest benefit. References: CISA Review Manual (Digital Version) , Chapter 1, Section 1.3.1.

 The IS audit manager should specifically review the detailed evidence of the successes and weaknesses of all contingency testing to substantiate the conclusions of the audit of the corporate disaster recovery test. This is because the detailed evidence can provide the audit manager with a clear and objective picture of how well the disaster recovery plan was executed, what issues or gaps were encountered, and what recommendations or actions were taken to address them. The detailed evidence can also help the audit manager to verify the accuracy, completeness, and validity of the audit findings, as well as to evaluate the adequacy and effectiveness of the disaster recovery controls.

The other options are not as specific or relevant as the detailed evidence of all contingency testing. Overviews of interviews between data center personnel and the auditor may provide some useful information, but they are not sufficient to substantiate the conclusions without supporting evidence from the actual testing. Prior audit reports involving other corporate disaster recovery audits may provide some benchmarking or comparison data, but they are not directly related to the current audit scope and objectives. Summary memos reflecting audit opinions regarding noted weaknesses may provide some high-level insights, but they are not enough to substantiate the conclusions without detailed evidence to back them up.

References:

• ISACA, CISA Review Manual, 27th Edition, 2019, p. 2411
• Disaster Recovery Audit Work Program2