Isaca Updated CISA Exam Questions and Answers by rachel

The most important task for an IS auditor to perform after the merger of two organizations is to verify that access privileges have been reviewed. Access privileges are the permissions granted to users, groups, or roles to access, modify, or manage IT resources, such as systems, applications, data, or networks. After a merger, the IS auditor should ensure that the access privileges of both organizations are aligned with the new business objectives, policies, and processes, and that there are no conflicts, overlaps, or gaps in the access rights. The IS auditor should also verify that the access privileges are based on the principle of least privilege, which means that users are granted only the minimum level of access required to perform their tasks.

The other options are not as important as verifying that access privileges have been reviewed:

Investigating access rights for expiration dates is a useful task, but it is not the most important one. Expiration dates are the dates when access rights are automatically revoked or suspended after a certain period of time or after a specific event. The IS auditor should check that the expiration dates are set appropriately and enforced consistently, but this is not as critical as reviewing the access privileges themselves.

Updating the continuity plan for critical resources is a necessary task, but it is not the most urgent one. A continuity plan is a document that outlines the procedures and actions to be taken in the event of a disruption or disaster that affects the availability of IT resources. The IS auditor should update the continuity plan to reflect the changes and dependencies introduced by the merger, but this can be done after verifying that the access privileges are secure and compliant.

Updating the security policy is an essential task, but it is not the most immediate one. A security policy is a document that defines the rules and guidelines for securing IT resources and protecting information assets. The IS auditor should update the security policy to incorporate the best practices and standards of both organizations, and to address any new risks or threats posed by the merger, but this can be done after verifying that the access privileges are aligned with the policy.

A Web Application Firewall (WAF) (A) is the best control to mitigate SQL injection attacks because it can detect and block malicious SQL queries before they reach the application. WAFs analyze incoming requests, filter SQL injection attempts, and provide an additional layer of security for web applications.

Other options:

SQL server hardening (B) improves security but does not specifically address SQL injection.

Patch management (C) is necessary but does not provide immediate protection against new SQL injection attacks.

Physical controls (D) are unrelated to application-layer threats like SQL injection.

Ensuring access rules agree with policies is an information systems security officer’s primary responsibility for business process applications. An information systems security officer should verifythat the access controls implemented for the business process applications are consistent with the organization’s security policy and objectives. The other options are not the primary responsibility of an information systems security officer, but rather the tasks of an application owner, a senior management, or a business analyst. References:

CISA Review Manual (Digital Version), Chapter 7, Section 7.3.11

CISA Review Questions, Answers and Explanations Database, Question ID 208

The best answer is C. Periodically restoring backup media for key databases.

ISACA guidance is very clear that backup restoration should be tested periodically. A backup is only useful if it can actually be restored successfully within business needs. Organizations sometimes assume that because backups exist, recovery is assured, but ISACA specifically warns that recovery procedures and restoration capability must be tested.

Option A is important for resilience, but offsite storage does not prove the backup is recoverable. Option B helps administration and tracking, but inventory alone does not validate restorability. Option D protects confidentiality of backup data, but it does not ensure successful recovery. The strongest control for recoverability is periodic test restoration.

References (Official ISACA):

ISACA, Ensuring Data Security: The Importance of Cloud Backups and Drill Testing

ISACA Journal, Governance of Key Aspects of System Patch Management — recommends periodic testing of backup restoration.

ISACA Journal, IS Audit Basics: Backup and Recovery