Practice Free CISA Exam Online Questions
Which of the following is the PRIMARY benefit of a tabletop exercise for an incident response plan?
- A . It demonstrates the maturity of the incident response program.
- B . It reduces the likelihood of an incident occurring.
- C . It identifies deficiencies in the operating environment.
- D . It increases confidence in the team’s response readiness.
D
Explanation:
The primary benefit of a tabletop exercise for an incident response plan is to increase confidence in the team’s response readiness (D). A tabletop exercise is a simulated scenario that tests the effectiveness and efficiency of the incident response plan and team. It allows the team to practice their roles and responsibilities, review their procedures and tools, and identify and resolve any gaps or issues in their response process. A tabletop exercise can help the team to improve their skills, knowledge, and communication, and to prepare for real incidents [1].
Which of the following BEST describes a digital signature?
- A . It is under control of the receiver.
- B . It is capable of authorization.
- C . It dynamically validates modifications of data.
- D . It is unique to the sender using it.
D
Explanation:
A digital signature is a type of electronic signature that uses cryptographic techniques to provide authentication, integrity, and non-repudiation of digital documents. A digital signature is created by applying a mathematical function (called a hash function) to the document and then encrypting the result with the sender’s private key. The encrypted hash, along with the sender’s public key and other information, forms the digital signature. The receiver can verify the digital signature by decrypting it with the sender’s public key and comparing the hash with the one computed from the document. If they match, it means that the document has not been altered and that it was signed by the owner of the private key.
Option D is correct because a digital signature is unique to the sender using it, as it depends on the sender’s private key, which only the sender knows and controls. No one else can create a valid digital signature with the same private key, and no one can forge or modify a digital signature without being detected.
Option A is incorrect because a digital signature is not under control of the receiver, but rather under control of the sender. The receiver can only verify the digital signature, but cannot create or modify it.
Option B is incorrect because a digital signature is not capable of authorization, but rather capable of authentication. Authorization is the process of granting or denying access to resources based on predefined rules or policies. Authentication is the process of verifying the identity or legitimacy of a person or entity. A digital signature can authenticate the sender of a document, but it cannot authorize what actions the receiver can perform on the document.
Option C is incorrect because a digital signature does not dynamically validate modifications of data, but rather statically validates the integrity of data. A digital signature is based on a snapshot of the document at the time of signing, and any subsequent changes to the document will invalidate the digital signature. A digital signature does not monitor or update itself based on data modifications.
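The sign-then-verify flow described above, as an added example that is not part of the original page or of any ISACA material. It uses Ed25519 from the Go standard library rather than the RSA-style "encrypt the hash with the private key" wording of the explanation, but the properties are the same ones the options test: only the holder of the private key can produce the signature (option D), the receiver can only verify it (option A), and any change to the signed snapshot invalidates it (option C). The invoice text and the key pairs are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer is one party's key pair. Signing needs the private key, which
// never leaves the sender; the receiver only ever holds the public key.
type Signer struct {
	Public  ed25519.PublicKey
	private ed25519.PrivateKey
}

// NewSigner generates a fresh Ed25519 key pair (constructed for the example).
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Public: pub, private: priv}, nil
}

// Sign hashes the document with SHA-256 and signs the digest with the
// private key: the signature depends on both the document and the key.
func (s *Signer) Sign(doc []byte) []byte {
	digest := sha256.Sum256(doc)
	return ed25519.Sign(s.private, digest[:])
}

// Verify recomputes the digest from the document the receiver actually has
// and checks the signature under the claimed sender's public key.
func Verify(pub ed25519.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return ed25519.Verify(pub, digest[:], sig)
}

// Outcome records the three checks a receiver cares about.
type Outcome struct {
	Genuine  bool // untouched document, sender's key
	Tampered bool // modified document, sender's key
	WrongKey bool // untouched document, a different party's key
}

// RunChecks signs a constructed document and reports how verification
// behaves for the genuine, tampered and wrong-key cases.
func RunChecks() (Outcome, error) {
	sender, err := NewSigner()
	if err != nil {
		return Outcome{}, err
	}
	other, err := NewSigner()
	if err != nil {
		return Outcome{}, err
	}
	doc := []byte("Invoice 1042: pay 1,000.00 to account 12345") // constructed sample
	sig := sender.Sign(doc)

	// Same signature, one digit changed after signing.
	tampered := []byte("Invoice 1042: pay 9,000.00 to account 12345")
	return Outcome{
		Genuine:  Verify(sender.Public, doc, sig),
		Tampered: Verify(sender.Public, tampered, sig),
		WrongKey: Verify(other.Public, doc, sig),
	}, nil
}

func main() {
	out, err := RunChecks()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine verifies:   %v\n", out.Genuine)  // true
	fmt.Printf("tampered verifies:  %v\n", out.Tampered) // false
	fmt.Printf("wrong key verifies: %v\n", out.WrongKey) // false
}
```

The receiver never needs the private key, which is why the signature is "under control of the sender" and why it cannot grant permissions: verification only answers "was this exact snapshot signed by the holder of this key?", and the application still has to decide separately what the sender is allowed to do.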
Reference: CISA Online Review Course, Module 5: Protection of Information Assets, Lesson 2: Encryption Basics, slides 13-14.
CISA Review Manual (Digital Version), Chapter 5: Protection of Information Assets, Section 5.2: Encryption Basics, p. 273-274.
CISA Review Manual (Print Version), Chapter 5: Protection of Information Assets, Section 5.2: Encryption Basics, p. 273-274.
CISA Questions, Answers & Explanations Database, Question ID: QAE_CISA_712.
What Is a Digital Signature (and How Does it Work)
What are digital signatures and certificates?
Digital Signature Definition
Examples and uses of electronic signatures
What is an Electronic Signature?
An IS auditor has been asked to advise on measures to improve IT governance within the organization.
Which of the following is the BEST recommendation?
- A . Benchmark organizational performance against industry peers
- B . Implement key performance indicators (KPIs).
- C . Require executive management to draft IT strategy
- D . Implement annual third-party audits.
C
Explanation:
The best recommendation to improve IT governance within the organization is C. Require executive management to draft IT strategy. IT governance is the process of establishing and maintaining the policies, roles, responsibilities, and accountabilities for managing technology risks within an organization [1]. One of the key objectives of IT governance is to ensure alignment and integration between technology and business strategies, leading to optimal outcomes and value creation [1]. Therefore, it is essential that executive management, who are responsible for setting the vision, mission, and goals of the organization, are also involved in drafting the IT strategy that supports and enables them. By requiring executive management to draft IT strategy, the organization can:
Ensure that the IT strategy is consistent and coherent with the business strategy, and reflects the organization’s priorities, values, and culture [2].
Enhance communication and collaboration between IT and business functions, and foster a shared understanding and commitment to the IT strategy [2].
Increase accountability and transparency for IT performance and outcomes, and ensure that IT investments are aligned with the organization’s risk appetite and value proposition [2].
Which of the following is MOST useful for determining whether the goals of IT are aligned with the organization’s goals?
- A . Balanced scorecard
- B . Enterprise dashboard
- C . Enterprise architecture (EA)
- D . Key performance indicators (KPIs)
A
Explanation:
The most useful tool for determining whether the goals of IT are aligned with the organization’s goals is a balanced scorecard. A balanced scorecard is a strategic management system that translates an organization’s vision and mission into a set of objectives and measures across four perspectives: financial, customer, internal process, and learning and growth. A balanced scorecard helps align IT goals with organizational goals by linking them to a common strategy map that shows how IT contributes to value creation and performance improvement in each perspective. A balanced scorecard also helps monitor and evaluate IT performance against predefined targets and indicators.
Enterprise dashboard, enterprise architecture (EA), and key performance indicators (KPIs) are not the most useful tools for determining whether the goals of IT are aligned with the organization’s goals. These tools may help communicate, design, or measure IT goals or activities, but they do not provide a comprehensive framework for aligning IT goals with organizational goals across multiple dimensions.
Which of the following should be the FIRST step when developing a data loss prevention (DLP) solution for a large organization?
- A . Conduct a data inventory and classification exercise.
- B . Identify approved data workflows across the enterprise.
- C . Conduct a threat analysis against sensitive data usage.
- D . Create the DLP policies and templates.
A
Explanation:
The first step when developing a DLP solution for a large organization is to conduct a data inventory and classification exercise. This step involves identifying and locating all the data assets that the organization owns, generates, or handles, and assigning them to different categories based on their sensitivity, value, and regulatory requirements [1]. Data inventory and classification is essential for DLP because it helps to determine the scope and objectives of the DLP solution, as well as the appropriate level of protection and monitoring for each data category [2]. Data inventory and classification also enables the organization to prioritize its DLP efforts based on the risk and impact of data loss or leakage [3].
Option B is not correct because identifying approved data workflows across the enterprise is a subsequent step after conducting data inventory and classification. Data workflows are the processes and channels through which data are created, stored, accessed, shared, or transmitted within or outside the organization [4]. Identifying approved data workflows helps to define the normal and legitimate use of data, as well as to detect and prevent unauthorized or anomalous data activities [5]. However, before identifying approved data workflows, the organization needs to know what data it has and how it should be classified.
Option C is not correct because conducting a threat analysis against sensitive data usage is another subsequent step after conducting data inventory and classification. Threat analysis is the process of identifying and assessing the potential sources, methods, and impacts of data loss or leakage incidents. Threat analysis helps to design and implement effective DLP controls and countermeasures based on the risk profile of each data category. However, before conducting threat analysis, the organization needs to know what data it has and how it should be classified.
Option D is not correct because creating the DLP policies and templates is the final step after conducting data inventory and classification, identifying approved data workflows, and conducting threat analysis. DLP policies and templates are the rules and configurations that specify how the DLP solution should monitor, detect, report, and respond to data loss or leakage events. DLP policies and templates should be aligned with the organization’s business needs, regulatory obligations, and risk appetite. However, before creating the DLP policies and templates, the organization needs to know what data it has, how it should be classified, how it should be used, and what threats it faces.
Reference: Data Inventory & Classification: The First Step in Data Protection
Data Classification: What It Is And Why You Need It
How to Prioritize Your Data Loss Prevention Strategy in 2020
What Is Data Workflow? Definition & Examples
How to Identify Data Workflows for Your Business
Threat Analysis: A Comprehensive Guide for Beginners
How to Conduct a Threat Assessment for Your Business
What Is Data Loss Prevention (DLP)? Definition & Examples
How to Create Effective Data Loss Prevention Policies
Which of the following findings should be of GREATEST concern to an IS auditor assessing the risk associated with end-user computing (EUC) in an organization?
- A . Insufficient processes to track ownership of each EUC application
- B . Insufficient processes to test for version control
- C . Lack of awareness training for EUC users
- D . Lack of defined criteria for EUC applications
D
Explanation:
The finding that should be of greatest concern to an IS auditor assessing the risk associated with end-user computing (EUC) in an organization is the lack of defined criteria for EUC applications. EUC applications are applications that are developed and maintained by end-users, rather than by IT professionals, to support their business functions and processes. Examples of EUC applications include spreadsheets, databases, reports, and scripts. The lack of defined criteria for EUC applications means that the organization does not have clear and consistent standards or guidelines to identify, classify, and manage EUC applications.
This can lead to various risks, such as:
Inaccurate or unreliable data and results from EUC applications that are not validated, verified, or tested
Unauthorized or inappropriate access or use of EUC applications that are not secured, controlled, or monitored
Inconsistent or incompatible data and results from EUC applications that are not integrated, documented, or updated
Loss or corruption of data and results from EUC applications that are not backed up, recovered, or archived
Therefore, the IS auditor should be most concerned about the lack of defined criteria for EUC applications, as it can affect the quality, integrity, and availability of the EUC applications and the data they produce.
Insufficient processes to track ownership of each EUC application is a finding that should be of concern to an IS auditor assessing the risk associated with EUC in an organization, but it is not the greatest concern. The ownership of an EUC application refers to the person or group who is responsible for creating, maintaining, and using the EUC application. Insufficient processes to track ownership of each EUC application means that the organization does not have adequate mechanisms or records to identify and communicate who owns each EUC application.
This can lead to risks, such as:
Lack of accountability or ownership for the quality and accuracy of the EUC application and its data
Lack of support or maintenance for the EUC application when the owner leaves or changes roles
Lack of awareness or training for the users of the EUC application on its purpose and functionality
However, these risks are less severe than those caused by the lack of defined criteria for EUC applications.
Insufficient processes to test for version control is a finding that should be of concern to an IS auditor assessing the risk associated with EUC in an organization, but it is not the greatest concern. Version control is a process that tracks and manages the changes made to an EUC application over time. Insufficient processes to test for version control means that the organization does not have adequate procedures or tools to ensure that the changes made to an EUC application are authorized, documented, and tested.
This can lead to risks, such as:
Errors or inconsistencies in the data and results from different versions of the EUC application
Conflicts or confusion among the users of the EUC application on which version is current or correct
Loss or overwrite of data and results from previous versions of the EUC application
However, these risks are less severe than those caused by the lack of defined criteria for EUC applications.
Lack of awareness training for EUC users is a finding that should be of concern to an IS auditor assessing the risk associated with EUC in an organization, but it is not the greatest concern. Awareness training for EUC users is a process that educates and informs the users of the EUC applications on their roles, responsibilities, and risks. Lack of awareness training for EUC users means that the organization does not have adequate programs or materials to raise the knowledge and skills of the users on how to use and manage the EUC applications effectively and securely. This can lead to risks, such as:
Misuse or abuse of the EUC applications by users who are not aware of their impact or implications
Non-compliance or violation of policies or regulations by users who are not aware of their requirements or expectations
Dissatisfaction or frustration among users who are not aware of their benefits or limitations
However, these risks are less severe than those caused by the lack of defined criteria for EUC applications.
Reference: End-user computing – Wikipedia
How to Manage the Risks Associated with End User Computing
Managing end user computing risks – KPMG UK
If source code is not recompiled when program changes are implemented, which of the following is a compensating control to ensure synchronization of source and object code?
- A . Comparison of object and executable code
- B . Review of audit trail of compile dates
- C . Comparison of date stamping of source and object code
- D . Review of developer comments in executable code
C
Explanation:
Source code synchronization is the process of ensuring that the source code and the object code (the compiled version of the source code) are consistent and up to date [1]. When program changes are implemented, the source code should be recompiled to generate new object code that reflects the changes. However, if the source code is not recompiled, there is a risk that the object code may be outdated or incorrect. A compensating control is a measure that reduces the risk of an existing control weakness or deficiency [2]. A compensating control for source code synchronization is to compare the date stamping of the source and object code. Date stamping is a method of recording the date and time when a file is created or modified [3]. By comparing the date stamping of the source and object code, one can verify whether they are synchronized. If the date stamp of the source code is newer than that of the object code, the source code has been changed but not recompiled. If the date stamp of the object code is newer than that of the source code, the object code has been compiled from a different source code. If the date stamps of both files are identical, they are synchronized.
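The three-way date-stamp comparison above, written out as an added example (not code from the original page or from any ISACA publication) so an auditor can see how the control is operationalized. It uses only the Go standard library; the file names, contents and timestamps are constructed for the demonstration, and `os.Chtimes` is used to pin the date stamps so the result does not depend on when the program happens to run.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"time"
)

// SyncStatus applies the three cases from the explanation to the
// modification times of a source file and the object file built from it.
func SyncStatus(srcMod, objMod time.Time) string {
	switch {
	case srcMod.After(objMod):
		return "source newer than object: source changed but not recompiled"
	case objMod.After(srcMod):
		return "object newer than source: object built from a different source"
	default:
		return "synchronized: source and object carry the same date stamp"
	}
}

// CompareFiles reads the date stamps from the file system and classifies them.
func CompareFiles(srcPath, objPath string) (string, error) {
	src, err := os.Stat(srcPath)
	if err != nil {
		return "", err
	}
	obj, err := os.Stat(objPath)
	if err != nil {
		return "", err
	}
	return SyncStatus(src.ModTime(), obj.ModTime()), nil
}

// RunScenarios creates a constructed source/object pair in a temp directory,
// sets their date stamps for each scenario, and returns the classification.
func RunScenarios() (map[string]string, error) {
	dir, err := os.MkdirTemp("", "srcsync")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(dir)

	src := filepath.Join(dir, "payroll.cbl") // constructed file names
	obj := filepath.Join(dir, "payroll.obj")
	for _, p := range []string{src, obj} {
		if err := os.WriteFile(p, []byte("constructed"), 0o600); err != nil {
			return nil, err
		}
	}

	base := time.Date(2024, 1, 15, 9, 0, 0, 0, time.UTC) // constructed build time
	scenarios := []struct {
		name       string
		srcT, objT time.Time
	}{
		{"recompiled", base, base},                         // normal change control
		{"edited-after-build", base.Add(2 * time.Hour), base}, // the risk the control targets
		{"foreign-object", base, base.Add(2 * time.Hour)},     // object not built from this source
	}

	results := map[string]string{}
	for _, sc := range scenarios {
		if err := os.Chtimes(src, sc.srcT, sc.srcT); err != nil {
			return nil, err
		}
		if err := os.Chtimes(obj, sc.objT, sc.objT); err != nil {
			return nil, err
		}
		status, err := CompareFiles(src, obj)
		if err != nil {
			return nil, err
		}
		results[sc.name] = status
	}
	return results, nil
}

func main() {
	results, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"recompiled", "edited-after-build", "foreign-object"} {
		fmt.Printf("%-20s %s\n", name, results[name])
	}
}
```

Because the control rests on file system metadata, its evidential value depends on date stamps being preserved: a copy or restore that resets modification times would make an out-of-date object file look synchronized, so an auditor relying on this check should confirm how files reach the production library.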
Which of the following is the PRIMARY role of the IS auditor in an organization’s information classification process?
- A . Securing information assets in accordance with the classification assigned
- B . Validating that assets are protected according to assigned classification
- C . Ensuring classification levels align with regulatory guidelines
- D . Defining classification levels for information assets within the organization
B
Explanation:
Validating that assets are protected according to assigned classification is the primary role of the IS auditor in an organization’s information classification process. An IS auditor should evaluate whether the information security controls are adequate and effective in safeguarding the information assets based on their classification levels. The other options are not the primary role of the IS auditor, but rather the responsibilities of the information owners, custodians, or security managers.
Reference: CISA Review Manual (Digital Version), Chapter 6, Section 6.2.31
CISA Review Questions, Answers & Explanations Database, Question ID 206
An organization allows programmers to change production systems in emergency situations without seeking prior approval.
Which of the following controls should an IS auditor consider MOST important?
- A . Programmers’ subsequent reports
- B . Limited number of super users
- C . Operator logs
- D . Automated log of changes
A firewall between internal network segments improves security and reduces risk by:
- A . logging all packets passing through network segments
- B . inspecting all traffic flowing between network segments and applying security policies
- C . monitoring and reporting on sessions between network participants
- D . ensuring all connecting systems have appropriate security controls enabled.
B
Explanation:
A firewall between internal network segments improves security and reduces risk by inspecting all traffic flowing between network segments and applying security policies. This will prevent unauthorized or malicious access, data leakage, or network attacks from compromising the network resources or data. Logging all packets passing through network segments may provide audit trails and evidence, but not prevent or mitigate security incidents. Monitoring and reporting on sessions between network participants may help to identify anomalous or suspicious activities, but not block or filter them. Ensuring all connecting systems have appropriate security controls enabled may enhance the overall network security posture, but not isolate or segregate different network segments.
Reference: Info Technology & Systems Resources | COBIT, Risk, Governance … – ISACA, section “Book COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution | Digital | English”
