Prepare for the Isaca Certified Information Systems Auditor exam with our extensive collection of questions and answers. These practice Q&A are updated according to the latest syllabus, providing you with the tools needed to review and test your knowledge.
QA4Exam focuses on the latest syllabus and exam objectives; our practice Q&A are designed to help you identify key topics and solidify your understanding. By focusing on the core curriculum, these Questions & Answers help you cover all the essential topics, ensuring you're well-prepared for every section of the exam. Each question comes with a detailed explanation, offering valuable insights and helping you to learn from your mistakes. Whether you're looking to assess your progress or dive deeper into complex topics, our updated Q&A will provide the support you need to confidently approach the Isaca CISA exam and achieve success.
Which of the following controls is MOST crucial to ensure an organization will be able to recover its data from backup media in the event of a disaster?
The best answer is C. Periodically restoring backup media for key databases.
ISACA guidance is very clear that backup restoration should be tested periodically. A backup is only useful if it can actually be restored successfully within business needs. Organizations sometimes assume that because backups exist, recovery is assured, but ISACA specifically warns that recovery procedures and restoration capability must be tested.
Option A is important for resilience, but offsite storage does not prove the backup is recoverable. Option B helps administration and tracking, but inventory alone does not validate restorability. Option D protects confidentiality of backup data, but it does not ensure successful recovery. The strongest control for recoverability is periodic test restoration.
References (Official ISACA):
ISACA, Ensuring Data Security: The Importance of Cloud Backups and Drill Testing
ISACA Journal, Governance of Key Aspects of System Patch Management (recommends periodic testing of backup restoration)
ISACA Journal, IS Audit Basics: Backup and Recovery
In a 24/7 processing environment, a database contains several privileged application accounts with passwords set to never expire. Which of the following recommendations would BEST address the risk with minimal disruption to the business?
The best recommendation to address the risk of privileged application accounts with passwords set to never expire in a 24/7 processing environment is to introduce database access monitoring into the environment. Database access monitoring is a security control that tracks and records all activities and transactions performed on a database, especially by privileged users or accounts. Database access monitoring can help address the risk of privileged application accounts with passwords set to never expire by detecting and alerting on any unauthorized or abnormal access or actions on the database.

The other options are not as effective as database access monitoring in addressing the risk, as they may cause disruption to the business or violate the access management policy. Modifying applications to no longer require direct access to the database is a complex and costly solution that may affect the functionality or performance of the applications, and it may not be feasible or practical in a 24/7 processing environment. Modifying the access management policy to make allowances for application accounts is a risky solution that may create exceptions or loopholes in the policy, and it may not comply with the best practices or standards for password management. Scheduling downtime to implement password changes is a disruptive solution that may affect the availability or continuity of the systems or applications, and it may not be acceptable or possible in a 24/7 processing environment.

Reference: CISA Review Manual (Digital Version), Chapter 5, Section 5.2.4
Which of the following should be given GREATEST consideration when implementing the use of an open-source product?
Support should be given the greatest consideration when implementing the use of an open-source product, as open-source software may not have the same level of technical support, maintenance, and updates as proprietary software [1]. Open-source software users may have to rely on the community of developers and users, online forums, or third-party vendors for support, which may not be timely, reliable, or consistent [2]. Therefore, before implementing an open-source product, users should evaluate the availability and quality of support options, such as documentation, forums, mailing lists, bug trackers, chat channels, etc. [3]
Which of the following approaches would present the GREATEST concern for the implementation of a quality assurance (QA) function?
A strong QA function requires an independent review of changes to avoid bias and ensure objectivity.
Option A (Correct): If developers review their own changes, there is a high risk of bias and overlooking issues, making this the greatest concern. This violates separation of duties and best practices for quality assurance.
Option B (Incorrect): Peer reviews within the same team reduce risk since fresh eyes review the changes, though it is not as strong as an external review.
Option C (Incorrect): Having developers from a separate team review the code provides better objectivity and reduces risks associated with self-review.
Option D (Incorrect): While non-developers may lack technical expertise, their review ensures independence, making it a stronger control than self-review.
Which of the following is the BEST indication of effective governance over IT infrastructure?
Effective governance over IT infrastructure is indicated by the ability to deliver continuous, reliable performance [1][2]. This is because good governance ensures that IT investments support business objectives and produce measurable results towards achieving their strategies [2]. It involves implementing management and internal controls, strengthening security, financial controls, risk mitigation, and inspection and compliance obligations [3]. While security awareness programs, the number of servers, and the number of security incidents can be aspects of IT governance, they are not the best indicators of its effectiveness.
References:
[1] ISACA, The Value of IT Governance
[2] CIO, What is IT governance? A formal way to align IT and business strategy
[3] KPMG Global, Robust Governance