Isaca CISA Online Access

A comprehensive asset inventory is the most important factor for the successful establishment of a security vulnerability management program. A security vulnerability management program is a systematic process of identifying, assessing, prioritizing, and remediating vulnerabilities in the organization’s IT environment1. A comprehensive asset inventory is a complete and accurate record of all the hardware, software, and network components that the organization owns or uses2. A comprehensive asset inventory helps the organization to:

Know what assets are in scope for vulnerability scanning and assessment3.

Identify the vulnerabilities that affect each asset and their severity level4.

Prioritize the remediation of vulnerabilities based on the criticality and value of each asset.

Track the status and progress of vulnerability remediation for each asset.

Measure the effectiveness and maturity of the vulnerability management program.

A robust tabletop exercise plan is a simulated scenario that tests the organization’s preparedness and response capabilities for a potential cyberattack or incident. A tabletop exercise plan is useful for validating and improving the organization’s incident response plan, but it is not essential for establishing a security vulnerability management program.

A tested incident response plan is a documented process that defines the roles, responsibilities, and actions of the organization’s personnel in the event of a cyberattack or incident. A tested incident response plan is important for minimizing the impact and restoring normal operations after a security breach, but it is not critical for establishing a security vulnerability management program.

An approved patching policy is a set of rules and guidelines that governs how the organization applies patches and updates to its IT systems and applications. An approved patching policy is a key component of the remediation phase of the vulnerability management program, but it is not sufficient for establishing a security vulnerability management program.

The recovery time objective (RTO) is the most important consideration when making a decision to invest in a hot site due to service criticality. The RTO is the maximum acceptable time that an IT service or process can be unavailable or disrupted before it causes significant damage to the business operations and objectives. A hot site is a fully equipped and operational backup facility that can be activated immediately in the event of a disaster or disruption. A hot site can help an organization achieve a very low RTO, as it can resume the service with minimal or no downtime. The maximum tolerable downtime (MTD) is the maximum acceptable time that an IT service or process can be unavailable or disrupted before it causes intolerable damage to the business operations and objectives. The MTD is usually longer than the RTO, as it represents the worst-case scenario. The recovery point objective (RPO) is the maximum acceptable amount of data loss that an IT service or process can tolerate in the event of a disaster or disruption. The RPO is measured in terms of time, such as hours or minutes, and indicates how frequently the data should be backed up or replicated. The mean time to repair (MTTR) is the average time that it takes to restore an IT service or process after a failure ordisruption. The MTTR is a measure of the efficiency and effectiveness of the recovery process, but it does not reflect the service criticality or the business impact. References: IS Audit and Assurance Tools and Techniques, CISA Certification | Certified Information Systems Auditor | ISACA

Data caching is the most likely cause of poor performance, data inconsistency and integrity issues in an IT application, because it involves storing frequently accessed data in a temporary memory location (cache) to reduce the latency and bandwidth consumption of retrieving data from the original source. However, data caching can also introduce problems such as stale data (when the cache is not updated with changes made to the original source), cache coherence (when multiple caches store copies of the same data and need to be synchronized), and cache corruption (when the cache is damaged or tampered with).

Database clustering is not a likely cause of poor performance, data inconsistency and integrity issues, because it involves distributing data across multiple servers or nodes to improve availability, scalability and load balancing of database operations. Database clustering can also enhance data consistency and integrity by using replication and synchronization mechanisms to ensure that all nodes have the same view of the data.

Reindexing of the database table is not a likely cause of poor performance, data inconsistency and integrity issues, because it involves rebuilding or reorganizing indexes on tables or views to improve query performance and reduce fragmentation of index pages. Reindexing can also improve data consistency and integrity by ensuring that indexes reflect the current state of the data in the tables or views.

Load balancing is not a likely cause of poor performance, data inconsistency and integrity issues, because it involves distributing workloads across multiple servers or resources to optimize resource utilization, throughput and response time of applications. Load balancing can also enhance data consistency and integrity by using algorithms and protocols to route requests to the most appropriate server or resource based on availability, capacity and performance.

References:

Data Caching

Database Clustering

Reindexing Database Tables in SQL Server

[Load Balancing]

The primary objective of implementing privacy-related controls within an organization is to comply with legal and regulatory requirements that protect the rights and interests of individuals whose personal data are collected, processed, stored, shared or disposed by the organization. Privacy-related controls are based on principles such as lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality and accountability. These principles aim to ensure that personal data are processed in a manner that respects the privacy of individuals and complies with the applicable laws and regulations in different jurisdictions. Preventing confidential data loss, identifying data at rest and data in transit for encryption, and providing options to individuals regarding use of their data are examples of specific privacy-related controls that support the primary objective of compliance. References: Privacy Regulatory Lookup Tool, CDPSE Official Review Manual, 2nd Edition