Which of the following requires a consensus by key stakeholders on IT strategic goals and objectives?
Correct Answer: D
Question 622
An IS auditor is evaluating an enterprise resource planning (ERP) migration from local systems to the cloud. Who should be responsible for the data classification in this project?
Correct Answer: C
Explanation: The best option for the question is C, information owner. This is because: The information owner is the person or entity that has the authority and responsibility for the business processes and functions that collect, use, store, and dispose of data. The information owner is accountable for ensuring that the data is handled in compliance with the applicable laws, regulations, policies, and standards, such as the GDPR and the PIPEDA. The information owner is in the best position to determine the purpose and necessity of collecting and retaining data, as well as the risks and benefits associated with it. The information owner should consult with other stakeholders, such as the risk manager, the database administrator (DBA), and the privacy manager, to establish and implement appropriate data classification policies and procedures. Data classification is the process of organizing data in groups based on their attributes and characteristics, and then assigning class labels that describe a set of attributes that hold true for the corresponding data sets. Data classification helps organizations to identify, manage, protect, and understand their data, as well as to comply with modern data privacy regulations. Data classification also helps to determine appropriate user access levels, which means defining who can access, modify, share, or delete data based on their roles, responsibilities, and needs. Therefore, the information owner should be responsible for the data classification in an ERP migration project from local systems to the cloud (option C), as they have the authority and accountability for the data and its protection.
The other options are not correct because: The information security officer (option A) is responsible for overseeing and coordinating the security policies and practices of the organization that involve data. The information security officer should advise and assist the information owner on the best practices and standards for data security, but not determine the data classification. The database administrator (DBA) (option B) is responsible for installing, configuring, monitoring, maintaining, and improving the performance of databases and data stores that contain data. The DBA should support the information owner in implementing and enforcing the data classification policies and procedures, but not determine them. The data architect (option D) is responsible for designing, modeling, and documenting the logical and physical structures of databases and data stores that contain data. The data architect should collaborate with the information owner in creating and maintaining the data classification schema and metadata, but not determine them.
Question 623
Coding standards provide which of the following?
Correct Answer: D
Coding standards provide field naming conventions, which are rules for naming variables, constants, functions, classes, and other elements in a program. Coding standards help to ensure consistency, readability, maintainability, and portability of code. Program documentation, access control tables, and data flow diagrams are not part of coding standards. References: CISA Review Manual (Digital Version), Chapter 4, Section 4.3.1
Question 624
Which of the following is the initial step in creating a firewall policy?
Correct Answer: B
The applications required across the network should be identified first. After identification, depending on the physical location of these applications in the network and the network model, the person in charge will be able to understand the need for, and possible methods of, controlling access to these applications. Having identified the applications, the next step is to identify the vulnerabilities (weaknesses) associated with those network applications. Identifying methods to protect against the identified vulnerabilities, together with their comparative cost-benefit analysis, is the third step. The next step is to analyze the application traffic and create a matrix showing how each type of traffic will be protected.
Question 625
Which of the following is the PRIMARY objective when encrypting a database?