CIA IIA-CIA-Part3 Book

The auditor's observation indicates that backup media is stored on-site in the data center, which is a major risk in disaster recovery and business continuity planning (BCP). Best practices recommend storing backup media off-site to prevent data loss due to fires, floods, cyberattacks, or other disasters affecting the primary site.

Off-Site Storage Reduces Disaster Risks:

Keeping backups only at the primary data center means that any physical disaster (fire, flood, theft, or power surge) can destroy both primary and backup data.

Best practices require off-site or cloud-based backup storage to ensure data recovery in case of emergencies.

Regulatory and Compliance Considerations:

IIA Standard 2110 (Governance): Emphasizes disaster recovery policies to protect critical IT assets.

ISO/IEC 27001 (Information Security Management System): Recommends storing backups in a geographically separate location.

NIST SP 800-34 (Contingency Planning Guide for Federal Information Systems): Requires off-site storage to ensure effective disaster recovery.

Why the Other Options Are Incorrect:

B. Backup procedures are adequate and appropriate according to best practices: ❌

Incorrect, as on-site-only storage violates best practices for disaster recovery.

C. Backup media is not properly indexed, as backup media should be indexed by system, not date: ❌

While indexing is important, the main issue here is improper storage, not indexing methods.

D. Backup schedule is not sufficient, as full backup should be conducted daily: ❌

Backup frequency depends on business needs; a weekly backup is common for many organizations.

However, the biggest concern here is lack of off-site storage, not frequency.

IIA GTAG (Global Technology Audit Guide) on Business Continuity and Disaster Recovery: Recommends off-site storage for backups.

ISO/IEC 27001 – Information Security Controls (A.12.3.1): Requires backup data to be securely stored off-site.

COBIT 5 Framework – DSS04 (Manage Continuity): Supports off-site backups for IT continuity.

Step-by-Step Justification:IIA References:Thus, the correct answer is A. Backup media is not properly stored, as the storage facility should be off-site. ✅

If an organization has an immediate need for servers but lacks time for a capital acquisition, the best solution is Infrastructure as a Service (IaaS).

On-Demand Computing Power: IaaS provides virtual servers, storage, and networking resources on a pay-as-you-go basis, eliminating the need for capital purchases.

Scalability & Flexibility: The organization can quickly deploy the necessary infrastructure without long procurement processes.

Reduced IT Management Overhead: The cloud provider manages the hardware, while the organization manages the applications and data.

Option B (Platform as a Service – PaaS): PaaS offers a development environment for building applications, not infrastructure (e.g., servers and networking).

Option C (Enterprise as a Service – EaaS): EaaS is not a standard cloud service model recognized by NIST (National Institute of Standards and Technology) or ISO 17788.

Option D (Software as a Service – SaaS): SaaS provides software applications over the internet (e.g., Gmail, Microsoft 365) but does not address server needs.

IIA’s Global Technology Audit Guide (GTAG) on Cloud Computing emphasizes IaaS as a viable solution for organizations requiring immediate infrastructure deployment.

NIST Special Publication 800-145 (Cloud Computing Definition) defines IaaS as a method to deliver computing resources efficiently without physical acquisition.

IIA Standard 2110 – IT Governance: Highlights the importance of agile IT solutions for meeting business needs, including cloud computing.

Why Option A is Correct (IaaS):Why Other Options Are Incorrect:IIA References:Thus, the most appropriate answer is A. Infrastructure as a Service (IaaS).

A router and a switch serve different functions in a network.

A router is responsible for connecting multiple networks together and directing data packets between them. It determines the best path for data to travel using IP addresses.

A switch, on the other hand, operates within a single network and connects devices like computers, printers, and servers. It uses MAC addresses to forward data within the local network (LAN).

A. A router operates at layer two, while a switch operates at layer three of the OSI model – Incorrect. A switch operates at Layer 2 (Data Link Layer), while a router operates at Layer 3 (Network Layer).

B. A router transmits data through frames, while a switch sends data through packets – Incorrect. Switches use frames at Layer 2, while routers use packets at Layer 3.

C. A router connects networks, while a switch connects devices within a network (Correct Answer) – This correctly differentiates their functions.

D. A router uses a media access control (MAC) address during the transmission of data, while a switch uses an internet protocol (IP) address – Incorrect. A switch uses MAC addresses, and a router uses IP addresses.

IIA GTAG 17 – Auditing IT Governance discusses network security and the role of routers and switches.

COBIT 2019 – DSS01 (Managed Operations) emphasizes secure and efficient network management.

NIST SP 800-53 – Security Controls for IT Systems includes guidelines on network architecture and device functionality.

Explanation of Each Option:IIA References:

Understanding Information Security Responsibilities:

Executive management sets the overall strategy and ensures resources are allocated for information security.

Internal auditors provide independent assurance on security effectiveness.

The board provides oversight and ensures that security risks are managed appropriately.

Line management is responsible for day-to-day operations, including the review and monitoring of security controls to ensure compliance with security policies.

Why Reviewing and Monitoring Security Controls is a Line Management Function:

Line management directly oversees operational security measures, ensuring that established controls are functioning effectively.

They address security gaps, enforce security policies, and report issues to senior management when necessary.

This aligns with IIA Standard 2120 – Risk Management, which requires management to implement and monitor risk mitigation controls.

Why Other Options Are Incorrect:

B. Dedicate sufficient security resources: This is the responsibility of executive management, as they control resource allocation.

C. Provide oversight to the security function: The board and executive management provide oversight, not line management.

D. Assess information control environments: Internal auditors assess control environments, ensuring compliance and effectiveness.

IIA Standards and References:

IIA Standard 2110 – Governance: Emphasizes the board’s role in overseeing security.

IIA Standard 2120 – Risk Management: States that management must monitor security risks.

IIA GTAG (Global Technology Audit Guide) on Information Security (2016): Outlines that line management is responsible for monitoring security controls on a daily basis.

Thus, the correct answer is A: Review and monitor security controls.