Isaca Certification CISA Book

The best way to evaluate the effectiveness of a newly developed application is to review acceptance testing results. Acceptance testing is a process of verifying that the application meets the specified requirements and expectations of the users and stakeholders. Acceptance testing results can provide evidence of the functionality, usability, reliability, performance, security and quality of the application. Performing a post-implementation review, analyzing load testing results, and performing a secure code review are also important activities for evaluating an application, but they are not as comprehensive or conclusive as acceptance testing results.

Tabletop exercises are a type of simulation used to test an organization’s incident response plan12. They involve key stakeholders in a hypothetical scenario to see how they would respond12. This allows management to assess the effectiveness of the incident response process and identify areas for improvement12. Regularly conducting these exercises ensures that the organization is prepared for a real incident and that the incident response process remains effective over time12.

 Implementing solutions to correct defects is a responsibility of the development function, not the quality assurance (QA) function. The QA function should ensure that the development process follows the established standards and methodologies, and that the defects are identified and reported. The QA function should not be involved in fixing the defects, as this would compromise its independence and objectivity. The other options are valid responsibilities of the QA function, and they should not raise concern for an IS auditor. References: CISA Review Manual (Digital Version) 1, page 300.

The role of a document owner when implementing a data classification policy in an organization is to classify documents to correctly reflect the level of sensitivity of information they contain. A document owner is the person who is ultimately responsible for the creation, maintenance, and protection of a document, usually a member of senior management or a business unit1. A data classification policy is a plan that defines how the organization categorizesits data based on its value, risk, and regulatory requirements, and how it handles and secures each data category2.

According to the data classification policy template by Netwrix3, one of the roles and responsibilities of the document owner is to assign data classification labels based on the data’s potential impact level. Data classification labels are tags or markings that indicate the sensitivity level of the data, such as public, internal, confidential, or restricted. The document owner should apply the data classification labels to the documents that contain the data, either manually or automatically, using tools and methods such as metadata, watermarks, headers, footers, or encryption. The document owner should also review and update the data classification labels periodically or whenever there is a change in the data’s sensitivity level.

By classifying documents to correctly reflect the level of sensitivity of information they contain, the document owner can help to ensure that the documents are handled in accordance with the data classification policy. This means that the documents are stored, accessed, shared, transmitted, and disposed of in a secure and appropriate manner, based on the rules and controls defined for each data category. This can also help to prevent data loss, leakage, or breach incidents that may cause harm or damage to the organization or its stakeholders.

Therefore, option A is the correct answer.