Is the real CISA exam as vague as the practice questions?

From ISACA Q&A DB:

During an audit of a telecommunications system, an IS auditor finds that the risk of intercepting data transmitted to and from remote sites is very high. The MOST effective control for reducing this exposure is:

A. encryption
B. callback modems
C. message authentication
D. dedicated leased lines

I chose D because that provides a private point to point connection between the remote sites that is hard to intercept.

ISACA's answer was A. with an explanation of "Encryption of data is the most secure method of protecting confidential data from exposure"

ISACAs explanation of why D is incorrect was "It is more difficult to intercept traffic traversing a dedicated leased line than it is to intercept data on a shared network, but the only way to really protect the confidentiality of data is to encrypt it"

The question does not mention anything about the confidentiality of the data, but does mention risk of interception is high and wanted to know the best way to reduce that exposure... As I understand it, encrypting data does not reduce the risk of interception, it reduces the risk of confidential data being read by an unauthorized party. A dedicated leased line reduces the risk of data (encrypted or not) from being intercepted since it would require a direct tap into a private line.

I will admit not all questions are like this as I am doing well as I go through the database but the inconsistency of the questions makes it harder, or least makes me second guess, what the correct answer is as I think to myself "gee, I wonder what assumption I need to make here to get to the right answer?".

Hopefully the real test is less ambiguous.

Find more posts tagged with

Comments

wd40

To me the clear answer is A.

I think if the data is encrypted in a proper way then basically some bits are intercepted and not data.

If you tap into a leased line without encryption then you have a problem, of course you can have both, encrypted data over a leased line.

Regarding the exam, you will see some weird questions, but ISACA will do some magical calculations to weed out the results of these weird questions.

636-555-3226

FWIW, with other ISACA tests I've taken I'm fairly certain the Q&A database is made up at least in part of questions from past real tests that didn't test well. In other words, it is my theory that the question you (shouldn't have) directly written down here was used on a test a few years ago. For whatever reason everybody did a bad job on that question (so 25% of people picked A, 25% B, 25% D, 25%D) so they pulled it from the real test bank and put it in the practice test bank.

Translating that, a lot of the practice questions might not be the best phrased or have the clearest answers, so you can expect to have a few duds in there. Hopefully that likewise means the real questions aren't as vague or ambiguous.....

Mike7

the inconsistency of the questions

That is because you are reading the questions at a surface level without going into the implications, i.e. the impact.

IS auditor finds that the risk of intercepting data transmitted to and from remote sites is very high.

What is the risk of data interception to an auditor? The risk concerns confidentiality.
So do you reduce the risk of interception or reduce the risk of data leakage?
To an auditor, ensuring confidentiality is the desired goal.
So how do we reduce the risk?

encrypting data does not reduce the risk of interception, it reduces the risk of confidential data being read by an unauthorized party

Yes, you can intercept the encrypted traffic but are you able to read the data?
Unless you can crack the encryption, the confidentiality risk is very minimal. It may be slightly more difficult to intercept leased line traffic, but you need to think about physical security. Someone can still walk into your remote site exchange and tap into your unencrypted traffic and read the data.

So which way is more effective to ensure confidentiality? Physical security (leased line) or technical security (encryption)?

Hopefully the real test is less ambiguous.

Sorry bro. This is your typical ISACA question.

It is very clear and not ambiguous if you have the right mindset. Read the questions from the perspective of an IT auditor before answering them.

TheFORCE

Its obviously A. No other amswer comes close.

dustervoice

Information on dedicated lease line can be intercepted and read by your ISP if not encrypted. So the correct answer is A. To be honest, this is one of the more clearer isaca questions. Ive seen some that makes absolutely no sense.

Aaronsmity

Thanks for the input and explanations... it does make sense, especially within the context of risk vs impact as Mike depicted but I still would not be surprised to see ISACA change this question or the answer though - wouldn't be the first time as I have already came across an exact same question whose answer was changed from one year to the next in the DB "http://www.techexams.net/forums/isaca-cisa-cism/103352-pattern-questions-cisa.html#post935893"

636-555-3226

Aaronsmity wrote: »

From ISACA Q&A DB:

During an audit of a telecommunications system, an IS auditor finds that the risk of intercepting data transmitted to and from remote sites is very high. The MOST effective control for reducing this exposure is:

A. encryption
B. callback modems
C. message authentication
D. dedicated leased lines

I disagree with everybody saying it's CLEARLY A. The question quite specifically states the risk regards data being intercepted. The question is how do you reduce the risk of data being intercepted. Yes, encryption will help AFTER the data is intercepted, but it doesn't do jack for controlling the initial risk of data being intercepted. I can see the argument for the answer being D for dedicated leased lines. Yes, the ISP can intercept the data, but not many other people will be able to, so a dedicated leased line will help reduce the overall risk of data being intercepted.

Mike7

Just have to read questions "the ISACA way". I once talked to someone who was responsible for CISA exam questions.
As I understand, the questions are contributed by experienced practitioners so the answers are from their perspective.
The answers may change from time to time because of industry trends or different contributors.

If you are an auditor/risk manager, will you suggest leased line or encryption to top management ?

What questions will management ask? "what is the impact from data interception?" "data breach implications" "which option is more cost effective and yet meet compliance requirements?" "what is the current industry practice?"

As it is, the current trend is encryption. And there are certain regulations that require data to be encrypted "in transit" and "at rest".

the ISP can intercept the data, but not many other people will be able to,

In a previous engagement, the dedicated leased lines are network cables going into a network router at a customer site. Not fiber. Someone can tap into this network.

dustervoice

When I looked up the definition of Exposure I see

Exposure:
1. The state of having no protection from something harmful
2: The revelation of something secret

Regarding the question, the Exposure of concern is the confidentiality of the information not the interception. I think after taking a few isaca exams you know exactly what they are looking for but like i said before i've seen questions 10 times worse than this. In the real world the best answer would be both A&D.

itsexamtime

I hope to god that the questions are written better on the real test. I would say that 40% of the practice questions are super vague or totally SUBJECTIVE to the person writing the question. Many times I feel that the answer and explanation they give is wrong. I have been in this field many years and UNDERSTAND every single question, but since they used vague answers/questions and "BEST", "MOST", etc it gets way too subjective.

dustervoice

They are written the same way on the real thing... thats why theyve provided practise questions so you can become familiar with the tone and style and think the ISACA way. Good luck mate

itsexamtime

Thanks for the heads up. I'll probably fail then because I disagree with alot of what they say. I have 10+ years of experience, CISSP and CCNA, and these test bank questions make me want to scream at the stupidity 40% of the time.

coffeeisgood

besides the official Q&A in the study guide (& separate) Q&A.... any study questions worth a look?

(another manual?, CCCure? suggestions welcome)

matt18e

I would have picked A, but yes, I felt that the questions on the actual exam were even more vague than the practice questions... I passed the CISSP on the first try after taking a 9 day crash course and then taking the test the following Monday. I took a 2 week ISACA sponsored CISM course last December and studied off and on for almost 6 months. I took the June 11, 2016 test. I felt much more comfortable coming out of the CISSP. The CISM test was more difficult to me. Hopefully I'll find out in the next week or so if I passed.