Really confused about multiple questions in the ISACA's official question database
I am really confused about multiple things on the official question database.
It seems like some (almost 25%) questions and answers are simply contradicting each other.
I just want to share something that I encountered today.
I was trying to figure out the right answer to a question which looked really similar to another question which I answered incorrectly a couple of days ago.
The question was asking about the most effective method to prevent a developer from making unauthorised changes to production data.
The 2 possible answers below were present in both questions:
1. Ask the developer to sign a letter or an NDA not to misuse the data
2. Log the programmer's access to the production environment and ask his/her supervisor to review it regularly
In the first question the answer was the first choice, and the justification stated that contractual or written agreements are the best way to control developer behaviour. Furthermore, the justification for not choosing the second answer was simply explained as access reviews not being as effective as the first option, and added that access reviews can only be considered a detective control.
In another question (very similar to the first one), access reviews were suggested as the best option.
I have seen many contradicting questions and answers (or scenarios) in the study guide; it really looks like some questions were designed by 2 completely different teams with 2 completely different mindsets.
As a CISSP-certified IS Manager, I know the importance of getting into the mindset of the certification agency, but I am really disappointed to say ISACA is nowhere close to ISC2 in relation to setting their standards, as it looks like they haven't even made up their mind on how to approach various complex business and IT solutions.
Comments
The log review option (an audit control) does not prevent misuse from occurring (unless you were to also consider it a deterrent control) and only detects that misuse has occurred and educates the programmer about misuse after the fact.
The key point is the word "prevent" to pick the slightly better option. The NDA would be better at proactively preventing data misuse than a process that catches data misuse only after it has happened.
Forum Admin at www.techexams.net
--
LinkedIn: www.linkedin.com/in/jamesdmurray
Twitter: www.twitter.com/jdmurray
I would have posted screenshots of both questions here, but it might be in violation of the terms and conditions of ISACA.