Really confused about multiple questions in the ISACA's official question database

Hunter85Hunter85 Member Posts: 60 ■■■□□□□□□□
I am really confused about multiple things on the official question database

It seems like some (almsot 25%) questions and answers are simply contradicting each other

I just want to share something that I encountered today

I was trying to figure out the right answer to a question which looked really similar to another question which I answered incorrectly couple of days ago

The question was asking about the most effective method to prevent a developer from making unauthorised changes to production data

Below 2 possible answers were present in both answers

1. Ask the developer to sign a letter or an NDA not to miss-use the data
2. Log the programmer access to production environment and ask his/her supervisor to review it regularly

In the first question the answer was the first choice and the justification stated that contractual or written agreements are the best way to control developer behaviour furthermore, the justification for not choosing second answer was simply explained as access reviews not being as effective as the first option and added that access reviews can only be considered as a detective control

In another question very (similar to the first one), access reviews was suggested as the best option

I have seen many contradicting questions and answers (or scenarios) in the study guide, it really looks like some questions were designed by 2 completely different teams with 2 completely different mindsets

 As a CISSP certified IS Manager, I know the importance of getting in the mind set of the certification agency but I am really disappointed to say ISACA is nowhere close to ISC2 in relation to setting their standards as it looks like they havent event made up their mind on how to approach various complex business and IT solutions


  • Options
    JDMurrayJDMurray Admin Posts: 13,031 Admin
    I would guess that the NDA option (an administrative control) has the effect of making the programmer aware of what data misuse is and explicitly states what the programmer should and should not do to avoid misusing data.

    The log review option (an audit control) does not prevent misuse from occurring (unless you were to also consider it a deterrent control) and only detects that misuse has occurred and educates the programmer about misuse after the fact.

    The key point is the word "prevent" to pick the slightly better option. The NDA would be better at proactively preventing data misuse than a process that catches data misuse only after it has happened.
  • Options
    Hunter85Hunter85 Member Posts: 60 ■■■□□□□□□□
    I agree with you but the answer (according to the second question) is log and review access

    I would have posted screenshots of both questions here but it might be in violation of terms and conditions of ISACA 
  • Options
    JDMurrayJDMurray Admin Posts: 13,031 Admin
    You didn't post the second question so I can't give an opinion of why the correct answer is correct.
  • Options
    SirkassadSirkassad Member Posts: 43 ■■■□□□□□□□
    quick sanity check - Is the Isaca official question DB the one that costs $400?  That's crazy expensive.
  • Options
    HOWWHOWW Registered Users Posts: 7 ■■■□□□□□□□
    edited September 2020
    I have the QAE book. It's the same way. The ISACA products only leave you more confused because there is a lack of consistency throughout.  The review manual is also the same way. As an example, there are four different sentences in the book that all state a unique definition of what the "Objectives of the Security Program" are (chapter 1 and 3). In chapter 1 I found three different definitions of Governance. Sometimes objectives labelled are goals, goals are objectives, sometimes either are 'desired outcomes' (objectives) or 'outcomes' (goals). You have to guess if they are talking about the Corporate objectives or the Security Objectives, Security governance or corporate governance, etc., etc. 
  • Options
    scascscasc Member Posts: 462 ■■■■■■■□□□
    The reasoning behind point 1 being accepted as ISACA's answer is because it is a preventive control whilst the other one is detective. Personally dont agree with it as the control is weaker but passing ISACA exams means doing this their way, or at least the way the question writer intended. I have a friend who goes to Chicago every year to meet up with the other writers who all agree/disagree with the questions/answers. Seems like they all preferred the NDA!
    AWS, Azure, GCP, ISC2, GIAC, ISACA, TOGAF, SABSA, EC-Council, Comptia...
Sign In or Register to comment.