Really confused about multiple questions in the ISACA's official question database

Hunter85 Member Posts: 60
I am really confused about multiple things on the official question database

It seems like some (almost 25%) questions and answers are simply contradicting each other

I just want to share something that I encountered today

I was trying to figure out the right answer to a question which looked really similar to another question which I answered incorrectly a couple of days ago

The question was asking about the most effective method to prevent a developer from making unauthorised changes to production data

The 2 possible answers below were present in both questions:

1. Ask the developer to sign a letter or an NDA not to misuse the data
2. Log the programmer's access to the production environment and ask his/her supervisor to review it regularly

In the first question the answer was the first choice, and the justification stated that contractual or written agreements are the best way to control developer behaviour. Furthermore, the justification for not choosing the second answer was simply that access reviews are not as effective as the first option, adding that access reviews can only be considered a detective control.

In another question (very similar to the first one), access reviews were suggested as the best option

I have seen many contradicting questions and answers (or scenarios) in the study guide. It really looks like some questions were designed by 2 completely different teams with 2 completely different mindsets

As a CISSP certified IS Manager, I know the importance of getting into the mindset of the certification agency, but I am really disappointed to say ISACA is nowhere close to ISC2 in relation to setting their standards, as it looks like they haven't even made up their mind on how to approach various complex business and IT solutions

Comments

  • JDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USA Admin Posts: 11,767
    I would guess that the NDA option (an administrative control) has the effect of making the programmer aware of what data misuse is and explicitly states what the programmer should and should not do to avoid misusing data.

    The log review option (an audit control) does not prevent misuse from occurring (unless you were to also consider it a deterrent control) and only detects that misuse has occurred and educates the programmer about misuse after the fact.

    The key point is the word "prevent" to pick the slightly better option. The NDA would be better at proactively preventing data misuse than a process that catches data misuse only after it has happened.
  • Hunter85 Member Posts: 60
    I agree with you, but the answer (according to the second question) is log and review access

    I would have posted screenshots of both questions here, but it might be in violation of the terms and conditions of ISACA
  • JDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USA Admin Posts: 11,767
    You didn't post the second question so I can't give an opinion of why the correct answer is correct.
  • Sirkassad Member Posts: 42
    Quick sanity check - is the ISACA official question DB the one that costs $400? That's crazy expensive.