  1. Junior Member
    Join Date
    Oct 2013
    Posts
    14

    Certifications
    CISA, Associate of ISC2, Security+, Network+
    #1

    Default Is the real CISA exam as vague as the practice questions?

    From ISACA Q&A DB:

    During an audit of a telecommunications system, an IS auditor finds that the risk of intercepting data transmitted to and from remote sites is very high. The MOST effective control for reducing this exposure is:

    A. encryption
    B. callback modems
    C. message authentication
    D. dedicated leased lines

    I chose D because that provides a private point to point connection between the remote sites that is hard to intercept.

    ISACA's answer was A, with an explanation of "Encryption of data is the most secure method of protecting confidential data from exposure".

    ISACA's explanation of why D is incorrect was "It is more difficult to intercept traffic traversing a dedicated leased line than it is to intercept data on a shared network, but the only way to really protect the confidentiality of data is to encrypt it".

    The question does not mention anything about the confidentiality of the data, but does mention risk of interception is high and wanted to know the best way to reduce that exposure... As I understand it, encrypting data does not reduce the risk of interception, it reduces the risk of confidential data being read by an unauthorized party. A dedicated leased line reduces the risk of data (encrypted or not) from being intercepted since it would require a direct tap into a private line.

    I will admit not all questions are like this, as I am doing well as I go through the database, but the inconsistency of the questions makes it harder, or at least makes me second guess, what the correct answer is, as I think to myself "gee, I wonder what assumption I need to make here to get to the right answer?".

    Hopefully the real test is less ambiguous.
    Last edited by Aaronsmity; 05-27-2016 at 03:51 PM.
  3. Senior Member wd40's Avatar
    Join Date
    May 2007
    Location
    Bahrain
    Posts
    903

    Certifications
    CISA, eJPT, CompTIA x 6, MCP, MCTS
    #2
    To me the clear answer is A.

    I think if the data is encrypted in a proper way then basically some bits are intercepted and not data.

    If you tap into a leased line without encryption then you have a problem, of course you can have both, encrypted data over a leased line.

    Regarding the exam, you will see some weird questions, but ISACA will do some magical calculations to weed out the results of these weird questions.

  4. Senior Member 636-555-3226's Avatar
    Join Date
    Jul 2015
    Posts
    862

    Certifications
    Lots of security certifications, yet the more I learn, the further I have to go...
    #3
    FWIW, with other ISACA tests I've taken I'm fairly certain the Q&A database is made up at least in part of questions from past real tests that didn't test well. In other words, it is my theory that the question you (shouldn't have) directly written down here was used on a test a few years ago. For whatever reason everybody did a bad job on that question (so 25% of people picked A, 25% B, 25% C, 25% D), so they pulled it from the real test bank and put it in the practice test bank.

    Translating that, a lot of the practice questions might not be the best phrased or have the clearest answers, so you can expect to have a few duds in there. Hopefully that likewise means the real questions aren't as vague or ambiguous.....

  5. Senior Member
    Join Date
    Jul 2015
    Location
    Island on the other side of Pacific pond
    Posts
    942

    Certifications
    C****, C***, C**
    #4
    Quote: "the inconsistency of the questions"
    That is because you are reading the questions at a surface level without going into the implications, i.e. the impact.

    Quote: "IS auditor finds that the risk of intercepting data transmitted to and from remote sites is very high."
    What is the risk of data interception to an auditor? The risk concerns confidentiality.
    So do you reduce the risk of interception or reduce the risk of data leakage?
    To an auditor, ensuring confidentiality is the desired goal.
    So how do we reduce the risk?

    Quote: "encrypting data does not reduce the risk of interception, it reduces the risk of confidential data being read by an unauthorized party"
    Yes, you can intercept the encrypted traffic but are you able to read the data?
    Unless you can crack the encryption, the confidentiality risk is very minimal. It may be slightly more difficult to intercept leased line traffic, but you need to think about physical security. Someone can still walk into your remote site exchange and tap into your unencrypted traffic and read the data.

    So which way is more effective to ensure confidentiality? Physical security (leased line) or technical security (encryption)?

    Quote: "Hopefully the real test is less ambiguous."
    Sorry bro. This is your typical ISACA question.
    It is very clear and not ambiguous if you have the right mindset. Read the questions from the perspective of an IT auditor before answering them.
    Last edited by Mike7; 05-28-2016 at 01:09 AM.

  6. Senior Member
    Join Date
    May 2006
    Posts
    1,863

    Certifications
    CISSP, CCSP, eJPT, ITIL,PA ACE,Qualys Certified Specialist, A+
    #5
    It's obviously A. No other answer comes close.

  7. Senior Member
    Join Date
    Apr 2014
    Location
    South Florida
    Posts
    857

    Certifications
    CISSP, CISM, CISA, CRISC
    #6
    Information on a dedicated leased line can be intercepted and read by your ISP if not encrypted. So the correct answer is A. To be honest, this is one of the clearer ISACA questions. I've seen some that make absolutely no sense.
    Last edited by dustervoice; 05-28-2016 at 11:26 AM.

  8. Junior Member
    Join Date
    Oct 2013
    Posts
    14

    Certifications
    CISA, Associate of ISC2, Security+, Network+
    #7
    Thanks for the input and explanations... it does make sense, especially within the context of risk vs impact as Mike depicted, but I still would not be surprised to see ISACA change this question or the answer though - it wouldn't be the first time, as I have already come across the exact same question whose answer was changed from one year to the next in the DB: "http://www.techexams.net/forums/isaca-cisa-cism/103352-pattern-questions-cisa.html#post935893"
    Last edited by Aaronsmity; 05-28-2016 at 11:58 AM.

  9. Senior Member 636-555-3226's Avatar
    Join Date
    Jul 2015
    Posts
    862

    Certifications
    Lots of security certifications, yet the more I learn, the further I have to go...
    #8
    Quote Originally Posted by Aaronsmity:
    From ISACA Q&A DB:

    During an audit of a telecommunications system, an IS auditor finds that the risk of intercepting data transmitted to and from remote sites is very high. The MOST effective control for reducing this exposure is:

    A. encryption
    B. callback modems
    C. message authentication
    D. dedicated leased lines
    I disagree with everybody saying it's CLEARLY A. The question quite specifically states the risk regards data being intercepted. The question is how do you reduce the risk of data being intercepted. Yes, encryption will help AFTER the data is intercepted, but it doesn't do jack for controlling the initial risk of data being intercepted. I can see the argument for the answer being D for dedicated leased lines. Yes, the ISP can intercept the data, but not many other people will be able to, so a dedicated leased line will help reduce the overall risk of data being intercepted.

  10. Senior Member
    Join Date
    Jul 2015
    Location
    Island on the other side of Pacific pond
    Posts
    942

    Certifications
    C****, C***, C**
    #9
    Just have to read questions "the ISACA way". I once talked to someone who was responsible for CISA exam questions.
    As I understand, the questions are contributed by experienced practitioners so the answers are from their perspective.
    The answers may change from time to time because of industry trends or different contributors.

    If you are an auditor/risk manager, will you suggest a leased line or encryption to top management?

    What questions will management ask? "what is the impact from data interception?" "data breach implications" "which option is more cost effective and yet meet compliance requirements?" "what is the current industry practice?"

    As it is, the current trend is encryption. And there are certain regulations that require data to be encrypted "in transit" and "at rest".

    Quote: "the ISP can intercept the data, but not many other people will be able to,"
    In a previous engagement, the dedicated leased lines are network cables going into a network router at a customer site. Not fiber. Someone can tap into this network.
    Last edited by Mike7; 05-28-2016 at 03:20 PM.

  11. Senior Member
    Join Date
    Apr 2014
    Location
    South Florida
    Posts
    857

    Certifications
    CISSP, CISM, CISA, CRISC
    #10
    When I looked up the definition of Exposure I see:

    Exposure:
    1. The state of having no protection from something harmful
    2. The revelation of something secret

    Regarding the question, the Exposure of concern is the confidentiality of the information, not the interception. I think after taking a few ISACA exams you know exactly what they are looking for, but like I said before I've seen questions 10 times worse than this. In the real world the best answer would be both A&D.

  12. Junior Member Registered Member
    Join Date
    Feb 2016
    Posts
    4
    #11
    I hope to god that the questions are written better on the real test. I would say that 40% of the practice questions are super vague or totally SUBJECTIVE to the person writing the question. Many times I feel that the answer and explanation they give is wrong. I have been in this field many years and UNDERSTAND every single question, but since they used vague answers/questions and "BEST", "MOST", etc it gets way too subjective.

  13. Senior Member
    Join Date
    Apr 2014
    Location
    South Florida
    Posts
    857

    Certifications
    CISSP, CISM, CISA, CRISC
    #12
    They are written the same way on the real thing... that's why they've provided practice questions, so you can become familiar with the tone and style and think the ISACA way. Good luck mate

  14. Junior Member Registered Member
    Join Date
    Feb 2016
    Posts
    4
    #13
    Thanks for the heads up. I'll probably fail then because I disagree with a lot of what they say. I have 10+ years of experience, CISSP and CCNA, and these test bank questions make me want to scream at the stupidity 40% of the time.

  15. Senior Member coffeeisgood's Avatar
    Join Date
    Apr 2016
    Location
    padded walls surround & protect me
    Posts
    132

    Certifications
    CISSP, CISA, CISM, Sec+
    #14
    Besides the official Q&A in the study guide (& the separate Q&A)... any study questions worth a look?

    (another manual? CCCure? suggestions welcome)

  16. Junior Member
    Join Date
    Dec 2015
    Posts
    18

    Certifications
    CISM, CISSP, GNFA, GCIH, CEH, CCNP R/S, CCNA R/S, CCNA Sec, Splunk Certified Power User, Splunk Certified User, ITIL Foundation
    #15
    I would have picked A, but yes, I felt that the questions on the actual exam were even more vague than the practice questions... I passed the CISSP on the first try after taking a 9 day crash course and then taking the test the following Monday. I took a 2 week ISACA sponsored CISM course last December and studied off and on for almost 6 months. I took the June 11, 2016 test. I felt much more comfortable coming out of the CISSP. The CISM test was more difficult to me. Hopefully I'll find out in the next week or so if I passed.