Exam CISA topic 1 question 5 discussion

This is a typiclal ISACA thinking. : The most concerning issue with regards to CCTV surveillance cameras is that CCTV recordings are not regularly reviewed. It is essential for an IS auditor to ensure that recordings are frequently reviewed to ensure that the security of the data center is properly maintained. Additionally, the IS auditor should ensure that CCTV footage is recorded 24 x 7, and records should not be deleted until all necessary procedures are taken. Lastly, CCTV cameras should be installed in break rooms, as these are areas where confidential information may be discussed.

C. CCTV footage is not recorded 24 x 7 is the most critical concern because gaps in surveillance could allow unauthorized or malicious activities to occur without detection or evidence. Continuous recording is essential for maintaining a complete audit trail and ensuring security incidents can be investigated. Comparisons: A. CCTV recordings are not regularly reviewed – This is an issue, as it could delay the detection of incidents. However, not recording at all times is a more fundamental gap. B. CCTV records are deleted after one year – A one-year retention period is typically sufficient for most security and audit needs, unless specific regulations require longer. D. CCTV cameras are not installed in break rooms – Surveillance in break rooms is generally not necessary and could violate employee privacy norms. This is not a concern.

If surveillance is not continuous, malicious activity can occur during unmonitored periods — making detection or evidence gathering impossible

While C is very tempting answer, the option should be A, there is no point of keeping a recording on, if these are not being monitored. This is a typical case of ISACA way of thinking.

I was torn between A and C. Then I remembered that often in data centres there are motion activated CCTV cameras, which only start recording if they've detected a motion. 1 year is sufficient time for maintaining the records. As for break rooms, I think it might not even be legal in some cases to have CCTV cameras there (e.g. under GDPR).

I think the answer is C. Since there is no incident, no one will review the record. So for me, recording everything first 24/7, then reviewing upon needs or incidents.

The lack of regular review of CCTV recordings means that security incidents may not be detected in a timely manner​​.

Among the given options, the issue that should be of MOST concern to an IS auditor when reviewing a data center's closed circuit television (CCTV) surveillance cameras is: C. CCTV footage is not recorded 24 x 7. The continuous recording of CCTV footage is crucial for maintaining security and ensuring that any security incidents or breaches can be properly investigated. If the CCTV cameras are not recording 24 x 7, there can be significant gaps in the surveillance coverage, leaving the data center vulnerable to undetected security incidents or unauthorized access.

Answer: A

not being reviewed is the most concern for me

Answer is C

recording 24 x 7 of course a concern, but have you ever reviewed the CCTV recording even if the recording is done 8 hours ?

You don't need to record everything in your data center 24 hours a day. To reduce the amount of review, you can install a motion detector to record only when motion occurs. So the answer is A.

Only if review of recordings means the live viewing by security can A be the correct answer. Otherwise, the correct answer is C.

Why is review more important than the records?

C. CCTV footage is not recorded 24 x 7

Who regulary revie recordings from CCTV? Only live viewing by security make sens and then 24/7 is crucial, or reviewing after incident when also 24/7 is crucial.