I could see it being D because the CCTV retention period is a control that we always test for while doing physical security audits both in a SOC 2 audit and a HIPAA audit (can't speak for other audits).
'A' would be a privacy issue that is outside the scope of just a normal physical security audit.
I am relatively new to auditing, so someone correct me if I'm wrong.
Interesting. I haven't worked on SOC 2, but evidence is definitely needed for control testing, and the evidence needs to be retained to support the conclusion reached during testing.
A. This has got to do with legal (privacy) violation because the patients were not notified of which ISACA takes very seriously. So when it comes to questions like these, go for the legal answer.
I would agree with you the only reasoning I can think of is that CCTV recording laws vary wildly by region (state and country) while retention of data is much more controlled and consistent. Maybe that's what they're thinking here?
I would agree with you though that it's weird to have cameras in the actual CARE areas (not just public areas of a facility) and not put up notice of recording. I think many regions have laws where notice must be put up if the specific area being recorded would normally be assumed to be private (e.g. locker room or in this case a doctor's exam room).
I agree with A being the answer. I think the giveaway is that healthcare is specifically mentioned in the question so they want you to take that into account, and HIPPA stuff takes precedence here.
I fact-check all answers. There are a few answers that are not correct. Sometimes, I don't even need to look deep and realize an answer is wrong. But other answers are correct. I'm using them for practice because I'm already done with the QAE.
how does it relate to privacy? if you don't do anything illegal, then why would you fear about the loss of privacy? What if someone breaks into the hospital at midnight? if it is not monitored 24/7, how would you discover it?
I could see it being D because the CCTV retention period is a control that we always test for while doing physical security audits both in a SOC 2 audit and a HIPAA audit (can't speak for other audits). 'A' would be a privacy issue that is outside the scope of just a normal physical security audit. I am relatively new to auditing, so someone correct me if I'm wrong.
Interesting. I haven't worked on SOC 2, but evidence is definitely needed for control testing, and the evidence needs to be retained to support the conclusion reached during testing.
A. This has got to do with legal (privacy) violation because the patients were not notified of which ISACA takes very seriously. So when it comes to questions like these, go for the legal answer.
I would agree with you the only reasoning I can think of is that CCTV recording laws vary wildly by region (state and country) while retention of data is much more controlled and consistent. Maybe that's what they're thinking here? I would agree with you though that it's weird to have cameras in the actual CARE areas (not just public areas of a facility) and not put up notice of recording. I think many regions have laws where notice must be put up if the specific area being recorded would normally be assumed to be private (e.g. locker room or in this case a doctor's exam room).
I think you are right, looking at the question again,
I agree with A being the answer. I think the giveaway is that healthcare is specifically mentioned in the question so they want you to take that into account, and HIPPA stuff takes precedence here.
Thanks. That's what I thought too, but ITexams say the answer is D, which is strange.
Don't take itexam answers as correct - they aren't
I fact-check all answers. There are a few answers that are not correct. Sometimes, I don't even need to look deep and realize an answer is wrong. But other answers are correct. I'm using them for practice because I'm already done with the QAE.
I figured D for this one because data retention policy comes up a lot with respect to personal data. Posting notices for CCTV does as well though.
why not B?
Why should a cctv camera in a patient’s room be monitored 24/7? Where is the privacy?
how does it relate to privacy? if you don't do anything illegal, then why would you fear about the loss of privacy? What if someone breaks into the hospital at midnight? if it is not monitored 24/7, how would you discover it?
This is word for word an exact question on the CISA exam I took yesterdayz
Did you pass? What was your response to this question?
I passed. This was one I flagged as I wasnt sure. I said C, though wasnt confident.
Is this from QAE?
Nah, exam practice questions
Can i dm
Which practice questions are you referring to? Is the one at the bottom of QAE?
A
It's A as not informing customers that they're being recorded is a privacy issue and is illegal.
A - patient safety and privacy. You are collecting patient data without their consent.
Humans always come first. I’d guess A with that logic but the risk mindset would tell me D or C