CISA-JPN Exam Question 131
Which of the following would BEST detect that a distributed denial of service (DDoS) attack is occurring?
Correct answer: B
The best way to detect that a distributed denial of service (DDoS) attack is occurring is to use automated monitoring of logs. A DDoS attack disrupts the operations of a server, service, or network by flooding it with unwanted Internet traffic [2]. Automated monitoring of logs can help pinpoint potential DDoS attacks by analyzing network traffic patterns, monitoring traffic spikes or other unusual activity, and alerting administrators or security teams to any anomalies or malicious requests, protocols, or IP blocks [3].
Automated monitoring of logs can also help identify the source, type, and impact of the DDoS attack, and provide evidence for further investigation or mitigation.
The other options are not as effective as automated monitoring of logs for detecting DDoS attacks. Customer service complaints are an indirect and delayed indicator of a DDoS attack, as they rely on users reporting problems with accessing a website or service. Customer service complaints may also be caused by other factors unrelated to DDoS attacks, such as server errors or network issues. Server crashes are an extreme and undesirable indicator of a DDoS attack, as they indicate that the server has already been overwhelmed by the attack and has stopped functioning. Server crashes may also result in data loss or corruption, service disruption, or reputational damage. Penetration testing is a proactive and preventive measure for assessing the security posture of a system or network, but it does not detect ongoing DDoS attacks. Penetration testing may involve simulating DDoS attacks to test the resilience or vulnerability of a system or network, but it does not monitor real-time traffic or identify actual attackers.
References:
* [1] ISACA CISA Review Manual 27th Edition (2019), page 254
* [2] How to prevent DDoS attacks | Methods and tools | Cloudflare
* [3] Understanding Denial-of-Service Attacks | CISA
CISA-JPN Exam Question 132
The charging method that most effectively promotes the most efficient use of IS resources is:
Correct answer: A
The charging method for IS resources is the way that the IS function allocates its costs to the users or business units that consume its services. The charging method can affect the behavior and incentives of the users and the IS function, as well as the efficiency and effectiveness of the IS resources. Therefore, choosing an appropriate charging method is an important decision for the IS function and its stakeholders.
One of the possible charging methods is to charge specific costs that can be tied back to specific usage. This means that the IS function tracks and measures the actual consumption of each user or business unit for each IS service, and charges them accordingly. For example, if a user uses 10 GB of storage space, 5 hours of CPU time, and 100 MB of network bandwidth, the IS function will charge them based on the unit costs of these resources. This charging method has the advantage of encouraging the most efficient use of IS resources, as it provides clear and accurate feedback to the users about their consumption and costs, and motivates them to optimize their usage and avoid waste or overuse. This charging method also aligns the interests of the IS function and the users, as both parties benefit from reducing costs and improving efficiency.
The other possible charging methods are:
* Total utilization to achieve full operating capacity: This means that the IS function charges a fixed amount to each user or business unit based on their proportion of the total operating capacity of the IS resources. For example, if a user or business unit has 10% of the total computing power allocated to them, they will pay 10% of the total IS costs. This charging method has the disadvantage of discouraging efficient use of IS resources, as it does not reflect the actual consumption or usage of each user or business unit, and does not provide any incentive to reduce costs or improve efficiency. This charging method also creates a mismatch between the interests of the IS function and the users, as the IS function benefits from increasing costs and capacity, while the users bear the burden of paying for them.
* Residual income in excess of actual incurred costs: This means that the IS function charges a markup or profit margin on top of its actual incurred costs to each user or business unit. For example, if a user or business unit consumes $100 worth of IS resources, the IS function will charge them $120, where $20 is the residual income for the IS function. This charging method has the disadvantage of discouraging efficient use of IS resources, as it increases the costs for the users and reduces their value for money.
This charging method also creates a conflict between the interests of the IS function and the users, as the IS function benefits from increasing costs and profits, while the users suffer from paying more than they should.
* Allocations based on the ability to absorb charges: This means that the IS function charges different amounts to different users or business units based on their ability to pay or their profitability. For example, if a user or business unit is more profitable or has a higher budget than another user or business unit, they will pay more for the same amount of IS resources. This charging method has the disadvantage of discouraging efficient use of IS resources, as it does not reflect the actual consumption or usage of each user or business unit, and does not provide any incentive to reduce costs or improve efficiency. This charging method also creates an unfair and arbitrary distribution of costs among the users or business units, as some pay more than others for no valid reason.
CISA-JPN Exam Question 133
Which of the following is the MOST appropriate indicator of change management effectiveness?
Correct answer: D
Change management is the process of planning, implementing, monitoring, and evaluating changes to an organization's information systems and related components. Change management aims to ensure that changes are aligned with the business objectives, minimize risks and disruptions, and maximize benefits and value.
One of the key aspects of change management is measuring its effectiveness, which means assessing whether the changes have achieved the desired outcomes and met the expectations of the stakeholders. There are various indicators that can be used to measure change management effectiveness, such as time, cost, quality, scope, satisfaction, and performance.
Among the four options given, the most appropriate indicator of change management effectiveness is the number of incidents resulting from changes. An incident is an unplanned event or interruption that affects the normal operation or service delivery of an information system. Incidents can be caused by various factors, such as errors, defects, failures, malfunctions, or malicious attacks. Incidents can have negative impacts on the organization, such as loss of data, productivity, reputation, or revenue.
The number of incidents resulting from changes is a direct measure of how well the changes have been planned, implemented, monitored, and evaluated. A high number of incidents indicates that the changes have not been properly tested, verified, communicated, or controlled. A low number of incidents indicates that the changes have been executed smoothly and successfully. Therefore, the number of incidents resulting from changes reflects the quality and effectiveness of the change management process.
The other three options are not as appropriate indicators of change management effectiveness as the number of incidents resulting from changes. The time lag between changes to the configuration and the update of records is a measure of how timely and accurate the configuration management process is. Configuration management is a subset of change management that focuses on identifying, documenting, and controlling the configuration items (CIs) that make up an information system. The time lag between changes and updates of documentation materials is a measure of how well the documentation process is aligned with the change management process. Documentation is an important aspect of change management that provides information and guidance to the stakeholders involved in or affected by the changes. The number of system software changes is a measure of how frequently and extensively the system software is modified or updated. System software changes are a type of change that affects the operating system, middleware, or utilities that support an information system.
While these three indicators are relevant and useful for measuring certain aspects of change management, they do not directly measure the outcomes or impacts of the changes on the organization. They are more related to the inputs or activities of change management than to its outputs or results. Therefore, they are not as appropriate indicators of change management effectiveness as the number of incidents resulting from changes.
CISA-JPN Exam Question 134
A start-up organization wants to develop a data loss prevention (DLP) program. The first step is to implement:
Correct answer: C
CISA-JPN Exam Question 135
An IT balanced scorecard is primarily used for:
Correct answer: B
An IT balanced scorecard is primarily used for measuring IT strategic performance. An IT balanced scorecard is a framework that translates the IT strategy into measurable objectives, indicators, targets, and initiatives across four perspectives: financial, customer, internal process, and learning and growth. An IT balanced scorecard helps to monitor and evaluate how well the IT function is delivering value to the organization, achieving its strategic goals, and improving its capabilities and competencies. The other options are not the primary uses of an IT balanced scorecard, because they either focus on specific aspects of IT rather than the overall performance, or they are not directly related to the IT strategy. References: CISA Review Manual (Digital Version), Chapter 1, Section 1.2.3