Practice CISA Protection of Information Assets questions with full explanations on every answer.
1. An IS auditor is reviewing the logical access controls for a financial application. The auditor notices that user access reviews are performed annually by the application owner, but there is no documentation indicating that managers confirm the continued need for access. Which of the following is the MOST significant risk associated with this finding?
2. During an audit of the information security program, the IS auditor reviews the organization's information security policy. Which of the following is the PRIMARY purpose of an information security policy?
3. An IS auditor is reviewing the privileged access management (PAM) process. The auditor finds that shared administrative accounts are used for critical system maintenance and that passwords are changed quarterly. Which of the following is the BEST recommendation to mitigate the risk of audit trail loss?
4. An IS auditor is evaluating the effectiveness of a security awareness program. Which of the following metrics would BEST indicate that the program is achieving its objectives?
5. An organization uses a public key infrastructure (PKI) to issue digital certificates. The IS auditor is reviewing the certificate lifecycle management. Which of the following is the GREATEST risk if certificate revocation lists (CRLs) are not updated in a timely manner?
6. An IS auditor is reviewing the physical access controls at a data center. Which of the following is the MOST effective control to prevent tailgating?
7. During a review of the incident management process, the IS auditor finds that the incident response (IR) team conducts tabletop exercises annually, but the scenarios are limited to malware outbreaks. Which of the following should be the auditor's GREATEST concern?
8. An IS auditor is reviewing the organization's encryption key management program. Which of the following is the MOST critical control to ensure the confidentiality of encrypted data in the event of a key compromise?
9. An IS auditor is assessing the effectiveness of network segmentation for a payment card processing environment. Which of the following is the PRIMARY benefit of network segmentation in meeting PCI DSS requirements?
10. An organization processes personal data of EU residents and has implemented pseudonymisation as a privacy control. The IS auditor is reviewing the effectiveness of this control in meeting GDPR requirements. Which of the following is the MOST important limitation of pseudonymisation?
11. An IS auditor is reviewing the process for granting access to a critical financial system. The auditor finds that access requests are approved by the system owner but there is no segregation between the request and approval functions for emergency access. Which of the following is the BEST control to mitigate this risk?
12. An IS auditor is reviewing the vulnerability management program. The auditor notes that a critical vulnerability was identified in a production system six months ago and has not been patched due to a business impact assessment. Which of the following should the auditor examine NEXT?
13. An IS auditor is reviewing the organization's data inventory process for privacy compliance. Which TWO of the following are the MOST important elements that should be included in the data inventory?
14. During a firewall rule review, an IS auditor identifies several rules that allow any-to-any traffic. Which THREE of the following should the auditor recommend as the MOST appropriate actions?
15. An IS auditor is reviewing the process for granting access to a sensitive financial application. Which TWO of the following are the MOST important controls to ensure appropriate access?
16. An IS auditor is reviewing an organization's logical access control processes. Which of the following is the primary purpose of conducting regular user access recertifications?
17. During an audit of an organization's information security programme, the IS auditor finds that the security awareness training completion rate is 95% but phishing simulation tests show a 30% failure rate. What should the auditor recommend?
18. An IS auditor is reviewing firewall rule sets and discovers a rule that permits any source IP to access the internal database server on TCP port 1433 (Microsoft SQL). The rule was documented as a temporary measure but has been in place for 18 months. What is the auditor's BEST course of action?
19. An organization is implementing a privileged access management (PAM) solution. Which of the following is the PRIMARY benefit of using a PAM tool?
20. An IS auditor is reviewing physical access controls at a data center. Which of the following controls is MOST effective for preventing tailgating?
21. During a review of encryption practices, the IS auditor finds that an organization uses the same encryption key for all customer data at rest. What is the PRIMARY concern?
22. An IS auditor is evaluating the patch management process. The auditor notes that critical security patches are applied within 30 days, but the policy requires 7 days. The IT manager states that the delay is due to testing requirements. What should the auditor recommend?
23. An organization has implemented a key management program. Which of the following is the MOST critical control for ensuring the security of cryptographic keys?
24. An IS auditor is reviewing the incident response (IR) process. Which of the following is the BEST way to test the effectiveness of the IR plan?
25. During a privacy audit, the IS auditor discovers that the organization does not have a complete data inventory. What is the PRIMARY risk associated with this finding?
26. An IS auditor is reviewing a penetration test report that shows a critical vulnerability in a web application. The IT manager states that the vulnerability will not be fixed because it requires significant code changes and the application is being decommissioned in six months. What should the auditor do?
27. An organization uses shared accounts for system administration. Which of the following is the MOST significant audit concern?
28. An IS auditor is assessing network security controls. Which TWO of the following are key elements of a firewall rule review?
29. An organization is implementing a privacy program to comply with GDPR. Which THREE of the following are essential elements for managing cross-border data transfers?
30. During an audit of physical security, the IS auditor observes that employees frequently leave confidential documents on their desks overnight. Which TWO controls should the auditor recommend?
31. An IS auditor is reviewing the logical access controls for a critical financial application. Which of the following is the MOST important control to ensure that user access rights remain appropriate over time?
32. During an audit of a healthcare organization's information security program, the IS auditor finds that the security awareness training is conducted only at hire. Which of the following is the MOST significant risk associated with this practice?
33. An IS auditor is reviewing the process for granting privileged access in a large organization. Which of the following findings should be of MOST concern?
34. During an audit of network security controls, the IS auditor reviews firewall rule sets and identifies a rule that allows any-to-any traffic from the internal network to the Internet. The rule has a business justification. What is the auditor's BEST recommendation?
35. An IS auditor is reviewing the key management program for an organization's encryption systems. Which of the following is the MOST critical control to ensure the security of encryption keys?
36. Which of the following is the PRIMARY purpose of conducting a privacy impact assessment (PIA)?
37. During an audit of the incident management process, the IS auditor finds that tabletop exercises have not been conducted in the past two years. What is the MOST significant risk associated with this finding?
38. An IS auditor is reviewing an organization's vulnerability management program. The auditor notes that a critical vulnerability in a key application has not been patched for 90 days, and there is no documented risk acceptance. What should the auditor do FIRST?
39. An organization has implemented a clean desk policy. Which of the following is the BEST audit procedure to verify compliance?
40. Which of the following is the PRIMARY objective of a penetration test?
41. An IS auditor is reviewing the physical access controls at a data center. Which of the following is the MOST effective control to prevent tailgating?
42. During an audit of a public key infrastructure (PKI), the IS auditor finds that certificate revocation lists (CRLs) are only updated weekly. Which of the following is the MOST significant risk?
43. An IS auditor is assessing the data inventory of a financial institution to ensure compliance with privacy regulations. Which TWO of the following are essential elements that should be included in the data inventory?
44. During an audit of the incident response process, the IS auditor finds that the organization relies on shared accounts for system administration. Which TWO of the following are the MOST significant risks associated with shared accounts?
45. An IS auditor is reviewing the organization's incident management process. Which THREE of the following are essential components of an effective incident response plan?
46. An IS auditor is reviewing the physical access controls at a data center. Which of the following is the MOST effective control to prevent tailgating?
47. An IS auditor is reviewing the user access recertification process. Which of the following findings would MOST concern the auditor regarding the effectiveness of access reviews?
48. During a review of the patch management process, the IS auditor finds that critical security patches are applied within 30 days, but the policy requires application within 7 days. The IT manager argues that the delay is due to testing requirements. What should the auditor recommend?
49. An IS auditor is reviewing the password policy for a system that processes sensitive financial data. Which of the following is the MOST effective control to mitigate the risk of password cracking?
50. An organization is implementing a key management program to protect encryption keys. Which of the following is the MOST important control to ensure the security of cryptographic keys?
51. An IS auditor is reviewing the firewall rule base. Which of the following findings would be of MOST concern?
52. An IS auditor is evaluating the incident response (IR) plan. Which of the following is the BEST indicator that the plan is effective?
53. During an audit of privacy controls, the IS auditor discovers that the organization processes personal data of EU residents but has not appointed a Data Protection Officer (DPO). Which regulation is MOST likely being violated?
54. An organization has implemented a security awareness training program. Which of the following metrics would BEST indicate that the program is effective?
55. An IS auditor is reviewing logical access controls for a critical application. Which of the following is the MOST important control to detect unauthorized access?
56. An organization is implementing a public key infrastructure (PKI) to support digital certificates. Which of the following is the MOST critical control to ensure the integrity of the certificate lifecycle?
57. An IS auditor is reviewing a vulnerability scan report and finds that a critical vulnerability on a web server has been open for 90 days beyond the remediation SLA. The system owner states that the vulnerability cannot be patched because it would break a legacy application. What should the auditor recommend?
58. An IS auditor is reviewing the privileged access management (PAM) process. Which TWO of the following are the MOST effective controls to prevent misuse of privileged accounts?
59. An organization is planning to implement a data loss prevention (DLP) solution to protect sensitive data. Which THREE of the following are essential steps to ensure the effectiveness of the DLP program?
60. An IS auditor is assessing the organization's compliance with privacy regulations regarding cross-border data transfers. Which TWO of the following are acceptable mechanisms to legitimize such transfers under the GDPR?
61. An IS auditor is reviewing the access recertification process for a financial application. The process requires users' managers to confirm access rights quarterly. Which of the following findings should MOST concern the auditor?
62. During a review of firewall rule sets, an IS auditor finds a rule that allows any source IP to access any destination IP on TCP port 443. Which of the following should the auditor do FIRST?
63. Which of the following is the PRIMARY purpose of conducting a privacy impact assessment (PIA) before implementing a new system that processes personal data?
64. An IS auditor is reviewing an organization's key management program. Which of the following is the GREATEST risk associated with using a single key for both encryption and decryption of sensitive data?
65. Which of the following is the BEST indicator of the effectiveness of a security awareness program?
66. An IS auditor is reviewing the incident response (IR) process. Which of the following is the MOST important characteristic of an effective tabletop exercise?
67. An organization uses shared accounts for system administration. Which of the following is the BEST control to mitigate the risk of non-repudiation?
68. During an audit of patch management, the IS auditor notes that several critical patches have not been applied within the defined SLA. Which of the following is the BEST approach to evaluate the risk acceptance of these unpatched vulnerabilities?
69. Which of the following is the PRIMARY reason for implementing network segmentation?
70. An IS auditor is reviewing the logical access controls for a critical database. Which of the following findings should be considered the HIGHEST risk?
71. An organization has a clean desk policy. Which of the following is the BEST audit procedure to test compliance with this policy?
72. An IS auditor is evaluating the encryption strategy for a healthcare organization subject to HIPAA. Which of the following is the MOST significant risk if the organization relies solely on encryption as a safe harbor?
73. An IS auditor is reviewing the physical access controls at a data center. Which TWO of the following are the MOST effective controls to prevent unauthorized tailgating?
74. An organization is implementing a public key infrastructure (PKI) to issue digital certificates for internal applications. Which THREE of the following are essential elements of PKI governance that an IS auditor should review?
75. An IS auditor is reviewing the data subject rights fulfillment process for GDPR compliance. Which TWO of the following are required to be completed within the one-month response period?
76. An IS auditor is reviewing the access recertification process for a financial institution. The process requires users and their managers to confirm access rights quarterly. During the review, the auditor finds that recertifications are consistently completed late, with an average delay of 45 days. Additionally, terminated employees' access is not always removed promptly, and there are no compensating controls. Which of the following is the MOST significant risk arising from these findings?
77. During a review of firewall rule sets, an IS auditor identifies a rule that allows 'any-any' traffic from an internal subnet to the DMZ. The rule was implemented six months ago based on a business request that has since been completed. The firewall administrator explains that the rule was kept for convenience. Which of the following is the BEST audit recommendation?
78. An IS auditor is evaluating the encryption key management program of a healthcare organization that processes protected health information (PHI). The organization uses a mix of symmetric and asymmetric keys. Which TWO of the following are key management practices that should be addressed to ensure effective protection of PHI?
79. During an audit of incident management processes, the IS auditor reviews past incident reports and conducts interviews. The organization recently experienced a ransomware attack that encrypted critical systems. The incident response team was able to contain the attack but struggled with forensic collection due to lack of pre-defined procedures. Which TWO of the following should the auditor recommend as the HIGHEST priority improvements?
80. An IS auditor is reviewing physical security controls at a data center. The data center hosts critical servers and uses a badge access system with PINs, CCTV cameras, and a mantrap entry. The auditor observes that employees sometimes hold the door open for others without badging. Which TWO of the following are the MOST effective controls to address this tailgating risk?
81. An IS auditor is assessing the vulnerability management program of a financial services company. The auditor reviews the latest vulnerability scan report and finds that several critical vulnerabilities have not been patched within the defined SLA of 30 days. The IT manager explains that patches could not be applied due to compatibility issues with legacy applications, and risk acceptance has been documented for some but not all. Which THREE of the following are the MOST appropriate audit findings?
82. An IS auditor is reviewing the logical access controls for a cloud-based HR system. The system contains sensitive employee data. The auditor notes that user provisioning is performed by the HR department without IT involvement, and there is no formal access request or approval process. Which THREE of the following are the MOST significant risks?
83. An IS auditor is evaluating the privacy controls of an e-commerce company that collects and processes personal data from customers in multiple jurisdictions, including the European Union (GDPR). The company has a data inventory but has not conducted a privacy impact assessment (PIA) for a new customer analytics platform that processes sensitive data. Which THREE of the following are the MOST critical deficiencies that the auditor should report?
The Protection of Information Assets domain covers the key concepts tested in this area of the CISA exam blueprint published by ISACA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CISA domains — no account required.
The Courseiva CISA question bank contains 83 questions in the Protection of Information Assets domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Protection of Information Assets domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.