Practice CISA Protection of Information Assets questions with full explanations on every answer.
Protection of Information Assets — choose a session length
Click any question to see the full explanation and answer options, or start a focused practice session above.
1. An organization is implementing a data loss prevention (DLP) solution. Which of the following is the BEST approach to reduce false positives during initial deployment?
2. During an audit, an IS auditor finds that the organization uses a cloud-based identity provider (IdP) for single sign-on (SSO) but does not enforce multi-factor authentication (MFA) for all users. Which of the following is the BEST recommendation to reduce risk?
3. An organization has implemented role-based access control (RBAC). Which of the following is the PRIMARY benefit of RBAC?
4. An IS auditor is reviewing an organization's data classification policy. Which of the following findings is MOST critical?
5. A company is implementing a privileged access management (PAM) system. Which of the following is the MOST important control to prevent lateral movement after a privileged account is compromised?
6. An organization wants to ensure that data is not retained longer than necessary. Which of the following is the BEST control to implement?
7. During a penetration test, a tester discovers that an application stores passwords using a reversible encryption algorithm. Which of the following is the BEST remediation?
8. An organization uses a third-party cloud service for data storage. Which of the following is the BEST way to ensure data confidentiality in the event of a cloud provider breach?
9. Which of the following is the PRIMARY purpose of a data classification scheme?
10. Which TWO of the following are effective controls to prevent unauthorized access to sensitive data in a database? (Choose two.)
11. Which THREE of the following are key components of an effective information security awareness program? (Choose three.)
12. Which TWO of the following are examples of administrative controls for information security? (Choose two.)
13. Based on the exhibit, which user account poses the HIGHEST security risk?
14. Based on the exhibit, which of the following is the MOST likely result of the current firewall configuration?
15. Based on the exhibit, what is the security risk of this bucket policy?
16. You are an IS auditor reviewing the remote access configuration for a medium-sized enterprise. The company uses a VPN concentrator to allow employees to connect from home. The VPN is configured with IPsec using pre-shared keys (PSK) and requires no multi-factor authentication. Employees use company-issued laptops with full disk encryption. The VPN logs show that connections are coming from a wide range of IP addresses, including some from countries where the company has no business operations. The IT manager argues that the PSK is changed monthly and that full disk encryption mitigates any risk. However, during the audit, you find that the PSK is stored in a shared document on an internal file server accessible to all employees. Additionally, the VPN concentrator uses a single PSK for all users. Which of the following is the MOST critical finding?
17. You are an IS auditor for a financial institution that processes credit card payments. The organization uses a key management system (KMS) to store encryption keys for point-of-sale (POS) data. The KMS is a hardware security module (HSM) located in a secured data center. The audit reveals that the HSM is administered by two individuals who both have full access to the HSM, including the ability to export keys. The organization has a policy requiring split knowledge and dual control for key management, but in practice, the two administrators often perform key ceremonies alone due to scheduling conflicts. The logs show that one administrator exported a key last month without the other present, and the export was approved via email by the other administrator after the fact. Which of the following is the BEST corrective action?
18. An organization is implementing a data loss prevention (DLP) solution. Which of the following is the BEST approach to minimize false positives while ensuring sensitive data is protected?
19. A security architect is designing a data classification schema for a multinational corporation. Which combination of factors is MOST critical for determining the classification level of a data asset?
20. A company's security policy requires that all laptops have full disk encryption. During an audit, it is discovered that several laptops have encryption enabled but the recovery keys are stored on the local drive. What is the MOST significant risk?
21. An organization is planning to deploy a web application firewall (WAF) to protect a critical application. Which deployment mode should be used to ensure that the WAF can block malicious traffic without introducing a single point of failure?
22. Which TWO are primary objectives of an identity and access management (IAM) program? (Select exactly 2.)
23. Which THREE are commonly used techniques to protect sensitive data in a cloud environment? (Select exactly 3.)
24. Based on the exhibit, what is the MOST likely compliance issue requiring immediate remediation?
25. A healthcare organization has implemented a data classification policy with three levels: Public, Internal, and Restricted. The IT department recently received a report of a potential data breach. An internal auditor discovered that a database containing Protected Health Information (PHI) classified as Restricted was accessible via a web application that did not enforce encryption in transit. The web application uses HTTPS, but the auditor found that the connection was downgraded to HTTP due to a misconfiguration in the load balancer. Additionally, the database logs show that an external IP address queried the database for thousands of patient records over a two-hour period. The database was configured to allow only specific internal application servers, but the firewall rule was incorrectly set to allow connections from any IP address. The security team needs to determine the most effective immediate action to prevent further unauthorized access and protect the data. Which course of action should the security team take FIRST?
26. An organization is implementing a data loss prevention (DLP) solution. Which TWO of the following are key considerations for effective DLP deployment?
27. Refer to the exhibit. A security analyst notices that users on the INSIDE network (10.1.1.0/24) can browse HTTPS websites but cannot resolve domain names. What is the most likely cause?
28. A multinational corporation is deploying a new cloud-based collaboration platform for its 5,000 employees. The platform will store sensitive project data and intellectual property. The CISO mandates that all data must be encrypted at rest and in transit, and that access must be controlled via the company's identity provider (IdP) using SAML 2.0. During a pilot with the R&D department, the security team discovers that the platform's audit logs do not record failed login attempts from the IdP. The platform vendor states that the IdP is responsible for authentication, so the platform only logs successful assertions. The CISO is concerned about the lack of visibility into brute-force attacks. The company already has a SIEM that receives logs from the IdP and other sources. What is the BEST course of action?
29. Order the steps for responding to a security incident in the correct sequence.
30. Arrange the steps to set up a virtual private network (VPN) for remote access in the correct order.
31. Match each security control to its category.
32. Match each regulatory standard to its focus area.
33. Which of the following is the PRIMARY benefit of using a hardware security module (HSM) for key management?
34. An organization uses risk-based authentication (RBA) for user access. Which of the following factors would MOST likely trigger a step-up authentication?
35. An IS auditor reviews the disposal process of hard drives. Which of the following methods provides the HIGHEST assurance that data cannot be recovered?
36. When implementing a data classification policy, which of the following roles is PRIMARILY responsible for assigning classification labels to data?
37. Which of the following is the MOST effective control to prevent unauthorized USB devices from connecting to corporate workstations?
38. During an audit of a privileged access management (PAM) system, the auditor finds that privileged sessions are recorded but not reviewed. What is the primary risk?
39. An organization is implementing a data masking solution for a non-production database. Which of the following is the MOST important requirement?
40. Which of the following is the BEST indicator that an organization's data security governance is effective?
41. What is the FIRST step in implementing an identity and access management (IAM) program?
42. Which TWO of the following are considered essential components of an information security policy framework? (Choose two.)
43. Which TWO of the following are the MOST effective controls to prevent unauthorized access to a data center's server room? (Choose two.)
44. Which THREE of the following are commonly used data encryption standards? (Choose three.)
45. An organization uses the access list above on its perimeter firewall. Which of the following is a valid conclusion?
46. An organization has the S3 bucket policy shown. Which of the following is the MOST likely intent of this policy?
47. An IS auditor reviews the log entry above. Which of the following is the MOST likely cause of the authentication failure?
48. A financial institution is implementing a data classification policy. Which of the following is the most important factor in determining the classification level of a data asset?
49. An organization uses role-based access control (RBAC). An employee is transferred to a new department. According to best practices, what should be done regarding the employee's access rights?
50. A company is migrating its customer database to a public cloud provider. Which of the following encryption strategies best protects data while minimizing performance impact on queries?
51. An organization wants to protect its intellectual property from unauthorized disclosure via email. Which control should be implemented?
52. A security auditor discovers that a server has been compromised due to an unpatched vulnerability. Which of the following would have most effectively prevented this incident?
53. A multinational corporation is implementing a bring your own device (BYOD) policy. Which of the following is the most important security control to ensure corporate data is protected on employee devices?
54. During an incident response, the IT team isolates a compromised system from the network. Which of the following is the primary purpose of this action?
55. A company is implementing a cloud-based identity and access management (IAM) system. Which of the following best describes the principle of least privilege in this context?
56. A company stores sensitive customer data in a database. To comply with privacy regulations, the data must be anonymized for analytics. Which technique provides the strongest anonymization while preserving data utility?
57. Which TWO of the following are key components of an effective information security awareness program?
58. Which THREE of the following are commonly accepted practices for securing mobile devices in an enterprise environment?
59. Which TWO of the following are primary objectives of a data loss prevention (DLP) strategy?
60. Refer to the exhibit. An auditor reviews the ACL and notes that it allows traffic from a specific host while blocking other IPs in the same subnet. What is the most likely security issue?
61. Refer to the exhibit. An auditor finds that users are able to reuse previous passwords easily. Which setting should be modified to address this weakness?
62. Refer to the exhibit. During a penetration test, a security analyst captures this SAML response. Which of the following security weaknesses is most evident?
63. An organization is implementing a data loss prevention (DLP) solution. Which of the following is the MOST important step to ensure the DLP rules are effective?
64. During a security assessment, an auditor discovers that employees are sharing passwords to access a critical system. Which of the following controls would BEST mitigate this risk?
65. A company is designing a public cloud-based application that processes highly sensitive personal data. Which of the following data protection strategies provides the STRONGEST assurance that data remains confidential even if the cloud provider's infrastructure is compromised?
66. An IT manager is reviewing the access control model for a financial application. The policy requires that no single person can approve a transaction. Which access control principle does this policy enforce?
67. A company's security policy requires that all laptops have full-disk encryption. During an audit, 10% of laptops are found without encryption. Which of the following is the MOST effective corrective action?
68. An organization plans to integrate a third-party payment gateway into its e-commerce platform. Which of the following is the MOST critical security control to implement before going live?
69. A small business wants to protect customer data stored on a local file server. Which of the following is the MOST cost-effective control to prevent unauthorized access?
70. An auditor is reviewing the encryption strategy for a healthcare application that stores protected health information (PHI) in a database. The database currently uses transparent data encryption (TDE). What is a key risk associated with TDE?
71. An organization has implemented a role-based access control (RBAC) system. A user complains that they cannot access a file needed to complete a critical task. The file's permission indicates that only the 'Manager' role has read access. The user is assigned to the 'Analyst' role. Which of the following is the BEST course of action?
72. Which of the following are effective controls to protect sensitive data in use? (Choose TWO.)
73. Which of the following are key considerations when implementing a data classification policy? (Choose THREE.)
74. An organization has implemented a database activity monitoring (DAM) solution. Which of the following are BEST practices for tuning the DAM to reduce false positives? (Choose TWO.)
75. Refer to the exhibit. A CISA is reviewing this S3 bucket policy. What is the PRIMARY security concern?
76. Refer to the exhibit. An auditor notices this log entry during a review. The user john.doe does not have a legitimate business need to access executive salaries. Which of the following is the MOST likely control failure?
77. Refer to the exhibit. A CISA is analyzing these logs. What is the MOST likely security incident?
78. A financial institution is deploying a data loss prevention (DLP) solution. Which of the following is the MOST important prerequisite to ensure the DLP can effectively detect sensitive data?
79. A company requires employees to use smart cards for facility access. Which additional control would BEST prevent tailgating?
80. An organization is migrating sensitive customer data to a public cloud. Which of the following encryption strategies provides the STRONGEST protection against data exposure to the cloud provider?
81. During a security audit, it was found that users in the finance department have unnecessary access to HR payroll data. Which access control principle has been violated?
82. An organization experiences a ransomware attack that encrypts critical files. Which of the following is the BEST recovery strategy to minimize data loss?
83. A company uses role-based access control (RBAC). An employee moves from one department to another but retains some previous access due to overlapping role permissions. This condition is known as:
84. An organization is implementing a data retention policy for personally identifiable information (PII) to comply with GDPR. Which of the following is the MOST appropriate approach?
85. An organization is evaluating a cloud-based identity as a service (IDaaS) for single sign-on (SSO). Which of the following security concerns is MOST critical to address?
86. Which of the following is the PRIMARY purpose of conducting a penetration test?
87. Refer to the exhibit. Which of the following services is accessible from the internet to host 10.1.1.100?
88. Refer to the exhibit. Which of the following statements is TRUE regarding this S3 bucket policy?
89. Refer to the exhibit. This log entry MOST likely indicates:
90. Which TWO of the following are physical security controls to prevent unauthorized access to a data center?
91. Which TWO of the following are examples of administrative controls for information security?
92. Which THREE of the following are essential components of a data classification program?
93. A small business wants to protect customer data collected through its e-commerce website. Which control is most appropriate for protecting the data at rest and in transit?
94. After a security incident, an organization discovers that an employee accessed sensitive files without authorization. Which of the following is the most effective preventive control to reduce the risk of such unauthorized access?
95. A multinational company must comply with GDPR and local data protection laws when transferring personal data from the EU to a subsidiary in the US. Which transfer mechanism is most commonly accepted as providing adequate protection?
96. An organization has a policy requiring strong passwords. Which additional control is most effective at preventing credential stuffing attacks?
97. A company is migrating its applications to a public IaaS cloud. What is the primary concern for protecting data in this environment?
98. During an information systems audit, the IS auditor finds that data classification labels are not consistently applied across the organization. What is the most likely root cause of this issue?
99. Which physical security control is most effective for preventing unauthorized individuals from tailgating into a data center?
100. An organization uses role-based access control (RBAC) for its enterprise resource planning (ERP) system. What is the greatest risk if user role assignments are not reviewed regularly?
101. A company's endpoint protection solution alerts on a file that is digitally signed by a trusted software vendor but exhibits malicious behavior on execution. What type of threat does this scenario most likely depict?
102. Which TWO of the following are primary objectives of information classification? (Choose two.)
103. Which TWO of the following are examples of detective controls? (Choose two.)
104. Which THREE are core components of a comprehensive identity and access management (IAM) system? (Choose three.)
105. Refer to the exhibit. The IAM policy is intended to allow only requests originating from account 123456789012 to perform any S3 actions. Why does the policy NOT achieve this objective?
106. Refer to the exhibit. An auditor finds that the file 'sensitive.txt' has world-writable permissions. Which of the following is the most appropriate remediation action?
107. An organization has recently implemented a cloud-based identity provider (IdP) for single sign-on (SSO) across all SaaS applications. Users authenticate using their corporate credentials via SAML 2.0. After a week, the IT security team notices a significant increase in failed login attempts from various IP addresses targeting a specific user account. The helpdesk reports that the user, a senior executive, has not complained about any issues. The security team investigates and finds that the account lockout policy is set to 5 failed attempts within 15 minutes, after which the account is locked for 30 minutes. The failed attempts are occurring in bursts of 4, then stopping, then resuming from different IPs. The organization uses conditional access policies that require MFA from unknown locations. However, the failed attempts appear to be stopped at the authentication prompt and never reach the MFA stage. What is the most likely explanation and the best course of action?
108. An organization is implementing a data classification policy and needs to assign ownership for sensitive data. Which of the following is the most appropriate role to assign as the data owner?
109. A multinational corporation is deploying a data loss prevention (DLP) solution across its network. The DLP system must be configured to prevent the exfiltration of personally identifiable information (PII) while minimizing false positives. Which approach is most effective?
110. An organization's mobile device management (MDM) policy requires that all corporate data on employee-owned smartphones be protected. Which control best ensures that corporate data can be remotely wiped without affecting personal data?
111. During a security audit, it is discovered that a database containing customer credit card numbers is not encrypted at rest. The database is used by a legacy application that cannot be modified. Which compensating control most effectively reduces the risk?
112. An organization stores sensitive research data in a cloud storage service. The data must be encrypted at rest and in transit, and the organization wants to maintain control over encryption keys. Which solution best meets these requirements?
113. Which TWO controls are most effective for protecting data at rest on a database server? (Choose two.)
114. Which TWO are primary criteria for classifying information assets within an organization? (Choose two.)
115. Which THREE are indicators of a possible data exfiltration attempt via the network? (Choose three.)
116. A financial services organization recently experienced a data breach where customer financial records were exfiltrated. The investigation reveals that an attacker gained access through a compromised privileged account belonging to a database administrator. The attacker used valid credentials to log into the database server and then exported a large volume of data using native database tools. The security team notes that the organization has multi-factor authentication (MFA) enabled for all remote access, but the database server was accessed from an internal IP address. The organization also has a data loss prevention (DLP) system, but it did not alert on the export because the traffic was encrypted. The database activity monitoring (DAM) system did log the export, but alerts were not reviewed due to high volume and many false positives. Which of the following would have been most effective in preventing this breach?
117. A healthcare organization is required to comply with HIPAA regulations for protecting electronic protected health information (ePHI). The organization uses a cloud-based electronic health record (EHR) system. During a compliance audit, it is discovered that some employees are accessing patient records without a legitimate business need. The EHR system logs all access, but there is no automated process to review logs or detect anomalous behavior. The organization has implemented role-based access control (RBAC) and requires strong passwords, but unauthorized access continues. The IT manager proposes implementing a security information and event management (SIEM) system to collect and correlate logs. However, the budget is limited. Which additional control would be most cost-effective to reduce unauthorized access to patient records?
118. A small manufacturing company uses a network-attached storage (NAS) device to store design files, financial records, and employee data. The NAS is backed up weekly to an external hard drive that is stored in the same office. The company has no encryption on the NAS or the backup drive. One weekend, the office is burglarized, and both the NAS and the backup drive are stolen. The company had no remote backup. Which of the following would have best protected the data in this scenario?
119. An e-commerce company stores customer payment card data in a tokenized database. The tokenization system replaces credit card numbers with tokens, and the actual card numbers are stored in a separate, highly restricted vault. The company is audited for Payment Card Industry Data Security Standard (PCI DSS) compliance. During the audit, it is discovered that the tokenization system sometimes fails due to high load, causing the application to fall back to storing actual card numbers temporarily. This fallback mechanism was not documented or approved. The company also uses the same encryption key for the vault as for other non-sensitive data. The auditor identifies several non-compliances. Which of the following should the company prioritize to remediate?
120. A multinational corporation's data center in the European Union (EU) stores personal data of EU citizens. The company must comply with the General Data Protection Regulation (GDPR), which requires that personal data be protected and that data subjects have the right to erasure ('right to be forgotten'). The company's IT team uses a centralized identity management system that stores user credentials and personal data in an active directory (AD) forest. The AD forest is replicated across multiple data centers worldwide, including a non-EU country. The data protection officer (DPO) is concerned that personal data might be inadvertently replicated to jurisdictions without adequate protection. Which of the following is the most effective way to address this concern?
121. A university's research department stores sensitive research data on a file server that is shared among faculty and graduate students. The server is accessible from the campus network and via VPN for remote access. Recently, a student downloaded a large dataset containing personally identifiable information (PII) of research subjects to a personal laptop. The laptop was later stolen. The university's incident response team determines that the student had legitimate access to the data for research purposes. Which control would have most effectively prevented the data exposure?
122. A software development company uses a cloud-based source code repository (e.g., GitHub) to store proprietary code. The company has two-factor authentication (2FA) enabled for all accounts. A developer's personal computer was infected with malware that stole the developer's session cookies and local credentials. The attacker used the stolen session to access the code repository and exfiltrated the entire codebase. The company's security team reviews the incident and notes that the repository has audit logging, but the logs were not monitored in real time. The team wants to implement additional controls to prevent a similar incident. Which control would have been most effective in preventing the exfiltration?
123. You are an information security manager for a global financial services company. The organization maintains a hybrid infrastructure with critical customer data stored on an on-premises Oracle database server (DB-SRV-01) and in an AWS S3 bucket (customer-data-prod). At 10:00 AM, the security operations center (SOC) alerts you to an anomalous outbound data transfer from DB-SRV-01 to an unknown IP address in a high-risk country. The transfer started at 9:45 AM and involves 500 MB of data, likely including personally identifiable information (PII). The SOC has already quarantined the server's network egress by blocking all outbound traffic from DB-SRV-01, but the server remains connected to the internal production network. Meanwhile, a separate analysis indicates that the S3 bucket has been accessed via an IAM key that was stolen from a compromised developer workstation three days ago. The key has not been rotated. The incident response team is preparing to act. The primary objective is to protect information assets and minimize data exposure. Given this scenario, which of the following actions should the team take FIRST?
The Protection of Information Assets domain covers the key concepts tested in this area of the CISA exam blueprint published by ISACA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CISA domains — no account required.
The Courseiva CISA question bank contains 123 questions in the Protection of Information Assets domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Protection of Information Assets domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.