Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


CISA Protection of Information Assets • Complete Question Bank

CISA Protection of Information Assets — All Questions With Answers

Complete CISA Protection of Information Assets question bank — all 0 questions with answers and detailed explanations.

83 questions · Free · No signup
Question 1 (medium, multiple choice)

An IS auditor is reviewing the logical access controls for a financial application. The auditor notices that user access reviews are performed annually by the application owner, but there is no documentation indicating that managers confirm the continued need for access. Which of the following is the MOST significant risk associated with this finding?

Question 2 (easy, multiple choice)

During an audit of the information security program, the IS auditor reviews the organization's information security policy. Which of the following is the PRIMARY purpose of an information security policy?

Question 3 (hard, multiple choice)

An IS auditor is reviewing the privileged access management (PAM) process. The auditor finds that shared administrative accounts are used for critical system maintenance and that passwords are changed quarterly. Which of the following is the BEST recommendation to mitigate the risk of audit trail loss?

Question 4 (medium, multiple choice)

An IS auditor is evaluating the effectiveness of a security awareness program. Which of the following metrics would BEST indicate that the program is achieving its objectives?

Question 5 (medium, multiple choice)

An organization uses a public key infrastructure (PKI) to issue digital certificates. The IS auditor is reviewing the certificate lifecycle management. Which of the following is the GREATEST risk if certificate revocation lists (CRLs) are not updated in a timely manner?

Question 6 (easy, multiple choice)

An IS auditor is reviewing the physical access controls at a data center. Which of the following is the MOST effective control to prevent tailgating?

Question 7 (hard, multiple choice)

During a review of the incident management process, the IS auditor finds that the incident response (IR) team conducts tabletop exercises annually, but the scenarios are limited to malware outbreaks. Which of the following should be the auditor's GREATEST concern?

Question 8 (medium, multiple choice)

An IS auditor is reviewing the organization's encryption key management program. Which of the following is the MOST critical control to ensure the confidentiality of encrypted data in the event of a key compromise?

Question 9 (easy, multiple choice)

An IS auditor is assessing the effectiveness of network segmentation for a payment card processing environment. Which of the following is the PRIMARY benefit of network segmentation in meeting PCI DSS requirements?

Question 10 (hard, multiple choice)

An organization processes personal data of EU residents and has implemented pseudonymisation as a privacy control. The IS auditor is reviewing the effectiveness of this control in meeting GDPR requirements. Which of the following is the MOST important limitation of pseudonymisation?

Question 11 (medium, multiple choice)

An IS auditor is reviewing the process for granting access to a critical financial system. The auditor finds that access requests are approved by the system owner but there is no segregation between the request and approval functions for emergency access. Which of the following is the BEST control to mitigate this risk?

Question 12 (medium, multiple choice)

An IS auditor is reviewing the vulnerability management program. The auditor notes that a critical vulnerability was identified in a production system six months ago and has not been patched due to a business impact assessment. Which of the following should the auditor examine NEXT?

Question 13 (medium, multi select)

An IS auditor is reviewing the organization's data inventory process for privacy compliance. Which TWO of the following are the MOST important elements that should be included in the data inventory?

Question 14 (hard, multi select)

During a firewall rule review, an IS auditor identifies several rules that allow any-to-any traffic. Which THREE of the following should the auditor recommend as the MOST appropriate actions?

Question 15 (easy, multi select)

An IS auditor is reviewing the process for granting access to a sensitive financial application. Which TWO of the following are the MOST important controls to ensure appropriate access?

Question 16 (easy, multiple choice)

An IS auditor is reviewing an organization's logical access control processes. Which of the following is the primary purpose of conducting regular user access recertifications?

Question 17 (medium, multiple choice)

During an audit of an organization's information security programme, the IS auditor finds that the security awareness training completion rate is 95% but phishing simulation tests show a 30% failure rate. What should the auditor recommend?

Question 18 (hard, multiple choice)

An IS auditor is reviewing firewall rule sets and discovers a rule that permits any source IP to access the internal database server on TCP port 1433 (Microsoft SQL). The rule was documented as a temporary measure but has been in place for 18 months. What is the auditor's BEST course of action?

Question 19 (medium, multiple choice)

An organization is implementing a privileged access management (PAM) solution. Which of the following is the PRIMARY benefit of using a PAM tool?

Question 20 (easy, multiple choice)

An IS auditor is reviewing physical access controls at a data center. Which of the following controls is MOST effective for preventing tailgating?

Question 21 (medium, multiple choice)

During a review of encryption practices, the IS auditor finds that an organization uses the same encryption key for all customer data at rest. What is the PRIMARY concern?

Question 22 (hard, multiple choice)

An IS auditor is evaluating the patch management process. The auditor notes that critical security patches are applied within 30 days, but the policy requires 7 days. The IT manager states that the delay is due to testing requirements. What should the auditor recommend?

Question 23 (medium, multiple choice)

An organization has implemented a key management program. Which of the following is the MOST critical control for ensuring the security of cryptographic keys?

Question 24 (easy, multiple choice)

An IS auditor is reviewing the incident response (IR) process. Which of the following is the BEST way to test the effectiveness of the IR plan?

Question 25 (medium, multiple choice)

During a privacy audit, the IS auditor discovers that the organization does not have a complete data inventory. What is the PRIMARY risk associated with this finding?

Question 26 (hard, multiple choice)

An IS auditor is reviewing a penetration test report that shows a critical vulnerability in a web application. The IT manager states that the vulnerability will not be fixed because it requires significant code changes and the application is being decommissioned in six months. What should the auditor do?

Question 27 (medium, multiple choice)

An organization uses shared accounts for system administration. Which of the following is the MOST significant audit concern?

Question 28 (medium, multi select)

An IS auditor is assessing network security controls. Which TWO of the following are key elements of a firewall rule review?

Question 29 (hard, multi select)

An organization is implementing a privacy program to comply with GDPR. Which THREE of the following are essential elements for managing cross-border data transfers?

Question 30 (easy, multi select)

During an audit of physical security, the IS auditor observes that employees frequently leave confidential documents on their desks overnight. Which TWO controls should the auditor recommend?

Question 31 (easy, multiple choice)

An IS auditor is reviewing the logical access controls for a critical financial application. Which of the following is the MOST important control to ensure that user access rights remain appropriate over time?

Question 32 (medium, multiple choice)

During an audit of a healthcare organization's information security program, the IS auditor finds that the security awareness training is conducted only at hire. Which of the following is the MOST significant risk associated with this practice?

Question 33 (medium, multiple choice)

An IS auditor is reviewing the process for granting privileged access in a large organization. Which of the following findings should be of MOST concern?

Question 34 (hard, multiple choice)

During an audit of network security controls, the IS auditor reviews firewall rule sets and identifies a rule that allows any-to-any traffic from the internal network to the Internet. The rule has a business justification. What is the auditor's BEST recommendation?

Question 35 (medium, multiple choice)

An IS auditor is reviewing the key management program for an organization's encryption systems. Which of the following is the MOST critical control to ensure the security of encryption keys?

Question 36 (easy, multiple choice)

Which of the following is the PRIMARY purpose of conducting a privacy impact assessment (PIA)?

Question 37 (medium, multiple choice)

During an audit of the incident management process, the IS auditor finds that tabletop exercises have not been conducted in the past two years. What is the MOST significant risk associated with this finding?

Question 38 (hard, multiple choice)

An IS auditor is reviewing an organization's vulnerability management program. The auditor notes that a critical vulnerability in a key application has not been patched for 90 days, and there is no documented risk acceptance. What should the auditor do FIRST?

Question 39 (medium, multiple choice)

An organization has implemented a clean desk policy. Which of the following is the BEST audit procedure to verify compliance?

Question 40 (easy, multiple choice)

Which of the following is the PRIMARY objective of a penetration test?

Question 41 (medium, multiple choice)

An IS auditor is reviewing the physical access controls at a data center. Which of the following is the MOST effective control to prevent tailgating?

Question 42 (hard, multiple choice)

During an audit of a public key infrastructure (PKI), the IS auditor finds that certificate revocation lists (CRLs) are only updated weekly. Which of the following is the MOST significant risk?

Question 43 (medium, multi select)

An IS auditor is assessing the data inventory of a financial institution to ensure compliance with privacy regulations. Which TWO of the following are essential elements that should be included in the data inventory?

Question 44 (medium, multi select)

During an audit of the incident response process, the IS auditor finds that the organization relies on shared accounts for system administration. Which TWO of the following are the MOST significant risks associated with shared accounts?

Question 45 (hard, multi select)

An IS auditor is reviewing the organization's incident management process. Which THREE of the following are essential components of an effective incident response plan?

Question 46 (easy, multiple choice)

An IS auditor is reviewing the physical access controls at a data center. Which of the following is the MOST effective control to prevent tailgating?

Question 47 (medium, multiple choice)

An IS auditor is reviewing the user access recertification process. Which of the following findings would MOST concern the auditor regarding the effectiveness of access reviews?

Question 48 (medium, multiple choice)

During a review of the patch management process, the IS auditor finds that critical security patches are applied within 30 days, but the policy requires application within 7 days. The IT manager argues that the delay is due to testing requirements. What should the auditor recommend?

Question 49 (hard, multiple choice)

An IS auditor is reviewing the password policy for a system that processes sensitive financial data. Which of the following is the MOST effective control to mitigate the risk of password cracking?

Question 50 (easy, multiple choice)

An organization is implementing a key management program to protect encryption keys. Which of the following is the MOST important control to ensure the security of cryptographic keys?

Question 51 (medium, multiple choice)

An IS auditor is reviewing the firewall rule base. Which of the following findings would be of MOST concern?

Question 52 (medium, multiple choice)

An IS auditor is evaluating the incident response (IR) plan. Which of the following is the BEST indicator that the plan is effective?

Question 53 (hard, multiple choice)

During an audit of privacy controls, the IS auditor discovers that the organization processes personal data of EU residents but has not appointed a Data Protection Officer (DPO). Which regulation is MOST likely being violated?

Question 54 (easy, multiple choice)

An organization has implemented a security awareness training program. Which of the following metrics would BEST indicate that the program is effective?

Question 55 (medium, multiple choice)

An IS auditor is reviewing logical access controls for a critical application. Which of the following is the MOST important control to detect unauthorized access?

Question 56 (medium, multiple choice)

An organization is implementing a public key infrastructure (PKI) to support digital certificates. Which of the following is the MOST critical control to ensure the integrity of the certificate lifecycle?

Question 57 (hard, multiple choice)

An IS auditor is reviewing a vulnerability scan report and finds that a critical vulnerability on a web server has been open for 90 days beyond the remediation SLA. The system owner states that the vulnerability cannot be patched because it would break a legacy application. What should the auditor recommend?

Question 58 (medium, multi select)

An IS auditor is reviewing the privileged access management (PAM) process. Which TWO of the following are the MOST effective controls to prevent misuse of privileged accounts?

Question 59 (hard, multi select)

An organization is planning to implement a data loss prevention (DLP) solution to protect sensitive data. Which THREE of the following are essential steps to ensure the effectiveness of the DLP program?

Question 60 (medium, multi select)

An IS auditor is assessing the organization's compliance with privacy regulations regarding cross-border data transfers. Which TWO of the following are acceptable mechanisms to legitimize such transfers under the GDPR?

Question 61 (medium, multiple choice)

An IS auditor is reviewing the access recertification process for a financial application. The process requires users' managers to confirm access rights quarterly. Which of the following findings should MOST concern the auditor?

Question 62 (medium, multiple choice)

During a review of firewall rule sets, an IS auditor finds a rule that allows any source IP to access any destination IP on TCP port 443. Which of the following should the auditor do FIRST?

Question 63 (easy, multiple choice)

Which of the following is the PRIMARY purpose of conducting a privacy impact assessment (PIA) before implementing a new system that processes personal data?

Question 64 (hard, multiple choice)

An IS auditor is reviewing an organization's key management program. Which of the following is the GREATEST risk associated with using a single key for both encryption and decryption of sensitive data?

Question 65 (easy, multiple choice)

Which of the following is the BEST indicator of the effectiveness of a security awareness program?

Question 66 (medium, multiple choice)

An IS auditor is reviewing the incident response (IR) process. Which of the following is the MOST important characteristic of an effective tabletop exercise?

Question 67 (medium, multiple choice)

An organization uses shared accounts for system administration. Which of the following is the BEST control to mitigate the risk of non-repudiation?

Question 68 (hard, multiple choice)

During an audit of patch management, the IS auditor notes that several critical patches have not been applied within the defined SLA. Which of the following is the BEST approach to evaluate the risk acceptance of these unpatched vulnerabilities?

Question 69 (easy, multiple choice)

Which of the following is the PRIMARY reason for implementing network segmentation?

Question 70 (medium, multiple choice)

An IS auditor is reviewing the logical access controls for a critical database. Which of the following findings should be considered the HIGHEST risk?

Question 71 (medium, multiple choice)

An organization has a clean desk policy. Which of the following is the BEST audit procedure to test compliance with this policy?

Question 72 (hard, multiple choice)

An IS auditor is evaluating the encryption strategy for a healthcare organization subject to HIPAA. Which of the following is the MOST significant risk if the organization relies solely on encryption as a safe harbor?

Question 73 (medium, multi select)

An IS auditor is reviewing the physical access controls at a data center. Which TWO of the following are the MOST effective controls to prevent unauthorized tailgating?

Question 74 (hard, multi select)

An organization is implementing a public key infrastructure (PKI) to issue digital certificates for internal applications. Which THREE of the following are essential elements of PKI governance that an IS auditor should review?

Question 75 (medium, multi select)

An IS auditor is reviewing the data subject rights fulfillment process for GDPR compliance. Which TWO of the following are required to be completed within the one-month response period?

Question 76 (medium, multiple choice)

An IS auditor is reviewing the access recertification process for a financial institution. The process requires users and their managers to confirm access rights quarterly. During the review, the auditor finds that recertifications are consistently completed late, with an average delay of 45 days. Additionally, terminated employees' access is not always removed promptly, and there are no compensating controls. Which of the following is the MOST significant risk arising from these findings?

Question 77 (hard, multiple choice)

During a review of firewall rule sets, an IS auditor identifies a rule that allows 'any-any' traffic from an internal subnet to the DMZ. The rule was implemented six months ago based on a business request that has since been completed. The firewall administrator explains that the rule was kept for convenience. Which of the following is the BEST audit recommendation?

Question 78 (medium, multi select)

An IS auditor is evaluating the encryption key management program of a healthcare organization that processes protected health information (PHI). The organization uses a mix of symmetric and asymmetric keys. Which TWO of the following are key management practices that should be addressed to ensure effective protection of PHI?

Question 79 (hard, multi select)

During an audit of incident management processes, the IS auditor reviews past incident reports and conducts interviews. The organization recently experienced a ransomware attack that encrypted critical systems. The incident response team was able to contain the attack but struggled with forensic collection due to lack of pre-defined procedures. Which TWO of the following should the auditor recommend as the HIGHEST priority improvements?

Question 80 (easy, multi select)

An IS auditor is reviewing physical security controls at a data center. The data center hosts critical servers and uses a badge access system with PINs, CCTV cameras, and a mantrap entry. The auditor observes that employees sometimes hold the door open for others without badging. Which TWO of the following are the MOST effective controls to address this tailgating risk?

Question 81 (medium, multi select)

An IS auditor is assessing the vulnerability management program of a financial services company. The auditor reviews the latest vulnerability scan report and finds that several critical vulnerabilities have not been patched within the defined SLA of 30 days. The IT manager explains that patches could not be applied due to compatibility issues with legacy applications, and risk acceptance has been documented for some but not all. Which THREE of the following are the MOST appropriate audit findings?

Question 82 (easy, multi select)

An IS auditor is reviewing the logical access controls for a cloud-based HR system. The system contains sensitive employee data. The auditor notes that user provisioning is performed by the HR department without IT involvement, and there is no formal access request or approval process. Which THREE of the following are the MOST significant risks?

Question 83 (medium, multi select)

An IS auditor is evaluating the privacy controls of an e-commerce company that collects and processes personal data from customers in multiple jurisdictions, including the European Union (GDPR). The company has a data inventory but has not conducted a privacy impact assessment (PIA) for a new customer analytics platform that processes sensitive data. Which THREE of the following are the MOST critical deficiencies that the auditor should report?
