Courseiva

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.
CISA Protection of Information Assets • Complete Question Bank

CISA Protection of Information Assets — All Questions With Answers

Complete CISA Protection of Information Assets question bank: all questions with answers and detailed explanations.

123 questions. Free. No signup.
Question 1 (medium, multiple choice)
Read the full Protection of Information Assets explanation →

An organization is implementing a data loss prevention (DLP) solution. Which of the following is the BEST approach to reduce false positives during initial deployment?

Question 2 (hard, multiple choice)
Read the full Protection of Information Assets explanation →

During an audit, an IS auditor finds that the organization uses a cloud-based identity provider (IdP) for single sign-on (SSO) but does not enforce multi-factor authentication (MFA) for all users. Which of the following is the BEST recommendation to reduce risk?

Question 3 (easy, multiple choice)
Read the full Protection of Information Assets explanation →

An organization has implemented role-based access control (RBAC). Which of the following is the PRIMARY benefit of RBAC?

Question 4 (medium, multiple choice)
Read the full Protection of Information Assets explanation →

An IS auditor is reviewing an organization's data classification policy. Which of the following findings is MOST critical?

Question 5 (hard, multiple choice)
Read the full Protection of Information Assets explanation →

A company is implementing a privileged access management (PAM) system. Which of the following is the MOST important control to prevent lateral movement after a privileged account is compromised?

Question 6 (easy, multiple choice)
Read the full Protection of Information Assets explanation →

An organization wants to ensure that data is not retained longer than necessary. Which of the following is the BEST control to implement?

Question 7 (medium, multiple choice)
Read the full Protection of Information Assets explanation →

During a penetration test, a tester discovers that an application stores passwords using a reversible encryption algorithm. Which of the following is the BEST remediation?

Question 8 (hard, multiple choice)
Read the full Protection of Information Assets explanation →

An organization uses a third-party cloud service for data storage. Which of the following is the BEST way to ensure data confidentiality in the event of a cloud provider breach?

Question 9 (easy, multiple choice)
Read the full Protection of Information Assets explanation →

Which of the following is the PRIMARY purpose of a data classification scheme?

Question 10 (medium, multi select)
Read the full Protection of Information Assets explanation →

Which TWO of the following are effective controls to prevent unauthorized access to sensitive data in a database? (Choose two.)

Question 11 (hard, multi select)
Read the full Protection of Information Assets explanation →

Which THREE of the following are key components of an effective information security awareness program? (Choose three.)

Question 12 (easy, multi select)
Read the full Protection of Information Assets explanation →

Which TWO of the following are examples of administrative controls for information security? (Choose two.)

Question 13 (medium, multiple choice)
Read the full Protection of Information Assets explanation →

Based on the exhibit, which user account poses the HIGHEST security risk?

Exhibit

Refer to the exhibit.

```
# cat /etc/shadow | grep -E "^(root|admin|test):"
root:$6$xyz...$abc:18000:0:99999:7:::
admin:!:18001:0:99999:7:::
test:$6$def...$ghi:18001:0:99999:7:::
```
Question 14 (hard, multiple choice)
Read the full Protection of Information Assets explanation →

Based on the exhibit, which of the following is the MOST likely result of the current firewall configuration?

Exhibit

Refer to the exhibit.

```
# iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       192.168.1.0/24       0.0.0.0/0            tcp dpt:443
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
```
Question 15 (easy, multiple choice)
Read the full Protection of Information Assets explanation →

Based on the exhibit, what is the security risk of this bucket policy?

Exhibit

Refer to the exhibit.

```
# s3api get-bucket-policy --bucket example-bucket
"Policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"s3:GetObject\",\"Resource\":\"arn:aws:s3:::example-bucket/*\"}]}"
```
Question 16 (hard, multiple choice)
Read the full VPN explanation →

You are an IS auditor reviewing the remote access configuration for a medium-sized enterprise. The company uses a VPN concentrator to allow employees to connect from home. The VPN is configured with IPsec using pre-shared keys (PSK) and requires no multi-factor authentication. Employees use company-issued laptops with full disk encryption. The VPN logs show that connections are coming from a wide range of IP addresses, including some from countries where the company has no business operations. The IT manager argues that the PSK is changed monthly and that full disk encryption mitigates any risk. However, during the audit, you find that the PSK is stored in a shared document on an internal file server accessible to all employees. Additionally, the VPN concentrator uses a single PSK for all users. Which of the following is the MOST critical finding?

Question 17 (medium, multiple choice)
Read the full Protection of Information Assets explanation →

You are an IS auditor for a financial institution that processes credit card payments. The organization uses a key management system (KMS) to store encryption keys for point-of-sale (POS) data. The KMS is a hardware security module (HSM) located in a secured data center. The audit reveals that the HSM is administered by two individuals who both have full access to the HSM, including the ability to export keys. The organization has a policy requiring split knowledge and dual control for key management, but in practice, the two administrators often perform key ceremonies alone due to scheduling conflicts. The logs show that one administrator exported a key last month without the other present, and the export was approved via email by the other administrator after the fact. Which of the following is the BEST corrective action?

Question 18 (medium, multiple choice)
Read the full Protection of Information Assets explanation →

An organization is implementing a data loss prevention (DLP) solution. Which of the following is the BEST approach to minimize false positives while ensuring sensitive data is protected?

Question 19 (hard, multiple choice)
Read the full NAT/PAT explanation →

A security architect is designing a data classification schema for a multinational corporation. Which combination of factors is MOST critical for determining the classification level of a data asset?

Question 20 (easy, multiple choice)
Read the full Protection of Information Assets explanation →

A company's security policy requires that all laptops have full disk encryption. During an audit, it is discovered that several laptops have encryption enabled but the recovery keys are stored on the local drive. What is the MOST significant risk?

Question 21 (medium, multiple choice)
Read the full Protection of Information Assets explanation →

An organization is planning to deploy a web application firewall (WAF) to protect a critical application. Which deployment mode should be used to ensure that the WAF can block malicious traffic without introducing a single point of failure?

Question 22 (hard, multi select)
Read the full Protection of Information Assets explanation →

Which TWO are primary objectives of an identity and access management (IAM) program? (Select exactly 2.)

Question 23 (medium, multi select)
Read the full Protection of Information Assets explanation →

Which THREE are commonly used techniques to protect sensitive data in a cloud environment? (Select exactly 3.)

Question 24 (hard, multiple choice)
Read the full Protection of Information Assets explanation →

Based on the exhibit, what is the MOST likely compliance issue requiring immediate remediation?

Exhibit

Refer to the exhibit.

```
[Storage Policy: HR_Data]
Retention: 7 years
Encryption: AES-256
Access: Restricted (HR Managers only)
Backup: Daily, stored in Offsite Vault
Last Compliance Check: 2023-02-15
Status: Non-compliant (Reason: Backup media not encrypted)
```
Question 25 (hard, multiple choice)
Read the full NAT/PAT explanation →

A healthcare organization has implemented a data classification policy with three levels: Public, Internal, and Restricted. The IT department recently received a report of a potential data breach. An internal auditor discovered that a database containing Protected Health Information (PHI) classified as Restricted was accessible via a web application that did not enforce encryption in transit. The web application uses HTTPS, but the auditor found that the connection was downgraded to HTTP due to a misconfiguration in the load balancer. Additionally, the database logs show that an external IP address queried the database for thousands of patient records over a two-hour period. The database was configured to allow only specific internal application servers, but the firewall rule was incorrectly set to allow connections from any IP address. The security team needs to determine the most effective immediate action to prevent further unauthorized access and protect the data. Which course of action should the security team take FIRST?

Question 26 (easy, multi select)
Read the full Protection of Information Assets explanation →

An organization is implementing a data loss prevention (DLP) solution. Which TWO of the following are key considerations for effective DLP deployment?

Question 27 (hard, multiple choice)
Read the full Protection of Information Assets explanation →

Refer to the exhibit. A security analyst notices that users on the INSIDE network (10.1.1.0/24) can browse HTTPS websites but cannot resolve domain names. What is the most likely cause?

Exhibit

Refer to the exhibit.

Exhibit: Firewall rule excerpt (Cisco ASA)

```
access-list INSIDE extended permit tcp 10.1.1.0 255.255.255.0 any eq 443
access-list INSIDE extended permit udp 10.1.1.0 255.255.255.0 host 10.2.2.10 eq 53
access-list INSIDE extended deny ip any any

interface GigabitEthernet0/0
 nameif INSIDE
 security-level 100
 ip address 10.1.1.1 255.255.255.0

interface GigabitEthernet0/1
 nameif OUTSIDE
 security-level 0
 ip address 192.168.1.1 255.255.255.0

route OUTSIDE 0.0.0.0 0.0.0.0 192.168.1.254 1
```
Question 28 (medium, multiple choice)
Read the full NAT/PAT explanation →

A multinational corporation is deploying a new cloud-based collaboration platform for its 5,000 employees. The platform will store sensitive project data and intellectual property. The CISO mandates that all data must be encrypted at rest and in transit, and that access must be controlled via the company's identity provider (IdP) using SAML 2.0. During a pilot with the R&D department, the security team discovers that the platform's audit logs do not record failed login attempts from the IdP. The platform vendor states that the IdP is responsible for authentication, so the platform only logs successful assertions. The CISO is concerned about the lack of visibility into brute-force attacks. The company already has a SIEM that receives logs from the IdP and other sources. What is the BEST course of action?

Question 29 (medium, drag order)
Read the full Protection of Information Assets explanation →

Order the steps for responding to a security incident in the correct sequence.

Question 30 (medium, drag order)
Read the full VPN explanation →

Arrange the steps to set up a virtual private network (VPN) for remote access in the correct order.

Question 31 (medium, matching)
Read the full Protection of Information Assets explanation →

Match each security control to its category.

Concepts

Preventive

Detective

Corrective

Administrative

Technical

Question 32 (medium, matching)
Read the full Protection of Information Assets explanation →

Match each regulatory standard to its focus area.

Concepts

Financial reporting controls

Payment card data security

Health information privacy

Personal data protection

Question 33 (easy, multiple choice)
Read the full Protection of Information Assets explanation →

Which of the following is the PRIMARY benefit of using a hardware security module (HSM) for key management?

Question 34 (medium, multiple choice)
Read the full Protection of Information Assets explanation →

An organization uses risk-based authentication (RBA) for user access. Which of the following factors would MOST likely trigger a step-up authentication?

Question 35 (hard, multiple choice)
Read the full Protection of Information Assets explanation →

An IS auditor reviews the disposal process of hard drives. Which of the following methods provides the HIGHEST assurance that data cannot be recovered?

Question 36 (easy, multiple choice)
Read the full Protection of Information Assets explanation →

When implementing a data classification policy, which of the following roles is PRIMARILY responsible for assigning classification labels to data?

Question 37 (medium, multiple choice)
Read the full Protection of Information Assets explanation →

Which of the following is the MOST effective control to prevent unauthorized USB devices from connecting to corporate workstations?

Question 38 (hard, multiple choice)
Read the full Protection of Information Assets explanation →

During an audit of a privileged access management (PAM) system, the auditor finds that privileged sessions are recorded but not reviewed. What is the primary risk?

Question 39 (medium, multiple choice)
Read the full Protection of Information Assets explanation →

An organization is implementing a data masking solution for a non-production database. Which of the following is the MOST important requirement?

Question 40 (hard, multiple choice)
Read the full Protection of Information Assets explanation →

Which of the following is the BEST indicator that an organization's data security governance is effective?

Question 41 (easy, multiple choice)
Read the full Protection of Information Assets explanation →

What is the FIRST step in implementing an identity and access management (IAM) program?

Question 42 (medium, multi select)
Read the full Protection of Information Assets explanation →

Which TWO of the following are considered essential components of an information security policy framework? (Choose two.)

Question 43 (hard, multi select)
Read the full Protection of Information Assets explanation →

Which TWO of the following are the MOST effective controls to prevent unauthorized access to a data center's server room? (Choose two.)

Question 44 (easy, multi select)
Read the full Protection of Information Assets explanation →

Which THREE of the following are commonly used data encryption standards? (Choose three.)

Question 45 (easy, multiple choice)
Read the full Protection of Information Assets explanation →

An organization uses the access list above on its perimeter firewall. Which of the following is a valid conclusion?

Exhibit

Refer to the exhibit.
```
# show access-lists
Extended IP access list 101
    10 permit tcp 192.168.1.0 0.0.0.255 any eq 443
    20 permit tcp 192.168.2.0 0.0.0.255 any eq 80
    30 deny ip any any log
```
Question 46 (medium, multiple choice)
Read the full Protection of Information Assets explanation →

An organization has the S3 bucket policy shown. Which of the following is the MOST likely intent of this policy?

Exhibit

Refer to the exhibit.
```
{
  "PolicyName": "DataRetentionPolicy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:DeleteObject",
      "Resource": "arn:aws:s3:::corporate-data-archive/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```
Question 47 (hard, multiple choice)
Read the full Protection of Information Assets explanation →

An IS auditor reviews the log entry above. Which of the following is the MOST likely cause of the authentication failure?

Exhibit

Refer to the exhibit.
```
[Error] Authentication failed for user 'john.doe' from IP 10.0.0.5.
Timestamp: 2024-03-21 14:32:15 UTC
Log Source: RADIUS Server
Additional Info: Invalid certificate CN in client certificate.
```
Question 48 (easy, multiple choice)
Read the full Protection of Information Assets explanation →

A financial institution is implementing a data classification policy. Which of the following is the most important factor in determining the classification level of a data asset?

Question 49 (medium, multiple choice)
Read the full Protection of Information Assets explanation →

An organization uses role-based access control (RBAC). An employee is transferred to a new department. According to best practices, what should be done regarding the employee's access rights?

Question 50 (hard, multiple choice)
Read the full Protection of Information Assets explanation →

A company is migrating its customer database to a public cloud provider. Which of the following encryption strategies best protects data while minimizing performance impact on queries?

Question 51 (easy, multiple choice)
Read the full Protection of Information Assets explanation →

An organization wants to protect its intellectual property from unauthorized disclosure via email. Which control should be implemented?

Question 52 (medium, multiple choice)
Read the full NAT/PAT explanation →

A security auditor discovers that a server has been compromised due to an unpatched vulnerability. Which of the following would have most effectively prevented this incident?

Question 53 (hard, multiple choice)
Read the full NAT/PAT explanation →

A multinational corporation is implementing a bring your own device (BYOD) policy. Which of the following is the most important security control to ensure corporate data is protected on employee devices?

Question 54 (easy, multiple choice)
Read the full Protection of Information Assets explanation →

During an incident response, the IT team isolates a compromised system from the network. Which of the following is the primary purpose of this action?

Question 55 (medium, multiple choice)
Read the full Protection of Information Assets explanation →

A company is implementing a cloud-based identity and access management (IAM) system. Which of the following best describes the principle of least privilege in this context?

Question 56 (hard, multiple choice)
Read the full Protection of Information Assets explanation →

A company stores sensitive customer data in a database. To comply with privacy regulations, the data must be anonymized for analytics. Which technique provides the strongest anonymization while preserving data utility?

Question 57 (easy, multi select)
Read the full Protection of Information Assets explanation →

Which TWO of the following are key components of an effective information security awareness program?

Question 58 (medium, multi select)
Read the full Protection of Information Assets explanation →

Which THREE of the following are commonly accepted practices for securing mobile devices in an enterprise environment?

Question 59 (hard, multi select)
Read the full Protection of Information Assets explanation →

Which TWO of the following are primary objectives of a data loss prevention (DLP) strategy?

Question 60 (easy, multiple choice)
Study the full ACL explanation →

Refer to the exhibit. An auditor reviews the ACL and notes that it allows traffic from a specific host while blocking other IPs in the same subnet. What is the most likely security issue?

Exhibit

Access Control List (ACL) applied to interface GigabitEthernet0/0:

```
permit ip host 10.0.0.1 any
deny ip 10.0.0.0/24 any
permit ip any any
```
Question 61 (medium, multiple choice)
Read the full Protection of Information Assets explanation →

Refer to the exhibit. An auditor finds that users are able to reuse previous passwords easily. Which setting should be modified to address this weakness?

Exhibit

Configuration snippet from a Windows server security policy:

```
Password Policy:
Enforce password history: 5 passwords remembered
Maximum password age: 90 days
Minimum password age: 1 day
Minimum password length: 8 characters
Complexity requirements: Enabled
Account Lockout Policy:
Account lockout threshold: 5 invalid logon attempts
Account lockout duration: 15 minutes
Reset account lockout counter after: 15 minutes
```
Question 62 (hard, multiple choice)
Read the full Protection of Information Assets explanation →

Refer to the exhibit. During a penetration test, a security analyst captures this SAML response. Which of the following security weaknesses is most evident?

Exhibit

SAML 2.0 Response excerpt:

```
<saml:Assertion>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:00:30Z" />
  <saml:AuthnStatement>
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>
```
Question 63 (easy, multiple choice)
Read the full Protection of Information Assets explanation →

An organization is implementing a data loss prevention (DLP) solution. Which of the following is the MOST important step to ensure the DLP rules are effective?

Question 64 (easy, multiple choice)
Read the full Protection of Information Assets explanation →

During a security assessment, an auditor discovers that employees are sharing passwords to access a critical system. Which of the following controls would BEST mitigate this risk?

Question 65 (hard, multiple choice)
Read the full Protection of Information Assets explanation →

A company is designing a public cloud-based application that processes highly sensitive personal data. Which of the following data protection strategies provides the STRONGEST assurance that data remains confidential even if the cloud provider's infrastructure is compromised?

Question 66 (medium, multiple choice)
Read the full Protection of Information Assets explanation →

An IT manager is reviewing the access control model for a financial application. The policy requires that no single person can approve a transaction. Which access control principle does this policy enforce?

Question 67 (medium, multiple choice)
Read the full Protection of Information Assets explanation →

A company's security policy requires that all laptops have full-disk encryption. During an audit, 10% of laptops are found without encryption. Which of the following is the MOST effective corrective action?

Question 68 (hard, multiple choice)
Read the full Protection of Information Assets explanation →

An organization plans to integrate a third-party payment gateway into its e-commerce platform. Which of the following is the MOST critical security control to implement before going live?

Question 69 (easy, multiple choice)
Read the full Protection of Information Assets explanation →

A small business wants to protect customer data stored on a local file server. Which of the following is the MOST cost-effective control to prevent unauthorized access?

Question 70 (medium, multiple choice)
Read the full Protection of Information Assets explanation →

An auditor is reviewing the encryption strategy for a healthcare application that stores protected health information (PHI) in a database. The database currently uses transparent data encryption (TDE). What is a key risk associated with TDE?

Question 71 (hard, multiple choice)
Read the full Protection of Information Assets explanation →

An organization has implemented a role-based access control (RBAC) system. A user complains that they cannot access a file needed to complete a critical task. The file's permission indicates that only the 'Manager' role has read access. The user is assigned to the 'Analyst' role. Which of the following is the BEST course of action?

Question 72 (easy, multi select)
Read the full Protection of Information Assets explanation →

Which of the following are effective controls to protect sensitive data in use? (Choose TWO.)

Question 73 (medium, multi select)
Read the full Protection of Information Assets explanation →

Which of the following are key considerations when implementing a data classification policy? (Choose THREE.)

Question 74 (hard, multi select)
Read the full Protection of Information Assets explanation →

An organization has implemented a database activity monitoring (DAM) solution. Which of the following are BEST practices for tuning the DAM to reduce false positives? (Choose TWO.)

Question 75 (easy, multiple choice)
Read the full Protection of Information Assets explanation →

Refer to the exhibit. A CISA is reviewing this S3 bucket policy. What is the PRIMARY security concern?

Exhibit

Configuration file for an Amazon S3 bucket policy:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
```
Question 76 (medium, multiple choice)
Read the full Protection of Information Assets explanation →

Refer to the exhibit. An auditor notices this log entry during a review. The user john.doe does not have a legitimate business need to access executive salaries. Which of the following is the MOST likely control failure?

Exhibit

Output from a database audit log:

```
Timestamp: 2024-03-15 14:23:45
User: john.doe
Action: SELECT
Table: Employee_salaries
Rows: 500
Source_IP: 10.0.0.15
Query: SELECT salary FROM Employee_salaries WHERE department = 'Executive'
```
Question 77 (hard, multiple choice)
Read the full Protection of Information Assets explanation →

Refer to the exhibit. A CISA is analyzing these logs. What is the MOST likely security incident?

Exhibit

Extract from a server audit log:

```
[2024-03-20 08:12:34] User: admin (privileged) executed: cmd.exe /c "taskkill /F /IM svchost.exe"
[2024-03-20 08:12:37] System event: Service 'Windows Update' stopped unexpectedly.
[2024-03-20 08:12:40] System event: Security Center service stopped.
[2024-03-20 08:12:45] Network connection from 10.0.0.50 to 203.0.113.5 on port 4444 (outbound) established.
```
Question 78 (easy, multiple choice)
Read the full Protection of Information Assets explanation →

A financial institution is deploying a data loss prevention (DLP) solution. Which of the following is the MOST important prerequisite to ensure the DLP can effectively detect sensitive data?

Question 79 (easy, multiple choice)
Read the full Protection of Information Assets explanation →

A company requires employees to use smart cards for facility access. Which additional control would BEST prevent tailgating?

Question 80 (medium, multiple choice)
Read the full Protection of Information Assets explanation →

An organization is migrating sensitive customer data to a public cloud. Which of the following encryption strategies provides the STRONGEST protection against data exposure to the cloud provider?

Question 81 (easy, multiple choice)
Read the full Protection of Information Assets explanation →

During a security audit, it was found that users in the finance department have unnecessary access to HR payroll data. Which access control principle has been violated?

Question 82 (medium, multiple choice)
Read the full Protection of Information Assets explanation →

An organization experiences a ransomware attack that encrypts critical files. Which of the following is the BEST recovery strategy to minimize data loss?

Question 83 (hard, multiple choice)
Read the full Protection of Information Assets explanation →

A company uses role-based access control (RBAC). An employee moves from one department to another but retains some previous access due to overlapping role permissions. This condition is known as:

Question 84 (hard, multiple choice)
Read the full Protection of Information Assets explanation →

An organization is implementing a data retention policy for personally identifiable information (PII) to comply with GDPR. Which of the following is the MOST appropriate approach?

Question 85 (hard, multiple choice)
Read the full Protection of Information Assets explanation →

An organization is evaluating a cloud-based identity as a service (IDaaS) for single sign-on (SSO). Which of the following security concerns is MOST critical to address?

Question 86 (easy, multiple choice)
Read the full Protection of Information Assets explanation →

Which of the following is the PRIMARY purpose of conducting a penetration test?

Question 87 (medium, multiple choice)
Read the full Protection of Information Assets explanation →

Refer to the exhibit. Which of the following services is accessible from the internet to host 10.1.1.100?

Exhibit

```
access-list 100 permit tcp any host 10.1.1.100 eq 443
access-list 100 permit tcp any host 10.1.1.100 eq 22
access-list 100 deny ip any any
```
Question 88 (medium, multiple choice)
Read the full Protection of Information Assets explanation →

Refer to the exhibit. Which of the following statements is TRUE regarding this S3 bucket policy?

Exhibit

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::confidential-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "true"
        }
      }
    }
  ]
}
```
Question 89 (hard, multiple choice)
Read the full Protection of Information Assets explanation →

Refer to the exhibit. This log entry MOST likely indicates:

Exhibit

Event 4648: A logon was attempted using explicit credentials.
Subject: Account Name: svc_backup
Target Account: KORP\administrator
Target Server: FILESRV01
Process Name: C:\Windows\System32\wbem\wmiprvse.exe
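Event 4648 on its own is noisy: any runas, scheduled task or service logon produces one. What makes the exhibit worth an alert is the combination of fields: a service account supplying the credentials of a built-in administrator, on a remote server, from the WMI provider host. The following added example (not code from the page or from Microsoft) parses records in the exhibit's field layout and scores each one on those independent signals. The two benign records, the privileged-account list, the service-account naming convention and the remote-execution process list are assumptions for the demonstration; real 4648 events carry more fields than shown here.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed log extract: the exhibit record above plus two benign records written
# in the same field layout.
SAMPLE_LOG = r"""
Event 4648: A logon was attempted using explicit credentials.
Subject: Account Name: svc_backup
Target Account: KORP\administrator
Target Server: FILESRV01
Process Name: C:\Windows\System32\wbem\wmiprvse.exe

Event 4648: A logon was attempted using explicit credentials.
Subject: Account Name: jdoe
Target Account: KORP\jdoe-adm
Target Server: localhost
Process Name: C:\Windows\System32\runas.exe

Event 4648: A logon was attempted using explicit credentials.
Subject: Account Name: svc_backup
Target Account: KORP\svc_backup
Target Server: BACKUP01
Process Name: C:\Program Files\BackupAgent\agent.exe
"""

RECORD_RE = re.compile(
    r"Event 4648:.*?Account Name:\s*(?P<subject>\S+).*?"
    r"Target Account:\s*(?P<target>\S+).*?"
    r"Target Server:\s*(?P<server>\S+).*?"
    r"Process Name:\s*(?P<proc>[^\n]+)",
    re.S,
)

PRIVILEGED_ACCOUNTS = {"administrator"}                 # assumed list of high-value targets
SERVICE_ACCOUNT_PREFIXES = ("svc_", "svc-")             # assumed naming convention
# Processes that typically carry explicit credentials during remote execution.
REMOTE_EXEC_PROCESSES = {"wmiprvse.exe", "wmic.exe", "psexec.exe", "wsmprovhost.exe"}


@dataclass
class Logon4648:
    subject: str
    target: str
    server: str
    proc: str


def parse_4648(text: str) -> List[Logon4648]:
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        m = RECORD_RE.search(chunk)
        if m:
            records.append(Logon4648(**m.groupdict()))
    return records


def reasons(rec: Logon4648) -> List[str]:
    """Independent signals; each one alone is common, the combination is not."""
    out = []
    target_user = rec.target.split("\\")[-1].lower()
    if target_user in PRIVILEGED_ACCOUNTS:
        out.append("target account is privileged")
    if rec.subject.lower().startswith(SERVICE_ACCOUNT_PREFIXES):
        out.append("subject is a service account")
    if ntpath.basename(rec.proc).lower() in REMOTE_EXEC_PROCESSES:
        out.append("credentials supplied by a remote-execution process")
    if rec.server.lower() not in ("localhost", "-"):
        out.append("target server is remote")
    return out


def detect(text: str, min_signals: int = 3) -> List[Tuple[Logon4648, List[str]]]:
    """Flag explicit-credential logons that combine at least min_signals of the signals above."""
    hits = []
    for rec in parse_4648(text):
        r = reasons(rec)
        if len(r) >= min_signals:
            hits.append((rec, r))
    return hits


if __name__ == "__main__":
    for rec, why in detect(SAMPLE_LOG):
        print(rec.subject, "->", rec.target, "on", rec.server, ":", "; ".join(why))
```

The threshold of three signals is a tuning choice: the third record (a service account logging on remotely as itself) scores two and stays quiet, while the exhibit scores all four.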
Question 90 (medium, multi select)
Read the full Protection of Information Assets explanation →

Which TWO of the following are physical security controls to prevent unauthorized access to a data center?

Question 91 (easy, multi select)
Read the full Protection of Information Assets explanation →

Which TWO of the following are examples of administrative controls for information security?

Question 92 (hard, multi select)
Read the full Protection of Information Assets explanation →

Which THREE of the following are essential components of a data classification program?

Question 93 (easy, multiple choice)
Read the full Protection of Information Assets explanation →

A small business wants to protect customer data collected through its e-commerce website. Which control is most appropriate for protecting the data at rest and in transit?

Question 94 (medium, multiple choice)
Read the full Protection of Information Assets explanation →

After a security incident, an organization discovers that an employee accessed sensitive files without authorization. Which of the following is the most effective preventive control to reduce the risk of such unauthorized access?

Question 95 (hard, multiple choice)
Read the full Protection of Information Assets explanation →

A multinational company must comply with GDPR and local data protection laws when transferring personal data from the EU to a subsidiary in the US. Which transfer mechanism is most commonly accepted as providing adequate protection?

Question 96 (easy, multiple choice)
Read the full Protection of Information Assets explanation →

An organization has a policy requiring strong passwords. Which additional control is most effective at preventing credential stuffing attacks?

Question 97 (medium, multiple choice)
Read the full Protection of Information Assets explanation →

A company is migrating its applications to a public IaaS cloud. What is the primary concern for protecting data in this environment?

Question 98 (hard, multiple choice)
Read the full Protection of Information Assets explanation →

During an information systems audit, the IS auditor finds that data classification labels are not consistently applied across the organization. What is the most likely root cause of this issue?

Question 99 (easy, multiple choice)
Read the full Protection of Information Assets explanation →

Which physical security control is most effective for preventing unauthorized individuals from tailgating into a data center?

Question 100 (medium, multiple choice)
Read the full Protection of Information Assets explanation →

An organization uses role-based access control (RBAC) for its enterprise resource planning (ERP) system. What is the greatest risk if user role assignments are not reviewed regularly?

Question 101 (hard, multiple choice)
Read the full Protection of Information Assets explanation →

A company's endpoint protection solution alerts on a file that is digitally signed by a trusted software vendor but exhibits malicious behavior on execution. What type of threat does this scenario most likely depict?

Question 102 (easy, multi select)
Read the full Protection of Information Assets explanation →

Which TWO of the following are primary objectives of information classification? (Choose two.)

Question 103 (medium, multi select)
Read the full Protection of Information Assets explanation →

Which TWO of the following are examples of detective controls? (Choose two.)

Question 104 (hard, multi select)
Read the full Protection of Information Assets explanation →

Which THREE are core components of a comprehensive identity and access management (IAM) system? (Choose three.)

Question 105 (medium, multiple choice)
Read the full Protection of Information Assets explanation →

Refer to the exhibit. The IAM policy is intended to allow only requests originating from account 123456789012 to perform any S3 actions. Why does the policy NOT achieve this objective?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "123456789012"
        }
      }
    }
  ]
}
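Both policy exhibits on this page (Question 88 and this one) fail for reasons that a condition block cannot repair. In the bucket policy, Principal "*" grants anonymous access and aws:SecureTransport only forces TLS; it says nothing about who the caller is, so the objects are world-readable over HTTPS. In the identity policy, aws:SourceAccount is populated only when an AWS service makes a request on behalf of a resource in that account; a user or role calling S3 directly carries no such key, and a condition on a missing key never matches. The key that names the caller's own account is aws:PrincipalAccount. The following added example (not code from the page or from AWS) lints both policies for these two patterns and evaluates the conditions against constructed request contexts with a deliberately simplified model of StringEquals and Bool; the finding codes, context dictionaries and function names are assumptions, and the evaluator ignores Deny statements, resource matching and the many other condition operators.

```python
import json
from typing import Dict, List

# Constructed copies of the two exhibit policies on this page (Question 88 and Question 105).
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::confidential-bucket/*",
      "Condition": {"Bool": {"aws:SecureTransport": "true"}}
    }
  ]
}
""")

IDENTITY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {"StringEquals": {"aws:SourceAccount": "123456789012"}}
    }
  ]
}
""")


def _statements(policy) -> List[dict]:
    s = policy["Statement"]
    return s if isinstance(s, list) else [s]


def _condition_keys(stmt) -> set:
    """IAM condition keys are case-insensitive, so compare them lowercased."""
    return {k.lower() for op in stmt.get("Condition", {}).values() for k in op}


def _is_anonymous(principal) -> bool:
    if principal == "*":
        return True
    return isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"])


def lint_policy(policy) -> List[str]:
    """Return a sorted list of finding codes for the Allow statements in a policy."""
    findings = set()
    for stmt in _statements(policy):
        if stmt.get("Effect") != "Allow":
            continue
        keys = _condition_keys(stmt)
        # Principal "*" with no condition other than SecureTransport is still public:
        # the condition constrains the transport, not the identity.
        if _is_anonymous(stmt.get("Principal")) and keys <= {"aws:securetransport"}:
            findings.add("public-access")
        # aws:SourceAccount only exists on service-to-service requests; a direct caller
        # is identified by aws:PrincipalAccount.
        if "aws:sourceaccount" in keys and "aws:principalaccount" not in keys:
            findings.add("sourceaccount-instead-of-principalaccount")
    return sorted(findings)


def condition_matches(stmt, request_ctx: Dict[str, str]) -> bool:
    """Evaluate StringEquals and Bool conditions the way IAM does for those operators.

    request_ctx maps condition-key names to the values present in the request.
    A key that is absent from the request context never satisfies StringEquals/Bool.
    """
    ctx = {k.lower(): str(v) for k, v in request_ctx.items()}
    for op, kv in stmt.get("Condition", {}).items():
        for key, wanted in kv.items():
            have = ctx.get(key.lower())
            if have is None:
                return False
            wanted = wanted if isinstance(wanted, list) else [wanted]
            if op == "StringEquals" and have not in [str(w) for w in wanted]:
                return False
            if op == "Bool" and have.lower() != str(wanted[0]).lower():
                return False
    return True


# Constructed request contexts: a direct API call from a role in the intended account,
# a call made by an AWS service on behalf of a resource in that account, and an
# anonymous plain-HTTP GET against the bucket.
DIRECT_CALL = {"aws:PrincipalAccount": "123456789012", "aws:SecureTransport": "true"}
SERVICE_CALL = {"aws:SourceAccount": "123456789012", "aws:SecureTransport": "true"}
ANONYMOUS_HTTP = {"aws:SecureTransport": "false"}

if __name__ == "__main__":
    print(lint_policy(BUCKET_POLICY), lint_policy(IDENTITY_POLICY))
    print(condition_matches(IDENTITY_POLICY["Statement"][0], DIRECT_CALL))   # False
```

Even with the key corrected, an identity-based policy only ever applies to the identity it is attached to, so "only account 123456789012 may call S3" is a statement for a resource policy or a service control policy, not for a permission attached to a user or role.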
Question 106 (easy, multiple choice)
Read the full Protection of Information Assets explanation →

Refer to the exhibit. An auditor finds that the file 'sensitive.txt' has world-writable permissions. Which of the following is the most appropriate remediation action?

Exhibit

-rw-rw-rw- 1 root root 1024 Jan 1 12:00 sensitive.txt
Question 107 (hard, multiple choice)
Read the full Protection of Information Assets explanation →

An organization has recently implemented a cloud-based identity provider (IdP) for single sign-on (SSO) across all SaaS applications. Users authenticate using their corporate credentials via SAML 2.0. After a week, the IT security team notices a significant increase in failed login attempts from various IP addresses targeting a specific user account. The helpdesk reports that the user, a senior executive, has not complained about any issues. The security team investigates and finds that the account lockout policy is set to 5 failed attempts within 15 minutes, after which the account is locked for 30 minutes. The failed attempts are occurring in bursts of 4, then stopping, then resuming from different IPs. The organization uses conditional access policies that require MFA from unknown locations. However, the failed attempts appear to be stopped at the authentication prompt and never reach the MFA stage. What is the most likely explanation and the best course of action?
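The scenario describes a lockout-aware attack: bursts of four failures sit one below the threshold of five, the source address changes between bursts, and because the password never succeeds the conditional-access MFA step is never reached. A per-source lockout counter is blind to this by design. The following added example (not code from the page or from any IdP vendor) models the configured lockout logic against a constructed sign-in log and shows it stays silent, then aggregates failures per account across all source addresses over a window longer than the lockout window, which is where the pattern becomes visible. The log lines, the two-hour detection window and the alert fields are assumptions for the demonstration; source addresses come from the RFC 5737 documentation ranges.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed IdP sign-in log: "timestamp,user,source_ip,result". The executive account
# receives bursts of four failures, each burst from a new address, spaced well apart;
# jdoe is an ordinary user who mistypes a password once.
SAMPLE_SIGNIN_LOG = """
2024-05-02T08:00:05Z,ceo@example.com,198.51.100.7,failure
2024-05-02T08:00:09Z,ceo@example.com,198.51.100.7,failure
2024-05-02T08:00:14Z,ceo@example.com,198.51.100.7,failure
2024-05-02T08:00:19Z,ceo@example.com,198.51.100.7,failure
2024-05-02T08:10:00Z,jdoe@example.com,192.0.2.10,failure
2024-05-02T08:10:21Z,jdoe@example.com,192.0.2.10,success
2024-05-02T08:31:02Z,ceo@example.com,203.0.113.21,failure
2024-05-02T08:31:07Z,ceo@example.com,203.0.113.21,failure
2024-05-02T08:31:11Z,ceo@example.com,203.0.113.21,failure
2024-05-02T08:31:16Z,ceo@example.com,203.0.113.21,failure
2024-05-02T09:02:40Z,ceo@example.com,192.0.2.99,failure
2024-05-02T09:02:45Z,ceo@example.com,192.0.2.99,failure
2024-05-02T09:02:50Z,ceo@example.com,192.0.2.99,failure
2024-05-02T09:02:55Z,ceo@example.com,192.0.2.99,failure
"""

LOCKOUT_THRESHOLD = 5                      # from the scenario
LOCKOUT_WINDOW = timedelta(minutes=15)     # from the scenario
DETECTION_WINDOW = timedelta(hours=2)      # assumed: deliberately longer than the lockout window


def parse_log(text: str) -> List[Tuple[datetime, str, str, str]]:
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, result = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return sorted(events)


def _failures_by(events, key):
    """Group failure events by key(user, ip); each group is a time-ordered list of (ts, ip)."""
    groups: Dict = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "failure":
            groups[key(user, ip)].append((ts, ip))
    return groups


def lockout_hits(events) -> List[Tuple[str, str]]:
    """(user, ip) pairs that would trip the lockout policy as configured: N failures from
    one source inside the lockout window. This models the control the attacker is evading."""
    hits = []
    for (user, ip), fails in _failures_by(events, lambda u, i: (u, i)).items():
        times = [t for t, _ in fails]
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= LOCKOUT_WINDOW) >= LOCKOUT_THRESHOLD:
                hits.append((user, ip))
                break
    return hits


def low_and_slow_alerts(events) -> List[dict]:
    """Per-account failures over a long window, counted across *all* source addresses.

    Alerts when the total reaches the lockout threshold from at least two sources,
    i.e. the pattern the per-source lockout counter cannot see."""
    alerts = []
    for user, fails in _failures_by(events, lambda u, i: u).items():
        for i, (start, _) in enumerate(fails):
            window = [(t, ip) for t, ip in fails[i:] if t - start <= DETECTION_WINDOW]
            ips = {ip for _, ip in window}
            if len(window) >= LOCKOUT_THRESHOLD and len(ips) >= 2:
                alerts.append({"user": user, "failures": len(window),
                               "distinct_ips": len(ips), "first": start, "last": window[-1][0]})
                break
    return alerts


if __name__ == "__main__":
    ev = parse_log(SAMPLE_SIGNIN_LOG)
    print("lockout would fire for:", lockout_hits(ev))          # []
    print("low-and-slow alerts:", low_and_slow_alerts(ev))
```

The lockout check never fires because no single source reaches five failures inside fifteen minutes, while the per-account view sees twelve failures from three addresses inside an hour against one high-value user. Which response is "best" is the question's to answer; the point of the example is that the signal exists only in the IdP's authentication log, since nothing ever reaches the MFA stage.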

Question 108 (medium, multiple choice)
Read the full Protection of Information Assets explanation →

An organization is implementing a data classification policy and needs to assign ownership for sensitive data. Which of the following is the most appropriate role to assign as the data owner?

Question 109 (hard, multiple choice)
Read the full Protection of Information Assets explanation →

A multinational corporation is deploying a data loss prevention (DLP) solution across its network. The DLP system must be configured to prevent the exfiltration of personally identifiable information (PII) while minimizing false positives. Which approach is most effective?

Question 110 (easy, multiple choice)
Read the full Protection of Information Assets explanation →

An organization's mobile device management (MDM) policy requires that all corporate data on employee-owned smartphones be protected. Which control best ensures that corporate data can be remotely wiped without affecting personal data?

Question 111 (medium, multiple choice)
Read the full Protection of Information Assets explanation →

During a security audit, it is discovered that a database containing customer credit card numbers is not encrypted at rest. The database is used by a legacy application that cannot be modified. Which compensating control most effectively reduces the risk?

Question 112 (hard, multiple choice)
Read the full Protection of Information Assets explanation →

An organization stores sensitive research data in a cloud storage service. The data must be encrypted at rest and in transit, and the organization wants to maintain control over encryption keys. Which solution best meets these requirements?

Question 113 (medium, multi select)
Read the full Protection of Information Assets explanation →

Which TWO controls are most effective for protecting data at rest on a database server? (Choose two.)

Question 114 (easy, multi select)
Read the full Protection of Information Assets explanation →

Which TWO are primary criteria for classifying information assets within an organization? (Choose two.)

Question 115 (hard, multi select)
Read the full Protection of Information Assets explanation →

Which THREE are indicators of a possible data exfiltration attempt via the network? (Choose three.)

Question 116 (hard, multiple choice)
Read the full Protection of Information Assets explanation →

A financial services organization recently experienced a data breach where customer financial records were exfiltrated. The investigation reveals that an attacker gained access through a compromised privileged account belonging to a database administrator. The attacker used valid credentials to log into the database server and then exported a large volume of data using native database tools. The security team notes that the organization has multi-factor authentication (MFA) enabled for all remote access, but the database server was accessed from an internal IP address. The organization also has a data loss prevention (DLP) system, but it did not alert on the export because the traffic was encrypted. The database activity monitoring (DAM) system did log the export, but alerts were not reviewed due to high volume and many false positives. Which of the following would have been most effective in preventing this breach?

Question 117 (medium, multiple choice)
Read the full Protection of Information Assets explanation →

A healthcare organization is required to comply with HIPAA regulations for protecting electronic protected health information (ePHI). The organization uses a cloud-based electronic health record (EHR) system. During a compliance audit, it is discovered that some employees are accessing patient records without a legitimate business need. The EHR system logs all access, but there is no automated process to review logs or detect anomalous behavior. The organization has implemented role-based access control (RBAC) and requires strong passwords, but unauthorized access continues. The IT manager proposes implementing a security information and event management (SIEM) system to collect and correlate logs. However, the budget is limited. Which additional control would be most cost-effective to reduce unauthorized access to patient records?

Question 118 (easy, multiple choice)
Read the full Protection of Information Assets explanation →

A small manufacturing company uses a network-attached storage (NAS) device to store design files, financial records, and employee data. The NAS is backed up weekly to an external hard drive that is stored in the same office. The company has no encryption on the NAS or the backup drive. One weekend, the office is burglarized, and both the NAS and the backup drive are stolen. The company had no remote backup. Which of the following would have best protected the data in this scenario?

Question 119 (medium, multiple choice)
Read the full Protection of Information Assets explanation →

An e-commerce company stores customer payment card data in a tokenized database. The tokenization system replaces credit card numbers with tokens, and the actual card numbers are stored in a separate, highly restricted vault. The company is audited for Payment Card Industry Data Security Standard (PCI DSS) compliance. During the audit, it is discovered that the tokenization system sometimes fails due to high load, causing the application to fall back to storing actual card numbers temporarily. This fallback mechanism was not documented or approved. The company also uses the same encryption key for the vault as for other non-sensitive data. The auditor identifies several non-compliances. Which of the following should the company prioritize to remediate?

Question 120 (hard, multiple choice)
Read the full Protection of Information Assets explanation →

A multinational corporation's data center in the European Union (EU) stores personal data of EU citizens. The company must comply with the General Data Protection Regulation (GDPR), which requires that personal data be protected and that data subjects have the right to erasure ('right to be forgotten'). The company's IT team uses a centralized identity management system that stores user credentials and personal data in an active directory (AD) forest. The AD forest is replicated across multiple data centers worldwide, including a non-EU country. The data protection officer (DPO) is concerned that personal data might be inadvertently replicated to jurisdictions without adequate protection. Which of the following is the most effective way to address this concern?

Question 121 (easy, multiple choice)
Read the full Protection of Information Assets explanation →

A university's research department stores sensitive research data on a file server that is shared among faculty and graduate students. The server is accessible from the campus network and via VPN for remote access. Recently, a student downloaded a large dataset containing personally identifiable information (PII) of research subjects to a personal laptop. The laptop was later stolen. The university's incident response team determines that the student had legitimate access to the data for research purposes. Which control would have most effectively prevented the data exposure?

Question 122 (medium, multiple choice)
Read the full Protection of Information Assets explanation →

A software development company uses a cloud-based source code repository (e.g., GitHub) to store proprietary code. The company has two-factor authentication (2FA) enabled for all accounts. A developer's personal computer was infected with malware that stole the developer's session cookies and local credentials. The attacker used the stolen session to access the code repository and exfiltrated the entire codebase. The company's security team reviews the incident and notes that the repository has audit logging, but the logs were not monitored in real time. The team wants to implement additional controls to prevent a similar incident. Which control would have been most effective in preventing the exfiltration?

Question 123 (medium, multiple choice)
Read the full Protection of Information Assets explanation →

You are an information security manager for a global financial services company. The organization maintains a hybrid infrastructure with critical customer data stored on an on-premises Oracle database server (DB-SRV-01) and in an AWS S3 bucket (customer-data-prod). At 10:00 AM, the security operations center (SOC) alerts you to an anomalous outbound data transfer from DB-SRV-01 to an unknown IP address in a high-risk country. The transfer started at 9:45 AM and involves 500 MB of data, likely including personally identifiable information (PII). The SOC has already quarantined the server's network egress by blocking all outbound traffic from DB-SRV-01, but the server remains connected to the internal production network. Meanwhile, a separate analysis indicates that the S3 bucket has been accessed via an IAM key that was stolen from a compromised developer workstation three days ago. The key has not been rotated. The incident response team is preparing to act. The primary objective is to protect information assets and minimize data exposure. Given this scenario, which of the following actions should the team take FIRST?
