CCNA Protection of Information Assets Questions

48 of 123 questions · Page 2/2 · Protection of Information Assets

76
MCQ · hard

A security architect is designing a data classification schema for a multinational corporation. Which combination of factors is MOST critical for determining the classification level of a data asset?

A. Data volume and storage location.
B. Data format and encryption status.
C. Data creation date and last access time.
D. Legal, regulatory, and business impact if disclosed.
Answer: D

These are the core factors in determining classification.

Why this answer

The classification level of a data asset is primarily determined by the potential harm that could result from its unauthorized disclosure, modification, or loss. Legal, regulatory, and business impact factors—such as compliance with GDPR, HIPAA, or PCI DSS—directly dictate the required confidentiality, integrity, and availability controls. Without assessing these impacts, any classification scheme would be arbitrary and fail to align with organizational risk tolerance.

Exam trap

ISACA often tests the misconception that technical attributes (like encryption or storage location) determine classification, when in reality classification is a business-driven risk decision based on the impact of disclosure.

How to eliminate wrong answers

Option A is wrong because data volume and storage location influence operational decisions (e.g., replication, latency) but do not define the sensitivity or criticality of the data itself; a single record of PII can be far more sensitive than terabytes of public data. Option B is wrong because data format and encryption status are technical controls applied after classification, not criteria for determining the classification level; encryption status can change without altering the inherent sensitivity of the data. Option C is wrong because creation date and last access time are metadata useful for lifecycle management (e.g., retention policies) but irrelevant to the intrinsic value or risk of the data asset.

77
Multi-Select · hard

Which TWO of the following are the MOST effective controls to prevent unauthorized access to a data center's server room? (Choose two.)

Select 2 answers
A. Server rack locks
B. Mantrap entry
C. CCTV monitoring
D. Visitor logbook
E. Biometric authentication on door
Answers: B, E

Mantrap prevents tailgating and unauthorized entry.

Why this answer

Options B and E are correct because mantrap entry and biometric authentication on the door are preventive physical controls. Option C is incorrect because CCTV monitoring is a detective control. Option D is incorrect because a visitor logbook is an administrative control.

Option A is incorrect because rack locks are secondary to room access: they protect equipment inside a room the person has already entered.

78
MCQ · medium

After a security incident, an organization discovers that an employee accessed sensitive files without authorization. Which of the following is the most effective preventive control to reduce the risk of such unauthorized access?

A. Deploying a data loss prevention (DLP) solution.
B. Implementing background checks on all employees.
C. Conducting regular access reviews and recertification.
D. Enforcing strong password policies.
Answer: C

Access reviews help identify and revoke unnecessary permissions, directly reducing the risk of unauthorized access.

Why this answer

Regular access reviews and recertification (Option C) are the most effective preventive control because they ensure that user permissions are periodically validated against current job roles and business needs. By systematically revoking excessive or outdated entitlements, this process directly reduces the attack surface for unauthorized access, addressing the root cause of privilege creep rather than merely detecting or deterring misuse.

Exam trap

The trap here is that candidates often confuse preventive controls with detective or deterrent controls, selecting DLP (a detective/corrective control) or strong passwords (an authentication control) instead of recognizing that access recertification directly prevents unauthorized access by removing excessive permissions before they can be exploited.

How to eliminate wrong answers

Option A is wrong because a Data Loss Prevention (DLP) solution is primarily a detective and corrective control that monitors and blocks data exfiltration after access has occurred; it does not prevent the initial unauthorized access to sensitive files. Option B is wrong because background checks are a pre-employment screening control that assesses trustworthiness but do not prevent an already-hired employee from subsequently accessing files without authorization. Option D is wrong because enforcing strong password policies only strengthens authentication at the point of login; it does not prevent an authorized user from abusing their legitimate credentials to access files they should not see, which is the core issue in this scenario.

79
Multi-Select · medium

Which TWO of the following are physical security controls to prevent unauthorized access to a data center?

Select 2 answers
A. Uninterruptible power supply
B. Cable locks
C. Mantrap
D. Biometric readers
E. Fire suppression system
Answers: C, D

Mantraps prevent tailgating and unauthorized entry.

Why this answer

Mantraps and biometric readers are physical access controls. Fire suppression and UPS are environmental controls. Cable locks secure equipment but do not prevent entry to the data center.

80
MCQ · hard

A healthcare organization has implemented a data classification policy with three levels: Public, Internal, and Restricted. The IT department recently received a report of a potential data breach. An internal auditor discovered that a database containing Protected Health Information (PHI) classified as Restricted was accessible via a web application that did not enforce encryption in transit. The web application uses HTTPS, but the auditor found that the connection was downgraded to HTTP due to a misconfiguration in the load balancer. Additionally, the database logs show that an external IP address queried the database for thousands of patient records over a two-hour period. The database was configured to allow only specific internal application servers, but the firewall rule was incorrectly set to allow connections from any IP address. The security team needs to determine the most effective immediate action to prevent further unauthorized access and protect the data. Which course of action should the security team take FIRST?

A. Correct the firewall rule to restrict database access to only the application servers.
B. Redesign the network architecture to place the database in a separate subnet.
C. Block the external IP address at the network perimeter.
D. Apply a security patch to the web application to enforce HTTPS.
Answer: A

Directly addresses the misconfiguration that allowed exposure.

Why this answer

The firewall rule is the root cause of the unauthorized access — it allowed connections from any IP address, directly enabling the external attacker to query the database. Correcting this rule immediately cuts off all external access to the database, stopping the ongoing breach at the network layer. This is the most effective immediate action because it addresses the misconfiguration that allowed the attack to succeed, regardless of the encryption or web application issues.

Exam trap

The trap here is that candidates focus on the encryption downgrade (HTTPS to HTTP) or the external IP address, but the core vulnerability is the misconfigured firewall rule that allows any IP to access the database directly — a classic 'defense in depth' failure where the network layer control was missing.

How to eliminate wrong answers

Option B is wrong because redesigning the network architecture (e.g., placing the database in a separate subnet) is a longer-term security improvement, not an immediate action to stop the current unauthorized access. Option C is wrong because blocking the external IP address is a reactive, temporary measure — the attacker can easily change IP addresses, and it does not fix the underlying misconfigured firewall rule that allows any IP to connect. Option D is wrong because applying a security patch to enforce HTTPS would prevent future downgrade attacks but does not address the fact that the database is already exposed to any IP address; the attacker can still query the database directly without using the web application.

81
MCQ · hard

An organization uses a third-party cloud service for data storage. Which of the following is the BEST way to ensure data confidentiality in the event of a cloud provider breach?

A. Rely on the cloud provider's encryption at rest
B. Use TLS for data in transit
C. Implement client-side encryption before uploading data
D. Deploy a cloud access security broker (CASB) with DLP
Answer: C

Client-side encryption ensures only the organization controls keys.

Why this answer

Client-side encryption ensures that data is encrypted before it leaves the organization's control, so the cloud provider never has access to the plaintext or the encryption keys. In the event of a provider breach, the encrypted data remains confidential because only the organization holds the keys to decrypt it. This is the only option that guarantees confidentiality regardless of the cloud provider's security posture.

Exam trap

ISACA often tests the distinction between encryption at rest (provider-managed) and client-side encryption, where candidates mistakenly assume that any encryption at rest is sufficient to protect against a provider breach.

How to eliminate wrong answers

Option A is wrong because relying on the cloud provider's encryption at rest means the provider manages the encryption keys; if the provider is breached, an attacker could potentially access those keys or the decrypted data. Option B is wrong because TLS protects data only while it is in transit between the client and the cloud; once the data reaches the cloud storage, it is no longer protected by TLS and would be exposed in a breach. Option D is wrong because a CASB with DLP can monitor and enforce policies but does not encrypt the data itself; if the cloud provider is breached, the stored data (even if monitored) remains in plaintext or provider-managed encrypted form and could be accessed by the attacker.

82
MCQ · easy

A company requires employees to use smart cards for facility access. Which additional control would BEST prevent tailgating?

A. Require biometric authentication
B. Use keypad locks on doors
C. Conduct random audits of access logs
D. Install mantraps at entry points
Answer: D

Mantraps create a physical barrier that allows only one authenticated person to enter at a time, preventing tailgating.

Why this answer

Mantraps prevent tailgating by allowing only one person through per authentication. Biometrics address identity, not tailgating. Random audits of access logs are detective, not preventive. Keypad locks authenticate a code at the door but do nothing to stop a second person following through the open door.

83
Multi-Select · medium

Which TWO of the following are examples of detective controls? (Choose two.)

Select 2 answers
A. Firewall rules that block unauthorized traffic.
B. Regular review of security incident logs.
C. Intrusion detection system (IDS) alerts.
D. Encryption of sensitive data at rest.
E. Access control lists (ACLs) on network devices.
Answers: B, C

Log review is a detective control that identifies past events.

Why this answer

Review of security incident logs (B) and intrusion detection system (IDS) alerts (C) are detective controls that identify events after they occur. Firewall rules, encryption at rest, and ACLs (A, D, E) are preventive controls that block or protect rather than detect.

84
MCQ · medium

An e-commerce company stores customer payment card data in a tokenized database. The tokenization system replaces credit card numbers with tokens, and the actual card numbers are stored in a separate, highly restricted vault. The company is audited for Payment Card Industry Data Security Standard (PCI DSS) compliance. During the audit, it is discovered that the tokenization system sometimes fails due to high load, causing the application to fall back to storing actual card numbers temporarily. This fallback mechanism was not documented or approved. The company also uses the same encryption key for the vault as for other non-sensitive data. The auditor identifies several non-compliances. Which of the following should the company prioritize to remediate?

A. Replace the tokenization system with end-to-end encryption
B. Remove the fallback mechanism and ensure the tokenization system has appropriate redundancy
C. Use a separate encryption key for the vault
D. Increase the capacity of the tokenization server to handle peak loads
Answer: B

Eliminating the fallback prevents storage of raw card numbers.

Why this answer

Option B is correct because the undocumented fallback directly exposes cardholder data, violating the PCI DSS requirement to protect stored card data; removing it, and giving the tokenization system the redundancy it needs so the fallback is never triggered, eliminates that risk. Option A is important but not as immediate.

Option D (increasing server capacity) addresses a performance problem, not the control failure. Option C (key separation) is also critical, but the fallback is a direct data exposure.

85
MCQ · hard

You are an IS auditor reviewing the remote access configuration for a medium-sized enterprise. The company uses a VPN concentrator to allow employees to connect from home. The VPN is configured with IPsec using pre-shared keys (PSK) and requires no multi-factor authentication. Employees use company-issued laptops with full disk encryption. The VPN logs show that connections are coming from a wide range of IP addresses, including some from countries where the company has no business operations. The IT manager argues that the PSK is changed monthly and that full disk encryption mitigates any risk. However, during the audit, you find that the PSK is stored in a shared document on an internal file server accessible to all employees. Additionally, the VPN concentrator uses a single PSK for all users. Which of the following is the MOST critical finding?

A. The PSK is changed monthly, but the change interval is too long
B. The VPN uses a single pre-shared key for all users, increasing the risk of widespread compromise
C. Full disk encryption on laptops is not sufficient to protect VPN credentials
D. VPN connections from unexpected countries indicate possible unauthorized access
Answer: B

Single PSK creates a single point of failure.

Why this answer

The use of a single pre-shared key (PSK) for all VPN users is the most critical finding because it creates a single point of failure: if that key is compromised, an attacker can impersonate any authorized user and gain full network access. The fact that the PSK is stored in a shared document accessible to all employees dramatically increases the likelihood of exposure, and changing it monthly does not remediate the fundamental lack of user-level authentication. Without per-user credentials or multi-factor authentication, the VPN concentrator cannot distinguish between legitimate employees and an attacker who possesses the shared key.

Exam trap

The trap here is that candidates focus on the visible symptom (unexpected IP addresses) or the partial control (monthly PSK rotation) rather than recognizing that a single shared secret for all users is a fundamental architectural flaw that undermines all other controls.

How to eliminate wrong answers

Option A is wrong because the monthly PSK change interval is not the core issue; even a daily change would not fix the lack of per-user authentication and the risk of a single shared secret being exposed. Option C is wrong because full disk encryption protects data at rest on the laptop, but it does not protect the PSK when it is stored in a shared document on a file server or when it is transmitted or used during VPN authentication. Option D is wrong because, while connections from unexpected countries are suspicious and warrant investigation, they are not as critical as the fundamental authentication weakness; the single PSK means that any external attacker who obtains the key can connect from anywhere, making the geographic anomaly a symptom rather than the root cause.

86
MCQ · medium

An organization has the S3 bucket policy shown. Which of the following is the MOST likely intent of this policy?

A. Prevent deletion of objects from the bucket over unencrypted connections.
B. Prevent all deletion of objects from the bucket.
C. Prevent access to the bucket over HTTP.
D. Allow deletion only over HTTPS.
Answer: A

The policy denies s3:DeleteObject when SecureTransport is false.

Why this answer

Option A is correct because the policy denies DeleteObject when the request is not over HTTPS (SecureTransport false), thereby blocking deletion over HTTP but allowing deletion over HTTPS. Option B is incorrect because deletion over HTTPS is still allowed. Option C is incorrect because other actions like read are not restricted.

Option D is incorrect because it does not specifically allow deletion only over HTTPS; it denies over HTTP, so deletion over HTTPS is allowed implicitly.
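The policy itself is not reproduced above, so the following is an added illustration (not the page's exhibit): a constructed bucket policy containing the single Deny statement the explanation describes, and a simplified evaluator that shows which requests it affects. The bucket name, the statement Sid and the evaluator are this example's own assumptions.

```python
import fnmatch
import json

# Constructed policy matching the behaviour described in the question:
# deny s3:DeleteObject unless the request arrives over TLS. It is an
# illustration, not the exhibit from the original page.
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnencryptedDelete",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:DeleteObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    }
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM-style wildcard match ('*' and '?')."""
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, context):
    """Evaluate the Bool operator, which is the only one this policy uses.
    A context key that is absent never matches, as in IAM."""
    for operator, clauses in condition.items():
        if operator != "Bool":
            raise NotImplementedError(operator)
        for key, expected in clauses.items():
            actual = str(context.get(key, "")).lower()
            if actual != str(expected).lower():
                return False
    return True


def evaluate(policy, action, resource, context, identity_allows=True):
    """Simplified IAM logic: an applicable explicit Deny always wins; otherwise
    the request is allowed if the bucket policy or (assumed) identity policy
    allows it. identity_allows models the caller's own IAM permissions."""
    explicit_allow = False
    for stmt in policy["Statement"]:
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        explicit_allow = True
    return "Allow" if (explicit_allow or identity_allows) else "Deny"


def check_options(policy, key="arn:aws:s3:::example-bucket/report.csv"):
    """Exercise the three cases the answer options turn on."""
    http = {"aws:SecureTransport": "false"}
    https = {"aws:SecureTransport": "true"}
    return {
        "delete over HTTP": evaluate(policy, "s3:DeleteObject", key, http),
        "delete over HTTPS": evaluate(policy, "s3:DeleteObject", key, https),
        "read over HTTP": evaluate(policy, "s3:GetObject", key, http),
    }


if __name__ == "__main__":
    for case, result in check_options(BUCKET_POLICY).items():
        print(f"{case}: {result}")
```

Only the delete-over-HTTP case is denied, which is why option A (and not B or C) describes the policy's intent.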

87
MCQ · medium

Refer to the exhibit. Which of the following services is accessible from the internet to host 10.1.1.100?

A. HTTP only
B. Telnet only
C. HTTPS and SSH
D. FTP only
Answer: C

Ports 443 (HTTPS) and 22 (SSH) are explicitly permitted.

Why this answer

The exhibit shows an access control list (ACL) permitting TCP ports 443 (HTTPS) and 22 (SSH) from any source to host 10.1.1.100. Since the ACL is applied inbound on the internet-facing interface, only HTTPS and SSH traffic are allowed through to that host. Therefore, option C is correct.

Exam trap

The trap here is that candidates often confuse HTTP with HTTPS or Telnet with SSH, assuming that if one is allowed, the other must also be allowed, but the ACL explicitly permits only the specific port numbers listed.

How to eliminate wrong answers

Option A is wrong because HTTP (port 80) is not permitted by the ACL; only HTTPS (port 443) is allowed, so HTTP alone is not accessible. Option B is wrong because Telnet (port 23) is not listed in the ACL; only SSH (port 22) is permitted for remote access. Option D is wrong because FTP (ports 20/21) is not permitted by the ACL; no FTP traffic is allowed to reach host 10.1.1.100.

88
MCQ · easy

An organization has a policy requiring strong passwords. Which additional control is most effective at preventing credential stuffing attacks?

A. Increasing password length and complexity requirements.
B. Implementing account lockout after 3 failed attempts.
C. Requiring multi-factor authentication (MFA) for all logins.
D. Conducting annual security awareness training.
Answer: C

MFA renders stolen passwords useless as the second factor is required for access.

Why this answer

Multi-factor authentication (MFA) stops attackers who have stolen passwords because they cannot provide the second factor.

89
MCQ · medium

An auditor is reviewing the encryption strategy for a healthcare application that stores protected health information (PHI) in a database. The database currently uses transparent data encryption (TDE). What is a key risk associated with TDE?

A. It requires complex key management
B. It significantly degrades database performance
C. It does not protect against privileged database users
D. It cannot be used with column-level encryption
Answer: C

TDE encrypts data at rest but decrypts it transparently for any authenticated database session, so DBAs can still see plaintext.

Why this answer

TDE generally does not protect data from users with database admin privileges because decryption occurs at the database level and any authorized session receives plaintext. Option B is wrong because the performance impact is typically minor. Option A is wrong because key management is a consideration but not the key risk related to user access.

Option D is wrong because TDE can be used together with column-level encryption.

90
Multi-Select · easy

Which TWO of the following are examples of administrative controls for information security?

Select 2 answers
A. Intrusion detection system
B. Firewall configuration
C. Access control policy
D. Encryption algorithms
E. Security awareness training
Answers: C, E

Policies are administrative controls that define rules and procedures.

Why this answer

Access control policy is an administrative control because it defines the rules, roles, and responsibilities for granting or restricting access to information assets. It is a documented directive that governs user behavior and management processes, not a technical mechanism. Administrative controls are management-level safeguards, such as policies, procedures, and training, that guide the implementation of technical and physical controls.

Exam trap

ISACA often tests the distinction between administrative, technical, and physical controls, and the trap here is that candidates confuse policy documents (administrative) with the technical mechanisms that implement them, such as firewalls or encryption.

91
MCQ · medium

During a penetration test, a tester discovers that an application stores passwords using a reversible encryption algorithm. Which of the following is the BEST remediation?

A. Use MD5 hashing with a salt
B. Replace the encryption algorithm with AES-256
C. Implement a strong one-way hashing algorithm such as bcrypt
D. Add a random salt before encryption
Answer: C

bcrypt is designed for password storage.

Why this answer

Storing passwords using reversible encryption is fundamentally flawed because any encryption key can be compromised, allowing an attacker to decrypt all passwords. The best remediation is to use a strong, one-way hashing algorithm like bcrypt, which is designed to be computationally expensive and includes a built-in salt to resist rainbow table attacks and brute-force attempts. Unlike encryption, hashing is irreversible, so even if the database is breached, the original passwords cannot be recovered.

Exam trap

The trap here is that candidates confuse encryption with hashing, thinking that a strong encryption algorithm like AES-256 is sufficient for password storage, when in fact any reversible method is insecure for this purpose.

How to eliminate wrong answers

Option A is wrong because MD5 is a broken hashing algorithm that is vulnerable to collision attacks and fast brute-force computation; even with a salt, it is not considered secure for password storage. Option B is wrong because AES-256 is a symmetric encryption algorithm, not a hashing algorithm; replacing one reversible encryption with another still leaves passwords recoverable if the encryption key is compromised. Option D is wrong because adding a salt before encryption does not address the core issue—the passwords remain reversible and can be decrypted if the key is obtained.
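As an added example (not code from the page), the storage side of this remediation using only Python's standard library: bcrypt is not in the stdlib, so hashlib.scrypt stands in as the salted, deliberately expensive one-way function. The record format, cost parameters and the upgrade-on-login helper are this example's own choices.

```python
import base64
import hashlib
import hmac
import os

# Work-factor parameters (the analogue of bcrypt's cost). Tune so that one
# verification costs tens of milliseconds on the target hardware; 2**14 with
# r=8 needs about 16 MiB of memory per hash.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
KEY_BYTES = 32


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, n: int = SCRYPT_N) -> str:
    """Return a self-describing record 'scrypt$N$r$p$salt$hash'.

    A fresh random salt per password defeats rainbow tables, and the record
    carries its own parameters so the work factor can be raised later. There
    is no key anywhere that could reverse the stored value."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=n, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)
    return f"scrypt${n}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt/parameters and compare in
    constant time so timing does not leak how many bytes matched."""
    try:
        algo, n, r, p, salt_b64, hash_b64 = record.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, n: int = SCRYPT_N) -> bool:
    """True when the record is not scrypt at all (e.g. a legacy reversible
    format) or was hashed below the current work factor."""
    parts = record.split("$")
    return len(parts) != 6 or parts[0] != "scrypt" or int(parts[1]) < n


def login(password: str, record: str):
    """Typical upgrade-on-login flow: returns (ok, record_to_store). The
    plaintext is available only at this moment, so this is the one place a
    weak or legacy record can be replaced."""
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record):
        record = hash_password(password)
    return True, record


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))
```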

92
MCQ · hard

A company is implementing a privileged access management (PAM) system. Which of the following is the MOST important control to prevent lateral movement after a privileged account is compromised?

A. Implement just-in-time (JIT) privilege elevation
B. Enforce multi-factor authentication for all privileged accounts
C. Monitor and record all privileged sessions
D. Rotate passwords after each use
Answer: A

JIT reduces exposure time.

Why this answer

Just-in-time (JIT) privilege elevation is the most important control to prevent lateral movement because it eliminates standing privileged access. By granting temporary, time-bound privileges only when needed, JIT reduces the attack surface and ensures that even if an attacker compromises a privileged account, they cannot use those credentials to move laterally to other systems after the access window expires. This directly addresses the root cause of lateral movement: persistent privileged credentials that can be reused across the network.

Exam trap

The trap here is that candidates often choose MFA (option B) because it is a well-known security best practice, but they fail to recognize that MFA does not prevent lateral movement after the account is already compromised—it only protects against unauthorized initial access.

How to eliminate wrong answers

Option B is wrong because multi-factor authentication (MFA) is a strong authentication control that can prevent initial compromise, but it does not prevent lateral movement once the account is already compromised (e.g., via session hijacking or token theft). Option C is wrong because monitoring and recording privileged sessions is a detective control that helps identify lateral movement after it occurs, but it does not prevent it. Option D is wrong because rotating passwords after each use (password cycling) reduces the window of credential reuse but still leaves the account with standing privileges during the session; an attacker can still move laterally within that session before the password is rotated.

93
MCQ · hard

Based on the exhibit, which of the following is the MOST likely result of the current firewall configuration?

A. Remote SSH connections are permitted from any IP address
B. SSH access is restricted to the internal network
C. HTTPS traffic from the internal network is blocked
D. HTTPS traffic from the internet is allowed
Answer: A

Rule 1 allows SSH from anywhere.

Why this answer

The exhibit shows an access control list (ACL) that permits TCP traffic on port 22 (SSH) from any source IP address (0.0.0.0/0) to the destination IP address of the firewall's external interface. Since there is no source restriction, remote SSH connections are allowed from any IP address on the internet. This is a significant security risk because it exposes the firewall's management interface to brute-force attacks from the entire internet.

Exam trap

ISACA often tests the concept that an ACL with a permit statement for a specific service from 'any' source overrides any implicit deny, and candidates may mistakenly think that the implicit deny blocks all traffic, forgetting that explicit permits take precedence.

How to eliminate wrong answers

Option B is wrong because the ACL explicitly permits SSH from any source (0.0.0.0/0), not just the internal network; there is no rule restricting SSH to internal IP ranges. Option C is wrong because nothing in the ACL denies HTTPS (TCP port 443) from the internal network; the exhibit shows only SSH rules, so internal HTTPS traffic is not affected by this ACL at all. Option D is wrong because the ACL contains no permit rule for HTTPS (TCP port 443) from the internet; without an explicit permit, the implicit deny at the end of the ACL blocks all HTTPS traffic from the internet.
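Questions 87 and 93 both turn on first-match processing and the implicit deny at the end of a Cisco-style ACL. The following added example (not the page's exhibits, which are not reproduced) parses constructed ACL text in that syntax and evaluates sample flows, including a hardened variant of the question-93 ACL that restricts SSH to an assumed internal range. All addresses and the external-interface IP are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Ace:
    """One access control entry (a single permit/deny line)."""
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _parse_addr(tokens, i):
    """Read 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # Cisco wildcard masks are inverted netmasks: 0.255.255.255 -> 255.0.0.0
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = str(ipaddress.IPv4Address((~wild) & 0xFFFFFFFF))
    return ipaddress.IPv4Network((tokens[i], netmask), strict=False), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse lines of the form: permit|deny tcp|udp|ip <src> <dst> [eq <port>]."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("!"):
            continue  # blank line or comment
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        dst, i = _parse_addr(tokens, i)
        dport = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
        entries.append(Ace(action, proto, src, dst, dport))
    return entries


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: int) -> str:
    """First matching entry wins; a packet that matches nothing hits the
    implicit deny, which is why an explicit 'permit ... any' is never
    cancelled by it."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "implicit deny"


# Constructed ACL for question 87: inbound on the internet-facing interface.
ACL_Q87 = parse_acl("""
permit tcp any host 10.1.1.100 eq 443
permit tcp any host 10.1.1.100 eq 22
""")

# Constructed ACL for question 93; 203.0.113.1 is an assumed external interface.
ACL_Q93 = parse_acl("""
permit tcp any host 203.0.113.1 eq 22
""")

# Hardened variant: only the assumed internal range 10.0.0.0/8 may reach SSH,
# so an internet source now falls through to the implicit deny.
ACL_Q93_RESTRICTED = parse_acl("""
permit tcp 10.0.0.0 0.255.255.255 host 203.0.113.1 eq 22
""")


if __name__ == "__main__":
    internet = "198.51.100.7"
    for port in (80, 443, 23, 22, 21):
        print(f"Q87 port {port}: {evaluate(ACL_Q87, 'tcp', internet, '10.1.1.100', port)}")
    print("Q93 SSH from internet:", evaluate(ACL_Q93, "tcp", internet, "203.0.113.1", 22))
    print("hardened, from internet:", evaluate(ACL_Q93_RESTRICTED, "tcp", internet, "203.0.113.1", 22))
    print("hardened, from 10.2.3.4:", evaluate(ACL_Q93_RESTRICTED, "tcp", "10.2.3.4", "203.0.113.1", 22))
```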

94
Multi-Select · hard

An organization has implemented a database activity monitoring (DAM) solution. Which of the following are BEST practices for tuning the DAM to reduce false positives? (Choose TWO.)

Select 2 answers
A. Implement exclusions for routine maintenance activities
B. Enable alerts for all database queries
C. Increase the sensitivity of all detection rules
D. Review alerts in real-time only
E. Define a baseline of normal user behavior
Answers: A, E

Excluding known safe activities reduces false positives.

Why this answer

Implementing exclusions for routine maintenance activities (Option A) is a best practice because these activities often generate predictable database queries that are not indicative of security threats. By excluding them, the DAM solution avoids alerting on benign operations, thereby reducing false positives without compromising security coverage. Defining a baseline of normal user behavior (Option E) gives the DAM a reference for what each user or application normally does, so alerts fire on deviations from that pattern rather than on every query.

Exam trap

The trap here is that candidates may think increasing sensitivity (Option C) improves detection, but it actually amplifies false positives, whereas the correct approach is to establish a baseline (Option E) and exclude known benign activities (Option A).
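An added example (not from the page) of the two tuning practices in code: a per-user baseline built from a training window and an exclusion list for a maintenance account, applied to constructed DAM events. The users, tables, maintenance window and volume threshold are assumptions.

```python
from datetime import datetime

# Constructed training-window events (not from the page):
# (timestamp, user, statement, table, rows affected or returned)
BASELINE_EVENTS = [
    ("2024-03-01T09:05:00", "app_svc", "SELECT", "orders", 120),
    ("2024-03-01T09:40:00", "app_svc", "SELECT", "orders", 95),
    ("2024-03-01T10:15:00", "app_svc", "UPDATE", "orders", 3),
    ("2024-03-01T11:00:00", "analyst1", "SELECT", "customers", 400),
    ("2024-03-01T11:30:00", "analyst1", "SELECT", "customers", 520),
    ("2024-03-02T02:00:00", "db_maint", "VACUUM", "customers", 0),
]

# Exclusion (Option A): the maintenance account, running maintenance
# statements, inside its assumed 01:00-04:59 window. Anything else it does
# is still scored, so the exclusion does not blind the DAM to misuse.
EXCLUSIONS = [
    {"user": "db_maint",
     "statements": {"VACUUM", "ANALYZE", "REINDEX"},
     "hours": range(1, 5)},
]


def build_baseline(events):
    """Option E: per user, the tables touched and the largest row count seen
    for each (statement, table) pair during the training window."""
    baseline = {}
    for _ts, user, stmt, table, rows in events:
        profile = baseline.setdefault(user, {"tables": set(), "max_rows": {}})
        profile["tables"].add(table)
        key = (stmt, table)
        profile["max_rows"][key] = max(profile["max_rows"].get(key, 0), rows)
    return baseline


def is_excluded(event, exclusions):
    ts, user, stmt, _table, _rows = event
    hour = datetime.fromisoformat(ts).hour
    return any(ex["user"] == user and stmt in ex["statements"] and hour in ex["hours"]
               for ex in exclusions)


def score_event(event, baseline, exclusions, volume_factor=5):
    """Return the alert reasons for one event; an empty list means no alert."""
    if is_excluded(event, exclusions):
        return []
    _ts, user, stmt, table, rows = event
    profile = baseline.get(user)
    if profile is None:
        return ["unknown user"]
    reasons = []
    if table not in profile["tables"]:
        reasons.append(f"new table {table} for {user}")
    seen = profile["max_rows"].get((stmt, table))
    if seen is None:
        if table in profile["tables"]:
            reasons.append(f"new statement {stmt} on {table} for {user}")
    elif rows > volume_factor * max(seen, 1):
        reasons.append(f"{stmt} on {table} returned {rows} rows, baseline max {seen}")
    return reasons


def run(events, baseline, exclusions):
    """Score every event; returns {event: [reasons]}."""
    return {e: score_event(e, baseline, exclusions) for e in events}


# Constructed events to score after tuning.
NEW_EVENTS = [
    ("2024-03-05T03:00:00", "db_maint", "VACUUM", "orders", 0),        # excluded
    ("2024-03-05T14:00:00", "db_maint", "SELECT", "customers", 50000), # alert
    ("2024-03-05T10:00:00", "app_svc", "SELECT", "orders", 110),       # normal
    ("2024-03-05T23:30:00", "analyst1", "SELECT", "customers", 48000), # alert
    ("2024-03-05T12:00:00", "contractor7", "SELECT", "customers", 10), # alert
]

if __name__ == "__main__":
    results = run(NEW_EVENTS, build_baseline(BASELINE_EVENTS), EXCLUSIONS)
    for event, reasons in results.items():
        print(event[1], event[2], event[3], "->", reasons or "ok")
```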

95
Multi-Select · hard

Which THREE are indicators of a possible data exfiltration attempt via the network? (Choose three.)

Select 3 answers
A. Use of unauthorized encryption or tunneling protocols
B. Unusual outbound data transfer volumes during non-business hours
C. Increase in phishing emails targeting executives
D. Repeated access attempts to sensitive databases by unauthorized users
E. Large number of HTTPS connections to legitimate cloud services
Answers: A, B, D

Unauthorized encryption can hide exfiltration.

Why this answer

Option A is correct because data exfiltration often involves bypassing security controls by using unauthorized encryption or tunneling protocols (e.g., SSH over port 443, IPsec over UDP, or custom VPNs) to hide malicious traffic within legitimate-looking flows. Such protocols can encapsulate stolen data and evade deep packet inspection (DPI) or data loss prevention (DLP) systems, making them a strong indicator of exfiltration attempts.

Exam trap

ISACA often tests the distinction between precursors to an attack (like phishing) and actual indicators of exfiltration (like unauthorized tunneling or unusual outbound volumes), so candidates mistakenly choose phishing because it is a common attack vector, but it is not a network-level exfiltration indicator.

96
Multi-Select · medium

Which TWO controls are most effective for protecting data at rest on a database server? (Choose two.)

Select 2 answers
A. Placing the database server behind a firewall
B. Enforcing role-based access control (RBAC)
C. Implementing transparent data encryption (TDE)
D. Enabling SSL/TLS for client connections
E. Using file-level encryption on the database files
Answers: B, C

RBAC ensures only authorized users can access data.

Why this answer

Role-based access control (RBAC) restricts data access to authorized users based on their roles, directly preventing unauthorized viewing or modification of data at rest. Transparent data encryption (TDE) encrypts the database files at the storage level, ensuring that even if the physical media is stolen, the data remains unreadable without the encryption keys. Both controls address the core requirement of protecting data while it is stored on the database server.

Exam trap

The trap here is that candidates often confuse network controls (firewall, SSL/TLS) with data-at-rest protection, mistakenly thinking perimeter security or transport encryption secures stored data, when in fact they only protect data in motion or the network layer.

97
MCQ · easy

Which physical security control is most effective for preventing unauthorized individuals from tailgating into a data center?

A. Mantrap (dual-door interlocking system).
B. Security guards at the entrance.
C. Closed-circuit television (CCTV) surveillance.
D. Biometric fingerprint readers.
Answer: A

A mantrap requires entry through one door before the second opens, forcing single occupancy and preventing tailgating.

Why this answer

A mantrap, or dual-door interlocking system, is the most effective physical security control against tailgating because it physically isolates individuals in a small vestibule where both doors cannot be opened simultaneously. This forces authentication and verification for each person before the second door unlocks, preventing an unauthorized person from following an authorized individual through a single entry point.

Exam trap

The trap here is that candidates often choose biometric readers or CCTV because they associate them with high security, but fail to recognize that tailgating exploits the gap between authentication and physical passage, which only a mantrap's interlocking doors can mechanically enforce.

How to eliminate wrong answers

Option B is wrong because security guards, while useful for monitoring and deterrence, are prone to human error, distraction, or social engineering, and cannot guarantee prevention of tailgating in high-traffic scenarios. Option C is wrong because CCTV surveillance is a detective control that records events for after-the-fact review, not a preventive control that stops tailgating in real time. Option D is wrong because biometric fingerprint readers authenticate identity but do not prevent a second person from entering immediately after an authorized user without their own authentication.

98
MCQmedium

You are an information security manager for a global financial services company. The organization maintains a hybrid infrastructure with critical customer data stored on an on-premises Oracle database server (DB-SRV-01) and in an AWS S3 bucket (customer-data-prod). At 10:00 AM, the security operations center (SOC) alerts you to an anomalous outbound data transfer from DB-SRV-01 to an unknown IP address in a high-risk country. The transfer started at 9:45 AM and involves 500 MB of data, likely including personally identifiable information (PII). The SOC has already quarantined the server's network egress by blocking all outbound traffic from DB-SRV-01, but the server remains connected to the internal production network. Meanwhile, a separate analysis indicates that the S3 bucket has been accessed via an IAM key that was stolen from a compromised developer workstation three days ago. The key has not been rotated. The incident response team is preparing to act. The primary objective is to protect information assets and minimize data exposure. Given this scenario, which of the following actions should the team take FIRST?

A.Restore DB-SRV-01 from a clean backup taken before the incident and change the IAM keys for the S3 bucket.
B.Notify the appropriate data protection authority within the required 72-hour timeframe.
C.Patch the Oracle database server to the latest version to close any known vulnerabilities.
D.Isolate DB-SRV-01 from the internal network by disconnecting its network cable or disabling the virtual switch port.
AnswerD

Isolating the server halts any ongoing data exfiltration and prevents the attacker from moving laterally to other systems. This preserves the system state for forensic analysis while containing the breach.

Why this answer

Option D is correct because disconnecting DB-SRV-01 from the internal production network is the containment step that halts any continuing exfiltration and stops the attacker from pivoting to other systems; the SOC's egress block covers only traffic leaving the network, not lateral movement inside it. Pulling the network connection (rather than powering the server off) also preserves volatile state for forensic analysis. Option A is incorrect because restoring from backup overwrites the forensic evidence, may reintroduce the weakness the attacker used, and leaves a compromised server on the production network while the restore runs; rotating the stolen IAM key is necessary and should follow immediately after containment, but on its own it does nothing about the active on-premises compromise. Option B is incorrect because regulatory notification is a legal obligation with a deadline, not an immediate containment action. Option C is incorrect because patching before the attack vector is understood can destroy evidence and does not evict an attacker who already has a foothold.

99
MCQeasy

Refer to the exhibit. A CISA is reviewing this S3 bucket policy. What is the PRIMARY security concern?

A.The bucket is configured for public read access
B.Encryption is not enforced on the bucket
C.The policy allows unauthorized write access
D.Versioning is not enabled on the bucket
AnswerA

The policy grants anonymous read access to all objects.

Why this answer

The bucket policy explicitly grants `s3:GetObject` to `Principal: "*"` with `Effect: "Allow"`, which means any unauthenticated user on the internet can read objects in the bucket. This is a classic misconfiguration that leads to public read access, exposing sensitive data. While encryption and versioning are important security controls, the immediate and most severe risk is unauthorized data disclosure via public read.

Exam trap

ISACA often tests the distinction between 'public read' and 'public write' — candidates may incorrectly assume the policy allows write access because it uses `"*"`, but the action is specifically `s3:GetObject`, so only read is permitted.

How to eliminate wrong answers

Option B is wrong because the policy does not mention encryption at all; while encryption enforcement is a best practice, the policy's explicit public read grant is a more direct and critical security concern. Option C is wrong because the policy only grants `s3:GetObject` (read) and does not include `s3:PutObject` or any write action, so unauthorized write access is not permitted by this policy. Option D is wrong because versioning is a data protection and recovery feature, not a security control that prevents unauthorized access; the lack of versioning does not create an immediate exposure risk like public read does.
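The check the auditor performs on the exhibit can be automated. The following Go program is an added example, not part of the question bank and not AWS tooling: it walks a bucket policy's Statement list, normalises the Principal and Action fields (each may be a string or an array), and reports every Allow statement that grants to an anonymous principal, distinguishing read-only grants such as s3:GetObject from write-capable ones (s3:Put*, s3:Delete*, s3:*). The SamplePolicy constant is constructed to match the policy the explanation describes; the prefix list in isWriteAction and the Finding fields are the example's own choices, not an AWS definition.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Finding is one Allow statement whose Principal is anonymous.
type Finding struct {
	SID     string
	Actions []string
	Write   bool // some granted action can modify objects or bucket configuration
	Scoped  bool // a Condition element narrows the grant; review it by hand
}

// toList normalises IAM fields that may be a string or an array of strings.
func toList(v interface{}) []string {
	if s, ok := v.(string); ok {
		return []string{s}
	}
	var out []string
	if arr, ok := v.([]interface{}); ok {
		for _, e := range arr {
			if s, ok := e.(string); ok {
				out = append(out, s)
			}
		}
	}
	return out
}

// isAnonymous reports whether Principal grants to everyone: "*" or {"AWS": "*"}.
func isAnonymous(p interface{}) bool {
	if s, ok := p.(string); ok {
		return s == "*"
	}
	if m, ok := p.(map[string]interface{}); ok {
		for _, v := range m {
			for _, s := range toList(v) {
				if s == "*" {
					return true
				}
			}
		}
	}
	return false
}

// isWriteAction flags actions that create, change or delete data or configuration;
// the wildcards "*" and "s3:*" include such actions and are treated as write.
// The prefix list is this example's own heuristic, not an AWS-published set.
func isWriteAction(a string) bool {
	if a == "*" || a == "s3:*" {
		return true
	}
	for _, p := range []string{"s3:Put", "s3:Delete", "s3:Create", "s3:Restore", "s3:Abort"} {
		if strings.HasPrefix(a, p) {
			return true
		}
	}
	return false
}

// AnalyzePolicy returns every Allow statement with an anonymous Principal. Deny
// statements are skipped and NotPrincipal/NotAction forms are not interpreted.
func AnalyzePolicy(policyJSON []byte) ([]Finding, error) {
	var doc struct{ Statement json.RawMessage }
	if err := json.Unmarshal(policyJSON, &doc); err != nil {
		return nil, err
	}
	var stmts []map[string]interface{} // Statement may be an array or a single object
	if err := json.Unmarshal(doc.Statement, &stmts); err != nil {
		var one map[string]interface{}
		if err := json.Unmarshal(doc.Statement, &one); err != nil {
			return nil, err
		}
		stmts = append(stmts, one)
	}
	var findings []Finding
	for _, st := range stmts {
		if st["Effect"] != "Allow" || !isAnonymous(st["Principal"]) {
			continue
		}
		f := Finding{Actions: toList(st["Action"])}
		f.SID, _ = st["Sid"].(string)
		_, f.Scoped = st["Condition"]
		for _, a := range f.Actions {
			f.Write = f.Write || isWriteAction(a)
		}
		findings = append(findings, f)
	}
	return findings, nil
}

// SamplePolicy is constructed to match the policy the explanation describes.
const SamplePolicy = `{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}`

func main() {
	findings, err := AnalyzePolicy([]byte(SamplePolicy))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: anonymous principal, actions=%v write=%v conditioned=%v\n",
			f.SID, f.Actions, f.Write, f.Scoped)
	}
}
```

A Condition element is only flagged, not evaluated, because a condition such as a source-IP or VPC endpoint restriction can turn an apparently public grant into a scoped one, and that judgement belongs to the reviewer. The bucket policy is also only one input to effective access: S3 Block Public Access settings at account and bucket level and legacy bucket ACLs must be read alongside it before concluding that a bucket is, or is not, public.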

100
MCQhard

An IS auditor reviews the disposal process of hard drives. Which of the following methods provides the HIGHEST assurance that data cannot be recovered?

A.Physical shredding.
B.Overwriting with zeros.
C.Degaussing.
D.Quick format.
AnswerA

Shredding destroys the physical media, ensuring data cannot be recovered.

Why this answer

Option A is correct because physical shredding destroys the media itself, so no recovery technique applies, whatever the media type. Option B is incorrect because overwriting may leave residual data: a single pass can miss remapped or spare sectors, and on SSDs wear levelling and over-provisioned blocks mean the overwrite may never reach every cell. Option C is incorrect because degaussing only affects magnetic media; it does nothing to flash-based SSDs and gives no direct verification of the result. Option D is incorrect because a quick format removes only the file system's pointers and leaves the data intact and easily recoverable.

101
Multi-Selecteasy

Which TWO of the following are primary objectives of information classification? (Choose two.)

Select 2 answers
A.Simplify network architecture by segmenting data.
B.Determine appropriate access controls and protection requirements.
C.Improve system performance by prioritizing critical data.
D.Ensure compliance with legal and regulatory requirements.
E.Reduce storage costs by identifying duplicate data.
AnswersB, D

Classification helps define who needs access and what controls apply.

Why this answer

Information classification is a foundational security process that assigns sensitivity labels (e.g., public, internal, confidential, restricted) to data assets. Its primary objectives are to determine the appropriate access controls and protection requirements for each classification level (Option B) and to ensure compliance with legal and regulatory requirements such as GDPR, HIPAA, or PCI DSS (Option D). These objectives directly drive the implementation of security controls like encryption, access control lists (ACLs), and data loss prevention (DLP) policies.

Exam trap

The trap here is that candidates confuse the secondary benefits of classification (like improved storage management or network design) with its primary objectives, which are strictly about determining protection requirements and ensuring compliance.

102
MCQeasy

A small manufacturing company uses a network-attached storage (NAS) device to store design files, financial records, and employee data. The NAS is backed up weekly to an external hard drive that is stored in the same office. The company has no encryption on the NAS or the backup drive. One weekend, the office is burglarized, and both the NAS and the backup drive are stolen. The company had no remote backup. Which of the following would have best protected the data in this scenario?

A.Enabling full-disk encryption on the NAS
B.Implementing strong passwords and user authentication on the NAS
C.Storing a backup offsite in a secure location
D.Installing a security camera and alarm system
AnswerA

Encryption renders data unreadable without the key.

Why this answer

Full-disk encryption (FDE) on the NAS would render the data unreadable without the decryption key, even if the physical device is stolen. Since the backup drive was also unencrypted and stored in the same location, both were equally vulnerable. FDE protects data at rest, which is the primary risk in a theft scenario where physical access is obtained.

Exam trap

The trap here is that candidates often choose offsite backup (Option C) because it is a best practice for disaster recovery, but the question specifically asks for protection of the data in a theft scenario where both the primary and backup are stolen together, making encryption the only effective control.

How to eliminate wrong answers

Option B is wrong because strong passwords and user authentication protect against unauthorized logical access over the network, but they do nothing to protect data once the physical device is stolen and the attacker can bypass the OS by pulling the disks and reading them directly. Option C is wrong because storing a backup offsite would protect the backup from being stolen in the same burglary, but it does not protect the primary NAS data that was also stolen; the question asks for the best protection of the data in this scenario, and offsite backup alone leaves the primary copy exposed. Option D is wrong because security cameras and alarm systems are deterrent and detective physical controls: they may discourage a burglary or raise an alert while it is in progress, but they do not protect the data once the devices have been carried off.

103
MCQhard

A multinational corporation's data center in the European Union (EU) stores personal data of EU citizens. The company must comply with the General Data Protection Regulation (GDPR), which requires that personal data be protected and that data subjects have the right to erasure ('right to be forgotten'). The company's IT team uses a centralized identity management system that stores user credentials and personal data in an active directory (AD) forest. The AD forest is replicated across multiple data centers worldwide, including a non-EU country. The data protection officer (DPO) is concerned that personal data might be inadvertently replicated to jurisdictions without adequate protection. Which of the following is the most effective way to address this concern?

A.Pseudonymize all personal data before storing it in AD
B.Encrypt all personal data at rest and in transit, with keys held solely within the EU
C.Implement data residency controls to ensure EU personal data is only stored and processed within the EU
D.Obtain explicit consent from all EU data subjects for international data transfer
AnswerC

Technical controls can enforce geographic boundaries for data replication.

Why this answer

Option C is correct because GDPR mandates that personal data of EU citizens must not be transferred to countries without adequate protection unless specific safeguards are in place. Implementing data residency controls ensures that EU personal data is stored and processed only within the EU, preventing inadvertent replication to non-EU jurisdictions via AD replication. This directly addresses the DPO's concern by enforcing geographic boundaries on data storage and processing.

Exam trap

The trap here is that candidates often confuse encryption (Option B) with data residency, thinking encryption alone prevents data exposure, but encryption does not stop replication and may still allow data to be stored in non-EU jurisdictions where it could be subject to local access laws.

How to eliminate wrong answers

Option A is wrong because pseudonymization reduces identifiability but does not prevent data from being replicated to non-EU jurisdictions; pseudonymized data remains personal data under GDPR and could still be subject to inadequate protection. Option B is wrong because encryption protects confidentiality but does not stop replication: with keys held solely in the EU, the encrypted attributes still land on non-EU domain controllers, where they remain personal data under GDPR, and confidentiality then rests entirely on the key management never being compromised. Option D is wrong because explicit consent for international data transfer is a possible lawful basis but is not the most effective technical control; it does not prevent inadvertent replication and can be withdrawn by data subjects, making it unreliable for ongoing compliance.

104
Multi-Selecteasy

Which TWO of the following are key components of an effective information security awareness program?

Select 2 answers
A.Periodic review of security logs
B.Annual password change policy
C.Mandatory training for all employees
D.Regular vulnerability scans
E.Phishing simulation exercises
AnswersC, E

Correct. Training is the foundation of an awareness program.

Why this answer

Option C is correct because mandatory training for all employees ensures that every user understands their security responsibilities, recognizes threats like phishing, and follows organizational policies. This is a foundational element of an awareness program as defined by frameworks such as NIST SP 800-50, which emphasizes that awareness and training must be tailored to roles and delivered to all personnel. Without mandatory participation, coverage gaps leave the organization vulnerable to social engineering and policy violations. Option E is correct because phishing simulation exercises measure whether the training actually changed behaviour, give employees safe practice at recognising the most common initial-access technique, and produce click and report rates that feed back into targeted follow-up training.

Exam trap

The trap here is that candidates confuse operational security controls (like log reviews and vulnerability scans) with awareness program components, but the exam specifically tests the distinction between technical controls and human-focused training activities.

105
MCQhard

During an audit, an IS auditor finds that the organization uses a cloud-based identity provider (IdP) for single sign-on (SSO) but does not enforce multi-factor authentication (MFA) for all users. Which of the following is the BEST recommendation to reduce risk?

A.Require MFA only for external-facing applications
B.Disable SSO and require separate passwords for each application
C.Reduce session timeout to 15 minutes
D.Enforce MFA for all users accessing any application
AnswerD

Comprehensive MFA reduces risk of unauthorized access.

Why this answer

Enforcing MFA for all users accessing any application is the best recommendation because it directly addresses the lack of a second authentication factor, which is the primary control to mitigate credential theft and unauthorized access. In a cloud-based IdP SSO environment, a single compromised password grants access to all integrated applications, so MFA must be applied universally to protect the entire trust boundary, not just external-facing apps. This aligns with NIST SP 800-63B and zero-trust principles, ensuring that every authentication request is verified with something the user knows and something they have.

Exam trap

The trap here is that candidates often choose Option A (MFA only for external-facing apps) because they mistakenly believe internal apps are safe behind a corporate network perimeter, failing to recognize that cloud-based SSO eliminates network boundaries and that the IdP is the single point of authentication for all apps.

How to eliminate wrong answers

Option A is wrong because requiring MFA only for external-facing applications leaves internal applications vulnerable to lateral movement if an attacker gains access via a compromised credential, as the IdP does not differentiate between internal and external apps in its SSO token issuance. Option B is wrong because disabling SSO and requiring separate passwords for each application increases password fatigue, encourages weak password reuse, and eliminates the security benefits of centralized identity management, such as consistent policy enforcement and automated deprovisioning. Option C is wrong because reducing session timeout to 15 minutes only limits the window of exposure for an active session but does not prevent an attacker from authenticating with a stolen password; it is a compensating control, not a preventive one, and does not address the root cause of missing MFA.

106
MCQhard

A company is designing a public cloud-based application that processes highly sensitive personal data. Which of the following data protection strategies provides the STRONGEST assurance that data remains confidential even if the cloud provider's infrastructure is compromised?

A.Use server-side encryption with cloud provider managed keys
B.Implement client-side encryption with customer managed keys
C.Enable encryption in transit using TLS 1.3
D.Apply data masking at the application layer
AnswerB

Data encrypted before leaving client; provider never has keys, ensuring confidentiality even if provider breached.

Why this answer

Client-side encryption with customer managed keys ensures that data is encrypted before it leaves the client environment, and the cloud provider never has access to the plaintext data or the encryption keys. Even if the cloud provider's infrastructure is fully compromised, the attacker cannot decrypt the data because the keys are never stored or processed by the provider. This provides the strongest assurance of confidentiality because the data remains encrypted end-to-end, independent of the provider's security controls.

Exam trap

The trap here is that candidates often confuse 'encryption at rest' (server-side) with 'end-to-end confidentiality' and assume that any encryption managed by the cloud provider is sufficient, failing to recognize that provider-managed keys are still accessible to the provider and thus vulnerable in a provider compromise scenario.

How to eliminate wrong answers

Option A is wrong because server-side encryption with cloud provider managed keys means the cloud provider holds the encryption keys and performs the encryption/decryption on its infrastructure; if the provider's infrastructure is compromised, an attacker could access both the encrypted data and the keys, breaking confidentiality. Option C is wrong because encryption in transit (TLS 1.3) only protects data while it is moving between the client and the cloud, not at rest; once the data reaches the provider's storage, it is no longer protected by TLS, and a compromise of the provider's infrastructure would expose the plaintext data. Option D is wrong because data masking at the application layer only obscures data for display or processing within the application but does not encrypt the underlying stored data; if the provider's infrastructure is compromised, the actual sensitive data stored in the database remains in plaintext and can be exfiltrated.

107
MCQeasy

A financial institution is implementing a data classification policy. Which of the following is the most important factor in determining the classification level of a data asset?

A.The sensitivity and criticality to business operations
B.The cost of acquiring the data
C.The format of the data (structured vs unstructured)
D.The storage location of the data
AnswerA

Correct. Sensitivity and criticality determine the required level of protection.

Why this answer

The classification level of a data asset is determined by its sensitivity and criticality to business operations because these factors directly drive the required confidentiality, integrity, and availability controls. For example, personally identifiable information (PII) or financial transaction records require higher classification due to regulatory mandates (e.g., GDPR, PCI DSS) and the potential for severe business impact if compromised. Cost, format, or location are secondary attributes that do not inherently define the risk profile or protection needs of the data.

Exam trap

The trap here is that candidates confuse operational attributes (cost, format, location) with the foundational risk-based criteria (sensitivity and criticality) that actually define classification levels in information security governance.

How to eliminate wrong answers

Option B is wrong because the cost of acquiring data is a financial metric unrelated to its inherent risk or the controls needed; data can be cheap to acquire yet highly sensitive (e.g., a leaked password list). Option C is wrong because the format (structured vs unstructured) affects storage and processing methods but does not dictate classification level; both formats can contain equally sensitive information (e.g., structured credit card numbers vs unstructured email containing trade secrets). Option D is wrong because storage location (e.g., on-premises vs cloud) influences security architecture but is a deployment decision, not a determinant of the data's inherent sensitivity or criticality to business operations.

108
Multi-Selecteasy

Which TWO of the following are examples of administrative controls for information security? (Choose two.)

Select 2 answers
A.Encryption of data at rest
B.Biometric access controls
C.Incident response policy
D.Security awareness training
E.Firewall configuration
AnswersC, D

Policy is an administrative control.

Why this answer

Option C is correct because an incident response policy is a documented set of procedures that defines roles, responsibilities, and steps to be taken when a security incident occurs. This is an administrative control as it governs human behavior and organizational processes, not technology. It aligns with the CISA domain of Protection of Information Assets by establishing a framework for detecting, responding to, and recovering from security events. Option D is correct because security awareness training is likewise administrative: it changes what people know and do through an organizational programme rather than through a technical mechanism. By contrast, encryption and firewall configuration are technical controls, and biometric access controls are physical or technical depending on what they guard.

Exam trap

The trap here is that candidates often confuse administrative controls with technical or physical controls, mistakenly selecting encryption or firewall configuration because they are common security measures, but the CISA exam specifically tests the distinction that administrative controls are policy-based and people-focused, not technology-based.

109
MCQmedium

A company is migrating its applications to a public IaaS cloud. What is the primary concern for protecting data in this environment?

A.Regularly patching the operating system and applications.
B.Using only hardened virtual machine images from the provider.
C.Ensuring encryption keys are stored in the cloud provider's key management service.
D.Properly configuring security groups and access control lists (ACLs) to limit network access.
AnswerD

Misconfigured security groups can expose resources to the internet, leading to unauthorized access. This is the top risk in IaaS.

Why this answer

In an IaaS public cloud, the customer retains responsibility for securing the network layer, including virtual firewalls. Security groups (stateful) and ACLs (stateless) are the primary mechanisms to enforce least-privilege network access, which directly protects data from unauthorized exposure over the network. This aligns with the shared responsibility model where the provider secures the physical infrastructure, but the customer must control traffic to their instances.

Exam trap

The trap here is that candidates often focus on encryption or patching as the universal answer for data protection, but in an IaaS shared responsibility model, the primary concern is controlling network access because the cloud provider does not manage the customer's virtual network boundaries.

How to eliminate wrong answers

Option A is wrong because patching the OS and applications is a critical security practice but it addresses vulnerability management, not the primary concern for protecting data in transit or at rest from network-based attacks in a shared IaaS environment. Option B is wrong because using hardened VM images is a good baseline for reducing initial attack surface, but it does not control ongoing network access or data flow, which is the primary data protection concern. Option C is wrong because storing encryption keys in the provider's KMS can be part of a data-at-rest protection strategy, but it does not address the primary concern of controlling network access to the data; moreover, key management is a shared responsibility and storing keys in the provider's KMS may introduce trust and availability risks if not combined with proper access controls.

110
MCQhard

An organization stores sensitive research data in a cloud storage service. The data must be encrypted at rest and in transit, and the organization wants to maintain control over encryption keys. Which solution best meets these requirements?

A.Use a cloud hardware security module (HSM) to generate keys
B.Implement client-side encryption using a customer-managed key vault
C.Enable HTTPS for all data transfers
D.Use server-side encryption with AWS S3 managed keys (SSE-S3)
AnswerB

Client-side encryption ensures data is encrypted before reaching the cloud, and keys are controlled by the organization.

Why this answer

Client-side encryption with a customer-managed key vault ensures data is encrypted before it leaves the client environment, so the cloud provider never has access to plaintext or the encryption keys. This satisfies both at-rest and in-transit encryption requirements while giving the organization full control over key management, unlike server-side options where the provider manages at least part of the key lifecycle.

Exam trap

The trap here is that candidates often confuse server-side encryption with customer-managed keys (e.g., SSE-KMS or SSE-C) as giving full control, but those still allow the cloud provider to process the data server-side, whereas client-side encryption ensures the provider never has access to plaintext.

How to eliminate wrong answers

Option A is wrong because a cloud HSM generates and stores keys within the cloud provider's infrastructure; while the customer controls the keys, the provider still has physical access to the HSM, and the data is typically encrypted server-side, meaning the provider could theoretically access plaintext. Option C is wrong because HTTPS only protects data in transit; it does not address encryption at rest, leaving stored data vulnerable if the cloud storage bucket is compromised. Option D is wrong because SSE-S3 uses AWS-managed keys, meaning the cloud provider controls key management and can decrypt the data, violating the requirement for the organization to maintain control over encryption keys.
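Questions 106 and 110 both turn on where the keys live. The following Go program is an added illustration, not the page's own material and not any cloud provider's SDK: it implements client-side envelope encryption with AES-256-GCM from the Go standard library, where a customer-held key-encryption key (KEK) wraps a fresh per-object data key (DEK), and the provider receives only ciphertext plus the wrapped DEK. The type and function names (Client, StoredObject, Encrypt, Decrypt), the sample object name and its contents are the example's own constructed choices; the KEK is generated in memory here to stand in for a customer-managed vault or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// StoredObject is the complete record the provider receives for one object, and so all
// that a full compromise of its storage yields. Nothing in it opens without the KEK.
type StoredObject struct {
	Name       string
	WrappedDEK []byte // per-object data key, encrypted under the KEK (nonce || ciphertext)
	Body       []byte // object data, encrypted under the DEK (nonce || ciphertext)
}

// Client holds the KEK; in a real deployment that is a customer-controlled vault or HSM.
type Client struct{ kek []byte }

func randomKey() ([]byte, error) {
	k := make([]byte, 32) // AES-256
	_, err := io.ReadFull(rand.Reader, k)
	return k, err
}

func NewClient() (*Client, error) {
	kek, err := randomKey()
	return &Client{kek: kek}, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-GCM under key, authenticates aad with the data, and prefixes
// the random nonce so that open can recover it.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plaintext, aad)...), nil
}

// open reverses seal; a wrong key, altered bytes or mismatched aad fails authentication.
func open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("blob too short")
	}
	return gcm.Open(nil, blob[:n], blob[n:], aad)
}

// Encrypt builds the upload: a fresh DEK encrypts the data and only the KEK-wrapped DEK
// travels with it. The object name is bound as associated data so a blob cannot be
// re-labelled on the provider side and opened under another name.
func (c *Client) Encrypt(name string, plaintext []byte) (StoredObject, error) {
	dek, err := randomKey()
	if err != nil {
		return StoredObject{}, err
	}
	body, err := seal(dek, plaintext, []byte(name))
	if err != nil {
		return StoredObject{}, err
	}
	wrapped, err := seal(c.kek, dek, []byte(name))
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{Name: name, WrappedDEK: wrapped, Body: body}, nil
}

// Decrypt unwraps the DEK with the KEK and then opens the body. Without the KEK the
// first step already fails, which is the provider's (and an attacker's) position.
func (c *Client) Decrypt(o StoredObject) ([]byte, error) {
	dek, err := open(c.kek, o.WrappedDEK, []byte(o.Name))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, o.Body, []byte(o.Name))
}

func main() {
	customer, _ := NewClient()
	obj, _ := customer.Encrypt("research/subjects.csv", []byte("subject_id,dob\n1001,1980-01-01\n"))
	attacker, _ := NewClient() // holds obj in full after a provider compromise, but not the KEK
	_, err := attacker.Decrypt(obj)
	pt, _ := customer.Decrypt(obj)
	fmt.Printf("attacker: %v\ncustomer: %q\n", err, pt)
}
```

The contrast with Options A and D of question 106, and with SSE-S3 in question 110, is visible in the data structure: StoredObject carries no key the provider can use, so a copy of the provider's storage yields blobs that fail authentication under any key but the customer's. Binding the object name as associated data goes beyond what the questions require, but it is what stops an attacker with write access to the storage from re-labelling one object as another. Key custody is the customer's problem here, which is the price of the control: losing the KEK loses the data, so the vault holding it needs its own backup and access-control story.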

111
MCQmedium

A company's security policy requires that all laptops have full-disk encryption. During an audit, 10% of laptops are found without encryption. Which of the following is the MOST effective corrective action?

A.Require users to manually enable encryption
B.Distribute encryption keys to users
C.Conduct security awareness training on encryption
D.Deploy centralized endpoint management to enforce encryption
AnswerD

Automated enforcement ensures all laptops comply with policy.

Why this answer

Centralized endpoint management (e.g., Microsoft Intune, SCCM, or a third-party MDM) allows administrators to enforce full-disk encryption (such as BitLocker or FileVault) via policy, automatically encrypting non-compliant laptops and preventing users from disabling encryption. This is the most effective corrective action because it addresses the root cause—lack of enforcement—rather than relying on user action or manual processes.

Exam trap

The trap here is that candidates may choose security awareness training (Option C) as a 'best practice' for policy compliance, but the CISA exam emphasizes that technical controls (enforcement via endpoint management) are more effective than administrative controls for ensuring consistent security configuration.

How to eliminate wrong answers

Option A is wrong because requiring users to manually enable encryption relies on user compliance, which has already failed (10% non-compliance), and provides no mechanism to verify or enforce the action. Option B is wrong because distributing encryption keys to users does not turn encryption on; keys matter only once encryption is applied, and recovery keys belong in an escrow the organization controls (for example, Active Directory or the MDM) rather than with individual users, where they can be lost or leaked. Option C is wrong because security awareness training, while beneficial for education, does not enforce technical controls and is unlikely to remediate existing non-compliant laptops; it addresses behavior rather than the technical gap.

112
MCQhard

A company uses role-based access control (RBAC). An employee moves from one department to another but retains some previous access due to overlapping role permissions. This condition is known as:

A.Access aggregation
B.Privilege creep
C.Segregation of duties conflict
D.Entitlement explosion
AnswerB

Privilege creep is the gradual accumulation of access rights beyond what is needed, often due to role changes.

Why this answer

Privilege creep occurs when an employee accumulates access rights over time, often due to role changes or lateral moves, without corresponding removal of previous permissions. In RBAC, overlapping role permissions can cause this condition when old role memberships are not revoked, leading to excessive entitlements that violate the principle of least privilege.

Exam trap

The trap here is confusing privilege creep with access aggregation, as both involve excessive permissions, but privilege creep specifically results from role changes over time rather than combining separate low-level privileges into a high-risk action.

How to eliminate wrong answers

Option A is wrong because access aggregation refers to combining multiple low-level privileges to perform a high-risk action, not the gradual accumulation of permissions from role changes. Option C is wrong because segregation of duties conflict involves a single user having incompatible roles that could enable fraud, not simply retaining previous access due to overlapping permissions. Option D is wrong because entitlement explosion describes a rapid, uncontrolled increase in permissions across many users, often due to misconfigured role hierarchies or automated provisioning, not the gradual creep from individual role changes.
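The condition in question 112 is something an access review script can surface directly. The following Go program is an added example, not drawn from the page or from any identity product: it compares the roles an identity store says a user holds against the roles the HR department record justifies, and reports (a) stale roles, (b) the permissions that exist only because of those stale roles, which is the privilege creep the question describes, and (c) any segregation-of-duties rule the combined permissions now violate, which is the distractor in Option C. The role model, department mapping, SoD rules and the users alice, bob and carol are all constructed for the illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Constructed role model: role -> permissions it grants.
var RolePermissions = map[string][]string{
	"AP-Clerk":      {"invoice:create", "invoice:read", "vendor:read"},
	"AP-Supervisor": {"invoice:read", "invoice:approve", "vendor:read"},
	"Vendor-Admin":  {"vendor:read", "vendor:create", "vendor:update"},
}

// Constructed authoritative mapping from HR department to the roles it justifies.
var DepartmentRoles = map[string][]string{
	"Accounts Payable": {"AP-Clerk"},
	"Procurement":      {"Vendor-Admin"},
}

// Constructed segregation-of-duties rules: permission pairs one person must not hold.
var SoDRules = [][2]string{
	{"invoice:create", "invoice:approve"},
	{"vendor:create", "invoice:approve"},
}

type User struct {
	ID         string
	Department string   // current department according to HR
	Roles      []string // roles currently assigned in the identity store
}

type Review struct {
	StaleRoles    []string    // assigned roles the current department does not justify
	ExcessPerms   []string    // permissions held only through stale roles: privilege creep
	SoDViolations [][2]string // conflicting permission pairs held together
}

func permsOf(roles []string) map[string]bool {
	out := map[string]bool{}
	for _, r := range roles {
		for _, p := range RolePermissions[r] {
			out[p] = true
		}
	}
	return out
}

// ReviewUser compares what the user holds against what the current department entitles.
// A permission granted by both a stale and a justified role is not excess: only the
// permissions that would disappear when the stale roles are removed are reported.
func ReviewUser(u User) Review {
	entitled := map[string]bool{}
	for _, r := range DepartmentRoles[u.Department] {
		entitled[r] = true
	}
	var rev Review
	for _, r := range u.Roles {
		if !entitled[r] {
			rev.StaleRoles = append(rev.StaleRoles, r)
		}
	}
	have := permsOf(u.Roles)
	should := permsOf(DepartmentRoles[u.Department])
	for p := range have {
		if !should[p] {
			rev.ExcessPerms = append(rev.ExcessPerms, p)
		}
	}
	for _, rule := range SoDRules {
		if have[rule[0]] && have[rule[1]] {
			rev.SoDViolations = append(rev.SoDViolations, rule)
		}
	}
	sort.Strings(rev.StaleRoles)
	sort.Strings(rev.ExcessPerms)
	return rev
}

func main() {
	// Constructed users: alice moved from Accounts Payable to Procurement and kept her old
	// role; bob stayed put but picked up a second AP role. Both show creep; only bob also
	// ends up with an SoD conflict.
	users := []User{
		{"alice", "Procurement", []string{"AP-Clerk", "Vendor-Admin"}},
		{"bob", "Accounts Payable", []string{"AP-Clerk", "AP-Supervisor"}},
		{"carol", "Procurement", []string{"Vendor-Admin"}},
	}
	for _, u := range users {
		fmt.Printf("%s: %+v\n", u.ID, ReviewUser(u))
	}
}
```

Note that vendor:read is held by alice through both AP-Clerk and Vendor-Admin and is therefore not reported as excess: that is exactly the "overlapping role permissions" in the question, and removing the stale role is still the right remediation because the justified role keeps the permission. The script depends on the HR record being the source of truth for department, which is why the exam's other standard answer to creep is a periodic, HR-driven access recertification.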

113
MCQeasy

During a security assessment, an auditor discovers that employees are sharing passwords to access a critical system. Which of the following controls would BEST mitigate this risk?

A.Provide security awareness training
B.Implement multi-factor authentication
C.Log all authentication attempts
D.Enforce complex password policies
AnswerB

MFA requires additional factors, reducing the effectiveness of shared passwords.

Why this answer

Multi-factor authentication (MFA) mitigates the risk of password sharing because even if credentials are shared, an attacker cannot authenticate without the second factor (e.g., a one-time passcode from a hardware token or authenticator app). MFA decouples authentication from a single shared secret, making shared passwords insufficient for access. This directly addresses the root cause—reliance on passwords alone—rather than attempting to prevent sharing behavior.

Exam trap

The trap here is that candidates confuse 'preventing password sharing' with 'detecting or discouraging it,' and choose awareness training or logging, when the only control that technically renders shared passwords useless is multi-factor authentication.

How to eliminate wrong answers

Option A is wrong because security awareness training relies on voluntary compliance and does not technically prevent password sharing; it only educates users, leaving the vulnerability intact. Option C is wrong because logging authentication attempts is a detective control that records incidents after they occur, not a preventive control that stops password sharing from granting access. Option D is wrong because enforcing complex password policies does not prevent sharing; users can still share a complex password, and the policy does not verify the identity of the person entering it.

114
Multi-Selectmedium

Which THREE are commonly used techniques to protect sensitive data in a cloud environment? (Select exactly 3.)

Select 3 answers
A.Code obfuscation for application logic.
B.Network segmentation between tiers.
C.Tokenization of sensitive fields.
D.Encryption at rest and in transit.
E.Data masking for non-production environments.
AnswersC, D, E

Tokenization, encryption and masking protect the data itself rather than the path to it.

Why this answer

Tokenization (Option C) replaces sensitive data (e.g., credit card numbers) with a non-sensitive placeholder (token) that has no exploitable value. This technique is commonly used in cloud environments to reduce the scope of compliance (e.g., PCI DSS) because the token can be stored and processed without exposing the original sensitive value, even if the cloud storage is compromised. Encryption at rest and in transit (Option D) protects the data wherever it is stored or moved, with the caveat from the earlier questions that who holds the keys decides who can read it. Data masking for non-production environments (Option E) gives development and test systems realistic but non-sensitive values, so those environments never become a second, less-protected copy of production data.

Exam trap

ISACA often tests the distinction between data protection techniques (like encryption, tokenization, and masking) and general security controls (like network segmentation or code obfuscation), leading candidates to mistakenly select network segmentation as a data protection method.
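The three techniques in question 114 differ in what, if anything, can recover the original value. The following Go program is an added example, not taken from the page or from any tokenization product: it implements a vault-based tokenization service for card numbers plus a one-way masking function for non-production copies. The design choices are the example's own rather than a standard: tokens are format-preserving (same length, digits only, last four digits retained), are drawn from the OS CSPRNG so they carry no information about the PAN, and are rejected if they happen to pass the Luhn check so that a token can never be mistaken for a real card number. The PAN 4111111111111111 is a widely published test number, not a real account.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"strings"
)

// TokenVault is the only component that can map a token back to the value it replaced.
type TokenVault struct {
	byToken map[string]string // token -> original value
	byValue map[string]string // original value -> token, so one PAN always gets one token
}

func NewTokenVault() *TokenVault {
	return &TokenVault{byToken: map[string]string{}, byValue: map[string]string{}}
}

func allDigits(s string) bool {
	for _, c := range s {
		if c < '0' || c > '9' {
			return false
		}
	}
	return s != ""
}

// luhn reports whether a digit string carries a valid Luhn check digit, as real PANs do.
func luhn(s string) bool {
	sum := 0
	for i := len(s) - 1; i >= 0; i-- {
		d := int(s[i] - '0')
		if (len(s)-1-i)%2 == 1 { // every second digit from the right is doubled
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
	}
	return sum%10 == 0
}

// randomDigits draws n unbiased decimal digits from the OS CSPRNG (rejection sampling).
func randomDigits(n int) (string, error) {
	var b strings.Builder
	buf := make([]byte, 1)
	for b.Len() < n {
		if _, err := rand.Read(buf); err != nil {
			return "", err
		}
		if buf[0] < 250 { // 250 is a multiple of 10, so buf[0]%10 is uniform
			b.WriteByte('0' + buf[0]%10)
		}
	}
	return b.String(), nil
}

// Tokenize replaces a PAN with a random token of the same shape (same length, digits only,
// last four kept for display) that fails the Luhn check, so it can never pass as a card
// number. The token carries no information about the PAN; only the vault links the two.
func (v *TokenVault) Tokenize(pan string) (string, error) {
	if !allDigits(pan) || len(pan) < 13 || len(pan) > 19 {
		return "", fmt.Errorf("not a PAN-shaped value")
	}
	if tok, ok := v.byValue[pan]; ok {
		return tok, nil
	}
	for {
		middle, err := randomDigits(len(pan) - 4)
		if err != nil {
			return "", err
		}
		tok := middle + pan[len(pan)-4:]
		if _, taken := v.byToken[tok]; taken || luhn(tok) || tok == pan {
			continue
		}
		v.byToken[tok], v.byValue[pan] = pan, tok
		return tok, nil
	}
}

// Detokenize is the privileged reverse operation that exists nowhere but the vault.
func (v *TokenVault) Detokenize(tok string) (string, bool) {
	pan, ok := v.byToken[tok]
	return pan, ok
}

// Mask is the one-way transformation for non-production copies: nothing to look up.
func Mask(pan string) string {
	if len(pan) <= 4 {
		return strings.Repeat("*", len(pan))
	}
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

func main() {
	vault := NewTokenVault()
	pan := "4111111111111111" // published test card number, not a real account
	tok, _ := vault.Tokenize(pan)
	orig, _ := vault.Detokenize(tok)
	fmt.Println("token:", tok, "mask:", Mask(pan), "round-trip ok:", orig == pan)
}
```

The PCI DSS scope reduction the explanation mentions follows from the data flow: systems that store or process only tokens hold nothing that can be turned back into a PAN without a call to the vault, so the cardholder-data controls concentrate on the vault and on whatever is allowed to call Detokenize. Encryption, by contrast, is reversible by anyone who obtains the key, and masking is irreversible by design, which is why it suits non-production copies and not the system of record.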

115
MCQeasy

A university's research department stores sensitive research data on a file server that is shared among faculty and graduate students. The server is accessible from the campus network and via VPN for remote access. Recently, a student downloaded a large dataset containing personally identifiable information (PII) of research subjects to a personal laptop. The laptop was later stolen. The university's incident response team determines that the student had legitimate access to the data for research purposes. Which control would have most effectively prevented the data exposure?

A. Require full-disk encryption on all laptops
B. Restrict VPN access to only university-issued devices
C. Conduct annual access reviews for the file server
D. Implement a DLP solution that restricts downloads of sensitive data to unmanaged devices
Answer: D

DLP can block transfer of sensitive data to unauthorized devices.

Why this answer

Option D is correct because data loss prevention (DLP) can detect and block the transfer of sensitive data to unapproved devices, such as a personal laptop. Option A (laptop encryption) would protect data on the stolen laptop but did not prevent the download. Option B (firewall) might block the connection, but the student used VPN.

Option C (access review) is periodic and would not prevent the action.

116
Multi-Select · easy

Which TWO are primary criteria for classifying information assets within an organization? (Choose two.)

Select 2 answers
A. The format of the data (structured vs. unstructured)
B. The age of the data
C. Business impact if the data is lost or disclosed
D. Physical storage location of the data
E. Legal and regulatory requirements
Answers: C, E

Impact determines sensitivity level.

Why this answer

Business impact if the data is lost or disclosed (Option C) is a primary criterion because classification directly depends on the potential harm to the organization—confidentiality, integrity, and availability breaches drive the classification level (e.g., public, internal, confidential, restricted). Legal and regulatory requirements (Option E) are also primary because they mandate specific classification labels and handling controls (e.g., GDPR for PII, HIPAA for PHI, PCI DSS for cardholder data) that override internal business impact assessments. These two factors form the core of any information classification policy, as they dictate the protective measures required.

Exam trap

The trap here is that candidates confuse operational attributes (format, age, location) with the foundational drivers of classification (business impact and legal/regulatory requirements), leading them to select options that describe how data is stored rather than why it needs protection.

117
Matching · medium

Match each security control to its category.

Concepts
Preventive
Detective
Corrective
Administrative
Technical

Why these pairings

Controls are classified by function.

118
MCQ · medium

Which of the following is the MOST effective control to prevent unauthorized USB devices from connecting to corporate workstations?

A. Device control software that blocks non-approved USB devices.
B. User awareness training.
C. Physical security guards.
D. Encrypting all USB devices.
Answer: A

Technical enforcement is most effective.

Why this answer

Device control software (e.g., endpoint DLP or USB whitelisting tools) operates at the OS kernel or driver level to enforce a hardware ID or vendor ID allowlist, blocking any USB device not explicitly approved. This is the only option that provides a preventive, automated, and continuous control against unauthorized USB connections, regardless of user behavior or physical access.

Exam trap

The trap here is that candidates often confuse encryption (which protects data confidentiality) with access control (which prevents connection), or overestimate the effectiveness of training and physical security against a technical bypass like USB autorun or BadUSB.

How to eliminate wrong answers

Option B is wrong because user awareness training is a detective/deterrent control that relies on human compliance and does not technically prevent a USB device from being recognized by the operating system. Option C is wrong because physical security guards control physical access to the facility but cannot prevent an insider from plugging an unauthorized USB device into a workstation already inside the perimeter. Option D is wrong because encrypting USB devices protects data at rest on the device but does nothing to prevent the device from being connected to a corporate workstation in the first place.

119
MCQ · easy

Refer to the exhibit. An auditor reviews the ACL and notes that it allows traffic from a specific host while blocking other IPs in the same subnet. What is the most likely security issue?

A. The ACL blocks all traffic from the subnet except the host, which is desired.
B. The ACL is misconfigured because the permit any at the end bypasses the deny.
C. The ACL allows all traffic from the specific host, which is a risk.
D. The ACL should be reversed to deny first.
Answer: B

Correct. The permit any at the end makes the deny rule redundant, allowing all traffic from the subnet.

Why this answer

Option B is correct because the ACL has a 'permit any' statement at the end, which overrides the preceding 'deny' statements. In Cisco ACLs, packets are processed sequentially from top to bottom; once a match is found, no further rules are evaluated. Therefore, the 'deny' for the subnet is never reached, and all traffic (including from the blocked subnet) is permitted, defeating the intended restriction.

Exam trap

The trap here is that candidates assume that a 'deny' statement earlier in the ACL will block traffic regardless of later 'permit any' statements, but Cisco ACLs process rules sequentially and the first match wins, so the 'permit any' overrides the deny.

How to eliminate wrong answers

Option A is wrong because the ACL does not block all traffic from the subnet except the host; the 'permit any' at the end permits all traffic, including from the subnet, so the desired behavior is not achieved. Option C is wrong because allowing traffic from the specific host is the intended function, not a risk; the real issue is that the 'permit any' allows unintended traffic. Option D is wrong because reversing the order (deny first) is not the core problem; the issue is the presence of the 'permit any' statement that bypasses the deny, not the sequence of existing rules.

120
MCQ · medium

Refer to the exhibit. The IAM policy is intended to allow only requests originating from account 123456789012 to perform any S3 actions. Why does the policy NOT achieve this objective?

A. The Resource element is set to "*", which allows all actions on all resources regardless of the condition.
B. The condition key 'aws:SourceAccount' only applies when the request is made from another account; it does not restrict access to resources owned by the same account.
C. The policy should include a Deny statement for all other accounts to be effective.
D. The Version element is incorrect and should be updated to the latest version.
Answer: B

The condition key is misapplied; it does not limit the S3 resources to those in the specified account.

Why this answer

Option B is correct because the 'aws:SourceAccount' condition key is designed for use in resource-based policies (like S3 bucket policies) to prevent cross-account confusion of resources. It does not restrict access within the same account; it only validates the source account when the request originates from a different account. Since the policy is an IAM identity-based policy (attached to a user/role), the 'aws:SourceAccount' condition is not evaluated for same-account requests, so any principal in account 123456789012 can still perform S3 actions without being restricted by this condition.

Exam trap

The trap here is that candidates assume 'aws:SourceAccount' works identically in both identity-based and resource-based policies, but it only restricts cross-account access and has no effect on same-account requests, leading to a false sense of security.

How to eliminate wrong answers

Option A is wrong because the Resource element set to '*' is valid in an IAM identity-based policy and does not inherently cause the policy to fail; the issue is with the condition key, not the resource wildcard. Option C is wrong because adding a Deny statement for other accounts is unnecessary and would not fix the core problem—the condition key 'aws:SourceAccount' is already intended to restrict access, but it does not apply to same-account requests. Option D is wrong because the Version element (e.g., '2012-10-17') is correct and does not affect the policy's logic; the latest version is not required for functionality.

121
MCQ · medium

A software development company uses a cloud-based source code repository (e.g., GitHub) to store proprietary code. The company has two-factor authentication (2FA) enabled for all accounts. A developer's personal computer was infected with malware that stole the developer's session cookies and local credentials. The attacker used the stolen session to access the code repository and exfiltrated the entire codebase. The company's security team reviews the incident and notes that the repository has audit logging, but the logs were not monitored in real time. The team wants to implement additional controls to prevent a similar incident. Which control would have been most effective in preventing the exfiltration?

A. Use a SIEM to alert on unusual access patterns in real time
B. Enforce code signing for all commits
C. Require access to the code repository only from company-managed IP addresses
D. Implement a shorter session timeout for the code repository
Answer: C

IP whitelisting prevents access from unauthorized locations.

Why this answer

Option C is correct because restricting access to the code repository to only company-managed IP addresses (e.g., via a VPN or a corporate NAT gateway) would have prevented the attacker from using the stolen session cookies from an external, non-corporate IP. Even though the attacker had valid session tokens, the repository's access control list (ACL) would have blocked the connection at the network layer, stopping the exfiltration before it could begin. This control addresses the root cause—unauthorized network origin—rather than relying on detection or session management alone.

Exam trap

The trap here is that candidates often choose a detective or session-management control (like SIEM or shorter timeout) because they focus on the stolen session cookies, but the most effective preventive control is one that restricts the network origin of access, which the attacker cannot bypass without a corporate IP.

How to eliminate wrong answers

Option A is wrong because a SIEM alerting on unusual access patterns is a detective control, not a preventive one; it would not stop the exfiltration in real time, especially if the attacker mimicked normal developer behavior. Option B is wrong because code signing ensures the integrity and authenticity of commits but does not prevent an attacker from cloning or exfiltrating the repository; it protects against tampered code, not unauthorized access. Option D is wrong because a shorter session timeout would only reduce the window of opportunity for an attacker using stolen cookies, but it would not prevent the exfiltration if the attacker acted within the valid session window; the session was already compromised.

122
Multi-Select · medium

Which TWO of the following are considered essential components of an information security policy framework? (Choose two.)

Select 2 answers
A. Data classification policy
B. Business continuity plan
C. Incident response plan
D. Network architecture diagram
E. Acceptable use policy
Answers: A, E

Establishes data sensitivity categories.

Why this answer

A data classification policy is essential because it defines how information assets are categorized based on sensitivity and criticality (e.g., public, internal, confidential, restricted). This classification directly drives the selection and enforcement of appropriate security controls, such as encryption standards (e.g., AES-256 for confidential data) and access control mechanisms (e.g., role-based access control). Without it, security measures cannot be consistently applied across the organization, leading to gaps in protection.

Exam trap

ISACA often tests the distinction between policies (high-level rules) and operational plans or technical artifacts, so candidates mistakenly select BCP or incident response plans as policy components because they are security-related, but they are not part of the policy framework itself.

123
MCQ · easy

A financial institution is deploying a data loss prevention (DLP) solution. Which of the following is the MOST important prerequisite to ensure the DLP can effectively detect sensitive data?

A. Configuring incident response procedures
B. Installing endpoint agents on all devices
C. Implementing network segmentation
D. Performing a data classification exercise
Answer: D

Data classification identifies and labels sensitive data, allowing DLP to detect it accurately.

Why this answer

A DLP solution detects sensitive data by matching content against predefined patterns or rules. Without a data classification exercise, the organization cannot define what constitutes 'sensitive data' (e.g., PII, PCI, IP), making the DLP blind to what it should monitor. Classification provides the taxonomy and metadata (e.g., labels, tags) that the DLP engine uses to trigger alerts or blocks, ensuring detection is both accurate and aligned with policy.

Exam trap

ISACA often tests the misconception that deploying agents or configuring network controls is the first step, but the trap here is that technical controls are useless without first defining what data is sensitive through classification.

How to eliminate wrong answers

Option A is wrong because incident response procedures are reactive steps taken after a DLP alert is generated, not a prerequisite for detection itself; configuring them before classification would leave the DLP without a detection baseline. Option B is wrong because endpoint agents are a deployment method for DLP, but without knowing what data is sensitive, agents cannot be configured to scan for the correct content or patterns. Option C is wrong because network segmentation controls data flow between zones but does not define what data is sensitive; a DLP can still fail to detect sensitive data crossing segments if it lacks classification rules.
