CCNA CISA Information Protection Questions

75 of 83 questions · Page 1/2 · CISA Information Protection topic · Answers revealed

Question 1 (Multi-Select, hard)

An organization is implementing a privacy program to comply with GDPR. Which THREE of the following are essential elements for managing cross-border data transfers?

Select 3 answers
A. Standard Contractual Clauses (SCCs)
B. Data Protection Impact Assessment (DPIA)
C. Adequacy decision by the European Commission
D. Binding Corporate Rules (BCRs)
E. Data encryption at rest
Answers: A, C, D

SCCs are a legal mechanism for data transfers.

Why this answer

Under GDPR, cross-border data transfers require appropriate safeguards such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or an adequacy decision by the European Commission.

Question 2 (MCQ, medium)

During a review of firewall rule sets, an IS auditor finds a rule that allows any source IP to access any destination IP on TCP port 443. Which of the following should the auditor do FIRST?

A. Test whether the rule is actually being used.
B. Escalate the finding to senior management.
C. Determine if the rule has a documented business justification.
D. Recommend immediate removal of the rule.
Answer: C

The auditor should first check if the rule is authorized and necessary.

Why this answer

The first step is to verify the business justification for the rule, as it may be necessary for a specific application.

Question 3 (MCQ, medium)

An IS auditor is reviewing the process for granting privileged access in a large organization. Which of the following findings should be of MOST concern?

A. Privileged access is granted without approval from the system owner
B. Privileged accounts are not monitored in real-time
C. Privileged access is reviewed quarterly
D. There is no segregation of duties for privileged users
Answer: A

Lack of proper authorization increases the risk of inappropriate privilege assignment.

Why this answer

Privileged access requests must be properly authorized to prevent unauthorized elevation of privileges.

Question 4 (MCQ, easy)

Which of the following is the PRIMARY purpose of conducting a privacy impact assessment (PIA)?

A. To document the data processing activities
B. To obtain consent from data subjects
C. To ensure compliance with data protection laws
D. To identify privacy risks and recommend mitigations
Answer: D

The PIA is a risk management tool focused on privacy risks.

Why this answer

A PIA identifies and mitigates privacy risks associated with the processing of personal data.

Question 5 (Multi-Select, hard)

An organization is implementing a public key infrastructure (PKI) to issue digital certificates for internal applications. Which THREE of the following are essential elements of PKI governance that an IS auditor should review?

Select 3 answers
A. Certificate lifecycle management procedures (issuance, renewal, revocation).
B. Certificate revocation list (CRL) distribution points.
C. Certificate policy (CP) defining the legal and technical requirements.
D. Key length and algorithm specifications.
E. Number of certificates issued per month.
Answers: A, B, C

Lifecycle management is a core governance component.

Why this answer

PKI governance includes CA policies, certificate lifecycle management, and revocation mechanisms.

Question 6 (MCQ, medium)

An organization uses shared accounts for system administration. Which of the following is the MOST significant audit concern?

A. Increased complexity of password management
B. Lack of individual accountability and audit trail
C. Violation of segregation of duties
D. Higher risk of password sharing outside the team
Answer: B

This is the primary concern with shared accounts.

Why this answer

Shared accounts make it impossible to attribute actions to specific individuals, leading to loss of audit trail and non-repudiation. This is critical for forensic investigations and accountability.

Question 7 (Multi-Select, hard)

An IS auditor is reviewing the organization's incident management process. Which THREE of the following are essential components of an effective incident response plan?

Select 3 answers
A. Defined roles and responsibilities for the incident response team
B. Procedures for evidence collection and chain of custody
C. Communication procedures for internal and external stakeholders
D. A list of all employees and their contact information
E. A detailed technical guide for each software application
Answers: A, B, C

Clear roles ensure coordinated response.

Why this answer

An effective IR plan must include clear roles, communication procedures, and criteria for escalation and severity classification to ensure timely and coordinated response.

Question 8 (Multi-Select, medium)

An IS auditor is assessing network security controls. Which TWO of the following are key elements of a firewall rule review?

Select 2 answers
A. Checking for default passwords on firewall
B. Verifying that each rule has a business justification
C. Comparing actual rules to documented rules
D. Testing firewall failover capabilities
E. Reviewing firewall performance metrics
Answers: B, C

Ensures rules are necessary and not overly permissive.

Why this answer

A firewall rule review should compare documented rules with actual configured rules and verify business justifications for each rule.

Question 9 (MCQ, hard)

During an audit of network security controls, the IS auditor reviews firewall rule sets and identifies a rule that allows any-to-any traffic from the internal network to the Internet. The rule has a business justification. What is the auditor's BEST recommendation?

A. Add an intrusion prevention system (IPS) to monitor the traffic
B. Require all traffic to go through a proxy server
C. Implement a more restrictive rule set based on specific IP addresses and ports
D. Accept the risk because there is a business justification
Answer: C

This reduces the attack surface while meeting business needs.

Why this answer

Overly permissive rules should be tightened to reduce risk; the auditor should recommend implementing more specific rules based on actual needs.

Question 10 (MCQ, medium)

During an audit of a healthcare organization's information security program, the IS auditor finds that the security awareness training is conducted only at hire. Which of the following is the MOST significant risk associated with this practice?

A. Failure to comply with regulatory data protection requirements
B. Employees may not be aware of new security threats and vulnerabilities
C. Increased cost of incident response due to lack of preparedness
D. Increased likelihood of password sharing among employees
Answer: B

One-time training becomes outdated as threats evolve, leaving employees unprepared.

Why this answer

Without ongoing training, employees are less likely to stay informed about evolving threats, increasing the risk of security incidents due to human error.

Question 11 (MCQ, hard)

During an audit of patch management, the IS auditor notes that several critical patches have not been applied within the defined SLA. Which of the following is the BEST approach to evaluate the risk acceptance of these unpatched vulnerabilities?

A. Compute the aggregate risk score using a vulnerability management tool.
B. Review the risk acceptance documentation approved by the system owner and CISO.
C. Recommend immediate application of all missing patches.
D. Verify that the patches are not applicable to the environment.
Answer: B

Proper risk acceptance includes documented justification, compensating controls, and management approval.

Why this answer

Risk acceptance should be formally documented with compensating controls and management sign-off.

Question 12 (MCQ, medium)

An IS auditor is reviewing the process for granting access to a critical financial system. The auditor finds that access requests are approved by the system owner but there is no segregation between the request and approval functions for emergency access. Which of the following is the BEST control to mitigate this risk?

A. Implement a break-glass procedure with post-event review
B. Require two-factor authentication for emergency access
C. Disable emergency access and require standard approval
D. Log all emergency access activities without review
Answer: A

Break-glass allows emergency access and then reviews the action to ensure it was justified.

Why this answer

For emergency access, a break-glass procedure with post-event review ensures that urgent access is granted quickly but is later reviewed for appropriateness and accountability.

Question 13 (MCQ, medium)

An organization uses shared accounts for system administration. Which of the following is the BEST control to mitigate the risk of non-repudiation?

A. Changing the shared account password after each use.
B. Logging all commands executed by the shared account.
C. Requiring two-factor authentication for the shared account.
D. Implementing a privileged access management (PAM) solution with session recording.
Answer: D

PAM provides individual authentication, session recording, and audit trails, ensuring accountability.

Why this answer

To ensure accountability, individual user authentication must be implemented before granting privileged access.

Question 14 (MCQ, easy)

An organization has implemented a security awareness training program. Which of the following metrics would BEST indicate that the program is effective?

A. Percentage of employees who completed the training
B. Average score on post-training quiz
C. Number of reported phishing emails
D. Reduction in the number of successful phishing attacks
Answer: D

This shows that training has changed employee behavior and reduced risk.

Why this answer

A reduced number of successful phishing attacks indicates that employees are applying the training to recognize and avoid threats. The other metrics are useful but less direct indicators of behavioral change.

Question 15 (MCQ, easy)

An IS auditor is reviewing the logical access controls for a critical financial application. Which of the following is the MOST important control to ensure that user access rights remain appropriate over time?

A. Conducting periodic access recertification
B. Implementing single sign-on (SSO)
C. Enforcing password complexity rules
D. Using role-based access control (RBAC)
Answer: A

Access recertification is a key control to verify that users still need their assigned access.

Why this answer

Periodic access recertification ensures that users' access rights are reviewed and confirmed by managers, reducing the risk of excessive or inappropriate access.

Question 16 (MCQ, medium)

An organization uses a public key infrastructure (PKI) to issue digital certificates. The IS auditor is reviewing the certificate lifecycle management. Which of the following is the GREATEST risk if certificate revocation lists (CRLs) are not updated in a timely manner?

A. Certificate authorities may lose their root key
B. Compromised certificates could still be used to establish trust
C. Certificates may expire without renewal
D. Users may not be able to verify certificate signatures
Answer: B

Delayed CRL updates mean revoked certificates are still considered valid, enabling misuse.

Why this answer

If CRLs are stale, revoked certificates may still be trusted, allowing unauthorized parties to impersonate legitimate entities or access encrypted data.

Question 17 (MCQ, easy)

An organization is implementing a key management program to protect encryption keys. Which of the following is the MOST important control to ensure the security of cryptographic keys?

A. Separating key management duties
B. Storing keys in a hardware security module (HSM)
C. Regular key rotation
D. Encrypting keys with a master key
Answer: B

HSMs provide physical and logical protection for keys.

Why this answer

Using a hardware security module (HSM) provides tamper-resistant storage and management of keys, which is the most important control for key security. Other controls are important but secondary.

Question 18 (MCQ, hard)

During an audit of a public key infrastructure (PKI), the IS auditor finds that certificate revocation lists (CRLs) are only updated weekly. Which of the following is the MOST significant risk?

A. Certificate authorities may become unavailable
B. Revoked certificates may be accepted as valid
C. Increased network traffic due to large CRLs
D. Users may experience delays in certificate validation
Answer: B

The purpose of CRLs is to prevent use of revoked certificates; infrequent updates create a window of vulnerability.

Why this answer

Delays in CRL updates increase the window during which a revoked certificate may be accepted, potentially allowing unauthorized access.

Question 19 (Multi-Select, medium)

An IS auditor is assessing the data inventory of a financial institution to ensure compliance with privacy regulations. Which TWO of the following are essential elements that should be included in the data inventory?

Select 2 answers
A. The encryption algorithm used to protect the data
B. The location (systems and physical) where PII is stored
C. The cost of storing the data
D. The retention period for each type of PII
E. The names of all employees who process the data
Answers: B, D

Knowing where PII resides is fundamental to protecting it.

Why this answer

A data inventory should identify where PII is stored and the business purpose for processing, as these are critical for managing privacy risks.

Question 20 (MCQ, medium)

An organization is implementing a public key infrastructure (PKI) to support digital certificates. Which of the following is the MOST critical control to ensure the integrity of the certificate lifecycle?

A. Use of hardware security modules for key generation
B. Regular publication of certificate revocation lists (CRLs)
C. Establishment of a certificate policy (CP) and certification practice statement (CPS)
D. Secure storage of the root CA private key
Answer: C

The CP and CPS provide the framework for all PKI operations.

Why this answer

A robust certificate policy (CP) and certification practice statement (CPS) define the rules and procedures for certificate management, ensuring consistency and security. Other controls are important but are defined within the CP/CPS.

Question 21 (MCQ, medium)

An organization has implemented a key management program. Which of the following is the MOST critical control for ensuring the security of cryptographic keys?

A. Secure key storage (e.g., HSM)
B. Key rotation policy
C. Key generation in a secure environment
D. Key destruction procedures
Answer: A

Protecting keys from theft is foundational.

Why this answer

Secure key storage, such as using a hardware security module (HSM) or key vault, is critical to prevent unauthorized access to keys. Without secure storage, other controls are less effective.

Question 22 (Multi-Select, easy)

An IS auditor is reviewing the process for granting access to a sensitive financial application. Which TWO of the following are the MOST important controls to ensure appropriate access?

Select 2 answers
A. Use of biometric authentication
B. Single sign-on for all applications
C. Quarterly recertification of access by managers
D. Automatic provisioning upon employee hire
E. Access requests approved by the data owner
Answers: C, E

Recertification ensures that access is still needed.

Why this answer

Formal approval from the data owner ensures that access is authorized based on business need, and periodic recertification ensures that access remains appropriate over time.

Question 23 (MCQ, easy)

An IS auditor is reviewing an organization's logical access control processes. Which of the following is the primary purpose of conducting regular user access recertifications?

A. To identify inactive user accounts
B. To verify that users' access rights remain appropriate for their roles
C. To ensure compliance with password policies
D. To enforce segregation of duties
Answer: B

This is the core objective of access recertification.

Why this answer

User access recertifications confirm that current access rights are still appropriate for users' job functions and that no excessive privileges exist. This ensures the principle of least privilege.

Question 24 (Multi-Select, medium)

An IS auditor is assessing the vulnerability management program of a financial services company. The auditor reviews the latest vulnerability scan report and finds that several critical vulnerabilities have not been patched within the defined SLA of 30 days. The IT manager explains that patches could not be applied due to compatibility issues with legacy applications, and risk acceptance has been documented for some but not all. Which THREE of the following are the MOST appropriate audit findings?

Select 3 answers
A. Vulnerability scan reports are not reviewed by management
B. Risk acceptance is not documented for all unpatched critical vulnerabilities
C. The patching SLA may be unrealistic for legacy systems
D. The vulnerability scanning schedule may not cover all assets
E. Critical vulnerabilities are not being patched within the defined SLA
Answers: B, C, D

Lack of risk acceptance for known vulnerabilities is a control deficiency.

Why this answer

The auditor should identify that some vulnerabilities lack formal risk acceptance, that the SLA may need adjustment for legacy systems, and that scan reports may not accurately reflect the current status. While patch deployment is important, the immediate findings relate to documentation and SLA adequacy.

Question 25 (MCQ, easy)

An IS auditor is reviewing physical access controls at a data center. Which of the following controls is MOST effective for preventing tailgating?

A. CCTV cameras
B. Visitor log
C. Mantrap
D. Biometric readers
Answer: C

A mantrap physically prevents multiple people from entering together.

Why this answer

A mantrap is a small room with two interlocking doors that prevents tailgating because only one person can pass through at a time.

Question 26 (MCQ, medium)

An IS auditor is reviewing the incident response (IR) process. Which of the following is the MOST important characteristic of an effective tabletop exercise?

A. It measures the technical skills of the IR team.
B. It uses a realistic scenario based on current threats.
C. It involves all relevant stakeholders in a discussion format.
D. It is conducted without prior notice to participants.
Answer: C

Involving key personnel and promoting discussion tests coordination and decision-making.

Why this answer

Tabletop exercises should focus on testing decision-making and communication, not just technical steps.

Question 27 (MCQ, hard)

An IS auditor is reviewing a penetration test report that shows a critical vulnerability in a web application. The IT manager states that the vulnerability will not be fixed because it requires significant code changes and the application is being decommissioned in six months. What should the auditor do?

A. Accept the decision as business risk acceptance
B. Escalate to senior management as a critical finding
C. Recommend immediate decommissioning of the application
D. Verify that the risk has been formally accepted and compensating controls are implemented
Answer: D

This ensures the risk is managed appropriately.

Why this answer

The auditor should verify that the risk is formally accepted by management and that compensating controls are in place to protect the application until decommissioning.

Question 28 (MCQ, medium)

An organization has implemented a clean desk policy. Which of the following is the BEST audit procedure to verify compliance?

A. Reviewing security camera footage of office areas
B. Reviewing the policy document and employee acknowledgments
C. Interviewing employees about the policy
D. Conducting unannounced inspections of workstations
Answer: D

Unannounced inspections reveal actual adherence to the policy.

Why this answer

Surprise walkthroughs provide a realistic view of daily compliance, unlike scheduled inspections.

Question 29 (MCQ, hard)

During a review of firewall rule sets, an IS auditor identifies a rule that allows 'any-any' traffic from an internal subnet to the DMZ. The rule was implemented six months ago based on a business request that has since been completed. The firewall administrator explains that the rule was kept for convenience. Which of the following is the BEST audit recommendation?

A. Conduct a penetration test to assess the risk
B. Remove the rule immediately and verify no impact
C. Document the rule with a risk acceptance signed by management
D. Modify the rule to allow only specific ports and protocols
Answer: B

Since the business request is completed, the rule should be removed to reduce risk.

Why this answer

Keeping a rule after the business need has ended violates the principle of least privilege. The best recommendation is to remove the rule immediately, as retaining it increases risk without justification.

Question 30 (MCQ, easy)

Which of the following is the BEST indicator of the effectiveness of a security awareness program?

A. Reduction in the number of successful phishing attacks.
B. Positive feedback from employees about the training.
C. Number of employees who completed the training.
D. Average test scores on post-training assessments.
Answer: A

This directly measures improved security behavior.

Why this answer

A decrease in successful phishing attacks demonstrates behavioral change.

Question 31 (MCQ, medium)

An IS auditor is reviewing the firewall rule base. Which of the following findings would be of MOST concern?

A. A rule that has not been reviewed for 18 months
B. A rule that permits traffic from a specific IP to a database server on port 1433
C. A rule that allows any source IP to access a critical server on port 443
D. A rule that allows any service from the Internet to the internal network
Answer: D

This is a classic any-any rule that bypasses security.

Why this answer

An allow rule from any to any (any-any) is overly permissive and poses a significant security risk. The other options are also problems but are less severe than a wide-open rule.

Question 32 (MCQ, medium)

An IS auditor is reviewing the key management program for an organization's encryption systems. Which of the following is the MOST critical control to ensure the security of encryption keys?

A. Storing keys on hardware security modules (HSMs)
B. Using strong encryption algorithms
C. Ensuring keys are backed up
D. Implementing key rotation at defined intervals
Answer: D

Rotating keys reduces the window of exposure if a key is compromised.

Why this answer

Regular key rotation limits the amount of data compromised if a key is exposed.

Question 33 (Multi-Select, easy)

During an audit of physical security, the IS auditor observes that employees frequently leave confidential documents on their desks overnight. Which TWO controls should the auditor recommend?

Select 2 answers
A. Deploy additional CCTV cameras
B. Conduct security awareness training
C. Implement a clean desk policy
D. Implement a visitor management system
E. Install motion detectors
Answers: B, C

Training reinforces the policy and its importance.

Why this answer

A clean desk policy requires employees to secure documents at end of day, and a security awareness program reminds them of the policy and consequences.

Question 34 (MCQ, hard)

An organization processes personal data of EU residents and has implemented pseudonymisation as a privacy control. The IS auditor is reviewing the effectiveness of this control in meeting GDPR requirements. Which of the following is the MOST important limitation of pseudonymisation?

A. Pseudonymisation eliminates the need for data subject rights
B. Pseudonymisation is not recognized by GDPR
C. Pseudonymisation cannot be applied to structured data
D. Pseudonymised data is still considered personal data under GDPR
Answer: D

Pseudonymisation reduces risks but does not remove the data from GDPR scope; it is still personal data.

Why this answer

Pseudonymisation reduces the link between data and an individual but does not fully anonymize the data; the pseudonymised data remains personal data if the pseudonym can be reversed using additional information held separately.

Question 35 (MCQ, medium)

An organization is implementing a privileged access management (PAM) solution. Which of the following is the PRIMARY benefit of using a PAM tool?

A. Elimination of shared accounts by providing individual credentials
B. Enforcement of segregation of duties between IT and security teams
C. Automated password resets for user accounts
D. Centralized management and monitoring of privileged account usage
Answer: D

This is the primary function of PAM.

Why this answer

PAM tools primarily help control and monitor the use of privileged accounts, thus reducing the risk of misuse by enforcing policies like session recording and just-in-time access.

Question 36 (MCQ, easy)

An IS auditor is reviewing the physical access controls at a data center. Which of the following is the MOST effective control to prevent tailgating?

A. Security guards at the entrance
B. CCTV cameras at the entrance
C. Mantrap
D. Biometric readers at all entrances
Answer: C

A mantrap physically prevents tailgating by allowing only one person through at a time.

Why this answer

A mantrap requires one person to enter at a time and prevents unauthorized individuals from following an authorized person through a door.

Question 37 (MCQ, easy)

An IS auditor is reviewing the incident response (IR) process. Which of the following is the BEST way to test the effectiveness of the IR plan?

A. Checking the availability of forensic tools
B. Interviewing the IR team
C. Conducting a tabletop exercise
D. Reviewing IR policies and procedures
Answer: C

This tests the plan in a controlled environment.

Why this answer

Tabletop exercises simulate real incidents and allow the team to practice their response, revealing gaps in the plan and coordination.

Question 38 (MCQ, easy)

Which of the following is the PRIMARY reason for implementing network segmentation?

A. To comply with licensing requirements.
B. To simplify IP address management.
C. To contain security breaches and limit lateral movement.
D. To improve network performance.
Answer: C

Segmentation restricts an attacker's ability to move within the network.

Why this answer

Segmentation limits the spread of attacks by isolating sensitive systems.

Question 39 (MCQ, hard)

An IS auditor is evaluating the encryption strategy for a healthcare organization subject to HIPAA. Which of the following is the MOST significant risk if the organization relies solely on encryption as a safe harbor?

A. Encryption keys are stored on the same server as the encrypted data.
B. The encryption algorithm used is not FIPS 140-2 validated.
C. Encryption is not applied to all ePHI in transit.
D. The encryption key rotation policy is not documented.
Answer: A

If keys are co-located, encryption can be easily bypassed, and safe harbor may not apply.

Why this answer

Encryption safe harbor only applies if encryption meets specific standards; gaps in key management can invalidate safe harbor.

Question 40 (Multi-Select, medium)

An IS auditor is reviewing the physical access controls at a data center. Which TWO of the following are the MOST effective controls to prevent unauthorized tailgating?

Select 2 answers
A. CCTV cameras at entry points.
B. Security guards checking badges.
C. Mantrap with interlocking doors.
D. Turnstiles that allow only one person per authentication.
E. Biometric authentication.
Answers: C, D

Mantraps physically prevent tailgating.

Why this answer

Mantraps and turnstiles are designed to prevent tailgating by allowing only one person per entry.

Question 41 (MCQ, medium)

An IS auditor is reviewing the organization's encryption key management program. Which of the following is the MOST critical control to ensure the confidentiality of encrypted data in the event of a key compromise?

A. Key rotation at regular intervals
B. Key generation using a strong random number generator
C. Key destruction procedures for retired keys
D. Key distribution via secure channels
Answer: A

Rotating keys limits the amount of data exposed if a key is compromised.

Why this answer

Key rotation ensures that if a key is compromised, only data encrypted with that key after a certain point is at risk; data encrypted with previous keys remains protected if those keys are properly destroyed.

Question 42 (MCQ, hard)

An IS auditor is reviewing a vulnerability scan report and finds that a critical vulnerability on a web server has been open for 90 days beyond the remediation SLA. The system owner states that the vulnerability cannot be patched because it would break a legacy application. What should the auditor recommend?

A. Require the system owner to sign a risk acceptance form
B. Escalate the issue to the board of directors
C. Implement compensating controls and close the finding
D. Recommend decommissioning the web server
Answer: A

Formal risk acceptance documents the decision and accountability.

Why this answer

The appropriate action is to formally accept the risk through a documented risk acceptance process, with sign-off from management. This ensures accountability and awareness. The other options are either premature or inappropriate.

Question 43 (MCQ, medium)

An IS auditor is reviewing the user access recertification process. Which of the following findings would MOST concern the auditor regarding the effectiveness of access reviews?

A. The recertification report includes all users with active accounts
B. Reviews are performed quarterly instead of annually
C. Some users did not respond to the recertification request within the deadline
D. Managers approve all access requests without verifying job requirements
Answer: D

This shows that the review is not meaningful; access may not be justified.

Why this answer

If managers approve access without verifying actual job requirements, the recertification process is ineffective. This indicates a rubber-stamping issue. The other options are less critical or address different aspects.

Question 44 (Multi-Select, easy)

An IS auditor is reviewing the logical access controls for a cloud-based HR system. The system contains sensitive employee data. The auditor notes that user provisioning is performed by the HR department without IT involvement, and there is no formal access request or approval process. Which THREE of the following are the MOST significant risks?

Select 3 answers
A. There is no audit trail of who granted access and why
B. Segregation of duties between HR and IT is not maintained
C. Password policies may not be enforced
D. Users may be granted excessive privileges beyond their job requirements
E. User accounts may not be locked after multiple failed login attempts
Answers: A, B, D

Lack of formal process means no accountability.

Why this answer

Without formal access controls, users may receive excessive privileges, there is no audit trail for access grants, and segregation of duties is violated. While password security and user lockout are relevant, the primary risks stem from the lack of control over provisioning.

Question 45 (MCQ, medium)

An IS auditor is reviewing the physical access controls at a data center. Which of the following is the MOST effective control to prevent tailgating?

A. Mantrap with two interlocking doors
B. Biometric access controls
C. CCTV cameras at entrances
D. Security guards at the entrance
Answer: A

A mantrap physically enforces single passage.

Why this answer

A mantrap allows only one person to pass at a time, preventing unauthorized individuals from following an authorized person.

Question 46 (MCQ, medium)

An IS auditor is reviewing the access recertification process for a financial application. The process requires users' managers to confirm access rights quarterly. Which of the following findings should MOST concern the auditor?

A. Access rights are recertified annually instead of quarterly.
B. There is no process to act on access changes identified during recertification.
C. Recertification forms are completed by users themselves rather than managers.
D. Recertification results are not documented or retained.
Answer: B

Without remediation, recertification is ineffective; the auditor should be most concerned about the lack of follow-up.

Why this answer

The recertification process should include a timely follow-up on access changes. Without this, outdated permissions may persist, increasing risk.

Question 47 (Multi-Select, medium)

During an audit of the incident response process, the IS auditor finds that the organization relies on shared accounts for system administration. Which TWO of the following are the MOST significant risks associated with shared accounts?

Select 2 answers
A.Increased complexity in password management
B.Lack of individual accountability for actions performed
C.Increased overhead for account provisioning
D.Audit trails may not be reliable for forensic investigations
E.Higher likelihood of password sharing outside the authorized group
AnswersB, D

Without unique IDs, it's impossible to know who performed a specific action.

Why this answer

Shared accounts make it difficult to attribute actions to specific individuals and can lead to loss of audit trail, increasing the risk of undetected misuse.

48
MCQmedium

An IS auditor is evaluating the incident response (IR) plan. Which of the following is the BEST indicator that the plan is effective?

A.The plan is approved by senior management
B.The plan is updated annually
C.Lessons learned from tabletop exercises are incorporated into the plan
D.The plan includes contact information for key stakeholders
AnswerC

This shows continuous improvement and practical testing.

Why this answer

Lessons learned from tabletop exercises demonstrate that the plan is tested and improved. Other options are components but do not directly indicate effectiveness.

49
Multi-Selectmedium

An IS auditor is reviewing the privileged access management (PAM) process. Which TWO of the following are the MOST effective controls to prevent misuse of privileged accounts?

Select 2 answers
A.Session recording and monitoring of privileged activities
B.Implementation of just-in-time (JIT) privileged access
C.Quarterly review of privileged account access
D.Assignment of generic administrative accounts to multiple users
E.Use of shared passwords for emergency access
AnswersA, B

Provides accountability and deterrence.

Why this answer

Session recording and monitoring (A) allows review of actions, and just-in-time (JIT) access (B) grants temporary privileges, reducing the window for misuse. Generic accounts (D) and shared passwords (E) increase risk, and quarterly reviews (C) are detective but not preventive.

50
MCQmedium

During a review of the patch management process, the IS auditor finds that critical security patches are applied within 30 days, but the policy requires application within 7 days. The IT manager argues that the delay is due to testing requirements. What should the auditor recommend?

A.Escalate to senior management immediately
B.Update the policy to allow 30 days for critical patches
C.Require risk acceptance documentation for each patch that misses the SLA
D.Accept the delay as necessary for stability
AnswerC

This ensures management formally accepts the residual risk.

Why this answer

The best course is to document the risk acceptance for each delayed patch, ensuring management is aware and accepts the risk. This formalizes the deviation and maintains accountability.

51
MCQmedium

During a privacy audit, the IS auditor discovers that the organization does not have a complete data inventory. What is the PRIMARY risk associated with this finding?

A.Increased likelihood of data breaches
B.Inability to fulfill data subject access requests within required timeframes
C.Higher costs for data storage
D.Difficulty in encrypting data at rest
AnswerB

This is a direct consequence of not knowing where PII resides.

Why this answer

Without knowing where PII is stored and processed, the organization cannot effectively protect it, respond to data subject requests, or ensure compliance with privacy regulations like GDPR.

52
MCQhard

An IS auditor is reviewing an organization's key management program. Which of the following is the GREATEST risk associated with using a single key for both encryption and decryption of sensitive data?

A.The key management system cannot generate such a key.
B.The key may be more easily guessed by attackers.
C.Non-repudiation cannot be achieved.
D.Key rotation requires re-encrypting all data encrypted with that key.
AnswerD

This operational difficulty may lead to prolonged use of a compromised key.

Why this answer

Symmetric keys must be protected; if compromised, both confidentiality and integrity are at risk. However, the primary risk is the inability to rotate keys without re-encrypting all data, leading to potential exposure if the key is compromised.

53
Multi-Selecthard

During a firewall rule review, an IS auditor identifies several rules that allow any-to-any traffic. Which THREE of the following should the auditor recommend as the MOST appropriate actions?

Select 3 answers
A.Obtain business justification for each any-to-any rule
B.Replace any-to-any rules with specific source/destination rules
C.Immediately delete all any-to-any rules without review
D.Increase logging for any-to-any rules to detect misuse
E.Remove any-to-any rules that lack business justification
AnswersA, B, E

Understanding why the rule exists is the first step.

Why this answer

Overly permissive rules should be reviewed to determine whether they are needed. If no business justification exists, they should be removed; if they are needed, they should be replaced with specific source/destination rules.

54
MCQmedium

An organization has a clean desk policy. Which of the following is the BEST audit procedure to test compliance with this policy?

A.Interview employees about their understanding of the policy.
B.Review security awareness training records.
C.Review incident reports related to lost documents.
D.Conduct unannounced walkthroughs of work areas.
AnswerD

Unannounced walkthroughs reveal actual compliance.

Why this answer

Direct observation provides the most reliable evidence of compliance.

55
Multi-Selecthard

An organization is planning to implement a data loss prevention (DLP) solution to protect sensitive data. Which THREE of the following are essential steps to ensure the effectiveness of the DLP program?

Select 3 answers
A.Encrypting all data at rest and in transit
B.Classifying data based on sensitivity
C.Monitoring and tuning DLP rules regularly
D.Training all employees on data handling procedures
E.Defining DLP policies and rules
AnswersB, C, E

Data classification is a prerequisite for DLP rules.

Why this answer

Classifying data (B) is foundational to know what to protect. Defining policies (E) dictates the rules. Monitoring and tuning (C) ensures the policies remain effective.

Encrypting all data (A) is not always feasible or appropriate. Training (D) is important but not an essential step for DLP effectiveness.

56
MCQmedium

An IS auditor is reviewing logical access controls for a critical application. Which of the following is the MOST important control to detect unauthorized access?

A.Strong password policy
B.Audit logging of access attempts
C.Monthly access recertification
D.Role-based access control (RBAC)
AnswerB

Logs provide a record that can be reviewed to identify unauthorized access.

Why this answer

Audit logs of successful and failed access attempts provide the evidence needed to detect unauthorized access. Other controls prevent or limit access but do not detect it after the fact.

57
MCQmedium

An IS auditor is evaluating the effectiveness of a security awareness program. Which of the following metrics would BEST indicate that the program is achieving its objectives?

A.Scores on post-training quizzes
B.Reduction in the number of successful phishing attacks
C.Percentage of employees who completed the annual training
D.Number of security incidents reported by employees
AnswerB

This directly measures behavior change and the effectiveness of training.

Why this answer

A reduction in the number of successful phishing attacks over time demonstrates that employees are better at recognizing and reporting phishing attempts, indicating improved security awareness.

58
MCQhard

An IS auditor is reviewing the password policy for a system that processes sensitive financial data. Which of the following is the MOST effective control to mitigate the risk of password cracking?

A.Implement account lockout after 5 failed attempts
B.Require passwords of at least 12 characters with complexity
C.Maintain a password history to prevent reuse
D.Enforce two-factor authentication for all users
AnswerA

Lockout stops brute-force attacks by limiting the number of attempts.

Why this answer

Account lockout after a few failed attempts is the most effective control to prevent brute-force password cracking. Complexity and length help but do not prevent automated attacks; 2FA is strong but not specifically for cracking; password history prevents reuse but not cracking.

59
MCQeasy

An IS auditor is assessing the effectiveness of network segmentation for a payment card processing environment. Which of the following is the PRIMARY benefit of network segmentation in meeting PCI DSS requirements?

A.Reduced scope of the PCI DSS assessment
B.Improved network performance
C.Elimination of the need for firewalls
D.Simplified patch management
AnswerA

Segmentation allows the cardholder data environment to be isolated, reducing the number of systems that must be compliant.

Why this answer

Network segmentation reduces the scope of the PCI DSS assessment by isolating the cardholder data environment from other networks, so only systems that handle card data need to comply with PCI DSS.

60
MCQmedium

An IS auditor is reviewing the vulnerability management program. The auditor notes that a critical vulnerability was identified in a production system six months ago and has not been patched due to a business impact assessment. Which of the following should the auditor examine NEXT?

A.The technical details of the vulnerability
B.The patch deployment schedule for the next quarter
C.Whether a formal risk acceptance and compensating controls are in place
D.The vendor's patch release notes
AnswerC

If the organization decided not to patch, there should be documented risk acceptance and compensating controls.

Why this answer

The auditor should verify that the risk acceptance is formally documented and approved by the appropriate management, including compensating controls, to ensure the risk is managed.

61
MCQhard

An IS auditor is reviewing firewall rule sets and discovers a rule that permits any source IP to access the internal database server on TCP port 1433 (Microsoft SQL). The rule was documented as a temporary measure but has been in place for 18 months. What is the auditor's BEST course of action?

A.Report the issue to senior management as a critical finding
B.Recommend immediate removal of the rule
C.Accept the risk as a compensating control
D.Determine if there is a business justification for the rule and, if not, recommend removal or restriction to specific IPs
AnswerD

This approach ensures that necessary access is maintained while reducing risk.

Why this answer

Overly permissive rules that are not justified create significant risk. The auditor should first confirm the business need and then recommend removal or tightening of the rule. If no valid justification exists, the rule should be removed.

62
MCQhard

An IS auditor is reviewing an organization's vulnerability management program. The auditor notes that a critical vulnerability in a key application has not been patched for 90 days, and there is no documented risk acceptance. What should the auditor do FIRST?

A.Report the finding as a non-compliance with the patch management policy
B.Discuss with management the absence of a risk acceptance
C.Escalate the issue to senior management immediately
D.Determine if compensating controls exist to mitigate the vulnerability
AnswerD

Compensating controls may reduce risk; the auditor should evaluate them before making a recommendation.

Why this answer

The auditor should determine if compensating controls are in place to mitigate the risk, as this information is essential to assess the residual risk.

63
MCQhard

During an audit of privacy controls, the IS auditor discovers that the organization processes personal data of EU residents but has not appointed a Data Protection Officer (DPO). Which regulation is MOST likely being violated?

A.PCI DSS
B.SOX
C.HIPAA
D.GDPR
AnswerD

GDPR mandates a DPO under certain conditions, which likely apply here.

Why this answer

GDPR requires mandatory appointment of a DPO for organizations that process special categories of data or engage in large-scale systematic monitoring. The other regulations do not have a DPO requirement.

64
MCQmedium

An IS auditor is reviewing the access recertification process for a financial institution. The process requires users and their managers to confirm access rights quarterly. During the review, the auditor finds that recertifications are consistently completed late, with an average delay of 45 days. Additionally, terminated employees' access is not always removed promptly, and there are no compensating controls. Which of the following is the MOST significant risk arising from these findings?

A.Increased likelihood of audit findings for non-compliance with internal policies
B.Difficulty in tracking user access history
C.Higher probability of unauthorized access to sensitive information
D.Potential loss of audit trails for access changes
AnswerC

Delayed recertification and failure to promptly remove terminated employees' access increase the risk of unauthorized access.

Why this answer

The greatest risk from delayed access recertification and late removal of terminated employees is that unauthorized users may retain access, leading to potential data breaches or fraudulent activities. While audit trails and policy violations are concerns, the primary risk is unauthorized access.

65
Multi-Selectmedium

An IS auditor is reviewing the organization's data inventory process for privacy compliance. Which TWO of the following are the MOST important elements that should be included in the data inventory?

Select 2 answers
A.Data elements or fields containing personal data
B.Data classification labels
C.Location of personal data storage and processing
D.Data retention periods
E.Data subject consent status
AnswersA, C

Identifying specific data fields helps in mapping and protection.

Why this answer

Data inventory must identify what personal data is held, where it is stored, and how it flows. Legal basis and retention are also important, but location and data elements are foundational.

66
MCQeasy

Which of the following is the PRIMARY purpose of conducting a privacy impact assessment (PIA) before implementing a new system that processes personal data?

A.To document data flows for audit purposes.
B.To identify and mitigate privacy risks.
C.To obtain consent from data subjects.
D.To ensure compliance with data protection regulations.
AnswerB

PIA systematically assesses privacy risks and proposes mitigations.

Why this answer

PIA aims to identify and mitigate privacy risks early in the project lifecycle.

67
Multi-Selectmedium

An IS auditor is assessing the organization's compliance with privacy regulations regarding cross-border data transfers. Which THREE of the following are acceptable mechanisms to legitimize such transfers under the GDPR?

Select 3 answers
A.Binding corporate rules (BCRs) approved by a supervisory authority
B.Encryption of data prior to transfer
C.Standard contractual clauses (SCCs) adopted by the European Commission
D.Adequacy decision by the European Commission for the recipient country
E.Explicit consent from the data subjects
AnswersA, C, D

BCRs are a valid mechanism for intra-group transfers.

Why this answer

Standard contractual clauses (SCCs) and binding corporate rules (BCRs) are recognized mechanisms under GDPR. Adequacy decisions cover some countries. Consent alone is not sufficient if other safeguards are missing; encryption does not legitimize the transfer.

68
MCQeasy

An IS auditor is reviewing the physical access controls at a data center. Which of the following is the MOST effective control to prevent tailgating?

A.Badge access system with PIN
B.Visitor sign-in log
C.Mantrap entry system
D.CCTV surveillance at entrances
AnswerC

A mantrap physically restricts entry to one person at a time, preventing tailgating.

Why this answer

A mantrap is a small room with two sets of interlocking doors, designed to prevent tailgating by allowing only one person to enter at a time. CCTV, badge access, and visitor logs are supportive but do not directly prevent tailgating.

69
MCQeasy

Which of the following is the PRIMARY objective of a penetration test?

A.To test the incident response capability
B.To validate the effectiveness of security controls
C.To ensure compliance with security standards
D.To identify vulnerabilities that could be exploited by an attacker
AnswerD

The primary goal is to discover exploitable vulnerabilities.

Why this answer

Penetration testing aims to identify exploitable vulnerabilities that could be used by an attacker.

70
Multi-Selectmedium

An IS auditor is reviewing the data subject rights fulfillment process for GDPR compliance. Which TWO of the following are required to be completed within the one-month response period?

Select 2 answers
A.Right to erasure (deleting personal data).
B.Right to object to processing (ceasing processing).
C.Right to rectification (correcting inaccurate data).
D.Right of access (providing a copy of personal data).
E.Right to data portability (transferring data to another controller).
AnswersA, D

Erasure requests must be addressed without undue delay, generally within one month.

Why this answer

GDPR requires responses to access requests and erasure requests within one month, subject to certain conditions.

71
MCQmedium

An IS auditor is reviewing the logical access controls for a financial application. The auditor notices that user access reviews are performed annually by the application owner, but there is no documentation indicating that managers confirm the continued need for access. Which of the following is the MOST significant risk associated with this finding?

A.Unauthorized access to sensitive data due to excessive privileges
B.Increased likelihood of successful social engineering attacks
C.Non-compliance with regulatory requirements for access controls
D.Inability to detect insider threats in a timely manner
AnswerA

Without manager confirmation, users may retain access they no longer need, increasing the risk of unauthorized access.

Why this answer

Without manager confirmation, access may remain for users who no longer need it, leading to segregation of duties conflicts or unauthorized access. Annual reviews without manager sign-off increase the risk that access is not appropriately revoked when roles change.

72
MCQmedium

An IS auditor is reviewing the logical access controls for a critical database. Which of the following findings should be considered the HIGHEST risk?

A.Database administrators share a common user ID for maintenance tasks.
B.The default 'sa' account is enabled with the default password.
C.Access rights are reviewed on an annual basis.
D.The database has not undergone a vulnerability scan in six months.
AnswerB

Default accounts with default passwords are a critical vulnerability.

Why this answer

Default passwords are a well-known vulnerability that can be easily exploited.

73
MCQmedium

During an audit of the incident management process, the IS auditor finds that tabletop exercises have not been conducted in the past two years. What is the MOST significant risk associated with this finding?

A.The organization may fail to detect an incident in a timely manner
B.The organization may not comply with regulatory reporting requirements
C.The incident response plan may be outdated
D.Employees may not know their roles during an incident
AnswerD

Tabletop exercises help familiarize team members with their responsibilities.

Why this answer

Without regular testing, the incident response team may not be prepared to effectively handle a real incident.

74
MCQhard

During a review of the incident management process, the IS auditor finds that the incident response (IR) team conducts tabletop exercises annually, but the scenarios are limited to malware outbreaks. Which of the following should be the auditor's GREATEST concern?

A.The IR team may not have adequate forensic capabilities
B.The exercises are not conducted quarterly
C.The IR team is not following the defined procedures
D.The IR plan may not address all relevant incident types
AnswerD

If exercises only cover malware, other incident types may not be tested, leaving gaps in preparedness.

Why this answer

Limited scenarios mean the IR team may not be prepared for other types of incidents, such as data breaches or insider threats, which require different response procedures.

75
MCQmedium

During a review of encryption practices, the IS auditor finds that an organization uses the same encryption key for all customer data at rest. What is the PRIMARY concern?

A.Performance degradation due to key reuse
B.Inability to revoke access to specific data
C.Non-compliance with GDPR pseudonymization requirements
D.Increased risk of data exposure if the key is compromised
AnswerD

A single key compromise exposes all encrypted data.

Why this answer

Using a single key for all data increases the impact of key compromise. If the key is compromised, all data becomes accessible. Key management should include key rotation and different keys for different data sets.
