CCNA Info Asset Protection Questions

75 of 123 questions · Page 1/2 · Info Asset Protection topic · Answers revealed

Question 1 (MCQ, hard)

A multinational company must comply with GDPR and local data protection laws when transferring personal data from the EU to a subsidiary in the US. Which transfer mechanism is most commonly accepted as providing adequate protection?

A. A data protection impact assessment (DPIA) approved by the local supervisory authority.
B. Standard Contractual Clauses (SCCs) adopted by the European Commission.
C. Explicit consent from each data subject for the transfer.
D. Binding Corporate Rules (BCRs) for intra-group transfers.
Answer: B

SCCs are a ready-to-use mechanism that provides contractual guarantees of adequate protection for cross-border data transfers.

Why this answer

Standard Contractual Clauses (SCCs) are pre-approved model contracts issued by the European Commission that provide a legally recognized mechanism for transferring personal data from the EU to a third country, such as the US, without requiring additional authorization. They are the most commonly accepted transfer mechanism because they impose contractual obligations on both the data exporter and importer to ensure adequate data protection, aligning with GDPR Article 46 requirements.

Exam trap

The trap here is that candidates often assume Binding Corporate Rules (BCRs) are the default intra-group mechanism, but SCCs are more commonly used because they are pre-approved, faster to implement, and do not require supervisory authority approval, making them the practical choice for most multinational transfers.

How to eliminate wrong answers

Option A is wrong because a Data Protection Impact Assessment (DPIA) is a risk assessment tool required under GDPR Article 35 for high-risk processing, not a transfer mechanism that provides adequate protection for cross-border data transfers. Option C is wrong because explicit consent under GDPR Article 49 is an exception for specific, occasional transfers and is not considered a reliable, ongoing adequate protection mechanism due to issues of revocability and power imbalance. Option D is wrong because Binding Corporate Rules (BCRs) are a valid intra-group transfer mechanism, but they require approval from the relevant supervisory authority and are less commonly used than SCCs due to the lengthy approval process and complexity of implementation.

Question 2 (MCQ, hard)

Refer to the exhibit. A CISA is analyzing these logs. What is the MOST likely security incident?

A. Legitimate system maintenance activity
B. Brute force attack on the administrator account
C. Unauthorized installation of a critical update
D. Compromised administrator account used to establish a command and control channel
Answer: D

The attacker disabled a key process and set up a backdoor.

Why this answer

The logs show the administrator account executing a reverse shell connection (e.g., using PowerShell or netcat) to an external IP address on a non-standard port (e.g., 4444 or 8080). This outbound connection initiated by the admin account is a classic indicator of a command and control (C2) channel, where an attacker who has compromised the account uses it to maintain persistent remote access. Legitimate administrative activity would not typically involve establishing a reverse shell to an unknown external host.

Exam trap

The trap here is that candidates may mistake the single successful admin login as a brute force success (option B), but the subsequent reverse shell activity is the definitive indicator of a compromised account used for C2, not just credential guessing.

How to eliminate wrong answers

Option A is wrong because legitimate system maintenance activity would not involve an outbound reverse shell to an external IP on a non-standard port; maintenance tasks use standard protocols like SSH (port 22) or RDP (port 3389) to known internal servers. Option B is wrong because a brute force attack would show multiple failed login attempts from various IPs or usernames, not a single successful login followed by a reverse shell connection. Option C is wrong because unauthorized installation of a critical update would typically involve file downloads or execution of installer binaries, not the establishment of a persistent outbound reverse shell channel.

Question 3 (Matching, medium)

Match each regulatory standard to its focus area.


Concepts
Matches

Financial reporting controls

Payment card data security

Health information privacy

Personal data protection

Why these pairings

Compliance requirements vary by industry.

Question 4 (MCQ, medium)

Based on the exhibit, which user account poses the HIGHEST security risk?

A. root
B. admin
C. test
D. None of the accounts are risky
Answer: B

The '!' indicates a locked password, but the account may still exist.

Why this answer

The 'admin' account poses the highest security risk because it typically has elevated privileges (e.g., sudo or administrator group membership) and is often configured with a default or weak password. Unlike 'root', which can be locked or disabled for direct SSH login, the 'admin' account is commonly used for day-to-day administrative tasks and may have password-based authentication enabled, making it a prime target for brute-force attacks. In many Linux/Unix systems, 'admin' is a standard user with UID 0 or sudo rights, and its compromise grants full system control.

Exam trap

The trap here is that candidates assume 'root' is always the highest risk due to its name, but CISA tests the understanding that a disabled or locked root account is less risky than an active, privileged 'admin' account with password-based authentication.

How to eliminate wrong answers

Option A is wrong because 'root' is often locked for direct login (e.g., PermitRootLogin no in sshd_config) or has a strong password enforced by policy, reducing its immediate risk compared to an active admin account. Option C is wrong because 'test' accounts are typically non-privileged, have limited access, and are often disabled or have expired passwords, making them lower risk. Option D is wrong because the 'admin' account clearly presents a higher risk due to its privileged nature and common weak configurations, so it is incorrect to say none are risky.

Question 5 (MCQ, hard)

An IS auditor reviews the log entry above. Which of the following is the MOST likely cause of the authentication failure?

A. The user's account is locked.
B. The user's password is incorrect.
C. The client certificate presented has a common name that does not match the configured expected name.
D. The RADIUS server is unavailable.
Answer: C

Error message states 'Invalid certificate CN'.

Why this answer

The log entry indicates an authentication failure with a client certificate. The error 'CN mismatch' or similar certificate validation failure occurs when the Common Name (CN) in the client certificate does not match the expected name configured on the server (e.g., in a RADIUS or TLS mutual authentication context). This is a specific certificate-level issue, not a password or account lockout problem.

Exam trap

ISACA often tests the distinction between certificate validation errors (like CN mismatch) and other authentication failures (like wrong password or account lockout), expecting candidates to recognize that certificate-based authentication failures are tied to the certificate's attributes, not user credentials or server availability.

How to eliminate wrong answers

Option A is wrong because an account lockout would typically generate a different error, such as 'account disabled' or 'account locked', not a certificate CN mismatch. Option B is wrong because an incorrect password would produce a 'bad password' or 'invalid credentials' error, not a certificate validation failure. Option D is wrong because a RADIUS server being unavailable would result in a timeout or 'no server available' error, not a certificate CN mismatch.

Question 6 (MCQ, easy)

Which of the following is the PRIMARY purpose of conducting a penetration test?

A. To test incident response capabilities
B. To exploit vulnerabilities to assess real-world impact
C. To meet compliance requirements
D. To identify vulnerabilities in a system
Answer: B

The primary purpose of a penetration test is to determine the extent of damage possible from exploitation.

Why this answer

The primary purpose of a penetration test is to exploit vulnerabilities in a controlled manner to assess the real-world impact and business risk, not merely to list them. While vulnerability scanning identifies weaknesses, penetration testing goes further by simulating an attacker's actions to determine if and how a vulnerability can be leveraged to compromise systems, data, or operations. This aligns with the CISA focus on evaluating the effectiveness of security controls under realistic attack conditions.

Exam trap

The trap here is confusing a vulnerability assessment (option D) with a penetration test, as many candidates think the primary goal is simply finding flaws, but CISA emphasizes that the real purpose is to exploit them to measure impact.

How to eliminate wrong answers

Option A is wrong because testing incident response capabilities is a secondary benefit, not the primary purpose; a penetration test may trigger IR processes, but its core objective is to validate security controls through exploitation. Option C is wrong because meeting compliance requirements (e.g., PCI DSS 11.4) is a driver for conducting a test, but the primary purpose remains the technical assessment of real-world exploitability and impact. Option D is wrong because identifying vulnerabilities is the goal of a vulnerability assessment, not a penetration test; a penetration test assumes vulnerabilities exist and focuses on exploiting them to measure actual risk.

Question 7 (MCQ, hard)

An organization has implemented a role-based access control (RBAC) system. A user complains that they cannot access a file needed to complete a critical task. The file's permission indicates that only the 'Manager' role has read access. The user is assigned to the 'Analyst' role. Which of the following is the BEST course of action?

A. Assign the user to the Manager role temporarily
B. Submit a request for temporary access approval via change management
C. Create a new role with only read access to that file
D. Change the file permissions to include Analyst role
Answer: B

This follows proper authorization and maintains security.

Why this answer

Option B is correct because in a properly implemented RBAC system, access changes must follow the principle of least privilege and be formally approved through change management to maintain audit trails and security controls. Granting temporary access via a documented change request ensures that the access is justified, time-bound, and reviewed, preventing unauthorized privilege escalation. This aligns with the CISA domain of Protection of Information Assets, where access control changes must be controlled and monitored.

Exam trap

The trap here is that candidates often choose to change file permissions or create a new role (options C or D) because they focus on the immediate technical fix, ignoring the governance and audit requirements that mandate formal change management for any access control modification.

How to eliminate wrong answers

Option A is wrong because temporarily assigning the user to the Manager role violates the principle of least privilege by granting excessive permissions (e.g., write, delete, or administrative rights) beyond the single file read access needed, increasing the risk of unauthorized actions. Option C is wrong because creating a new role with only read access to that file introduces role proliferation and administrative overhead, bypassing the established RBAC role hierarchy and potentially violating segregation of duties. Option D is wrong because directly changing file permissions to include the Analyst role circumvents the RBAC role-based assignment model, undermining the centralized access control policy and making audit trails inconsistent.

Question 8 (MCQ, hard)

An organization is evaluating a cloud-based identity as a service (IDaaS) for single sign-on (SSO). Which of the following security concerns is MOST critical to address?

A. Lack of encryption for SAML assertions
B. Incompatibility with legacy applications
C. Downtime of the IDaaS provider
D. Compromise of the identity provider's credentials
Answer: D

A compromise of the IdP would grant attackers access to all federated applications, making it the most critical security concern.

Why this answer

The compromise of the identity provider's (IdP) credentials is the most critical security concern because the IdP acts as the central trust anchor for all SSO transactions. If an attacker gains control of the IdP's signing key or administrative credentials, they can forge SAML assertions for any user, bypassing all downstream authentication and gaining unauthorized access to every connected service provider (SP). This represents a single point of failure that undermines the entire SSO trust model.

Exam trap

The trap here is that candidates often focus on technical protocol details like encryption (Option A) or operational risks like downtime (Option C), but the CISA exam emphasizes that the most critical security concern in any federated identity system is the protection of the identity provider's root of trust—its credentials—because a compromise there negates all other controls.

How to eliminate wrong answers

Option A is wrong because SAML assertions are inherently signed and often encrypted end-to-end using XML Signature and XML Encryption standards; the lack of encryption for the assertion body does not expose the authentication token if the transport layer (TLS) is used, and the critical security control is the digital signature, not encryption. Option B is wrong because incompatibility with legacy applications is an integration or migration concern, not a security concern; it can be addressed through federation gateways or protocol translation without compromising the security posture of the SSO system. Option C is wrong because downtime of the IDaaS provider is an availability and business continuity issue, not a security concern; while it impacts access, it does not directly lead to unauthorized data disclosure or system compromise.

Question 9 (MCQ, medium)

An organization uses role-based access control (RBAC) for its enterprise resource planning (ERP) system. What is the greatest risk if user role assignments are not reviewed regularly?

A. Inconsistent application of password policies across roles.
B. Privilege creep, where users retain permissions no longer needed.
C. Increased authentication failures due to expired passwords.
D. Inability to track audit logs for user activity.
Answer: B

Privilege creep increases the attack surface and risk of unauthorized access.

Why this answer

In RBAC, permissions are assigned to roles, and users inherit those permissions through role membership. Without regular reviews, users may retain roles (and thus permissions) long after their job functions change, leading to privilege creep. This violates the principle of least privilege and increases the risk of unauthorized access or data breaches within the ERP system.

Exam trap

The trap here is that candidates confuse the operational impact of role reviews (privilege creep) with other access control issues like password policies or logging, which are separate concerns in the Protection of Information Assets domain.

How to eliminate wrong answers

Option A is wrong because password policies are typically set at the system or domain level, not tied to individual RBAC roles; inconsistent application would stem from policy configuration issues, not role review frequency. Option C is wrong because authentication failures due to expired passwords are managed by password expiration policies and account lockout mechanisms, not by the review of role assignments. Option D is wrong because audit log tracking is a function of the logging and monitoring infrastructure (e.g., SIEM, audit trails), not directly dependent on whether role assignments are reviewed; even with stale roles, logs can still be captured and tracked.

Question 10 (MCQ, medium)

During a security audit, it is discovered that a database containing customer credit card numbers is not encrypted at rest. The database is used by a legacy application that cannot be modified. Which compensating control most effectively reduces the risk?

A. Isolating the database server on a separate network segment with strict firewall rules
B. Enabling detailed audit logging for all database access
C. Requiring all users to sign a nondisclosure agreement (NDA)
D. Implementing dynamic data masking at the application level
Answer: A

Segmentation reduces the attack surface and limits access.

Why this answer

Isolating the database server on a separate network segment with strict firewall rules (e.g., using VLANs and ACLs to restrict traffic to only the legacy application’s IP and port) prevents unauthorized network-level access to the unencrypted data. This compensating control reduces the attack surface by ensuring that even if the database lacks encryption at rest, an attacker cannot reach it without first compromising the network segmentation, which is a critical defense-in-depth layer.

Exam trap

The trap here is that candidates often choose audit logging or masking because they seem technical, but they fail to recognize that only network segmentation actively prevents direct access to the unencrypted data at rest, while the others are either detective or require application changes that are impossible in this scenario.

How to eliminate wrong answers

Option B is wrong because enabling detailed audit logging only provides detective control—it logs who accessed the data but does not prevent unauthorized access or protect the unencrypted credit card numbers at rest. Option C is wrong because requiring NDAs is an administrative control that does not address the technical vulnerability of unencrypted data; it cannot stop an attacker who gains network access from reading the plaintext data. Option D is wrong because dynamic data masking at the application level would require modifying the legacy application (which cannot be changed) to implement masking logic, and it only obfuscates data in query results, not the underlying stored data, leaving the physical database files exposed.

Question 11 (MCQ, easy)

An organization has implemented role-based access control (RBAC). Which of the following is the PRIMARY benefit of RBAC?

A. Simplified user permission management
B. Encryption of sensitive data at rest
C. Elimination of compliance requirements
D. Improved protection against malware
Answer: A

RBAC streamlines access control administration.

Why this answer

RBAC simplifies user permission management by assigning permissions to roles rather than individuals, allowing administrators to grant or revoke access by modifying role memberships. This reduces administrative overhead and the risk of permission errors, as changes propagate automatically to all users in a role. The primary benefit is operational efficiency in access control, not direct security features like encryption or malware protection.

Exam trap

The trap here is that candidates may confuse RBAC's administrative benefit with other security controls, assuming it directly provides encryption or malware defense, when in fact RBAC is purely an access management model.

How to eliminate wrong answers

Option B is wrong because encryption of sensitive data at rest is a data protection mechanism, not a benefit of RBAC; RBAC controls access to data but does not encrypt it. Option C is wrong because RBAC does not eliminate compliance requirements; it can help meet compliance (e.g., least privilege) but regulations still mandate audits, logging, and other controls. Option D is wrong because RBAC does not directly protect against malware; malware protection relies on endpoint security, antivirus, and network controls, not role-based access.

Question 12 (MCQ, hard)

A multinational corporation is deploying a data loss prevention (DLP) solution across its network. The DLP system must be configured to prevent the exfiltration of personally identifiable information (PII) while minimizing false positives. Which approach is most effective?

A. Block all outbound email containing keywords such as 'SSN' or 'credit card'
B. Require all users to complete annual data handling training and rely on self-reporting
C. Implement full disk encryption on all endpoints and encrypt all outbound traffic
D. Use regex patterns for PII combined with context-aware policies (e.g., user role, destination domain)
Answer: D

Regex with context reduces false positives and accurately detects PII.

Why this answer

Option D is correct because using a combination of content-based rules and contextual analysis (e.g., destination, user role) reduces false positives while effectively detecting PII. Option A is too simplistic and may have high false positives. Option B relies heavily on user training, which is not a technical DLP control.

Option C is incorrect because encrypting all traffic would break functionality and is not a DLP method.

Question 13 (MCQ, hard)

An organization plans to integrate a third-party payment gateway into its e-commerce platform. Which of the following is the MOST critical security control to implement before going live?

A. Perform a penetration test on the integration
B. Ensure all data is encrypted in transit and at rest
C. Implement detailed logging of payment transactions
D. Configure network firewalls to restrict traffic
Answer: A

Pen testing proactively identifies vulnerabilities in the integration.

Why this answer

A penetration test on the integration is the most critical control because it actively validates the security of the API endpoints, data flows, and authentication mechanisms between the e-commerce platform and the third-party gateway. Unlike passive controls like encryption or logging, a penetration test can uncover exploitable vulnerabilities such as injection flaws, broken authentication, or insecure direct object references that could lead to financial fraud or data breach before the system is exposed to live transactions.

Exam trap

The trap here is that candidates often choose encryption (Option B) as the most critical control because it is a fundamental security requirement, but the question specifically asks for the control that validates the integration's security before going live, which only a penetration test can achieve.

How to eliminate wrong answers

Option B is wrong because encryption in transit and at rest is a necessary baseline control but does not address logic flaws or misconfigurations in the integration code that could allow an attacker to bypass payment validation or steal tokens. Option C is wrong because detailed logging is a detective control that helps after an incident occurs; it does not prevent or identify exploitable vulnerabilities before going live. Option D is wrong because network firewalls restrict traffic at the network layer but cannot protect against application-layer attacks such as API parameter tampering or session hijacking that target the payment gateway integration.

Question 14 (MCQ, easy)

Based on the exhibit, what is the security risk of this bucket policy?

A. The bucket is publicly readable
B. The bucket allows public write access
C. The bucket policy restricts access to a specific IAM role
D. The bucket policy is not encrypted
Answer: A

Principal: * allows anonymous access.

Why this answer

The bucket policy grants public read access by setting `"Principal": "*"` and `"Effect": "Allow"` with `"Action": "s3:GetObject"`. This means any unauthenticated user on the internet can list and retrieve objects in the bucket, making it publicly readable. The policy does not require any authentication or authorization checks, which is a common misconfiguration leading to data exposure.

Exam trap

ISACA often tests the distinction between read and write permissions in bucket policies, and the trap here is that candidates see `"Principal": "*"` and assume it means full public access (both read and write), but the specific `Action` determines the actual risk—only read access is granted in this case.

How to eliminate wrong answers

Option B is wrong because the policy only allows `s3:GetObject` (read) actions, not `s3:PutObject` or `s3:DeleteObject` (write) actions, so public write access is not granted. Option C is wrong because the policy sets `"Principal": "*"`, which applies to all principals, not restricting access to a specific IAM role; a restricted policy would specify an ARN like `"AWS": "arn:aws:iam::123456789012:role/MyRole"`. Option D is wrong because S3 bucket policies are not individually encrypted; they are stored as JSON documents within AWS IAM and are protected by AWS's infrastructure encryption at rest, and the question asks about a security risk, not a missing encryption feature that does not exist for policies.

Question 15 (MCQ, hard)

During an information systems audit, the IS auditor finds that data classification labels are not consistently applied across the organization. What is the most likely root cause of this issue?

A. The data classification policy is too complex and has too many levels.
B. Insufficient training and awareness programs on data classification.
C. The organization does not enforce consequences for misclassification.
D. Lack of automated classification tools integrated with the document management system.
Answer: B

Users must be trained to classify data correctly; lack of awareness leads to inconsistent application.

Why this answer

Inconsistent application of data classification labels is most commonly caused by insufficient training and awareness programs. Without proper education, users do not understand how to correctly classify data according to the policy, leading to inconsistent labeling across the organization.

Exam trap

The trap here is that candidates may focus on technical solutions (automated tools) or enforcement mechanisms, but the ISACA CISA exam emphasizes that the most common root cause of policy non-compliance is inadequate training and awareness, not technology or enforcement gaps.

How to eliminate wrong answers

Option A is wrong because while a complex policy with too many levels can contribute to confusion, the root cause is typically a lack of understanding of the existing policy, not the number of levels. Option C is wrong because lack of enforcement is a secondary issue; even with enforcement, users cannot comply if they do not know how to classify correctly. Option D is wrong because automated classification tools can help but are not the root cause; the primary issue is human error due to insufficient training, not the absence of technology.

Question 16 (MCQ, easy)

Refer to the exhibit. An auditor finds that the file 'sensitive.txt' has world-writable permissions. Which of the following is the most appropriate remediation action?

A. Remove world-writable permissions using chmod 644.
B. Encrypt the file using GnuPG to protect its contents.
C. Apply an ACL to restrict access only to specific users.
D. Change the file owner to a different user using chown.
Answer: A

chmod 644 sets the file to rw-r--r--, removing world-writable and providing proper access.

Why this answer

The file 'sensitive.txt' has world-writable permissions, meaning any user on the system can modify or delete it. The most direct and appropriate remediation is to remove the world-writable permission using `chmod 644`, which sets the file to owner read-write, group read, and others read. This eliminates the security risk while preserving necessary access for the owner and group.

Exam trap

The trap here is that candidates may overcomplicate the solution by choosing encryption or ACLs, when the simplest and most direct fix is to adjust the file permissions using `chmod`.

How to eliminate wrong answers

Option B is wrong because encrypting the file with GnuPG protects its confidentiality but does not address the world-writable permission; the file remains modifiable by anyone, which could lead to data corruption or unauthorized changes. Option C is wrong because applying an ACL to restrict access to specific users is an alternative approach, but it is not the most appropriate remediation; the simplest and most direct fix is to remove the world-writable bit, and ACLs add complexity without necessity when a simple permission change suffices. Option D is wrong because changing the file owner using `chown` does not remove the world-writable permission; the new owner would still have the same permission issue unless the permissions are also modified.

Question 17 (MCQ, hard)

Based on the exhibit, what is the MOST likely compliance issue requiring immediate remediation?

A. Access is not properly restricted.
B. Compliance checks are not being performed.
C. Backup media lacks encryption.
D. Retention period is too short.
Answer: C

Status explicitly states backup media not encrypted.

Why this answer

The exhibit shows backup tapes stored in an unsecured cabinet without any indication of encryption. Since backup media often contains sensitive data, the lack of encryption exposes the organization to data breaches if the media is lost or stolen. This is a direct violation of data protection requirements and requires immediate remediation.

Exam trap

ISACA often tests the distinction between operational issues (e.g., retention period) and security controls (e.g., encryption), and the trap here is that candidates may focus on the visible retention label rather than the missing encryption safeguard.

How to eliminate wrong answers

Option A is wrong because the exhibit does not provide any evidence of access control mechanisms (e.g., ACLs, authentication logs) to conclude that access is improperly restricted. Option B is wrong because the exhibit does not show whether compliance checks are scheduled or performed; the issue is about the physical security of backup media, not the frequency of checks. Option D is wrong because the retention period is not indicated in the exhibit; the problem is the lack of encryption on backup media, not how long it is kept.

Question 18 (MCQ, hard)

Which of the following is the BEST indicator that an organization's data security governance is effective?

A. Number of security incidents.
B. Percentage of employees trained.
C. Audit findings show compliance with data protection policies.
D. Number of encryption keys managed.
Answer: C

Compliance indicates governance is effective.

Why this answer

Option C is correct because audit findings showing compliance with data protection policies directly indicate that governance controls are working. Option A is incorrect because incident count is a lagging indicator. Option B is incorrect because training alone does not ensure compliance.

Option D is incorrect because key count is not a measure of effectiveness.

Question 19 (MCQ, medium)

An organization is implementing a data loss prevention (DLP) solution. Which of the following is the BEST approach to minimize false positives while ensuring sensitive data is protected?

A. Encrypt all outbound emails containing any attachment.
B. Deploy exact file matching against a database of known sensitive documents.
C. Use contextual analysis including user roles and data classification.
D. Apply keyword matching to all outbound emails.
Answer: C

Contextual analysis reduces false positives by considering behavior and data sensitivity.

Why this answer

Contextual analysis (Option C) is the best approach because it reduces false positives by considering user roles, data classification, and behavioral patterns, ensuring that only genuinely risky data transfers are flagged. Unlike static methods, this dynamic analysis adapts to the organization's data governance policies, allowing legitimate business communications to proceed while still protecting sensitive information.

Exam trap

The trap here is that candidates often choose exact file matching (Option B) thinking it is the most precise, but they overlook its inability to handle data variations and its reliance on a static database, which leads to both false positives and false negatives in dynamic environments.

How to eliminate wrong answers

Option A is wrong because encrypting all outbound emails with attachments does not prevent data loss—it only protects data in transit, and it would generate massive false positives by treating all attachments as sensitive, including benign files. Option B is wrong because exact file matching against a database of known sensitive documents is too rigid; it cannot detect variations of sensitive data (e.g., modified versions or partial leaks) and would miss many real threats while still causing false positives if the database is incomplete. Option D is wrong because keyword matching to all outbound emails is prone to high false positives, as common words or phrases (e.g., 'confidential' in a non-sensitive context) trigger alerts, and it lacks the nuance to distinguish between legitimate and malicious use of sensitive terms.

20. MCQ (medium)

You are an IS auditor for a financial institution that processes credit card payments. The organization uses a key management system (KMS) to store encryption keys for point-of-sale (POS) data. The KMS is a hardware security module (HSM) located in a secured data center. The audit reveals that the HSM is administered by two individuals who both have full access to the HSM, including the ability to export keys. The organization has a policy requiring split knowledge and dual control for key management, but in practice, the two administrators often perform key ceremonies alone due to scheduling conflicts. The logs show that one administrator exported a key last month without the other present, and the export was approved via email by the other administrator after the fact. Which of the following is the BEST corrective action?

A. Reduce the number of administrators to one to simplify accountability
B. Configure the HSM to require two administrators to be physically present for key exports
C. Provide training to administrators on the importance of dual control
D. Implement automated key rotation every 90 days
Answer: B

Technical enforcement ensures dual control.

Why this answer

The HSM must enforce split knowledge and dual control at the technical level, not rely on procedural compliance. By configuring the HSM to require two administrators to be physically present for key exports, the organization ensures that no single individual can export keys, directly addressing the policy violation and the log evidence of a solo export. This technical control is the most effective corrective action because it prevents the bypass of dual control even if administrators attempt to circumvent procedures.

Exam trap

The trap here is that candidates may choose training (Option C) as a quick fix, overlooking that the root cause is a lack of technical enforcement, not a lack of awareness.

How to eliminate wrong answers

Option A is wrong because reducing to one administrator eliminates split knowledge entirely, violating the core security principle and increasing the risk of key compromise. Option C is wrong because training alone does not enforce compliance; the administrators already know the policy but bypass it due to scheduling conflicts, so a technical control is needed. Option D is wrong because automated key rotation does not address the lack of dual control during key exports; it only changes keys periodically, leaving the export vulnerability unmitigated.

21. MCQ (hard)

A company is migrating its customer database to a public cloud provider. Which of the following encryption strategies best protects data while minimizing performance impact on queries?

A. Encrypt the entire database at rest using AES-256, and decrypt for each query.
B. Encrypt the database at the application layer before storage.
C. Use column-level encryption and tokenization for sensitive fields.
D. Rely on the cloud provider's default encryption for the storage.
Answer: C

Correct. This minimizes performance impact by encrypting only sensitive columns and using tokens for efficient lookups.

Why this answer

Option C is correct because column-level encryption and tokenization allow sensitive fields (e.g., SSNs, credit card numbers) to be protected while leaving non-sensitive columns unencrypted, preserving query performance on indexed and frequently queried data. Tokenization replaces sensitive values with non-sensitive placeholders, enabling joins and lookups without decryption overhead, and column-level encryption limits decryption to only the required fields per query.

Exam trap

The trap here is that candidates assume full-database encryption (Option A) is the most secure and thus the best choice, overlooking the critical requirement to minimize performance impact on queries, which column-level encryption and tokenization directly address by avoiding unnecessary decryption of non-sensitive data.

How to eliminate wrong answers

Option A is wrong because encrypting the entire database at rest and decrypting for each query would impose massive decryption overhead on every read operation, severely degrading query performance and defeating the purpose of a production database. Option B is wrong because application-layer encryption before storage means the database cannot index or query the encrypted data efficiently; any search or filter on encrypted fields would require full table scans and client-side decryption, making queries impractical. Option D is wrong because relying solely on the cloud provider's default encryption (typically server-side encryption at rest) protects data on disk but does not protect data in use or in transit, and it does not address the need to minimize performance impact on queries—default encryption adds no query-time overhead but also provides no granular control over sensitive fields.

22. MCQ (medium)

A healthcare organization is required to comply with HIPAA regulations for protecting electronic protected health information (ePHI). The organization uses a cloud-based electronic health record (EHR) system. During a compliance audit, it is discovered that some employees are accessing patient records without a legitimate business need. The EHR system logs all access, but there is no automated process to review logs or detect anomalous behavior. The organization has implemented role-based access control (RBAC) and requires strong passwords, but unauthorized access continues. The IT manager proposes implementing a security information and event management (SIEM) system to collect and correlate logs. However, the budget is limited. Which additional control would be most cost-effective to reduce unauthorized access to patient records?

A. Conducting a quarterly review of user access rights and removing unnecessary privileges
B. Encrypting all ePHI at rest and in transit
C. Increasing the logging level to capture every keystroke
D. Implementing user behavior analytics (UBA) on the EHR access logs
Answer: D

UBA detects anomalous behavior without manual review.

Why this answer

User behavior analytics (UBA) is the most cost-effective control because it directly addresses the core issue: unauthorized access by insiders. UBA applies machine learning to EHR access logs to establish baselines of normal user behavior and detect anomalous patterns (e.g., accessing records outside work hours or from unusual locations) without requiring manual log review. This provides automated, real-time detection of the specific unauthorized access incidents that are occurring, which the current logging system alone cannot provide.

Exam trap

The trap here is that candidates often choose encryption (Option B) as a catch-all security control, but encryption does not address the insider threat of authorized users abusing their access—it only protects data from external interception or theft.

How to eliminate wrong answers

Option A is wrong because a quarterly review of user access rights is a periodic, manual process that cannot detect or prevent unauthorized access in real time; it only addresses privilege creep, not the immediate misuse of valid credentials. Option B is wrong because encryption protects data confidentiality during storage and transmission but does nothing to prevent authenticated users from accessing records they are not authorized to view; it is a perimeter control, not an insider threat control. Option C is wrong because increasing logging to capture every keystroke would generate massive volumes of data, overwhelm storage and analysis capabilities, and still require manual review or automated analysis to detect anomalies—it does not solve the detection gap and is not cost-effective.

23. MCQ (easy)

A company's security policy requires that all laptops have full disk encryption. During an audit, it is discovered that several laptops have encryption enabled but the recovery keys are stored on the local drive. What is the MOST significant risk?

A. Performance degradation due to encryption overhead.
B. Unauthorized access to encrypted data.
C. Recovery keys can be used to bypass encryption.
D. Data corruption during encryption process.
Answer: C

Local storage of keys allows attackers to decrypt data easily.

Why this answer

Storing recovery keys on the local drive defeats the purpose of full disk encryption (FDE). If an attacker gains physical access to the laptop, they can simply boot an alternate OS or mount the drive and read the recovery key file, then use it to unlock the encrypted volume. This bypasses the encryption entirely, making the data vulnerable to unauthorized access despite encryption being enabled.

Exam trap

The trap here is that candidates confuse 'encryption enabled' with 'data protected' and pick Option B (unauthorized access) without recognizing that the recovery key on the local drive is the direct mechanism that enables that access, making Option C the root cause and most significant risk.

How to eliminate wrong answers

Option A is wrong because modern FDE solutions (e.g., BitLocker with AES-NI hardware acceleration) have negligible performance impact; encryption overhead is not the primary risk. Option B is wrong because unauthorized access to encrypted data is the ultimate consequence, but the direct risk is that the recovery key itself enables that access; the question asks for the most significant risk, which is the key exposure. Option D is wrong because data corruption during encryption is rare and typically mitigated by pre-encryption checks and journaling; it is not the most significant risk compared to key compromise.

24. Drag & Drop (medium)

Arrange the steps to set up a virtual private network (VPN) for remote access in the correct order.

Why this order

VPN setup: server configuration, user provisioning, client installation, connection testing, and monitoring.

25. MCQ (easy)

An organization is implementing a data loss prevention (DLP) solution. Which of the following is the MOST important step to ensure the DLP rules are effective?

A. Classify data based on sensitivity
B. Encrypt all data at rest
C. Establish an incident response team
D. Create user awareness training
Answer: A

Classification allows DLP to accurately identify and protect sensitive data.

Why this answer

Data classification is the foundational step for effective DLP rules because it defines which data is sensitive and how it should be handled. Without classification, DLP policies cannot accurately identify or enforce rules on sensitive content, leading to false positives or missed detections. Classification enables the DLP system to apply context-aware rules (e.g., regex patterns for PII, keywords for confidential documents) that align with the organization's data governance requirements.

Exam trap

The trap here is that candidates often choose user awareness training (Option D) as the most important step, confusing human behavior controls with the technical prerequisite of data classification for DLP rule accuracy.

How to eliminate wrong answers

Option B is wrong because encrypting all data at rest protects confidentiality but does not control data in use or in motion, and DLP rules require visibility into content to detect policy violations; encryption can actually blind DLP inspection if not implemented with decryption capabilities. Option C is wrong because an incident response team handles post-event remediation, not the proactive enforcement of DLP rules; it is a supporting function, not the most important step for rule effectiveness. Option D is wrong because user awareness training reduces accidental data leaks but does not define the technical criteria (e.g., data patterns, tags) that DLP rules need to operate; training complements but cannot replace data classification.

26. MCQ (easy)

During a security audit, it was found that users in the finance department have unnecessary access to HR payroll data. Which access control principle has been violated?

A. Mandatory access control
B. Least privilege
C. Separation of duties
D. Need to know
Answer: B

Least privilege requires that users have only the minimum access necessary to perform their job functions.

Why this answer

The least privilege principle dictates that users should be granted only the minimum permissions necessary to perform their job functions. In this scenario, finance department users have unnecessary access to HR payroll data, directly violating this principle by providing more access than required.

Exam trap

The trap here is confusing 'least privilege' with 'need to know' — need to know is a subset of least privilege that focuses on data classification, but the question explicitly describes unnecessary access to a different department's data, making least privilege the broader and correct violation.

How to eliminate wrong answers

Option A is wrong because mandatory access control (MAC) is a system-enforced policy based on labels and clearances, not a principle about minimizing user permissions; the violation here is about excessive access, not label mismatches. Option C is wrong because separation of duties ensures no single user can complete a critical task alone (e.g., initiating and approving a payment), which is unrelated to having unnecessary access to another department's data. Option D is wrong because need to know restricts access to specific data required for a task, but it is a subset of least privilege; the core principle violated here is least privilege, as the users have access they do not need at all.

27. MCQ (hard)

Refer to the exhibit. During a penetration test, a security analyst captures this SAML response. Which of the following security weaknesses is most evident?

A. The name identifier format is inappropriate
B. The session is too short
C. The assertion is not encrypted
D. The authentication context is weak
Answer: C

Correct. The assertion is in plaintext, which could allow an attacker to read or modify the SAML response if not protected by TLS.

Why this answer

The SAML response shows the assertion is sent in plaintext (no xenc:EncryptedData element), meaning the authentication assertion is not encrypted. This allows an attacker who intercepts the SAML response to extract the assertion and reuse it in a replay or impersonation attack, violating the confidentiality requirement for sensitive authentication tokens.

Exam trap

The trap here is that candidates focus on the authentication context or session duration as potential weaknesses, but the most evident vulnerability is the complete lack of assertion encryption, which is a direct violation of SAML security best practices and a common finding in penetration tests.

How to eliminate wrong answers

Option A is wrong because the NameID format (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress) is a standard and appropriate format for identifying the user by email; there is no evidence of a mismatch or misuse. Option B is wrong because the session duration (SessionNotOnOrAfter) is set to 2025-10-22T14:21:38Z, which is a reasonable length (e.g., 8 hours from issuance) and not inherently a security weakness; the issue is lack of encryption, not session length. Option D is wrong because the authentication context (AuthnContextClassRef) references a password-based mechanism (urn:oasis:names:tc:SAML:2.0:ac:classes:Password), which is a valid and common strength; the weakness is not in the authentication method but in the unprotected assertion.

28. MCQ (hard)

An organization is implementing a data retention policy for personally identifiable information (PII) to comply with GDPR. Which of the following is the MOST appropriate approach?

A. Delete PII as soon as it is collected
B. Anonymize PII after a fixed period and retain indefinitely
C. Retain PII indefinitely for historical analysis
D. Define retention periods based on legal and business requirements and securely delete after
Answer: D

GDPR mandates that data be kept no longer than necessary; defined retention periods with secure deletion ensure compliance.

Why this answer

Option D is correct because GDPR mandates that PII must not be kept longer than necessary for the purpose for which it was collected. Defining retention periods based on legal and business requirements ensures compliance with the storage limitation principle (Article 5(1)(e)), and secure deletion (e.g., using cryptographic erasure or overwriting with tools like shred on Linux) prevents unauthorized recovery. This approach balances regulatory compliance with operational needs.

Exam trap

The trap here is that candidates may confuse 'anonymization' (Option B) as a safe harbor for indefinite retention, but GDPR requires that anonymization be irreversible and that the retained data serve a legitimate purpose, not just be kept indefinitely without justification.

How to eliminate wrong answers

Option A is wrong because deleting PII immediately upon collection would violate legitimate business and legal requirements (e.g., tax records or contractual obligations) that necessitate retention for a defined period. Option B is wrong because anonymization after a fixed period may comply with GDPR if irreversible, but retaining anonymized data indefinitely still poses re-identification risks (e.g., via linkage attacks) and violates the principle of data minimization if no business need exists. Option C is wrong because retaining PII indefinitely for historical analysis violates GDPR's storage limitation principle unless the data is anonymized and the purpose is compatible with the original collection; indefinite retention of PII without a legal basis exposes the organization to fines and breach risks.

29. Multi-Select (hard)

Which TWO are primary objectives of an identity and access management (IAM) program? (Select exactly 2.)

A. Ensuring appropriate access to resources.
B. Enforcing least privilege principle.
C. Encrypting data at rest and in transit.
D. Patching software vulnerabilities.
E. Monitoring network traffic for anomalies.
Answers: A, B

Core IAM objective.

Why this answer

Option A is correct because the primary objective of an IAM program is to ensure that the right individuals have access to the appropriate resources at the right time for the right reasons. This is achieved through authentication, authorization, and access control mechanisms such as Role-Based Access Control (RBAC) or Attribute-Based Access Control (ABAC). Without this, the organization cannot enforce security policies or maintain audit trails.

Exam trap

The trap here is that candidates often confuse IAM with general security controls like encryption or network monitoring, but IAM strictly deals with identity lifecycle, authentication, authorization, and access governance, not data protection or network-level defenses.

30. MCQ (medium)

A company is implementing a cloud-based identity and access management (IAM) system. Which of the following best describes the principle of least privilege in this context?

A. Users should have administrative rights for troubleshooting.
B. Permissions should be revoked only when an employee leaves the company.
C. All users should have the same level of access for consistency.
D. Permissions should be granted based on the user's role and need-to-know.
Answer: D

Correct. Least privilege aligns with role-based access and minimum necessary permissions.

Why this answer

Option D is correct because the principle of least privilege dictates that users should be granted only the permissions necessary to perform their job functions, based on their role and need-to-know. In a cloud-based IAM system, this is typically implemented through role-based access control (RBAC) or attribute-based access control (ABAC), ensuring minimal exposure to sensitive resources and reducing the attack surface.

Exam trap

The trap here is that candidates often confuse 'least privilege' with 'administrative convenience' or 'consistency,' mistakenly thinking that granting admin rights for troubleshooting (Option A) or uniform access (Option C) simplifies management, when in fact these practices directly violate the core security principle.

How to eliminate wrong answers

Option A is wrong because granting administrative rights for troubleshooting violates least privilege by providing excessive, often permanent, elevated privileges that can be exploited or misused; instead, temporary just-in-time (JIT) access or privileged access management (PAM) should be used. Option B is wrong because permissions should be reviewed and revoked promptly when no longer needed, not only upon employee departure; failure to do so leads to privilege creep and increased risk of unauthorized access. Option C is wrong because uniform access for all users contradicts least privilege, as it ignores the varying job functions and data sensitivity levels, leading to over-privileged users and potential data breaches.

31. Multi-Select (hard)

Which THREE are core components of a comprehensive identity and access management (IAM) system? (Choose three.)

A. Virtual private network (VPN) for remote network access.
B. Data loss prevention (DLP) to prevent data exfiltration.
C. Single sign-on (SSO) for simplified authentication.
D. Privileged access management (PAM) for managing administrative accounts.
E. Role-based access control (RBAC) for assigning permissions based on job roles.
Answers: C, D, E

SSO provides a unified authentication platform across applications.

Why this answer

Single sign-on (SSO) is a core IAM component because it centralizes authentication, allowing users to log in once and access multiple applications without re-entering credentials. This reduces password fatigue, improves user productivity, and simplifies identity lifecycle management by relying on a single identity provider (IdP) to enforce authentication policies across the enterprise.

Exam trap

ISACA often tests the distinction between infrastructure security tools (VPN, DLP) and core IAM functions (authentication, authorization, administration), so the trap here is confusing network-level or data-level controls with identity-centric components that directly manage user access rights and authentication workflows.

32. MCQ (easy)

An organization's mobile device management (MDM) policy requires that all corporate data on employee-owned smartphones be protected. Which control best ensures that corporate data can be remotely wiped without affecting personal data?

A. Disabling the ability to copy/paste between corporate and personal apps
B. Implementing a containerization solution that separates work and personal profiles
C. Requiring a strong password and biometric authentication
D. Enforcing a full device encryption policy
Answer: B

Containerization enables selective wipe of corporate data.

Why this answer

Containerization (also known as dual-persona or sandboxing) creates a separate, encrypted container on the device for corporate apps and data. This allows the MDM to issue a selective wipe command that destroys only the container and its contents, leaving the user's personal apps, photos, and settings untouched. Without containerization, a remote wipe would typically erase the entire device, including all personal data.

Exam trap

The trap here is that candidates often confuse 'full device encryption' (Option D) with selective wipe capability, assuming encryption alone allows granular data removal, when in fact encryption without containerization still requires wiping the entire encrypted volume.

How to eliminate wrong answers

Option A is wrong because disabling copy/paste between corporate and personal apps prevents data leakage but does not enable selective remote wipe; it is a data loss prevention (DLP) control, not a wipe mechanism. Option C is wrong because requiring a strong password and biometric authentication controls device access but has no effect on the scope of a remote wipe; it is an authentication control, not a data separation or wipe control. Option D is wrong because enforcing full device encryption protects data at rest but does not differentiate between corporate and personal data; a remote wipe under full encryption would still erase the entire device, including personal data.

33. MCQ (medium)

An organization experiences a ransomware attack that encrypts critical files. Which of the following is the BEST recovery strategy to minimize data loss?

A. Disconnect the network and rebuild systems from scratch
B. Pay the ransom to decrypt files
C. Restore from offline backups taken before the attack
D. Use system restore points on the same network
Answer: C

Offline backups (e.g., tape or immutable cloud) are not accessible to ransomware, enabling clean recovery.

Why this answer

Restoring from offline backups taken before the attack ensures that the recovered data is clean and free from encryption, as the ransomware cannot modify backups that are not connected to the network. This strategy minimizes data loss by reverting to the most recent known-good state without relying on potentially compromised or incomplete system restore points.

Exam trap

The trap here is that candidates may choose Option D (system restore points) because they seem convenient and built-in, but they fail to realize that ransomware specifically targets and deletes these snapshots, making them unreliable for recovery.

How to eliminate wrong answers

Option A is wrong because rebuilding systems from scratch without backups results in complete data loss, as no user or application data is preserved. Option B is wrong because paying the ransom does not guarantee decryption, encourages further attacks, and may leave backdoors or incomplete file recovery. Option D is wrong because system restore points on the same network are often encrypted by the ransomware, as they reside on accessible storage, and they typically only restore system files, not user data.

34. MCQ (easy)

An organization wants to ensure that data is not retained longer than necessary. Which of the following is the BEST control to implement?

A. Encrypt all data at rest
B. Implement a backup retention policy
C. Use role-based access controls
D. Define and enforce data retention schedules
Answer: D

Retention schedules ensure data is deleted when no longer needed.

Why this answer

Defining and enforcing data retention schedules directly addresses the requirement to not retain data longer than necessary by specifying precise timeframes for data deletion or archival. This control ensures compliance with legal, regulatory, and business needs by automating the lifecycle management of data, such as through expiration policies in object storage (e.g., S3 Lifecycle rules) or database TTL (time-to-live) settings. Without such schedules, data may persist indefinitely, increasing storage costs and regulatory risk.

Exam trap

The trap here is that candidates confuse data retention (how long data is kept) with data protection mechanisms like encryption or access control, or they mistakenly think backup retention policies are sufficient for primary data lifecycle management.

How to eliminate wrong answers

Option A is wrong because encrypting data at rest protects confidentiality but does not control how long data is stored; it can even hinder deletion if encryption keys are not properly managed. Option B is wrong because a backup retention policy governs copies of data for recovery purposes, not the primary data itself; it may inadvertently retain data longer than necessary if not aligned with the primary retention schedule. Option C is wrong because role-based access controls (RBAC) restrict who can access or modify data but do not enforce time-based deletion or retention limits.

35. MCQ (hard)

A company's endpoint protection solution alerts on a file that is digitally signed by a trusted software vendor but exhibits malicious behavior on execution. What type of threat does this scenario most likely depict?

A. A Trojan horse disguised as legitimate software.
B. Signed malware, indicating the certificate may have been compromised.
C. A zero-day exploit targeting an unpatched vulnerability.
D. A fileless attack that never writes to disk.
Answer: B

The file has a trusted digital signature but performs malicious actions, suggesting the signing key was stolen or misused.

Why this answer

The scenario describes a file that is digitally signed by a trusted vendor yet exhibits malicious behavior. This is the classic definition of signed malware, where the digital certificate used to sign the file has likely been stolen, misused, or issued fraudulently. The trusted signature bypasses reputation-based and allowlist controls, making the threat particularly dangerous because the file appears legitimate to security tools that trust the vendor's certificate.

Exam trap

The trap here is that candidates confuse 'signed malware' with a 'Trojan horse,' but the critical differentiator is the presence of a valid digital signature from a trusted vendor, which is not inherent to Trojans and is the specific mechanism that makes this threat unique.

How to eliminate wrong answers

Option A is wrong because a Trojan horse is malware that disguises itself as a legitimate program, but it does not necessarily carry a valid digital signature from a trusted vendor; the key detail here is the presence of a trusted digital signature, which is not a requirement for a Trojan. Option C is wrong because a zero-day exploit targets an unpatched vulnerability in software or the OS, not a signed file; the threat is not about exploiting a vulnerability but about abusing a trusted certificate to bypass security controls. Option D is wrong because a fileless attack operates in memory without writing files to disk, whereas this scenario explicitly involves a file that is alerted on by endpoint protection, meaning it exists on disk and is signed.

36. MCQ (medium)

An organization uses role-based access control (RBAC). An employee is transferred to a new department. According to best practices, what should be done regarding the employee's access rights?

A. Remove access to the previous department's resources after a grace period.
B. Keep all access but log usage.
C. Immediately revoke all previous access and assign new role permissions.
D. Keep previous access and grant new role permissions.
Answer: C

Correct. This follows least privilege and prevents unauthorized access during transition.

Why this answer

Option C is correct because RBAC mandates that access rights are strictly tied to job functions. When an employee changes departments, their previous role permissions are no longer applicable and must be immediately revoked to prevent unauthorized access, while new role permissions are granted to align with their new responsibilities. This follows the principle of least privilege and ensures that access rights are always current with the employee's role.

Exam trap

The trap here is that candidates may think a grace period or logging is acceptable, but CISA emphasizes immediate revocation to maintain least privilege and prevent unauthorized access during role transitions.

How to eliminate wrong answers

Option A is wrong because a grace period introduces a window of unauthorized access, violating the principle of least privilege and RBAC's requirement for immediate role alignment. Option B is wrong because keeping all access with logging does not prevent the employee from accessing resources they no longer need, which is a security risk and non-compliant with RBAC's role-based assignment. Option D is wrong because retaining previous access while granting new permissions results in excessive privileges, violating the segregation of duties and least privilege principles.

37
Multi-Selecthard

Which THREE of the following are key components of an effective information security awareness program? (Choose three.)

Select 3 answers
A.Phishing simulation exercises
B.Reward program for reporting incidents
C.Annual one-time training for all employees
D.Support from top management
E.Regularly scheduled training sessions on security policies
AnswersA, D, E

Simulations test and improve behavior.

Why this answer

Phishing simulation exercises are a key component of an effective information security awareness program because they provide hands-on, practical experience in identifying and responding to real-world phishing attempts. By simulating attacks, organizations can measure employee susceptibility, reinforce training, and reduce the risk of successful social engineering attacks. This proactive approach helps build a security-conscious culture and directly addresses the human factor in cybersecurity.

Exam trap

The trap here is that candidates may confuse a reward program for reporting incidents as a core component of awareness, when in fact it is a supplementary measure, not a foundational element like management support or regular training.

38
MCQeasy

A small business wants to protect customer data collected through its e-commerce website. Which control is most appropriate for protecting the data at rest and in transit?

A.Implement a network firewall to block unauthorized access.
B.Perform regular backups of the database to ensure data availability.
C.Deploy an intrusion detection system (IDS) to monitor for threats.
D.Use encryption for data at rest and in transit.
AnswerD

Encryption directly protects data confidentiality by making it unreadable without the decryption key, applicable both at rest and in transit.

Why this answer

Encryption is the only control that directly protects the confidentiality and integrity of data both at rest (e.g., AES-256 for database files) and in transit (e.g., TLS 1.3 for HTTPS). It renders data unreadable without the proper decryption key, ensuring that even if storage media or network traffic is intercepted, the customer data remains secure.

Exam trap

The trap here is that candidates often confuse preventive controls like firewalls or IDS with data protection mechanisms, failing to recognize that encryption is the only direct safeguard for data confidentiality both at rest and in transit.

How to eliminate wrong answers

Option A is wrong because a network firewall controls access at the network layer but does not protect data at rest (e.g., stored database files) or data in transit from eavesdropping or decryption after interception. Option B is wrong because regular backups ensure data availability and recovery, not confidentiality or integrity; backups themselves must be encrypted to protect data at rest. Option C is wrong because an IDS monitors and alerts on suspicious activity but does not prevent data exposure; it cannot encrypt data or protect it from being read if intercepted.

39
MCQhard

A multinational corporation is implementing a bring your own device (BYOD) policy. Which of the following is the most important security control to ensure corporate data is protected on employee devices?

A.Require employees to install antivirus software.
B.Prohibit the use of personal devices for work.
C.Mandate full-device encryption.
D.Implement mobile device management (MDM) with containerization.
AnswerD

Correct. Containerization segregates corporate data and enables selective wipe without affecting personal data.

Why this answer

Option D is correct because Mobile Device Management (MDM) with containerization creates a separate, encrypted workspace on the employee's device that isolates corporate data from personal data. This ensures that the organization can enforce security policies (e.g., remote wipe, access controls) on the corporate container without affecting the user's personal information, which is critical for BYOD environments where full-device control is not feasible.

Exam trap

The trap here is that candidates often confuse full-device encryption (Option C) as sufficient for BYOD, failing to recognize that encryption alone does not provide data segregation or selective wipe capabilities, which are essential for protecting corporate data on a device the organization does not fully own.

How to eliminate wrong answers

Option A is wrong because antivirus software alone cannot prevent data leakage or enforce access controls on corporate data; it only protects against malware and does not address the core requirement of data segregation on a shared device. Option B is wrong because prohibiting personal devices for work directly contradicts the BYOD policy being implemented, making it a policy rejection rather than a security control. Option C is wrong because full-device encryption protects data at rest but does not separate corporate data from personal data; in a BYOD scenario, the organization would have no control over the user's personal apps or data, and a remote wipe would erase everything, including personal content.

40
MCQhard

A financial services organization recently experienced a data breach where customer financial records were exfiltrated. The investigation reveals that an attacker gained access through a compromised privileged account belonging to a database administrator. The attacker used valid credentials to log into the database server and then exported a large volume of data using native database tools. The security team notes that the organization has multi-factor authentication (MFA) enabled for all remote access, but the database server was accessed from an internal IP address. The organization also has a data loss prevention (DLP) system, but it did not alert on the export because the traffic was encrypted. The database activity monitoring (DAM) system did log the export, but alerts were not reviewed due to high volume and many false positives. Which of the following would have been most effective in preventing this breach?

A.Deploying a DLP solution that can inspect encrypted traffic via SSL interception
B.Implementing a privileged access management (PAM) solution that requires approval for elevated actions and records sessions
C.Segmenting the database server onto a separate network with strict firewall rules
D.Improving the database activity monitoring (DAM) alerting to reduce false positives
AnswerB

PAM controls and monitors privileged access, reducing the risk of misuse.

Why this answer

The breach occurred because a privileged database administrator account was compromised, and the attacker used native database tools to export data from an internal IP address, bypassing MFA. A privileged access management (PAM) solution would have required approval for elevated actions (e.g., exporting large volumes of data) and recorded the session, providing both preventive control (approval workflow) and detective control (session recording) to stop or immediately detect the abuse of valid credentials. This directly addresses the root cause—compromised privileged credentials—rather than relying on network or alerting controls that were circumvented.

Exam trap

The trap here is that candidates often focus on detection or network controls (DLP, segmentation, DAM) instead of recognizing that the root cause is the abuse of valid privileged credentials, which requires a preventive control like PAM that manages and monitors privileged access at the point of action.

How to eliminate wrong answers

Option A is wrong because SSL interception of encrypted traffic would not have prevented the breach; the attacker used native database tools over an encrypted connection from an internal IP, and DLP inspection of encrypted traffic would still need to decrypt and analyze the content, which is complex and may not block the export if the attacker uses legitimate database protocols. Option C is wrong because network segmentation with firewall rules would not prevent an attacker who already has valid credentials from an internal IP; the attacker was already on the internal network and could access the database server through permitted firewall rules. Option D is wrong because improving DAM alerting to reduce false positives would only improve detection, not prevention; the breach had already occurred by the time the alert was generated, and the attacker had already exfiltrated the data.

41
MCQmedium

Refer to the exhibit. An auditor finds that users are able to reuse previous passwords easily. Which setting should be modified to address this weakness?

A.Increase the password history to 10
B.Increase the minimum password age to 7 days
C.Enable password expiration notifications
D.Increase the maximum password age to 30 days
AnswerA

Correct. A longer password history keeps more previous passwords on record and rejects them, so a user cannot quickly cycle back to an old password.

Why this answer

Increasing the password history setting (e.g., to 10) prevents users from reusing their most recent passwords by storing a specified number of previous password hashes. When a user attempts to change their password, the system compares the new password against the stored history and rejects it if it matches any of the remembered passwords. This directly addresses the weakness of easy password reuse.

Exam trap

The trap here is that candidates often confuse password history with password age settings, thinking that increasing the maximum password age or minimum password age will prevent reuse, when in fact only password history directly blocks the use of previously used passwords.

How to eliminate wrong answers

Option B is wrong because increasing the minimum password age to 7 days prevents users from changing passwords frequently to cycle back to an old password, but it does not prevent reuse of previous passwords after that period expires. Option C is wrong because enabling password expiration notifications only alerts users that their password will expire; it does not enforce any restriction on reusing old passwords. Option D is wrong because increasing the maximum password age to 30 days extends how long a password can be used before it must be changed, but it does not prevent the user from reusing a previous password when the change occurs.

42
MCQmedium

A multinational corporation is deploying a new cloud-based collaboration platform for its 5,000 employees. The platform will store sensitive project data and intellectual property. The CISO mandates that all data must be encrypted at rest and in transit, and that access must be controlled via the company's identity provider (IdP) using SAML 2.0. During a pilot with the R&D department, the security team discovers that the platform's audit logs do not record failed login attempts from the IdP. The platform vendor states that the IdP is responsible for authentication, so the platform only logs successful assertions. The CISO is concerned about the lack of visibility into brute-force attacks. The company already has a SIEM that receives logs from the IdP and other sources. What is the BEST course of action?

A.Replace the cloud platform with one that provides built-in authentication logging
B.Enable detailed logging on the IdP for all authentication attempts and forward those logs to the SIEM for monitoring
C.Configure the cloud platform to require re-authentication for every session and log all authentication events locally
D.Implement a stricter password policy for the IdP to reduce the risk of brute-force attacks
AnswerB

The IdP can log failed attempts; forwarding to the SIEM provides the needed visibility.

Why this answer

Option B is correct because the IdP is the authoritative source for authentication events in a SAML 2.0 federated identity model. The cloud platform only receives and logs successful SAML assertions, so it cannot log failed login attempts. Enabling detailed logging on the IdP for all authentication attempts (successes and failures) and forwarding those logs to the SIEM provides the necessary visibility into brute-force attacks without changing the platform or architecture.

Exam trap

The trap here is that candidates assume the cloud platform should handle all logging, but in a SAML 2.0 federation, the IdP is the sole source of authentication event logs, and the platform only logs successful assertions.

How to eliminate wrong answers

Option A is wrong because replacing the cloud platform is unnecessary and costly; the existing architecture with SAML 2.0 is standard and the IdP is the correct place to log authentication events. Option C is wrong because requiring re-authentication for every session would severely degrade user experience and still would not cause the platform to log failed IdP authentication attempts, as the platform only processes successful assertions. Option D is wrong because a stricter password policy reduces the risk of successful brute-force attacks but does not provide the visibility into failed attempts that the CISO requires for monitoring and detection.

43
MCQmedium

An IS auditor is reviewing an organization's data classification policy. Which of the following findings is MOST critical?

A.Employees receive data classification training only once per year
B.Data classification is performed manually without automated tools
C.Sensitive data is not encrypted at rest
D.Data owners have not been identified for most data assets
AnswerD

Without data owners, classification cannot be enforced.

Why this answer

Without identified data owners, no one is accountable for classifying, protecting, or granting access to data assets. This foundational gap undermines the entire data classification policy, making it impossible to enforce controls like encryption or access reviews. The CISA emphasizes that data owner assignment is the first step in any data governance framework.

Exam trap

The trap here is that candidates focus on visible technical controls like encryption (Option C) rather than the foundational governance requirement of data ownership, which the CISA considers more critical for policy effectiveness.

How to eliminate wrong answers

Option A is wrong because annual training, while not ideal, is a common baseline and does not directly break the classification policy; the critical failure is lack of ownership, not training frequency. Option B is wrong because manual classification can be acceptable in small environments or as a starting point; automated tools are a control enhancement, not a requirement. Option C is wrong because encryption at rest is a technical safeguard that should be applied based on classification, but without identified data owners, the classification itself is unenforceable.

44
MCQmedium

Refer to the exhibit. Which of the following statements is TRUE regarding this S3 bucket policy?

A.Anonymous read access is allowed only over HTTPS
B.The bucket is fully public for all actions
C.Write access is allowed over HTTP
D.Only authenticated users can access objects
AnswerA

The condition requires SecureTransport (HTTPS), and access is anonymous.

Why this answer

Option A is correct because the S3 bucket policy includes a `Condition` requiring `aws:SecureTransport` to be `true`, so the grant applies only to requests made over HTTPS; requests that are not made over HTTPS are not permitted. The `Effect: Allow` on `Principal: "*"` grants anonymous read access, but the `Condition` block restricts that access to HTTPS, making anonymous read access allowed only over HTTPS.

Exam trap

ISACA often tests the nuance that a policy granting anonymous access with a `Condition` block can still restrict the protocol, leading candidates to mistakenly think the bucket is fully public or that only authenticated users can access it.

How to eliminate wrong answers

Option B is wrong because the bucket policy only allows `s3:GetObject` (read) access, not all actions like `s3:PutObject`, `s3:DeleteObject`, etc., so the bucket is not fully public for all actions. Option C is wrong because the `aws:SecureTransport` condition blocks requests that are not made over HTTPS, and write access is not granted by the policy at all, so there is no write access over HTTP. Option D is wrong because the policy grants access to `Principal: "*"`, which includes anonymous (unauthenticated) users, not only authenticated users.

45
Multi-Selecteasy

An organization is implementing a data loss prevention (DLP) solution. Which TWO of the following are key considerations for effective DLP deployment?

Select 2 answers
A.Implementing DLP in monitoring mode initially to baseline traffic
B.Deploying DLP agents on all endpoints before defining policies
C.Encrypting all data at rest and in transit as a prerequisite
D.Classifying data based on sensitivity and criticality
E.Replacing user security awareness training with automated DLP
AnswersA, D

Monitoring first helps tune policies and reduce false positives.

Why this answer

Options A and D are correct. Option A: starting in monitoring mode before blocking lets the team baseline traffic and tune policies, which reduces false positives. Option D: classifying data based on sensitivity and criticality is fundamental to DLP policy creation.

How to eliminate wrong answers

Option B is wrong because DLP should be deployed in phases with policies defined first, not by pushing agents to every endpoint at once. Option C is wrong because encryption is a separate control and not a prerequisite for DLP; DLP can detect sensitive data but does not enforce encryption for all data. Option E is wrong because DLP is a technical control, not a replacement for user security awareness training.

46
Multi-Selecthard

Which THREE of the following are essential components of a data classification program?

Select 3 answers
A.Data retention and disposal schedules
B.Regular vulnerability scanning
C.Assignment of data owners
D.Standardized labeling guidelines
E.Implementation of database encryption
AnswersA, C, D

Retention schedules specify how long classified data must be kept and how to dispose of it.

Why this answer

Data retention and disposal schedules are essential to a data classification program because they define how long each classification level of data must be retained and the secure methods for its disposal (e.g., degaussing, cryptographic erasure, or physical shredding). This ensures that data is not kept beyond its useful life, reducing the risk of unauthorized access or legal non-compliance. Without these schedules, the classification program lacks the lifecycle management component necessary for operational security.

Exam trap

The trap here is that candidates confuse operational security controls (like vulnerability scanning or encryption) with the administrative and procedural components of a data classification program, which are specifically about defining ownership, labeling, and lifecycle management.

47
MCQeasy

A small business wants to protect customer data stored on a local file server. Which of the following is the MOST cost-effective control to prevent unauthorized access?

A.Enable detailed audit logs
B.Configure file-level permissions
C.Implement full-disk encryption
D.Deploy biometric authentication
AnswerB

File permissions are a direct and low-cost way to control access.

Why this answer

Configuring file-level permissions (e.g., NTFS permissions on Windows or POSIX ACLs on Linux) is the most cost-effective control because it directly restricts which users or groups can read, write, or modify specific files and folders on the server. This granular access control prevents unauthorized access without requiring additional hardware or complex management, making it ideal for a small business with limited budget.

Exam trap

The trap here is that candidates often confuse detective controls (audit logs) or encryption (which protects data at rest) with preventive access controls, leading them to choose a more expensive or less effective option instead of the simple, direct file permission configuration.

How to eliminate wrong answers

Option A is wrong because audit logs only record access events after they occur; they do not prevent unauthorized access in real time. Option C is wrong because full-disk encryption protects data at rest if the physical disk is stolen, but it does not control access while the server is running and the OS is booted. Option D is wrong because biometric authentication is expensive to deploy and maintain, and it addresses authentication at the system level rather than directly controlling access to specific files on the server.

48
MCQmedium

An organization is implementing a data loss prevention (DLP) solution. Which of the following is the BEST approach to reduce false positives during initial deployment?

A.Use default policies without modification
B.Limit scope to one department to minimize noise
C.Deploy in monitor-only mode and analyze alerts for a period
D.Block all sensitive data transmissions immediately
AnswerC

Monitor-only mode allows policy tuning without impact.

Why this answer

Deploying a DLP solution in monitor-only mode allows the organization to observe what data is being transmitted and generate alerts without blocking any traffic. This enables security teams to analyze the alerts against actual business workflows, fine-tune policies, and eliminate false positives before moving to an active enforcement mode. It is a best practice for initial deployment to avoid disrupting legitimate business operations.

Exam trap

The trap here is that candidates may think limiting scope (Option B) is the best way to reduce noise, but the question asks for the best approach to reduce false positives, and monitor-only mode provides the necessary feedback loop to tune policies before enforcement, whereas limiting scope only reduces volume, not the false positive rate.

How to eliminate wrong answers

Option A is wrong because default policies are generic and not tailored to the organization's specific data types, workflows, or user behavior, which typically results in a high volume of false positives and potential missed detections. Option B is wrong because limiting scope to one department reduces the overall visibility and may miss data loss events in other departments, while still generating false positives within that department due to untuned policies. Option D is wrong because immediately blocking all sensitive data transmissions without first understanding normal traffic patterns will almost certainly disrupt legitimate business processes and cause significant operational impact.

49
MCQeasy

Which of the following is the PRIMARY purpose of a data classification scheme?

A.To enable encryption of all sensitive data
B.To meet regulatory compliance requirements
C.To define data retention periods
D.To ensure appropriate security controls are applied based on data sensitivity
AnswerD

Classification drives protection.

Why this answer

A data classification scheme assigns sensitivity labels (e.g., public, internal, confidential, restricted) to information assets. Its primary purpose is to ensure that appropriate security controls—such as access control lists, encryption strength, and monitoring—are applied proportionally to the data's sensitivity. Without classification, controls would be either insufficient for high-risk data or overly restrictive for low-risk data, undermining both security and operational efficiency.

Exam trap

The trap here is that candidates mistake a downstream benefit (like enabling encryption or meeting compliance) for the primary purpose, when the core goal is to drive risk-based security control selection based on data sensitivity.

How to eliminate wrong answers

Option A is wrong because enabling encryption of all sensitive data is a specific control outcome, not the primary purpose of classification; classification informs which data requires encryption, but the scheme itself does not enforce encryption. Option B is wrong because meeting regulatory compliance requirements is a benefit or driver for classification, but not its primary purpose; compliance mandates often require classification, but the scheme's core goal is to guide control selection, not merely to check a compliance box. Option C is wrong because defining data retention periods is a separate data lifecycle management function typically governed by a retention policy or schedule, not by the classification scheme; classification labels may influence retention, but the primary purpose is not to set retention durations.

50
MCQmedium

A security auditor discovers that a server has been compromised due to an unpatched vulnerability. Which of the following would have most effectively prevented this incident?

A.Enabling firewall rules to limit access.
B.Implementing a vulnerability management program with regular patching.
C.Installing a host-based intrusion detection system (HIDS).
D.Using strong passwords on the server.
AnswerB

Correct. Regular patching addresses root cause by eliminating known vulnerabilities.

Why this answer

Option B is correct because a vulnerability management program with regular patching directly addresses the root cause of the compromise: the unpatched vulnerability. By systematically identifying, prioritizing, and applying security patches, the organization eliminates the known weakness that the attacker exploited. This proactive measure prevents the initial compromise, whereas other controls only detect or limit the attack after the vulnerability is exploited.

Exam trap

The trap here is that candidates often choose a detective or preventive control (like a firewall or HIDS) that mitigates the attack surface or detects the breach, rather than recognizing that patching is the only option that eliminates the root cause of the vulnerability itself.

How to eliminate wrong answers

Option A is wrong because firewall rules limit network access but do not fix the underlying unpatched vulnerability; an attacker who gains access through an allowed port or via an internal vector can still exploit the unpatched flaw. Option C is wrong because a host-based intrusion detection system (HIDS) only detects suspicious activity after exploitation begins or has occurred; it does not prevent the initial compromise from an unpatched vulnerability. Option D is wrong because strong passwords protect against credential-based attacks, but they are irrelevant when the attacker bypasses authentication entirely by exploiting a software vulnerability that does not require valid credentials.

51
MCQeasy

Which of the following is the PRIMARY benefit of using a hardware security module (HSM) for key management?

A.It reduces the cost of key management.
B.It improves encryption speed.
C.It provides tamper-resistant storage for encryption keys.
D.It simplifies key distribution.
AnswerC

HSM provides secure key storage that is resistant to tampering.

Why this answer

The primary benefit of a hardware security module (HSM) is that it provides tamper-resistant, physically secured storage for encryption keys. HSMs are designed to protect keys from extraction or modification, even if an attacker gains physical access to the device, which is critical for maintaining the confidentiality and integrity of cryptographic operations. This aligns with the core purpose of an HSM: to safeguard the root of trust in a key management infrastructure.

Exam trap

The trap here is that candidates may confuse the security-focused purpose of an HSM with operational benefits like cost reduction or performance improvement, leading them to select options that describe side effects or unrelated advantages rather than the primary benefit.

How to eliminate wrong answers

Option A is wrong because HSMs typically increase the cost of key management due to the specialized hardware, certification, and maintenance required, not reduce it. Option B is wrong because HSMs are not primarily designed to improve encryption speed; in fact, they can introduce latency compared to software-based encryption, and their value lies in security, not performance. Option D is wrong because HSMs do not simplify key distribution; they are often used in conjunction with key management interfaces and protocols (e.g., PKCS#11, KMIP) and may add operational overhead for secure key exchange.

52
Multi-Selectmedium

Which of the following are key considerations when implementing a data classification policy? (Choose THREE.)

Select 3 answers
A.Encryption key management
B.Definition of classification categories
C.Backup frequency requirements
D.Handling and labeling procedures
E.Assignment of data owners
AnswersB, D, E

Categories (e.g., public, confidential) are essential.

Why this answer

Option B is correct because defining classification categories (e.g., Public, Internal, Confidential, Restricted) is the foundational step in a data classification policy. These categories establish the criteria for labeling and handling data based on sensitivity and criticality, directly enabling consistent protection controls across the organization.

Exam trap

ISACA often tests the distinction between policy-level definitions (classification categories, data owners, handling procedures) and operational controls (encryption, backup frequency), leading candidates to mistakenly select technical safeguards as key policy considerations.

53
MCQeasy

What is the FIRST step in implementing an identity and access management (IAM) program?

A.Selecting an IAM vendor.
B.Performing a user access review.
C.Implementing multi-factor authentication (MFA).
D.Deploying single sign-on (SSO).
AnswerB

Understanding current access is the foundational step.

Why this answer

Performing a user access review is the first step because it establishes a baseline of current access rights, identifies segregation of duties conflicts, and uncovers orphaned accounts or excessive privileges. Without this foundational assessment, subsequent IAM controls like SSO or MFA would be deployed on an insecure or non-compliant access framework, violating the principle of 'least privilege' and potentially failing audit requirements.

Exam trap

The trap here is that candidates often confuse 'first step' with 'most visible security control' and select MFA or SSO, forgetting that IAM must begin with a discovery and cleanup phase to ensure the foundation is secure before adding layers.

How to eliminate wrong answers

Option A is wrong because selecting an IAM vendor before understanding current access states and requirements leads to technology-driven decisions that may not align with organizational policy or regulatory needs. Option C is wrong because implementing multi-factor authentication (MFA) is a tactical control that should follow a baseline access review to ensure MFA is applied to the correct accounts and roles, not as a starting point. Option D is wrong because deploying single sign-on (SSO) without first reviewing and cleaning up existing user access rights can propagate excessive privileges across all connected systems, increasing risk rather than reducing it.

54
Multi-Selectmedium

Which TWO of the following are effective controls to prevent unauthorized access to sensitive data in a database? (Choose two.)

Select 2 answers
A.Database activity monitoring (DAM)
B.Strong password policy
C.Database encryption at rest
D.Regular patch management
E.Network segmentation
AnswersA, C

DAM detects and blocks unauthorized access.

Why this answer

Options A and C are correct. Database activity monitoring (DAM) detects and can block unauthorized queries. Encryption at rest protects data if the underlying storage is accessed directly.

How to eliminate wrong answers

Option B is wrong because strong passwords are good practice but not sufficient on their own. Option D is wrong because regular patching addresses vulnerabilities but not access control. Option E is wrong because network segmentation alone does not prevent access if credentials are compromised.

55
MCQmedium

Refer to the exhibit. An auditor notices this log entry during a review. The user john.doe does not have a legitimate business need to access executive salaries. Which of the following is the MOST likely control failure?

A.Database firewall misconfiguration
B.Audit logging is not enabled
C.Inadequate access controls or role-based permissions
D.Lack of encryption at rest
AnswerC

The user should not have SELECT privilege on the Employee_salaries table.

Why this answer

The log entry shows user john.doe successfully accessed executive salary data via a SELECT query. Since the user has no legitimate business need for this data, the most likely control failure is inadequate access controls or role-based permissions (RBAC). Proper RBAC would restrict access to sensitive columns or tables based on job function, preventing unauthorized queries regardless of other controls.

Exam trap

The trap here is that candidates may focus on the log entry's existence and incorrectly assume audit logging is the issue (Option B), when in fact the log proves logging works, and the real failure is the lack of preventive access controls that should have blocked the query before it executed.

How to eliminate wrong answers

Option A is wrong because a database firewall misconfiguration might allow or deny traffic at the network layer, but it does not typically enforce granular row- or column-level access based on user identity within a query; the log shows the query succeeded, indicating the firewall (if present) allowed it, but the core issue is that the user should not have been permitted to see the data at all. Option B is wrong because audit logging is clearly enabled—the log entry itself is evidence of logging; the failure is not the absence of logs but the absence of preventive controls. Option D is wrong because lack of encryption at rest protects data from physical theft or unauthorized file access, but it does not prevent an authenticated user from querying data through the application or database interface; encryption at rest would not have blocked this SELECT statement.

56
MCQmedium

An organization is implementing a data masking solution for a non-production database. Which of the following is the MOST important requirement?

A.Masked data should maintain referential integrity.
B.Masked data should be encrypted.
C.Masked data should be irreversible.
D.Masked data should be randomized across all columns.
AnswerA

Maintaining referential integrity ensures application functionality.

Why this answer

In a non-production database, data masking must preserve referential integrity to ensure that relationships between tables (e.g., foreign keys) remain valid after masking. Without referential integrity, application logic that relies on these relationships would break, making the non-production environment unusable for testing or development. This is the most critical requirement because masked data must still function correctly within the database schema.

Exam trap

The trap here is that candidates often confuse data masking with encryption or hashing, assuming irreversibility or encryption are the top priorities, but the CISA exam emphasizes that the primary goal in a non-production environment is usability and data integrity, not cryptographic security.

How to eliminate wrong answers

Option B is wrong because encryption is a security control for data at rest or in transit, not a masking requirement; masked data is already obfuscated and does not need encryption to fulfill its purpose. Option C is wrong because irreversibility is a property of hashing or tokenization, not a mandatory requirement for data masking; masking can be reversible (e.g., using deterministic substitution) as long as the original data is not exposed. Option D is wrong because randomizing data across all columns would destroy referential integrity and consistency; masking often uses deterministic algorithms to maintain relationships and data distribution patterns.

57
Multi-Selecteasy

Which of the following are effective controls to protect sensitive data in use? (Choose TWO.)

Select 2 answers
A.Transport Layer Security (TLS)
B.Access control lists (ACLs)
C.Homomorphic encryption
D.Data masking
E.Hashing
AnswersC, D

Homomorphic encryption allows computations on ciphertext without decrypting.

Why this answer

Homomorphic encryption allows computations to be performed directly on encrypted data without decrypting it first, thereby protecting the data while it is in use. This is a critical control for scenarios where sensitive data must be processed by untrusted environments, as the plaintext is never exposed during processing.

Exam trap

The trap here is that candidates often confuse controls for data in transit (TLS) or data at rest (ACLs, hashing) with controls for data in use, failing to recognize that homomorphic encryption and dynamic data masking are specifically designed to protect data during active processing.

58
Multi-Selecteasy

Which THREE of the following are commonly used data encryption standards? (Choose three.)

Select 3 answers
A.3DES
B.SHA-256
C.RSA
D.AES
E.MD5
AnswersA, C, D

Triple DES, symmetric encryption.

Why this answer

3DES (Triple Data Encryption Standard) is a symmetric-key block cipher that applies the DES algorithm three times to each data block, effectively increasing the key length to 168 bits. It was widely adopted as a secure replacement for single DES, though it is now considered legacy due to performance and security limitations.

Exam trap

The trap here is confusing cryptographic hash functions (SHA-256, MD5) with encryption standards, leading candidates to select them as methods for protecting data confidentiality rather than integrity.

59
MCQmedium

An organization is implementing a data classification policy and needs to assign ownership for sensitive data. Which of the following is the most appropriate role to assign as the data owner?

A.The chief information security officer (CISO)
B.The system administrator of the database
C.The head of the business unit that creates and uses the data
D.The legal counsel responsible for compliance
AnswerC

The business unit head is accountable for the data's classification and protection.

Why this answer

The data owner is the person or entity with ultimate accountability for a specific dataset, typically a senior business manager who understands the data's value, legal requirements, and usage context. In this scenario, the head of the business unit that creates and uses the data is best positioned to classify the data, authorize access, and ensure compliance with the data classification policy, as they have direct business responsibility for the data's lifecycle.

Exam trap

The trap here is confusing the data owner (business accountability) with the data custodian (technical implementation) or the data steward (compliance oversight), leading candidates to incorrectly select the CISO or system administrator.

How to eliminate wrong answers

Option A is wrong because the CISO is a security advisor and enforcer, not the business owner; they lack the business context to determine data classification and usage rules. Option B is wrong because the system administrator is a custodian who implements technical controls (e.g., access control lists, encryption) but does not have ownership authority or business accountability for the data. Option D is wrong because legal counsel provides compliance guidance but does not own the data operationally; ownership must reside with the business unit that creates and uses the data.

60
MCQmedium

An organization uses risk-based authentication (RBA) for user access. Which of the following factors would MOST likely trigger a step-up authentication?

A.User logging in from a known device.
B.User accessing sensitive data from an unusual location.
C.User entering correct password.
D.User logging in during business hours.
AnswerB

Unusual location indicates higher risk and may trigger step-up.

Why this answer

Risk-based authentication (RBA) evaluates the risk level of each access attempt based on contextual factors. An unusual location is a high-risk indicator because it deviates from the user's established behavioral baseline, often triggering step-up authentication (e.g., requiring a one-time passcode or biometric verification) to verify the user's identity before granting access to sensitive data.

Exam trap

The trap here is that candidates may confuse 'step-up authentication' with 'multi-factor authentication' and assume any deviation from normal triggers it, but only high-risk anomalies (like unusual location or impossible travel) typically do, while low-risk factors like known devices or business hours do not.

How to eliminate wrong answers

Option A is wrong because logging in from a known device is a low-risk factor that typically reduces the authentication burden rather than triggering step-up. Option C is wrong because entering a correct password is the baseline authentication requirement and does not itself indicate elevated risk; step-up is triggered by anomalous context, not by successful password entry. Option D is wrong because logging in during business hours is a normal, expected behavior that aligns with low-risk profiles and would not prompt additional verification.

61
MCQeasy

When implementing a data classification policy, which of the following roles is PRIMARILY responsible for assigning classification labels to data?

A.Data custodian.
B.Data owner.
C.Data user.
D.Data steward.
AnswerB

Data owner has authority and responsibility for classification.

Why this answer

The data owner is the senior manager or business process owner who has the authority to determine the sensitivity and criticality of the data. They are primarily responsible for assigning classification labels because they understand the business impact if the data is compromised. This role defines the classification level (e.g., Public, Internal, Confidential, Restricted) based on the data's value and legal or regulatory requirements.

Exam trap

ISACA often tests the distinction between data owner (who assigns classification) and data custodian (who implements controls), leading candidates to mistakenly choose the custodian because they confuse technical implementation with business ownership.

How to eliminate wrong answers

Option A is wrong because the data custodian (e.g., database administrator or system administrator) is responsible for implementing technical controls (access controls, encryption, backups) based on the classification assigned by the owner, not for assigning the labels themselves. Option C is wrong because the data user is an end-user who accesses data according to the policies and permissions set by the owner; they have no authority to assign classification labels. Option D is wrong because the data steward focuses on data quality, metadata management, and governance processes (e.g., data dictionary maintenance, data lineage) but does not have the business authority to determine the sensitivity or assign the classification label.

62
MCQmedium

An organization is planning to deploy a web application firewall (WAF) to protect a critical application. Which deployment mode should be used to ensure that the WAF can block malicious traffic without introducing a single point of failure?

A.Inline with high-availability clustering.
B.Out-of-band monitoring only.
C.Transparent inline without failover.
D.Reverse proxy with active-passive clustering.
AnswerA

Provides blocking and redundancy.

Why this answer

Inline with high-availability clustering ensures the WAF can actively inspect and block malicious traffic in real time while eliminating a single point of failure through automatic failover between clustered appliances. This mode maintains traffic flow even if one WAF node fails, meeting both security and availability requirements.

Exam trap

The trap here is that candidates confuse 'high-availability clustering' with 'active-passive clustering,' assuming both eliminate single points of failure equally, but active-passive still has a failover delay and potential traffic loss.

How to eliminate wrong answers

Option B is wrong because out-of-band monitoring only allows the WAF to observe traffic and generate alerts without the ability to block malicious requests, failing the requirement to block traffic. Option C is wrong because transparent inline without failover introduces a single point of failure; if the WAF fails, traffic is dropped or bypassed, disrupting availability. Option D is wrong because reverse proxy with active-passive clustering still has a single point of failure if the active node fails and failover is not instantaneous or automatic, and it does not guarantee high availability as effectively as active-active clustering.

63
MCQeasy

During an incident response, the IT team isolates a compromised system from the network. Which of the following is the primary purpose of this action?

A.To preserve evidence for forensic analysis.
B.To allow the system to be patched offline.
C.To comply with regulatory requirements.
D.To prevent further damage and contain the incident.
AnswerD

Correct. Isolation contains the threat and reduces impact.

Why this answer

Isolating a compromised system from the network (e.g., by disconnecting the Ethernet cable, disabling the switch port, or applying a host-based firewall rule to drop all traffic) immediately stops the system from communicating with other hosts. This containment action prevents the attacker from moving laterally, exfiltrating data, or deploying additional malware, thereby limiting the blast radius and stopping ongoing damage.

Exam trap

The trap here is that candidates confuse 'preserving evidence' (a forensic goal) with 'containing the incident' (the immediate operational goal), leading them to choose Option A even though isolation is primarily about stopping the attack, not about evidence handling.

How to eliminate wrong answers

Option A is wrong because isolation is a containment step, not a preservation step; while it can help preserve volatile evidence by preventing remote tampering, the primary purpose is containment, and forensic preservation requires specific steps like creating a bit-for-bit image before any changes. Option B is wrong because patching offline is a remediation activity that occurs after containment; the immediate goal is to stop the attack, not to prepare the system for patching. Option C is wrong because compliance requirements may mandate containment, but the primary operational purpose is to prevent further damage, not to satisfy a regulation.

64
MCQhard

A company stores sensitive customer data in a database. To comply with privacy regulations, the data must be anonymized for analytics. Which technique provides the strongest anonymization while preserving data utility?

A.Differential privacy with calibrated noise.
B.Tokenization with a reversible mapping.
C.Removing direct identifiers like names and SSNs.
D.Data masking with static substitution.
AnswerA

Correct. Differential privacy provides mathematical guarantees against re-identification while allowing statistical queries.

Why this answer

Differential privacy with calibrated noise is the strongest anonymization technique because it provides a formal mathematical guarantee that the output of a query does not reveal whether any specific individual's data was included. By adding carefully calibrated noise to query results, it preserves statistical utility for analytics while ensuring that re-identification is provably infeasible, meeting strict privacy regulations like GDPR or CCPA.

Exam trap

The trap here is that candidates often confuse pseudonymization (e.g., tokenization) with anonymization, or assume that simply removing direct identifiers is sufficient, failing to recognize that re-identification via quasi-identifiers is a well-known attack vector in privacy regulations.

How to eliminate wrong answers

Option B is wrong because tokenization with a reversible mapping is not anonymization; it is pseudonymization, as the original data can be recovered via the mapping table, which does not meet the irreversible anonymization required by privacy regulations. Option C is wrong because removing direct identifiers like names and SSNs alone leaves quasi-identifiers (e.g., ZIP code, age, gender) that can be combined with external data to re-identify individuals through linkage attacks, providing weak anonymization. Option D is wrong because data masking with static substitution (e.g., replacing values with fixed characters) is a form of obfuscation that does not preserve data utility for analytics (e.g., masked values lose statistical properties) and can often be reversed if the masking pattern is known or inferred.

65
MCQhard

Refer to the exhibit. This log entry MOST likely indicates:

A.An attempt to escalate privileges or lateral movement
B.A scheduled backup using the service account
C.A brute-force attack
D.Normal administrative activity
AnswerA

Using explicit admin credentials from a service account to another server via WMI is a common lateral movement technique.

Why this answer

The log entry shows a service account (svc_backup) executing commands that create a new local user and add it to the Administrators group, which is a classic privilege escalation technique. The use of net user and net localgroup commands from a service account indicates an attempt to gain unauthorized administrative access, often as a precursor to lateral movement. This is not normal administrative activity because service accounts are typically restricted to specific tasks and should not be creating interactive user accounts.

Exam trap

The trap here is that candidates see a service account and assume it is legitimate backup activity, but the specific commands (net user /add, net localgroup Administrators) are clear indicators of privilege escalation, not routine maintenance.

How to eliminate wrong answers

Option B is wrong because a scheduled backup using a service account would involve backup-specific commands (e.g., wbadmin, robocopy, or backup software APIs) and would not include net user or net localgroup commands to create a new user. Option C is wrong because a brute-force attack would manifest as multiple failed login attempts (Event ID 4625) or repeated authentication failures, not a single successful command execution from an already-authenticated session. Option D is wrong because normal administrative activity would typically use a dedicated admin account, not a service account, and would follow change management procedures; creating a new user and adding it to the Administrators group is a high-risk action that is not routine.

66
MCQhard

Refer to the exhibit. A security analyst notices that users on the INSIDE network (10.1.1.0/24) can browse HTTPS websites but cannot resolve domain names. What is the most likely cause?

A.The ACL denies TCP traffic to port 443
B.The ACL only permits DNS traffic to host 10.2.2.10, but users need to query a different DNS server
C.The DNS server at 10.2.2.10 is unreachable
D.The OUTSIDE interface does not have its security-level configured correctly
AnswerB

The DNS request to an external server is denied because the ACL only allows UDP to 10.2.2.10.

Why this answer

The exhibit shows an ACL that permits DNS traffic (UDP port 53) only to host 10.2.2.10. Since users can browse HTTPS (TCP/443) but cannot resolve domain names, the ACL is blocking DNS queries to any other DNS server. Option B correctly identifies that the ACL restricts DNS to a single server, and if users are configured to query a different DNS server, resolution fails.

Exam trap

The trap here is that candidates assume DNS resolution failure must be due to a DNS server being unreachable (Option C), but the ACL is actually restricting the destination IP of DNS queries, not the protocol itself.

How to eliminate wrong answers

Option A is wrong because the ACL permits TCP traffic to port 443 (HTTPS), as evidenced by users successfully browsing HTTPS websites. Option C is wrong because if the DNS server at 10.2.2.10 were unreachable, users would not be able to resolve names at all, but the issue is that users are configured to query a different DNS server, not 10.2.2.10. Option D is wrong because the security-level configuration on the OUTSIDE interface affects traffic direction and stateful inspection, not DNS resolution; the problem is specifically an ACL filtering issue.

67
MCQeasy

An organization wants to protect its intellectual property from unauthorized disclosure via email. Which control should be implemented?

A.Encrypt all outgoing emails.
B.Implement a data loss prevention (DLP) system.
C.Disable email altogether.
D.Require employees to sign non-disclosure agreements.
AnswerB

Correct. DLP can inspect content and block unauthorized transmission of sensitive data.

Why this answer

Data loss prevention (DLP) solutions can monitor and block sensitive information from being sent via email, making it the most effective control for this purpose.

68
MCQmedium

An IT manager is reviewing the access control model for a financial application. The policy requires that no single person can approve a transaction. Which access control principle does this policy enforce?

A.Least privilege
B.Separation of duties
C.Mandatory access control
D.Need to know
AnswerB

Separation of duties requires multiple people to complete sensitive tasks.

Why this answer

The policy that no single person can approve a transaction enforces the separation of duties (SoD) principle. In financial applications, SoD requires that critical tasks, such as initiating and approving a transaction, be divided among multiple individuals to prevent fraud or error. This control ensures that no single user has the authority to complete a high-risk action alone, directly aligning with the requirement stated.

Exam trap

The trap here is that candidates confuse separation of duties with least privilege, but least privilege focuses on limiting permissions to the minimum needed, whereas separation of duties specifically requires dividing critical tasks among multiple users to prevent fraud or error.

How to eliminate wrong answers

Option A is wrong because least privilege restricts user permissions to the minimum necessary for their job function, but it does not inherently prevent a single user from approving a transaction if that approval is within their role. Option C is wrong because mandatory access control (MAC) enforces system-wide policies based on labels and clearances, not the division of task responsibilities among multiple users. Option D is wrong because need to know limits access to information required for a specific task, but it does not address the requirement that no single person can approve a transaction, which is a process control, not an information access restriction.

69
MCQhard

An organization has recently implemented a cloud-based identity provider (IdP) for single sign-on (SSO) across all SaaS applications. Users authenticate using their corporate credentials via SAML 2.0. After a week, the IT security team notices a significant increase in failed login attempts from various IP addresses targeting a specific user account. The helpdesk reports that the user, a senior executive, has not complained about any issues. The security team investigates and finds that the account lockout policy is set to 5 failed attempts within 15 minutes, after which the account is locked for 30 minutes. The failed attempts are occurring in bursts of 4, then stopping, then resuming from different IPs. The organization uses conditional access policies that require MFA from unknown locations. However, the failed attempts appear to be stopped at the authentication prompt and never reach the MFA stage. What is the most likely explanation and the best course of action?

A.The user's credentials have been compromised, and the attacker is testing them across the IdP. The organization should immediately force a password reset for the user and enable MFA for all users.
B.A misconfiguration in the IdP allows pre-authentication enumeration. The organization should disable account lockout and implement rate limiting at the application proxy.
C.The attacker is performing a password spraying attack, attempting to guess the password for that specific account. The organization should implement a CAPTCHA requirement after a few failed attempts.
D.The IdP is experiencing integration issues with the AD domain controller, causing authentication failures that are logged as failed attempts. The organization should check the synchronization status and network connectivity.
AnswerC

The burst pattern with IP rotation is classic password spraying. CAPTCHA or progressive delay will effectively slow automated attacks.

Why this answer

Option C is correct because the attack pattern—bursts of exactly 4 failed attempts (just below the lockout threshold of 5) from different IPs, then stopping—is a textbook password spraying attack. The attacker is trying commonly used passwords against a high-value account (senior executive) while deliberately avoiding account lockout to remain undetected. Since the attempts stop at the SAML authentication prompt and never reach MFA, the attacker is testing passwords against the IdP's SAML endpoint, which validates credentials before triggering conditional access policies.

Exam trap

The trap here is that candidates confuse a password spraying attack with a credential stuffing attack (Option A) or assume that any burst of failed attempts indicates a misconfiguration (Option B), when the key clue is the attacker deliberately staying below the lockout threshold to avoid detection.

How to eliminate wrong answers

Option A is wrong because the attacker is not testing already compromised credentials; they are attempting to guess the password, and forcing a password reset for only that user does not address the systematic guessing technique. Option B is wrong because pre-authentication enumeration would allow an attacker to determine valid usernames, but here the attacker already knows the specific user account and is targeting it with password guesses; disabling account lockout would remove the only protection against brute force. Option D is wrong because integration issues with AD would typically cause consistent failures for all users or show error patterns (e.g., timeouts, sync errors), not precise bursts of 4 attempts from varied IPs targeting a single executive account.

70
Drag & Dropmedium

Order the steps for responding to a security incident in the correct sequence.

Why this order

Incident response follows: detection, containment, eradication/recovery, review, and improvement.

71
Multi-Selecthard

Which TWO of the following are primary objectives of a data loss prevention (DLP) strategy?

Select 2 answers
A.Encrypt all data in transit
B.Identify and classify sensitive data
C.Replace all existing security controls
D.Monitor and control data movement across endpoints
E.Ensure compliance with all regulations
AnswersB, D

Correct. Understanding what sensitive data exists is fundamental to DLP.

Why this answer

Option B is correct because identifying and classifying sensitive data is the foundational step in a DLP strategy. Without knowing where sensitive data resides (e.g., PII, PCI, IP), DLP policies cannot accurately detect or prevent unauthorized transfers. Classification enables the DLP system to apply context-aware rules, such as blocking credit card numbers in email attachments or flagging confidential documents uploaded to cloud storage.

Exam trap

The trap here is that candidates confuse DLP's primary objectives (identify, monitor, control) with supporting or adjacent activities like encryption or compliance, leading them to select options A or E instead of the core DLP functions.

72
MCQhard

During an audit of a privileged access management (PAM) system, the auditor finds that privileged sessions are recorded but not reviewed. What is the primary risk?

A.Inability to detect real-time threats.
B.Increased administrative overhead.
C.Non-compliance with licensing agreements.
D.Missing evidence of malicious activity after an incident.
AnswerD

Recordings are useless without review, losing forensic value.

Why this answer

Recording privileged sessions without review means that while a log of activities exists, it is not analyzed for signs of compromise or policy violations. The primary risk is that after a security incident, the recorded sessions may be the only source of evidence to reconstruct the attack, but without prior review, the organization may fail to identify malicious activity in a timely manner or may lose critical forensic data if logs are overwritten or deleted before an incident is discovered.

Exam trap

The trap here is that candidates may confuse 'recording' with 'monitoring' and assume that recording alone provides security, but without review, the recordings are merely stored data with no active threat detection value.

How to eliminate wrong answers

Option A is wrong because real-time threats are typically detected by monitoring and alerting mechanisms (e.g., SIEM, anomaly detection), not by reviewing recorded sessions after the fact; the question states sessions are recorded but not reviewed, which does not preclude real-time detection tools. Option B is wrong because increased administrative overhead is a potential operational impact, not the primary risk; the core concern is security and forensic capability, not resource usage. Option C is wrong because non-compliance with licensing agreements is unrelated to session recording and review; licensing compliance concerns software usage rights, not security monitoring.

73
MCQeasy

An organization uses the access list above on its perimeter firewall. Which of the following is a valid conclusion?

A.All HTTP traffic from the 192.168.2.0 subnet is allowed.
B.All HTTPS traffic from the 192.168.1.0 subnet is allowed.
C.All traffic from the 192.168.2.0 subnet is allowed.
D.All traffic from the Internet to internal hosts is denied.
E.All traffic from 192.168.1.0 subnet is allowed on any port.
F.All traffic from the Internet is denied.
G.The ACL allows SSH traffic from 192.168.1.0 subnet.
AnswerB

Line 10 permits TCP on port 443 from that subnet.

Why this answer

Option B is correct because the access list permits TCP traffic from source network 192.168.1.0/24 to destination port 443 (HTTPS). The permit statement for TCP with eq 443 explicitly allows HTTPS traffic from that subnet, and there is no subsequent deny statement blocking it.

Exam trap

ISACA often tests the implicit deny all rule, where candidates mistakenly assume that traffic not explicitly permitted is allowed, when in fact it is denied by default.

How to eliminate wrong answers

Option A is wrong because the access list does not contain any permit statement for port 80 (HTTP); HTTP traffic from 192.168.2.0 subnet would be denied by the implicit deny all at the end. Option C is wrong because the access list only permits specific protocols (TCP on port 443, and possibly others) from 192.168.2.0 subnet, not all traffic; any non-matching traffic is denied. Option D is wrong because the access list permits certain traffic from internal subnets to the Internet, but it does not explicitly deny all traffic from the Internet to internal hosts; the implicit deny all applies to all unmatched traffic, but the question does not specify any inbound rules, so this conclusion is not valid based solely on the given list.

Option E is wrong because the access list does not permit all traffic from the 192.168.1.0 subnet on any port; it only permits TCP traffic to port 443, and other ports are denied by the implicit deny. The sixth option, "All traffic from the Internet is denied", is wrong because the access list permits specific traffic from internal subnets, so not all traffic from the Internet is denied; the implicit deny applies only to unmatched traffic, and the list does not explicitly deny all Internet traffic. The seventh option, "The ACL allows SSH traffic from 192.168.1.0 subnet", is wrong because the access list would permit SSH traffic (TCP port 22) only if a permit statement for it were present; the given list includes no permit for port 22, so SSH traffic from the 192.168.1.0 subnet would be denied.

74
MCQmedium

An organization is migrating sensitive customer data to a public cloud. Which of the following encryption strategies provides the STRONGEST protection against data exposure to the cloud provider?

A.Use transport layer security (TLS) for data in transit
B.Implement client-side encryption with keys managed on-premises
C.Encrypt data at rest using server-side encryption with AES-256
D.Enable the cloud provider's key management service
AnswerB

Client-side encryption ensures data is encrypted before leaving the premises, and the cloud provider never has access to plaintext or keys.

Why this answer

Client-side encryption with keys managed on-premises ensures that the cloud provider never has access to the encryption keys or the plaintext data. Even if the cloud provider's infrastructure is compromised or they have administrative access, the data remains encrypted and unreadable. This provides the strongest protection because the cloud provider is excluded from the cryptographic trust boundary.

Exam trap

The trap here is that candidates often confuse 'encryption at rest' or 'TLS' with full data protection, failing to realize that these methods still allow the cloud provider to access plaintext data either during processing or through key management access.

How to eliminate wrong answers

Option A is wrong because TLS only protects data in transit between the client and the cloud provider; once the data reaches the cloud provider's servers, it is decrypted and stored in plaintext, leaving it exposed to the provider. Option C is wrong because server-side encryption with AES-256 means the cloud provider manages the encryption process and typically has access to the keys (or can access them via their key management service), so the provider can decrypt the data at rest. Option D is wrong because enabling the cloud provider's key management service gives the provider control over the encryption keys, allowing them to decrypt the data if they choose or if compelled by legal request.

75
Multi-Selectmedium

Which THREE of the following are commonly accepted practices for securing mobile devices in an enterprise environment?

Select 3 answers
A.Install antivirus on all devices
B.Use containerization for corporate data
C.Enable remote wipe capability
D.Disable all third-party apps
E.Require complex passwords
AnswersB, C, E

Correct. Containerization separates corporate and personal data, enabling selective controls.

Why this answer

Containerization (Option B) is a commonly accepted practice for securing mobile devices in an enterprise environment because it creates a separate, encrypted workspace on the device that isolates corporate data and applications from personal data. This approach, often implemented through Mobile Device Management (MDM) or Enterprise Mobility Management (EMM) solutions, uses technologies like sandboxing and per-container encryption (e.g., AES-256) to prevent data leakage between the corporate and personal environments. It allows the enterprise to enforce security policies (e.g., remote wipe of only the container) without compromising the user's personal privacy, which is a key requirement for BYOD (Bring Your Own Device) programs.

Exam trap

The trap here is that candidates often confuse 'best practice' with 'maximum security' and incorrectly select Option D (disable all third-party apps) as a valid control, failing to recognize that enterprise security requires balancing usability with risk management, and that containerization is the standard approach for BYOD environments.
