CISA - Certified Information Systems Auditor Protection of Information Assets Questions and Answers

Question 1

An IS auditor discovers that an organization has a data classification policy but has not assigned an owner to each information asset.
Which of the following represents the GREATEST risk associated with this finding?

Accepted Answer

Lack of accountability for ensuring information assets are appropriately protected.

Answer

Inconsistent application of security controls across different systems.

Answer

Increased costs for data storage due to improper data handling.

Answer

Inability to classify new information assets as they are created.

Question 2

An organization needs to encrypt a large database for data-at-rest protection. Performance is a key requirement, and the system processing the data is in a secure, controlled environment. Which of the following encryption methods is MOST appropriate for this scenario?

Accepted Answer

Symmetric encryption

Answer

Asymmetric encryption

Answer

Hashing

Answer

Digital signature

Question 3

Which of the following is the PRIMARY objective of implementing the principle of least privilege within an identity and access management program?

Accepted Answer

To limit the potential damage from a compromised account or insider threat.

Answer

To streamline the user access review and certification process.

Answer

To simplify the access control list (ACL) for network administrators.

Answer

To ensure users can perform all tasks associated with their job role without interruption.

Question 4

An IS auditor is reviewing the disposal process for retired server hard drives that contained highly sensitive proprietary research data. The current process involves reformatting the drives before sending them to an electronics recycler. The auditor's BEST recommendation would be to:

Accepted Answer

implement a process for physical destruction or degaussing prior to disposal.

Answer

overwrite the drives multiple times with random data patterns.

Answer

encrypt the drives using a strong algorithm before reformatting.

Answer

obtain a certificate of destruction from the third-party recycler.

Question 5

Within a Public Key Infrastructure (PKI), what is the primary role of a Certificate Authority (CA)?

Accepted Answer

To act as a trusted third party that binds a public key to a verified entity's identity.

Answer

To securely generate and store the private keys for all entities in the infrastructure.

Answer

To encrypt and decrypt messages exchanged between two communicating parties.

Answer

To define the security policies for certificate usage and key management.

Question 6

A company is concerned that its employees may be accidentally or maliciously sending sensitive customer lists via corporate email to external parties. Which of the following would be the MOST effective control to detect and prevent this specific type of data exfiltration?

Accepted Answer

Implementing a network-based Data Loss Prevention (DLP) solution.

Answer

Implementing end-to-end email encryption.

Answer

Conducting regular security awareness training on data handling.

Answer

Deploying a host-based intrusion prevention system (HIPS) on all workstations.