CISA - Certified Information Systems Auditor Protection of Information Assets Questions and Answers

Question 1

An IS auditor discovers that an organization has a data classification policy but has not assigned an owner to each information asset. Which of the following represents the GREATEST risk associated with this finding?

Accepted Answer

Lack of accountability for ensuring information assets are appropriately protected.

Answer

The primary role of an information asset owner is to be accountable for the protection of that asset. This includes responsibilities like determining the data's classification level and ensuring that adequate security controls are implemented and maintained. Without a designated owner, there is no clear line of accountability, which often leads to assets being unprotected or under-protected.

Question 2

An organization needs to encrypt a large database for data-at-rest protection. Performance is a key requirement, and the system processing the data is in a secure, controlled environment. Which of the following encryption methods is MOST appropriate for this scenario?

Accepted Answer

Symmetric encryption

Answer

Symmetric encryption uses a single key for both encryption and decryption, which is significantly faster and more computationally efficient than asymmetric encryption. This makes it the ideal choice for encrypting large volumes of data, such as entire databases or files at rest.

Question 3

Which of the following is the PRIMARY objective of implementing the principle of least privilege within an identity and access management program?

Accepted Answer

To limit the potential damage from a compromised account or insider threat.

Answer

The principle of least privilege dictates that a user should only be granted the minimum permissions necessary to perform their job functions. Its primary security goal is to reduce the 'attack surface' and limit the 'blast radius' of a security breach. If an account is compromised, the attacker's capabilities are restricted to only that account's minimal permissions, thus containing the potential damage.

Question 4

An IS auditor is reviewing the disposal process for retired server hard drives that contained highly sensitive proprietary research data. The current process involves reformatting the drives before sending them to an electronics recycler. The auditor's BEST recommendation would be to:

Accepted Answer

implement a process for physical destruction or degaussing prior to disposal.

Answer

Standard formatting does not remove data; it only removes file system pointers, leaving the data easily recoverable. For highly sensitive data, a more robust sanitization method is required to render the data infeasible to recover. According to NIST SP 800-88, physical destruction (e.g., shredding, disintegrating) or degaussing (for magnetic media) provides the highest level of assurance that data cannot be reconstructed.

Question 5

Within a Public Key Infrastructure (PKI), what is the primary role of a Certificate Authority (CA)?

Accepted Answer

To act as a trusted third party that binds a public key to a verified entity's identity.

Answer

The fundamental purpose of a Certificate Authority (CA) is to act as a trusted entity that vouches for the identity of a certificate holder. The CA verifies the identity of an individual, server, or organization and then issues a digital certificate that cryptographically binds that identity to a public key, establishing a chain of trust.

CISA - Certified Information Systems Auditor Practice Test

CISA - Certified Information Systems Auditor Practice Test

CISA - Certified Information Systems Auditor Protection of Information Assets Questions and Answers