CISA Data Management and Privacy Controls

Question 1

Which data classification level TYPICALLY requires the most stringent access controls and encryption?

Accepted Answer

Confidential/Restricted

Answer

Confidential or restricted data carries the highest sensitivity, requiring strict access controls, encryption, and audit logging.

Question 2

A data retention policy should PRIMARILY be based on:

Accepted Answer

Legal, regulatory, and business requirements for each data type

Answer

Retention periods must align with applicable laws, regulations, and contractual obligations specific to each data category.

Question 3

The principle of data minimization requires organizations to:

Accepted Answer

Collect and retain only the personal data necessary for a specific purpose

Answer

Data minimization limits collection to only what is needed, reducing privacy risk and regulatory exposure.

Question 4

Which of the following BEST describes data sovereignty?

Accepted Answer

The legal principle that data is subject to the laws of the country in which it is stored

Answer

Data sovereignty means that data stored in a particular country is governed by that country's laws and regulations.

Question 5

A database activity monitoring (DAM) tool PRIMARILY helps an IS auditor by:

Accepted Answer

Providing real-time visibility into who is accessing and modifying database data

Answer

DAM tools capture and analyze all database activity, enabling detection of unauthorized access, privilege abuse, and policy violations.

CISA - Certified Information Systems Auditor Practice Test