Protection of Information Assets for CISA

This page covers the Protection of Information Assets domain of the CISA certification. Master Cybersecurity offers 576 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.

Sample Practice Questions

  1. Question 1

    Which of the following issues associated with a data center's closed circuit television (CCTV) surveillance cameras should be of MOST concern to an IS auditor?
    A. CCTV recordings are not regularly reviewed.
    B. CCTV records are deleted after one year.
    C. CCTV footage is not recorded 24 x 7.
    D. CCTV cameras are not installed in break rooms.
    Explanation

    The correct answer is: A. CCTV recordings are not regularly reviewed.

    If CCTV recordings are not regularly reviewed, the surveillance system functions only as a post-incident artifact and not as an effective deterrent or detective control, undermining the rationale for the camera investment because real-time deterrence requires that occupants believe someone is watching. ISO/IEC 27002 control 7.4 and NIST SP 800-53 PE-6 expect ongoing monitoring of physical surveillance. CCTV records being deleted after one year is generally an acceptable retention window for most organizations, and longer retention often violates privacy rules. Lack of 24-hour recording is a coverage concern but may be acceptable for facilities with after-hours physical lockdown and motion-activated alerts. Missing cameras in break rooms is low priority because break rooms typically do not host high-value assets. The absent review of recordings is the operational failure that nullifies the camera investment, which is why it is the auditor's primary concern.

  2. Question 2

    To confirm integrity for a hashed message, the receiver should use:
    A. the same hashing algorithm as the sender's to create a binary image of the file.
    B. a different hashing algorithm from the sender's to create a numerical representation of the file.
    C. a different hashing algorithm from the sender's to create a binary image of the file.
    D. the same hashing algorithm as the sender's to create a numerical representation of the file.
    Explanation

    The correct answer is: D. the same hashing algorithm as the sender's to create a numerical representation of the file.

    To verify integrity for a hashed message, the receiver must use the same hashing algorithm as the sender to recompute a numerical representation (digest) of the received message and compare it to the sender's hash; matching values confirm the bits arrived unchanged, while a mismatch reveals alteration or corruption in transit. Using a different hashing algorithm would produce a completely different digest by design and break verification entirely, regardless of whether the message was tampered with. Cryptographic hashes such as SHA-256 from the SHA-2 family or SHA-3 produce fixed-length numerical values (256 bits, 384 bits, 512 bits depending on variant), not binary images of the file; the binary-image phrasing in the wrong options reflects a misunderstanding of how hashing works. Same-algorithm, numerical-digest comparison is the integrity verification specified by NIST FIPS 180-4 and ISO/IEC 10118, and it is the only combination that lets the receiver detect changes between transmission and reception.
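    The check described above, written out as an added example (not code from the original page or from Master Cybersecurity): the receiver recomputes the digest with the same algorithm the sender used, compares it to the digest the sender supplied, and treats any mismatch as alteration. The sample messages and the function names `digest` and `verify_integrity` are constructed for this illustration. The example also shows the two failure modes the wrong options describe: a tampered message fails the comparison, and so does a correct message checked with a different algorithm, and it confirms the fixed digest lengths (256, 384, 512 bits) that the explanation quotes.

```python
import hashlib
import hmac

# Constructed sample payloads standing in for a transmitted file or message.
ORIGINAL = b"Wire transfer: pay 1,000.00 to account 12345"
TAMPERED = b"Wire transfer: pay 9,000.00 to account 12345"


def digest(data: bytes, algorithm: str = "sha256") -> str:
    """Return the hex digest of data under the named hashlib algorithm.

    Accepts any name hashlib knows, e.g. "sha256", "sha384", "sha512"
    (SHA-2 family) or "sha3_256" (SHA-3). The result is a fixed-length
    numerical value, not a copy or image of the input.
    """
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def digest_bits(algorithm: str) -> int:
    """Digest length in bits for the named algorithm (hex chars * 4)."""
    return len(digest(b"", algorithm)) * 4


def verify_integrity(received: bytes, sender_digest: str, algorithm: str = "sha256") -> bool:
    """Recompute the digest of the received bytes with the SAME algorithm the
    sender used and compare it with the digest the sender supplied.

    hmac.compare_digest is used so the comparison takes the same time whether
    the digests agree or not, which avoids leaking where they first differ.
    """
    recomputed = digest(received, algorithm)
    return hmac.compare_digest(recomputed, sender_digest)


def main() -> None:
    sender_digest = digest(ORIGINAL, "sha256")  # what the sender transmits alongside the message

    # Correct case: same bytes, same algorithm -> digests match.
    print("unchanged message, same algorithm :", verify_integrity(ORIGINAL, sender_digest))
    # Tampered case: one byte changed in transit -> digests differ.
    print("tampered message, same algorithm  :", verify_integrity(TAMPERED, sender_digest))
    # Wrong-option case: a different algorithm fails even though the message is intact.
    print("unchanged message, SHA-3 instead  :", verify_integrity(ORIGINAL, sender_digest, "sha3_256"))
    # Fixed digest sizes, independent of the input length.
    for name in ("sha256", "sha384", "sha512"):
        print(f"{name}: {digest_bits(name)}-bit digest")


if __name__ == "__main__":
    main()
```

    One caveat a practitioner should keep in mind: a bare hash only detects changes if the sender's digest itself arrives intact, so in real deployments the digest is delivered over a separate trusted channel, protected by an HMAC key shared with the receiver, or covered by a digital signature. The comparison logic is the same; only the source of the reference digest changes.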

  3. Question 3

    Which of the following should be the FIRST step in managing the impact of a recently discovered zero-day attack?
    A. Estimating potential damage
    B. Identifying vulnerable assets
    C. Evaluating the likelihood of attack
    D. Assessing the impact of vulnerabilities
    Explanation

    The correct answer is: B. Identifying vulnerable assets.

    Identifying vulnerable assets is the first step in managing the impact of a discovered zero-day attack because impact, damage, and likelihood all depend on knowing which systems are exposed, and that mapping must happen before any other analysis is meaningful. NIST SP 800-30 and SP 800-40 both begin response activity with exposure scoping. Estimating potential damage requires first knowing the universe of affected assets. Evaluating the likelihood of attack is an academic exercise without knowing which assets are reachable. Assessing the impact of vulnerabilities also depends on the exposure inventory; the asset identification step puts a concrete scope around the response and informs every subsequent prioritization decision the organization must make.

  4. Question 4

    Which of the following would be MOST effective to protect information assets in a data center from theft by a vendor?
    A. Conceal data devices and information labels.
    B. Issue an access card to the vendor.
    C. Monitor and restrict vendor activities.
    D. Restrict use of portable and wireless devices.
    Explanation

    The correct answer is: C. Monitor and restrict vendor activities.

    Monitoring and restricting vendor activities while they are inside the data center directly prevents theft because the vendor is supervised and cannot remove or access information assets beyond their authorized scope, in line with ISO/IEC 27002 control 7.4 (working in secure areas) and NIST SP 800-53 PE-3 (physical access controls). Active supervision and movement restriction are the operational control that limits the vendor's actions in real time. Concealing data devices and information labels reduces target identification slightly but a determined vendor with physical access can still walk past or pick up unmarked equipment. Issuing an access card identifies the vendor and may log their movement but does not constrain behavior once inside. Restricting use of portable and wireless devices is one narrower control that closes specific exfiltration channels but does not address physical theft. Monitoring and restriction is the comprehensive vendor-theft mitigation.

  5. Question 5

    An employee loses a mobile device resulting in loss of sensitive corporate data. Which of the following would have BEST prevented data leakage?
    A. Data encryption on the mobile device
    B. The triggering of remote data wipe capabilities
    C. Awareness training for mobile device users
    D. Complex password policy for mobile devices
    Explanation

    The correct answer is: B. The triggering of remote data wipe capabilities.

    Triggering remote data wipe capabilities best prevents data leakage from a lost mobile device because remote wipe actively erases the data once the device is reported lost, regardless of whether the finder has an opportunity to extract content. NIST SP 800-124 mobile device security guidance and most MDM platforms make remote wipe a primary loss-response control. Encryption protects data while the device is at rest but a determined adversary with the device and time may still attempt brute-force, side-channel, or unlock-screen attacks. Awareness training reduces the likelihood of loss but does not respond to actual loss. Complex passwords help but can be defeated; the active erasure of the data via remote wipe is the most direct way to ensure leaked data does not exist on the lost device.
