When applying the Top Threats Analysis methodology following an incident, what is the scope of the technical impact identification step? A. Determine the impact on the controls that were selected by the organization to respond to identified risks. B. Determine the impact on confidentiality, integrity and availability of the information system. C. Determine the impact […]

Which of the following approaches encompasses social engineering of staff, bypassing of physical access controls and penetration testing? A. Blue team B. White box C. Gray box D. Red team Reference: https://www.isaca.org/resources/isaca-journal/issues/2016/volume-5/planning-for-information-security-testinga-practical-approach

An auditor identifies that a CSP received multiple customer inquiries and RFPs during the last month. Which of the following should be the BEST recommendation to reduce the CSP burden? A. CSP can share all security reports with customers to streamline the process. B. CSP can schedule a call with each customer. C. CSP can […]

Policies and procedures shall be established, and supporting business processes and technical measures implemented, for maintenance of several items ensuring continuity and availability of operations and support personnel. Which of the following controls BEST matches this control description? A. Operations Maintenance B. System Development Maintenance C. Equipment Maintenance D. System Maintenance Reference: https://www.sapidata.sm/img/cms/CAIQ_v3-1_2020-01-13.pdf (2)

The PRIMARY objective of an audit initiation meeting with a cloud audit client is to: A. select the methodology of an audit. B. review requested evidence provided by the audit client. C. discuss the scope of the cloud audit. D. identify resource requirements of the cloud audit.

When a client’s business process changes, the CSP SLA should: A. be reviewed, but the SLA cannot be updated. B. not be reviewed, but the cloud contract should be cancelled immediately. C. not be reviewed as the SLA cannot be updated. D. be reviewed and updated if required. Reference: http://www.diva-portal.org/smash/get/diva2:1312384/FULLTEXT01.pdf

SAST testing is performed by: A. scanning the application source code. B. scanning the application interface. C. scanning all infrastructure components. D. performing manual actions to gain control of the application. Explanation: SAST analyzes application code offline. SAST is generally a rules-based test that will scan software code for items such as credentials embedded into […]

Organizations maintain mappings between the different control frameworks they adopt to: A. help identify controls with common assessment status. B. avoid duplication of work when assessing compliance. C. help identify controls with different assessment status. D. start a compliance assessment using latest assessment. Reference: https://www.isaca.org/resources/news-and-trends/industry-news/2019/employing-cobit-2019-for-enterprise-governance-strategy

After finding a vulnerability in an internet-facing server of an organization, a cybersecurity criminal is able to access an encrypted file system and successfully manages to overwrite part of some files with random data. In reference to the Top Threats Analysis methodology, how would you categorize the technical impact of this incident? A. As an […]

Network environments and virtual instances shall be designed and configured to restrict and monitor traffic between trusted and untrusted connections. These configurations shall be reviewed at least annually, and supported by a documented justification for use for all allowed services, protocols, ports, and by compensating controls. Which of the following controls BEST matches this control […]