2025年國(guó)際注冊(cè)信息系統(tǒng)審計(jì)師（CISA）資格考試（英文版）全真模擬試題及答案二1.Single-ChoiceQuestions(1markeach)1.1AnISauditorisreviewingtheconfigurationofanewlydeployedintrusion-preventionsystem(IPS).WhichofthefollowingfindingsrepresentstheHIGHESTrisk?A.TheIPSisplacedbehindthefirewallratherthaninfrontofit.B.TheIPSisconfiguredtofail-closed.C.TheIPSsignaturesethasnotbeenupdatedfor45days.D.TheIPSmanagementinterfaceisaccessibleonlyviaanout-of-bandnetwork.Answer:CExplanation:Anoutdatedsignaturesetallowsknownattackpatternstopassundetected,defeatingtheprimarypurposeoftheIPS.Placementbehindthefirewall(A)isacommonarchitecturechoice,fail-closed(B)isasecuredefault,andout-of-bandmanagement(D)isarecommendedcontrol.1.2Duringapost-implementationreviewofanERPfinancialmodule,theauditornotesthatsegregation-of-dutiesconflictsexistforthe“createvendor”and“approvevendor”functions.WhichcompensatingcontrolBESTmitigatestheriskofvendormasterdatafraud?A.Monthlyreconciliationofthevendorlisttothegeneralledger.B.DualauthorizationforallpaymentsaboveUSD10000.C.Dailyexceptionreportofvendorchangesreviewedbyasupervisornotinvolvedinvendormaintenance.D.Hashtotalsonvendorbatchuploads.Answer:CExplanation:Adailyexceptionreportprovidestimelydetectionofunauthorizedvendorchangesandisperformedbyanindependentparty,directlyaddressingthesegregationissue.1.3Acompany’scloudriskregisterindicatesthattheCSPhasfulldiskencryptionenabledbutdoesnotsupportcustomer-managedkeys.TheauditorisMOSTconcernedwithwhichofthefollowingrisks?A.Dataremanence.B.Vendorlock-in.C.Unauthorizedsubpoenaaccess.D.Cross-tenantdataleakage.Answer:CExplanation:WhentheCSPholdsthekeys,lawfuldatadisclosureviasubpoenacanoccurwithoutthecustomer’sknowledge,creatingconfidentialityriskforsensitivedata.1.4WhichofthefollowingprovidestheSTRONGESTevidencethatavulnerability-managementprogramiseffective?A.PercentageofcriticalpatchesdeployedwithinSLA.B.Numberofvulnerabilitiesdiscoveredperquarter.C.Meantimetodetect(MTTD)fornewvulnerabilities.D.Percentageofsystemsscannedatleastweekly.Answer:AExplanation:SLAcompliancemeasuresactualremediation,whereasB,CandDmeasurediscoveryorcoverage,notcontroleffectiveness.1.5AnISauditorisevaluatingtheuseofroboticprocessautomation(RPA)botsintheaccounts-payableprocess.WhichriskisUNIQUEtoRPAcomparedwithtraditionalITapplications?A.Inadequatechange-managementprocedures.B.Credentialhijackingviathebotidentity.C.Lackofaudittrail.D.Business-logicflaws.Answer:BExplanation:Botsauthenticatewithprivilegedserviceaccounts;ifthosecredentialsarecompromised,attackersinheritthebot’spermissionsacrossmultiplesystems.1.6Azero-trustnetworkarchitectureisbeingpiloted.WhichcontrolBESTdemonstratesthatthe“nevertrust,alwaysverify”principleisoperationalizedforprivilegedusers?A.Jumpserverswithsessionrecording.B.Just-in-time(JIT)elevationapprovedviaworkflowandrevokedautomatically.C.Multi-factorauthentication(MFA)onVPNlogin.D.Annualrecertificationofprivilegedaccounts.Answer:BExplanation:JITelevationenforcescontinuousverificationatthemomentofprivilegeuse,aligningdirectlywithzero-trusttenets.1.7Duringablockchainsmart-contractaudit,theauditorfindsthatthecontractcodeisimmutableandnoupgradeproxypatternisimplemented.TheGREATESTconcernis:A.Gasoptimization.B.Logicbugscannotbepatched.C.Front-runningattacks.D.Privatekeyloss.Answer:BExplanation:Immutabilitypreventscorrectionofdiscoveredvulnerabilities,exposingassetstopotentialexploitationindefinitely.1.8Anorganizationusesadata-loss-prevention(DLP)solutiontomonitoroutbounde-mails.WhichmetricBESTindicatesthattheDLPprogramsupportsregulatorycompliance?A.Percentageoffalsepositives.B.Numberofincidentsescalatedtolegal.C.Percentageofoutbounde-mailsinspected.D.Percentageofpolicyviolationsresolvedwithinregulatorydeadline.Answer:DExplanation:Timelyresolutionwithinlegaldeadlinesdemonstratescomplianceperformance;othermetricsmeasureefficiencyorcoverage.1.9WhichofthefollowingisthePRIMARYadvantageofusingcontinuousauditingmethodologiesoverperiodicauditing?A.Lowercost.B.Real-timeassuranceonkeycontrols.C.Reducedneedforstatisticalsampling.D.Enhancedauditorindependence.Answer:BExplanation:Continuousauditingprovidesfeedbackoncontroleffectivenessclosetothetimeofoccurrence,enablingrapidremediation.1.10AnISauditorreviewingaDevOpspipelineobservesthatstaticapplication-security-testing(SAST)scansareexecutedonlyduringtheintegrationstage.TheBESTrecommendationisto:A.ReplaceSASTwithdynamictesting(DAST).B.ShiftSASTlefttothecommitstage.C.Performmanualcodereviewinstead.D.RunSASTnightly.Answer:BExplanation:Earlydetection(shift-left)reducesremediationcostandpreventsvulnerablecodefromadvancingthroughthepipeline.1.11Acompany’sBYODpolicyrequiresmobiledevicemanagement(MDM)enrollment.EmployeesdiscoveredtheycanbypassMDMbyuninstallingtheprofile.WhichcontrolBESTenforcescompliance?A.Networkaccesscontrol(NAC)blockingnon-enrolleddevices.B.Acceptable-usepolicyacknowledgements.C.Containerizationofcorporatedata.D.Geofencingrestrictions.Answer:AExplanation:NACpreventsnetworkconnectivityfornon-compliantdevices,providingtechnicalenforcement.1.12AnorganizationadoptedNISTSP800-53.TheauditorismappingcontrolstoISO27001.WhichofthefollowingistheGREATESTchallenge?A.Differentcontrolobjectives.B.Differentcontrolassurancelevels.C.Differentcontroltaxonomies.D.Differentrisk-assessmentmethodologies.Answer:CExplanation:Taxonomicdifferences(familiesvs.domains)complicatedirectmapping,evenwhencontrolintentsoverlap.1.13ASOC-as-a-serviceproviderclaims99.999%uptime.Theauditorwantstovalidatetheassertion.WhichdocumentprovidestheMOSTreliableevidence?A.SOC2TypeIIreport.B.Penetration-testsummary.C.Marketingbrochure.D.BCPtestresults.Answer:AExplanation:SOC2TypeIIcontainsauditor-validateduptimemetricsoveradefinedperiod.1.14Adata-centerhasN+1UPSredundancybutsingle-stringpowerdistribution.Theauditorconcludesthat:A.ThedesignmeetsTierIIIrequirements.B.ThedesignmeetsTierIIrequirements.C.ThedesignmeetsTierIVrequirements.D.ThedesignisbelowTierI.Answer:BExplanation:TierIIhasredundantcapacitycomponents(N+1UPS)butsinglepathforpowerdistribution.1.15WhichofthefollowingistheMOSTimportantprerequisiteforimplementingsinglesign-on(SSO)acrossmultipleSaaSapplications?A.Role-basedaccesscontrol(RBAC)B.Centralizedidentitygovernance.C.Security-assertion-markup-language(SAML)support.D.User-provisioningworkflow.Answer:CExplanation:SAML(orequivalentfederationprotocol)istechnicallyrequiredforSSOintegration.1.16AnISauditorisreviewingencryptionkeyescrowprocedures.ThePRIMARYconcernis:A.Keylength.B.Keyexposuretoescrowagent.C.Keyrotationfrequency.D.Algorithmstrength.Answer:BExplanation:Escrowintroducesathird-partycustodian;compromiseoftheescrowagentunderminesconfidentiality.1.17Acompany’sAI-basedfraud-detectionmodelhasaprecisionof98%andrecallof70%.TheauditorisMOSTconcernedwith:A.Highfalse-positiverate.B.Highfalse-negativerate.C.Overfitting.D.Modeldrift.Answer:BExplanation:Lowrecall(70%)implies30%offraudcasesaremissed(falsenegatives),creatingfinancialrisk.1.18WhichofthefollowingBESTdemonstratesthatITstrategyisalignedwithbusinessstrategy?A.ITbalancedscorecardreviewedbytheboardquarterly.B.AnnualITbudgetincrease.C.ITprojectportfoliomappedtobusinessobjectives.D.SLAattainmentabove95%.Answer:CExplanation:ExplicitmappingshowsdirectcontributionofITinvestmentstobusinessgoals.1.19Duringaransomwareincident,theorganizationactivatesitscrisis-communicationplan.Theauditornotesthattheplandoesnotincludepre-approvedtemplatesforcustomernotification.Theriskis:A.Regulatoryfines.B.Reputationaldamage.C.Delayedcontainment.D.Increasedrecoverycost.Answer:BExplanation:Inconsistentordelayedcustomercommunicationerodesstakeholdertrust.1.20Adatabaseadministratorclaimsthattransparentdataencryption(TDE)eliminatestheneedforcolumn-levelencryptionofcredit-cardnumbers.Theauditor’sBESTresponseis:A.TDEprotectsonlydata-at-rest;column-levelencryptionprovidesfiner-grainedaccesscontrol.B.TDEisweakerthanAES-256.C.TDEincreasesCPUoverhead.D.TDEdoesnotsupportkeyrotation.Answer:AExplanation:TDEencryptstheentiredatabasefile;column-levelencryptionrestrictsaccessforspecificusersorapplications.2.Multiple-ChoiceQuestions(2markseach,0.5negative)2.1WhichofthefollowingarePRIMARYobjectivesofasecuresoftware-supply-chainprogram?(Choose3)A.Preventinsertionofmaliciousdependencies.B.Ensurelicensecompliance.C.Enforcecode-reviewmetrics.D.Provideimmutablebuildartifacts.E.Eliminatestaticanalysisfalsepositives.Answer:A,B,D2.2Anorganizationismigratingtoamicro-servicesarchitecture.WhichrisksareINCREASED?(Choose2)A.Service-to-serviceauthenticationcomplexity.B.Attacksurfacereduction.C.Secret-sprawlacrosscontainers.D.Singlepointoffailure.Answer:A,C2.3Whichofthefollowingarevalidcomponentsofazero-knowledgeproof(ZKP)protocol?(Choose2)A.ProverB.CertificateauthorityC.VerifierD.RegistrationauthorityAnswer:A,C2.4Acompany’sprivacynoticemustaddresswhichGDPRprinciples?(Choose3)A.PurposelimitationB.DataminimizationC.StoragelimitationD.AccuracyE.ConfidentialityAnswer:A,B,C2.5Whichtestsshouldbeincludedinadisaster-recoverydrillforacriticalOLTPsystem?(Choose3)A.TransactionintegrityverificationB.NetworklatencysimulationC.RTOmeasurementD.Point-in-timerecoveryvalidationE.ApplicationfunctionalitycheckAnswer:A,C,E3.Scenario-BasedQuestions(5markseach)Scenario1Amultinationalbankoperatesanactive–activedata-centertopologyacrosstwocontinents.Databasereplicationissynchronouswithinthesameregionandasynchronousacrossregions.Duringaplannedfirewallupgrade,theinter-regionlinkexperiences350mslatencyspikes,causingreplicationlag.Thebank’sriskappetitestatesthattherecoverypointobjective(RPO)forcross-regionfailovermustnotexceed5minutes.TheauditorisaskedtoevaluatewhetherthearchitecturestillmeetstheRPOunderdegradednetworkconditions.Required:a.Identifythecontrolweakness.(1mark)b.Calculatethetheoreticaldatalossiftheasynchronouslagreaches5minutes.(1mark)c.Recommendtwocorrectiveactions.(2marks)d.Stateonemetrictheauditorshouldrequesttomonitorongoingcompliance.(1mark)Answer:a.Theasynchronousreplicationlagcanexceed5minunderhighlatency,violatingtheRPO.b.5min×transactionthroughput(e.g.,2000tps)×averagetransactionsize(e.g.,16KB)≈9.6GB.c.(i)Implementadaptivethrottlingthatpausesnon-criticalbatchjobstoprioritizereplicationtraffic.(ii)DeploycompressionandWANoptimizationappliancestoreducelatency.d.Real-timereplicationlaginseconds,visibleontheSOCdashboard,withalertingthresholdat240s(80%of5min).Scenario2AcitygovernmentdeployedIoTsensorsontrafficlightstocollectreal-timecongestiondata.Sensorstransmitover5GtoacloudAPIgateway.AnISauditordiscoveredthatfirmwareupdatesaredeliveredviaunencryptedHTTPandthatdeviceidentityisbasedonMACaddressonly.Anattackercouldspoofsensordata,causingtrafficchaos.Required:a.Listtwospecificthreats.(1mark)b.Identifythemostcriticalvulnerability.(1mark)c.Providethreeremediationstepsrankedbypriority.(3marks)Answer:a.(i)Firmwaredowngradeattack.(ii)Sensordatainjection.b.LackofmutualTLSforfirmwaredownload.c.(1)EnforcemutualTLSbetweensensorandgatewaywithuniqueclientcertificates.(2)Implementcode-signingverificationbeforefirmwareflash.(3)ReplaceMAC-basedauthwithX.509certificatesissuedbyaprivateCA.4.CaseStudy(10marks)Case:FinCloudLtd.,afintechstart-up,operatesacryptocurrencywalletplatform.Theplatformarchitectureincludes:-Webandmobilefrontends-RESTfulAPIlayerrunningonKubernetesinAWSEKS-PostgreSQLclusterwithAES-256encryptionatrest-AWSKMSforkeymanagement-CI/CDpipelineinGitLabSaaS-CustomerassetsstoredincoldwalletssignedbyHSMs-SOC2TypeIIreportavailable,dated14monthsagoTheISauditorengagedbyaprospectiveinvestorhas3weekstoissueanopinionontheadequacyofcontrolsbeforeaUSD20millionSeries-Bclosing.Auditfindingsexcerpt:F1.TheGitLabrepositoryallowsdeveloperstopushdirectlytothemainbranchwithoutmergerequest(MR)approval.F2.Kubernetesrole-basedaccesscontrol(RBAC)grantsthedefaultserviceaccountcluster-adminrights.F3.DatabaseautomatedbackupsareencryptedbutstoredinthesameAWSaccountandregion.F4.TheSOC2reportisstale;nocontinuousauditingisperformed.F5.Cold-walletHSMsrequiredualcontrol,butvideocamerasinthevaulthavebeenofflinefor5weeks.F6.AWSCloudTrailisenabledbutlogsareretainedforonly30days,whereasregulatoryguidancerequires1year.Tasks:a.Foreachfinding,classifytheriskasHIGH,MEDIUMorLOWandjustify.(3marks)b.IdentifythreecompensatingordetectivecontrolsthatcouldtemporarilylowertherisklevelforF2untilremediationiscomplete.(2marks)c.DraftatestproceduretoverifythatF1hasbeenremediated.(2marks)d.CalculatetheresidualriskexposureinmonetarytermsforF6assuming:–Probabilityofregulatoryfine15%–FinerangeUSD100k–500k–Useexpectedvalueat75thpercentile(USD400k).(1mark)e.Providetwogovernancerecommendationsthataddressrootcausesacrossmultiplefindings.(2marks)Answer:a.F1HIGH–unapprovedcodecanintroducevulnerabilitiesorbackdoors.F2HIGH–excessiveprivilegeallowscontainerescapetofullcluster.F3MEDIUM–accountcompromisecoulddestroybothprimaryandbackupdata.F4MEDIUM–staleattestationreducesassurance.F5HIGH–offlinecamerasunderminedual-controlevidence;potentialforkeymisuse.F6MEDIUM–logretentionnon-complianceexposestoregulatorysanction.b.(1)EnableKubernetesauditloggingtoSIEMwithalertingonprivilegeescalation.(2)Implementadmissioncontroller(OPAGatekeeper)blockinghigh-riskAPIcalls.(3)Runnightlycronjoblistingcluster-adminbindingsande-mailreporttoCISO.c.Step1:FromGitLabadminpanel,exportbranch-protectionrulesetformain.Step2:Verify“Developerscannotpush”and“MRrequirestwoapprovals”arechecked.Step3:Selectasampleof30recentcommits;traceeachtoapprovedMRwithevidenceofcode-ownerreview.Step4:Foranyexception,obtainwrittenjustificationandmanagementsign-off.d.Expectedvalue=0.15×400k=USD60k.e.(1)Establishacontinuous-control-monitoringdashboardalignedtoCISbenchmarks,reviewedmonthlybytheauditcommittee.(2)EmbedsecuritychampionsineachScrumteamwithvetopoweroverreleases,reducingrecurrenceofconfigurationdrift.5.Short-AnswerQuestions(3markseach)5.1Explainhow“policyascode”enhancesauditabilityofcloudinfrastructure.Answer:Itencodescompliancerulesinmachine-readablescripts(e.g.,Terraform+Sentinel),enablingautomatedteststhatproducepass/failevidence,timestampedandversion-controlled,therebycreatinganaudittrailthatcanbesampledorcontinuouslymonitored.5.2Distinguishbetween“identification”and“authentication”inthecontextofbiometricsystems.Answer:Identificationanswers“Whoareyou?”bysearchingone-to-manytemplates.Authenticationanswers“AreyoureallyX?”byverifyingone-to-onematchagainstaclaimedidentity.5.3Statetwoquantitativemethodstoestimatetheannualizedlossexpectancy(ALE)ofaransomwareevent.Answer:(i)MonteCarlosimulationusingdistributionsforattackfrequencyandpayoutamounts.(ii)Historicallossextrapolationfromindustrydatasets(e.g.,VERISCommunityDatabase)adjustedforcompanysizeviaregression.6.Drag-and-Match(2markseach)MatchtheNISTCybersecurityFrameworkcategorytotheillustrativeactivity.Writetheletter(A–E)nexttothenumber(6.1–6.5).A.IdentifyB.ProtectC.DetectD.RespondE.Recover6.1Performingassetinventoryclassification–A6.2Implementingdatamaskingfornon-productiondatabases–B6.3ConfiguringaSIEMcorrelationruleforlateralmovement–C6.4Executingaplaybooktoisolateinfectedhosts–D6.5Restoringsystemsfromgold-standardimagesaftercrypto-wipe–E7.Fill-in-the-Blanks(1markeach)7.1Themaximumacceptabledowntimestatedinaservice-levelagreementiscommonlyreferredtoas__________.Answer:theavailabilitywindow(oroutagewindow).7.2The__________algorithmiswidelyusedforsecurekeyexchangewithoutpriorsharedsecrets.Answer:Diffie-Hellman(ECDH).7.3UnderISO27005,theprocessofcomparingrisklevelsagainstriskacceptancecriteriaistermed__________.Answer:riskevaluation.7.4The__________principlelimitstheamountofdatacollectedtowhatisdirectlyrelevantandnecessary.Answer:dataminimization.7.5Inacontainerizedenvironment,the__________namespaceisolatesprocessIDsandpreventsaprocessinsidethecontainerfromseeingprocessesoutside.Answer:PID.8.CalculationQuestion(5marks)ASaaSproviderpromises99.9%monthlyuptime.Duringthelastmonth,theserviceexperienced:-15minoutageduetodatabasefailover-45minoutageduringaDDoSattack-3minofpacketlossat02:00–02:03a.m.onthe5th-8minofscheduledmaintenancewindowpreviouslycommunicated7daysinadvanceTotalminutesinmonth=30×24×60=43200.Downtimeexcludingscheduledmaintenance=15+45+3=63min.Alloweddowntimefor99.9%=0.1%×43200=43.2min.a.DidtheproviderbreachtheSLA?(1mark)b.Ifthepenaltyis5%ofmonthlyfeesper0.1%belowSLA,calculatethepenaltyonaUSD50000subscription.(3marks)c.Stateoneauditproceduretovalidatetheoutageminutes.(1mark)Answer:a.Yes,63min>43.2min.b.Excessdowntime=63–43.2=19.8min≈0.0458%.Penaltytiers:0.1%→5%,so0.0458%→0.0458/0.1×5%=2.29%.Penalty=2.29%×50000=USD1145.c.Obtainrawmonitoringlogsfromindependentnetwork-performance-monitor(NPM)toolandreconciletimestampswithincidenttickets.9.EssayQuestion(10marks)Topic:“ContinuousassuranceinaDevSecOpsenvironmentrequiresashiftfromevidencesamplingtocontroltelemetry.”Discuss,providingexamplesofenablingtechnologies,auditorskill-setchanges,andchallengesforregulatoryacceptance.Limit400words.SampleResponse:Traditionalauditsrelyonperiodicsamplingofartifacts—staticsnapshotspronetostalenessinfastreleasecycles.Continuousassuranceembedstelemetrypipelinesthatstreamcontrolevidenceinnearreal-time.TechnologiessuchasOPA,InSpec,andeBPFagentsexportnormalizedcontrolsignalstoSIEMsordatalakes.AuditorsthenuseSQLorPythontoquery100%ofpopulations,detectingdriftwithinhours.Forexample,anInSpecprofilecanverifythateveryEC2instancemaintainsrequiredencryptionsettingsaftereachautoscalingevent,replacingquarterlymanualspotchecks.Thisshiftdemandsnewcompetencies:auditorsmustscriptqueries,interpretJSONlogs,andunderstandcontainerorchestration.CertificationslikeCISAplusDevOpsbadges(e.g.,AWSSecuritySpecialty)becomevaluable.Regulatoryacceptancelags;inspectorssometimesinsistonpaperevidence.Mitigationinvolvesretainingbothmachine-readablelogsandhuman-readablesummaries,time-stampedandsigned,tosatisfylegalevidencestandards.Continuousassuranceultimatelytransformstheauditorrolefromretrospectivereviewertoreal-timecontrolconsultant,shorteningremediationcyclesandstrengtheningstakeholdertrust.10.Mini-CaseControlSelf-Assessment