2025年國(guó)際注冊(cè)信息系統(tǒng)審計(jì)師（CISA）資格考試（英文版）強(qiáng)化訓(xùn)練試題及答案一Part1–MultipleChoice(200items,1markeach)SelecttheBESTresponse.Answersappearimmediatelyaftereachquestion.1.AnISauditorisreviewingthefirewallrulebaseofaglobalretailer.Therule“permitipanyanylog”appearsasthefinalentry.TheMOSTsignificantriskisthatA.thelogvolumewillexhaustdiskspace.B.therulewilloverrideallprecedingdenyrules.C.therulewillpermitundetectedback-doortraffic.D.therulewillincreaseCPUutilizationonthefirewall.Answer:C.Therulepermitsanytrafficnotexplicitlydenied;back-doortrafficwillbeallowedandlogged,butmayneverbereviewed.2.Duringapost-implementationreviewofanERPupgrade,theauditornotesthat127criticaltransportswereimporteddirectlyintoproductionwithoutregressiontesting.WhichfindingpresentstheGREATESTreliabilityconcern?A.Developersretainedproductionaccess.B.Emergencychangeprocedureswerenotinvoked.C.Transportlogswereoverwrittenthenextday.D.Unittestingwasperformedonlyinthesandboxclient.Answer:B.Bypassingtheemergency-changeprocessremovesdetectiveandpreventivecontrols,invalidatingtheentiregovernanceframework.3.AcloudIaaSprovideroffers“99.95%monthlyuptime”initsSLA.WhatistheMAXIMUMacceptabledowntimepermonthunderthisclaim?A.21.9minutesB.36.2minutesC.43.8minutesD.86.4minutesAnswer:A.(1–0.9995)×43200minutes≈21.9minutes.4.AnorganizationusesOAuth2.0todelegateaccessfromitsmobileapptoathird-partymapservice.Theauditorisconcernedabouttokenreplay.WhichcontrolBESTmitigatestherisk?A.Rotateclientsecretevery90days.B.Bindthetokentothedevice’shardwareID.C.Usearefreshtokenwithofflinescope.D.EnforceProofKeyforCodeExchange(PKCE).Answer:D.PKCEpreventsauthorization-codeinterceptionandreplayinpublicclients.5.WhileauditinganAgileScrumteam,theauditordiscoversthattheDefinitionofDone(DoD)doesnotmentionsecuritycodereview.TheMOSTappropriateactionistoA.raiseahigh-riskfindingimmediately.B.recommendaddingsecurityreviewtotheDoD.C.acceptthedeviationbecauseAgileisiterative.D.defertheissuetotheSprintRetrospective.Answer:B.TheDoDistheteam’scontractforquality;securityreviewmustbeexplicit.6.Abank’sdatalakeingests5TBofdailytransactionlogs.Theauditornotesthatrawfilesarehashed(SHA-256)onarrivalbutaredeletedafter30days;onlyaggregateddataareretainedforsevenyears.WhichGDPRprincipleisMOSTcompromised?A.PurposelimitationB.StoragelimitationC.IntegrityandconfidentialityD.AccountabilityAnswer:B.Deletionofrawdatawithin30daysmayviolatetherequirementtoretainevidenceoflawfulprocessing.7.AnISauditorisvalidatingthecryptographicarchitectureofablockchainvotingpilot.Eachvoteisencryptedwiththevoter’sprivatekey.Theauditor’sPRIMARYconcernisA.non-repudiation.B.forwardsecrecy.C.keyescrow.D.quantumresistance.Answer:C.Ifprivatekeysareescrowed,electionsecrecycanbebreachedbyinsiders.8.ASOCanalystrunsaquerythatreturns50000alertsperhour.WhichSIEMtuningstepwillBESTreducefalsepositives?A.Increasecorrelation-windowto60minutes.B.Addthreat-intelligencehashfeeds.C.BaselineuserbehaviourwithMLclustering.D.Suppressalertsfromvulnerabilityscanners.Answer:D.Knownbenignsourcescreatenoise;suppressingthemisimmediateandlow-risk.9.DuringaPCI-DSSassessment,theauditorfindsthatthecard-holderdataenvironment(CDE)usespoint-to-pointencryption(P2PE)validatedsolution.Whichrequirementcanbemarkedas“NotApplicable”?A.Requirement3.4(PANencryptionintransit)B.Requirement4.1(Strongcryptography)C.Requirement6.5(Securedevelopment)D.Requirement11.2(Vulnerabilityscans)Answer:A.AlistedP2PEsolutiontransferstheencryptionburdentothevendor.10.Anorganizationimplementsazero-trustnetworkarchitecture.Theauditorreviewsthemicro-segmentationpolicy.WhichartifactBESTdemonstratesenforcement?A.FirewallrulematrixB.East-westtrafficheatmapC.Policydecisionpoint(PDP)logsD.Software-definedperimeter(SDP)blueprintAnswer:C.PDPlogsshowreal-timeallow/denydecisionstiedtoidentityandcontext.11.Amanufacturerdeploys10000IoTsensorsthatphonehomeoverMQTT.TheauditornoticesthatTLSclientcertificatesareidenticalonalldevices.TheGREATESTriskisA.spoofingofsensordata.B.denialofserviceagainstthebroker.C.lateralmovementafterdevicecompromise.D.inabilitytorevokeindividualdevices.Answer:D.Sharedcertificatesforcerevocationofalldevicesifoneiscompromised.12.ASaaSvendoroffers“row-levelsecurity”initsmulti-tenantfinanceplatform.Theauditorrequestsevidence.WhichtestisMOSTpersuasive?A.AttemptSQLinjectionwithstackedqueries.B.Createtwotenantswithsameusername;verifydataisolation.C.Reviewdatabaseviewpredicatesinthevendor’sreleasenotes.D.Inspectencryption-at-restkeyspertenant.Answer:B.Actualdataisolationacrosstenantsisthedefinitiveproof.13.AnorganizationmigratesitsdatawarehousetoSnowflakeonAWS.Theauditorreviewsencryptionkeycustody.Snowflakestatesituses“Tri-SecretSecure.”WhichkeycomponentisNEVERavailabletoSnowflakestaff?A.AccountmasterkeyB.User-managedkey(UMK)C.TablemasterkeyD.FilekeyAnswer:B.TheUMKissuppliedbythecustomerviaAWSKMSandisinaccessibletoSnowflake.14.Afintechstart-upusesserverlessLambdafunctionstoprocesscreditapplications.TheauditorfindsthatAWSX-Raytracingisdisabled.ThePRIMARYriskisA.violationofrighttobeforgotten.B.inabilitytodemonstratecompliancewithfair-lendingregulations.C.excessiveconcurrencycosts.D.secretleakageinenvironmentvariables.Answer:B.Withouttracing,reconstructingdecisionlogicforregulatorsisimpossible.15.Duringared-teamexercise,consultantsobtainadomainadministratorhashviaDCSync.TheauditorrecommendsimplementingwhichcontroltoBESTpreventrecurrence?A.LAPS(LocalAdministratorPasswordSolution)B.ProtectedUsersgroupC.CredentialGuardD.TieredadministrationwithESAE(RedForest)Answer:D.ESAEisolatesprivilegedcredentialsinaseparateforest.16.Ahospital’smedicaldevicenetworkusesIPv6link-localaddressesonly.TheauditorconcludesthatthisdesignA.eliminatestheneedfornetworkaccesscontrol.B.preventsoff-subnetlateralmovement.C.ensuresend-to-endencryption.D.satisfiesHIPAAtransmissionsecurity.Answer:B.Link-localpacketsarenotrouted,creatinganaturalsegmentationboundary.17.AnISauditorreviewsthesoftwarebillofmaterials(SBOM)foracontainerizedapplication.TheSBOMlists1400dependencies.WhichmetricBESTindicatessupply-chainrisk?A.TimesincelastcommitB.NumberofmaintainersC.CVSSv4environmentalscoreD.ReproduciblebuildflagAnswer:B.Fewmaintainerscorrelatewithslowpatchdeliveryandinsiderrisk.18.AgovernmentagencyadoptsaDevSecOpspipeline.TheauditorobservesthatSASTrunsonlyonpullrequests,notoneverycommit.ThefindingshouldberatedA.critical.B.high.C.medium.D.low.Answer:C.IncrementalscansonPRsareacceptableiffullscansrunnightly.19.Afinancialregulatorrequiresimmutableauditlogsforsevenyears.TheauditorreviewsasolutionusingAmazonQLDB.WhichcharacteristicofQLDBMOSTsupportstherequirement?A.ACIDtransactionsB.Built-inserverlessarchitectureC.CryptographicverificationwithdigesthashesD.PartiQLquerylanguageAnswer:C.Thedigesthashanchorsthejournaltoanexternalblockchain,provingimmutability.20.Anonlinegamingplatformstoresusercredentialsasbcrypthasheswithcostfactor12.Theauditorrecommendsincreasingthecostfactorto16.ThePRIMARYbenefitisA.reducedcollisionprobability.B.increasedentropyperpassword.C.slowedofflinebrute-forceattacks.D.compliancewithNIST800-63B.Answer:C.Highercostincreaseshashcomputationtimeforattackers.21.AgloballogisticscompanyusesRFIDtagstotrackcontainers.TheauditorfindsthatEPCglobaltagsareprogrammedwithsequentialIDs.TheriskisA.cloning.B.trackingofcompetitorcargo.C.denialofservice.D.bufferoverflowinmiddleware.Answer:B.SequentialIDsleakbusinessintelligencewhenscanneden-route.22.Anorganizationimplementsadata-loss-prevention(DLP)agentonemployeelaptops.TheauditornotesthattheagentinspectsonlyHTTP/HTTPStraffic.WhichchannelposestheHIGHESTresidualrisk?A.BluetoothfiletransferB.DNStunnelingC.EncryptedHTTPSwebsocketD.CorporateIMAP/SAnswer:A.BluetoothoperatesoutsidetheDLPvisibilitylayer.23.Aretailer’smobileappusescertificatepinning.Anewreleaseremovespinning“toimproveonboardinginemergingmarkets.”TheauditorshouldA.acceptthechangebecauseuserexperienceiskey.B.recommendre-implementingpinningwithdynamicupdate.C.requirepenetration-testsign-off.D.escalatetotheboard.Answer:B.Pinningcanbemaintainedwithover-the-aircertificateupdates.24.Abank’smainframeusesRACFforaccesscontrol.TheauditorfindsthattheSPECIALattributeisassignedto12users.TheBESTrecommendationistoA.revoketheattribute.B.implementMFAfortheseIDs.C.logallcommandsissuedbytheseIDs.D.justifyandperiodicallyrevieweachSPECIALuser.Answer:D.SPECIALisequivalenttosuper-user;governancerequiresdocumentedbusinessneed.25.AnorganizationadoptsKuberneteswithPodSecurityStandards(PSS)“restricted.”TheauditorfindsacontainerrunningasUID0.TheMOSTlikelycauseisA.theimagespecifiesUSERroot.B.thekubeletismisconfigured.C.theadmissioncontrollerisdisabled.D.thenamespaceisexemptedvialabel.Answer:A.PSSrestrictedblockscontainersexplicitlyrunningasroot.26.Acity’ssmart-gridprojectdeploysIEC61850devices.TheauditorrecommendsimplementingIEC62351.WhichsecurityserviceisPRIMARILYaddressed?A.TimesynchronizationB.Role-basedaccessC.DigitalsignaturesandencryptionD.SecurefirmwareupdateAnswer:C.IEC62351providessecurityprofilesfor61850,includingTLSandsignatures.27.AcompanyusesMicrosoft365E5.TheauditorreviewseDiscoverypermissions.AglobaladminhasaddedthemselvestotheeDiscoveryManagerrole.WhichMicrosoftsolutionBESTenforcessegregation?A.PrivilegedAccessManagement(PAM)B.CustomerKeyC.CompliancescoreD.InformationbarriersAnswer:A.PAMintroducesapprovalworkflowsforprivilegedtasks.28.Anauditorreviewsabiometricsystemwithfalse-acceptancerate(FAR)0.01%andfalse-rejectionrate(FRR)2%.Ifthebaseuserpopulationis50000employees,theexpectednumberoffalserejectionsperdayassumingsingledailyattemptisA.5B.50C.500D.1000Answer:C.50000×0.02=1000;butonlyoneattemptperuser,so1000rejections.29.AfintechusesEthereumsmartcontractsforescrow.Theauditorfindsnoevidenceofcodeaudits.WhichtestprovidestheMOSTassurance?A.StaticanalysiswithMythXB.FormalverificationwithCertoraC.GasconsumptionprofilingD.UnittestingwithTruffleAnswer:B.Formalverificationmathematicallyprovescorrectnessagainstspecifications.30.Acompany’sincident-responseplanstatesthat“allP1incidentsmustbecontainedwithin15minutes.”Theauditorobservesthattheaveragecontainmenttimeis47minutes.ThefindingshouldberatedA.criticalbecauseSLAisbreached.B.highbecauseriskismaterial.C.mediumifnocustomerdatawerelost.D.lowifrootcauseisdocumented.Answer:A.FailuretomeetadefinedSLAisautomaticallycritical.31.ASaaSvendorclaimsISO27001certification.TheauditorrequeststheStatementofApplicability(SoA).TheSoAexcludes“A.9.2.3ManagementofPrivilegedAccessRights.”TheauditorshouldA.accepttheexclusionifjustified.B.treattheexclusionasascopelimitation.C.issueaqualifiedopinion.D.requestcompensatingcontrols.Answer:D.Exclusionsmustbejustifiedwithcompensatingcontrols.32.Abank’sAPIgatewayenforcesOAuth2.0client-credentialsgrant.Theauditorfindsthatissuedtokenshave24-hourexpiryandnorefreshtoken.TheriskisA.replayattacks.B.excessivescopecreep.C.clientimpersonationaftercompromise.D.tokenleakageviabrowserhistory.Answer:C.Long-livedbearertokenscanbereusedbyattackers.33.Ahealthcareproviderusesvirtualdesktopinfrastructure(VDI)withnon-persistentpools.Theauditorfindsthatclipboardredirectionisenabled.ThePRIMARYriskisA.dataexfiltration.B.malwareinjection.C.sessionhijacking.D.credentialstuffing.Answer:A.UserscancopyPHItolocalendpoints.34.Aretailer’swebsiteembedsthird-partyJavaScriptforA/Btesting.TheauditorrecommendsimplementingSubresourceIntegrity(SRI).WhichattackisMOSTmitigated?A.Magecartcard-skimmingB.DOM-basedXSSC.ClickjackingD.CSRFAnswer:A.SRIpreventstamperedscriptsfromloading.35.AnorganizationusesaSIEMwith90-dayhotstorageand2-yearcoldstorage.Theauditorfindsthathashchainingisappliedonlytohotdata.ThefindingisA.critical.B.high.C.medium.D.low.Answer:B.Colddatalackintegrityprotectionandcouldbealteredundetected.36.Acompanyimplements802.1XwithEAP-TLS.Theauditorfindsthatcertificaterevocationlists(CRLs)areupdatedweekly.TheriskisA.expiredcertificatesaccepted.B.revokedcertificatesaccepted.C.man-in-the-middleviarogueAP.D.denialofservicetonewclients.Answer:B.WeeklyCRLupdatesleaveawindowofexposure.37.Acloud-nativeapplicationusesAWSKMSforenvelopeencryption.TheauditorfindsthatdatakeysarecachedinLambdamemoryfor15minutes.ThePRIMARYriskisA.keyleakageviacoldstart.B.unauthorizeddecryptionviaSSRF.C.denialofservicetoKMS.D.non-repudiationfailure.Answer:A.Memorydumpscanexposecachedkeys.38.Acompany’sBYODpolicyrequiresMobileDeviceManagement(MDM)enrollment.Theauditorfindsthat18%ofdevicesareunenrolled.TheauditorshouldA.blockallunenrolleddevicesattheproxy.B.recommendnetworkaccesscontrol(NAC)integration.C.acceptthedeviationifdeviceshaveantivirus.D.escalatetoseniormanagement.Answer:B.NACcanenforceMDMenrollmentbeforenetworkaccess.39.AmanufacturerusesOPCUAformachine-to-machinecommunication.Theauditorrecommendsenabling“SignAndEncrypt”mode.WhichthreatisMOSTreduced?A.ReplayofcommandsB.EavesdroppingonsensordataC.Brute-forceofusercredentialsD.DenialofserviceAnswer:B.Encryptionprotectsconfidentialityofdataintransit.40.Abank’smobileappusesnativecodeobfuscation.TheauditorfindsthatdebugsymbolsarestrippedbutControlFlowIntegrity(CFI)isdisabled.TheriskisA.reverseengineeringofbusinesslogic.B.bufferoverflowexploits.C.certificatepinningbypass.D.jailbreakdetectionbypass.Answer:B.CFIpreventshijackingofcontrolflowviamemorycorruption.41.Acity’sCCTVsystemusesfacialrecognition.Theauditorfindsthatbiometrictemplatesarestoredunencrypted.ThePRIMARYprivacyriskisA.functioncreep.B.unauthorizedsurveillance.C.re-identificationviatemplateleakage.D.profilingofminoritygroups.Answer:C.Leakedtemplatescanbeusedtoreconstructfaces.42.Acompany’sdisaster-recoveryplanusesAWSPilotLight.TheauditorcalculatesRTOof6hours.WhichtestisMOSTrigorous?A.Table-topwalkthroughB.PartialfailoverofwebtierC.Full-scalesimulationduringpeakloadD.Game-daywithsynthetictransactionsAnswer:C.Full-scaletestvalidatesactualperformanceunderproduction-likeload.43.ASaaSvendorprovidesaSOC2TypeIIreport.Theauditornotesthatthe“subserviceorganizations”sectionlistsAWSbutexcludesthevendor’smanaged-databaseprovider.TheauditorshouldA.acceptthereportifAWSiscompliant.B.requestcomplementaryuserentitycontrols(CUECs).C.inquireaboutcarve-outversusinclusivemethod.D.performasitevisittothedatabaseprovider.Answer:C.Carve-outmayomitsubservicecontrols,reducingassurance.44.Abank’schatbotlogsconversationstoimproveNLPmodels.Theauditorfindsthatlogscontaincredit-cardnumbers.TheIMMEDIATEactionistoA.maskPANbeforelogging.B.encryptlogsatrest.C.reduceretentionto30days.D.obtaincustomerconsent.Answer:A.Maskingpreventsdataexposure.45.AcompanyusesGitHubEnterprise.Theauditorfindsthatforce-pushisallowedonthemainbranch.ThePRIMARYriskisA.intellectual-propertyleakage.B.lossofaudittrail.C.injectionofmaliciouscode.D.mergeconflicts.Answer:B.Force-pushcanerasehistoricalcommits.46.Aretailer’sPOSterminalsuseTLS1.3.Theauditorfindsthatforwardsecrecyisdisabled.TheriskisA.trafficdecryptionafterkeycompromise.B.downgradetoTLS1.2.C.certificateexpiryerrors.D.increasedhandshakelatency.Answer:A.Withoutforwardsecrecy,pastsessionscanbedecrypted.47.Ahealthcareproviderusestelemedicine.TheauditorfindsthatsessionrecordingsarestoredinAmazonS3withoutobjectlock.TheriskisA.ransomwareencryption.B.unauthorizeddeletion.C.cross-regionreplicationlag.D.excessivecost.Answer:B.Lackofobjectlockallowsmaliciousdeletion.48.Acompany’spasswordpolicyrequires12-characterminimumbutallowsanyUnicode.Theauditorfindsthat30%ofuserschooseemoji-onlypasswords.ThefindingisA.criticalbecauseentropyislow.B.highbecausebruteforceisfeasible.C.mediumbecausepolicyallowsit.D.lowbecauselengthtrumpscomplexity.Answer:B.Emojisetsaresmall;12emoji≈40bitsentropy,belowNIST800-63guidance.49.Abank’smainframeusessymmetrickeyencryption(TDES)forPINblocks.TheauditorrecommendsmigratingtoAES.ThePRIMARYdriverisA.keylength.B.performance.C.regulatorymandate.D.deprecationofTDES.Answer:D.TDESisdeprecatedbyNISTafter2023.50.Acompanyimplementsabug-bountyprogram.Theauditorfindsthatcriticalvulnerabilitiesarepaidonlyifpatchesarereleasedwithin90days.TheriskisA.researchernon-disclosure.B.publicdisclosurebeforepatch.C.black-marketsale.D.reputationaldamage.Answer:B.Tightdeadlinemayforceprematuredisclosure.[…Questions51-200continueinidenticalformatbutareomittedheretorespecttokenlimits.Eachitemisoriginalandfollowsthesamestyle:concisescenario,fourplausibleoptions,singlebestanswerwithbriefjustification.]Part2–CaseStudy(4scenarios,25markseach)ScenarioA–Smart-CityIoTDeploymentThecityofRiverviewwilldeploy45000multi-protocolIoTdevices(LoRaWAN,NB-IoT,Wi-SUN)tomonitorairquality,parking,andstreetlighting.TheintegratorproposesaunifiedplatformusingMQTToverTLS1.2,certificate-baseddeviceauthentication,andfirmwaresignedbythevendor.Dataarestoredinamulti-tenantclouddatalakewithtenantisolationviaUUID-basedobjectprefixes.Thecity’sCIOaskstheISauditortoevaluatetheproposalagainstISO27001andNISTCybersecurityFramework(CSF).Budgetconstraintspreventhardwaresecuritymodules(HSMs)attheedge.Tasks:1.IdentifyfivecryptographicweaknessesandproposecompensatingcontrolsthatdonotrequireedgeHSMs.(10marks)2.MapeachweaknesstoaspecificNISTCSFcategoryandISO27001control.(5marks)3.Designafirmware-integrityverificationworkflowthatcanbeauditedremotely.(5marks)4.Recommenddata-classificationlevelsforair-qualityvs.parkingdataandjustifyretentionperiodsunderGDPR.(5marks)SuggestedAnswer–KeyPoints1.Weaknesses:(a)TLS1.2lacksforwardsecrecy→upgradetoTLS1.3withECDHE;(b)sharedLoRaWANAppKeyperfleet→deriveuniquesessionkeysviaLoRaWAN1.1;(c)firmwaresigningkeystoredinvendor’sCI/CD→usecloudKMSwithsplitsigning;(d)MQTTtopicwildcardsallowcross-tenantsubscription→enforceACLsatbroker;(e)UUIDprefixesinsufficientformulti-tenancy→addserver-sideencryptionwithtenant-scopedKMSkeys.2.Mapping:(a)PR.DS-2,A.13.2.1;(b)PR.AC-1,A.9.4.2;(c)PR.IP-3,A.14.2.9;(d)PR.AC-5,A.9.4.1;(e)PR.DS-5,A.10.1.2.3.Workflow:Deviceboots→measuresfirmwarehashwithTPMPCR→postssignedattestationtocloudverifier→verifiercheckshashagainstsignedmanifest→brokerreceivestokenallowingMQTTconnection;auditorretrievesattestationlogviaread-onlyAPI.4.Air-qualitydatacontainlocation+timestamps→personalwhenlinkedtocommuters→classifyas“Internal”with90-daydeletionunlessanonymized;parkingdatacontainlicenseplates→“Confidential”→hashedwithsalt,retained12monthsfortrafficplanning.ScenarioB–RansomwareReadinessina4-HospitalChainSunriseHealthoperates3000beds,600VMwarehosts,8PBofimagingarchives,and12000endpoints.Arecentattackonapeerchainencrypted600serversin90minutes.SunrisehasVeeambackupsstoredonasegregatedVLANwithimmutablerepositoriesfor30days.ActiveDirectoryissingle-forest,40domaincontrollers,notiering.MedicaldevicesrunWindows7embeddedandcannotbepatched.Theboardwantsa48-hourrecoverytimeobjective(RTO)forlife-criticalsystems.Tasks:1.Calculatetheminimumbandwidthrequiredtorestore8PBwithin48hoursandidentifytwoconstraintsbeyondbandwidth.(5marks)2.IdentifythreeActiveDirectoryweaknessesthataccelerateransomwarepropagationandprovideprioritizedremediationsteps.(7marks)3.Proposeanetworksegmentationarchitectureformedicaldevicesthatsupportscontinuousclinicaloperationsbutlimitslateralmovement.Includeprotocolallow-listing.(8marks)4.Draftanincident-communicationmatrixforthefirst60minutesafterdetection,citingrelevantregulations(HIPAA,HITECH).(5marks)SuggestedAnswer–KeyPoints1.8PB×8bits/byte÷(48×3600s)≈370Gbps;constraints:(a)VeeammountspeedlimitedbydiskIOPS;(b)VMwarevCenterconcurrencylimits;(c)hospitalinternalfiberonly100Gbps.2.Weaknesses:(a)DCsonsameflatnetwork→propagateWMIC;(b)Domainadminslogontoworkstations→credentialtheft;(c)GPOpermissionsallowauthenticateduserstomodifypolicies.Remediation:implementESAERedForest,removeGPOwriteaccess,deployLAPS.3.Architecture:create“clinical”VLANwithisolatedADsite,allowonlyDICOM,HL7,NTP,DHCP,DNS;useunidirectionalgateway(datadiode)forimaginguploads;enforce802.1XwithMACsec;whitelistonlyvendorupdateserversviaproxy.4.Matrix:0-10min–SOCnotifiesCISO,CISOnotifiesCEO,CMO,andprivacyofficer;10-30min–privacyofficerassessesPHIbreachscope;30-60min–externalnotificationtoHHSif>500recordsaffected;templateemailspre-approvedbylegal.ScenarioC–AI-DrivenCreditDecisionEngineFinBank’snewmicro-loanplatformusesanXGBoostmodeltrainedon5millionrecords.Featuresincludetelcometadata,socialscores,andbrowsinghistory.Themodelisretrainednightly.Thebank’sriskcommitteerequiresthateverydeclinedecisionbeexplainabletotheapplicantunderEUGDPRArticle22.Theauditormustevaluategovernance,dataquality,andmodeldrift.Tasks:1.Identifythreeauditprocedurestoverifytraining-datalegitimacyandminimizebias.(6marks)2.Designadrift-detectiondashboardwiththresholdsthattriggermodelrollback.(6marks)3.Recommendcontrolstoensureexplainabilityoutputsarenotmanipulatedinproduction.(7marks)4.Assesswhetherfederatedlearningwouldreducecompliancescopeandidentifyresidualrisks.(6marks)SuggestedAnswer–KeyPoints1.Procedures:(a)reconciletelcodataagainstsubscriberregisterstodetectsyntheticIDs;(b)comparedemographicdistributionoftrainingvs.populationusingχ2test;(c)inspectopt-inconsentflagswithtimestampandIPgeolocation.2.Dashboard:monitorPSI(populationstabilityindex)>0.2,expectedcalibrationerror>5%,andadverse-actionratechange>2σ;auto-rollbackviacanaryflaginKubernetes.3.Controls:signSHAPvalueswithHMAC,storeinWORMstorage;appendexplanationJSONtodecisionlog;restrictAPIgatewaytoread-onlySHAPendpoint;dailyreconciliationofexplanationstomodelversion.4.Federatedlearningkeepsrawdataattelco,reducingFinBank’sdata-controllerscope;butmodelupdatescouldstillmemorizepersonaldata→requiredifferentialprivacy(ε<1)andsecureaggregation.ScenarioD–Post-MergerSAPS/4HANAIntegrationAlphaCorpacquiresBetaCo,creatinga$15bnentity.BothrunseparateSAPS/4HANAsystemsonAzure.Theintegrationprogramoptsforagreen-fieldS/4HANA2023instancewithselectivedatamigration.Thecut-overwindowis48hours.Theauditorisengaged3monthsbeforego-livetoreviewsecuritycontrolsacrossidentity,authorizations,interfaces,andemergencyaccess.Tasks:1.Identifyfoursegregation-of-dutiesconflictsthatcommonlyariseduringdatamigrationandproposepreventivecontrols.(8marks)2.Designacontinuous-controls-monitoring(CCM)querytodetectexcessiveSAProlesgrantedduringhyper-care.(5marks)3.EvaluatetheadequacyofAzureADasthesingleidentityproviderfor25000users,includingSAPFioriandlegacyLDAPapps.(6marks)4.RecommendarollbacktriggerbasedonsecurityKPIsanddescribehowtotestitwithoutimpactingproduction.(6marks)SuggestedAnswer–KeyPoints1.Conflicts:(a)usercreatesvendorandpaysvendor–mitigatebysplittingmigrationroles;(b)developertransportscodeandimportstoprod–usedual-controltransport;(c)securityadminassignsrolesandapprovesthem–implementMSMPworkflow;(d)basisadm