2025年國際注冊信息系統(tǒng)審計師（CISA）資格考試（英文版）強化練習題及答案Part1–Multiple-Choice(ChoosetheBESTanswer)1.Duringapost-implementationreviewofanERPpayrollmodule,anISauditornotesthattheemergencyuser“SAP”wasneverdeactivated.Theclientarguesthatthesuperuserisprotectedbyastrong14-characterpassphrasestoredinasealedenvelopeinsidetheCFO’ssafe.WhichofthefollowingpresentstheMOSTcompellingreasontodeactivatetheaccount?A.Thepassphraseischangedonlyonceayear.B.Theaccountbypassesnormalaccess-controllogging.C.Theenvelopecouldbeopenedduringadisaster-recoverytest.D.TheaccountisknowntoeverySAPbasisadministrator.Answer:BExplanation:SAPisahard-codeduserthatwritessecurity-relevanteventstoaproprietarytablebypassingthestandardauditlog.Evenifthepassphraseisstrong,theabsenceofanimmutabletrailviolatesthe“auditability”principle.ChoiceAissecondary;Cisaproceduralrisk;Dismitigatedbydualcontrol.2.AmultinationalbankusesasingleSAMLidentityprovider(IdP)for42cloudapplications.TheCISOplanstorolloutcontinuousadaptiveriskandtrustassessment(CARTA)byfeedingtheIdPlogstreamtoamachine-learningengine.TheISauditorshouldrecommendthatthelogstreamFIRSTbe:A.hashedwithSHA-256toprotectpersonaldata.B.pseudonymizedtoremovedirectidentifiers.C.classifiedunderthebank’sdata-governancepolicy.D.encryptedintransitwithTLS1.3.Answer:CExplanation:Beforetechnicalcontrolsareapplied,thedatamustbeclassifiedtodetermineretention,cross-borderrestrictionsandlawfulbasisforprocessing.Pseudonymizationorencryptioncomeslater.3.Anorganization’sransomwareplaybookrequireswipingandre-imaginginfectedlaptopswithin4h.TheISauditordiscoversthatBitLockerfull-diskencryptionissuspendedautomaticallywhenWindows10entersrecoverymode.WhichfindingposestheGREATESTrisk?A.TheTPMownerpasswordisnotescrowed.B.The256-bitrecoverykeyisstoredinActiveDirectory.C.SuspendingencryptionexposesthevolumemasterkeyinplaintextinRAM.D.Theplaybookomitsforensicsbeforere-imaging.Answer:DExplanation:Withoutimagingthedisk,attributionandroot-causeanalysisareimpossible,violatingforensicreadiness.WhileCistechnicallytrue,theexposureistransientandrequiresphysicalaccess.Missingevidencehaslonger-termimpactonresilienceandinsuranceclaims.4.Asmart-contractauditrevealsthatthe“transferOwnership”functioninanERC-20tokenisprotectedonlybythemodifier“onlyOwner”andemitsnoevent.TheGREATESTconcernis:A.lackofreplayprotection.B.absenceofanaudittrailforownershipchange.C.re-entrancyvulnerability.D.front-runningattack.Answer:BExplanation:Ownershiptransferisacriticalgovernanceaction;theabsenceofaneventlogpreventsexternalmonitoringtoolsandSIEMsfromdetectinghostiletakeovers.Re-entrancyisunlikelyinasingle-functiontransfer.5.AretailertagseverydatabaserowcontainingEUcustomerdatawitha128-bit“data-subject-id”hash.Afteramerger,thehashalgorithmischangedtoSHA-256withoutre-tagginghistoricalrows.AnISauditorshouldconcludethat:A.dataintegrityispreservedbecausebothareNIST-approved.B.datasubjectscannolongerbeuniquelyidentifiedunderGDPR.C.referentialintegritybetweentablesisbroken.D.encryptionstrengthhasincreased,reducingbreachrisk.Answer:CExplanation:Foreign-keyrelationshipsthatrelyonthe128-bithashbecomeorphaned.GDPRidentifiabilityisunaffectedbecausethehashremainsapseudonym.Integrityinthecryptographicsenseisintact,butrelationalintegrityislost.6.ADevOpspipelineusesshort-livedOAuth2.0accesstokens(10min)andrefreshtokens(24h).WhichcontrolBESTmitigatestheriskofaleakedrefreshtokenstoredinaGitHubpublicrepository?A.Rotateclientsecretevery30days.B.Bindrefreshtokentothedevice’sX.509certificatefingerprint.C.Reduceaccess-tokenlifetimeto1min.D.Implementcertificate-basedmutualTLSforthetokenendpoint.Answer:BExplanation:Devicebinding(RFC8705)rendersthestolenrefreshtokenunusableonanyothermachine.Rotatingsecretsdoesnotrevokeissuedtokens;shorteraccess-tokenlifetimelimitsexposurebutnotrefresh-tokenabuse;mTLSprotectsthechannel,notthetoken.7.Ahospital’smedical-devicenetworkissegmentedbyVLAN300.Thefirewallrule“anyany443”isallowedfromVLAN300totheInternetsothatdevicescanpullfirmwareupdates.WhichtestprovidestheSTRONGESTevidencethattheruleisnecessary?A.PacketcaptureshowingTCP443traffictothevendor’sCDN.B.Nmapscanprovingnootherportsareopenoutbound.C.Vendor-signedfirmwaremanifestmatchedagainstSHA-256hashes.D.Logcorrelationprovingnotrafficoccurswhentheruleisdisabled.Answer:DExplanation:Acontrolleddisablementtestdemonstratesfunctionaldependency.Packetcapturesshowusagebutnotnecessity;portscansareinconclusive;manifestsverifyintegrity,notneed.8.AnISauditorreviewingazero-trustarchitecture(ZTA)observesthatmicro-segmentationisenforcedbysoftware-definedperimeter(SDP)gateways.WhichmetricBESTvalidatesthatthecontroliseffective?A.Percentageofeast-westflowsdeniedbydefault.B.MeantimetopatchSDPcontrollers.C.Numberofgatewaysdeployedpersubnet.D.Ratioofencryptedvs.plaintexttraffic.Answer:AExplanation:Zerotrustis“denybydefault”;ahighdenialrateforlateraltrafficprovesthepolicyengineisactive.Patchingtimeisoperational;gatewaydensityisirrelevant;encryptionratiomeasuresconfidentiality,notsegmentation.9.Acloudworkloadprotectionplatform(CWPP)agentblocksaLinuxbinarybecauseitsSHA-256hashisnotontheapprovedlist.Thedeveloperrenamesthefileandrecompileswith“-O0”tochangethehash.TheCWPPstillblocksit.WhichcontrolMOSTlikelycaughtthechange?A.Filesizewhitelist.B.Signedcoderequirement.C.Behavioralanalyticsdetectinggccinvocation.D.Integritymeasurementusingextendedfileattributes.Answer:BExplanation:Acode-signingrequirementvalidatesthepublisher’scertificate,notthehash.Recompilationwithoutsigningfailsvalidation.Filesizecancoincideaccidentally;behavioralanalyticsarepost-execution;extendedattributesarenotattestedbythekernel’sIMApolicy.10.Acentralbank’sCBDCwalletappusesdualcontrol:twoprivate-keysharesarestoredonseparateHSMs,andbothmustsignatransaction.TheISauditoristoldthateachHSMperformsakey-ceremonyauditlog.Toensurenon-repudiation,theauditorshouldverifythat:A.logsarehashedandsignedbytheHSM’sinternalkey.B.HSMsareFIPS140-3Level3certified.C.administratorsusesmartcardstoauthenticatetotheHSM.D.keysharesarerefreshedevery90days.Answer:AExplanation:OnlyanHSM-bornsignatureprovidestamper-evidentevidencethatthelogwascreatedinsidethedevice.CertificationlevelsandsmartcardsprotecttheHSM,notthelog.Keyrefreshisgoodpracticebutunrelatedtonon-repudiationofpastevents.11.ASaaSvendoroffersadata-residencyoption“EU-only”butadmitsthatsupportengineersinIndiamayaccesslogsfortroubleshooting.UnderGDPR,thePRIMARYconcernis:A.absenceofanadequacydecisionforIndia.B.lackofencryptionatrest.C.insufficientnetworksegmentation.D.failuretoconductaDPIA.Answer:AExplanation:Transferstothirdcountriesrequireanadequacydecisionorappropriatesafeguards(Art.46).Encryptionalonedoesnotresolvecross-borderaccessbyhumans.DPIAistriggeredbyhighrisk,notbylocationperse.12.AnorganizationadoptsNISTSP800-207zero-trustprinciples.WhichartifactBESTdemonstratesthat“dynamicauthentication”isinplace?A.SAMLassertionissuedonceperday.B.OAuthtokenboundtoariskscorethatchangesevery5min.C.X.509certificatewith1-yearvalidity.D.IPSectunnelrekeyevery8h.Answer:BExplanation:Dynamicauthenticationadjustsassurancebasedonreal-timerisk.Short-livedrisk-scoredtokensembodythisprinciple.SAMLandcertificatesarestatic;IPSecrekeyingisnetwork-layer.13.Abig-datalakeingests5TBofclick-streamdatadaily.TheISauditornotesthatGDPR“righttobeforgotten”requestsarefulfilledbyoverwritingParquetfileswithnewversions.TheGREATESTriskis:A.residualdataremaininginoldersnapshots.B.excessivewritewearonSSDstorage.C.inconsistencybetweendatalakeanddatawarehouse.D.schemaevolutionbreakingdownstreamETL.Answer:AExplanation:Object-storageversioningandbackupsnapshotsoftenretaindeletedrecords.Overwritingthe“current”Parquetfiledoesnoterasehistoricalcopies,leadingtonon-compliance.14.Acompany’sBring-Your-Own-Device(BYOD)policyrequiresemployeestoinstallamobiledevicemanagement(MDM)profilethatcanwipetheentirephone.Theunionclaimsthepolicyviolatesprivacy.TheISauditor’sBESTrecommendationisto:A.switchtoacontainerizationappthatseparatesworkandpersonaldata.B.removethewipecapabilitytoreduceliability.C.requirecompany-owneddevicesinstead.D.obtainexplicitconsentduringonboarding.Answer:AExplanation:Containerization(e.g.,AndroidWorkProfile)allowsselectivewipeofcorporatedata,preservingpersonalprivacywhilemaintainingcontrol.Consentalonedoesnotremovetheprivacyintrusion;banningBYODmaybecost-prohibitive.15.Ablockchainconsortiumuseson-chainvotingtoupgradesmart-contractlogic.A15%stakeholdercanvetoanychange.AnISauditorshouldconcludethat:A.thegovernancemodelpreventshostileforks.B.a15%whalecouldblocksecuritypatches,creatingdenial-of-service.C.immutabilityguaranteesauditability.D.off-chaincodereviewisunnecessary.Answer:BExplanation:Vetopowerenablesaminoritytofreezeupgrades,includingcriticalpatches.Thisisalivenessfailure,notasafetyfailure.16.ASOCanalystdetectsa3hburstofDNStunnelingfromaserverwhoseoutboundUDP53isotherwiseclosed.ThefirewalllogshowsthepacketsleftviaTCP443.Whichcontrolfailureallowedthetraffic?A.MissingDNS-over-TLSproxy.B.Split-tunnelVPNexposingexternalDNS.C.FirewallruleallowingTCP443toany.D.LackofdeeppacketinspectiononHTTPS.Answer:CExplanation:DNStunnelingoverTCP443(DoHorcustom)ridesonanallowedfirewallrule.Closing443isimpractical;DPIorproxyissecondarytotheallow-allrule.17.Anindustrialcontrolsystem(ICS)usesModbusTCP.ThesitefirewallblocksinboundtrafficbutallowsoutboundModbusfromtheHuman-MachineInterface(HMI)tothedatahistorian.AnISauditornotesthattheHMIcanalsoinitiateoutboundSSH.TheGREATESTriskis:A.exfiltrationoftradesecretsviaSCP.B.lateralmovementiftheHMIiscompromised.C.bufferoverflowinModbusfunctioncode0x08.D.lackofNTPsynchronization.Answer:BExplanation:OutboundSSHprovidesareversetunnelcapabilityforattackers,enablinglateralmovementintotheDMZandOTnetwork.Trade-secrettheftispossiblebutmovementisprerequisite.18.Afintechstart-upstorescredit-cardtokensinaDynamoDBtableencryptedatrestwithAWSKMS.TheKMSkeyrotationissetto365days.ThePCIDSSQSAshould:A.requirerotationevery90days.B.verifythattoken-to-PANmappingisimpossible.C.demandcustomer-managedkeyswith256-bitAES.D.requestproofofsplitknowledgeforKMSCMKs.Answer:BExplanation:TokensarenotPANs;PCIDSSmandatesthattokenizationsystemsensureirreversibilityfornon-authorizedparties.KMSrotationfrequencyisnotprescribed;AWSmanagessplitknowledgeinternally.19.Acompany’sRPAbotslogintoSAPusingasharedgenericaccount“ROBOT_SAP”.Thepasswordisrotatedevery30daysbyascript.WhichcontrolBESTreducestheriskofundetectedfraud?A.ImplementingKerberosconstraineddelegationforbots.B.LoggingeachbotsessionwithauniquecorrelationID.C.Storingthepasswordinacyber-vaultwithcheck-in/check-out.D.Mappingeachbottoadedicatednamedaccount.Answer:DExplanation:Sharedaccountspreventattribution.NamedaccountswithproperRBACprovidenon-repudiation.VaultsandcorrelationIDsarecompensatingbutnotasstrongasuniqueidentities.20.Adata-center’sHVACvendorhasa24/7keypadPINthatisneverchangedbecausetheservicelevelagreement(SLA)requires15minresponsetime.TheISauditor’sPRIMARYconcernis:A.PINcompromiseleadingtophysicalaccess.B.violationoftemperaturethresholds.C.absenceofescortprocedures.D.lackoftwo-factorauthentication.Answer:AExplanation:AstaticPINisequivalenttoanunrevokedcredential.Oncedisclosed,anattackercanenteratwill.Escortand2FAaresecondarymitigations.21.ApenetrationtesterobtainsareverseshellonaworkstationthathasWindowsDefenderreal-timeprotectionenabled.Thetesteruploadsa2kBPowerShellscriptthatdownloadsa200MBpayload.Thescriptisnotflagged.WhichcontrolfailureisMOSTlikely?A.AMSI(AntimalwareScanInterface)isdisabled.B.Defendersignatureupdatesfailbehindaproxy.C.PowerShellconstrainedlanguagemodeisoff.D.ThepayloadisencryptedwithaDefender-whitelistedwrapper.Answer:AExplanation:AMSIinspectsscriptcontentsbeforeexecution.Ifdisabled,Defenderlacksvisibility.Signaturestalenessissecondary;languagemoderestrictsfunctionalitybutnotdetection;whitelistinglargeencryptedfilesisunlikely.22.Acitygovernment’sopen-dataportalpublishesanonymizedtaxi-tripdata.ResearcherscombinethedatawithpublicCCTVtimestampstore-identifydrivers.TheISauditorshouldrecommend:A.removingtimestampscompletely.B.addingLaplaciannoisetolocationdata.C.increasingthek-anonymityparameterto5.D.requiringopt-inconsentfromdrivers.Answer:BExplanation:Differentialprivacy(Laplaciannoise)limitsinferenceaccuracyevenunderauxiliarydata.Removingtimestampshindersutility;k-anonymityisvulnerabletolinkageattacks;consentdoesnotmitigatepublisheddata.23.AKubernetesclusterusescontainerruntimesandboxgVisor.TheISauditornotesthatthe/procfilesystemiswritableinsidethesandbox.TheGREATESTriskis:A.containerescapeviakernelexploit.B.privilegeescalationwithintheapplication.C.violationofCISBenchmarkforKubernetes.D.disclosureofhosthardwaredetails.Answer:BExplanation:gVisorinterceptssyscalls;awritable/procallowsanattackertomodifyprocessparameters(e.g.,core_pattern)insidetheuserspacekernel,escalatingprivilegeswithinthesandboxbutnotescapingtothehost.24.AsoftwarecompanyadoptsSBOM(SoftwareBillofMaterials)generationviaSPDX.Theauditordiscoversthattransitivedependenciesindynamicallylinkedlibrariesaremissing.TheBESTfixisto:A.switchtostaticallylinkedbinaries.B.performcompile-timeinstrumentation.C.usearuntimebinaryanalysistool.D.mandateSPDXJSONforallvendors.Answer:CExplanation:Runtimetools(e.g.,Syft,Grype)enumerateactuallyloadedlibraries,catchingtransitivedependenciesthatstaticmanifestsmiss.Staticlinkingincreasesfootprint;vendormandatesareincomplete.25.Amultinationalperformsmonthlyphishingsimulations.Theclick-throughratedecreasedfrom18%to3%insixmonths,yetcredential-harvestingincidentsdoubled.WhichmetricBESTexplainstheparadox?A.Simulatede-mailsarewhitelistedbytheSEG.B.Usersreportsimulationsbutnotrealphish.C.RealphishuseHTTPSdomainswithvalidcerts.D.SimulationsoccuronFridayswhenstaffaretired.Answer:BExplanation:Usershavelearnedtorecognizesimulationsbutremainblindtoactualthreats,indicatingtrainingbias.Reportingratioisabetterindicatorthanclickrate.Part2–Scenario-Based(Answerthequestionthatfollows)Scenario1Aregionalhospitaloutsourcesmedical-transcriptionservicestoacloudproviderthatusesoffshoretypists.ThehospitaltransmitsvoicefilesviaTLS-encryptedRESTAPItoanS3bucketintheprovider’saccount.TheproviderdownloadsMP3s,transcribes,anduploadsWorddocuments.Arecentbreachnotificationrevealedthatatypistdownloaded1,200filestoapersonallaptopthatwaslaterstolen.Thehospital’sISauditorisaskedtoevaluateresidualrisk.26.WhichcontrolwouldhaveMOSTeffectivelypreventedthebulkdownload?A.IPwhitelistingofhospitalendpoints.B.Cloud-nativedata-loss-prevention(DLP)agentonthetypist’sdesktop.C.SignedURLwith15minexpiryforeachfile.D.Customer-managedAWSKMSdenyingdecryptoutsidehospitalVPC.Answer:CExplanation:Short-livedpre-signedURLsforceon-lineaccessandpreventbulkdownloadbecauseURLsexpire.IPwhitelistingisbrittle;DLPisdetective;KMSdoesnotstopdownloadifdecryptisallowed.27.ThehospitalrequiresBusinessAssociateAgreements(BAA)underHIPAA.Theauditornotestheprovider’sBAAomitsbreach-notificationtimelimit.TheBESTactionisto:A.accepttheriskbecauseHIPAAallows60days.B.demanda24hnotificationclause.C.relyonthehospital’scyber-insurance.D.switchtoaU.S.-onlytranscriptionvendor.Answer:BExplanation:A24hclausealignswithNIST800-66andlimitsharm.HIPAAallows60daystoHHS,butcontractscanbestricter.28.Toensure“minimumnecessary”access,theauditorshouldrecommend:A.role-basedvoice-filefilteringbydepartment.B.maskingpatientnamesinaudio.C.automaticdeletionafter30days.D.encryptionoffilesatrestwithAES-256.Answer:AExplanation:Filteringbydepartmentensurestypistsaccessonlyneededfiles.Maskingaudioisimpractical;deletionisretention;encryptionprotectsconfidentiality,notaccessscope.Scenario2Astockexchangeplanstomigrateitscoretradingenginefromanon-premisemainframetoapubliccloudIaaS.Theengineprocesses40,000messagespersecondwithsub-100μslatency.Regulatoryguidancerequiresaudittrailstobeimmutableandkeptfor7years.29.WhichclouddesigndecisionMOSTthreatensthelatencyrequirement?A.UsingNVMeinstancestorefororder-bookdatabase.B.EnablingVPCFlowLogsoneverysubnet.C.DeployinginasingleAvailabilityZone.D.Relyingonkernel-bypassDPDKinguestOS.Answer:BExplanation:VPCFlowLogsaddmicro-secondsofjitterduetohypervisorinterception.NVMeandDPDKimprovelatency;singleAZisanavailability,notlatency,issue.30.Tosatisfyimmutabilityofauditlogs,theBESTapproachis:A.writelogstoS3withObjectLockincompliancemode.B.replicatelogstoasecondcloudregion.C.enableCloudTrailwithSSE-KMS.D.storelogsoninstance-storeSSDandsnapshothourly.Answer:AExplanation:S3ObjectLock(compliancemode)enforcesWORMfor7yearsandoverridesrootdeletion.CloudTrailaloneismutable;snapshotsarereversiblebyaccountowners.Part3–CaseStudy–LongForm(Readthenarrativeandanswerquestions31–40)NarrativeFinBank,a$50Bassetinstitution,isacquiringMicroBank.Bothrunseparatecore-bankingsystems:FinBankusesFinacleonIBMz/OS;MicroBankusesTemenosTransactonOracleExadata.Theintegrationprogrammustunifycustomerdata,consolidatepaymenthubs(SWIFT,SEPA,FedWire),andretireMicroBank’sdatacenterwithin18months.TheCIOappointsanISauditworkstreamtoprovideassuranceoverthemigration.Keyfacts:?MicroBank’schange-managementprocessallowsemergencyfixestobepromotedwithoutsecondaryapprovaliftheincidentticketis“P1–revenueimpact.”?MicroBank’sencryptionkey-managementusesahome-growntoolstoring3DESkeysinaSQLtablehashedwithMD5.?MicroBank’sActiveDirectoryhas1,400dormantaccounts(nologon>90days)outof3,200total.?FinBank’sSDLCrequiresstatic(SAST)anddynamic(DAST)scansgatedintheCIpipeline;MicroBankreliesonquarterlymanualcodereviews.?MicroBank’slastpenetrationtestwas30monthsago.?Data-classificationpolicylabels“Confidential-Restricted”datarequiringtokenization;yet11%ofaccountsstillstoreplaintextPANs.?MicroBank’sbackuptapesareencryptedwithLTO-4hardwarebutthesymmetrickeyistapedtotheoutsideofeachcartridge.?MicroBank’sdata-centerHVACusesabuilding-managementsystem(BMS)accessibleviaanopenWi-FiSSID“BMS-Guest.”?Theacquisitioncontractallocates0.5%ofthepurchasepricetoacybersecurityescrowfundcontingentonclosingwith“nomaterialopenhigh-riskfindings.”31.WhichfindingrepresentstheHIGHESTinherentriskbeforeintegration?A.11%plaintextPANs.B.Backupkeytapedtocartridge.C.OpenBMSWi-Fi.D.30-month-oldpenetrationtest.Answer:AExplanation:PlaintextPANsexposetheentireportfoliotoregulatoryfines(PCIDSS3.2:5–10centspercard),lawsuits,andransomware.Theotherfindingsareseriousbutlowerfinancialimpact.32.Theauditorrecommendsprioritizingremediationofdormantaccounts.TheMOSTpersuasiveargumentisthatdormantaccounts:A.inflateActiveDirectoryreplicationtraffic.B.violatetheprincipleofleastprivilege.C.areattackvectorsforpassword-spray.D.increasesoftware-licensecost.Answer:CExplanation:Dormantaccountsrarelyhavemonitoredowners,makingthemidealforlateralmovement.Licenseimpactisnegligible;replicationtrafficisminor;privilegeisunknown,notnecessarilyexcessive.33.Toaddresstheemergency-changerisk,theauditorshouldrecommendimplementing:A.automatedpost-changeregressiontestswithin24h.B.dualauthorizationforallP1tickets.C.segregationofdutybetweenincidentresolverandreleaser.D.a48hcooling-offperiodbeforeproductionpush.Answer:CExplanation:Segregationensuresnosinglepersoncanapprovetheirownchange,reducingfraudandmistakes.Dualauthorizationmayslowresponse;regressiontestsaredetective;cooling-offisimpracticalforP1.34.Thekey-managementweakness(MD5-hashed3DES)shouldberemediatedby:A.migratingtoAES-256-GCMwithHSM-backedkeys.B.upgradinghashtoSHA-256andkeeping3DES.C.implementingperiodickey-rotationevery30days.D.tokenizingallPANssokeysbecomeirrelevant.Answer:AExplanation:3DESisdeprecated(NISTSP800-131A),andMD5isbroken.ReplacingwithAES-GCMandHSMsprovidesmodernconfidentialityandoriginauthenticity.Rotationalonedoesnotfixalgorithmicweakness.35.Beforedatamigration,FinBankplanstorunadata-qualityvalidation.WhichtestBESTverifiescompletenessofcustomerrecords?A.ReconcilerowcountsbetweenTransactandFinacle.B.Hashaggregate(SHA-256)ofkeycolumnspertable.C.Matchsum-of-balancestogeneral-ledgertrialbalance.D.Validateforeign-keyreferentialintegrity.Answer:CExplanation:Monetarytotalsaretheultimatecompletenessassertion;hashtotalsdetectalterationbutnotomission;rowcountsmisszero-dollaraccounts;referentialintegrityisinternalconsistency.36.TomaintainPCIDSScomplianceduringthedatamigration,whichcontrolisMOSTcritical?A.EncryptdataintransitwithTLS1.3.B.Performmigrationoveradedicateddarkfiber.C.RenderPANsunreadableviatokenizationbeforetransfer.D.Requirebackgroundchecksformigrationstaff.Answer:CExplanation:TokenizationremovesPANsfromPCIscope,reducingdownstreamcontrols.Encryptionandbackgroundchecksarenecessarybutdonotreducescope;darkfiberisexcessive.37.Theauditorreviewstheescrowclause.WhichfindingwouldMOSTlikelyqualifyas“materialopenhigh-risk”?A.1%ofMicroBankbranchesstillrunWindows7.B.MicroBank’sprivacynoticeomitsdata-sharingwithaffiliates.C.MicroBank’smobileappcollectsIMEInumbers.D.MicroBank’stapebackupfails2%ofrestoretests.Answer:AExplanation:Windows7isend-of-life,qualifiesashighriskunderFFIECguidance,andexposestheentirenetworktocompromise.PrivacyandIMEIareregulatory;2%backupfailureismedium.38.FinBankintendstodecommissionMicroBank’sdatacenteronDay1aftercutover.Whichresidual-risktopicshouldbecoveredinthedecommissioningaudit?A.PropersanitizationofExadatastoragecells.B.ReturnofFinBank’sloanedCiscoswitches.C.Cancellationofsoftwaremaintenancecontracts.D.Transferofdomain-nameownership.Answer:AExplanation:Storagesanitizationpreventsdataleakagewhendisksareresold.Otheritemsarecontractual,notsecurity.39.Tounifyvulnerability-managementmetrics,theauditorrecommendsasinglescoringsystem.WhichapproachBESTalignswithexecutiveriskappetite?A.CVSSv3.1basescoremappedtodollarlossusingFAIR.B.Countofcriticalvulnerabilitiesperhost.C.Days-to-patchaveragedacrossallsystems.D.Percentageofsystemsfullypatched.Answer:AExplanation:FAIR(FactorAnalysisofInformationRisk)translatestechnicalscoresintomonetaryloss,enablingROI-baseddecisions.Countsandpercentagesareoperational.40.Afterintegration,thecombinedentitywillrunRedHatOpenShiftonx86forcloud-nativeappswhilekeepingz/OSforcoreledger.Theauditorshouldrecommendimplementing:A.asingleidentityprovider(IdP)withADasthesource.B.cross-platformprivileged-accessmanagement(PAM)vault.C.mainframe-to-OpenShiftmessage-levelencryption.D.quarterlyunifiedpenetrationtests.Answer:BExplanation:Across-platformPAMvaultmanagescredentialsacrossz/OS(RACF)andKubernetes(RBAC),enforcingleastprivilegeandsessionrecording.SingleIdPisdesirablebutPAMisfoundationalforprivilegedusers.Part4–Drag-and-Place(Conceptualonly;providethecorrectsequence)41.PlacethefollowingstepsintheordertheyshouldoccurduringaCISA-compliantpost-implementationreviewofanewprocurementsystem.1.Validatethatuser-accessreviewsareperformed.2.Confirmthatprojectbenefitsarerealized.3.Verifythatsecuritybaselinesareenforced.4.Ensurethatoperationalproceduresaredocumented.5.Checkthatincident-responseplaybooksareupdated.Correctorder:3,1,5,4,2Explanation:Securitybaselinesmustbevalidatedfirst;accessreviewsensureonlyauthorizedusersexist;incidentplaybooksmustreflectnewattacksurface;documentationenablessustainment;benefitreal