Free CPA ISC (Information Systems & Controls) Security, Confidentiality and Privacy Practice Questions

Master security, confidentiality, and privacy for the CPA ISC exam. Questions test cybersecurity frameworks, access controls, encryption, incident response, data privacy regulations, and IT risk assessment.

399 Questions
186 Easy
144 Medium
69 Hard
2026 Syllabus
100% Free

Sample Questions

Question 1 (Easy)
Which authentication factor category does a fingerprint scan belong to?
Solution
D is correct. A fingerprint scan is a biometric authentication factor classified as 'something you are.' Biometric factors are based on unique physical or behavioral characteristics of the individual, including fingerprints, retinal patterns, iris scans, facial recognition, voiceprints, and behavioral biometrics. These characteristics are inherent to the person and cannot be easily shared or transferred.
A is incorrect because 'something you know' refers to knowledge-based factors like passwords and PINs, not physical characteristics.
B is incorrect because 'something you have' refers to physical objects in the user's possession, not biological traits.
C is incorrect because 'somewhere you are' is a location-based factor, not a biometric characteristic.
Question 2 (Medium)
Which of the following authentication methods provides the STRONGEST protection against credential theft through phishing attacks?
Solution
B is correct. FIDO2 hardware security keys provide the strongest phishing resistance because they use public-key cryptography bound to the legitimate website's origin (domain). When a user authenticates, the security key verifies that the requesting website matches the origin registered during setup. If a phishing site impersonates the legitimate site with a different domain, the key will not respond, making the credential impossible to phish. Additionally, the private key never leaves the hardware device and cannot be extracted.
A is incorrect because complex passwords, regardless of length and complexity requirements, can still be captured by phishing pages that impersonate the login screen — the user types the password into the fake site.
C is incorrect because knowledge-based answers are static and can be captured by phishing sites just like passwords; they are also vulnerable to social engineering and public information research.
D is incorrect because SMS one-time passwords can be intercepted through SIM-swapping attacks, SS7 protocol vulnerabilities, or real-time phishing proxies that relay the OTP to the attacker before it expires.
Question 3 (Hard)
A financial services company must comply with both NIST CSF and ISO 27001. The CISO notes that NIST CSF is descriptive and flexible while ISO 27001 is prescriptive and certifiable. How should the organization BEST leverage both frameworks in its security program?
Solution
A is correct. NIST CSF and ISO 27001 are complementary. NIST CSF provides a flexible, risk-based structure organized around five functions that works well for strategic cybersecurity governance. ISO 27001 provides a prescriptive ISMS with specific Annex A controls that can be audited and certified. By using NIST CSF as the overarching risk management framework and mapping its categories and subcategories to specific ISO 27001 controls, the organization achieves both strategic risk management and certifiable compliance.
D is incorrect because NIST CSF offers valuable strategic risk management capabilities that ISO 27001 alone does not fully address, and using both is industry best practice.
C is incorrect because artificially separating technical and administrative controls between frameworks creates gaps and misses the benefit of integrated mapping.
B is incorrect because SOC 2 Trust Services Criteria serve a different purpose (service organization assurance) and do not replace enterprise cybersecurity frameworks.

About FreeFellow

FreeFellow is a free exam prep platform for actuarial (SOA & CAS), CFA, CFP, CPA, CAIA, and securities licensing candidates. Every question includes a detailed solution. Full lessons, flashcards with spaced repetition, timed mock exams, performance analytics, and a personalized study plan are all included — no paywalls, no ads.