Free CPA ISC (Information Systems & Controls) Security, Confidentiality and Privacy Practice Questions

The Security, Confidentiality, and Privacy area of the CPA ISC exam tests cybersecurity frameworks (NIST), access control mechanisms, encryption standards, incident response procedures, data privacy regulations (GDPR, CCPA), and IT risk assessment methodologies.

404 Questions
186 Easy
149 Medium
69 Hard
2026 Syllabus

Sample Questions

Question 1 Easy
Which authentication factor category does a fingerprint scan belong to?
Solution
B is correct.

A fingerprint scan is a biometric authentication factor classified as 'something you are.' Biometric factors are based on unique physical or behavioral characteristics of the individual, including fingerprints, retinal patterns, iris scans, facial recognition, voiceprints, and behavioral biometrics. These characteristics are inherent to the person and cannot be easily shared or transferred.
Question 2 Medium
Which of the following authentication methods provides the STRONGEST protection against credential theft through phishing attacks?
Solution
A is correct.

FIDO2 hardware security keys provide the strongest phishing resistance because they use public-key cryptography bound to the legitimate website's origin (domain). When a user authenticates, the security key verifies that the requesting website matches the origin registered during setup. If a phishing site impersonates the legitimate site with a different domain, the key will not respond, making the credential impossible to phish. Additionally, the private key never leaves the hardware device and cannot be extracted.
Question 3 Hard
A financial services company must comply with both NIST CSF and ISO 27001. The CISO notes that NIST CSF is descriptive and flexible while ISO 27001 is prescriptive and certifiable. How should the organization BEST leverage both frameworks in its security program?
Solution
D is correct.

NIST CSF and ISO 27001 are complementary. NIST CSF provides a flexible, risk-based structure organized around five functions that works well for strategic cybersecurity governance. ISO 27001 provides a prescriptive ISMS with specific Annex A controls that can be audited and certified. By using NIST CSF as the overarching risk management framework and mapping its categories and subcategories to specific ISO 27001 controls, the organization achieves both strategic risk management and certifiable compliance.

About FreeFellow

FreeFellow is an AI-native exam prep platform for actuarial (SOA & CAS), CFA, CFP, CPA, CAIA, GARP FRM, IRS Enrolled Agent, IMA CMA, and FINRA / NASAA securities licensing candidates — built around modern AI as a core capability rather than as a bolt-on. Every lesson ships with AI-narrated audio. Every constructed-response item has a copy-to-AI prompt builder so candidates can paste their answer into their own ChatGPT or Claude for self-graded feedback. Fellow members get instant AI grading on essays against the official rubric (currently CFA Level III, expanding to other essay-bearing sections).

The 70% you need to pass — question bank, written solutions, lessons, formula sheet, mixed practice, readiness tracking — is free forever, with no trial period and no credit card. Become a Fellow ($59/quarter or $149/year per track) to unlock mock exams, flashcards with spaced repetition, performance analytics, AI essay grading, and a personalized study plan.