Domain V: Information Security
Prepare for Domain V: Information Security with CIA practice questions covering 7 topics. Part of Part 1: Essentials of Internal Auditing — build your knowledge and track your progress with CIA Practice.
What's in it: 7 topics
- Topic 01: Information Security Principles — Confidentiality, Integrity, Availability (45 questions)
- Topic 02: Cybersecurity Threats and Vulnerabilities (45 questions)
- Topic 03: Logical Access Controls and Privileged Access (42 questions)
- Topic 04: Physical Security Controls (39 questions)
- Topic 05: Security Policies, Standards, and Frameworks (ISO 27001, NIST) (45 questions)
- Topic 06: Privacy, Data Protection, and Regulatory Requirements (GDPR etc.) (57 questions)
- Topic 07: Security Incident Response and Reporting (45 questions)
Sample questions
3 of many. A few questions from this unit, with the answer and a full explanation. The complete bank is available when you start practising.
An organisation provisions new user accounts based on informal requests from department managers via email. No approval workflow or access request form is used. What risk does this create?
- Inconsistent access grants without formal approval create a risk of excessive or inappropriate permissions being provisioned, with no audit trail demonstrating that access was justified and approved (Correct answer)
- The risk is that managers will request too little access for their staff, causing operational inefficiency
- The risk is that accounts will not be created promptly enough for new employees, reducing productivity
- The risk is that the IT team will not have sufficient capacity to process all informal requests in a timely manner
Explanation: Without a formal approval workflow and access request form, provisioning is ad hoc and uncontrolled. Key risks include: access being granted based on what managers request rather than what the role requires (violating least privilege); no documented approval, making it impossible to evidence that access was authorised; and no consistent process for applying access standards. A well-designed provisioning process requires a formal request, business justification, approval by the data owner or manager, and configuration aligned to a defined role profile.
What is the Post-Incident Activity (Lessons Learned) phase and why is it critical to the incident response lifecycle?
- It is a structured review after an incident to identify what happened, what was done well, what failed, and what improvements should be made to prevent recurrence or improve future response (Correct answer)
- Post-Incident Activity is the process of restoring data from backups and validating system functionality after recovery is complete
- Post-Incident Activity involves submitting a formal report to senior management confirming that the incident is resolved and no further action is required
- Post-Incident Activity is only required for incidents that resulted in regulatory notification; internally managed incidents do not require a formal review
Explanation: The Post-Incident Activity phase (NIST SP 800-61) — also called Lessons Learned — is critical because it converts incident experience into security improvements. A structured review (lessons learned meeting) within days or weeks of resolution addresses: timeline of events; detection effectiveness; response quality; communication effectiveness; control failures that enabled the incident; and recommended control improvements. Without this phase, organisations repeat the same mistakes. From an internal audit perspective, this phase also provides evidence for the effectiveness of the overall incident response programme. ISO/IEC 27001:2022 Annex A Control 5.27 (Learning from information security incidents) directly addresses this requirement.
An internal auditor is reviewing the IAM programme of a healthcare organisation with 3,000 employees and high turnover in clinical roles. The current process relies on managers submitting manual email requests to IT when staff leave. An audit of the past 12 months finds that 18% of terminated employees still had active accounts 30 days after their departure date. Which control weaknesses does this reveal, and what is the most effective remediation?
- The manual email process creates delays and relies on manager compliance; the most effective remediation is integrating the HR system with the IAM provisioning system so that access is automatically suspended when employment termination is recorded in HR, with privileged accounts suspended immediately on termination date. (Correct answer)
- The finding indicates an authentication failure; implementing MFA would prevent terminated employees from using their credentials after departure.
- The finding is acceptable for a healthcare organisation because clinical role turnover means some access continuity is operationally necessary.
- The most effective remediation is to conduct quarterly access recertification reviews, which would identify terminated employees within 90 days.
Explanation: An 18% rate of active accounts for departed employees is a significant de-provisioning failure in a healthcare setting where access to patient data is subject to strict requirements. The manual email process is unreliable because it depends on managers remembering to submit requests and IT actioning them promptly. The most effective and scalable control is integrating the HR information system (HRIS) with the IAM system so that recording a termination date automatically triggers account suspension. Privileged accounts require immediate suspension on the termination date. Quarterly recertification would catch this within 90 days at best, which is too slow. The integration approach is the preventive control; recertification remains a complementary detective control.
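The two audit tests behind the first and third sample questions, written out as an added Python example (not code from this question bank or any HRIS or IAM product): a provisioning check that every grant has a documented approver other than the requester and entitlements that fit the role profile, and a leaver reconciliation that compares HRIS termination dates with an IAM account export, flags privileged accounts still active on or after the termination date, and computes the share of leavers still holding an active account beyond a 30-day window. All employee identifiers, usernames, dates, role profiles and the export date are constructed for the example.

```python
"""Joiner/leaver audit tests over a constructed HRIS extract and IAM export.
Hypothetical helper code; all identifiers and dates below are made up."""
from datetime import date

AS_OF = date(2024, 6, 30)   # date the IAM export was taken (constructed)
GRACE_DAYS = 30             # audit threshold used in the finding

# Approved entitlement sets per job role (constructed role profiles).
ROLE_PROFILES = {
    "nurse": {"ehr_read", "ehr_write"},
    "billing": {"billing_app", "ehr_read"},
}

# Provisioning log: (employee_id, role, entitlements granted, requester, approver).
PROVISIONING = [
    ("E001", "nurse", {"ehr_read", "ehr_write"}, "mgr1", "mgr1"),                 # self-approved
    ("E002", "billing", {"billing_app", "ehr_read"}, "mgr2", "owner1"),           # compliant
    ("E004", "nurse", {"ehr_read", "ehr_write", "db_admin"}, "mgr1", "owner1"),   # outside profile
    ("E005", "billing", {"billing_app"}, "mgr2", None),                           # no approval recorded
]

# HRIS extract: employee_id -> termination date (None = still employed).
HR_TERMINATIONS = {
    "E001": date(2024, 1, 15), "E002": date(2024, 5, 1), "E003": date(2024, 6, 20),
    "E004": None, "E005": date(2024, 3, 1), "E006": date(2024, 4, 10),
    "E007": date(2024, 2, 28),
}

# IAM export: (employee_id, username, status, privileged).
IAM_ACCOUNTS = [
    ("E001", "e001.user", "active", False),
    ("E002", "e002.user", "suspended", False),
    ("E003", "e003.admin", "active", True),
    ("E004", "e004.user", "active", False),
    ("E005", "e005.admin", "active", True),
    ("E005", "e005.user", "active", False),
    ("E006", "e006.user", "suspended", False),
]


def check_provisioning(events, role_profiles):
    """Test 1: each grant needs an approver other than the requester, and the
    entitlements must be a subset of the role profile. Returns [(employee, issue)]."""
    issues = []
    for emp, role, granted, requester, approver in events:
        if approver is None:
            issues.append((emp, "no documented approval"))
        elif approver == requester:
            issues.append((emp, "requester approved own request"))
        extra = granted - role_profiles.get(role, set())
        if extra:
            issues.append((emp, "entitlements outside role profile: " + ",".join(sorted(extra))))
    return issues


def reconcile_leavers(terminations, accounts, as_of, grace_days):
    """Test 2: flag active accounts belonging to terminated employees. Privileged
    accounts are expected to be suspended on the termination date, others within
    grace_days. Returns (findings, orphan_rate); orphan_rate is the share of leavers
    whose grace window has elapsed and who still hold at least one active account."""
    findings, overdue = [], set()
    for emp, username, status, privileged in accounts:
        term = terminations.get(emp)
        if term is None or term > as_of or status != "active":
            continue                       # employed, future leaver, or already suspended
        days = (as_of - term).days
        if privileged:
            findings.append((username, days, "high"))
        elif days > grace_days:
            findings.append((username, days, "medium"))
        if days > grace_days:
            overdue.add(emp)
    population = [e for e, d in terminations.items()
                  if d is not None and (as_of - d).days > grace_days]
    rate = len(overdue) / len(population) if population else 0.0
    findings.sort(key=lambda f: (f[2] != "high", -f[1]))   # high severity first, oldest first
    return findings, rate


def run_sample_audit():
    """Run both tests over the constructed data."""
    return (check_provisioning(PROVISIONING, ROLE_PROFILES),
            reconcile_leavers(HR_TERMINATIONS, IAM_ACCOUNTS, AS_OF, GRACE_DAYS))


if __name__ == "__main__":
    prov_issues, (leaver_findings, rate) = run_sample_audit()
    for emp, issue in prov_issues:
        print(f"provisioning {emp}: {issue}")
    for username, days, sev in leaver_findings:
        print(f"leaver [{sev}] {username}: still active {days} days after termination")
    print(f"leavers still active after {GRACE_DAYS} days: {rate:.0%} of population")
```

One caveat a practitioner should keep in mind: a point-in-time IAM export only shows which accounts are active on the export date, so it cannot reproduce the "active 30 days after departure" measure exactly; the example approximates it by restricting the population to leavers whose 30-day window had already elapsed at the export date. A status-change history from the IAM system gives the exact figure, and the same reconciliation is what an HRIS-to-IAM integration performs continuously as a preventive control rather than once a quarter as a detective one.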