CIA Part 3: Business Knowledge for Internal Auditing · Unit 02 (Access: Premium)
Domain II: Information Security
Prepare for Domain II: Information Security with CIA practice questions covering 10 topics. Part of Part 3: Business Knowledge for Internal Auditing — build your knowledge and track your progress with CIA Practice.
What’s in it.
10 topics:
- Topic 01: Information Security Governance and Strategy (60 questions)
- Topic 02: Cybersecurity Frameworks (NIST CSF, ISO 27001, SOC 2) (47 questions)
- Topic 03: Threat Landscape — Phishing, Ransomware, Social Engineering, Insider Threat (42 questions)
- Topic 04: Vulnerability Assessment and Penetration Testing (Audit Role) (14 questions)
- Topic 05: Identity and Access Management (14 questions)
- Topic 06: Encryption and Key Management (15 questions)
- Topic 07: Network Security Architecture and Firewalls (14 questions)
- Topic 08: Security Operations and Incident Response (14 questions)
- Topic 09: Data Loss Prevention and Classification (15 questions)
- Topic 10: Third-Party and Vendor Security Risk (11 questions)
Sample questions
3 of many. A few questions from this unit, with the answer and a full explanation. The complete bank is available when you start practising.
An organisation has a dedicated CISO, a detailed security policy, and annual security training. However, the board receives no regular security reporting and has never discussed the organisation's risk appetite for cybersecurity. Which governance deficiency does this best illustrate?
- The CISO lacks sufficient technical authority to implement effective controls without board-level backing.
- Absence of board-level oversight and risk appetite setting, which are foundational governance responsibilities. (Correct answer)
- The organisation lacks a security operations centre to monitor threats in real time and escalate incidents.
- The security policy is inadequate because it has not been approved by the board of directors.
Explanation: Governance requires the board to set risk appetite and receive regular security reporting — not just to delegate security to technical staff. An organisation can have competent operational security (CISO, policy, training) while still lacking governance if the board is disengaged. The board's failure to discuss risk appetite means there is no strategic direction for security investment and control decisions. This is a governance deficiency, not an operational one.
An internal auditor reviews a financial services organisation's data classification programme. The programme has been in place for three years and initially classified all data assets. The auditor finds: no re-classification reviews have been conducted; the classification scheme does not cover data held by third-party vendors; new data types introduced through a digital transformation programme have not been classified; and a recent acquisition brought in a subsidiary with no classification scheme. Which finding poses the most immediate regulatory risk?
- Unclassified data from the acquisition and the digital transformation programme means the organisation cannot demonstrate that appropriate controls are in place for all personal data it holds, creating direct accountability risk under UK GDPR Article 5(2). (Correct answer)
- The most immediate regulatory risk is the absence of a DPO sign-off on the classification scheme; GDPR requires DPO approval of classification programmes.
- There is no immediate regulatory risk; regulatory enforcement only occurs after a notifiable data breach, not for classification programme gaps.
- The most immediate regulatory risk is the absence of re-classification reviews; ISO 27001 mandates annual re-classification of all data assets.
Explanation: GDPR Article 5(2) (accountability principle) requires organisations to be able to demonstrate compliance. If personal data acquired through an acquisition or introduced through digital transformation has not been classified, the organisation cannot demonstrate that appropriate controls are in place for it. This is an immediate accountability risk: a supervisory authority audit or a data subject complaint could reveal that the organisation processes personal data without adequate safeguards, creating liability under Articles 32 and 83. Regulatory enforcement is not limited to post-breach actions — GDPR regulators can and do audit organisations' data governance practices proactively.
What is ransomware and how does a typical ransomware attack unfold from initial access to encryption?
- Ransomware immediately encrypts all files upon initial access without any preliminary reconnaissance or lateral movement.
- Ransomware is a phishing attack that tricks users into purchasing fraudulent gift cards; no file encryption is involved.
- Ransomware is malware that encrypts the victim's files and demands payment for decryption; a typical attack begins with initial access (e.g., phishing), followed by persistence, lateral movement, and finally mass encryption of files. (Correct answer)
- Ransomware is a form of spyware that monitors user activity and demands payment to prevent disclosure of captured data to the victim's employer.
Explanation: Ransomware is malicious software that encrypts a victim's data and demands a ransom (typically in cryptocurrency) for the decryption key. A modern ransomware attack typically follows a kill chain: (1) Initial access — phishing email, exploited VPN vulnerability, or RDP brute force; (2) Persistence — the attacker establishes backdoors and disables security tools; (3) Lateral movement — the attacker spreads across the network using stolen credentials; (4) Data exfiltration — sensitive data is stolen before encryption (enabling double extortion); (5) Encryption — files are encrypted and a ransom note left. The multi-stage nature means multiple controls can interrupt the chain before encryption occurs.