ISC Simulated Exam Questions with
Complete Answers
Which of the following functions in the NIST Privacy Framework Core best describes
how the organization answers the question "What are the company's privacy risks
related to its data processing activities?"
A.
Control
B.
Communicate
C.
Govern
D.
Identify - ANSWER-D
Which of the following assumes that a company's network is always at risk and
focuses on continuous validation?
A.
Least privilege
B.
Whitelisting
C.
Need-to-know
D.
Zero trust - ANSWER-D
Which database schema, commonly used for dimensional modeling, is best
described as one where data is organized into a central fact table with associated
dimension tables surrounding it?
A.
Flat model
B.
Hierarchical model
C.
Snowflake schema
D.
Star schema - ANSWER-D
All of the following are requirements of the Payment Card Industry Data Security
Standard (PCI DSS) except which one?
A.
Enhancing accessibility of stored cardholder data by utilizing shared storage drives
between banks, retailers, and customers
B.
Restricting access to cardholder data by applying need-to-know restrictions
C.
Enhancing the protection of all organization systems against malware and regularly
updating antivirus software or programs
D.
Updating all passwords and parameters to ensure that vendor-supplied defaults for
system passwords and other security parameters are not in use - ANSWER-A
Which of the following circumstances would most likely give rise to a modified
opinion from the service auditor in a SOC 1® Type 1 engagement?
A.
A deficiency in the operation of a relevant control was noted, but the service auditor
determined the impact was neither material nor pervasive.
B.
The controls are not suitably designed to provide reasonable assurance that the
service organization's service commitments and system requirements would be
achieved based on the applicable trust services criteria.
C.
The controls did not operate effectively throughout the specified period to achieve
the related control objectives stated in management's description of the service
organization's system, in all material respects.
D.
Management's description of the service organization's system is not fairly
presented, in all material respects. - ANSWER-D
Which of the following should be evaluated when testing whether data is secure
while also providing sufficient computing power?
A.
Operating system
B.
Switch
C.
Router
D.
Firmware - ANSWER-A
John works in the IT department of ABC Co. John circumvented controls to gain
unauthorized access to certain data for eventual sale on the dark web. John is both:
A.
An attacker and a state-sponsored actor.
B.
An insider and a hacker.
C.
An adversary and an external threat.
D.
A hacktivist and a government-sponsored actor. - ANSWER-B
An inclusive report on controls of a subservice organization is most useful in which of
the following circumstances?
A.
The subservice organization's services and controls have a pervasive effect on the
service organization's system.
B.
The service organization is unable to obtain contractual or other commitment from
the subservice organization regarding its willingness to be included in the SOC 2®
engagement.
C.
A Type 1 or Type 2 SOC report related to the subservice organization, meeting user
needs, is available.
D.
The service auditor is not independent of the subservice organization. - ANSWER-A
The following characteristics are best represented by which type of cloud
deployment model?
Number of Organizations Using the Same Cloud: Two or more
Entity That Owns the Cloud:                  A third-party cloud service provider
Location of Cloud Network Equipment:         Off site
Purpose of Cloud:                            Redundancy and data sharing with industry peers
A.
Hybrid
B.
Private
C.
Community
D.
Public - ANSWER-C
Priya, an IT security associate, is evaluating security awareness at Financial Horizon
Works Co. As part of this process, she decided to measure the average time taken
per security training session and the click rate for emails that mirror scam emails.
What components of security awareness is Priya measuring?
A.
Reply rates and phishing simulations
B.
Security behaviors (with and without champions) and report rates
C.
Employee engagement and phishing simulations
D.
Security behaviors (with and without champions) and re-click rates - ANSWER-C
During the risk assessment process of a business impact analysis (BIA), resources
are categorized by the impact to the day-to-day operations of an organization. If the
organization could work around the loss of an information resource for days or