Unit 3 Module 3 ISC CPA Exam
Questions and Answers
- Graham performed procedures to determine how current password management activities compared with the expected password management activities.

ANSWER: The answer is C because security assessments typically do not evaluate manual financial reporting controls, since those controls are not closely related to IT security controls.
Henry, an IT security manager, is evaluating security awareness at Peame LLP. As part of this process, he decided to specifically assess employee engagement and phishing simulations. What metrics of security awareness are most appropriate for Henry to use?
- Champion density and reply rates
- Percentage of employees who completed trainings and report rates
- Click rate and re-click rate
- Security behaviors (with and without champions) and nonresponder rates

ANSWER: The answer is B and NOT C, because C only represents the phishing simulations and not employee engagement as well. Answer B addresses both employee engagement and phishing simulations: the percentage of employees who completed the trainings measures engagement, and the report rates relate to the phishing program.
Austin is assessing an entity's communication of security knowledge to promote awareness. Which of the following forms of communication should not be targeted in Austin's assessment?
- Phishing simulation reports from IT to management
- Records of champion consultations
- SOC 2® reports provided to management
- Actual IT security training materials

ANSWER: The answer is C because SOC 2 reports provided to management would not be necessary for promotion of security knowledge.