ISC Exam Questions with Complete Solutions
A cloud service provider's vision is to provide reliable and consistent network connectivity for all customers. Part of its corporate strategy for achieving that is heavily reliant on all of the following except: - ANSWER-Utilizing a community cloud deployment model.

Testing of a recovery plan pertains to which of the trust services criteria? - ANSWER-Availability

Under the COBIT core model, which of the following groups of objectives would best be classified as Build, Acquire, and Implement (BAI)? - ANSWER-Managed knowledge, managed organizational change, and managed availability and capacity

Under the COBIT core model, Align, Plan, and Organize (APO) includes things like - ANSWER-managed security, managed human resources, and managed budget and costs.

Under the COBIT core model, Deliver, Service, and Support (DSS) includes six objectives, including - ANSWER-service requests and incidents, managed problems, and managed security devices.

Under the COBIT core model, Evaluate, Direct, and Monitor (EDM) includes five objectives, including - ANSWER-governance framework setting and maintenance, resource optimization, and benefits delivery.

Owen was unable to access a directory of sensitive files at his workplace. What control potentially stopped Owen? - ANSWER-Filesystem ACL

A filesystem ACL - ANSWER-can deny privileges in an operating system by restricting access to certain files, folders, and directories. ACLs are lists of rules that outline which users have permission to access certain resources, such as a file, folder, directory, or other IT resource. ACLs also administer account restrictions. Access and account restrictions are enforced by controlling network traffic based on the rules defined in the ACL.

When assessing materiality for a SOC 1® Type 2 engagement, the service auditor would likely focus on quantitative factors, which include: - ANSWER-tolerable and observed rate of deviations

In a sales database, you are tasked with extracting a list of all orders with a total value exceeding $1,000. Which system query language (SQL) clause should you use to filter the data based on the total order value? - ANSWER-WHERE

GROUP BY is used when - ANSWER-needing to aggregate data into subtotals based on the designated attribute

FROM - ANSWER-specifies the table or tables from which the information is coming

SELECT - ANSWER-indicates which attributes are requested for viewing

A common type of insurable loss related to a cyberattack that includes the cost associated with the recovery of lost or stolen data by external IT experts or managed service providers best describes which of the following? - ANSWER-Incident response cost

Business interruption losses are - ANSWER-larger in scope and include lost revenue from operating delays that are due to the inability to access records, systems, or financial resources.

While testing an authorization control during a SOC 2 Type 2 examination, the service auditor noted significant delays in the performance of the control in three of the nine sampled instances reviewed. Which of the following statements complies with the required presentation of the test results in the SOC 2 Type 2 report? - ANSWER-The authorization control was not performed in a timely manner for three of the nine sampled instances.

A service auditor has determined that the extent of testing of system controls at a service organization must be amended to obtain sufficient and appropriate evidence about the operating effectiveness of controls in place at a service organization. To amend the extent of testing, the service auditor may: - ANSWER-Consider both the tolerable and expected rate of deviation.

Tokenization - ANSWER-The process of replacing sensitive data with unique identification symbols that retain all the essential information about the data without compromising its security.

Milly, a CPA firm, is performing a SOC 1® Type 2 engagement related to Pay Stub Inc., a payroll processor. If Milly determines that the application of complementary user entity controls is necessary to achieve the related control objectives stated in management's system description and the carve-out method is applied, which section(s) of the service auditor's report would contain amended language addressing this point? - ANSWER-scope and opinion

Which of the following is the COBIT 2019 management objective that addresses IT security, business process controls, and business continuity? - ANSWER-Deliver, Service and Support

Timbercan Co. is using the COBIT 2019 Design Factors to revise its existing IT governance system. To accomplish that, Timbercan is currently assessing the role of its different IT systems for manufacturing. Its systems that are not critical for business operations but drive innovation can best be described as which of the following? - ANSWER-Turnaround