CPA Exam Practice Test for Information Systems and Controls
1. Which of the following is the primary purpose of an internal control system in an organization?
A) To ensure compliance with laws and regulations
B) To protect the company from theft
C) To enhance operational efficiency
D) To provide reasonable assurance regarding the achievement of objectives
2. What is the main responsibility of an information systems auditor?
A) To manage the IT infrastructure
B) To develop internal control systems
C) To assess and evaluate the effectiveness of controls
D) To design software applications for financial reporting
3. Which of the following is an example of a preventive control in an information system?
A) Security cameras
B) Backup data storage
C) Firewalls to block unauthorized access
D) Exception reports
4. Which of the following controls is used to ensure that data entered into an accounting system is accurate and complete?
A) Reconciliation
B) Data validation
C) Encryption
D) Backup
5. Which of the following best describes the principle of “segregation of duties”?
A) Assigning all tasks to a single employee for efficiency
B) Ensuring that no employee has access to all parts of a system or process
C) Implementing electronic controls to prevent unauthorized access
D) Allowing employees to audit their own work
6. What is the primary purpose of the Sarbanes-Oxley Act of 2002 in relation to information systems?
A) To establish auditing standards for financial reporting
B) To require companies to develop data encryption protocols
C) To mandate the use of firewalls in financial systems
D) To promote efficient software development practices
7. Which of the following is an example of a detective control in an information system?
A) Backup and restore procedures
B) User authentication procedures
C) Audit logs to track system activity
D) Segregation of duties
8. In the context of information systems, what does the term “data integrity” refer to?
A) Ensuring that data is secure from unauthorized access
B) Ensuring that data is accurate, complete, and reliable
C) Ensuring that data is processed quickly and efficiently
D) Ensuring that data is backed up regularly
9. Which of the following is an example of a corrective control in an information system?
A) Firewalls
B) Backups
C) Intrusion detection alerts
D) User authentication
10. What is the purpose of an audit trail in an information system?
A) To record all transactions and events that affect system security
B) To monitor employee work performance
C) To verify compliance with legal regulations
D) To protect against physical theft of system hardware
11. Which of the following is a key component of an information security management system (ISMS)?
A) Access controls
B) Financial analysis
C) Performance evaluations
D) Data compression
12. Which of the following is an example of an authentication control in an information system?
A) Password protection
B) Backup and recovery procedures
C) Segregation of duties
D) Encryption of data in transit
13. Which of the following describes the concept of “risk management” in the context of information systems?
A) Identifying potential security threats and mitigating them
B) Developing new software applications for internal use
C) Monitoring employee productivity with surveillance software
D) Encrypting all organizational data
14. Which of the following is an example of an end-user computing control?
A) Firewall configuration
B) User access rights management
C) Data backup and recovery
D) Manual data entry error correction
15. Which of the following is a key objective of an information system’s internal controls?
A) Maximizing the number of users with system access
B) Safeguarding assets and ensuring data integrity
C) Allowing all employees to access financial records
D) Streamlining system operations for better performance
16. What is the primary purpose of an entity’s disaster recovery plan?
A) To develop new business strategies
B) To ensure continuous data availability during a disruption
C) To monitor employee performance
D) To design new financial reporting software
17. Which of the following is the most important aspect of a system’s user access control?
A) Ensuring that users have access to all organizational resources
B) Restricting user access based on their job responsibilities
C) Allowing users to share login credentials
D) Providing unlimited access to system administrators
18. What does “least privilege” refer to in the context of access control?
A) Granting users access to every resource in their department
B) Granting users the minimum level of access necessary to perform their tasks
C) Allowing users to change access rights at will
D) Granting users access to all areas of the system
19. Which of the following is a characteristic of a well-designed IT governance framework?
A) Unlimited access to all users
B) Clear alignment between business goals and IT objectives
C) Focus only on technical aspects of information systems
D) Elimination of all security measures for efficiency
20. Which of the following best describes the role of a systems development life cycle (SDLC)?
A) Managing software licensing
B) Developing a structured process for creating and maintaining information systems
C) Identifying security vulnerabilities in existing systems
D) Conducting audits of system processes
21. Which of the following is an example of an access control mechanism for sensitive information?
A) Data encryption
B) Scheduled data backups
C) Database indexing
D) Periodic user performance reviews
22. Which of the following types of controls is used to prevent unauthorized access to a system?
A) Detective controls
B) Corrective controls
C) Preventive controls
D) Compensating controls
23. What is the purpose of the COBIT framework in IT governance?
A) To develop new software systems
B) To manage system access rights
C) To provide a comprehensive set of controls for IT management
D) To design user authentication systems
24. Which of the following is a primary objective of risk assessment in information systems?
A) To assess employee performance
B) To identify and evaluate potential threats to the system
C) To design new IT infrastructure
D) To reduce data storage costs
25. What is the role of a firewall in information systems security?
A) To monitor employee activity
B) To block unauthorized access to the network
C) To store backup data
D) To manage access rights
26. Which of the following best describes the purpose of encryption in an information system?
A) To prevent unauthorized users from accessing sensitive data
B) To monitor system performance
C) To store backup data securely
D) To improve system processing speed
27. Which of the following is an example of a system input control?
A) Data validation checks
B) Backup procedures
C) Audit logs
D) Segregation of duties
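Questions 4 and 27 (and the later input-control questions) ask what a data validation or input control is; the code below is an added example of one, not part of the practice test. It is a validation layer for a journal-entry import that applies the classic edit checks an auditor looks for: existence (the account code is in the chart of accounts), format (the amount is numeric with at most two decimals), validity (the side is debit or credit), range (the posting date falls in the open period) and balance (debits equal credits). The chart of accounts, the open period and the sample entries are constructed here for illustration.

```python
"""Input controls for a journal-entry import (added example, not from the test)."""
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed chart of accounts; a real system would read ledger master data.
CHART_OF_ACCOUNTS = {
    "1000": "Cash",
    "1200": "Accounts receivable",
    "4000": "Revenue",
    "5000": "Operating expenses",
}
# Constructed open posting period (range check for the entry date).
OPEN_PERIOD = (date(2024, 3, 1), date(2024, 3, 31))


def validate_line(line: dict) -> list[str]:
    """Field-level edit checks on one journal line; returns a list of errors."""
    errors = []
    account = line.get("account")
    if account not in CHART_OF_ACCOUNTS:                      # existence check
        errors.append(f"unknown account {account!r}")
    try:
        amount = Decimal(str(line.get("amount", "")))          # format check
    except InvalidOperation:
        errors.append(f"amount {line.get('amount')!r} is not numeric")
    else:
        if not amount.is_finite() or amount <= 0:              # sign check
            errors.append(f"amount {amount} must be a positive finite number")
        elif amount.as_tuple().exponent < -2:                  # precision check
            errors.append(f"amount {amount} has more than two decimal places")
    if line.get("side") not in ("debit", "credit"):            # validity check
        errors.append(f"side {line.get('side')!r} must be 'debit' or 'credit'")
    return errors


def validate_entry(entry: dict, period: tuple = OPEN_PERIOD) -> list[str]:
    """Record-level checks: open period, minimum lines, and debits == credits."""
    errors = []
    try:
        posted = date.fromisoformat(str(entry.get("date", "")))
        if not (period[0] <= posted <= period[1]):             # range check
            errors.append(f"date {posted} is outside the open period")
    except ValueError:
        errors.append(f"date {entry.get('date')!r} is not a valid ISO date")
    lines = entry.get("lines", [])
    if len(lines) < 2:
        errors.append("an entry needs at least two lines")
    for i, line in enumerate(lines):
        errors.extend(f"line {i}: {e}" for e in validate_line(line))
    if not errors:                                             # balance check
        debits = sum(Decimal(str(l["amount"])) for l in lines if l["side"] == "debit")
        credits = sum(Decimal(str(l["amount"])) for l in lines if l["side"] == "credit")
        if debits != credits:
            errors.append(f"unbalanced entry: debits {debits} != credits {credits}")
    return errors


# Constructed sample entries: one clean, one with several input errors,
# and one that passes every field check but does not balance.
GOOD_ENTRY = {"date": "2024-03-15", "lines": [
    {"account": "1000", "side": "debit", "amount": "250.00"},
    {"account": "4000", "side": "credit", "amount": "250.00"}]}
BAD_ENTRY = {"date": "2024-04-02", "lines": [
    {"account": "9999", "side": "debit", "amount": "-5"},
    {"account": "4000", "side": "credit", "amount": "abc"}]}
UNBALANCED_ENTRY = {"date": "2024-03-20", "lines": [
    {"account": "5000", "side": "debit", "amount": "100.00"},
    {"account": "1000", "side": "credit", "amount": "90.00"}]}

if __name__ == "__main__":
    for name, entry in [("good", GOOD_ENTRY), ("bad", BAD_ENTRY),
                        ("unbalanced", UNBALANCED_ENTRY)]:
        print(name, validate_entry(entry) or "accepted")
```

The balance check only runs once every field check has passed, because an unparseable amount would otherwise mask the real error; the entry is rejected as a whole rather than partially posted, which is what makes this a preventive rather than a corrective control.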
28. Which of the following is a key feature of an effective incident response plan?
A) Identifying and responding to system vulnerabilities
B) Securing employee workstations with antivirus software
C) Establishing clear procedures for managing security breaches
D) Reducing IT costs
29. Which of the following is the most important objective of a business continuity plan (BCP)?
A) Maximizing profit margins
B) Ensuring the availability of critical systems and data during and after a disaster
C) Preventing employee layoffs
D) Minimizing operating expenses
30. Which of the following is an example of an output control in an information system?
A) Access control measures
B) Monitoring audit logs
C) Validation of user input
D) Ensuring that reports are accurate and complete
31. Which of the following is the purpose of a “control matrix” in an information systems audit?
A) To monitor network performance
B) To track employee productivity
C) To assess the design and effectiveness of internal controls
D) To manage data storage requirements
32. Which of the following is an example of a compensating control in an information system?
A) User authentication
B) Regular system backups
C) Monthly review of access logs by management
D) Use of data encryption
33. Which of the following control activities is designed to reduce the risk of fraud in the information system?
A) Training staff on security best practices
B) Implementing access control mechanisms
C) Running routine vulnerability scans
D) Establishing a system for reporting fraud
34. What is the primary purpose of encryption in an information system?
A) To keep data confidential from unauthorized parties
B) To store data efficiently
C) To ensure data availability
D) To make data readable to unauthorized users
35. Which of the following is an example of a physical security control?
A) User access passwords
B) Biometric door locks at the data center entrance
C) Network firewalls
D) Encryption of data at rest
36. Which of the following best describes “accountability” in an information system’s control structure?
A) Ensuring only authorized personnel have access to the system
B) Requiring users to take responsibility for their actions within the system
C) Limiting system downtime
D) Reducing system processing time
37. Which of the following controls is intended to limit user access to only the necessary information and actions for their job?
A) Role-based access control
B) Data validation checks
C) Firewalls
D) Audit trails
38. What does the term “risk appetite” refer to in an organization’s information security strategy?
A) The level of risk an organization is willing to accept
B) The types of risks to be avoided
C) The risk assessment process
D) The cost of implementing controls
39. Which of the following is the purpose of a “data classification scheme” in an organization?
A) To protect sensitive data by categorizing it according to its level of importance
B) To improve system performance by organizing data
C) To monitor user access
D) To facilitate data storage and retrieval
40. Which of the following controls helps ensure that only authorized personnel can modify the data in an information system?
A) Firewalls
B) Access controls
C) Backup systems
D) Data recovery procedures
41. Which of the following is an example of an operational control in an information system?
A) Encryption of sensitive data
B) User access management
C) Performing daily system backups
D) Managing disaster recovery plans
42. Which of the following describes the role of “separation of duties” in an information system’s internal control structure?
A) Preventing a single individual from having control over multiple phases of a process
B) Enabling users to perform all tasks within a system
C) Allowing unrestricted access to critical data for all users
D) Restricting employees from collaborating on tasks
43. Which of the following control activities is aimed at ensuring data accuracy in an information system?
A) Backup procedures
B) Input validation checks
C) Firewall configuration
D) Employee performance monitoring
44. Which of the following is a characteristic of a system with strong information security controls?
A) All employees have access to all data
B) Security controls are regularly reviewed and updated
C) Security procedures are only followed during audits
D) Only administrators have access to the system
45. What is the purpose of a “security incident response plan” in an information system?
A) To ensure data availability during a disaster
B) To track and respond to security breaches and incidents
C) To assess the effectiveness of the firewall
D) To manage the system’s hardware components
46. Which of the following is an example of a system control that limits user access based on their job function?
A) Role-based access control
B) Data encryption
C) Antivirus software
D) Backup procedures
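Questions 37, 42 and 46 (and the least-privilege questions) describe role-based access control and separation of duties in words; the code below is an added example of both together, not part of the practice test. The roles, permissions, users and the list of conflicting permission pairs are constructed for illustration. A user's effective permissions are exactly the union of the roles assigned and nothing else (least privilege), and separation of duties is enforced twice: statically, so that no single user holds both halves of a conflicting pair, and at runtime, so that the approver of an invoice can never be its creator (maker-checker).

```python
"""RBAC with segregation-of-duties checks (added example, not from the test)."""

ROLE_PERMISSIONS = {
    "ap_clerk":   {"invoice:create", "invoice:read"},
    "ap_manager": {"invoice:read", "invoice:approve"},
    "auditor":    {"invoice:read", "auditlog:read"},
}

# Pairs of permissions that no single person should hold at the same time.
CONFLICTING_PERMISSIONS = [("invoice:create", "invoice:approve")]

# Constructed user-to-role assignments; "sam" is a provisioning mistake.
USER_ROLES = {
    "maria": {"ap_clerk"},
    "omar":  {"ap_manager"},
    "lee":   {"auditor"},
    "sam":   {"ap_clerk", "ap_manager"},
}


def permissions_for(user: str) -> set:
    """Effective permissions: the union of the user's roles, nothing more."""
    roles = USER_ROLES.get(user, set())
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))


def is_allowed(user: str, permission: str) -> bool:
    return permission in permissions_for(user)


def sod_violations(user: str) -> list:
    """Static check: conflicting pairs of which this user holds both halves."""
    perms = permissions_for(user)
    return [pair for pair in CONFLICTING_PERMISSIONS if set(pair) <= perms]


def sod_report() -> dict:
    """Run the static check over every user; this is what an access review reads."""
    report = {}
    for user in USER_ROLES:
        violations = sod_violations(user)
        if violations:
            report[user] = violations
    return report


class Invoice:
    def __init__(self, invoice_id: str, created_by: str):
        if not is_allowed(created_by, "invoice:create"):
            raise PermissionError(f"{created_by} may not create invoices")
        self.invoice_id = invoice_id
        self.created_by = created_by
        self.approved_by = None

    def approve(self, user: str) -> bool:
        """Runtime maker-checker: needs the permission AND a different person."""
        if not is_allowed(user, "invoice:approve"):
            raise PermissionError(f"{user} may not approve invoices")
        if user == self.created_by:
            raise PermissionError(f"{user} cannot approve an invoice they created")
        self.approved_by = user
        return True


if __name__ == "__main__":
    print("SoD violations:", sod_report())
    inv = Invoice("INV-1001", "maria")
    print("approved by omar:", inv.approve("omar"))
```

The runtime check matters even when the static report is clean: "sam" would be caught by the access review, but a user who legitimately holds only the approve permission could still be the creator of a record through some other path, so the object itself refuses self-approval.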
47. Which of the following best describes the purpose of a business continuity plan (BCP)?
A) To ensure the system operates smoothly during normal conditions
B) To maintain critical business operations during and after a disruption
C) To monitor the performance of IT systems
D) To minimize data storage requirements
48. Which of the following is a characteristic of an information system’s audit trail?
A) It only records successful user logins
B) It tracks system activities and provides a log for monitoring
C) It can be easily edited by system users
D) It is used to store backups of critical data
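Questions 7, 10 and 48 turn on what an audit trail is and why answer C in question 48 (that it can be easily edited by users) is wrong. The code below is an added example of a tamper-evident audit trail with a detective control run over it; it is not part of the practice test. Each entry's hash covers the previous entry's hash, so editing or deleting any record breaks the chain from that point on, and verify() reports the first entry that no longer fits. failed_login_alerts() is the detective control (the "audit logs to track system activity" answer) applied to the same log. All events are constructed for illustration.

```python
"""Hash-chained audit trail plus a detection rule (added example, not from the test)."""
import hashlib
import json
from collections import defaultdict

GENESIS_HASH = "0" * 64


def _entry_hash(prev_hash: str, seq: int, record: dict) -> str:
    # Canonical JSON so the same record always produces the same digest.
    payload = json.dumps({"seq": seq, "record": record}, sort_keys=True,
                         separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


class AuditTrail:
    def __init__(self):
        self.entries = []

    def append(self, record: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        seq = len(self.entries)
        digest = _entry_hash(prev, seq, record)
        self.entries.append({"seq": seq, "record": dict(record),
                             "prev": prev, "hash": digest})
        return digest

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, first_bad_seq)."""
        prev = GENESIS_HASH
        for entry in self.entries:
            expected = _entry_hash(prev, entry["seq"], entry["record"])
            if entry["prev"] != prev or entry["hash"] != expected:
                return False, entry["seq"]
            prev = entry["hash"]
        return True, None


def failed_login_alerts(trail: AuditTrail, threshold: int = 3,
                        window_seconds: int = 300) -> dict:
    """Detective control: users with >= threshold failed logins in any window.
    Returns {user: failures_in_worst_window}."""
    failures = defaultdict(list)
    for entry in trail.entries:
        rec = entry["record"]
        if rec["event"] == "login" and rec["outcome"] == "failure":
            failures[rec["user"]].append(rec["ts"])
    alerts = {}
    for user, times in failures.items():
        times.sort()
        worst, start = 0, 0
        for end in range(len(times)):             # sliding window over timestamps
            while times[end] - times[start] > window_seconds:
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= threshold:
            alerts[user] = worst
    return alerts


# Constructed events; ts is seconds since the epoch.
SAMPLE_EVENTS = [
    {"ts": 1700000000, "user": "jdoe", "event": "login", "outcome": "success"},
    {"ts": 1700000100, "user": "jdoe", "event": "journal.post", "outcome": "success", "amount": "250.00"},
    {"ts": 1700000200, "user": "asmith", "event": "login", "outcome": "failure"},
    {"ts": 1700000210, "user": "asmith", "event": "login", "outcome": "failure"},
    {"ts": 1700000220, "user": "asmith", "event": "login", "outcome": "failure"},
    {"ts": 1700000230, "user": "asmith", "event": "login", "outcome": "failure"},
    {"ts": 1700000300, "user": "lee", "event": "login", "outcome": "failure"},
    {"ts": 1700009000, "user": "lee", "event": "login", "outcome": "failure"},
]


def build_sample_trail() -> AuditTrail:
    trail = AuditTrail()
    for event in SAMPLE_EVENTS:
        trail.append(event)
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact:", trail.verify())
    print("alerts:", failed_login_alerts(trail))
    trail.entries[1]["record"]["amount"] = "25000.00"   # an insider edits the log
    print("after edit:", trail.verify())
```

A hash chain on its own only makes tampering detectable, not impossible: whoever can rewrite the file can recompute every later hash. In practice the latest hash is copied periodically to a store the log writers cannot reach (a separate log server, write-once storage, or a signed checkpoint), and verify() is run against that anchor.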
49. What is the primary function of “change management” in information systems?
A) To ensure system users can easily modify data
B) To control the way changes to the system are made and documented
C) To monitor network traffic
D) To ensure users are compliant with security protocols
50. Which of the following best describes the role of a system “firewall” in network security?
A) To encrypt data during transmission
B) To block unauthorized access and monitor network traffic
C) To store backups of system data
D) To control user access to sensitive data
51. Which of the following would be considered a logical control in an information system?
A) Use of a biometric scanner
B) Data encryption
C) Locking doors to the server room
D) Video surveillance of the data center
52. Which of the following is a key component of the “CIA triad” of information security?
A) Confidentiality
B) Control procedures
C) Accountability
D) Automation
53. What is the purpose of performing a “risk assessment” in an information system?
A) To determine the budget for IT infrastructure
B) To evaluate and mitigate potential security threats
C) To design user interfaces
D) To install security software
54. What does “data masking” in an information system involve?
A) Creating backup copies of data
B) Replacing sensitive data with fictional data for testing purposes
C) Encrypting data in storage
D) Removing outdated data from the system
55. Which of the following is a preventive control aimed at ensuring user authentication in a system?
A) Multi-factor authentication
B) Data encryption
C) Regular data backups
D) System performance monitoring
56. Which of the following is the purpose of an “incident response” team in an organization?
A) To prevent all system downtime
B) To plan the system architecture
C) To respond quickly to security breaches or threats
D) To increase network speed and performance
57. Which of the following best describes the principle of “least privilege” in an information system?
A) Granting users full access to all system resources
B) Granting users only the access necessary for their specific roles
C) Allowing users to modify security settings at will
D) Restricting all access to system resources
58. Which of the following is an example of a detective control in an information system?
A) Regular user access reviews
B) Firewalls
C) Encryption
D) Data masking
59. What is the role of “physical security” controls in information systems?
A) To protect against unauthorized access to sensitive data
B) To prevent unauthorized physical access to IT hardware and systems
C) To improve network performance
D) To detect and respond to security incidents
60. What is the purpose of a “data backup strategy” in an information system?
A) To ensure data is stored efficiently
B) To protect data from loss or corruption
C) To monitor user activities
D) To automate system updates
61. Which of the following is an example of a detective control in an information system?
A) Data encryption
B) User authentication
C) System activity monitoring
D) Role-based access control
62. Which of the following best describes the concept of “data integrity” in an information system?
A) Ensuring data is available at all times
B) Ensuring data is accurate, consistent, and trustworthy
C) Restricting access to certain data
D) Encrypting data during transmission
63. Which of the following is a primary objective of internal controls in an information system?
A) Increase system performance
B) Prevent unauthorized access and errors
C) Reduce system downtime
D) Ensure compliance with tax laws
64. What is the primary purpose of an audit trail in an information system?
A) To monitor system performance
B) To provide a record of system activities for security and accountability
C) To optimize data storage
D) To reduce user workload
65. Which of the following is an example of a preventive control for data security?
A) Logging user access attempts
B) Periodic vulnerability scanning
C) Encryption of sensitive data
D) Data backup
66. What is the primary purpose of a firewall in an information system?
A) To encrypt sensitive data
B) To monitor and control network traffic
C) To provide a backup of critical data
D) To ensure system uptime
67. Which of the following is an example of an administrative control in an information system?
A) Access control lists
B) Employee training and awareness programs
C) Encryption
D) Data integrity checks
68. Which of the following would likely be a concern for an organization with inadequate information system controls?
A) Decreased system performance
B) Increased risk of unauthorized access and data breaches
C) Improved user productivity
D) Reduction in network traffic
69. Which of the following is an example of a detective control used to identify fraud in an information system?
A) Regular employee access reviews
B) System redundancy
C) Firewalls
D) User authentication
70. Which of the following activities would be classified as a compensating control in an information system?
A) Installing an intrusion detection system
B) Periodic independent review of transactions where automated controls cannot be implemented
C) Encrypting all communications
D) Regular employee training on security practices
71. What is the main purpose of an access control list (ACL) in an information system?
A) To track system usage patterns
B) To control and manage user permissions to system resources
C) To monitor network performance
D) To prevent unauthorized physical access to the data center
72. Which of the following best describes the purpose of a disaster recovery plan (DRP) for an information system?
A) To prevent unauthorized access
B) To ensure business continuity in the event of a disaster
C) To monitor system performance
D) To ensure compliance with tax regulations
73. Which of the following is a key element of the “CIA Triad” in information security?
A) Compliance
B) Availability
C) Automation
D) Authentication
74. Which of the following is an example of an input control in an information system?
A) Encryption of data
B) Validation checks to ensure correct data is entered
C) System performance monitoring
D) Backup procedures
75. What is the primary function of “data masking” in an information system?
A) To enhance system speed
B) To replace sensitive data with fictional data for testing or training
C) To backup critical data
D) To encrypt data during transmission
76. Which of the following is a method for ensuring “data availability” in an information system?
A) Regular data backups
B) User training
C) Periodic vulnerability assessments
D) Data encryption
77. What does the term “least privilege” mean in the context of an information system?
A) Limiting user access to the bare minimum necessary for their job function
B) Allowing users to access all data within the system
C) Restricting all access to sensitive data
D) Allowing system administrators full access to all data
78. Which of the following controls ensures that users can only access the data that is relevant to their roles in an organization?
A) Encryption
B) Role-based access control
C) Data validation
D) Redundancy
79. What is the purpose of an “incident response” team in the context of an information system?
A) To develop system architecture
B) To address and respond to security incidents and breaches
C) To monitor system performance and availability
D) To ensure system compatibility with hardware
80. Which of the following controls is used to identify and alert administrators to unauthorized access attempts?
A) Backup procedures
B) Access control lists
C) Intrusion detection systems
D) Data encryption
81. What is the function of “multifactor authentication” in an information system’s security strategy?
A) To provide a password-free login system
B) To ensure users are granted access based on multiple forms of verification
C) To prevent system downtime
D) To monitor network activity
82. Which of the following is a characteristic of an effective “incident response plan” (IRP)?
A) It eliminates all security threats before they occur
B) It provides a structured approach for responding to security incidents
C) It only addresses incidents after they have been detected
D) It is solely focused on system performance
83. Which of the following is the primary objective of a security audit in an information system?
A) To assess the system’s performance
B) To identify vulnerabilities and ensure compliance with security policies
C) To monitor system traffic
D) To train employees on security best practices
84. Which of the following describes the function of “data encryption” in an information system?
A) To compress data to reduce storage
B) To make sensitive data unreadable without the appropriate decryption key
C) To monitor system traffic for suspicious activity
D) To identify unauthorized access attempts
85. What is the primary purpose of implementing “two-factor authentication” (2FA) in an information system?
A) To ensure system uptime
B) To provide an extra layer of security by requiring two types of verification
C) To store data securely
D) To improve system performance
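Questions 81 and 85 describe multifactor and two-factor authentication as "multiple forms of verification"; the code below is an added example of the most common second factor, a time-based one-time password (RFC 6238), and is not part of the practice test. The shared secret is the RFC's own published test key so the output can be checked against its test vectors; the verification window and the replay bookkeeping are this example's own design, and new_secret() is what a real enrolment would use instead of the test key.

```python
"""TOTP second factor with drift window and replay refusal (added example, not from the test)."""
import base64
import hashlib
import hmac
import secrets
import struct
import time

# RFC 6238 test secret (ASCII "12345678901234567890"); real enrolments use new_secret().
RFC_TEST_KEY = b"12345678901234567890"


def new_secret() -> str:
    """Random 160-bit secret, base32-encoded for the enrolment QR code or manual entry."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """The code the authenticator app shows: HOTP with the counter derived from time."""
    return hotp(key, int(at_time) // step, digits)


def verify_totp(key: bytes, code: str, at_time: float, step: int = 30,
                digits: int = 6, window: int = 1, last_used_counter=None):
    """Server-side check. Returns the matched counter, or None.

    window accepts that many steps of clock drift on either side.
    last_used_counter is the counter of the last code accepted for this user;
    any counter at or below it is refused, so a captured code cannot be
    replayed even while it is still inside the drift window.
    """
    current = int(at_time) // step
    for delta in range(-window, window + 1):
        candidate = current + delta
        if last_used_counter is not None and candidate <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(key, candidate, digits), code):
            return candidate
    return None


if __name__ == "__main__":
    print("RFC 6238 vector at T=59:", totp(RFC_TEST_KEY, 59, digits=8))
    print("code right now:", totp(RFC_TEST_KEY, time.time()))
```

The return value is the counter rather than a bare boolean so the caller can store it as the user's new last_used_counter; without that bookkeeping a one-time password is only "one-time" by convention. The same code must also be rate-limited, since a six-digit space is small enough to brute-force if unlimited guesses are allowed within the window.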
86. Which of the following is an example of a “physical control” to secure an information system?
A) Firewalls
B) Role-based access control
C) Security guards and locked doors to the data center
D) User authentication
87. What is the main objective of a “backup strategy” in an information system?
A) To protect data from being lost or corrupted
B) To encrypt sensitive data
C) To monitor system performance
D) To ensure high-speed access to data
88. Which of the following best describes the role of an “information security policy” in an organization?
A) It specifies the hardware requirements for the system
B) It outlines the rules and procedures for managing and protecting information assets
C) It tracks employee productivity
D) It determines the cost of implementing system controls
89. What is the purpose of implementing “data loss prevention” (DLP) controls in an information system?
A) To ensure that data is backed up regularly
B) To monitor and block the unauthorized transmission of sensitive data
C) To secure data during transmission
D) To detect and respond to security incidents
90. What does the term “accounting information system” refer to?
A) A system that tracks the financial transactions of an organization
B) A system designed to monitor employee activities
C) A system used for data encryption
D) A system used for network management
91. Which of the following is a function of an intrusion prevention system (IPS) in an information system?
A) To monitor network traffic and alert on suspicious activity
B) To encrypt data during transmission
C) To prevent unauthorized access by blocking traffic from suspicious sources
D) To conduct system performance tests
92. Which of the following best describes “end-to-end encryption”?
A) Encrypting data only during storage
B) Encrypting data from the sender’s system until it reaches the recipient’s system
C) Encrypting data within the firewall only
D) Encrypting data only when accessed by administrators
93. What is the main purpose of “separation of duties” in an information system’s control environment?
A) To enhance system performance
B) To reduce the risk of fraud and errors by ensuring that no one person controls all aspects of a transaction
C) To ensure that all users have equal access to system data
D) To provide additional storage capacity for data
94. Which of the following is a type of biometric authentication?
A) Password
B) Fingerprint scan
C) Security token
D) Smart card
95. What is the primary purpose of a “security patch” in an information system?
A) To reduce system downtime
B) To fix vulnerabilities and strengthen system security
C) To monitor user activity
D) To increase data processing speed
96. What is the function of “role-based access control” (RBAC) in an information system?
A) To limit access to data based on the roles assigned to users within the organization
B) To store and back up data securely
C) To monitor network traffic
D) To ensure system performance
97. Which of the following is an example of an output control in an information system?
A) Data validation during input
B) Password protection
C) Printout reconciliation to ensure all reports are printed
D) Backup copies of data
98. What is the primary role of a “data steward” in an organization’s data governance framework?
A) To ensure data privacy is maintained
B) To define and manage data access policies
C) To oversee the quality and integrity of data
D) To provide data security training to employees
99. Which of the following is an example of a preventive control for protecting sensitive data?
A) Data encryption
B) Intrusion detection systems
C) Regular security audits
D) Audit logs
100. Which of the following best describes “data redaction”?
A) Encrypting data to prevent unauthorized access
B) Removing or obscuring sensitive information in a document or dataset
C) Storing data in a secure database
D) Allowing access only to authorized users
101. What is the primary purpose of a “network segmentation” control?
A) To encrypt sensitive data
B) To divide a network into smaller, isolated segments to contain potential breaches
C) To monitor user activity across the entire network
D) To optimize system performance
102. Which of the following is an example of a compensating control in a security system?
A) Encryption of sensitive data
B) Requiring supervisory review of transactions where segregation of duties is not feasible
C) Logging all system access attempts
D) Performing regular vulnerability scans
103. Which of the following is a primary goal of an organization’s business continuity plan (BCP)?
A) To improve system performance
B) To ensure that critical operations can continue in the event of a disaster or disruption
C) To prevent unauthorized access to sensitive data
D) To optimize network traffic
104. What is a “zero-trust” security model?
A) A model that grants access to all users by default
B) A model where no user or system is trusted by default, and access is granted based on continuous verification
C) A model that requires employees to verify their identity only once
D) A model that only applies to external users
105. Which of the following is an example of an information system control designed to prevent data entry errors?
A) Input data validation rules
B) Encryption during data transmission
C) Automated backup systems
D) Audit trails
106. What is the role of “multi-layer security” in an information system?
A) To ensure that data is available at all times
B) To implement multiple security measures at different layers to provide defense in depth
C) To monitor system performance
D) To reduce data storage costs
107. Which of the following is a potential risk of not properly securing an organization’s information system?
A) Increased system uptime
B) Reduced legal and compliance risks
C) Increased vulnerability to data breaches and unauthorized access
D) Improved user experience
108. Which of the following is a function of a public key infrastructure (PKI)?
A) To provide role-based access control
B) To use asymmetric encryption for secure data transmission and authentication
C) To monitor system traffic
D) To optimize server performance
109. What is the purpose of a “data retention policy” in an organization?
A) To define how long data should be kept and when it should be securely deleted or archived
B) To store sensitive data in an encrypted format
C) To allow unrestricted access to all data
D) To monitor user activity
110. Which of the following is a best practice for securing passwords in an information system?
A) Storing passwords in plaintext format
B) Using complex passwords and implementing a password manager
C) Allowing users to reuse the same password across multiple systems
D) Enabling password sharing among employees
111. Which of the following would be considered a “data breach” in an information system?
A) Unauthorized access to sensitive data or systems
B) A system backup failure
C) A minor system glitch
D) Delays in data processing
112. Which of the following is a key element of “data masking” for securing sensitive data?
A) Replacing sensitive data with fictitious data for testing or non-production use
B) Encrypting sensitive data during transmission
C) Creating backups of sensitive data
D) Monitoring access to sensitive data
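Questions 54, 75, 100 and 112 distinguish data masking (fictitious values for test or training copies) from redaction (removing sensitive values from a document). The code below is an added example of both, not part of the practice test; the masking rules, the keyed pseudonym scheme, the demo key and the sample customer record are this example's own constructions. Three needs are covered: mask_pan() keeps only the last four digits for display; pseudonymize() replaces an identifier with a keyed token that is stable for the same input, so a masked test database still joins across tables without carrying the real value; redact_text() scrubs Social Security numbers and card numbers out of free text, using a Luhn check so that arbitrary digit runs are not mistaken for card numbers.

```python
"""Masking, pseudonymisation and redaction (added example, not from the test)."""
import hashlib
import hmac
import re

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13 to 16 digits, optional single space or dash between digits, digit at both ends.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check so random digit runs are not redacted as card numbers."""
    total, double = 0, False
    for ch in reversed(digits):
        d = int(ch)
        if double:
            d = d * 2 - 9 if d > 4 else d * 2
        total, double = total + d, not double
    return total % 10 == 0


def mask_pan(pan: str, keep: int = 4, fill: str = "*") -> str:
    """Display mask: same length as the digit string, only the last `keep` digits visible."""
    digits = re.sub(r"\D", "", pan)
    return fill * (len(digits) - keep) + digits[-keep:]


def pseudonymize(value: str, key: bytes, length: int = 12) -> str:
    """Deterministic, keyed, non-reversible token: HMAC-SHA256 truncated to `length` hex chars.
    Same input and key always give the same token, so foreign keys keep matching."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:length]


def redact_text(text: str) -> str:
    """Remove SSNs and Luhn-valid card numbers from free text."""
    text = SSN_RE.sub("[REDACTED-SSN]", text)

    def _pan(match):
        digits = re.sub(r"\D", "", match.group(0))
        return "[REDACTED-PAN]" if luhn_ok(digits) else match.group(0)

    return PAN_RE.sub(_pan, text)


def mask_record(record: dict, key: bytes) -> dict:
    """Build the non-production copy of one customer row."""
    token = pseudonymize(record["customer_id"], key)
    return {
        "customer_id": token,
        "name": "Customer " + token[:6],
        "ssn": "***-**-" + record["ssn"][-4:],
        "card": mask_pan(record["card"]),
        "notes": redact_text(record["notes"]),
    }


# Constructed demo key and record; a real key lives in a secrets store and is
# never deployed with the masked data set.
DEMO_KEY = b"constructed-demo-key-not-for-production"
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "name": "Jane Q. Public",
    "ssn": "123-45-6789",
    "card": "4111 1111 1111 1111",
    "notes": "Called about card 4111111111111111, SSN 123-45-6789 on file, ref 1234567890123",
}

if __name__ == "__main__":
    print(mask_record(SAMPLE_RECORD, DEMO_KEY))
```

Keyed pseudonymisation is the part people get wrong: an unkeyed hash of a Social Security number or customer ID is trivially reversible by hashing every possible value, so the HMAC key must be kept with the production secrets and away from whoever receives the masked copy.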
113. What is the main purpose of the Secure Sockets Layer (SSL) protocol and its successor, Transport Layer Security (TLS)?
A) To monitor system activity for signs of suspicious behavior
B) To establish an encrypted link between a web server and a browser
C) To perform data backup
D) To track user activity
114. Which of the following is a characteristic of “system redundancy”?
A) Storing data in an encrypted format
B) Implementing duplicate systems to provide continued service during failures
C) Restricting user access to data
D) Optimizing data retrieval speed
115. Which of the following is a primary purpose of an audit log in an information system?
A) To track system performance
B) To provide a record of user activity for security and auditing purposes
C) To reduce storage requirements
D) To back up critical data
116. Which of the following would be classified as a “physical security control” for an information system?
A) Password protection
B) Data encryption
C) Access controls to restrict physical access to servers and data centers
D) Regular software patches
117. Which of the following is a common method for securing data during transmission over the internet?
A) Data masking
B) SSL/TLS encryption
C) Access control lists
D) Role-based access control
118. Which of the following is a primary function of a firewall in an information system?
A) To encrypt data at rest
B) To monitor and filter incoming and outgoing network traffic based on security rules
C) To store user credentials
D) To perform data compression
119. What is the primary objective of an information security policy in an organization?
A) To increase system performance
B) To provide guidelines for securing data and systems against threats
C) To optimize database storage
D) To automate software updates
120. Which of the following controls is designed to detect unauthorized access attempts?
A) Intrusion detection system (IDS)
B) Role-based access control (RBAC)
C) Multi-factor authentication (MFA)
D) Data encryption
121. What is the purpose of an “audit trail” in an information system?
A) To track and record user activity for security and compliance purposes
B) To optimize data retrieval speed
C) To store passwords securely
D) To automate system backups
122. Which of the following describes a “phishing attack”?
A) A type of malware that encrypts data and demands payment
B) A cyberattack where fraudulent messages trick users into revealing sensitive information
C) A denial-of-service attack that floods a network with traffic
D) A virus that spreads through removable storage devices
123. Which of the following authentication methods is considered the most secure?
A) Single sign-on (SSO)
B) Username and password
C) Multi-factor authentication (MFA)
D) Security questions
124. Which of the following is an example of a preventive control?
A) Security log monitoring
B) Intrusion detection system (IDS)
C) Data encryption
D) Incident response plan
125. What is the primary role of a Chief Information Security Officer (CISO)?
A) To develop and implement an organization’s information security strategy
B) To manage daily IT operations
C) To handle customer service issues
D) To oversee financial audits
126. Which of the following security measures is most effective in preventing unauthorized access to systems?
A) Password expiration policies
B) Role-based access control (RBAC)
C) Regular security audits
D) Incident response plans
127. What is the purpose of an “intrusion prevention system” (IPS)?
A) To detect and block malicious activity in real time
B) To provide secure backups for business continuity
C) To monitor compliance with data protection laws
D) To ensure network connectivity is uninterrupted
128. What type of attack involves hackers intercepting communication between two parties?
A) Man-in-the-middle attack
B) Phishing attack
C) Ransomware attack
D) Brute force attack
129. Which of the following security principles ensures that data is accessible only to authorized users?
A) Integrity
B) Confidentiality
C) Availability
D) Non-repudiation
130. Which of the following is an example of social engineering?
A) A hacker exploiting a software vulnerability
B) A scammer pretending to be IT support to obtain user credentials
C) An employee accidentally deleting important files
D) A denial-of-service (DoS) attack
131. What is the purpose of a “penetration test” in cybersecurity?
A) To identify vulnerabilities in an information system by simulating cyberattacks
B) To monitor real-time network traffic
C) To create strong passwords
D) To provide secure backups
132. What is the primary function of a “data loss prevention” (DLP) system?
A) To prevent unauthorized access to sensitive data
B) To detect insider threats
C) To back up critical data
D) To optimize database performance
133. Which of the following is a key advantage of cloud computing in information security?
A) Reduced reliance on hardware-based security solutions
B) Guaranteed data privacy without encryption
C) Eliminates the need for user authentication
D) No need for compliance with security regulations
134. Which of the following techniques is used to ensure data integrity?
A) Digital signatures
B) Firewalls
C) Multi-factor authentication
D) Role-based access control
135. Which of the following cybersecurity frameworks is widely used for risk management?
A) COBIT
B) NIST Cybersecurity Framework
C) ITIL
D) PMP
136. What is the main goal of a “disaster recovery plan” (DRP)?
A) To prevent unauthorized system access
B) To restore critical business operations after a major disruption
C) To monitor security logs
D) To detect malware infections
137. Which type of control is encryption classified as?
A) Detective control
B) Preventive control
C) Corrective control
D) Directive control
138. Which of the following is the most effective way to secure mobile devices used for work purposes?
A) Require multi-factor authentication
B) Use complex passwords only
C) Allow unrestricted access to company data
D) Disable encryption
139. Which of the following statements about ransomware is true?
A) It encrypts files and demands payment for decryption
B) It spreads through hardware vulnerabilities only
C) It is harmless and does not affect system performance
D) It primarily targets cloud storage systems
140. Which of the following security controls helps in preventing insider threats?
A) Least privilege access
B) Automated patch management
C) Network segmentation
D) Hardware firewalls
141. Which of the following is an advantage of using a “security information and event management” (SIEM) system?
A) It provides real-time security monitoring and threat detection
B) It prevents all malware attacks
C) It eliminates the need for firewalls
D) It guarantees 100% data security
142. Which of the following describes the concept of “least privilege”?
A) Allowing employees access to only the data and systems necessary for their job roles
B) Granting administrators full access to all company data
C) Preventing employees from accessing their own work accounts
D) Allowing all users full access to reduce IT support requests
143. What is the purpose of “tokenization” in data security?
A) To replace sensitive data with a unique identifier to protect it from exposure
B) To encrypt data using a complex algorithm
C) To delete sensitive data permanently
D) To monitor user activity logs
144. Which of the following is the primary function of an access control list (ACL)?
A) To encrypt sensitive data
B) To define permissions for users and systems accessing a resource
C) To track failed login attempts
D) To create backup copies of files
145. What is the primary objective of a business continuity plan (BCP)?
A) To detect and respond to cyber threats
B) To ensure the organization can continue operations during and after a disaster
C) To increase system performance
D) To automate data processing
146. Which of the following is an example of an administrative control in information security?
A) Encryption of confidential data
B) Security awareness training for employees
C) Firewalls and intrusion detection systems
D) Multi-factor authentication
147. Which of the following is a best practice for securing wireless networks?
A) Using WEP encryption
B) Disabling SSID broadcasting
C) Keeping default administrator credentials
D) Allowing unrestricted access to all devices
148. Which of the following attacks is characterized by overwhelming a system with excessive traffic?
A) Phishing
B) Denial-of-Service (DoS)
C) SQL Injection
D) Trojan Horse
149. Which of the following is an example of a detective control?
A) Firewalls
B) Security awareness training
C) Intrusion detection systems (IDS)
D) Role-based access control
150. What is the purpose of a digital certificate in a public key infrastructure (PKI)?
A) To encrypt emails only
B) To verify the identity of an entity using cryptographic keys
C) To store passwords securely
D) To perform software updates
151. Which of the following is an example of an integrity control?
A) Data encryption
B) Digital signatures
C) Role-based access control
D) Intrusion prevention system
152. Which cybersecurity framework is widely used for IT governance?
A) ISO 9001
B) COBIT
C) Six Sigma
D) GAAP
153. What is the main goal of data classification?
A) To store data efficiently
B) To protect sensitive information by categorizing data based on security levels
C) To ensure faster network access
D) To reduce database size
154. Which of the following attacks involves injecting malicious SQL statements into a database query?
A) Cross-site scripting (XSS)
B) SQL injection
C) Phishing
D) Man-in-the-middle attack
155. What is the purpose of hashing in cybersecurity?
A) To encrypt and decrypt sensitive data
B) To generate a unique fingerprint for data integrity verification
C) To create user authentication credentials
D) To detect and remove malware
156. Which of the following is an example of a corrective control?
A) Intrusion detection system (IDS)
B) Security policies
C) Incident response plan
D) Firewalls
157. Which of the following is a key feature of an endpoint detection and response (EDR) system?
A) Detecting and responding to threats at the device level
B) Providing cloud backup storage
C) Encrypting all user data
D) Blocking unauthorized emails
158. Which of the following ensures non-repudiation in digital transactions?
A) Multi-factor authentication
B) Digital signatures
C) Firewalls
D) VPNs
159. What is the main advantage of role-based access control (RBAC)?
A) It eliminates the need for authentication
B) It provides fine-grained control over user access permissions
C) It automatically encrypts all data
D) It allows users unrestricted access to all resources
160. What is the purpose of a virtual private network (VPN)?
A) To block malicious software
B) To create a secure encrypted tunnel for remote network access
C) To perform regular security audits
D) To prevent phishing attacks
161. Which of the following best describes a zero-day attack?
A) An attack exploiting an unknown software vulnerability
B) A social engineering scam
C) A denial-of-service attack
D) A ransomware infection
162. Which of the following is an example of a physical security control?
A) Firewall rules
B) Biometric authentication
C) Password policies
D) Data encryption
163. What is the primary benefit of using multi-factor authentication (MFA)?
A) It eliminates the need for passwords
B) It adds an additional layer of security by requiring multiple verification methods
C) It speeds up user login time
D) It replaces firewalls
164. Which of the following is a key characteristic of cloud security?
A) It is managed entirely by the cloud provider
B) It includes shared responsibility between the provider and the customer
C) It eliminates the need for local security measures
D) It ensures all data is automatically encrypted
165. Which of the following methods is best for preventing unauthorized USB device usage?
A) Implementing endpoint security solutions
B) Encrypting all files
C) Allowing unrestricted access to removable media
D) Using only cloud storage
166. What is the purpose of a security operations center (SOC)?
A) To manage employee benefits
B) To monitor and respond to security threats in real time
C) To develop financial reports
D) To oversee software development
167. Which of the following describes “data masking”?
A) Encrypting stored files
B) Obscuring sensitive data to prevent unauthorized access
C) Hiding user credentials from employees
D) Blocking internet access
168. Which of the following is the most effective method to prevent password reuse across multiple accounts?
A) Enforcing password complexity requirements
B) Using a password manager
C) Conducting periodic security audits
D) Requiring employees to write down their passwords
169. What is the primary function of an authentication server?
A) To store encryption keys
B) To validate user credentials and grant access to resources
C) To prevent phishing attacks
D) To monitor email traffic
170. Which security principle states that users should be granted only the minimum permissions necessary to perform their job functions?
A) Least privilege
B) Separation of duties
C) Defense in depth
D) Availability
171. Which of the following best describes the purpose of a firewall in network security?
A) To encrypt data transmissions
B) To prevent unauthorized access to a network
C) To detect malware infections
D) To create virtual private networks
172. What is the primary objective of an intrusion detection system (IDS)?
A) To block malicious traffic in real time
B) To detect and alert on suspicious network activity
C) To replace antivirus software
D) To enhance user authentication
173. Which of the following is a key benefit of using multi-factor authentication (MFA)?
A) It eliminates the need for passwords
B) It provides an additional layer of security beyond usernames and passwords
C) It automatically updates system software
D) It replaces firewalls
174. Which of the following is an example of a technical security control?
A) Security awareness training
B) Access control policies
C) Firewall configurations
D) Incident response planning
175. Which type of malware disguises itself as legitimate software?
A) Trojan horse
B) Worm
C) Spyware
D) Ransomware
176. Which type of authentication method uses physical characteristics for identification?
A) Two-factor authentication
B) Password authentication
C) Biometric authentication
D) Token-based authentication
177. Which cybersecurity attack exploits human psychology rather than technical vulnerabilities?
A) Denial-of-service attack
B) Social engineering
C) Man-in-the-middle attack
D) SQL injection
178. Which of the following ensures data integrity?
A) Data encryption
B) Hashing
C) Firewall configuration
D) Virtual private networks
179. What is the main function of a public key infrastructure (PKI)?
A) To store passwords securely
B) To create and manage digital certificates
C) To monitor network traffic
D) To detect malware
180. Which of the following helps prevent unauthorized access to sensitive information?
A) Data masking
B) Backups
C) Virtualization
D) Open-source software
181. What is the primary benefit of role-based access control (RBAC)?
A) It simplifies user access management
B) It eliminates the need for authentication
C) It prevents all security breaches
D) It encrypts sensitive files
182. Which of the following controls is designed to detect unauthorized access attempts?
A) Encryption
B) Intrusion detection system (IDS)
C) Access control lists (ACLs)
D) Firewalls
183. Which type of cyberattack involves an attacker intercepting and altering communications between two parties?
A) Ransomware attack
B) Man-in-the-middle attack
C) Phishing attack
D) Cross-site scripting
184. Which of the following security measures is used to protect against brute-force attacks?
A) Data encryption
B) Account lockout policies
C) Firewalls
D) Antivirus software
185. Which of the following is an example of an administrative security control?
A) Security awareness training
B) Intrusion detection system
C) Antivirus software
D) Firewall
186. What is the purpose of a honeypot in cybersecurity?
A) To store sensitive data securely
B) To detect and analyze cyber threats by attracting attackers
C) To encrypt email communications
D) To prevent data loss
187. Which of the following security measures helps ensure the confidentiality of data in transit?
A) Firewalls
B) Data encryption
C) Intrusion detection systems
D) Role-based access control
188. What is the primary objective of a disaster recovery plan (DRP)?
A) To detect malware infections
B) To recover IT systems and data after a disaster
C) To prevent unauthorized access
D) To enforce password policies
189. Which of the following authentication methods requires users to provide two different types of credentials?
A) Single sign-on
B) Multi-factor authentication (MFA)
C) Biometric authentication
D) Firewall authentication
190. What is the purpose of data loss prevention (DLP) software?
A) To back up data automatically
B) To prevent unauthorized data transfers
C) To encrypt all stored data
D) To block malware infections
191. Which of the following best describes a security incident response plan?
A) A plan to manage and recover from security incidents
B) A strategy for software updates
C) A method to encrypt sensitive information
D) A process to improve network performance
192. Which security measure ensures that only authorized users can access a system?
A) Access control
B) Firewalls
C) Encryption
D) VPNs
193. Which type of attack involves encrypting a victim’s data and demanding payment for its release?
A) Phishing
B) Ransomware
C) Denial-of-service (DoS)
D) Man-in-the-middle attack
194. What is the primary purpose of an audit log?
A) To track and record system activities for security analysis
B) To enhance system performance
C) To detect phishing attacks
D) To encrypt sensitive files
195. Which of the following is a method used to prevent unauthorized changes to system files?
A) Change management processes
B) Multi-factor authentication
C) Password policies
D) Data compression
196. Which security measure helps detect anomalies in network traffic?
A) Firewalls
B) Intrusion detection systems (IDS)
C) Encryption algorithms
D) VPNs
197. What is the primary purpose of an endpoint security solution?
A) To protect individual devices from cybersecurity threats
B) To manage database storage
C) To encrypt all network traffic
D) To prevent phishing emails
198. Which of the following is a fundamental principle of cybersecurity?
A) Confidentiality, Integrity, and Availability (CIA)
B) Efficiency, Speed, and Performance
C) Security, Usability, and Cost
D) Authentication, Logging, and Performance
199. Which of the following is an example of a preventive security control?
A) Firewalls
B) Intrusion detection systems
C) Incident response plans
D) Audit logs
200. Which type of attack attempts to guess a user’s password by trying multiple combinations?
A) Brute-force attack
B) Social engineering
C) SQL injection
D) Trojan horse
201. Which of the following best defines a zero-trust security model?
A) Allowing all internal network traffic by default
B) Restricting access based on the least privilege principle
C) Eliminating the need for user authentication
D) Trusting users once they are inside the network
202. What is the primary objective of penetration testing?
A) To identify vulnerabilities in a system before attackers do
B) To enforce password policies
C) To encrypt all network communications
D) To monitor employee activity
203. Which of the following is an example of a logical access control?
A) Biometric scanner
B) Firewall rules
C) Security guards
D) CCTV cameras
204. Which term refers to an attacker impersonating a legitimate entity to steal information?
A) Phishing
B) DoS attack
C) SQL injection
D) Brute-force attack
205. What is the primary purpose of network segmentation?
A) To isolate sensitive data and limit unauthorized access
B) To increase network speed
C) To replace firewalls
D) To prevent all cyberattacks
206. Which security framework is widely used for risk management and compliance in IT governance?
A) COBIT
B) GAAP
C) FIFO
D) HTTP
207. Which of the following best describes an Advanced Persistent Threat (APT)?
A) A short-lived attack that floods a network
B) A prolonged and targeted cyberattack by sophisticated hackers
C) A common email scam
D) A virus that spreads rapidly
208. What is the primary function of an access control list (ACL)?
A) To define which users or systems are granted access to network resources
B) To encrypt sensitive files
C) To replace authentication methods
D) To store audit logs
209. Which type of malware spreads without user interaction?
A) Trojan horse
B) Worm
C) Spyware
D) Adware
210. Which of the following is an example of social engineering?
A) A hacker using a brute-force attack
B) A phishing email that tricks users into revealing login credentials
C) A ransomware attack encrypting files
D) A firewall blocking unauthorized traffic
211. Which of the following techniques is commonly used to ensure data confidentiality?
A) Data encryption
B) Hashing
C) Firewalls
D) Intrusion detection systems
212. Which type of attack attempts to inject malicious SQL statements into a database query?
A) SQL injection
B) Cross-site scripting
C) Phishing
D) Ransomware
213. What is the primary function of a Virtual Private Network (VPN)?
A) To provide a secure communication channel over an untrusted network
B) To store passwords securely
C) To prevent malware infections
D) To replace encryption
214. Which of the following is a key feature of a next-generation firewall (NGFW)?
A) Deep packet inspection
B) Basic packet filtering only
C) No logging capabilities
D) Disabling encryption
215. What is the primary goal of an incident response plan?
A) To restore normal operations after a security incident
B) To eliminate all cyber threats permanently
C) To replace user authentication methods
D) To encrypt data automatically
216. Which type of attack involves overwhelming a network or system with excessive traffic?
A) Man-in-the-middle attack
B) Denial-of-service (DoS) attack
C) Phishing attack
D) Keylogging
217. Which authentication method is considered the most secure?
A) Password authentication
B) Single-factor authentication
C) Multi-factor authentication
D) Username-based authentication
218. Which of the following helps prevent unauthorized changes to critical system files?
A) Change management controls
B) Antivirus software
C) Public Wi-Fi
D) Password sharing
219. Which security control type is designed to detect threats rather than prevent them?
A) Firewall
B) Antivirus software
C) Intrusion Detection System (IDS)
D) Access control list
220. What is the primary purpose of hashing in cybersecurity?
A) To ensure data integrity
B) To encrypt network traffic
C) To compress data files
D) To replace passwords
221. Which cybersecurity principle is focused on restricting access to only what is necessary?
A) Least privilege
B) Open access
C) Full disclosure
D) Multi-tenancy
222. Which of the following best defines a brute-force attack?
A) A method that tries multiple password combinations until access is gained
B) A technique that involves social engineering
C) A denial-of-service (DoS) attack
D) A firewall configuration error
223. Which security control helps protect against insider threats?
A) Role-based access control (RBAC)
B) Open access policies
C) Default administrator credentials
D) Unsecured file sharing
224. Which of the following best describes encryption?
A) A process of converting data into an unreadable format to protect it from unauthorized access
B) A method for compressing data
C) A type of firewall configuration
D) A social engineering technique
225. Which security concept ensures that critical systems remain available during a cyber incident?
A) Availability
B) Confidentiality
C) Integrity
D) Compliance
226. What is a common sign of a phishing email?
A) Unexpected requests for sensitive information
B) A secure connection symbol in the browser
C) Strong encryption
D) A firewall rule update
227. Which of the following is a primary goal of risk assessment in information security?
A) Identifying and mitigating potential threats
B) Increasing internet speeds
C) Replacing firewalls with VPNs
D) Preventing all network traffic
228. Which type of attack involves an unauthorized party inserting malicious code into a website?
A) Cross-site scripting (XSS)
B) DoS attack
C) Keylogging
D) Insider threat
229. Which of the following security policies is designed to handle user credentials securely?
A) Password policy
B) Data masking policy
C) Wireless access policy
D) Social engineering policy
230. Which cybersecurity control provides a detailed log of system activities for auditing purposes?
A) Logging and monitoring
B) Encryption
C) Data compression
D) Firewall rules
231. Which of the following security principles ensures that users have only the minimum necessary access to perform their tasks?
A) Role-based access control
B) Least privilege
C) Multi-factor authentication
D) Encryption
232. Which type of malware is designed to lock users out of their data until a ransom is paid?
A) Spyware
B) Ransomware
C) Adware
D) Worm
233. What is the purpose of a firewall in network security?
A) To monitor and control incoming and outgoing network traffic based on security rules
B) To replace antivirus software
C) To create secure passwords
D) To prevent all cyberattacks
234. Which of the following is a best practice for securing cloud-based data?
A) Using multi-factor authentication (MFA)
B) Allowing unrestricted public access
C) Disabling logging and monitoring
D) Using default credentials
235. What is the primary goal of an Intrusion Prevention System (IPS)?
A) To detect and block suspicious activities in real time
B) To monitor internet speeds
C) To back up all company data automatically
D) To track employee performance
236. Which type of cyberattack involves sending fraudulent emails to trick users into revealing sensitive information?
A) Phishing
B) Keylogging
C) Malware
D) Firewall breach
237. What is a primary function of encryption in data security?
A) To make data unreadable to unauthorized users
B) To increase file storage efficiency
C) To detect security vulnerabilities
D) To prevent all cyberattacks
238. Which of the following is a key feature of a Security Information and Event Management (SIEM) system?
A) Real-time threat monitoring and incident response
B) Automatic password generation
C) Blocking all external website access
D) Eliminating the need for security policies
239. Which security control is designed to reduce risks associated with removable media (USB drives, external hard drives)?
A) Disabling USB ports on company computers
B) Allowing unrestricted USB access
C) Using outdated antivirus software
D) Eliminating firewalls
240. Which of the following best describes a distributed denial-of-service (DDoS) attack?
A) An attack that overwhelms a system by sending a flood of traffic from multiple sources
B) A targeted email scam
C) A security audit process
D) A type of firewall setting
241. Which of the following is a primary function of endpoint security software?
A) Protecting devices from malware, ransomware, and unauthorized access
B) Increasing Wi-Fi speed
C) Blocking all email communications
D) Preventing software updates
242. Which authentication factor is considered the strongest?
A) Something you know (password)
B) Something you have (security token)
C) Something you are (biometrics)
D) A combination of multiple factors
243. What is a primary goal of IT governance frameworks such as COBIT?
A) To align IT processes with business objectives while ensuring security and compliance
B) To eliminate the need for IT audits
C) To focus solely on cybersecurity
D) To prevent cloud computing adoption
244. Which of the following is an example of a vulnerability in an information system?
A) An outdated operating system with unpatched security flaws
B) A properly configured firewall
C) Strong password policies
D) Multi-factor authentication
245. Which type of attack targets web applications by injecting malicious scripts into input fields?
A) Cross-site scripting (XSS)
B) Ransomware
C) Brute-force attack
D) DDoS attack
246. Which type of risk assessment method is used to assign numerical values to potential threats?
A) Quantitative risk assessment
B) Qualitative risk assessment
C) Compliance risk assessment
D) Automated risk assessment
247. Which of the following is NOT a common feature of a strong password policy?
A) Minimum length requirement
B) Use of complex characters
C) Frequent password reuse
D) Multi-factor authentication
248. Which type of cyberattack attempts to guess a user’s password using all possible combinations?
A) Brute-force attack
B) SQL injection
C) Phishing
D) Spoofing
249. Which regulation is designed to protect the personal data of European Union (EU) citizens?
A) General Data Protection Regulation (GDPR)
B) Sarbanes-Oxley Act (SOX)
C) Health Insurance Portability and Accountability Act (HIPAA)
D) Federal Information Security Management Act (FISMA)
250. What is the primary role of a Chief Information Security Officer (CISO)?
A) Overseeing an organization’s cybersecurity strategy and risk management
B) Managing financial statements
C) Developing software applications
D) Handling physical security of office buildings
251. Which type of attack involves an attacker intercepting and altering communications between two parties?
A) Man-in-the-middle attack
B) SQL injection
C) Ransomware attack
D) Denial-of-service attack
252. Which of the following is NOT a component of the CIA (Confidentiality, Integrity, Availability) Triad?
A) Confidentiality
B) Integrity
C) Availability
D) Compliance
253. Which cybersecurity best practice can help prevent credential stuffing attacks?
A) Implementing multi-factor authentication
B) Using weak passwords
C) Allowing unlimited login attempts
D) Disabling firewalls
254. What is the purpose of a security awareness training program?
A) To educate employees on best practices to prevent cyber threats
B) To replace firewalls
C) To provide software development training
D) To eliminate the need for encryption
255. Which tool is commonly used to scan a network for vulnerabilities?
A) Nessus
B) Microsoft Word
C) Google Chrome
D) Adobe Photoshop
256. Which of the following is a security best practice for handling third-party vendors?
A) Conducting regular security assessments and audits
B) Providing unrestricted access to internal systems
C) Disabling authentication requirements
D) Ignoring compliance requirements
257. What is the purpose of a data loss prevention (DLP) system?
A) To prevent unauthorized sharing or transmission of sensitive data
B) To increase internet speed
C) To allow automatic access to company files
D) To replace encryption
258. Which term refers to the process of identifying, assessing, and mitigating security risks?
A) Risk management
B) Firewall implementation
C) Data encryption
D) Cloud computing
259. Which of the following is the best method to ensure data integrity during transmission?
A) Using strong passwords
B) Encrypting data in transit
C) Implementing multi-factor authentication
D) Restricting user access
260. What is the primary function of a Virtual Private Network (VPN)?
A) To encrypt internet traffic and secure connections
B) To block malware infections
C) To increase internet speed
D) To replace firewalls
261. Which of the following is an example of social engineering?
A) Phishing emails attempting to trick users into revealing credentials
B) A brute-force attack on a password-protected system
C) A firewall preventing unauthorized access
D) An AI-driven security system
262. Which security protocol is commonly used for encrypting web traffic?
A) HTTPS
B) FTP
C) SMTP
D) ICMP
263. Which type of cyberattack exploits vulnerabilities in software to gain unauthorized access?
A) Zero-day attack
B) Phishing
C) Social engineering
D) Keylogging
264. Which of the following is a key feature of biometric authentication?
A) Uses unique physical characteristics such as fingerprints or facial recognition
B) Requires only a username and password
C) Relies on CAPTCHA tests
D) Encrypts email messages
265. Which security measure helps prevent unauthorized physical access to IT infrastructure?
A) Biometric access controls
B) Software firewalls
C) Antivirus software
D) Publicly available passwords
266. Which of the following represents an example of a logical access control?
A) Password protection and authentication mechanisms
B) Surveillance cameras monitoring server rooms
C) Secure door locks for data centers
D) Fire suppression systems
267. Which security framework is commonly used for IT governance and risk management?
A) COBIT
B) HTML
C) SMTP
D) ASCII
268. Which type of attack attempts to overload a system with excessive network traffic?
A) Distributed Denial-of-Service (DDoS) attack
B) Man-in-the-middle attack
C) Ransomware attack
D) SQL injection
269. What is the primary goal of penetration testing?
A) To identify security vulnerabilities before attackers exploit them
B) To install firewalls
C) To develop software applications
D) To delete unnecessary files
270. Which regulation governs financial reporting and internal controls for publicly traded companies in the U.S.?
A) Sarbanes-Oxley Act (SOX)
B) General Data Protection Regulation (GDPR)
C) Health Insurance Portability and Accountability Act (HIPAA)
D) Fair Credit Reporting Act (FCRA)
271. Which security mechanism ensures that electronic records cannot be altered without detection?
A) Digital signatures
B) Weak passwords
C) Incognito browsing
D) Public Wi-Fi access
272. Which security concept refers to disguising data to make it unreadable without decryption?
A) Data masking
B) Firewall configuration
C) Cloud computing
D) Intrusion detection
273. Which of the following is an example of an insider threat?
A) A disgruntled employee leaking confidential data
B) A hacker launching a brute-force attack
C) A phishing email sent from an external source
D) A DDoS attack
274. Which of the following is the best practice for securing an organization’s wireless network?
A) Using WPA3 encryption
B) Keeping the default router password
C) Allowing unrestricted guest access
D) Disabling all security settings
275. Which term describes a process where a system automatically records access attempts and activities?
A) Logging and monitoring
B) Phishing attack
C) Data encryption
D) Email filtering
276. What is the primary goal of a business continuity plan (BCP)?
A) To ensure critical business operations continue after a disruption
B) To reduce tax obligations
C) To enhance software development speed
D) To increase hardware costs
277. Which security best practice helps prevent unauthorized system changes?
A) Implementing change management controls
B) Disabling antivirus software
C) Ignoring security patches
D) Allowing all employees to modify configurations
278. What is the main function of a security incident response plan?
A) To provide a structured approach for handling cybersecurity incidents
B) To replace all antivirus software
C) To increase computer processing speed
D) To prevent all network failures
279. Which security principle ensures that data is accurate and has not been altered without authorization?
A) Integrity
B) Confidentiality
C) Availability
D) Anonymity
280. Which of the following is a primary benefit of cloud security controls?
A) Scalability and remote access while ensuring data protection
B) Increased physical storage space
C) Unrestricted user access to all files
D) Eliminating the need for cybersecurity policies
281. Which type of security attack involves injecting malicious SQL queries into input fields?
A) SQL injection attack
B) Phishing attack
C) DDoS attack
D) Ransomware attack
282. Which security measure can help mitigate risks associated with Bring Your Own Device (BYOD) policies?
A) Enforcing Mobile Device Management (MDM) solutions
B) Allowing employees to connect without authentication
C) Disabling all security protocols
D) Encouraging the use of personal devices without restrictions
283. Which of the following is a fundamental cybersecurity practice for email security?
A) Enabling spam filters and phishing detection
B) Clicking on all email links without verification
C) Sharing passwords via email
D) Using default login credentials
284. Which method is used to validate the identity of a user before granting system access?
A) Authentication
B) Encryption
C) Virtualization
D) Penetration testing
285. What is the purpose of an audit trail in information security?
A) To track and record system activities for accountability
B) To block internet access
C) To increase storage space
D) To disable encryption
286. Which security model focuses on maintaining confidentiality by preventing unauthorized access to classified information?
A) Bell-LaPadula Model
B) Clark-Wilson Model
C) Biba Model
D) Brewer-Nash Model
287. Which of the following is an example of a physical security control?
A) Biometric scanners at data centers
B) Firewalls monitoring network traffic
C) Multi-factor authentication for user access
D) Encryption of stored files
288. Which of the following is a primary benefit of role-based access control (RBAC)?
A) Restricting access based on job roles and responsibilities
B) Allowing unrestricted data access for all employees
C) Eliminating the need for authentication
D) Granting temporary access to everyone
289. Which of the following controls helps ensure the integrity of financial transactions?
A) Hashing algorithms
B) Public Wi-Fi access
C) Disabling user logs
D) Allowing users to share passwords
290. Which method is commonly used to detect and prevent fraud in financial reporting?
A) Continuous auditing techniques
B) Using default passwords
C) Disabling all security logs
D) Ignoring anomaly detection alerts
291. Which regulation is primarily concerned with protecting the privacy of healthcare data?
A) HIPAA
B) PCI-DSS
C) GDPR
D) SOX
292. Which of the following is an example of a preventive control?
A) Implementing access controls to restrict unauthorized users
B) Reviewing logs after an incident
C) Conducting forensic investigations
D) Restoring backups after a data breach
293. Which of the following is the best method to prevent brute-force attacks?
A) Implementing account lockout policies
B) Allowing unlimited login attempts
C) Using weak passwords
D) Disabling password complexity requirements
294. Which security control helps ensure system availability in case of a disaster?
A) Redundant data centers
B) Encrypting stored data
C) Password management policies
D) Disabling firewall logs
295. Which of the following describes a firewall’s primary function?
A) Controlling and monitoring network traffic
B) Encrypting stored files
C) Analyzing social media activity
D) Scanning for viruses on local devices
296. Which of the following ensures that users cannot deny having performed an action on a system?
A) Non-repudiation
B) Least privilege access
C) Firewalls
D) Phishing detection
297. Which method is used to detect unauthorized access attempts in real time?
A) Intrusion Detection System (IDS)
B) Data masking
C) Cloud storage encryption
D) Role-based access control
298. Which risk management strategy focuses on reducing the impact of a cybersecurity incident?
A) Risk mitigation
B) Risk acceptance
C) Risk avoidance
D) Risk transfer
299. Which of the following is an example of a detective security control?
A) Log monitoring and analysis
B) Biometric authentication
C) Encrypting email messages
D) Disabling unneeded user accounts
300. Which technique is used to verify that a system’s security controls are effective?
A) Security testing and vulnerability assessments
B) Using the same password for all systems
C) Disabling user activity logs
D) Ignoring security patches
301. Which of the following security policies is most effective for preventing insider threats?
A) Implementing least privilege access control
B) Allowing employees full system access
C) Encouraging employees to share credentials
D) Disabling all security controls
302. Which of the following best describes multi-factor authentication (MFA)?
A) Requiring multiple forms of authentication, such as a password and a fingerprint
B) Using a single username and password for all systems
C) Allowing employees to use personal devices without restrictions
D) Disabling all authentication methods
303. Which of the following techniques helps prevent data leaks from insider threats?
A) Data Loss Prevention (DLP) solutions
B) Allowing unrestricted file sharing
C) Using public Wi-Fi for sensitive transactions
D) Ignoring security alerts
304. Which regulation is primarily designed to protect credit card transaction security?
A) PCI-DSS
B) HIPAA
C) SOX
D) GDPR
305. Which cybersecurity framework is widely used for risk management and security governance?
A) NIST Cybersecurity Framework
B) HTML
C) SQL
D) SMTP
306. Which security mechanism helps protect against unauthorized access to web applications?
A) Web Application Firewall (WAF)
B) USB drive encryption
C) Physical locks on servers
D) Disabling multi-factor authentication
307. Which of the following best describes the principle of “separation of duties”?
A) Splitting responsibilities among multiple employees to reduce fraud risk
B) Assigning all IT security roles to one person
C) Allowing employees to bypass security policies
D) Ignoring user access reviews
308. Which of the following is an example of a business continuity strategy?
A) Establishing a secondary data center for disaster recovery
B) Using weak passwords for faster access
C) Allowing all users to modify system settings
D) Disabling firewall protections
309. Which attack method attempts to capture login credentials by imitating a trusted website?
A) Phishing attack
B) SQL injection
C) Zero-day exploit
D) Denial-of-service attack
310. Which of the following helps ensure data is recoverable after a cyber incident?
A) Regular data backups
B) Ignoring security updates
C) Using unsecured storage devices
D) Allowing all employees unrestricted file access
311. Which type of control helps prevent unauthorized changes to financial data?
A) Change management controls
B) Publicly shared passwords
C) Allowing anonymous access
D) Using outdated security protocols
312. Which of the following is the best strategy to reduce the risk of ransomware attacks?
A) Regular software updates and user awareness training
B) Ignoring suspicious email attachments
C) Disabling firewalls
D) Using weak passwords
313. Which of the following best defines the principle of least privilege?
A) Users are granted the minimum level of access necessary to perform their job
B) All employees should have full access to the system
C) Users are allowed to bypass security controls if needed
D) Employees should share login credentials for efficiency
314. Which of the following is an example of a detective security control?
A) Audit logs
B) Encryption
C) Firewalls
D) Access control lists
315. Which type of attack involves injecting malicious code into a website’s database?
A) SQL injection
B) Phishing
C) Denial-of-service (DoS)
D) Man-in-the-middle (MITM) attack
316. Which regulation requires companies to implement internal controls over financial reporting?
A) Sarbanes-Oxley Act (SOX)
B) General Data Protection Regulation (GDPR)
C) Health Insurance Portability and Accountability Act (HIPAA)
D) Payment Card Industry Data Security Standard (PCI-DSS)
317. Which of the following is an example of a strong password policy?
A) Minimum of 12 characters, including uppercase, lowercase, numbers, and symbols
B) Using the same password for all accounts
C) Passwords should never expire
D) Using personal names as passwords
318. What is the purpose of multi-factor authentication (MFA)?
A) To require multiple verification methods before granting access
B) To allow users to log in without passwords
C) To automatically store passwords in a shared file
D) To disable security alerts
319. Which of the following is the most effective way to protect against ransomware?
A) Regular backups and employee training
B) Disabling antivirus software
C) Using default credentials for all accounts
D) Ignoring suspicious emails
320. What is the primary goal of an intrusion prevention system (IPS)?
A) To block malicious traffic in real time
B) To generate reports for security audits
C) To analyze social media activity
D) To store user credentials
321. Which of the following best describes social engineering?
A) Manipulating individuals to gain unauthorized access to systems
B) Using advanced encryption algorithms to secure data
C) Deploying firewalls to block unauthorized traffic
D) Storing data in a secure cloud environment
322. Which of the following best describes role-based access control (RBAC)?
A) Users are assigned permissions based on their job roles
B) All users have equal access rights
C) Users create their own access permissions
D) Permissions are granted randomly
323. Which security principle ensures that a system can continue operating after a cyberattack?
A) Resilience
B) Redundancy
C) Encryption
D) Non-repudiation
324. Which of the following best describes a zero-day vulnerability?
A) A security flaw that is unknown to the software vendor
B) A virus that spreads through email attachments
C) A security patch that has been applied to a system
D) A firewall rule that blocks malicious traffic
325. Which of the following best describes a distributed denial-of-service (DDoS) attack?
A) Overloading a system with excessive traffic to disrupt operations
B) Encrypting data to protect it from unauthorized access
C) Sending fraudulent emails to obtain sensitive information
D) Using AI to monitor network traffic
326. Which of the following ensures that sensitive data remains confidential?
A) Encryption
B) Firewall rules
C) Audit logs
D) Multi-factor authentication
327. What is the primary objective of a business impact analysis (BIA)?
A) To identify critical business functions and their impact during a disruption
B) To develop marketing strategies
C) To track employee performance
D) To increase sales revenue
328. Which of the following describes a phishing attack?
A) An attacker impersonates a trusted entity to steal credentials
B) A hacker gains access through software vulnerabilities
C) A system crash caused by malware
D) A firewall blocks legitimate user access
329. Which security mechanism helps protect against unauthorized data modifications?
A) Hashing
B) Phishing filters
C) Distributed denial-of-service (DDoS) protection
D) Anti-malware software
330. Which regulation requires organizations to protect European citizens’ personal data?
A) GDPR
B) SOX
C) HIPAA
D) PCI-DSS
331. Which of the following is a key requirement under the Sarbanes-Oxley Act (SOX)?
A) Implementation of internal controls over financial reporting
B) Protection of patient health information
C) Secure storage of credit card data
D) Monitoring of online advertisements
332. Which of the following describes a security token?
A) A physical or digital device used for authentication
B) A type of encryption algorithm
C) A virus used in cyberattacks
D) A firewall rule
333. Which of the following is a preventive security control?
A) Implementing firewalls and access controls
B) Reviewing audit logs after an incident
C) Conducting forensic investigations
D) Allowing unrestricted internet access
334. Which type of attack attempts to guess passwords through repeated attempts?
A) Brute-force attack
B) Phishing
C) SQL injection
D) Man-in-the-middle attack
335. Which of the following is an example of an insider threat?
A) An employee intentionally leaking confidential information
B) A hacker exploiting a system vulnerability
C) A phishing email targeting executives
D) A denial-of-service (DoS) attack
336. Which security model focuses on preventing unauthorized data modifications?
A) Biba Model
B) Bell-LaPadula Model
C) Brewer-Nash Model
D) Clark-Wilson Model
337. Which security framework is widely used for cybersecurity risk management?
A) NIST Cybersecurity Framework
B) COBOL
C) Python
D) Windows Defender
338. Which of the following is an example of an authentication factor?
A) Passwords
B) Firewalls
C) Encryption algorithms
D) Server logs
339. Which of the following best describes end-to-end encryption?
A) Data is encrypted from sender to recipient, preventing unauthorized access
B) Data is only encrypted during transmission
C) Encryption is disabled for user convenience
D) Users can access encrypted data without authentication
340. Which of the following best describes the primary purpose of an IT audit?
A) To assess the effectiveness of IT controls and ensure compliance
B) To increase an organization’s marketing reach
C) To monitor employee productivity
D) To improve customer engagement
341. Which encryption method is commonly used to secure financial transactions online?
A) AES (Advanced Encryption Standard)
B) MD5
C) DES (Data Encryption Standard)
D) SHA-1
342. Which of the following best describes two-factor authentication (2FA)?
A) Requiring two different methods to verify identity before granting access
B) Using only a username and password for access
C) Encrypting all network traffic
D) Blocking all user access to the system
343. Which of the following is a key benefit of cloud computing in cybersecurity?
A) Increased scalability and security monitoring capabilities
B) Reduced reliance on cybersecurity measures
C) Elimination of all security risks
D) No need for access controls
344. Which security concept ensures that data is accessible only to authorized users?
A) Confidentiality
B) Integrity
C) Availability
D) Redundancy
345. Which of the following is a common way attackers gain access through social engineering?
A) Impersonating a trusted individual to extract sensitive information
B) Using complex encryption techniques
C) Writing secure software code
D) Implementing strong firewalls
346. Which of the following best describes a security patch?
A) A software update designed to fix security vulnerabilities
B) A new version of an application with additional features
C) A method for encrypting data in transit
D) A report on user activity logs
347. Which of the following is an example of a logical security control?
A) Multi-factor authentication
B) Security cameras
C) Employee ID badges
D) Fire-resistant filing cabinets
348. What is the primary function of a firewall?
A) To filter network traffic based on security rules
B) To encrypt all transmitted data
C) To generate security patches
D) To scan for viruses in emails
349. Which of the following is a key requirement of the Payment Card Industry Data Security Standard (PCI-DSS)?
A) Protecting cardholder data through encryption and access controls
B) Implementing a financial fraud insurance policy
C) Allowing all employees access to payment information
D) Storing credit card numbers in unencrypted formats
350. What is a honeypot in cybersecurity?
A) A decoy system used to detect and analyze cyber threats
B) A type of password encryption method
C) A malware detection software
D) A cloud-based firewall solution
351. Which of the following best describes an access control list (ACL)?
A) A list of permissions defining what actions users or systems can perform
B) A backup copy of an organization’s security policies
C) A record of all failed login attempts
D) A software patch designed to fix security issues
352. What is the purpose of penetration testing?
A) To identify vulnerabilities in a system before they are exploited by attackers
B) To monitor user activity logs
C) To create firewalls for network protection
D) To encrypt all transmitted data
353. Which type of cyberattack involves intercepting and altering communications between two parties?
A) Man-in-the-middle (MITM) attack
B) Brute-force attack
C) Ransomware attack
D) Zero-day attack
354. Which security principle ensures that data cannot be altered by unauthorized individuals?
A) Integrity
B) Confidentiality
C) Availability
D) Resilience
355. What is the primary function of a virtual private network (VPN)?
A) To create a secure encrypted tunnel for data transmission over the internet
B) To store passwords securely
C) To block malicious software
D) To provide unlimited internet access
356. Which of the following is an example of an administrative security control?
A) Security awareness training for employees
B) Installing firewalls on corporate networks
C) Implementing biometric authentication
D) Encrypting sensitive files
357. Which security model enforces mandatory access controls based on security labels?
A) Bell-LaPadula Model
B) Biba Model
C) Brewer-Nash Model
D) Clark-Wilson Model
358. Which of the following is a benefit of intrusion detection systems (IDS)?
A) Monitoring network activity for signs of suspicious behavior
B) Automatically blocking all inbound traffic
C) Encrypting data at rest
D) Preventing unauthorized physical access
359. Which of the following describes an attack where an unauthorized user gains access to a system using stolen credentials?
A) Credential stuffing
B) Cross-site scripting (XSS)
C) Zero-day exploit
D) Phishing
360. Which of the following is an example of a physical security control?
A) Security cameras monitoring access points
B) Implementing password policies
C) Encrypting email communications
D) Using multi-factor authentication
361. What is the main goal of a security awareness training program?
A) To educate employees on recognizing and mitigating cyber threats
B) To increase employee workload
C) To eliminate all cybersecurity risks
D) To replace technical security measures
362. Which of the following is the best approach to mitigating insider threats?
A) Implementing strict access controls and continuous monitoring
B) Relying solely on external security measures
C) Allowing employees unrestricted access to sensitive data
D) Disabling all cybersecurity controls for internal users
363. What is the purpose of log management in cybersecurity?
A) To collect and analyze security logs for threat detection and compliance
B) To erase user activity logs periodically
C) To generate passwords for employees
D) To encrypt email communications
364. Which cybersecurity framework is commonly used to assess and improve security posture?
A) NIST Cybersecurity Framework
B) GDPR
C) PCI-DSS
D) HIPAA
365. Which of the following describes a key characteristic of a zero-trust security model?
A) Continuous verification of every access request, regardless of location
B) Assuming all internal users are automatically trusted
C) Allowing unrestricted access to cloud applications
D) Disabling multi-factor authentication