CPA ISC Practice Questions (Part 3: 101–150)
The CPA ISC (Information Systems and Controls) exam assesses a candidate’s ability to evaluate IT governance, cybersecurity, and risk management. This section is vital for accountants and auditors dealing with modern digital systems.
In this post, you’ll find CPA ISC Practice Questions Part 3 (101–150), focusing on cybersecurity, IT governance, and data controls. Each MCQ is designed with detailed explanations to ensure you understand not just the correct answer, but also the reasoning behind it.
101. Which of the following is the PRIMARY objective of IT governance?
A) Reducing IT costs
B) Aligning IT with business objectives
C) Implementing latest technology trends
D) Minimizing staff workload
Correct Answer: B
Explanation: IT governance ensures that IT investments align with business goals, provide value, and manage risks effectively. Cost reduction and technology adoption are secondary benefits.
102. The principle of “least privilege” in cybersecurity means:
A) Users should have admin rights for faster work
B) Each user should have access only to what is necessary
C) All employees share one master password
D) System privileges are removed completely
Correct Answer: B
Explanation: Least privilege restricts user access to only those resources necessary for their role, reducing risk of insider threats and attacks.
103. Which of the following is MOST effective against phishing attacks?
A) Firewalls
B) Strong passwords
C) User awareness training
D) Antivirus software
Correct Answer: C
Explanation: While technical controls help, phishing mainly exploits human weakness. Awareness training is the best preventive measure.
104. A company requires biometric authentication for employees. This is an example of:
A) Something you know
B) Something you have
C) Something you are
D) Something you do
Correct Answer: C
Explanation: Biometrics (fingerprints, iris, facial recognition) fall under “something you are” in authentication factors.
105. Which cybersecurity framework is MOST widely adopted for risk management in the U.S.?
A) ISO 27001
B) NIST Cybersecurity Framework
C) COBIT 2019
D) ITIL
Correct Answer: B
Explanation: NIST CSF is extensively used in the U.S. for cybersecurity risk assessment and management.
106. Data integrity in an accounting system means:
A) Data is complete, accurate, and unaltered
B) Data is encrypted at rest
C) Data is backed up regularly
D) Data is accessible only to management
Correct Answer: A
Explanation: Data integrity ensures information is reliable and has not been tampered with, which is crucial for financial reporting.
107. In a layered security model, the concept is often referred to as:
A) Security by obscurity
B) Defense in depth
C) Role-based defense
D) Perimeter-only security
Correct Answer: B
Explanation: Defense in depth applies multiple security layers (network, application, user training) to reduce risk of a breach.
108. Which type of malware encrypts user files and demands payment?
A) Worm
B) Spyware
C) Ransomware
D) Trojan
Correct Answer: C
Explanation: Ransomware locks or encrypts data and demands ransom, making it a major cybersecurity threat.
109. In information security, a “vulnerability” is best defined as:
A) An attempted attack
B) A weakness that can be exploited
C) A policy violation
D) A backup failure
Correct Answer: B
Explanation: Vulnerabilities are weaknesses in systems, processes, or software that attackers may exploit.
110. A penetration test is designed to:
A) Evaluate user awareness
B) Simulate real-world attacks
C) Replace vulnerability scanning
D) Provide firewall configurations
Correct Answer: B
Explanation: Penetration testing simulates real-world attack scenarios to test system resilience and identify exploitable weaknesses.
111. Multi-factor authentication (MFA) increases security by:
A) Using longer passwords
B) Combining two or more authentication factors
C) Restricting access to one device
D) Encrypting all system data
Correct Answer: B
Explanation: MFA requires multiple factors (e.g., password + SMS code), making unauthorized access more difficult.
112. Which of the following is a detective control?
A) Intrusion detection system (IDS)
B) Antivirus software
C) Multi-factor authentication
D) Encryption
Correct Answer: A
Explanation: Detective controls identify incidents after they occur. IDS alerts administrators of suspicious activity.
113. The CIA triad in cybersecurity stands for:
A) Confidentiality, Integrity, Availability
B) Control, Integrity, Audit
C) Cyber, Information, Access
D) Confidentiality, Identity, Accuracy
Correct Answer: A
Explanation: Confidentiality, Integrity, and Availability are the three pillars of information security.
114. Which of the following BEST reduces single-point-of-failure risk in IT infrastructure?
A) Encryption
B) Redundancy
C) Strong passwords
D) Firewalls
Correct Answer: B
Explanation: Redundant systems (backup servers, duplicate storage) ensure availability if one component fails.
115. Which control ensures accountability in IT systems?
A) Encryption
B) Audit trail/logs
C) Firewalls
D) Access restrictions
Correct Answer: B
Explanation: Audit logs track user activities and system changes, ensuring accountability and traceability.
116. Which of the following is an example of a preventive control?
A) Intrusion detection system
B) Backup and restore
C) Firewalls
D) Audit logs
Correct Answer: C
Explanation: Preventive controls (like firewalls) stop incidents before they occur.
117. Which U.S. regulation requires companies to maintain internal controls for financial reporting?
A) GDPR
B) SOX (Sarbanes-Oxley Act)
C) HIPAA
D) FISMA
Correct Answer: B
Explanation: SOX mandates strong internal controls to ensure accuracy and reliability in financial reporting.
118. The PRIMARY purpose of encryption is to protect:
A) Data availability
B) Data confidentiality
C) Data redundancy
D) Data accessibility
Correct Answer: B
Explanation: Encryption scrambles data so only authorized users can read it, ensuring confidentiality.
119. A company’s firewall is configured to allow only specific ports. This is an example of:
A) Physical control
B) Logical control
C) Corrective control
D) Compensating control
Correct Answer: B
Explanation: Logical controls restrict access to systems via software or configurations, like firewall rules.
120. Which type of cyberattack involves overwhelming a server with traffic to make it unavailable?
A) SQL Injection
B) DDoS
C) Phishing
D) Rootkit
Correct Answer: B
Explanation: A Distributed Denial of Service (DDoS) attack floods a server with traffic, disrupting normal service.
121. Which of the following is the MOST effective way to verify data integrity?
A) Encryption
B) Digital signatures
C) Compression
D) Backup
Correct Answer: B
Explanation: Digital signatures verify data has not been altered, ensuring integrity and authenticity.
122. Which framework focuses on aligning IT strategy with business goals?
A) COBIT
B) ITIL
C) NIST
D) PCI DSS
Correct Answer: A
Explanation: COBIT provides governance and management objectives that ensure IT is aligned with enterprise goals.
123. What is the main objective of identity and access management (IAM)?
A) Reducing system cost
B) Controlling user access to resources
C) Increasing system availability
D) Encrypting all traffic
Correct Answer: B
Explanation: IAM ensures that only authorized individuals have the right access to resources at the right time.
124. Which type of security test identifies vulnerabilities without exploiting them?
A) Penetration testing
B) Vulnerability scanning
C) Social engineering test
D) Red teaming
Correct Answer: B
Explanation: Vulnerability scans detect system weaknesses but do not exploit them, unlike penetration tests.
125. Which of the following controls helps ensure business continuity during disasters?
A) Encryption
B) Intrusion detection
C) Disaster recovery planning (DRP)
D) Data integrity checks
Correct Answer: C
Explanation: DRP ensures critical systems can be restored quickly after a disaster, ensuring continuity.
126. What is the main role of Public Key Infrastructure (PKI)?
A) Encrypt databases
B) Manage digital certificates
C) Store audit logs
D) Secure firewalls
Correct Answer: B
Explanation: PKI manages digital certificates and encryption keys, enabling secure communication and authentication.
127. Which of the following BEST describes role-based access control (RBAC)?
A) Access is based on physical location
B) Access is based on user job role
C) Access is based on password strength
D) Access is based on device used
Correct Answer: B
Explanation: RBAC grants permissions based on job roles, reducing administrative overhead and enforcing least privilege.
128. Which incident response phase involves learning from past incidents?
A) Detection
B) Recovery
C) Containment
D) Lessons learned
Correct Answer: D
Explanation: The “lessons learned” phase improves security policies and controls by analyzing incidents post-resolution.
129. Which type of hacker identifies system weaknesses without malicious intent?
A) Black hat
B) White hat
C) Gray hat
D) Script kiddie
Correct Answer: B
Explanation: White hat hackers are ethical hackers who test systems for vulnerabilities legally.
130. The PRIMARY purpose of a firewall is to:
A) Detect intrusions
B) Filter traffic between networks
C) Encrypt data packets
D) Manage user roles
Correct Answer: B
Explanation: Firewalls monitor and filter traffic between internal and external networks to block unauthorized access.
131. Which of the following attacks targets SQL databases?
A) Phishing
B) SQL Injection
C) Man-in-the-middle
D) DDoS
Correct Answer: B
Explanation: SQL Injection exploits vulnerabilities in database queries to manipulate or steal data.
132. In cybersecurity, “availability” ensures that:
A) Data is encrypted
B) Systems are accessible when needed
C) Only authorized people can access data
D) Data cannot be modified
Correct Answer: B
Explanation: Availability ensures systems and data remain accessible without interruption when required.
133. What is the PRIMARY role of audit logs in IT systems?
A) Prevent intrusions
B) Record system activity
C) Encrypt sensitive data
D) Restore lost files
Correct Answer: B
Explanation: Audit logs record events and user activities, allowing accountability and forensic investigation.
134. Which of the following is an administrative control?
A) Security awareness training
B) Firewalls
C) Antivirus software
D) Encryption
Correct Answer: A
Explanation: Administrative controls include policies, training, and procedures that support security.
135. A digital certificate binds a user’s identity with:
A) A firewall
B) A public key
C) A password
D) An IP address
Correct Answer: B
Explanation: Digital certificates link a verified identity to a public key, enabling trust in communications.
136. Which encryption method uses the same key for encryption and decryption?
A) Asymmetric encryption
B) Symmetric encryption
C) Hashing
D) PKI
Correct Answer: B
Explanation: Symmetric encryption uses one key for both processes, while asymmetric uses two (public/private).
137. Which control type is designed to fix issues after they occur?
A) Preventive
B) Detective
C) Corrective
D) Compensating
Correct Answer: C
Explanation: Corrective controls (e.g., patching vulnerabilities) restore systems after an incident occurs.
138. Which U.S. law protects patient health information?
A) SOX
B) HIPAA
C) FISMA
D) PCI DSS
Correct Answer: B
Explanation: HIPAA mandates protection and privacy of healthcare information in the United States.
139. Which of the following security models emphasizes “need to know”?
A) Bell-LaPadula
B) Clark-Wilson
C) Biba
D) RBAC
Correct Answer: A
Explanation: The Bell-LaPadula model enforces confidentiality and “need-to-know” access restrictions.
140. Which cloud model gives customers control over operating systems but not physical servers?
A) SaaS
B) IaaS
C) PaaS
D) On-premises
Correct Answer: B
Explanation: In Infrastructure as a Service (IaaS), customers manage OS and apps while providers manage hardware.
141. The PRIMARY purpose of hashing is to:
A) Ensure confidentiality
B) Ensure data integrity
C) Provide encryption
D) Backup data
Correct Answer: B
Explanation: Hashing verifies data integrity by producing a unique fixed-length value that changes if data changes.
142. Which of the following is an example of social engineering?
A) Phishing email
B) SQL Injection
C) Brute force attack
D) Ransomware infection
Correct Answer: A
Explanation: Social engineering manipulates humans into giving up sensitive info—phishing is the most common.
143. Which of the following is MOST likely used in two-factor authentication?
A) Password + OTP
B) Password + Username
C) Fingerprint + User ID
D) PIN + Password
Correct Answer: A
Explanation: Two-factor authentication combines two different types of factors, e.g., password (something you know) + OTP (something you have).
144. Which of the following is a corrective measure after ransomware infection?
A) Paying the ransom
B) Restoring from backup
C) Installing firewall
D) Enabling encryption
Correct Answer: B
Explanation: The best corrective action is restoring data from a secure backup instead of paying ransom.
145. What is the PRIMARY objective of access controls?
A) Reduce costs
B) Restrict unauthorized access
C) Encrypt network traffic
D) Increase system availability
Correct Answer: B
Explanation: Access controls ensure only authorized users gain access to specific data and systems.
146. Which of the following is considered a physical control?
A) Passwords
B) Biometric scanner
C) Firewalls
D) Role-based access
Correct Answer: B
Explanation: Physical controls include locks, biometric scanners, and security guards.
147. Which is the MOST effective way to secure wireless networks?
A) WEP encryption
B) WPA2 or WPA3 encryption
C) Open access points
D) MAC address filtering only
Correct Answer: B
Explanation: WPA2/WPA3 encryption provides strong wireless security, unlike outdated WEP.
148. A Business Impact Analysis (BIA) primarily identifies:
A) User access violations
B) Critical business functions and recovery time objectives
C) Password strength issues
D) Backup storage costs
Correct Answer: B
Explanation: BIA assesses critical operations and determines recovery priorities during disasters.
149. Which type of malware disguises itself as legitimate software?
A) Worm
B) Trojan
C) Spyware
D) Rootkit
Correct Answer: B
Explanation: Trojans appear harmless but contain malicious code to compromise systems.
150. Which is the MOST important first step in incident response?
A) Containment
B) Detection and identification
C) Eradication
D) Recovery
Correct Answer: B
Explanation: Incident response begins with detecting and identifying the problem before taking containment steps.
By working through these 50 questions, you strengthen your grasp of cybersecurity, IT governance, and data management concepts tested in the ISC exam. Continue to Part 4 (151–200) for advanced-level practice covering system assurance, data analytics, and IT audit scenarios.
👉 Next Steps:
- Previous Part: Part 1 (1-50)
- Previous Part: Part 2 (51-100)
- Next Part: Part 4 (101-150)
- Explore our CPA FAR, REG, AUD, BAR, ISC & TCP Master Sets