Cisco
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk
ServiceNow
All Vendors
  2. Home
  3. Exams
  4. ISACA
  5. Cybersecurity-Audit-Certificate

ISACA Cybersecurity-Audit-Certificate Exam
ISACA Cybersecurity Audit Certificate (Page 3 )

Updated On: 12-Feb-2026
Page 3 of 28
PDF with 134 Questions

A healthcare organization recently acquired another firm that outsources its patient information processing to a third-party Software as a Service (SaaS) provider. From a regulatory perspective, which of the following is MOST important for the healthcare organization to determine?

  1. Cybersecurity risk assessment methodology
  2. Encryption algorithms used to encrypt the data
  3. Incident escalation procedures
  4. Physical location of the data

Answer(s): C

Explanation:

From a regulatory perspective, the MOST important thing for the healthcare organization to determine when outsourcing its patient information processing to a third-party Software as a Service (SaaS) provider is the incident escalation procedures. This is because incident escalation procedures define how security incidents involving patient information are reported, communicated, escalated, and resolved between the healthcare organization and the SaaS provider. This is essential for complying with regulatory requirements such as HIPAA, which mandate timely notification and response to breaches of protected health information. The other options are not as important as incident escalation procedures from a regulatory perspective, because they either relate to technical aspects that may not affect compliance (A, B), or operational aspects that may not affect patient information security (D).



Which of the following is MOST critical to guiding and managing security activities throughout an organization to ensure objectives are met?

  1. Allocating a significant amount of budget to security investments
  2. Adopting industry security standards and frameworks
  3. Establishing metrics to measure and monitor security performance
  4. Conducting annual security awareness training for all employees

Answer(s): C

Explanation:

The MOST critical thing to guiding and managing security activities throughout an organization to ensure objectives are met is establishing metrics to measure and monitor security performance. This is because metrics provide quantifiable and objective data that can be used to evaluate the effectiveness and efficiency of security activities, as well as identify gaps and areas for improvement. Metrics also enable communication and reporting of security performance to stakeholders, such as senior management, board members, auditors, regulators, customers, etc. The other options are not as critical as establishing metrics, because they either involve spending money without knowing the return on investment (A), adopting standards without customizing them to fit the organization's context and needs (B), or conducting training without assessing its impact on behavior change (D).



Which of the following is the BEST method of maintaining the confidentiality of digital information?

  1. Use of access controls, file permissions, and encryption
  2. Use of backups and business continuity planning
  3. Use of logging digital signatures, and write protection
  4. Use of the awareness tracing programs and related end-user testing

Answer(s): A

Explanation:

The BEST method of maintaining the confidentiality of digital information is using access controls, file permissions, and encryption. This is because these techniques help to prevent unauthorized access, disclosure, or modification of digital information, by restricting who can access the information, what they can do with it, and how they can access it. The other options are not as effective as using access controls, file permissions, and encryption, because they either relate to protecting availability (B), integrity C, or awareness (D).



Which of the following presents the GREATEST challenge to information risk management when outsourcing IT function to a third party?

  1. It is difficult to know the applicable regulatory requirements when data is located on another country.
  2. Providers may be reluctant to share technical delays on the extent of their information protection mechanisms.
  3. Providers may be restricted from providing detailed ^formation on their employees.
  4. It is difficult to determine vendor financial viability to assess their potential inability to meet contract requirements.

Answer(s): B

Explanation:

The GREATEST challenge to information risk management when outsourcing IT function to a third party is that providers may be reluctant to share technical details on the extent of their information protection mechanisms. This is because providers may consider their information protection mechanisms as proprietary or confidential, or may not want to reveal their weaknesses or vulnerabilities. This makes it difficult for the outsourcing organization to assess the level of security and compliance of the provider, and to monitor and audit their performance. The other options are not as challenging as providers being reluctant to share technical details, because they either involve legal or contractual aspects that can be clarified or negotiated before outsourcing (A, D), or human resource aspects that can be verified or validated by the provider C.



The GREATEST advantage of using a common vulnerability scoring system is that it helps with:

  1. risk aggregation.
  2. risk prioritization.
  3. risk elimination.
  4. risk quantification

Answer(s): B

Explanation:

The GREATEST advantage of using a common vulnerability scoring system is that it helps with risk prioritization. This is because a common vulnerability scoring system provides a standardized and consistent way of measuring and comparing the severity of vulnerabilities, based on their impact and exploitability. This allows organizations to prioritize the remediation of the most critical vulnerabilities and allocate resources accordingly. The other options are not as advantageous as using a common vulnerability scoring system, because they either involve aggregating (A), eliminating C, or quantifying (D) risk, which are not directly related to the scoring system.






Post your Comments and Discuss ISACA Cybersecurity-Audit-Certificate exam prep with other Community members:

Join the Cybersecurity-Audit-Certificate Discussion