QUESTION 1

The production and fixed asset cycles interface with which of the following transaction
cycles to submit purchase orders and invoices?

A. Revenue and cash collection cycles

B. General ledger and reporting cycles

C. Purchasing and disbursement cycles

D. Treasury cycles
QUESTION 2
Shoe-ify Inc. is a new platform that lets companies design shoes based on their customers'
foot shapes and running pronation patterns. The platform serves as an online
marketplace that allows companies' customers to design shoes, which the company then
builds and sells to the customer. Shoe-ify also provides other turn-key functions such as
built-in direct marketing services, payment processing, and logistics services. This is an
example of what type of cloud service provider?

A. Platform-as-a-Service

B. Software-as-a-Service

C. Infrastructure-as-a-Service

D. Business-Process-as-a-Service
QUESTION 3
Which of the following framework functions in the Privacy Framework Core best describes
the function that would include categories such as risk management strategy, awareness
and training, and monitoring review?

A. Identify

B. Control

C. Protect

D. Govern
QUESTION 4
Retailer Alex Co. recently purchased a new point-of-sale (POS) system to replace its
legacy system for transaction processing and is evaluating different approaches to
integrate the new software. Alex decided to take a parallel implementation approach as it
wants to be able to switch back to the legacy system if it encounters complications.
Which of the following change management controls does this reflect?

A. Separation of duties

B. Standardized change requests

C. Post-implementation testing

D. Reversion access
QUESTION 5
Which of the following best describes the overview of CIS Control 04: Secure
Configuration of Enterprise Assets and Software?

A. Use processes and tools to create, assign, manage, and revoke access
credentials and privileges for enterprise assets and software.

B. Establish and maintain the secure configuration of both software and assets
within the enterprise.

C. Actively manage all software on the network to prevent unmanaged software
from installation or execution.

D. Improve protections and detections of digital threats such as email and web
vectors.
QUESTION 6
Which of the following best describes the analytics and usage stage of the data life
cycle?

A. The stage that focuses on the determination of whether the data is complete,
clean, current, encrypted, and user-friendly

B. The stage that focuses on the data being useful internally to the organization
rather than being shared with external users and stakeholders

C. The stage that focuses on sharing the information with external users so the
organization no longer has sole control of how the data will be used

D. The stage that focuses on moving data sets from active systems to passive
systems in part to reduce security risks
QUESTION 7
A regional managed services provider (MSP) provides IT services to clients of various sizes
and budgets. One of its smaller customers is on a restricted budget and has very little
incremental data generated daily that requires a backup. However, the client's
applications heavily rely on this stored data, and the company is willing to pay more per
backup but perform them less frequently so the data can be restored quickly using a
single file in the event of a system failure. Which of the following forms of backup should
the client implement?

A. Incremental backup

B. Differential backup

C. Full backup

D. Incremental and full backup


QUESTION 8
Which of the following types of business planning focuses on how a company can most
effectively restore business operations following a disaster?

A. Budget planning.

B. Capacity planning.

C. Strategy planning.

D. Continuity planning.
QUESTION 9
Which CIS Control best describes the recommendation to establish and maintain a
program designed to influence behavior among the workforce to be security conscious
and properly skilled to reduce cybersecurity risks to the enterprise?

A. Control 14: Security Awareness and Skills Training

B. Control 10: Malware Defenses

C. Control 13: Network Monitoring and Defense

D. Control 16: Application Software Security


QUESTION 10
Which of the following components of the NIST CSF Framework Core describes the
function that outlines how a company restores its network to normal operations through
repairing equipment, restoring backed-up files, and restoring environments?

A. Recover

B. Protect

C. Identify

D. Detect
QUESTION 11
Which of the following is a common document found in the revenue cycle?

A. Packing slip

B. Bank statement

C. Bill of materials

D. Voucher
QUESTION 12
Which of the following components of the NIST CSF Framework Core describes the
function that outlines how a company should notify all affected parties while containing a
cybersecurity event?

A. Recover

B. Detect

C. Protect

D. Respond
QUESTION 13
What should a company do when seeking competitive advantages in planning for the
implementation of a new software system?

A. Direct manpower to the non-bottleneck process areas.

B. Design the software to fit the existing processes.

C. Design an optimal process and then align the software.

D. Allow management to dictate processes.


QUESTION 14
Which of the following is (are) the best definition(s) of a firewall?

I. A firewall is a system of user identification and authentication that prevents
unauthorized users from gaining access to network resources.

II. A firewall is a network node used to improve network traffic and to set up a
boundary that prevents traffic from one network segment from crossing over to
another.

III. A firewall can serve as a physical barrier that separates one part of a data center
from another.

A. I, II, and III are correct.

B. I and II only are correct.

C. III only is correct.

D. II and III only are correct.


QUESTION 15
Which CIS Control best describes the recommendation to establish and maintain
practices relevant to data sufficient to restore in-scope enterprise assets to a pre-incident
and trusted state?

A. Control 16: Application Software Security

B. Control 11: Data Recovery

C. Control 10: Malware Defenses

D. Control 15: Service Provider Management


QUESTION 16
Gary wants to conduct a full analysis of his clients' geographic locations to better
understand which parts of the country he should consider opening a second warehouse to
reduce shipping costs. Which of the following SQL queries would Gary most likely run to
obtain the appropriate information for his analysis?

A. SELECT customer_id, contact_name, address, state FROM customers

B. SELECT vendor_id, contact_name, address, state FROM vendors

C. SELECT vendor_id, contact_name FROM vendors

D. SELECT customer_id, contact_name FROM customers
QUESTION 17
All of the following are considered examples of costs or expenditures incurred in
response to a data breach, except for which of the following?

A. Cost of privacy and security policy reviews, evaluations, and updates

B. Cost of forensic and investigative detection services

C. Cost of regulatory fines due to the data breach

D. Cost of lost revenue from former customers no longer using the organization's
services due to the breach
QUESTION 18
The targeted time it should take to restore a company's operations to a target state after
a system failure and the actual time it takes to restore operations to that target state refer
to which of the following concepts?

A. Recovery time objective (RTO) and recovery time actual (RTA)

B. Recovery point objective (RPO) and recovery time actual (RTA)

C. Maximum tolerable downtime (MTD) and recovery point actual (RPA)

D. Mean time to repair (MTTR) and recovery point actual (RPA)


QUESTION 19
Which of the following configurations of elements represents the most complete disaster
recovery plan?

A. Vendor contract for alternate processing site, names of persons on the disaster
recovery team, off-site storage procedures.

B. Alternate processing site, backup and off-site storage procedures,
identification of critical applications, test of the plan.

C. Vendor contract for alternate processing site, backup procedures, names of
persons on the disaster recovery team.

D. Off-site storage procedures, identification of critical applications, test of the
plan.
QUESTION 20
Which CIS Control best describes the active management of all software on the network
so only authorized software is installed and can execute, and that unauthorized and
unmanaged software is found and prevented from installation or execution?

A. Control 02: Inventory and Control of Software Assets

B. Control 09: Email and Web Browser Protections

C. Control 01: Inventory and Control of Enterprise Assets

D. Control 04: Secure Configuration of Enterprise Assets and Software


QUESTION 21
Which Center for Internet Security (CIS) Control principle was designed to have all
recommendations be practical?

A. Feasible

B. Measurable

C. Align

D. Focus
QUESTION 22
A system that transforms economic events into journal entries and disseminates
information that supports daily operations is:

A. An enterprise resource planning system.

B. A financial reporting system.

C. A transaction processing system.

D. A management reporting system.


QUESTION 23
Which of the following best describes captured transactional data in an operational data
storage (ODS)?

A. Monthly financial account balances such as office equipment and machinery
for the past 10 years

B. Sensitive employee information such as social security numbers, email
addresses, phone numbers, and physical addresses

C. Activities such as customer orders, sales, and vendor payments

D. Predictive modeling data sets to predict customer preference changes in the
next 18 months
QUESTION 24
Which governance system principle under COBIT 2019 is best described as the creation of
value for the company's key groups and key parties by balancing benefits, risks, and
resources?

A. Dynamic governance system

B. Tailored to enterprise needs

C. End-to-end governance system

D. Provide stakeholder value


QUESTION 25
The beta version of a newly developed internal application was sent to a select group of
employees to ensure it met end-user requirements prior to launching the final version. This
would occur in which of the following types of tests?

A. System testing

B. Unit testing

C. Acceptance testing

D. Integration testing
QUESTION 26
Which of the following is least likely to be an example of an administrative safeguard
required for an organization considered a covered entity under HIPAA guidance in
relation to its administrative functions?

A. Information access management

B. Facility access controls

C. Contingency plans

D. Security awareness and training


QUESTION 27
Sunriss Corp. is trying to minimize its system availability risk by enhancing database
redundancy. Lacker only has one location, so it most likely will employ which of the
following practices?

A. Infrastructure capacity monitoring

B. Mirroring

C. Network security controls

D. Replication
QUESTION 28
Organizations seeking cloud service providers (CSP) that are compliant with varying
industry regulations, such as HIPAA or consumer privacy laws, may inquire if the CSP has
adopted standards specifically focused on operating in the cloud set by which of the
following entities?

A. World Health Organization (WHO)

B. Financial Accounting Standards Board (FASB)

C. Cloud Security Alliance (CSA)

D. Payment Card Industry Security Standards Council (PCI SSC)


QUESTION 29
Which of the following is a disadvantage of IT outsourcing?

A. Reduced costs

B. Quality control

C. Enhanced focus on the business

D. IT expertise
QUESTION 30
Algexo Corporation is establishing a data dictionary to help its database administrators
maintain the database and help ensure that its analysts can identify the data needed.
Which of the following best describes a scenario where Algexo Corporation's data
dictionary is not functioning appropriately to accomplish the organization's goals?

A. The "Amount" attribute within the database provides information related to the
dollar figure in U.S. currency of the specified transaction from the customer.

B. The "Invoice Date" attribute within the database provides information related to
the date that payment was received by the corporation from the customer.

C. The "Technician" attribute within the database provides information related to
the employee who performed the necessary services for the customer.

D. The "Last Name" attribute within the database provides information related to
the surname of the customer for the specific transaction.
QUESTION 31
When conducting an audit of a service organization's network infrastructure, a service
auditor finds a device that acts as the network's central hub and is therefore a potential
single point of failure if it quits working. Which topology is least likely to result in a
potential single point of failure?

A. Ring topology

B. Bus topology

C. Mesh topology

D. Star topology
QUESTION 32
Brown Co., a pharmaceutical company, is evaluating cloud service providers (CSPs) for
hosting several of its custom-built applications virtually. It should consider all of the
following risks, except:

A. The location of the company relative to the CSP.

B. Whether other pharma companies are adopting CSPs.

C. The ease with which it can switch CSPs.

D. Whether other pharma companies use the same CSP.


QUESTION 33
An audit trail that allows a user to trace a transaction from source documents to the
financial statement reports and to trace from the financial statement reports back to
source documents can be found in what type of well-designed system?

A. Executive information system

B. Customer relationship management system

C. Supply chain management system

D. Accounting information system


QUESTION 34
BeanCard Corporation is a financial institution that processes credit card payments,
coordinating with retailers, banks, and customers. In order for BeanCard Corporation to
comply with the Payment Card Industry Data Security Standard (PCI DSS) in relation to the
goal of protecting cardholder data, which of the following actions would BeanCard
Corporation most likely take?

A. Restrict physical access to cardholder data.

B. Encrypt the transmission of cardholder data across open, public networks.

C. Maintain a policy that addresses information security for all personnel.

D. Regularly test security systems and processes.


QUESTION 35
Private equity firm, Rulert Capital, has started implementing continuous testing at several
of its portfolio companies to streamline their testing processes. This marks a shift away
from the conventional model of building an application, testing it, and then deploying it.
What is one of the characteristics of continuous software deployment and continuous
software integration practices?

A. The cycle time for writing code increases.

B. Code integration happens at intervals during deployment in decentralized
repositories.

C. More work is required at the back end of the development process.

D. Coding bugs will get released in a live environment.


QUESTION 36
Which of the following components of a governance system can be best described as a
set of activities or practices that produce outputs that help achieve overall information
technology goals?

A. Principles, policies, frameworks

B. Organizational structures

C. Process

D. Information
QUESTION 37
Kelsey is a senior specialist in the IT department of a remote work organization and is
looking to view and extract specific data for use in the analysis of internal organization
personnel. Kelsey's goal in her analysis is to get a confirmation of the physical locations of
each employee within the organization to better plan a budget around shipping logistics
for sending new laptops to organization employees. Which of the following SQL queries
would most likely give Kelsey a complete list of relevant data to begin her analysis?

A. SELECT last_name, department, home_address FROM internal_personnel

B. SELECT last_name, first_name, vendor_number, delivery_address FROM vendor_list

C. SELECT last_name, first_name, customer_number, delivery_address FROM customer_list

D. SELECT last_name, first_name, employee_number, home_address FROM internal_personnel
QUESTION 38
Which of the following best describes the compliance requirements design factor under
COBIT?

A. Compliance demands on the company can be classified as low, normal, or high,
where the normal classification indicates that the organization is typical of its
industry.

B. Compliance demands on the company can be classified as one, two, or three,
where the two classification indicates that the organization is typical of its
industry.

C. Compliance demands on the company can be classified as low, medium, or
high, where the medium classification indicates that the organization is typical
of its industry.

D. Compliance demands on the company can be classified as one, two, or three,
where the three classification indicates that the organization is typical of its
industry.
QUESTION 39
Within the data life cycle, what is generally considered the first step of the life cycle,
the one that defines what data a business needs and where to capture or retrieve it?

A. Preparation

B. Synthesis

C. Publication

D. Definition
QUESTION 40
The AICPA issued guidance regarding patch management in a SOC 2® audit that states
service auditors should:

A. Verify that patches are tested in a production environment prior to release.

B. Inspect policies to ensure they include rules on patch management.

C. Continuously monitor patch releases for a limited period after the audit.

D. Verify that patches are released on a specific day or on a given schedule.


QUESTION 41
Which overview explanation best summarizes CIS Control 13: Network Monitoring and
Defense?

A. Establish a program to develop and maintain an incident response capability to
prepare, detect, and quickly respond to an attack.

B. Manage the security life cycle of in-house developed, hosted, or acquired
software to prevent, detect, and remediate security weaknesses before they can
impact the enterprise.

C. Operate processes and tooling to establish and maintain comprehensive
network and monitoring defense against security threats across the enterprise's
network infrastructure and user base.

D. Establish, implement, and actively manage network devices in order to prevent
attackers from exploiting vulnerable network services and access points.