Exam (elaborations)

CSIA Final Exam Version 2 Cybersecurity Infrastructure Security Assessment Official Practice Exam Actual Exam 2026/2027 with Detailed Rationales | Complete Exam-Style Questions | Pass Guaranteed – A+ Graded

Pages: 31
Grade: A+
Uploaded on: 02-07-2026
Written in: 2025/2026

CSIA Final Exam Version 2 Cybersecurity Infrastructure Security Assessment Official Practice Exam Actual Exam 2026/2027 – Real-Style Exam Questions | 100% Correct Answers | Security Controls Implementation | Vulnerability Management | Risk Assessment | Incident Response Procedures | Access Control Systems | Network Defense | Security Governance | Detailed Rationales | Graded A+ Verified – Pass Guaranteed – Instant Download

Institution: CSIA
Course: CSIA

Content preview

CSIA Final Exam Version 2 Cybersecurity Infrastructure Security Assessment Official Practice Exam Actual Exam 2026/2027 with Detailed Rationales | Complete Exam-Style Questions | Pass Guaranteed – A+ Graded
══════════════════════════════════════
SECTION 1: CYBERSECURITY FUNDAMENTALS & RISK MANAGEMENT Q1 – Q10
══════════════════════════════════════

Question 1 of 50

A regional healthcare system with 12 hospitals recently migrated 70% of patient records to a
multi-tenant cloud EHR platform. During the annual HIPAA risk assessment, the CISO
identifies that the cloud provider's shared responsibility model does not cover endpoint
detection on clinician workstations accessing the platform via VPN. The organization has
limited capital for the fiscal year and faces an OCR audit in eight weeks.

A. Transfer all residual endpoint risk to a cyber insurance policy and document the coverage
limits in the risk register
B. Accept the endpoint risk temporarily and request a budget increase for the next fiscal year
to address the gap
C. Implement compensating controls such as EDR on all endpoints and enforce conditional
access policies to reduce risk to an acceptable level
D. Avoid the cloud deployment entirely and revert patient records to on-premises storage to
eliminate third-party risk

Correct Answer: C
Rationale: Compensating controls are the standard risk treatment when primary control gaps
exist in shared responsibility environments, directly supporting HIPAA Security Rule
requirements for reasonable and appropriate safeguards. Transferring risk without first
implementing available controls would likely be deemed negligent by OCR and could void
insurance coverage under maintenance of security clauses. Organizations that successfully
navigate cloud migrations consistently map their responsibility boundaries before
deployment rather than after audit discovery.

Question 2 of 50

A Fortune 500 retail corporation is evaluating threat modeling methodologies for its new
customer loyalty mobile application, which processes payment card data through a tokenized
API architecture. The security architecture team must select a framework that quantifies
business impact alongside technical threat enumeration to present to the board risk
committee.

A. STRIDE is the only framework that effectively evaluates API and OAuth 2.0 threat
categories in mobile application deployments
B. PASTA provides the most business-aligned approach by integrating threat intelligence,
asset value, and quantitative risk scoring into a seven-stage process
C. OCTAVE is designed specifically for software development lifecycle threat modeling and
offers superior technical depth for mobile architectures
D. VAST is primarily a compliance framework and should be used alongside automated SAST
tools rather than as a standalone threat model

Correct Answer: B
Rationale: PASTA (Process for Attack Simulation and Threat Analysis) uniquely combines
technical threat enumeration with business impact quantification, making it ideal for
board-level risk presentations where asset value matters. STRIDE is a categorization model
rather than a full risk-centric methodology, and while useful for threat enumeration, it does
not inherently produce quantitative business impact scores. Security architects should align
their threat modeling selection with the audience; technical teams benefit from STRIDE's
categorization while executive stakeholders require PASTA's risk quantification.

Question 3 of 50

During a quarterly risk assessment at a defense contractor cleared for CUI processing, the
risk manager discovers that a legacy file server running Windows Server 2012 R2 cannot be
patched due to a proprietary inventory management application. The system stores
controlled unclassified information and is exposed to the internal network. The CIO insists
the system must remain operational for 18 months until a replacement is funded.

A. Apply the latest available patches and accept the residual risk since the system will be
decommissioned within two years
B. Migrate the CUI data to a personal cloud storage account to remove it from the vulnerable
on-premises environment
C. Immediately disconnect the server from the network and rebuild the inventory application
on a supported platform
D. Segment the server into an isolated VLAN, implement continuous monitoring, and
document an approved plan of action with milestones

Correct Answer: D
Rationale: Network segmentation with continuous monitoring is the appropriate
compensating control for legacy systems that cannot be immediately patched, satisfying
NIST SP 800-171 requirements for system isolation and monitoring of unpatched assets.
Disconnecting the server immediately would disrupt critical business operations without an
approved transition plan, violating business continuity principles. Defense contractors must
understand that POA&M documentation is a CMMC requirement, not optional, and simply
accepting risk on CUI systems invites regulatory sanctions.

Question 4 of 50

A global manufacturing firm is implementing a new enterprise risk management framework
based on ISO 27005. The CISO needs to categorize security controls for a critical SCADA
environment that monitors chemical processing temperatures. The team has identified the
need for controls that prevent unauthorized physical access to the control room while also
ensuring operators can respond to temperature alarms without authentication delays.

A. Implement biometric access controls with mandatory two-person integrity for all control
room entries
B. Remove all physical access controls from the control room to ensure zero-delay operator
response to temperature anomalies
C. Deploy smart card readers on control room doors and require PIN-plus-card for every entry
regardless of alarm status
D. Install mantraps with biometric verification and establish emergency bypass procedures
for authenticated operators during critical alarms

Correct Answer: D
Rationale: Mantraps with biometric verification provide strong physical access prevention
while emergency bypass procedures maintain operational availability during critical safety
events, balancing security and safety in ICS environments. Removing all access controls
would violate NIST SP 800-82 and IEC 62443 physical security requirements for critical
infrastructure. Industrial security professionals must recognize that safety and security are
complementary disciplines; controls that compromise safety to achieve security or vice
versa introduce greater overall risk.

Question 5 of 50

A municipal water utility's vulnerability management program identifies 247 vulnerabilities
across its IT and OT networks during a quarterly scan. The utility has a three-person security
team and must prioritize remediation for a critical infrastructure environment where a
ransomware attack could disrupt water treatment operations. The utility is subject to AWIA
compliance requirements.

A. Prioritize all CVEs with a CVSS base score above 7.0 regardless of exploitability or asset
criticality
B. Remediate vulnerabilities on the corporate email server first since phishing is the most
common ransomware vector

C. Use a risk-based approach that weights CVSS scores against asset criticality, threat
intelligence, and operational impact to prioritize OT network vulnerabilities
D. Patch all vulnerabilities simultaneously using an automated deployment tool across both
IT and OT networks

Correct Answer: C
Rationale: Risk-based vulnerability prioritization that integrates CVSS with asset criticality
and threat intelligence is essential for resource-constrained critical infrastructure
organizations, aligning with CISA's Known Exploited Vulnerabilities catalog and AWIA risk
assessment requirements. Prioritizing solely by CVSS base score ignores environmental
metrics and exploitability, often causing teams to waste resources on theoretically severe
but practically unexploitable flaws. In OT environments, automated patching can cause
operational instability; each patch requires change management review and testing before
deployment.
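The prioritization the Question 5 rationale describes, worked as an added Python example (not part of the exam document): each finding's CVSS base score is weighted against asset criticality, a threat-intelligence flag for presence in a known-exploited list such as CISA KEV, and operational impact. The weights, the field names and the sample findings (with placeholder CVE ids) are constructed for illustration.

```python
"""Risk-based vulnerability prioritization (constructed example)."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    cve: str               # placeholder id, constructed; not a real CVE
    asset: str
    cvss: float            # CVSS base score, 0.0 .. 10.0
    criticality: int       # asset criticality, 1 (low) .. 5 (OT/safety critical)
    known_exploited: bool  # threat intel: listed as known exploited (KEV-style)
    op_impact: int         # operational impact if disrupted, 1 .. 5


# Assumed weights: CVSS is only 40% of the priority; context supplies the rest.
W_CVSS, W_CRIT, W_IMPACT, W_KEV = 0.40, 0.25, 0.20, 0.15


def risk_score(f: Finding) -> float:
    """Combine CVSS with environmental context into a 0..100 priority score."""
    score = (W_CVSS * f.cvss / 10.0
             + W_CRIT * f.criticality / 5.0
             + W_IMPACT * f.op_impact / 5.0
             + W_KEV * (1.0 if f.known_exploited else 0.0))
    return round(score * 100, 1)


def prioritize(findings: List[Finding]) -> List[str]:
    """CVE ids ordered by risk score, highest first (option C)."""
    return [f.cve for f in sorted(findings, key=risk_score, reverse=True)]


def cvss_only(findings: List[Finding], threshold: float = 7.0) -> List[str]:
    """CVE ids above a bare CVSS threshold, highest first (option A, for contrast)."""
    above = [f for f in findings if f.cvss > threshold]
    return [f.cve for f in sorted(above, key=lambda f: f.cvss, reverse=True)]


# Constructed sample findings from a mixed IT/OT scan.
SAMPLE = [
    Finding("CVE-0000-0001", "corporate mail gateway", 9.8, 2, False, 2),
    Finding("CVE-0000-0002", "SCADA HMI workstation", 7.2, 5, True, 5),
    Finding("CVE-0000-0003", "marketing web server", 8.1, 1, False, 1),
    Finding("CVE-0000-0004", "PLC engineering laptop", 6.5, 4, True, 4),
]

if __name__ == "__main__":
    print("CVSS > 7.0 only:", cvss_only(SAMPLE))   # drops the exploited 6.5 on OT
    print("risk-based     :", prioritize(SAMPLE))  # OT assets first
```

The CVSS-only filter ranks the mail gateway first and drops the known-exploited 6.5 on the PLC engineering laptop entirely, while the weighted ordering puts both OT findings ahead of the higher-scored IT ones.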

Question 6 of 50

A multinational bank's business continuity plan is being tested following a regional
datacenter outage caused by a prolonged power failure. The BCP coordinator discovers that
while the disaster recovery site activated within four hours, the customer call center
remained offline for 14 hours because agents lacked remote access credentials and
supervisors had no contact tree for off-hours notification.

A. The gap indicates a business continuity failure rather than a disaster recovery failure,
requiring updates to the BCP including redundant communication channels and pre-staged
remote access
B. The four-hour DR site activation meets industry standards, so the 14-hour call center delay
is an acceptable deviation documented in the risk register
C. The bank should consolidate all BCP and DR functions into a single IT operations team to
eliminate coordination gaps between technology and business units
D. The call center delay is primarily a human resources issue and should be addressed
through additional staffing rather than plan revision

Correct Answer: A
Rationale: The 14-hour call center outage represents a business continuity failure distinct
from the successful technical disaster recovery activation, highlighting the common gap
between IT systems recovery and business process continuity. Business continuity planning
must address people, processes, and technology, including communication trees and
pre-provisioned remote access for critical functions. Organizations that conflate DR and BCP
often discover too late that their technology can recover while their business operations
remain paralyzed.

Question 7 of 50
