Exam

CSIA Final Exam Version 2 Cybersecurity Infrastructure Security Assessment Official Practice Exam Actual Exam 2026/2027 with Detailed Rationales | Complete Exam-Style Questions | Pass Guaranteed – A+ Graded

Score
-
Sold
-
Pages
31
Grade
A+
Uploaded on
02-07-2026
Written in
2025/2026

CSIA Final Exam Version 2 Cybersecurity Infrastructure Security Assessment Official Practice Exam Actual Exam 2026/2027 – Real-Style Exam Questions | 100% Correct Answers | Security Controls Implementation | Vulnerability Management | Risk Assessment | Incident Response Procedures | Access Control Systems | Network Defense | Security Governance | Detailed Rationales | Graded A+ Verified – Pass Guaranteed – Instant Download

Institution
CSIA
Degree
CSIA

Content preview

CSIA Final Exam Version 2 Cybersecurity Infrastructure Security Assessment Official Practice Exam Actual Exam 2026/2027 with Detailed Rationales | Complete Exam-Style Questions | Pass Guaranteed – A+ Graded
══════════════════════════════════════
SECTION 1: CYBERSECURITY FUNDAMENTALS & RISK MANAGEMENT Q1 – Q10
══════════════════════════════════════

Question 1 of 50

A regional healthcare system with 12 hospitals recently migrated 70% of patient records to a
multi-tenant cloud EHR platform. During the annual HIPAA risk assessment, the CISO
identifies that the cloud provider's shared responsibility model does not cover endpoint
detection on clinician workstations accessing the platform via VPN. The organization has
limited capital for the fiscal year and faces an OCR audit in eight weeks.

A. Transfer all residual endpoint risk to a cyber insurance policy and document the coverage
limits in the risk register
B. Accept the endpoint risk temporarily and request a budget increase for the next fiscal year
to address the gap
C. Implement compensating controls such as EDR on all endpoints and enforce conditional
access policies to reduce risk to an acceptable level
D. Avoid the cloud deployment entirely and revert patient records to on-premises storage to
eliminate third-party risk

Correct Answer: C
Rationale: Compensating controls are the standard risk treatment when primary control gaps
exist in shared responsibility environments, directly supporting HIPAA Security Rule
requirements for reasonable and appropriate safeguards. Transferring risk without first
implementing available controls would likely be deemed negligent by OCR and could void
insurance coverage under maintenance of security clauses. Organizations that successfully
navigate cloud migrations consistently map their responsibility boundaries before
deployment rather than after audit discovery.

Question 2 of 50

A Fortune 500 retail corporation is evaluating threat modeling methodologies for its new
customer loyalty mobile application, which processes payment card data through a tokenized
API architecture. The security architecture team must select a framework that quantifies
business impact alongside technical threat enumeration to present to the board risk
committee.

A. STRIDE is the only framework that effectively evaluates API and OAuth 2.0 threat
categories in mobile application deployments
B. PASTA provides the most business-aligned approach by integrating threat intelligence,
asset value, and quantitative risk scoring into a seven-stage process
C. OCTAVE is designed specifically for software development lifecycle threat modeling and
offers superior technical depth for mobile architectures
D. VAST is primarily a compliance framework and should be used alongside automated SAST
tools rather than as a standalone threat model

Correct Answer: B
Rationale: PASTA (Process for Attack Simulation and Threat Analysis) uniquely combines
technical threat enumeration with business impact quantification, making it ideal for
board-level risk presentations where asset value matters. STRIDE is a categorization model
rather than a full risk-centric methodology, and while useful for threat enumeration, it does
not inherently produce quantitative business impact scores. Security architects should align
their threat modeling selection with the audience; technical teams benefit from STRIDE's
categorization while executive stakeholders require PASTA's risk quantification.

Question 3 of 50

During a quarterly risk assessment at a defense contractor cleared for CUI processing, the
risk manager discovers that a legacy file server running Windows Server 2012 R2 cannot be
patched due to a proprietary inventory management application. The system stores
controlled unclassified information and is exposed to the internal network. The CIO insists
the system must remain operational for 18 months until a replacement is funded.

A. Apply the latest available patches and accept the residual risk since the system will be
decommissioned within two years
B. Migrate the CUI data to a personal cloud storage account to remove it from the vulnerable
on-premises environment
C. Immediately disconnect the server from the network and rebuild the inventory application
on a supported platform
D. Segment the server into an isolated VLAN, implement continuous monitoring, and
document an approved plan of action with milestones

Correct Answer: D
Rationale: Network segmentation with continuous monitoring is the appropriate
compensating control for legacy systems that cannot be immediately patched, satisfying
NIST SP 800-171 requirements for system isolation and monitoring of unpatched assets.
Disconnecting the server immediately would disrupt critical business operations without an
approved transition plan, violating business continuity principles. Defense contractors must
understand that POA&M documentation is a CMMC requirement, not optional, and simply
accepting risk on CUI systems invites regulatory sanctions.

Question 4 of 50

A global manufacturing firm is implementing a new enterprise risk management framework
based on ISO 27005. The CISO needs to categorize security controls for a critical SCADA
environment that monitors chemical processing temperatures. The team has identified the
need for controls that prevent unauthorized physical access to the control room while also
ensuring operators can respond to temperature alarms without authentication delays.

A. Implement biometric access controls with mandatory two-person integrity for all control
room entries
B. Remove all physical access controls from the control room to ensure zero-delay operator
response to temperature anomalies
C. Deploy smart card readers on control room doors and require PIN-plus-card for every entry
regardless of alarm status
D. Install mantraps with biometric verification and establish emergency bypass procedures
for authenticated operators during critical alarms

Correct Answer: D
Rationale: Mantraps with biometric verification provide strong physical access prevention
while emergency bypass procedures maintain operational availability during critical safety
events, balancing security and safety in ICS environments. Removing all access controls
would violate NIST SP 800-82 and IEC 62443 physical security requirements for critical
infrastructure. Industrial security professionals must recognize that safety and security are
complementary disciplines; controls that compromise safety to achieve security or vice
versa introduce greater overall risk.

Question 5 of 50

A municipal water utility's vulnerability management program identifies 247 vulnerabilities
across its IT and OT networks during a quarterly scan. The utility has a three-person security
team and must prioritize remediation for a critical infrastructure environment where a
ransomware attack could disrupt water treatment operations. The utility is subject to AWIA
compliance requirements.

A. Prioritize all CVEs with a CVSS base score above 7.0 regardless of exploitability or asset
criticality
B. Remediate vulnerabilities on the corporate email server first since phishing is the most
common ransomware vector

C. Use a risk-based approach that weights CVSS scores against asset criticality, threat
intelligence, and operational impact to prioritize OT network vulnerabilities
D. Patch all vulnerabilities simultaneously using an automated deployment tool across both
IT and OT networks

Correct Answer: C
Rationale: Risk-based vulnerability prioritization that integrates CVSS with asset criticality
and threat intelligence is essential for resource-constrained critical infrastructure
organizations, aligning with CISA's Known Exploited Vulnerabilities catalog and AWIA risk
assessment requirements. Prioritizing solely by CVSS base score ignores environmental
metrics and exploitability, often causing teams to waste resources on theoretically severe
but practically unexploitable flaws. In OT environments, automated patching can cause
operational instability; each patch requires change management review and testing before
deployment.
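As an added illustration of the risk-based prioritization the rationale above describes (example code, not part of the exam or its publisher's material): a small scorer that weights CVSS by asset criticality, operational impact, OT exposure and CISA KEV listing, run over constructed scan findings. The weighting factors, host names and finding identifiers are assumptions for the example.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    host: str
    finding_id: str          # placeholder label, not a real CVE number
    cvss: float              # CVSS base score from the scanner
    network: str             # "OT" or "IT"
    asset_criticality: int   # 1 (low) .. 5 (safety-critical), set by the utility
    operational_impact: int  # 1 .. 5: consequence if this asset is disrupted
    in_kev: bool             # listed in CISA's Known Exploited Vulnerabilities catalog


def risk_priority(f: Finding) -> float:
    """Assumed weighting: CVSS scaled by asset criticality and operational impact,
    then boosted when the flaw is known-exploited and when it sits on the OT network."""
    score = f.cvss * (f.asset_criticality / 5) * (f.operational_impact / 5) * 10
    if f.in_kev:
        score *= 1.5    # threat intelligence: exploitation already observed in the wild
    if f.network == "OT":
        score *= 1.25   # OT disruption can stop treatment; patches need change review
    return round(score, 2)


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Remediation queue, highest risk first (the approach in option C)."""
    return sorted(findings, key=risk_priority, reverse=True)


def by_cvss_only(findings: List[Finding]) -> List[Finding]:
    """Ordering that option A would produce: base score alone."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


# Constructed sample findings for a small IT/OT estate (not real scan output).
SAMPLE = [
    Finding("hmi-01", "FINDING-A", 7.5, "OT", 5, 5, True),
    Finding("dev-jenkins", "FINDING-B", 9.8, "IT", 2, 2, False),
    Finding("mail-01", "FINDING-C", 8.1, "IT", 3, 3, True),
    Finding("scada-hist", "FINDING-D", 6.5, "OT", 4, 4, False),
    Finding("kiosk-lobby", "FINDING-E", 7.2, "IT", 1, 1, False),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{risk_priority(f):7.2f}  {f.host:12s} CVSS {f.cvss} {f.network} KEV={f.in_kev}")
```

The CVSS-only ordering puts the low-value build server first, while the weighted queue moves the known-exploited OT HMI and the historian ahead of it.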

Question 6 of 50

A multinational bank's business continuity plan is being tested following a regional
datacenter outage caused by a prolonged power failure. The BCP coordinator discovers that
while the disaster recovery site activated within four hours, the customer call center
remained offline for 14 hours because agents lacked remote access credentials and
supervisors had no contact tree for off-hours notification.

A. The gap indicates a business continuity failure rather than a disaster recovery failure,
requiring updates to the BCP including redundant communication channels and pre-staged
remote access
B. The four-hour DR site activation meets industry standards, so the 14-hour call center delay
is an acceptable deviation documented in the risk register
C. The bank should consolidate all BCP and DR functions into a single IT operations team to
eliminate coordination gaps between technology and business units
D. The call center delay is primarily a human resources issue and should be addressed
through additional staffing rather than plan revision

Correct Answer: A
Rationale: The 14-hour call center outage represents a business continuity failure distinct
from the successful technical disaster recovery activation, highlighting the common gap
between IT systems recovery and business process continuity. Business continuity planning
must address people, processes, and technology, including communication trees and
pre-provisioned remote access for critical functions. Organizations that conflate DR and BCP
often discover too late that their technology can recover while their business operations
remain paralyzed.

Question 7 of 50
