Chapter 5

Protection of Information Assets

Everything Meridian Corp failed to have in place — and everything Alex needs to understand.

Domain 5: Protection of Information Assets 27%

Week 5 — Alex and the CEO's Inbox

Monday morning. Alex arrives to find the CISO pacing. The CEO's email account was compromised over the weekend. A phishing email. The attacker spent 48 hours reading emails, forwarding selected messages to an external address, and sending a wire transfer request to Finance that almost got approved. Alex is pulled into the investigation. Domain 5 is everything she needs to understand — and everything Meridian Corp failed to have in place.

Part A Section 5.1

The CIA Triad

Scene 1 — The Three Pillars

Confidentiality, Integrity & Availability


Alex stares at the incident timeline on the whiteboard. The attacker read the CEO's emails — confidentiality breached. Modified one email before forwarding it — integrity breached. The CEO was locked out for six hours during remediation — availability breached. Three pillars. All three fell at once.

Three pillars representing Confidentiality, Integrity, and Availability

Confidentiality

Data is accessible only to authorised individuals. Prevents unauthorised disclosure.

  • Encryption
  • Access controls
  • Data classification

Integrity

Data is accurate, complete, and unaltered by unauthorised parties.

  • Hashing
  • Digital signatures
  • Change management

Availability

Systems and data are accessible when needed by authorised users.

  • Redundancy & failover
  • Backups
  • Disaster recovery
The Security Goal
Protect C + I + A = Information Security
Key Exam Tip

When ISACA asks which CIA property was violated, read carefully: data read by an attacker = confidentiality. Data modified = integrity. System taken offline = availability. Encryption protects confidentiality. Hashing protects integrity. Redundancy protects availability. These are different tools for different purposes — the exam tests whether you can match the tool to the property.

📰 Real World

The 2017 WannaCry ransomware attack simultaneously breached all three CIA properties: confidentiality (data accessed by attackers), integrity (files encrypted and corrupted), and availability (systems locked). 200,000 systems across 150 countries were affected, including 80 NHS trusts in the UK.

Test Yourself — CIA Triad
Q1. An attacker reads confidential emails from the CEO's inbox without modifying them. Which CIA property is PRIMARILY violated?
A. Integrity
B. Availability
C. Confidentiality
D. Non-repudiation
Correct: C
Reading without authorisation is a confidentiality breach. Integrity (A) would require modification. Availability (B) would require disruption. Non-repudiation (D) is not a CIA property — it is a separate concept related to digital signatures.
Q2. A ransomware attack encrypts all files on a server, making them inaccessible. Which CIA property is MOST affected?
A. Confidentiality
B. Availability
C. Integrity
D. Authentication
Correct: B
Ransomware primarily attacks availability — the data exists but cannot be accessed. The trap is A (confidentiality) — while the attacker may have read data, the primary impact of encryption-based ransomware is locking users out.
Q3. Which control BEST protects data integrity?
A. Encryption
B. Hashing and digital signatures
C. Firewalls
D. Backup tapes
Correct: B
Hashing verifies that data has not been altered; digital signatures prove who sent it and that it was not modified. Encryption (A) protects confidentiality. Firewalls (C) protect network perimeter. Backups (D) protect availability.

The CEO's emails were read. The first question: who let the attacker in?

Part A Section 5.2

Access Control

Scene 2 — Three Doors

Access Control Models


Alex pulls up the CEO's account settings. No MFA. Password: eight characters, his name and birth year. The access control policy requires 12-character passwords and MFA for all executives. The policy existed. The enforcement did not. Alex writes: 'Policy without enforcement is a suggestion.'

Three doors representing DAC, MAC, and RBAC access control models

DAC (Discretionary)

Owner decides who gets access. Most flexible, least secure.

  • Owner grants permissions
  • File sharing, ACLs
  • Common in workstations

MAC (Mandatory)

System enforces access based on labels. Most restrictive.

  • Classification levels
  • Security clearances
  • Government/military use

RBAC (Role-Based)

Access determined by job role. Most common in enterprises.

  • Roles assigned to users
  • Permissions tied to roles
  • Easiest to manage at scale

Key Principles

  • Least Privilege — Only the minimum access needed to perform the job
  • Need-to-Know — Access only the data required for a specific task
  • Separation of Duties — No single person controls an entire critical process
  • Defense in Depth — Multiple layers of security controls
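
The principles above are what a periodic access review checks for. The following is an added example, not part of the course material: a small role-based model with constructed roles, users and permissions, plus a review that flags privilege creep (roles left over from a previous department) and separation-of-duties conflicts.

```python
"""Role-based access review: flag privilege creep and separation-of-duties
conflicts. Added example for this chapter; the roles, users and permissions
below are constructed sample data, not a real organisation's configuration."""

from dataclasses import dataclass, field

# Each role belongs to one department and carries a set of permissions.
ROLES = {
    "ap_clerk":    {"dept": "finance", "perms": {"invoice.create", "invoice.read"}},
    "ap_approver": {"dept": "finance", "perms": {"invoice.approve", "invoice.read"}},
    "hr_analyst":  {"dept": "hr",      "perms": {"employee.read", "payroll.read"}},
    "it_helpdesk": {"dept": "it",      "perms": {"ticket.read", "ticket.update"}},
}

# Permission pairs no single person should hold at once (separation of duties:
# the person who creates a payment must not also approve it).
SOD_CONFLICTS = {frozenset({"invoice.create", "invoice.approve"})}


@dataclass
class User:
    name: str
    dept: str                               # current department
    roles: set = field(default_factory=set)


def effective_perms(user: User) -> set:
    """Union of the permissions granted by every role the user holds."""
    return set().union(*(ROLES[r]["perms"] for r in user.roles))


def privilege_creep(user: User) -> set:
    """Roles that belong to a department other than the user's current one.
    A transferred employee who kept old roles shows up here (least privilege)."""
    return {r for r in user.roles if ROLES[r]["dept"] != user.dept}


def sod_violations(user: User) -> set:
    """Conflicting permission pairs the user holds simultaneously."""
    perms = effective_perms(user)
    return {pair for pair in SOD_CONFLICTS if pair <= perms}


def access_review(users) -> dict:
    """Periodic access review: map each user to the findings an auditor would
    raise. Users with no findings are omitted from the result."""
    findings = {}
    for u in users:
        f = {}
        creep = privilege_creep(u)
        sod = sod_violations(u)
        if creep:
            f["privilege_creep"] = sorted(creep)
        if sod:
            f["sod_conflict"] = [sorted(p) for p in sod]
        if f:
            findings[u.name] = f
    return findings


# Constructed sample: Dana moved from Finance to HR but kept both AP roles.
SAMPLE_USERS = [
    User("dana", "hr", {"hr_analyst", "ap_clerk", "ap_approver"}),
    User("sam", "it", {"it_helpdesk"}),
    User("lee", "finance", {"ap_clerk"}),
]

if __name__ == "__main__":
    for name, f in access_review(SAMPLE_USERS).items():
        print(name, f)
```
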
Key Exam Tip

MAC is the most secure access control model because users cannot override it. RBAC is the most practical for large organisations. DAC is the least secure because the data owner can grant access at their discretion. When the exam asks which model provides the strongest protection, the answer is MAC. When it asks which is most commonly used in enterprises, the answer is RBAC.

📰 Real World

The 2021 Colonial Pipeline ransomware attack was enabled by a compromised VPN account with no MFA. The account was for an employee who had left the company — but the account was never disabled. One inactive, unprotected account shut down fuel supply to the US East Coast for 6 days.

Test Yourself — Access Control
Q1. The CEO's account had an 8-character password despite a policy requiring 12 characters. What is the MOST significant audit finding?
A. The password was too short
B. The access control policy is not being enforced
C. The CEO needs security training
D. The password complexity rules need updating
Correct: B
The policy existed but was not enforced — this is a control failure, not a policy gap. A is a symptom, not the root cause. C is secondary. D is wrong because the policy was adequate.
Q2. Which access control model is MOST appropriate for a government agency handling classified information?
A. DAC
B. RBAC
C. MAC
D. Rule-based
Correct: C
MAC uses security labels and clearance levels — mandatory, system-enforced, and the standard for classified government environments. DAC (A) allows user discretion. RBAC (B) is role-based but does not enforce classification labels.
Q3. An employee transfers departments but retains all previous access rights plus new ones. What principle is violated?
A. Separation of duties
B. Least privilege
C. Defense in depth
D. Need-to-know
Correct: B
Least privilege requires that users have only the minimum access necessary for their current role. Accumulating access across roles is called 'privilege creep' and violates least privilege. Access reviews should catch this.

The password failed. But how did the attacker get past the login without anyone noticing?

Part A Section 5.3

Authentication Methods

Scene 3 — The Vault with Three Locks

Three Factors of Authentication


Alex reviews the authentication logs. The attacker logged in from an IP in Eastern Europe. No geofencing. No anomaly detection triggered. The CEO had logged in from the same Singapore IP every day for three years. The system treated Eastern Europe as normal. One factor. No verification. No alarm.

A futuristic vault door with three authentication mechanisms
🧠 Mnemonic

"K-H-A": Know it (password), Have it (token), Are it (biometric). True MFA requires factors from at least two different categories, not just two passwords.

K: Something You Know

  • Passwords
  • PINs
  • Security questions
  • Passphrases

Weakest factor — can be guessed or stolen

H: Something You Have

  • Smart cards
  • Hardware tokens
  • Mobile device (OTP)
  • Security keys

Can be lost or stolen physically

A: Something You Are

  • Fingerprints
  • Iris/retina scan
  • Facial recognition
  • Voice patterns

Strongest factor — hardest to forge

Biometric Error Rates

  • FRR (Type I) — False Rejection Rate: rejects legitimate user
  • FAR (Type II) — False Acceptance Rate: accepts impostor
  • CER/EER — Crossover Error Rate: where FRR = FAR
  • Lower CER = more accurate biometric system
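
To make the FAR/FRR trade-off and the crossover concrete, here is an added example (not from the course): constructed match scores for genuine users and impostors, the FAR and FRR at each threshold, and the threshold where the two rates cross. The scores, the 0-100 scale and the "accept when score >= threshold" rule are assumptions.

```python
"""Compute FAR, FRR and the crossover (equal) error rate of a biometric
matcher from its match scores. Added example for this chapter; the scores
are constructed, not from a real sensor. Higher score = stronger match, and
a sample is accepted when its score is at or above the threshold."""

# Constructed match scores on a 0-100 scale.
GENUINE_SCORES = [95, 92, 88, 85, 83, 80, 78, 74, 70, 66]    # enrolled user vs own sample
IMPOSTOR_SCORES = [72, 68, 63, 60, 55, 50, 45, 40, 35, 30]   # enrolled user vs someone else


def far(threshold, impostor=IMPOSTOR_SCORES):
    """False Acceptance Rate (Type II): share of impostor samples accepted."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE_SCORES):
    """False Rejection Rate (Type I): share of legitimate samples rejected."""
    return sum(s < threshold for s in genuine) / len(genuine)


def error_table(thresholds, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """(threshold, FAR, FRR) at each candidate threshold, to see the trade-off:
    raising the threshold lowers FAR but raises FRR."""
    return [(t, far(t, impostor), frr(t, genuine)) for t in thresholds]


def crossover_error_rate(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Threshold where FAR and FRR are closest, and the CER/EER at that point.
    With discrete scores the two rarely match exactly, so take the threshold
    minimising |FAR - FRR| and report the mean of the two as the EER."""
    candidates = sorted(set(genuine) | set(impostor))
    best_t = min(candidates, key=lambda t: abs(far(t, impostor) - frr(t, genuine)))
    return best_t, (far(best_t, impostor) + frr(best_t, genuine)) / 2


if __name__ == "__main__":
    for t, a, r in error_table([60, 65, 70, 75, 80]):
        print(f"threshold {t}: FAR={a:.2f} FRR={r:.2f}")
    t, eer = crossover_error_rate()
    print(f"crossover at threshold {t}, EER={eer:.2f}")   # threshold 70, EER 0.10
```

A system with a lower EER on the same population is the more accurate one; the threshold an organisation actually deploys is usually set above the crossover, trading some false rejections for fewer false acceptances.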
Key Exam Tip

Two passwords is NOT multi-factor authentication — both are 'something you know.' True MFA combines factors from different categories. The CER (Crossover Error Rate) is the best single metric for biometric accuracy — lower is better. Type II errors (false acceptance) are more dangerous from a security perspective because they let impostors in.

📰 Real World

The LinkedIn breach, which occurred in 2012 but was only fully disclosed in 2016, exposed 117 million passwords, most stored as unsalted SHA-1 hashes that were crackable within hours. Strong authentication needs both strong password requirements AND strong credential storage; both failed.

Test Yourself — Authentication
Q1. An organisation requires employees to enter a password and a PIN to access the system. Is this multi-factor authentication?
A. Yes, because two credentials are required
B. No, because both are the same factor type
C. Yes, because PIN and password are different
D. No, because PINs are not secure
Correct: B
Both a password and a PIN are 'something you know' — single factor, two instances. MFA requires factors from at least two different categories (know + have, know + are, etc.).
Q2. Which biometric error is MORE dangerous from a security perspective?
A. Type I (False Rejection)
B. Type II (False Acceptance)
C. Crossover Error Rate
D. Both are equally dangerous
Correct: B
Type II (FAR) accepts impostors — a direct security breach. Type I (FRR) inconveniences legitimate users but does not compromise security. The exam consistently tests this distinction.
Q3. The CEO's account was accessed from Eastern Europe despite his usual login from Singapore. What control would have BEST detected this anomaly?
A. Stronger password policy
B. Multi-factor authentication
C. Geolocation-based anomaly detection
D. Annual access review
Correct: C
Geolocation-based anomaly detection flags logins from unusual locations. MFA (B) would have prevented the login, but the question asks what would have detected the anomaly. Stronger passwords (A) would not help against a stolen credential. Access reviews (D) are periodic, not real-time.
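
The detective control Q3 asks for, as an added example that is not part of the course: a baseline of the countries each user normally logs in from, and an alert when a successful login arrives from a country outside that baseline. The log lines are constructed and the 'timestamp user country ip result' format is an assumption, not any product's real log format.

```python
"""Geolocation-based login anomaly detection over authentication logs.
Added example for this chapter. Log lines are constructed, and the format
'timestamp user country ip result' is an assumption."""

from collections import Counter, defaultdict

# Constructed authentication log. The CEO logs in from Singapore (SG) every
# working day; the last line is the weekend login that no control flagged.
AUTH_LOG = """\
2024-03-04T08:02:11Z ceo SG 203.0.113.10 success
2024-03-05T08:05:42Z ceo SG 203.0.113.10 success
2024-03-06T07:58:03Z ceo SG 203.0.113.10 success
2024-03-07T08:01:27Z ceo SG 203.0.113.10 success
2024-03-08T08:03:55Z ceo SG 203.0.113.10 success
2024-03-04T09:15:00Z alex SG 203.0.113.22 success
2024-03-05T09:12:30Z alex SG 203.0.113.22 success
2024-03-06T21:40:09Z alex GB 198.51.100.7 success
2024-03-09T02:14:38Z ceo RO 192.0.2.44 success
"""


def parse(log_text):
    """Yield (timestamp, user, country, ip, result) tuples, skipping blank lines."""
    for line in log_text.splitlines():
        if line.strip():
            ts, user, country, ip, result = line.split()
            yield ts, user, country, ip, result


def build_baseline(events, min_logins=3):
    """Countries each user has successfully logged in from, with counts.
    A user needs at least `min_logins` successes before the baseline is trusted,
    otherwise every new joiner's first few logins would raise alerts."""
    seen = defaultdict(Counter)
    for ts, user, country, ip, result in events:
        if result == "success":
            seen[user][country] += 1
    return {u: c for u, c in seen.items() if sum(c.values()) >= min_logins}


def detect_anomalies(log_text, min_logins=3):
    """Flag successful logins from a country absent from the user's baseline.
    Events are processed in time order and the baseline is built only from
    earlier events, so the first login from a new country is flagged rather
    than silently learned as normal (rebuilt per event; fine for a demo)."""
    history, alerts = [], []
    for ev in sorted(parse(log_text)):          # ISO timestamps sort as strings
        ts, user, country, ip, result = ev
        baseline = build_baseline(history, min_logins).get(user)
        if result == "success" and baseline is not None and country not in baseline:
            alerts.append({"ts": ts, "user": user, "country": country, "ip": ip,
                           "usual": sorted(baseline)})
        history.append(ev)
    return alerts


if __name__ == "__main__":
    for a in detect_anomalies(AUTH_LOG):
        print(f"ALERT {a['ts']} {a['user']} from {a['country']} ({a['ip']}); usual: {a['usual']}")
```

With the default minimum of three prior logins only the CEO's Eastern European login is flagged; Alex's login from GB is not, because her baseline is too thin to trust yet, which is the tuning decision a real deployment has to make.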

The attacker got in. Now Alex needs to understand what they could read — and what should have been unreadable.

Part A Section 5.4

Encryption & Cryptography

Scene 4 — The Two Post Offices

Symmetric vs. Asymmetric Encryption


The emails the attacker read were not encrypted at rest. Wire transfer details — account numbers, amounts, beneficiary names — transmitted in plain text internally. Alex pulls the encryption policy: exists. Encryption implementation: partial. The policy said 'all sensitive data must be encrypted.' Nobody defined what 'sensitive' meant.

Two post offices comparing symmetric and asymmetric encryption
🧠 Mnemonic

"S = Same key, A = A pair": Symmetric uses the Same key for both parties (fast but key distribution is hard). Asymmetric uses A pair of keys, one public and one private (slower but solves key distribution).

S: Symmetric Encryption

One shared key for both encrypt & decrypt

  • AES (current standard)
  • DES / 3DES (legacy)
  • Fast — great for bulk data
  • Key distribution is the challenge
A: Asymmetric Encryption

Public key encrypts, private key decrypts

  • RSA, ECC, Diffie-Hellman
  • Solves key distribution
  • Slower — used for small data
  • Enables digital signatures

PKI & Digital Signatures

Hash the message → Encrypt the hash with the sender's private key = Digital Signature

Digital signatures provide integrity, authentication, and non-repudiation — but NOT confidentiality.

Hashing Algorithms

  • MD5 — 128-bit (deprecated, collision-prone)
  • SHA-1 — 160-bit (deprecated)
  • SHA-256 — 256-bit (current standard)
  • SHA-3 — Latest generation
Key Exam Tip

Digital signatures use the sender's private key (not public). The receiver verifies using the sender's public key. Hashing is one-way — you cannot reverse a hash to get the original data. SSL/TLS uses asymmetric encryption for key exchange, then symmetric for bulk data transfer (hybrid approach). Encryption provides confidentiality; digital signatures provide integrity. These are different tools for different purposes.

📰 Real World

In 2018, Marriott disclosed a breach affecting 500 million guest records, including 8.6 million unencrypted credit card numbers. The data had been sitting in an unencrypted Starwood database since 2014 — four years of exposure that encryption would have mitigated.

Test Yourself — Encryption
Q1. Emails containing wire transfer details were transmitted in plain text. What control would BEST protect this data?
A. Stronger firewall rules
B. Encryption of data in transit
C. Access control lists
D. Intrusion detection system
Correct: B
Plain text data in transit requires encryption (TLS, or S/MIME for email). Firewalls (A) control traffic flow but do not protect content. ACLs (C) control who can access, not how data moves. IDS (D) detects but does not protect content.
Q2. A digital signature provides which of the following?
A. Confidentiality and integrity
B. Integrity, authentication, and non-repudiation
C. Confidentiality and availability
D. Encryption and decryption
Correct: B
Digital signatures provide integrity (data not altered), authentication (verifies sender), and non-repudiation (sender cannot deny sending). They do NOT provide confidentiality — that requires encryption.
Q3. Which statement about symmetric and asymmetric encryption is CORRECT?
A. Symmetric is more secure than asymmetric
B. Asymmetric is faster than symmetric
C. Symmetric is faster and used for bulk data
D. Asymmetric cannot be used for digital signatures
Correct: C
Symmetric encryption is faster and used for bulk data. Asymmetric is slower but solves key distribution and enables digital signatures. Neither is universally 'more secure' — they serve different purposes.

The data was readable. Now Alex traces the attacker's exit route — how did the emails leave the building?

Part B Section 5.5

Network Security

Scene 5 — The Walled City

Network Defense Architecture


Alex checks the firewall logs. The attacker's exfiltration — forwarding emails to an external Gmail address — passed through the email gateway unchallenged. No DLP rule flagged large volumes of emails being forwarded externally. The wall had a gate. The gate was open. Nobody was watching.

A walled city with layered network defenses
🔥 Firewalls

  • Packet filtering
  • Stateful inspection
  • Application-layer (WAF)
  • Next-gen (NGFW)
👁 IDS (Detects)

  • Signature-based
  • Anomaly-based
  • Passive — alerts only
  • NIDS vs HIDS
🛑 IPS (Prevents)

  • Inline — blocks traffic
  • Active response
  • Can cause false positives
  • Real-time prevention

DMZ (Demilitarised Zone)

Buffer network between the internet and internal network. Hosts public-facing servers (web, email, DNS) while protecting the internal network.

DLP & Proxy Servers

DLP: Monitors and prevents sensitive data from leaving the network. Proxy: Intermediary that filters, caches, and hides internal IPs.
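
The rule the scene says was missing, as an added example that is not part of the course: a DLP-style check over mail gateway logs that fires when a sender forwards an unusual volume of mail to an external domain in a short window, or forwards any message carrying a Confidential or Restricted classification label. The log lines, the company domain and the label names are all constructed assumptions.

```python
"""DLP-style check on mail gateway logs. Added example for this chapter: the
log format, the company domain and the classification labels are assumptions,
and the log lines are constructed."""

from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"meridian.example"}            # assumed company domain
SENSITIVE_LABELS = {"Confidential", "Restricted"}   # labels that may never leave

# Constructed gateway log: timestamp, sender, recipient, classification label.
MAIL_LOG = """\
2024-03-09T01:02:00Z ceo@meridian.example cfo@meridian.example Internal
2024-03-09T01:10:00Z ceo@meridian.example drop.box@gmail.example Unclassified
2024-03-09T01:11:00Z ceo@meridian.example drop.box@gmail.example Unclassified
2024-03-09T01:12:00Z ceo@meridian.example drop.box@gmail.example Confidential
2024-03-09T01:13:00Z ceo@meridian.example drop.box@gmail.example Unclassified
2024-03-09T01:14:00Z ceo@meridian.example drop.box@gmail.example Unclassified
2024-03-09T01:15:00Z ceo@meridian.example drop.box@gmail.example Unclassified
2024-03-09T09:30:00Z alex@meridian.example auditor@partner.example Public
"""


def parse(log_text):
    """Return (timestamp, sender, recipient, label) rows, timestamps made aware."""
    rows = []
    for line in log_text.splitlines():
        if line.strip():
            ts, sender, rcpt, label = line.split()
            rows.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), sender, rcpt, label))
    return rows


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[1] not in INTERNAL_DOMAINS


def dlp_findings(log_text, max_external=5, window=timedelta(minutes=10)):
    """Alerts of type 'label' for any sensitive-labelled message sent outside
    the company, and 'volume' when one sender exceeds max_external external
    messages inside a sliding time window (fired once per crossing)."""
    alerts = []
    recent = defaultdict(list)        # sender -> timestamps of recent external sends
    for ts, sender, rcpt, label in sorted(parse(log_text)):
        if not is_external(rcpt):
            continue                  # internal mail is not the DLP's concern here
        if label in SENSITIVE_LABELS:
            alerts.append({"type": "label", "sender": sender, "to": rcpt, "ts": ts.isoformat()})
        q = recent[sender]
        q.append(ts)
        q[:] = [t for t in q if ts - t <= window]   # drop sends outside the window
        if len(q) == max_external + 1:
            alerts.append({"type": "volume", "sender": sender, "count": len(q), "ts": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for a in dlp_findings(MAIL_LOG):
        print(a)
```

Note that the five 'Unclassified' forwards are only caught by the volume rule: without a classification label the content-based rule has nothing to match, which is the point the Data Classification section makes.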

Key Exam Tip

IDS detects but does not block (detective control). IPS prevents and blocks (preventive control). The exam frequently tests this distinction. A stateful firewall tracks connections and is more secure than basic packet filtering. A firewall controls traffic based on rules — it cannot stop encrypted malware, social engineering, or attacks that use allowed ports. It is one layer, not the whole defence.

📰 Real World

The 2013 Target breach used the HVAC vendor's network access to reach the point-of-sale network. Proper network segmentation — a firewall rule separating vendor access from POS systems — would have contained the breach. Target paid $18.5 million in settlement.

Test Yourself — Network Security
Q1. Emails were forwarded to an external address without triggering any alerts. Which control would have BEST prevented this data exfiltration?
A. Firewall
B. IDS
C. DLP (Data Loss Prevention)
D. Antivirus
Correct: C
DLP monitors outbound data and can block or flag sensitive information leaving the network. Firewalls (A) control traffic by port/protocol but do not inspect email content. IDS (B) detects but does not prevent. Antivirus (D) scans for malware, not data leakage.
Q2. An IS auditor finds that the organisation's IDS generated 2,000 alerts last month, but the security team only investigated 50 due to staffing constraints. What should the auditor recommend FIRST?
A. Replace the IDS with an IPS to automatically block threats
B. Hire additional security staff to review all alerts
C. Tune the IDS rules to reduce false positives and prioritise high-risk alerts
D. Disable the IDS since most alerts are not investigated anyway
Correct: C
Tuning reduces alert fatigue by eliminating false positives, allowing the team to focus on genuine threats. The trap is A — an IPS would auto-block but could cause availability issues if the same noisy rules trigger blocking. Hiring (B) addresses staffing but not the root cause. Disabling (D) removes a critical detective control entirely.
Q3. Where should a public-facing web server be placed in the network architecture?
A. Internal network behind the firewall
B. DMZ
C. On the same subnet as the database server
D. Connected directly to the internet without a firewall
Correct: B
The DMZ is the buffer zone designed for public-facing servers. Internal network (A) exposes internal systems. Same subnet as database (C) violates segmentation. Direct internet (D) provides no protection.

The digital defences failed. But Alex is about to discover the physical ones are even worse.

Part B Section 5.6

Physical Security

Scene 6 — The Layered Data Center

Physical Security Controls


While investigating, Alex discovers the server room door propped open with a fire extinguisher for 'ventilation.' Three people who don't work in IT have a key. The CCTV above the server room has been offline for six weeks. Nobody noticed. Physical security is the foundation. Meridian's foundation has a crack.

Cross-section of a high-security data center showing layered defenses
Defense in Depth — Physical Layers
5 Server Room — Biometric locks, man-traps, locked racks
4 Building Interior — Key card access, visitor logs, escorts
3 Building Entrance — Security guards, reception, ID checks
2 Parking / Grounds — CCTV, motion sensors, lighting
1 Outer Perimeter — Fencing, bollards, gates, barriers

Environmental Controls

  • HVAC — temperature & humidity
  • Fire suppression (FM-200, inert gas)
  • Water/leak detection sensors
  • UPS & backup generators

Monitoring Controls

  • CCTV with recording & retention
  • Motion detectors
  • Security guard patrols
  • Visitor logs & badge systems
Key Exam Tip

A man-trap (airlock) is the strongest physical access control for preventing tailgating — only one person enters at a time. Water-based sprinklers damage equipment; prefer FM-200 or inert gas suppression for data centres. The IS auditor should verify that physical access logs are reviewed regularly and that CCTV is operational.

📰 Real World

In 2008, a thief walked into a Société Générale data centre by tailgating an employee through a secured door. Physical security controls — mantrap, badge-only access, CCTV — exist precisely because insider threats often begin with physical access.

Test Yourself — Physical Security
Q1. The server room door is propped open and CCTV has been offline for six weeks. What should the IS auditor report FIRST?
A. The CCTV vendor needs a new contract
B. Physical access controls are not operating effectively
C. The server room needs better ventilation
D. IT staff should be disciplined
Correct: B
The auditor reports the control failure: physical access controls are not operating effectively. This encompasses both the propped door and the offline CCTV. A is operational, not an audit finding. C accepts the workaround. D is a management action, not an audit recommendation.
Q2. During a physical security audit, an IS auditor observes that employees frequently hold the data centre door open for colleagues. Security awareness posters are displayed but ignored. What control should the auditor recommend as MOST effective?
A. Install additional security awareness posters
B. Implement disciplinary action for tailgating violations
C. Install a mantrap (airlock) entry system
D. Add CCTV cameras at the entrance
Correct: C
A mantrap physically prevents tailgating by allowing only one person through at a time — this is a preventive control. More posters (A) have already proven ineffective. Disciplinary action (B) is a deterrent but doesn't prevent the behaviour. CCTV (D) is detective, not preventive — it records tailgating but doesn't stop it.
Q3. Which fire suppression system is MOST appropriate for a data centre?
A. Water sprinkler
B. FM-200 (clean agent)
C. Foam system
D. Sand buckets
Correct: B
FM-200 and inert gas systems suppress fire without damaging electronic equipment. Water (A) causes as much damage as the fire. Foam (C) is for liquid fires. Sand (D) is not used in data centres.

The physical security was an embarrassment. But the original attack wasn't physical — it was psychological.

Part B Section 5.7

Malware & Threats

Scene 7 — The Threat Bestiary

Types of Malware & Social Engineering


The phishing email that compromised the CEO had no malware. Zero. It was a pure social engineering attack — a convincing email from 'IT Support' asking him to verify his credentials. The email gateway scanned for malware. It found none. Because social engineering has no signature. No payload. Just persuasion.

A fantasy bestiary showing cyber threats as creatures
🦠 Virus

Attaches to host files. Requires user action to spread. Modifies programs.

🐛 Worm

Self-replicating. No host needed. Spreads across networks automatically.

🐴 Trojan

Disguised as legitimate software. Opens backdoors. Does not self-replicate.

Ransomware

Encrypts victim's data and demands payment for decryption key. Prevention: regular backups, user training, patching.

Social Engineering

  • Phishing — Fake emails/sites to steal credentials
  • Spear phishing — Targeted at specific individuals
  • Pretexting — Creating a fabricated scenario
  • Tailgating — Following authorised person through door
Key Exam Tip

A worm is the most dangerous self-propagating malware because it spreads without user action. The key distinction: viruses need a host, worms don't. For ransomware, the best recovery strategy is tested offline backups. Social engineering attacks are best countered by security awareness training, not technical controls. No antivirus can stop an employee from willingly entering their password.

📰 Real World

The 2016 Bangladesh Bank heist netted $81 million through pure social engineering — fraudulent SWIFT payment instructions with no malware. The attackers had studied Bangladeshi banking communication patterns for months. No antivirus would have stopped it.

Test Yourself — Malware & Threats
Q1. The phishing email that compromised the CEO contained no malware. Why did the email gateway fail to catch it?
A. The gateway was misconfigured
B. Phishing emails always bypass gateways
C. Social engineering attacks have no technical signature to detect
D. The email came from a whitelisted domain
Correct: C
Pure social engineering has no malware payload, no malicious attachment, and no technical signature for a gateway to detect. The email was 'legitimate' in form — only the intent was malicious. This is why training matters more than technology for social engineering.
Q2. An IS auditor observes that malware rapidly spread across the organisation's network without any user interaction — no email attachments were opened and no files were downloaded. What type of malware is MOST likely responsible?
A. Trojan horse
B. Worm
C. Virus
D. Spyware
Correct: B
Worms self-replicate and spread across networks without requiring user action or a host file. Trojans (A) disguise themselves as legitimate software and require user execution. Viruses (C) need a host file and typically require user interaction to spread. Spyware (D) monitors activity but doesn't typically self-propagate across networks.
Q3. An IS auditor discovers that despite having advanced email filtering, anti-malware, and endpoint detection tools, three executives fell victim to a targeted spear-phishing attack last quarter. What should the auditor identify as the PRIMARY control gap?
A. The email filtering rules need to be updated
B. The anti-malware signatures are out of date
C. Security awareness training is insufficient or ineffective
D. The endpoint detection system failed to block the attack
Correct: C
Social engineering exploits human behaviour, not technical vulnerabilities. When technical controls are in place but users still fall victim, the primary gap is security awareness. Updated filters (A), signatures (B), and endpoint detection (D) address technical threats but cannot prevent a user from voluntarily disclosing credentials or clicking a convincing link.

The attacker used persuasion, not code. But the system they attacked had known weaknesses nobody fixed.

Part B Section 5.8

Vulnerability Management

Scene 8 — The Cyber Doctor

Vulnerability Assessment, Pen Testing & Patching


Alex pulls the vulnerability scan report. The email server has three unpatched vulnerabilities, two rated HIGH. The patch was available three months ago. The patching SLA requires HIGH vulnerabilities to be patched within 30 days. Ninety days. Three times over the deadline. The doctor diagnosed the disease. Nobody administered the cure.

A cybersecurity doctor examining a server patient
Vulnerability Management Lifecycle

  1. Discover: Identify assets and scan for vulnerabilities
  2. Prioritise: Rank by severity (CVSS) and business impact
  3. Remediate: Apply patches, update configs, or accept risk
  4. Verify: Rescan to confirm fixes are effective

🔍 Vulnerability Assessment

Automated scanning to identify weaknesses. Non-invasive. Produces a list of vulnerabilities ranked by severity.

Finds the doors — doesn't try to open them

⚔️ Penetration Testing

Simulated attack to exploit weaknesses. Invasive. Proves real-world impact. Requires written authorisation.

Tries to open the doors and walk in

Patch Management Process

Monitor for patches → Test in non-production → Schedule deployment → Deploy & verify → Document
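
The Prioritise and Verify steps of the lifecycle, and the SLA check Alex performs in the scene, as an added example that is not part of the course: scan findings are mapped to a CVSS v3 severity band, compared against a patching SLA, and sorted worst first. The findings, hosts, dates and SLA table are constructed; the CVSS v3 bands are the standard ones.

```python
"""Prioritise scan findings by CVSS band and check them against the patching
SLA. Added example for this chapter; the findings and the SLA table are
constructed. The CVSS v3 severity bands are the standard ones:
Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0."""

from datetime import date

# Days allowed from patch availability to deployment, per severity (assumed policy).
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}


def cvss_severity(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity band."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def sla_status(finding: dict, today: date) -> dict:
    """Annotate one finding with severity, SLA status and days overdue.
    A finding with no vendor patch yet has no SLA clock running: it must be
    mitigated another way or formally risk-accepted by management."""
    sev = cvss_severity(finding["cvss"])
    out = {"id": finding["id"], "host": finding["host"], "severity": sev, "overdue_days": 0}
    if finding.get("patched"):
        out["status"] = "remediated"          # Verify step: rescan confirmed the fix
    elif finding.get("patch_available") is None:
        out["status"] = "no_patch"
    else:
        age = (today - finding["patch_available"]).days
        out["overdue_days"] = max(0, age - SLA_DAYS.get(sev, 0))
        out["status"] = "sla_breached" if out["overdue_days"] > 0 else "within_sla"
    return out


def sla_report(findings, today: date) -> list:
    """All findings annotated, worst first: most days overdue, then highest CVSS."""
    rows = [sla_status(f, today) for f in findings]
    score = {f["id"]: f["cvss"] for f in findings}
    return sorted(rows, key=lambda r: (-r["overdue_days"], -score[r["id"]]))


# Constructed scan output mirroring the scene: two HIGH findings on the mail
# server whose patch came out 90 days ago, against a 30-day SLA.
TODAY = date(2024, 3, 11)
FINDINGS = [
    {"id": "F-1", "host": "mail01", "cvss": 8.1, "patch_available": date(2023, 12, 12)},
    {"id": "F-2", "host": "mail01", "cvss": 7.5, "patch_available": date(2023, 12, 12)},
    {"id": "F-3", "host": "mail01", "cvss": 5.3, "patch_available": date(2024, 2, 1)},
    {"id": "F-4", "host": "web01", "cvss": 9.8, "patch_available": date(2024, 3, 1), "patched": True},
    {"id": "F-5", "host": "web01", "cvss": 6.5, "patch_available": None},
]

if __name__ == "__main__":
    for r in sla_report(FINDINGS, TODAY):
        print(r)
```
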
Key Exam Tip

Penetration testing requires written management authorisation before starting — this is non-negotiable. Vulnerability assessments are broader (find all weaknesses); pen tests are deeper (prove exploitability). Patches should always be tested in a non-production environment before deployment. Vulnerability assessment identifies and classifies. Penetration testing actively exploits. They are NOT the same.

📰 Real World

The 2017 Equifax breach exploited Apache Struts CVE-2017-5638, a vulnerability for which a patch had been available for 2 months. Equifax's internal scan flagged it. The patching SLA was not followed. 147 million people's data was exposed.

Test Yourself — Vulnerability Management
Q1. The email server has two HIGH-severity vulnerabilities unpatched for 90 days against a 30-day SLA. What is the MOST significant audit finding?
A. The vulnerability scanner needs recalibrating
B. The patching SLA is not being met
C. The email server needs to be replaced
D. HIGH vulnerabilities are acceptable risk
Correct: B
The SLA exists and is being violated — this is a compliance failure with the organisation's own policy. A is deflection. C is excessive. D requires formal risk acceptance by management, which has not occurred.
Q2. An IS auditor reviews the results of a quarterly vulnerability scan that identified 47 high-severity findings. The IT team states they also conducted a penetration test last month that found no critical issues. What should the auditor conclude?
A. The penetration test result overrides the vulnerability scan — no action needed
B. The vulnerability scan likely produced false positives that can be ignored
C. The vulnerability findings require remediation regardless of penetration test results, as both assessments serve different purposes
D. A new penetration test should be conducted to resolve the conflict
Correct: C
Vulnerability assessments identify known weaknesses broadly; penetration tests attempt to exploit specific paths. A pen test finding "no critical issues" means the tester didn't find an exploitable chain — it doesn't mean vulnerabilities don't exist. Both serve complementary purposes. Assuming the scan is wrong (B) or that the pen test overrides it (A) ignores the different purposes of each assessment.
Q3. Before conducting a penetration test, what must the IS auditor obtain FIRST?
A. A vulnerability scan report
B. Written management authorisation
C. Insurance coverage
D. A list of all IP addresses
Correct: B
Written authorisation is mandatory before any penetration testing. Without it, the tester could face legal liability. A is helpful but not required first. C and D are operational concerns, not prerequisites.

The vulnerabilities were known. The patches were available. The response was too slow. What about the response to the actual attack?

Part C Section 5.9

Security Incident Response

Scene 9 — The Cyber Crime Scene

SIEM, Forensics & Chain of Custody


The CISO's incident response was swift on containment — account locked, password reset, forensics engaged. But the chain of custody for the forensic evidence was broken: three people accessed the CEO's laptop before the forensic image was taken. Alex watches from the side. Her job is to observe and document, not participate. Independence matters — even in a crisis.

A crime scene investigation timeline with five phases
Incident Response Phases

  1. Preparation: Plan, team, tools, procedures
  2. Identification: Detect & confirm the incident
  3. Containment: Limit the damage & scope
  4. Eradication: Remove the root cause
  5. Recovery: Restore normal operations
  6. Lessons Learned: Post-incident review

📊 SIEM

Security Information and Event Management. Aggregates logs from all systems, correlates events, and generates real-time alerts.

  • Centralised log management
  • Real-time correlation
  • Compliance reporting
🔬 Digital Forensics

Preserving and analysing digital evidence for investigation.

  • Create forensic image (bit-by-bit copy)
  • Work on copy, never original
  • Document everything

Chain of Custody Requirements

  • Who collected the evidence
  • When it was collected
  • Where it was stored
  • Who had access at each transfer
  • What changes (if any) were made
  • Unbroken chain = admissible in court
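
What an unbroken chain looks like in practice, as an added example that is not part of the course: the forensic image is verified against the original by hash, and each custody entry (who, when, where, what was done, what changed) is hash-linked to the previous one so that an altered, removed or reordered entry, or evidence whose hash changed between hand-overs, fails verification. The evidence bytes and entries are constructed and the log fields are an assumption.

```python
"""Verify a forensic image against the original and keep a tamper-evident
chain-of-custody log. Added example for this chapter: the evidence bytes
and custody entries are constructed, and the log fields are an assumption."""

import hashlib
import json
from datetime import datetime, timezone


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_image(original: bytes, image: bytes) -> bool:
    """A bit-by-bit image must hash identically to the original. Analysts
    then work on the image; the original is sealed and never touched again."""
    return sha256(original) == sha256(image)


class CustodyLog:
    """Every entry records who, when, where, what was done and what changed,
    plus the evidence hash at that moment and the hash of the previous entry,
    so an edited, removed or out-of-order entry breaks the chain on verify()."""

    def __init__(self, evidence_id: str, evidence: bytes, collector: str, location: str):
        self.evidence_id = evidence_id
        self.entries = []
        self._append(evidence, collector, location, "collected", "none")

    def _append(self, evidence, handler, location, action, changes):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "evidence_id": self.evidence_id,
            "handler": handler,                                # who
            "time": datetime.now(timezone.utc).isoformat(),   # when
            "location": location,                              # where
            "action": action,                                  # what was done
            "changes": changes,                                # what changed, if anything
            "evidence_hash": sha256(evidence),
            "prev_entry_hash": prev,
        }
        entry["entry_hash"] = sha256(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)

    def transfer(self, evidence, handler, location, action="transferred", changes="none"):
        """Record a hand-over; the receiving party re-hashes the evidence."""
        self._append(evidence, handler, location, action, changes)

    def verify(self) -> bool:
        """Recompute every entry hash and back-link. True only when the chain
        is unbroken and the evidence hash never changed between entries."""
        prev = "0" * 64
        first = self.entries[0]["evidence_hash"]
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_entry_hash"] != prev:
                return False
            if sha256(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            if e["evidence_hash"] != first:
                return False
            prev = e["entry_hash"]
        return True


if __name__ == "__main__":
    evidence = b"constructed laptop disk contents"
    log = CustodyLog("EV-001", evidence, collector="alex", location="evidence locker")
    log.transfer(evidence, "forensics lab", "lab bench", action="imaged")
    print("image matches:", verify_image(evidence, bytes(evidence)))
    print("chain intact:", log.verify())
```
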
Key Exam Tip

The first priority during an incident is containment (after identification). Evidence preservation is critical — always create a bit-by-bit forensic copy and work on the copy, never the original. If chain of custody is broken, evidence may be inadmissible in court. The auditor's role in incident response is to observe and document, not participate in operational response. Participation compromises independence.

📰 Real World

The 2013 Target breach persisted for 16 days after the security team received FireEye alerts — because the incident response process didn't have clear escalation criteria for acting on alerts. Detection without response is not security.

Test Yourself — Incident Response
Q1. Three people accessed the CEO's laptop before a forensic image was taken. What is the MOST significant impact?
A. The investigation will take longer
B. The chain of custody is broken and evidence may be inadmissible
C. The laptop needs to be replaced
D. The three people are suspects
Correct: B
Chain of custody requires that evidence be preserved in its original state. Multiple people accessing the laptop before imaging means the evidence may be contaminated and inadmissible in legal proceedings.
Q2. What is the IS auditor's role during an active security incident?
A. Help contain the breach
B. Lead the incident response team
C. Observe and document the response process
D. Reset compromised passwords
Correct: C
The auditor maintains independence by observing and documenting, not participating in operational response. Helping contain (A) or leading response (B) compromises independence. Password resets (D) are IT operations.
Q3. After containing an incident, what is the NEXT phase?
A. Recovery
B. Lessons learned
C. Eradication
D. Preparation
Correct: C
The sequence is: Identification → Containment → Eradication → Recovery → Lessons Learned. After containment, the root cause must be eradicated before systems are restored.

The response was fast but messy. Now Alex asks the harder question: why was this data so easy to steal?

Part C Section 5.10

Data Classification

Scene 10 — The Grand Library

Data Classification Levels

The emails the attacker read included board minutes, M&A discussions, and personal employee data. None of it was classified. If it had been classified as Confidential or Restricted, DLP controls would have triggered on exfiltration. Without classification, every email looked the same to the system. Top secret and lunch orders — all treated equally.

A grand library with sections of increasing security
🧠 Mnemonic

"PICS": Public (open shelves), Internal (behind the desk), Confidential (locked room), Secret/Top Secret (the vault). Each level up means stricter controls and fewer people with access.

Classification Comparison

  Aspect   | Government   | Private Sector
  ---------|--------------|--------------------------
  Highest  | Top Secret   | Confidential / Restricted
  High     | Secret       | Private
  Medium   | Confidential | Sensitive / Internal
  Lowest   | Unclassified | Public

Data Owner (Senior Management)

  • Determines classification level
  • Defines who can access the data
  • Ultimately responsible for data protection

Data Custodian (IT Department)

  • Implements controls defined by owner
  • Manages backups and storage
  • Day-to-day technical safeguards
Key Exam Tip

The data owner (business management) determines classification — NOT IT. The data custodian (IT) implements controls. This distinction is heavily tested. Data classification is a business responsibility. Without classification, DLP controls cannot be calibrated, and staff do not know how to handle sensitive data.
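An added example, not the chapter's own material, showing why DLP depends on the owner's labels: the same egress rule is run over the forwarded inbox three times, once with labels, once with unlabelled mail treated as Public and once with it treated as Confidential. Domain names, subjects, recipients and levels are constructed for the example.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional

INTERNAL_DOMAIN = "meridian.example"   # constructed stand-in for the company mail domain
OUTSIDE = "drop@attacker-mail.example"  # constructed mailbox the attacker's forward rule used

class Level(IntEnum):
    # Private-sector scale from the comparison table, lowest to highest.
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3

@dataclass(frozen=True)
class Message:
    subject: str
    recipient: str
    label: Optional[Level]  # None: the data owner never classified it

def is_external(address: str) -> bool:
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)

def dlp_decision(msg: Message, unlabelled_as: Level) -> str:
    # Egress rule the custodian (IT) enforces; the label itself is the owner's decision.
    level = msg.label if msg.label is not None else unlabelled_as
    if not is_external(msg.recipient):
        return "allow"       # stays inside the company
    if level >= Level.CONFIDENTIAL:
        return "block"       # Confidential / Restricted never leaves by plain email
    if level == Level.INTERNAL:
        return "quarantine"  # hold for a human reviewer
    return "allow"

def evaluate(messages, unlabelled_as: Level = Level.PUBLIC) -> dict:
    return {f"{m.subject} -> {m.recipient}": dlp_decision(m, unlabelled_as) for m in messages}

def blocked_count(messages, unlabelled_as: Level = Level.PUBLIC) -> int:
    return sum(d == "block" for d in evaluate(messages, unlabelled_as).values())

# Constructed inbox: what the attacker's forwarding rule tried to push outside, plus one
# legitimate internal copy of the board minutes.
LABELLED = [
    Message("Board minutes Q3", OUTSIDE, Level.RESTRICTED),
    Message("Project Falcon M&A term sheet", OUTSIDE, Level.CONFIDENTIAL),
    Message("Salary review - J. Tan", OUTSIDE, Level.CONFIDENTIAL),
    Message("Town hall slides", OUTSIDE, Level.INTERNAL),
    Message("Friday lunch order", OUTSIDE, Level.PUBLIC),
    Message("Board minutes Q3", "cfo@meridian.example", Level.RESTRICTED),
]
UNLABELLED = [Message(m.subject, m.recipient, None) for m in LABELLED]  # same mail, no labels

def calibration_problem() -> tuple:
    # Blocked counts for: labelled inbox; unlabelled treated as Public (everything leaks);
    # unlabelled treated as Confidential (lunch orders blocked too). No default is right.
    return (blocked_count(LABELLED), blocked_count(UNLABELLED),
            blocked_count(UNLABELLED, Level.CONFIDENTIAL))
```

With labels, exactly the three sensitive messages are stopped and the internal copy still flows; without labels the rule can only leak everything or block everything, which is the calibration problem the exam tip describes.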

📰 Real World

The 2014 Sony Pictures breach exposed classified internal documents — executive emails, salary data, unreleased films — because Sony had no data classification system. Without classification, DLP controls cannot be calibrated, and staff don't know how to handle sensitive data.

Test Yourself — Data Classification
Q1. Board minutes and M&A discussions were exfiltrated because they were not classified. Who is PRIMARILY responsible for classifying this data?
A. The IT department
B. The IS auditor
C. The business data owner
D. The CISO
Correct: C
Data classification is a business responsibility. The data owner (senior management/business unit) determines sensitivity. IT implements the controls. The auditor assesses, not classifies. The CISO advises but does not own the data.
Q2. Without data classification, which security control is MOST impaired?
A. Firewalls
B. Data Loss Prevention (DLP)
C. Antivirus
D. Physical access controls
Correct: B
DLP relies on classification labels to determine what data can leave the network. Without classification, DLP cannot distinguish board minutes from lunch orders. Firewalls (A), antivirus (C), and physical controls (D) operate independently of classification.
Q3. What is the CORRECT relationship between data owner and data custodian?
A. The custodian determines classification; the owner implements controls
B. The owner determines classification; the custodian implements controls
C. Both share equal responsibility for classification
D. The IS auditor determines classification for both
Correct: B
The owner (business) classifies. The custodian (IT) implements. This is the standard separation tested on every CISA exam.

The data was unclassified and unprotected. But some of it triggers legal obligations that nobody at Meridian has considered.

Part C Section 5.11

Privacy & Compliance

Scene 11 — The Privacy Courthouse

GDPR, Data Protection & Privacy by Design

The breach included personal data of employees — salary information, performance reviews forwarded in emails. Under PDPA (Singapore) and GDPR (for EU employees), this is a notifiable breach. Meridian has 72 hours from discovery to notify. The clock started when the CISO confirmed the breach. It is already ticking. Alex checks: nobody has started the notification process.

A European courthouse with privacy shield emblem and GDPR pillars
GDPR Key Principles

Lawfulness

Data must be processed lawfully, fairly, and transparently.

Purpose Limitation

Collected for specified, explicit, and legitimate purposes only.

Data Minimisation

Only collect what is adequate, relevant, and necessary.

Accuracy

Personal data must be accurate and kept up to date.

Storage Limitation

Kept only as long as necessary for the stated purpose.

Integrity & Confidentiality

Appropriate security measures to protect personal data.

Data Subject Rights (GDPR)

  • Right to access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to data portability
  • Right to object to processing

Key Roles & Requirements

  • Data Controller — Determines purpose & means of processing
  • Data Processor — Processes data on behalf of controller
  • DPO — Data Protection Officer (mandatory for some orgs)
  • 72-hour breach notification requirement
Key Exam Tip

Under GDPR, the data controller bears primary responsibility, not the processor. Breach notifications must be made within 72 hours. Know the difference between Privacy by Design (building privacy in from the start) and Privacy by Default (strictest settings are the default). The "right to be forgotten" means data subjects can request deletion of their personal data.

📰 Real World

British Airways was fined £20 million by the UK ICO for a 2018 breach affecting 400,000 customers. The fine reflected failure to implement appropriate technical measures — encryption, access controls, and monitoring — not just the breach itself.

Test Yourself — Privacy & Compliance
Q1. Employee salary and performance data was exposed in the breach. Under GDPR, how quickly must Meridian notify the supervisory authority?
A. 24 hours
B. 48 hours
C. 72 hours
D. 7 days
Correct: C
GDPR requires notification to the supervisory authority within 72 hours of becoming aware of a breach involving personal data. This is one of the most-tested numbers on the CISA exam.
Q2. Who bears PRIMARY responsibility for GDPR compliance?
A. The data processor
B. The data controller
C. The data protection officer
D. The IT department
Correct: B
The data controller determines the purpose and means of processing and bears primary responsibility. The processor acts on the controller's instructions. The DPO advises. IT implements.
Q3. An employee requests that all their personal data be deleted. Under GDPR, this is known as the:
A. Right to access
B. Right to portability
C. Right to erasure
D. Right to rectification
Correct: C
The right to erasure (also called the 'right to be forgotten') allows data subjects to request deletion of their personal data under certain conditions.

The legal clock is ticking. But how did this all start? One click. One person. One moment of inattention.

Part C Section 5.12

Security Awareness Training

Scene 12 — The Weakest Link Classroom

The Human Element & Training Programs

Alex interviews the CEO. He received the phishing email on his phone, was in a hurry, and clicked without thinking. 'I thought it was real,' he says. The last security awareness training at Meridian Corp was 18 months ago. It was a 20-minute video. Nobody checked if anyone watched it. The strongest firewall cannot stop a CEO in a hurry.

A classroom teaching security awareness with a human figure as the weakest link
🧠 Mnemonic

"People are the weakest link" — The strongest firewall cannot stop an employee from clicking a phishing link. Technical controls protect systems; training protects humans. Security is only as strong as its least informed user.

Awareness Program Elements

  • New employee orientation security training
  • Annual refresher courses
  • Simulated phishing campaigns
  • Security newsletters & reminders
  • Role-specific training for IT staff

Training Must Cover

  • Password hygiene & MFA
  • Recognising phishing attempts
  • Reporting suspicious activity
  • Clean desk policy
  • Data handling & classification
  • Acceptable use policy

Measuring Effectiveness

  • Phishing simulation click rates (should decrease over time)
  • Number of security incidents reported by employees
  • Training completion rates
  • Post-training quiz scores
Key Exam Tip

Security awareness training is the most effective control against social engineering attacks. The exam often asks: 'What is the BEST way to prevent phishing?' — the answer is user training, not a technical control. Training should be mandatory, regular, and measured for effectiveness. Security is everyone's responsibility — training must be mandated and monitored by management, not just delivered by IT. Tone from the top matters.

📰 Real World

The 2016 US election hack on John Podesta's email began with a phishing email. His IT staffer called it 'legitimate' (he meant 'illegitimate' — a typo). Podesta clicked. No security awareness training, no simulated phishing programme. One click changed the course of an election.

Test Yourself — Security Awareness
Q1. Meridian's last security training was 18 months ago and completion was not verified. What is the MOST significant finding?
A. The training content is outdated
B. Security awareness training is not being conducted regularly or measured for effectiveness
C. The CEO should have known better
D. The training should be delivered by an external vendor
Correct: B
The finding covers both frequency (18 months, not annual) and measurement (no verification of completion). A is secondary. C is not an audit finding. D is a recommendation, not a finding.
Q2. An IS auditor is evaluating the organisation's security awareness programme. The CISO presents data showing 95% training completion rates, but the auditor notes that phishing simulation click rates have remained at 30% for three consecutive quarters. What should the auditor conclude?
A. The programme is effective because completion rates are high
B. The training content or delivery method is not changing employee behaviour effectively
C. The phishing simulations are too difficult and should be made easier
D. The 30% click rate is acceptable for most organisations
Correct: B
High completion rates mean people attended; unchanged phishing click rates mean behaviour hasn't improved. The goal of awareness training is behavioural change, not just attendance. The trap is A — confusing activity metrics (completion) with outcome metrics (actual behaviour). Making tests easier (C) masks the problem. Accepting 30% (D) ignores the risk.
Q3. The CEO clicked a phishing link on his phone. Which control would have been MOST effective in preventing this?
A. Mobile device management (MDM)
B. Stronger email filtering
C. Regular simulated phishing training for executives
D. Blocking personal email on company devices
Correct: C
The email bypassed filters (it had no malware). MDM (A) manages devices but does not prevent clicks. Stronger filtering (B) may not catch sophisticated phishing. Blocking personal email (D) is irrelevant — this was his corporate email. Only training changes behaviour.
Alex closes the investigation file.

One phishing email. Twelve security failures. Alex's investigation report maps every gap at Meridian Corp: missing MFA, weak passwords, no encryption, no DLP, broken physical security, unpatched vulnerabilities, broken chain of custody, unclassified data, missed notification deadlines, and no effective training. She knows now that information security is not a single control — it is a system. When any part fails, the whole system is exposed. Domain 5 taught her that protection is not a product. It is a practice.

✓ CIA Triad ✓ Access Control ✓ Authentication ✓ Encryption ✓ Network Security ✓ Physical Security ✓ Malware & Threats ✓ Vulnerability Mgmt ✓ Incident Response ✓ Data Classification ✓ Privacy & Compliance ✓ Security Awareness

Top 10 Exam Traps — Domain 5

1. ❌ "Encryption ensures confidentiality AND integrity"
   ✓ Encryption provides confidentiality. Digital signatures provide integrity. Hashing provides integrity verification. These are different tools for different purposes.

2. ❌ "A firewall prevents all network attacks"
   ✓ A firewall controls traffic based on rules — it cannot stop encrypted malware, social engineering, or attacks that use allowed ports. It is one layer, not the whole defence.

3. ❌ "The auditor's job in incident response is to help contain the breach"
   ✓ The auditor maintains independence — they observe and document, but do not participate in operational response. Participation compromises independence.

4. ❌ "Strong passwords make authentication secure"
   ✓ Passwords alone are 'something you know' — single-factor. MFA combines factors (know + have + are) and is significantly stronger. ISACA strongly prefers MFA in exam scenarios.

5. ❌ "Data classification should be done by IT"
   ✓ Data classification is a BUSINESS responsibility — the business owner determines sensitivity. IT implements controls based on classification.

6. ❌ "Symmetric encryption is more secure than asymmetric"
   ✓ They serve different purposes. Symmetric is faster (bulk data). Asymmetric is used for key exchange and digital signatures. Neither is universally 'more secure.'

7. ❌ "IDS prevents intrusions"
   ✓ IDS detects and alerts — it is a detective control. Only IPS can actively block. An organisation with only IDS knows it was attacked; it did not prevent the attack.

8. ❌ "Security awareness training is an IT responsibility"
   ✓ Security is everyone's responsibility — training must be mandated and monitored by management, not just delivered by IT. Tone from the top matters.

9. ❌ "Residual risk is what's left after controls are implemented"
   ✓ Correct — but ISACA also tests that residual risk must be formally accepted by management. Acceptance without documentation is not acceptable risk acceptance.

10. ❌ "Penetration testing and vulnerability assessment are the same"
   ✓ Vulnerability assessment identifies and classifies vulnerabilities. Penetration testing actively exploits them to prove impact. Pen testing requires explicit written authorisation.