CISA Exam Dumps and Braindumps

All questions come from my CISA Udemy course and certificationexams.pro
Free CISA Exam Topics Test
Despite the title of this article, this is not a CISA Braindump in the traditional sense.
I do not believe in cheating. Traditionally, the term “braindump” referred to someone taking an exam, memorizing the questions, and sharing them online for others to use. That practice is unethical and violates the ISACA certification agreement. It provides no integrity, no real learning, and no professional growth.
This is not a CISA Braindump.
All of these questions come from my ISACA CISA Udemy course and from the certificationexams.pro website, which offers hundreds of free CISA Practice Questions.
ISACA Exam Simulator
Each question has been carefully written to align with the official ISACA Certified Information Systems Auditor exam objectives. They mirror the tone, logic, and technical depth of real ISACA exam scenarios, but none are copied from the actual test.
Every question is designed to help you learn, reason, and master CISA concepts such as IT governance, risk management, audit processes, and information system control practices in the right way.
If you can answer these questions and understand why the incorrect options are wrong, you will not only pass the real ISACA exam but also gain a solid understanding of how to evaluate, control, and ensure the reliability of enterprise information systems.
So if you want to call this your CISA Exam Dump, that is fine, but remember that every question here is built to teach, not to cheat.
Each item includes detailed explanations, realistic examples, and insights that help you think like an information systems auditor during the exam. Study with focus, practice consistently, and approach your certification with integrity.
Success as a CISA professional comes not from memorizing answers but from understanding how governance, audit planning, and risk management work together to protect and strengthen business operations. Use the CISA Exam Simulator and the CISA Practice Test to prepare effectively and move closer to earning your certification.
ISACA Exam Simulator Questions
Question 1
Which of the following scenarios best illustrates a social engineering attack?
- ❏ A. Cloud Security Command Center
- ❏ B. Removing backup files from the corporate servers
- ❏ C. Planting a covert backdoor into an application
- ❏ D. An employee is deceived into revealing sensitive company information
Question 2
For a transactional database, what does a thirty-minute Recovery Point Objective indicate?
- ❏ A. Replication lag between primary and replica
- ❏ B. Maximum allowable data loss measured as thirty minutes
- ❏ C. Backup or snapshot frequency
Question 3
While auditing the test phase of a newly deployed application at Lumen Financial Group, what is the primary concern an IT auditor should evaluate?
- ❏ A. Representativeness of the test environment
- ❏ B. Validity of test input data
- ❏ C. Availability of testing documentation
- ❏ D. Completeness of test coverage
Question 4
Who is responsible for ensuring that appropriate security controls are in place to protect an organization’s information assets?
- ❏ A. Internal auditors
- ❏ B. Data owners
- ❏ C. Cloud administrators
Question 5
How would you describe audit risk in the context of an examination of financial records?
- ❏ A. The exposure present before any control measures are implemented
- ❏ B. The chance an auditor may fail to identify material misstatements during the audit
- ❏ C. The risk that internal control mechanisms will not stop or discover errors
- ❏ D. The exposure remaining after control procedures are in place
Question 6
Which reporting relationship most effectively preserves an internal auditor’s objectivity and shields them from undue influence?
- ❏ A. Reporting through the Chief Technology Officer
- ❏ B. Having a direct reporting line to the board audit committee
- ❏ C. Being granted budget control over audited units
Question 7
A regional logistics company needs to link networks with a trusted supplier and provide restricted access to parts of each other’s networks for collaboration. Which type of VPN is intended for this use?
- ❏ A. Cloud VPN
- ❏ B. Site-to-site VPN
- ❏ C. IPsec VPN
- ❏ D. Extranet VPN
Question 8
When assessing an organization’s resilience to operational disruptions, which factor should an information systems auditor prioritize?
- ❏ A. Availability of alternative suppliers for essential inputs
- ❏ B. Regular testing and updating of the business continuity plan
- ❏ C. Defined recovery time and recovery point objectives for critical services
Question 9
While auditing change management at a mid-sized software company called Northbridge Systems, you observe that changes are frequently deployed without adequate written records. What recommendation should the auditor provide?
- ❏ A. Require a formal change control policy with mandatory documentation for every change
- ❏ B. Establish a change advisory board to review and approve proposed changes
- ❏ C. Integrate change tracking with Cloud Audit Logs so alterations are recorded automatically
- ❏ D. Suspend all future changes until documentation procedures are completely redesigned
Question 10
What should an organization do first to ensure that when employees use personal ISP accounts to transfer corporate files, all internet traffic is routed through the corporate network?
- ❏ A. Require corporate VPN for all devices
- ❏ B. Update the IT security policy to forbid personal ISP use for corporate transfers
- ❏ C. VPC Service Controls
Question 11
Which record should an information systems auditor examine to verify the permissions that have been assigned to a particular resource in a cloud environment?
- ❏ A. Cloud IAM policy
- ❏ B. Application logs
- ❏ C. Access control list
- ❏ D. Cloud Audit Logs
Question 12
Which practice most effectively preserves the integrity of release artifacts and prevents unauthorized modifications to source code?
- ❏ A. Binary Authorization
- ❏ B. Version control
- ❏ C. Artifact signing
Question 13
Which testing method is intended to confirm that a business can restore services after sudden outages or large scale incidents?
- ❏ A. Chaos engineering
- ❏ B. Unit testing
- ❏ C. Integration testing
- ❏ D. Disaster recovery testing
Question 14
Which threat assessment finding about a colocation facility would be most concerning to an auditor?
- ❏ A. Physical entry controls are installed and monitored
- ❏ B. Assessment identifies only external threats
- ❏ C. Redundant power feeds and backup generators
Question 15
Why do organizations include software escrow clauses in supplier agreements and what benefit do they provide to the purchaser?
- ❏ A. Oblige the supplier to deliver ongoing maintenance and technical assistance
- ❏ B. Protect the vendor intellectual property by restricting customer access to source materials
- ❏ C. Permit the purchaser to obtain the application source code if the vendor becomes insolvent or stops providing agreed support
- ❏ D. Store deployable binaries with an independent escrow agent for business continuity purposes
Question 16
After a workflow redesign, should an information systems auditor identify controls that were removed or that may no longer function effectively and measure their impact?
- ❏ A. No
- ❏ B. True
Question 17
A regional e-commerce firm maintains an online catalog and payment processing, and it needs a single control that best ensures data confidentiality, integrity, and non-repudiation for transactions and communications. Which control provides the most complete protection for confidentiality, integrity, and non-repudiation?
- ❏ A. Secure Sockets Layer
- ❏ B. Cloud Key Management Service
- ❏ C. Public key infrastructure
- ❏ D. Virtual private network
Question 18
What is the primary reason to require version control for an end user computing application?
- ❏ A. Cloud Source Repositories
- ❏ B. Ensure users operate the most recent authorized release
- ❏ C. Maintain an audit trail of edits
Question 19
When an assurance engagement is being organized which benefit does preparing an audit plan provide for the audit team?
- ❏ A. Allocating time slots to minimize on-site work and improve efficiency
- ❏ B. Sharing the audit schedule and scope with interested parties
- ❏ C. Determining the staffing skills and tools needed for the engagement
- ❏ D. Finalizing and signing off on completed audit reports
Question 20
What primary factor should a business impact analysis assess when setting recovery priorities?
- ❏ A. Historical rate of security incidents
- ❏ B. Estimated cost to restore operations after a disruption
- ❏ C. Total employee headcount
Question 21
A regional fintech firm is deploying workloads across several cloud vendors and separate accounts. What primary security issue should the firm address to maintain a consistent and secure environment?
- ❏ A. Enable VPC Service Controls
- ❏ B. Establish uniform identity and access management across every cloud platform
- ❏ C. Delegate access governance to individual cloud teams
- ❏ D. Encrypt and secure network links between cloud environments
Question 22
Which document establishes the framework for IT governance and defines IT roles and responsibilities?
- ❏ A. IT Strategic Roadmap
- ❏ B. IT Governance Charter
- ❏ C. Business Continuity Plan
Question 23
You are conducting an information systems audit at NovaTech Solutions and you are evaluating the recent disaster recovery exercise to determine its effectiveness. What method provides the most reliable basis for judging whether the recovery test succeeded?
- ❏ A. Evaluate the cost efficiency of the recovery procedures
- ❏ B. Use Google Cloud Backup and DR
- ❏ C. Collect feedback from the systems team that conducted the exercise
- ❏ D. Confirm that the predefined recovery objectives were met
Question 24
What type of attack floods a fingerprint sensor with a large number of biometric samples to cause the reader to malfunction?
- ❏ A. Denial of service attack
- ❏ B. Brute force attack
- ❏ C. Spoofing attack
Question 25
A regional credit union finds that system support technicians share several privileged functions with ordinary staff and full segregation of duties cannot be achieved. What compensating control should the organization implement to address the segregation of duties risk?
- ❏ A. Cloud Audit Logs
- ❏ B. Performing pre-employment background checks
- ❏ C. Conducting periodic reviews of application and transaction logs
- ❏ D. Enforcing automatic user session timeouts after inactivity
ISACA Exam Sample Questions Answers
Question 1
Which of the following scenarios best illustrates a social engineering attack?
- ✓ D. An employee is deceived into revealing sensitive company information
An employee is deceived into revealing sensitive company information is the correct choice.
This scenario is a classic social engineering attack because it relies on deception and manipulation of people rather than on a technical exploit. Social engineering techniques such as phishing, pretexting, and baiting trick employees into revealing credentials or other sensitive data so the attacker can gain access.
Cloud Security Command Center is a Google Cloud security management and monitoring product and not an example of an attack scenario. It is a tool used to detect and respond to threats rather than a social engineering method.
Removing backup files from the corporate servers describes destructive activity that requires access to systems and is a sabotage or insider threat scenario rather than social engineering, which typically involves tricking people into giving up information or access.
Planting a covert backdoor into an application is a technical compromise or supply chain attack that involves altering code or systems. It is not social engineering because it does not primarily rely on manipulating human behavior.
Focus on whether the scenario targets people or systems. If the attacker uses deception to get someone to reveal information then the answer is likely a social engineering example.
Question 2
For a transactional database, what does a thirty-minute Recovery Point Objective indicate?
- ✓ B. Maximum allowable data loss measured as thirty minutes
Maximum allowable data loss measured as thirty minutes is correct. A Recovery Point Objective of thirty minutes states the maximum amount of data, measured as the time window, that the business can tolerate losing after an outage.
RPO defines a business requirement for acceptable data loss and not the specific technical method used to achieve it. You can meet an RPO with frequent backups, continuous replication, or other techniques, but the RPO itself expresses the permitted data loss window.
The option Replication lag between primary and replica is incorrect. Replication lag is an operational metric that describes how far behind a replica currently is and it does not define the business tolerance for data loss.
The option Backup or snapshot frequency is incorrect. Backup frequency is an implementation choice that affects RPO but it is not the definition of RPO itself. You can choose different backup or replication strategies to achieve the required RPO.
When you see RPO think about the acceptable data loss window in time and not the mechanism used to protect the data.
Question 3
While auditing the test phase of a newly deployed application at Lumen Financial Group, what is the primary concern an IT auditor should evaluate?
- ✓ D. Completeness of test coverage
The correct option is Completeness of test coverage.
Completeness of test coverage is the primary concern because an auditor needs assurance that all functional requirements, integration points, performance conditions, and relevant security and error scenarios were exercised during testing. If coverage is incomplete then untested features or paths can hide defects or vulnerabilities that will appear in production.
Auditors will look for traceability between requirements and test cases, evidence of requirement coverage, and metrics such as requirement coverage and relevant code or path coverage. They will also confirm that negative test cases, boundary and edge cases, and security-focused tests were included as part of overall coverage.
Representativeness of the test environment is important because an environment that does not resemble production can mask problems. However this concern is secondary to ensuring that the set of tests themselves actually cover the application functionality and risks.
Validity of test input data matters for realistic results and for reproducing defects during testing. Valid input data is a component of good test design and it supports coverage, but by itself it does not guarantee that all relevant behaviors and failure modes were tested.
Availability of testing documentation helps an auditor to verify what was executed and why. Documentation is a necessary audit artifact but it is supporting evidence for coverage rather than the primary control, because well documented tests that do not provide sufficient coverage still leave risks unaddressed.
When answering these questions focus on whether the tests exercise all requirements and risk scenarios. Look for words like coverage, traceability, and requirements mapping as clues to the primary audit concern.
Question 4
Who is responsible for ensuring that appropriate security controls are in place to protect an organization’s information assets?
- ✓ B. Data owners
The correct answer is Data owners.
Data owners are the roles within an organization that are accountable for the classification and protection of information assets. They determine the sensitivity of the data and decide which security controls are required to meet legal, regulatory, and business requirements.
Data owners also approve access policies and work with security teams and administrators to ensure controls are implemented, tested, and monitored. They have the authority to accept residual risk and to require additional or compensating controls when necessary.
Internal auditors provide independent assurance by reviewing and testing controls and processes. They do not own the data and they are not responsible for selecting or implementing the controls so they are not the correct answer.
Cloud administrators configure, operate, and maintain cloud infrastructure and they implement technical controls when directed. They do not typically own the data or decide which controls are required from a business risk perspective so they are not the right choice.
When a question asks who is responsible for protecting information focus on roles with accountability and the authority to classify data and accept risk. Eliminate roles that only implement or audit controls.
Question 5
How would you describe audit risk in the context of an examination of financial records?
- ✓ B. The chance an auditor may fail to identify material misstatements during the audit
The correct answer is The chance an auditor may fail to identify material misstatements during the audit.
This phrase matches the standard definition of audit risk because audit risk is the possibility that the auditor will give an inappropriate opinion when the financial statements contain a material misstatement. Audit risk arises from the combination of inherent risk and control risk together with the risk that the auditor’s procedures will not detect a material misstatement, which is called detection risk.
The exposure present before any control measures are implemented is not audit risk. That description refers to inherent risk which is the susceptibility of an assertion to a misstatement before considering any related controls.
The risk that internal control mechanisms will not stop or discover errors is not audit risk. That option describes control risk which is the risk that a client’s controls will fail to prevent or detect and correct a material misstatement.
The exposure remaining after control procedures are in place is not audit risk. That wording describes residual risk or the remaining risk after controls, and it does not capture the auditor’s risk of failing to detect material misstatements which is the essence of audit risk.
When you see choices that sound like sources of misstatement, map them to inherent risk or control risk and reserve audit risk for the auditor’s failure to detect material misstatements.
Question 6
Which reporting relationship most effectively preserves an internal auditor’s objectivity and shields them from undue influence?
- ✓ B. Having a direct reporting line to the board audit committee
Having a direct reporting line to the board audit committee is the correct option because it best preserves an internal auditor’s objectivity and freedom from undue influence.
When the internal audit function has a direct reporting line to the board audit committee, the audit activity is separated from operational management and can carry out planning, testing, and reporting without inappropriate pressure from the units being audited. This reporting relationship gives auditors access to the body responsible for governance so concerns can be escalated and oversight of the audit function is maintained in line with professional standards.
Reporting through the Chief Technology Officer is incorrect because placing internal audit under a member of management undermines independence and can allow management to influence scope, findings, and resource decisions. That structure is likely to compromise objectivity especially when management areas are subject to audit.
Being granted budget control over audited units is incorrect because giving auditors financial control over the units they review creates a clear conflict of interest. Budget authority over operational units prevents auditors from remaining neutral evaluators and weakens their ability to report unbiased findings.
Choose the answer that separates internal audit from management and emphasizes oversight by governance. Emphasize direct reporting to the board or audit committee when you see options about auditor independence.
Question 7
A regional logistics company needs to link networks with a trusted supplier and provide restricted access to parts of each other’s networks for collaboration. Which type of VPN is intended for this use?
- ✓ D. Extranet VPN
The correct option is Extranet VPN.
Extranet VPN is intended to link networks belonging to different organizations for collaboration while providing restricted access to only selected resources. It lets each party expose specific subnets or services and keep the rest of their network isolated through policy and segmentation.
With Extranet VPN the logistics company can give a trusted supplier access to inventory or ordering systems without granting access to internal management or other sensitive networks.
Cloud VPN is a Google Cloud product that implements VPN tunnels and is a vendor service rather than the collaborative network model the question asks about. It describes how to connect to Google Cloud rather than the inter-organizational access pattern.
Site-to-site VPN typically describes a connection between fixed sites and is commonly used to link branch offices within a single organization. It does not specifically imply the controlled, inter-organizational access model required for an extranet.
IPsec VPN refers to the IPsec protocol suite used to secure tunnels and can be the underlying technology for many VPN types. It names the protocol rather than the business relationship or access model so it does not directly answer the question.
When a question asks about connecting different organizations look for options that describe the relationship or access model rather than protocol names or product brands.
Question 8
When assessing an organization’s resilience to operational disruptions, which factor should an information systems auditor prioritize?
- ✓ B. Regular testing and updating of the business continuity plan
Regular testing and updating of the business continuity plan is the correct factor an information systems auditor should prioritize when evaluating an organization’s ability to withstand operational interruptions.
Regular testing and updating ensures that documented procedures actually work in practice and that staff can execute them under stress. An auditor looks for evidence of repeated exercises, lessons learned, corrective actions, and version control because those items demonstrate sustained readiness rather than a one time assertion.
Testing can include tabletop exercises, functional drills, and full scale recovery runs and updating covers changes in technology, personnel, and business processes. Together these activities prove the plan remains effective as the environment evolves and they reduce the likelihood and impact of unexpected interruptions.
Availability of alternative suppliers for essential inputs is important for supply chain resilience, but it is a narrower consideration. Having alternate suppliers helps maintain inputs but it does not by itself demonstrate that the organization can detect, respond to, and recover from a broad range of operational interruptions.
Defined recovery time and recovery point objectives for critical services are useful and necessary planning metrics, but they are not sufficient on their own. RTOs and RPOs state desired targets, but without evidence of testing and maintenance an auditor cannot conclude the organization can meet those targets under real incident conditions.
When two options seem relevant pick the one that shows documented, repeatable validation of capability because exam and audit answers favor proven effectiveness over single metrics.
Question 9
While auditing change management at a mid-sized software company called Northbridge Systems, you observe that changes are frequently deployed without adequate written records. What recommendation should the auditor provide?
- ✓ A. Require a formal change control policy with mandatory documentation for every change
Require a formal change control policy with mandatory documentation for every change is the correct recommendation because it directly addresses the observed lack of written records and establishes clear, enforceable expectations for documenting, approving, and tracking every change.
A formal change control policy creates consistent procedures and assigns responsibilities so changes are recorded in a standard way. The policy can define required documentation fields, approval steps, retention periods, and retrospective documentation for previously undocumented changes. This approach improves accountability and auditability and reduces the risk of unauthorized or poorly tested changes.
Establish a change advisory board to review and approve proposed changes can improve governance and oversight but it does not by itself ensure that every change is documented. A CAB focuses on review and approval but a formal policy with mandatory documentation is still needed to guarantee records are created and retained.
Integrate change tracking with Cloud Audit Logs so alterations are recorded automatically can be a useful technical control but it is not sufficient alone. Audit logs capture system events and metadata and they may not record business justification, approvals, or out of band activities. Logs can complement written change records but they do not replace a formal change control policy and the required documentation artifacts.
Suspend all future changes until documentation procedures are completely redesigned is overly disruptive and impractical for normal business operations. A complete halt to changes is rarely necessary and a phased implementation of a formal policy and enforcement mechanisms is a more practical and effective remedy.
When a question shows a clear gap pick the answer that creates an enforceable and practical fix and that improves auditability and accountability.
Question 10
What should an organization do first to ensure that when employees use personal ISP accounts to transfer corporate files, all internet traffic is routed through the corporate network?
- ✓ B. Update the IT security policy to forbid personal ISP use for corporate transfers
Update the IT security policy to forbid personal ISP use for corporate transfers is the correct first step.
This policy change creates a clear organizational requirement and gives the company the authority to mandate technical controls and compliance monitoring. A written policy enables legal and HR processes to enforce the rule and supports training and awareness so employees understand why routing must go through the corporate network.
After the policy is in place the organization can roll out technical measures such as managed VPN clients or network access controls and monitor compliance with logging and audits. The policy therefore precedes and justifies those technical changes so they can be applied consistently.
Require corporate VPN for all devices is not the best first step because a technical mandate needs an underlying policy and an enrollment plan. Requiring a VPN is a valid enforcement action but it depends on policy, device management, and user onboarding to be effective.
VPC Service Controls is incorrect because that Google Cloud feature is designed to limit data exfiltration from Google Cloud services and to define security perimeters. It does not force employees using personal ISP accounts to route all internet traffic through the corporate network.
When asked what to do first think about policy and governance before implementing technical controls. A clear policy makes later enforcement practical and auditable.
Question 11
Which record should an information systems auditor examine to verify the permissions that have been assigned to a particular resource in a cloud environment?
- ✓ C. Access control list
Access control list is the record an information systems auditor should examine to verify the permissions that have been assigned to a particular resource in a cloud environment.
Access control list contains explicit entries that map identities to specific permissions on that resource. It shows who or what has been granted access and what actions they are allowed to perform, which makes it the direct source of truth for verifying assigned permissions.
Cloud IAM policy defines roles and bindings at project, folder, or resource scopes and it may not present the granular, per-object entries that an auditor needs when verifying permissions for a single resource.
Application logs capture events generated by the application such as access attempts, errors, and operational messages, and they do not represent the configured permission entries that control access to a resource.
Cloud Audit Logs record administrative and data access events so they can show changes to permissions and who accessed a resource and when. They do not however provide the current configured permission entries themselves and so they are not the primary record to verify assigned permissions.
When you need to verify who can do what to a specific resource look for the actual access list such as an ACL rather than relying on logs or broader IAM policy documents.
Question 12
Which practice most effectively preserves the integrity of release artifacts and prevents unauthorized modifications to source code?
- ✓ B. Version control
The correct answer is Version control.
Version control preserves release artifact integrity and prevents unauthorized changes to source code by keeping a tamper-evident history of commits and by enabling access controls and review workflows. It records who made each change and when and it supports protections such as branch restrictions and signed commits which make unauthorized or unnoticed modifications much harder.
Binary Authorization enforces policies and verifies attestations at deployment time but it does not provide the source repository history or the collaborative access controls that prevent unauthorized changes to source code. It is useful for deployment gatekeeping but not for managing source change history.
Artifact signing ensures that a specific build or binary has not been altered after signing but it does not give the audit trail, change history, or code review mechanisms that prevent unauthorized edits to the source. Signing complements version control but it does not replace the repository functions needed to preserve source integrity.
When questions focus on preventing unauthorized changes to source code look for answers that provide history, access control, and review workflows. Prefer Version control as the primary solution when those elements are required.
Question 13
Which testing method is intended to confirm that a business can restore services after sudden outages or large scale incidents?
- ✓ D. Disaster recovery testing
The correct option is Disaster recovery testing.
Disaster recovery testing validates that an organization can restore systems, data, and services after sudden outages or large scale incidents. It typically includes rehearsing failover procedures, restoring from backups, and verifying recovery time objectives and recovery point objectives to ensure business continuity.
Chaos engineering focuses on injecting controlled failures to reveal weaknesses and improve system resilience, and it does not primarily verify the end to end restoration processes used after major disasters.
Unit testing verifies individual pieces of code or components in isolation to ensure they behave correctly during development, and it does not exercise operational recovery or backup restore procedures.
Integration testing checks how multiple components interact under normal or controlled conditions, and it does not test the full recovery of systems and business services after large scale outages.
When a question mentions restoring services, failover, or backups after an outage, look for answers that point to disaster recovery. Those keywords usually indicate the correct choice.
Question 14
Which threat assessment finding about a colocation facility would be most concerning to an auditor?
✓ B. Assessment identifies only external threats
The correct option is Assessment identifies only external threats.
This finding is most concerning because it shows the assessment scope is incomplete and focused only on outside actors. An audit expects a thorough threat assessment that includes internal threats, supply chain risks, environmental hazards, and accidental or insider actions. Missing those areas means the organization may not be identifying or mitigating significant risks to the colocation facility.
Physical entry controls are installed and monitored is not the most concerning finding because it describes a positive, implemented control that helps prevent unauthorized access. Auditors view monitored entry controls as evidence of effective physical security practices.
Redundant power feeds and backup generators is also not the most concerning finding because it indicates resilience and attention to availability. Those features reduce operational risk and support business continuity, so they are strengths rather than audit concerns.
When answering audit style questions, look for options that indicate a lack of scope or omitted coverage. Missing internal or nontechnical threats is often more serious than the presence of specific controls.
Question 15
Why do organizations include software escrow clauses in supplier agreements and what benefit do they provide to the purchaser?
✓ C. Permit the purchaser to obtain the application source code if the vendor becomes insolvent or stops providing agreed support
Permit the purchaser to obtain the application source code if the vendor becomes insolvent or stops providing agreed support is correct.
A software escrow agreement deposits the application source code and related build materials with an independent escrow agent and defines specific release triggers such as vendor insolvency or failure to provide agreed support. When those triggers occur, the purchaser can obtain the source code and the materials needed to build, maintain, patch, or migrate the application, which preserves business continuity and reduces vendor lock-in.
This mechanism gives the purchaser a practical and legal path to continue operations when the supplier can no longer meet its obligations. The escrow agent protects the materials and releases them only under the contractual conditions that the parties agreed.
Oblige the supplier to deliver ongoing maintenance and technical assistance is wrong because an escrow clause does not force the vendor to provide live support. The clause only defines when the purchaser may obtain source code if support or vendor viability fails.
Protect the vendor intellectual property by restricting customer access to source materials is wrong because the primary purpose of escrow is to protect the purchaser's operational continuity. The vendor typically retains IP ownership, and access is restricted only until the agreed release conditions are met.
Store deployable binaries with an independent escrow agent for business continuity purposes is wrong because binaries alone are often insufficient to rebuild or fix the application. Effective escrow usually requires source code and build instructions so the purchaser can modify or recompile the software if needed.
When answering escrow questions, focus on the release triggers and the resulting access to source code rather than on promises of ongoing vendor support or on IP ownership.
Question 16
After a workflow redesign, should an information systems auditor identify controls that were removed or that may no longer function effectively and measure their impact?
✓ B. True
The correct option is True.
An information systems auditor should identify and measure the impact of controls that were removed or that may no longer function effectively after a workflow redesign because process changes can alter the control environment and create new or increased risks. The auditor needs to determine whether removed controls left gaps or whether existing controls still mitigate the changed threats and risks.
Measuring the impact means assessing the change in likelihood and business impact for affected risks, revalidating control effectiveness through testing, and documenting findings to support remediation and management decisions. This assessment helps prioritize fixes and ensures continued compliance with policies and regulations.
No is incorrect because assuming that controls remain effective after a redesign can leave significant risks undetected. An auditor cannot skip verification simply because controls existed previously, and failing to evaluate removed or failing controls undermines the audit objective.
When a process is redesigned, check the control register and retest key controls early so you can identify removed or degraded protections before they cause harm.
Question 17
A regional e-commerce firm maintains an online catalog and payment processing, and it needs a single control that best ensures data confidentiality, integrity, and non-repudiation for transactions and communications. Which control provides the most complete protection for confidentiality, integrity, and non-repudiation?
✓ C. Public key infrastructure
The correct answer is Public key infrastructure. It provides the single control that best ensures confidentiality, integrity, and non-repudiation for transactions and communications.
Public key infrastructure uses asymmetric key pairs and digital certificates to enable strong encryption for confidentiality and digital signatures for integrity and non-repudiation. A certificate authority issues certificates that bind identities to public keys, and the private key holder signs transactions so that the signature can be verified later and cannot be denied. Centralized certificate issuance, revocation, and audit capabilities give organizations control over trust and lifecycle management, which supports non-repudiation across systems.
Secure Sockets Layer is an outdated protocol that has been replaced by Transport Layer Security. It can protect the confidentiality and integrity of a connection but it does not by itself provide a comprehensive non-repudiation mechanism or organization wide identity binding.
Cloud Key Management Service manages and protects cryptographic keys, and it supports encryption at rest and key lifecycle management. It does not by itself implement the certificate issuance, identity binding, and non-repudiation services of a full PKI. It can be a component of a PKI, but it is not the single control that enforces non-repudiation for transactions.
Virtual private network secures traffic between networks and provides confidentiality for tunnels and sometimes integrity. It does not sign individual transactions or bind identities to keys at the message level so it cannot provide non-repudiation for messages or transactions. It is a network layer control rather than a transaction level trust mechanism.
When a question asks about confidentiality, integrity, and non-repudiation, think of certificate based solutions and the role of a certificate authority rather than only encryption or network tunnel options.
Question 18
What is the primary reason to require version control for an end user computing application?
✓ B. Ensure users operate the most recent authorized release
Ensure users operate the most recent authorized release is correct because the main goal of enforcing version control for an end user computing application is to make sure all users run the approved and supported build rather than a mixture of versions.
Requiring the authorized release simplifies patching and security updates and reduces compatibility and support issues. It also enables predictable behavior across the user base and makes it easier to roll out fixes or to revoke a release if a problem is found.
Cloud Source Repositories is incorrect as an answer because it names a specific tool for storing and managing source code rather than stating the primary reason to enforce version control for end user applications. The question asks why you would enforce version control not which tool you would use.
Maintain an audit trail of edits is also incorrect as the primary reason. While version control does provide an audit trail and that is a useful benefit, the principal purpose in an end user computing context is to ensure users run the sanctioned release for security, supportability, and consistency.
When a question asks for the primary reason, choose the option that focuses on overall user impact such as security and consistency rather than a specific tool or a secondary benefit.
Question 19
When an assurance engagement is being organized which benefit does preparing an audit plan provide for the audit team?
✓ C. Determining the staffing skills and tools needed for the engagement
The correct answer is Determining the staffing skills and tools needed for the engagement.
An audit plan sets the objectives, scope, and procedures, and it therefore reveals what expertise and technical resources are required to carry out the work. By establishing the approach, the team can identify the right mix of experience, the need for specialists, and the tools or access required, which allows the engagement to be staffed and prepared effectively before fieldwork begins.
Allocating time slots to minimize on-site work and improve efficiency is focused on scheduling and logistics. That activity can follow from the plan but it is narrower and not the primary organizing benefit that determines team composition or technical needs.
Sharing the audit schedule and scope with interested parties describes stakeholder communication and coordination. That is an important part of engagement management but it is not what planning principally provides for organizing the audit team.
Finalizing and signing off on completed audit reports is a post engagement activity. It occurs after the audit work and reporting are complete and therefore it is not a benefit of preparing the audit plan.
When answering planning questions, focus on benefits that relate to identifying resources and the approach needed to perform the work rather than tasks that occur before or after fieldwork.
Question 20
What primary factor should a business impact analysis assess when setting recovery priorities?
✓ B. Estimated cost to restore operations after a disruption
The correct option is Estimated cost to restore operations after a disruption.
A business impact analysis is intended to measure the consequences of an outage in terms of operational loss and financial harm, and Estimated cost to restore operations after a disruption directly captures that consequence. Prioritizing recovery by the estimated restoration cost ensures limited resources go first to systems whose downtime would cause the greatest monetary and operational damage.
Using cost estimates supports decisions about recovery time objectives and investments in redundancy and backup so the organization can reduce the highest potential losses.
Historical rate of security incidents is not the primary factor because frequency of past incidents speaks to risk likelihood and not to the magnitude of impact or the cost to the business. A BIA focuses on impact and recovery priorities rather than incident counts.
Total employee headcount is not the primary factor because staff numbers do not directly measure the operational or financial loss caused by a service outage. Headcount may be one input for impact assessment but it does not replace an estimate of restoration cost when setting recovery priorities.
When answering BIA questions, pick the option that measures impact on operations or finances. Focus on cost and downtime metrics rather than frequency or size.
Question 21
A regional fintech firm is deploying workloads across several cloud vendors and separate accounts. What primary security issue should the firm address to maintain a consistent and secure environment?
✓ B. Establish uniform identity and access management across every cloud platform
The correct option is Establish uniform identity and access management across every cloud platform.
A consistent identity and access management approach ensures uniform policies for authentication, authorization, and lifecycle management across multiple cloud vendors and separate accounts. Centralized IAM reduces privilege sprawl, prevents orphaned accounts, and makes auditing and incident response much simpler. For a fintech firm that must meet regulatory and security requirements, Establish uniform identity and access management across every cloud platform directly addresses the root cause of inconsistent access and misconfiguration across environments.
Enable VPC Service Controls is incorrect because that feature is specific to Google Cloud and it focuses on perimeter controls within a single provider. It does not create a consistent access model across different cloud vendors and separate accounts.
Delegate access governance to individual cloud teams is incorrect because decentralizing access governance typically produces inconsistent role definitions and policies. That inconsistency increases risk and makes compliance and auditing harder to achieve.
Encrypt and secure network links between cloud environments is useful but it is not the primary issue for maintaining a consistent and secure multicloud environment. Network encryption protects data in transit but it does not solve identity sprawl or inconsistent access controls across accounts and providers.
When a question mentions multiple cloud providers, look for answers that address centralized identity and access management. Centralized controls enable consistent policies and simpler auditing, which are critical in multicloud scenarios.
Question 22
Which document establishes the framework for IT governance and defines IT roles and responsibilities?
✓ B. IT Governance Charter
IT Governance Charter is the correct option.
The IT Governance Charter establishes the governance framework for IT and explicitly defines roles and responsibilities, decision rights, escalation paths, and accountability so that IT actions align with business objectives. It typically documents scope, objectives, committee structures, policies, and reporting lines which together create the formal structure for IT governance.
IT Strategic Roadmap is incorrect because a roadmap describes planned projects, initiatives, timelines, and investment priorities rather than assigning governance roles or formal decision authorities. A roadmap guides strategic direction and execution but it does not set the governance framework.
Business Continuity Plan is incorrect because a continuity plan focuses on restoring operations and recovering from disruptions rather than defining ongoing governance or role assignments. A business continuity plan details recovery procedures, communications, and resources for emergencies but not the governance structure for IT.
When you must choose between planning, recovery, and governance documents, focus on the purpose of each document. Governance documents define authority and responsibilities, roadmaps plan initiatives, and continuity plans cover recovery.
Question 23
You are conducting an information systems audit at NovaTech Solutions and you are evaluating the recent disaster recovery exercise to determine its effectiveness. What method provides the most reliable basis for judging whether the recovery test succeeded?
✓ D. Confirm that the predefined recovery objectives were met
The correct option is Confirm that the predefined recovery objectives were met.
This option is correct because predefined recovery objectives give concrete, measurable acceptance criteria that determine success. Recovery time objectives and recovery point objectives define acceptable time to restore services and acceptable data loss, and meeting those objectives demonstrates the test achieved its intended goals. Verifiable evidence such as timestamps, restore logs, and validated system functionality should be checked against those objectives to judge success.
Evaluate the cost efficiency of the recovery procedures is not the most reliable basis because cost measures do not prove that systems were recovered within required time frames or that data integrity was preserved. Cost is an important consideration for planning but it is not an objective success criterion for a recovery test.
Use Google Cloud Backup and DR is not sufficient by itself because invoking a specific product or tool does not prove the recovery objectives were met. Tools can enable recovery, but the decisive factor is whether the documented acceptance criteria were achieved during the exercise.
Collect feedback from the systems team that conducted the exercise is useful for qualitative insights but it is subjective and potentially biased. Team feedback should be combined with objective measurements and artifacts rather than used alone to declare a test successful.
When judging recovery tests, focus on measurable criteria like RTO and RPO and require objective evidence such as timestamps and restore logs rather than relying only on opinions or tool usage.
Question 24
What type of attack floods a fingerprint sensor with a large number of biometric samples to cause the reader to malfunction?
✓ B. Brute force attack
The correct answer is Brute force attack.
A Brute force attack against a fingerprint sensor is carried out by submitting a large number of biometric samples or repeated attempts until the sensor either finds a match or malfunctions. The repeated submissions can overwhelm the reader or exploit false acceptance behavior in the matcher, and that behavior matches the described scenario.
Denial of service attack is incorrect because that term generally refers to flooding system or network resources to disrupt availability. It does not specifically describe the repeated submission of biometric samples to force a reader to fail or accept a match.
Spoofing attack is incorrect because spoofing involves presenting fake biometric traits or artifacts to impersonate a legitimate user. That approach tries to trick the sensor with a forged fingerprint rather than overwhelming it with many different samples.
Look for wording about repeated or many biometric submissions to spot a brute force scenario. That language is a stronger clue than general availability or presentation attack terms.
Question 25
A regional credit union finds that system support technicians share several privileged functions with ordinary staff and full segregation of duties cannot be achieved. What compensating control should the organization implement to address the segregation of duties risk?
✓ C. Conducting periodic reviews of application and transaction logs
The correct option is Conducting periodic reviews of application and transaction logs.
This is an effective compensating control because regular reviews provide a detective capability that identifies misuse when segregation of duties cannot be fully implemented. Reviews of application and transaction logs create accountability and an audit trail so that unauthorized or inappropriate actions can be detected and investigated.
Periodic log review also supports timely response and forensics by correlating events and establishing a timeline of actions across systems. Coupling reviews with alerting and retention policies makes the control practical and auditable.
Cloud Audit Logs is a logging feature and not a complete compensating control by itself. Without a formal process to review and act on the logs the existence of audit logs does not address the segregation of duties risk.
Performing pre-employment background checks can reduce hiring risk but it does not provide ongoing detection or accountability for privileged actions. Background checks are preventive and they do not substitute for monitoring when privileges are shared.
Enforcing automatic user session timeouts after inactivity reduces the risk of unattended sessions but it does not prevent or detect improper privileged transactions. Session timeouts are useful for session management but they are not sufficient as a compensating control for segregation of duties.
When full segregation of duties is not possible, prioritize strong detective controls such as scheduled log reviews and a clear process to investigate and respond to any anomalies.
Cameron McKenzie is an AWS Certified AI Practitioner, Machine Learning Engineer, Copilot Expert, Solutions Architect and author of many popular books in the software development and Cloud Computing space. His growing YouTube channel training devs in Java, Spring, AI and ML has well over 30,000 subscribers.