- (Exam Topic 1)
An organization conducted an exercise to test the security awareness level of users by sending an email offering a cash reward 10 those who click on a link embedded in the body of the email. Which of the following metrics BEST indicates the effectiveness of awareness training?

1. A. The number of users deleting the email without reporting because it is a phishing email
2. B. The number of users clicking on the link to learn more about the sender of the email
3. C. The number of users forwarding the email to their business unit managers
4. D. The number of users reporting receipt of the email to the information security team

Correct Answer: D

- (Exam Topic 4)
Which of the following is MOST important to determine when conducting an audit Of an organization's data privacy practices?

1. A. Whether a disciplinary process is established for data privacy violations
2. B. Whether strong encryption algorithms are deployed for personal data protection
3. C. Whether privacy technologies are implemented for personal data protection
4. D. Whether the systems inventory containing personal data is maintained

Correct Answer: D
The systems inventory containing personal data is a crucial element for auditing an organization’s data privacy practices. The systems inventory is a list of all the systems, applications, databases, and devices that collect, store, process, or transmit personal data within the organization12. The systems inventory helps the auditor to identify the scope, location, ownership, and classification of personal data, as well as the risks and controls associated with them12. The systems inventory also helps the auditor to verify compliance with data privacy laws, regulations, and internal policies that apply to different types of personal data

- (Exam Topic 4)
Which of the following is the BEST source of information for examining the classification of new data?

1. A. Input by data custodians
2. B. Security policy requirements
3. C. Risk assessment results
4. D. Current level of protection

Correct Answer: C

- (Exam Topic 4)
During a routine internal software licensing review, an IS auditor discovers instances where employees shared license keys to critical pieces of business software. Which of the following would be the auditor's BEST course of action?

1. A. Recommend the utilization of software licensing monitoring tools
2. B. Recommend the purchase of additional software license keys
3. C. Validate user need for shared software licenses
4. D. Verify whether the licensing agreement allows shared use

Correct Answer: D

- (Exam Topic 4)
What should an IS auditor evaluate FIRST when reviewing an organization's response to new privacy legislation?

1. A. Implementation plan for restricting the collection of personal information
2. B. Privacy legislation in other countries that may contain similar requirements
3. C. Operational plan for achieving compliance with the legislation
4. D. Analysis of systems that contain privacy components

Correct Answer: D
This is according to the ISACA's IS Auditing Guideline G14 on Privacy and Data Protection, which states that an IS auditor should first evaluate the organization's ability to identify and assess the systems that contain privacy components, and then review the adequacy of the operational plan for achieving compliance with the legislation.