CPA ISC: Security, Confidentiality and Privacy

Try 10 focused Certified Public Accountant Information Systems and Controls (CPA ISC) questions on access, safeguards, privacy, confidentiality, incident response, and control objectives.

CPA means Certified Public Accountant. ISC means Information Systems and Controls. Use this focused page when your CPA ISC misses are about access, safeguards, confidentiality, privacy, incident response, vendor risk, or control objectives. Drill this topic before returning to mixed practice.

Use the CPA ISC practice route for timed mocks, topic drills, progress tracking, explanations, and full practice.

Topic snapshot

Field | Detail
Exam route | CPA ISC
Issuer | American Institute of Certified Public Accountants (AICPA)
Topic area | Security, Confidentiality and Privacy
Blueprint weight | 40%
Page purpose | Control-objective practice for access, safeguards, confidentiality, privacy, incident response, and vendor risk

What this topic tests

This topic tests whether you can match risks to safeguards across security, confidentiality, and privacy objectives. Strong answers distinguish access control, encryption, monitoring, incident response, vendor risk, data retention, and privacy obligations.

Common traps

  • confusing confidentiality with privacy or assuming one control solves both objectives
  • choosing encryption when the real weakness is authorization, monitoring, or segregation of duties
  • treating a policy as effective without evidence of implementation, review, or enforcement
  • missing whether the stem asks for prevention, detection, correction, or governance

How to reason through these questions

Name the objective first: security, confidentiality, privacy, availability, processing integrity, or compliance. Then choose the control type that addresses the failure mode. The strongest answer will usually state both the risk and the control response.

How to use this topic drill

Use this page to isolate Security, Confidentiality and Privacy for CPA ISC. Work through the 10 questions first, then review the explanations and return to mixed practice in Mastery Exam Prep.

Pass | What to do | What to record
First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer.
Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor.
Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter.
Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious.

Blueprint context: 40% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.

Sample questions

These questions are original Mastery Exam Prep practice items aligned to this topic area. They are designed for self-assessment and are not official exam questions.

Question 1

Topic: Security, Confidentiality and Privacy

A CPA is reviewing an alert from the user-access process for a terminated employee.

  • HR recorded the employee’s termination at 1:00 p.m. on Monday.
  • Company policy requires all user access to be disabled within 4 hours of a termination notice.
  • At 8:30 a.m. on Tuesday, the employee’s network and ERP accounts were still enabled because the HR-to-IAM feed failed.
  • System logs show no login attempts, no successful logins, and no data access after termination.
  • No evidence indicates data was disclosed outside the company.

Based on these facts, what should be done next?

  • A. Classify the condition as an operational issue only and close it after disabling the accounts.
  • B. Classify the condition as a data breach and begin external notification procedures immediately.
  • C. Classify the condition as a control exception and review recent terminations to determine whether access removal failed for other users.
  • D. Classify the condition as a security incident and preserve evidence of unauthorized account activity.

Best answer: C

What this tests: Security, Confidentiality and Privacy

Explanation: The access-removal control failed because the terminated employee’s accounts remained enabled beyond the required window. Since logs show no post-termination use and no data exposure, this is best classified as a control exception rather than a security incident or data breach. The next step is to assess whether the control failure affected other recent terminations.

Classification should follow the facts shown. An event is an observable occurrence, an incident involves actual or suspected compromise, a data breach involves unauthorized acquisition or disclosure of protected data, a control exception exists when a control does not operate as designed, and an operational issue affects processing or service without necessarily indicating control failure. Here, the key fact is that access was not removed within the policy’s 4-hour requirement. That means the deprovisioning control did not operate effectively. However, there were no logins, no data access, and no indication of disclosure, so the facts do not currently support classifying the matter as a security incident or data breach. The appropriate next step is to treat it as a control exception, remediate it, and determine whether similar exceptions occurred for other terminated users.

  • Treating the matter as a data breach is premature because the facts show no unauthorized acquisition or disclosure of data.
  • Treating the matter as a security incident overstates the evidence because there was no post-termination account use to investigate.
  • Treating the matter as an operational issue only is incomplete because the failed interface caused a control to miss its required objective.

The deprovisioning control failed its required timing, but there is no evidence of unauthorized use or disclosure.
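The "review other recent terminations" step in the answer is a batch comparison of the HR feed, the IAM account state, and the authentication log. The script below is an added example, not code from the page or from any product: it walks a constructed set of termination records and applies the classification rules from the explanation (within SLA, pending, control exception, security incident). The 4-hour window is the policy in the question; all user names, timestamps and log entries are constructed.

```python
# Added example (not part of the page): review a batch of terminations for
# deprovisioning exceptions and classify each record by the evidence, the way
# the "review recent terminations" step in the answer requires.
# All feed, IAM and log records below are constructed sample data.
from datetime import datetime, timedelta

SLA = timedelta(hours=4)                     # policy: disable within 4 hours of notice
REVIEW_TIME = datetime(2026, 5, 12, 8, 30)   # Tuesday 8:30 a.m. in the question

# Constructed HR termination feed: user -> time HR recorded the termination
HR_TERMINATIONS = {
    "jdoe":   datetime(2026, 5, 11, 13, 0),   # Monday 1:00 p.m., the case in the question
    "asmith": datetime(2026, 5, 11, 9, 30),
    "bchen":  datetime(2026, 5, 11, 8, 0),
}

# Constructed IAM state: user -> (account still enabled?, time it was disabled or None)
IAM_STATE = {
    "jdoe":   (True, None),                             # HR-to-IAM feed failed
    "asmith": (False, datetime(2026, 5, 11, 11, 15)),   # disabled within the window
    "bchen":  (False, datetime(2026, 5, 11, 15, 45)),   # disabled late
}

# Constructed authentication / data-access log: (user, time, event)
ACCESS_LOG = [
    ("asmith", datetime(2026, 5, 11, 8, 50),  "login_success"),   # before termination
    ("bchen",  datetime(2026, 5, 11, 14, 10), "login_success"),   # after termination
    ("bchen",  datetime(2026, 5, 11, 14, 12), "file_download"),
]

def post_termination_events(user, terminated_at, log):
    """Log events for `user` that occurred after HR recorded the termination."""
    return [e for e in log if e[0] == user and e[1] > terminated_at]

def classify(user, terminated_at, enabled, disabled_at, log, now):
    """Classify one termination record.

    within_sla        : access removed inside the 4-hour window
    pending           : still enabled, but the window has not yet elapsed
    control_exception : window missed, no post-termination activity in the log
    security_incident : window missed and the account was used after termination
    (a data-breach classification would additionally need evidence of
    disclosure, which nothing here records)
    """
    deadline = terminated_at + SLA
    if not enabled and disabled_at is not None and disabled_at <= deadline:
        return "within_sla"
    if enabled and now <= deadline:
        return "pending"
    used = post_termination_events(user, terminated_at, log)
    return "security_incident" if used else "control_exception"

def review_terminations(hr, iam, log, now):
    """Classify every termination in the HR feed. A user missing from IAM is
    treated as still enabled, because the absence of a disable record is the risk."""
    results = {}
    for user, terminated_at in hr.items():
        enabled, disabled_at = iam.get(user, (True, None))
        results[user] = classify(user, terminated_at, enabled, disabled_at, log, now)
    return results

if __name__ == "__main__":
    verdicts = review_terminations(HR_TERMINATIONS, IAM_STATE, ACCESS_LOG, REVIEW_TIME)
    for user, verdict in verdicts.items():
        print(f"{user}: {verdict}")
```

The jdoe record reproduces the question and comes out as a control exception; the constructed bchen record shows what changes the answer: the same timing failure plus post-termination log activity becomes a security incident to investigate, which is why the log review belongs in the same pass as the SLA check.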


Question 2

Topic: Security, Confidentiality and Privacy

During a walkthrough of an online retailer’s payment process, a CPA learns the following:

  • The checkout page is hosted by a third-party payment processor.
  • Customer service representatives can view only the last four digits of the card number in the order system.
  • A nightly exception log on the retailer’s server stores full primary account numbers (PANs) for declined transactions for 30 days.
  • Management says, “The processor is PCI compliant, so we do not have PCI DSS responsibilities.”

What should the CPA recommend be done next?

  • A. Request only the processor’s PCI attestation of compliance and stop further review of the merchant’s environment.
  • B. Limit the review to whether customer service screens display only the last four digits of the card number.
  • C. Delete the exception logs immediately and conclude the outsourced checkout keeps the merchant outside PCI DSS scope.
  • D. Map and document all merchant locations and flows where cardholder data is stored, processed, or transmitted, including the exception logs, to determine PCI DSS scope and responsibilities.

Best answer: D

What this tests: Security, Confidentiality and Privacy

Explanation: The retailer may still be in PCI DSS scope because its own server stores full PANs in exception logs. The next step is to identify and document where cardholder data exists in the merchant environment so responsibilities and needed controls can be evaluated.

PCI DSS applies when an entity stores, processes, or transmits cardholder data. Using a third-party processor for checkout can reduce scope, but it does not automatically eliminate the merchant’s responsibilities. Here, the key fact is that the retailer’s own server retains full PANs in nightly exception logs, which means cardholder data may still exist within the merchant environment. The proper next step is to map data flows and storage locations, confirm what payment-card data elements are retained, and determine the resulting PCI DSS scope. After scope is understood, the CPA can evaluate whether controls over retention, masking, encryption, restricted access, and monitoring are appropriate and whether the processor’s compliance documentation is relevant to the remaining merchant responsibilities.

  • Requesting only the processor’s PCI attestation skips the merchant’s separate responsibility for any cardholder data kept in its own systems.
  • Deleting the logs may be part of later remediation, but it is premature before the cardholder-data environment and related responsibilities are understood.
  • Focusing only on masked customer-service screens is too narrow because the stored full PANs in server logs are the more important PCI DSS scoping issue.

PCI DSS scope depends on whether the merchant environment stores, processes, or transmits cardholder data, so the full PANs in the exception logs must be evaluated first.
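Mapping where cardholder data actually sits usually starts with a scan of the places people assume are clean, such as the exception log in this question. The scanner below is an added example written for this page, not the retailer's or any PCI tool's code: it pulls 13-19 digit runs out of text, applies the Luhn check that every syntactically valid PAN passes, and ignores masked values. The log lines are constructed and the card numbers are the widely published Visa and Mastercard test numbers, not real accounts.

```python
# Added example (not part of the page): find full PANs in text so that storage
# locations such as the exception log in the question can be brought into PCI
# DSS scope. Log lines are constructed; the card numbers are public test numbers.
import re

# Candidate: 13-19 digits, optionally separated by single spaces or hyphens,
# not preceded or followed by another digit.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn check-digit validation (true for every syntactically valid PAN)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_pans(text):
    """Return the full PANs in `text` as digit strings. Masked values such as
    '************4242' never match because they contain no 13+ digit run, and
    long numeric IDs that fail Luhn (batch ids, timestamps) are dropped."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found

def scan_log(lines):
    """Map 1-based line numbers to the PANs found on that line.
    An empty result is evidence toward out-of-scope; a non-empty one is not debatable."""
    hits = {}
    for n, line in enumerate(lines, 1):
        pans = find_pans(line)
        if pans:
            hits[n] = pans
    return hits

# Constructed nightly exception log, modelled on the one described in the question.
SAMPLE_LOG = [
    "2026-05-11 02:14:07 DECLINE order=48213 pan=4111 1111 1111 1111 reason=insufficient_funds",
    "2026-05-11 02:14:09 DECLINE order=48214 pan=************4242 reason=avs_mismatch",
    "2026-05-11 02:15:31 DECLINE order=48215 pan=5555555555554444 reason=do_not_honor",
    "2026-05-11 02:15:40 INFO batch_id=20260511021540 rows=3",
]

if __name__ == "__main__":
    for line_no, pans in scan_log(SAMPLE_LOG).items():
        print(f"line {line_no}: {len(pans)} full PAN(s) stored")
```

Two of the four constructed lines carry a full PAN, so the file and every system that can read it are in scope regardless of who hosts the checkout page. The 14-digit batch id on the last line is deliberately included: it is the kind of false positive a digit-run match alone produces, and the Luhn check removes it. The same approach, with a pattern and checksum for the data element concerned, is how a reviewer would confirm what the treasury CSV export in Question 10 actually contains.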


Question 3

Topic: Security, Confidentiality and Privacy

An online retailer detects 4,000 login attempts in one hour against its customer portal. Each attempt uses a different email address and password pair copied from a credential dump from an unrelated website. Accounts are compromised only when customers reused the same credentials on the retailer’s site. Which attack classification is most directly supported by these facts?

  • A. Password spraying
  • B. Brute-force attack
  • C. Credential stuffing
  • D. Replay attack

Best answer: C

What this tests: Security, Confidentiality and Privacy

Explanation: The incident describes attackers trying many stolen username-password combinations from another breach against a different site. That pattern is credential stuffing because success depends on users reusing the same credentials across systems.

Credential stuffing occurs when an attacker takes known username-password pairs, usually obtained from another data breach, and tests them on a different system. The key indicator is that the attacker is not guessing passwords from scratch; instead, the attacker is automating login attempts with previously exposed credentials and relying on password reuse. In this scenario, each attempt uses a different email and password pair from an unrelated breach dump, and compromises occur only when customers reused those exact credentials on the retailer’s portal. That is the defining fact pattern for credential stuffing. The classification is based on the source and pattern of the credentials being used, not merely on the high volume of login failures.

  • Password spraying uses one or a few common passwords against many accounts, not many distinct stolen credential pairs.
  • Brute-force attack involves systematic guessing of passwords rather than testing known breached combinations from another site.
  • Replay attack reuses captured authentication messages, sessions, or tokens, not breach lists of usernames and passwords.

Using previously breached username-password pairs on a different site to exploit password reuse is credential stuffing.
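The three distractors differ in the shape of the attempts, and a detection rule can be written from that shape alone. The function below is an added example for this page, not the retailer's detection logic or any vendor's: it looks at how many distinct accounts a burst touches, how many distinct passwords it tries, and whether the usernames overlap a known breach corpus. The bursts and corpus are constructed. One assumption is labelled in the code: the pw_fingerprint field stands for a non-reversible fingerprint of the submitted password, which some identity platforms retain for spray detection; the question does not say the portal records one, and without it spraying and stuffing are separated only by the corpus match.

```python
# Added example (not part of the page): classify a burst of failed logins from
# the shape of the attempts. Events and the breach corpus are constructed.
# ASSUMPTION: pw_fingerprint is a non-reversible fingerprint of the password
# tried (never the password itself); the portal in the question may not have one.
from collections import Counter

def classify_burst(events, breach_corpus, min_attempts=50):
    """events: iterable of (username, src_ip, pw_fingerprint) for failed logins
    in one window. breach_corpus: usernames known to appear in a credential dump.
    Returns brute_force / password_spraying / credential_stuffing /
    unclassified / below_threshold."""
    events = list(events)
    if len(events) < min_attempts:
        return "below_threshold"
    per_user = Counter(e[0] for e in events)
    per_pw = Counter(e[2] for e in events)
    distinct_users, distinct_pw = len(per_user), len(per_pw)

    # Brute force: attempts pile onto one (or very few) accounts with many passwords.
    if distinct_users <= 3 and max(per_user.values()) >= 0.5 * len(events):
        return "brute_force"
    # Spraying: many accounts, but only a handful of distinct passwords.
    if distinct_users >= 10 and distinct_pw <= 3:
        return "password_spraying"
    # Stuffing: many accounts, roughly one password each, and the usernames
    # overlap a known breach corpus (the "copied from a dump" fact in the stem).
    in_corpus = sum(1 for u in per_user if u in breach_corpus) / distinct_users
    if distinct_users >= 10 and distinct_pw >= 0.8 * distinct_users and in_corpus >= 0.5:
        return "credential_stuffing"
    return "unclassified"

# Constructed bursts of 60 failed attempts each from a single source address.
STUFFING = [(f"user{i}@example.com", "203.0.113.7", f"fp{i:04d}") for i in range(60)]
SPRAYING = [(f"user{i}@example.com", "203.0.113.7", "fp_season") for i in range(60)]
BRUTE    = [("cfo@example.com", "203.0.113.9", f"fp{i:04d}") for i in range(60)]
# Constructed breach corpus: 54 of the 60 portal usernames appear in it.
BREACH_CORPUS = {f"user{i}@example.com" for i in range(60) if i % 10 != 0}

if __name__ == "__main__":
    for name, burst in (("stuffing", STUFFING), ("spraying", SPRAYING), ("brute", BRUTE)):
        print(f"{name}: {classify_burst(burst, BREACH_CORPUS)}")
```

Note what the stuffing burst looks like without the corpus: sixty accounts, sixty passwords, one attempt each, which is only "unclassified" until the usernames are matched against a breach list. That is the same point the explanation makes: the classification rests on where the credentials came from, not on the failure count. A replay attack leaves no such trace in failed-login data at all, because it reuses a captured token or session rather than submitting credentials.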


Question 4

Topic: Security, Confidentiality and Privacy

A CPA is evaluating security controls over a cloud-based cash disbursements system. The exhibit summarizes three controls currently in place.

Control | Operation
MFA login | Users must complete multifactor authentication before they can sign in to the application.
Privileged-access monitoring | The security information and event management (SIEM) tool generates an alert to the security team whenever a user is added to the Payment Approver role.
Malware recovery | If malware is confirmed on a laptop used by a payment approver, IT reimages the device from a clean baseline and restores files from backup.

Which conclusion is best supported by the exhibit?

  • A. MFA login is preventive, privileged-access monitoring is corrective, and malware recovery is detective.
  • B. MFA login is corrective, privileged-access monitoring is detective, and malware recovery is preventive.
  • C. MFA login is preventive, privileged-access monitoring is detective, and malware recovery is corrective.
  • D. MFA login is detective, privileged-access monitoring is preventive, and malware recovery is corrective.

Best answer: C

What this tests: Security, Confidentiality and Privacy

Explanation: The classifications depend on when the control acts and what it is designed to do. MFA acts before access is granted, so it is preventive; the SIEM alert identifies a potentially improper event, so it is detective; and reimaging plus backup restoration repairs the environment after malware is found, so it is corrective.

Preventive controls are designed to stop or reduce the likelihood of an unwanted event before it happens. Detective controls identify that an event or condition has occurred. Corrective controls respond after a problem is detected to contain damage, restore systems, or return data to a reliable state. In this scenario, multifactor authentication is a gate that must be satisfied before sign-in, so it is preventive. The SIEM alert does not block the privileged-role assignment; it notifies security that the event occurred, which makes it detective. Reimaging an infected device and restoring files from backup happen after malware is confirmed and are intended to recover operations, so they are corrective.

  • Treating MFA as detective or corrective is incorrect because MFA operates before access is granted.
  • Treating the SIEM alert as preventive or corrective is incorrect because alerting identifies a role change but does not stop it or repair damage.
  • Treating reimaging and backup restoration as detective or preventive is incorrect because those actions occur after malware is confirmed to recover the device and data.

MFA blocks unauthorized access before entry, the SIEM alert identifies a role change after it occurs, and reimaging plus restoration remediates damage after an incident.


Question 5

Topic: Security, Confidentiality and Privacy

A CPA is testing the incident response process for high-severity cybersecurity incidents.

Policy excerpt:

Requirement | Standard
Escalation | Suspected unauthorized access involving confidential customer data must be escalated to the incident response manager within 1 hour of detection.
Containment | Containment must begin within 2 hours after escalation.
Communication | Legal/compliance must be notified when customer data may be affected.
Post-incident review | An after-action review must be completed within 5 business days after ticket closure.

Evidence for Incident 24-017:

Event | Date/Time
SIEM alert for bulk download of customer SSNs using a terminated employee’s credentials from a foreign IP | 4/3 08:05
Analyst opened ticket and marked incident high severity | 4/3 08:20
Incident response manager notified | 4/3 11:10
Account disabled and active sessions terminated | 4/3 11:35
Legal/compliance notified | 4/3 11:50
Excess privileges removed and credentials rotated | 4/4 09:00
Ticket closed | 4/18 16:00
As of 4/30, no after-action review notes or action items are attached

Which corrective action is the best response to the incident response deficiency evidenced here?

  • A. Require quarterly privileged-access recertifications for all finance applications.
  • B. Lower SIEM thresholds so every bulk-download alert automatically disables the user account at detection.
  • C. Add SLA-based escalation controls for high-severity incidents and require time-stamped after-action review completion within the policy deadline.
  • D. Send breach notices to all customers immediately after any high-severity alert is opened.

Best answer: C

What this tests: Security, Confidentiality and Privacy

Explanation: The incident was identified and documented quickly, and containment, communication, and remediation were recorded. However, escalation to the incident response manager missed the one-hour requirement, and no post-incident review was documented within the required timeframe. The best fix is to strengthen workflow controls around those two gaps.

When testing incident response, the question is not just whether actions occurred, but whether evidence shows they occurred on time and in accordance with policy. Here, the SIEM alert at 08:05 and the high-severity ticket at 08:20 support timely identification. Containment at 11:35 (within 2 hours of the 11:10 escalation), legal/compliance notification at 11:50, and remediation on 4/4 show those stages were performed and documented. But the incident response manager was not notified until 11:10, more than three hours after detection and well past the 09:05 deadline set by the one-hour escalation requirement. Also, the ticket was closed on 4/18, which made the after-action review due within 5 business days, and none was attached as of 4/30, so the post-incident review control failed. The best remediation is a ticketing workflow with SLA-based escalation monitoring and required, time-stamped after-action review completion within the policy window.

  • Adding SLA-based escalation controls and required after-action review evidence directly fixes the late escalation and missing post-incident review shown in the ticket.
  • Sending immediate breach notices to all customers overstates the response; the facts only establish a need for legal/compliance notification, not automatic customer notification.
  • Automatically disabling accounts for every bulk-download alert redesigns detection and containment, but the documented deficiency is failure to meet escalation and review requirements.
  • Quarterly privileged-access recertifications are preventive access controls, not the best correction for this incident response process breakdown.

It directly addresses the missed one-hour escalation and the missing post-incident review evidenced in the incident record.
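The test in this question is a timeline check against four policy deadlines, two of which are relative to other events and one of which counts business days. The script below is an added example, not part of the page or of any ticketing product: it encodes the policy excerpt and evaluates Incident 24-017 with the timestamps from the exhibit. The year is an assumption (2026, the page's revision year) because the ticket records month and day only; holidays are not modelled.

```python
# Added example (not part of the page): evaluate an incident record against the
# policy deadlines in the question. ASSUMPTION: year 2026, since the exhibit
# shows month/day only. Holidays are not modelled in the business-day count.
from datetime import datetime, timedelta

POLICY = {
    "escalation": timedelta(hours=1),    # measured from detection
    "containment": timedelta(hours=2),   # measured from escalation
    "review_business_days": 5,           # measured from ticket closure
}

def add_business_days(start, days):
    """Advance `start` by `days` business days (Monday to Friday)."""
    current, added = start, 0
    while added < days:
        current += timedelta(days=1)
        if current.weekday() < 5:
            added += 1
    return current

def _status(done_at, due, as_of):
    """met / missed / pending for one stage with a hard deadline."""
    if done_at is not None:
        return "met" if done_at <= due else "missed"
    return "pending" if as_of <= due else "missed"

def evaluate(timeline, as_of):
    """timeline: stage -> datetime, or None when the stage has not happened.
    Returns stage -> 'met' | 'missed' | 'pending' as of `as_of`."""
    r = {}
    detected = timeline["detected"]
    escalated = timeline.get("escalated")
    esc_due = detected + POLICY["escalation"]
    r["escalation"] = _status(escalated, esc_due, as_of)
    if escalated is None:
        # Containment clock starts at escalation; without escalation it cannot be met.
        r["containment"] = "pending" if as_of <= esc_due else "missed"
    else:
        r["containment"] = _status(timeline.get("contained"),
                                   escalated + POLICY["containment"], as_of)
    # The policy sets no clock for legal/compliance, only that it must happen.
    r["legal_notification"] = "met" if timeline.get("legal_notified") else "missed"
    closed = timeline.get("closed")
    if closed is None:
        r["after_action_review"] = "pending"
    else:
        review_due = add_business_days(closed, POLICY["review_business_days"])
        r["after_action_review"] = _status(timeline.get("review_completed"), review_due, as_of)
    return r

# Incident 24-017 as recorded in the exhibit (year assumed).
INCIDENT_24_017 = {
    "detected":         datetime(2026, 4, 3, 8, 5),
    "escalated":        datetime(2026, 4, 3, 11, 10),
    "contained":        datetime(2026, 4, 3, 11, 35),
    "legal_notified":   datetime(2026, 4, 3, 11, 50),
    "closed":           datetime(2026, 4, 18, 16, 0),
    "review_completed": None,
}
AS_OF = datetime(2026, 4, 30)

if __name__ == "__main__":
    for stage, status in evaluate(INCIDENT_24_017, AS_OF).items():
        print(f"{stage}: {status}")
```

Under the assumed year 4/18 is a Saturday, so the review falls due at 16:00 on Friday 4/24; with nothing attached by 4/30 the stage is missed. Escalation is missed (11:10 against a 09:05 deadline) while containment, measured from the late escalation, is met. This is the pattern the answer describes: the control that failed is escalation timing and the review, not containment or remediation, and the fix should be aimed there.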


Question 6

Topic: Security, Confidentiality and Privacy

A CPA is performing a walkthrough of an entity’s emergency privileged-access process.

Documented policy:

  • Emergency administrator access requires an approved ticket before access is granted.
  • Multifactor authentication (MFA) must be enabled before first use.
  • Emergency access must expire automatically after 8 hours.

Observed walkthrough:

  • A help desk analyst granted database administrator access immediately after receiving a phone request.
  • The ticket was created and approved 20 minutes after access was already active.
  • MFA was enabled later that afternoon.
  • The access remained active until it was manually removed 2 days later.

Which correction best aligns the observed process with the documented policy requirements?

  • A. Require the operations supervisor to notify internal audit by email whenever emergency privileged access is requested.
  • B. Increase the frequency of quarterly reviews of privileged-access listings to identify emergency access granted in error.
  • C. Suspend all emergency privileged access until management rewrites the policy and completes a full retraining program.
  • D. Implement a system-enforced workflow that requires an approved ticket and active MFA before privileged access is activated, with automatic removal after 8 hours.

Best answer: D

What this tests: Security, Confidentiality and Privacy

Explanation: The walkthrough shows the live process does not match policy in three places: approval timing, MFA timing, and access expiration. The best correction is to enforce those requirements within the access workflow so the process cannot bypass policy.

A walkthrough compares documented requirements with what actually happens in practice. Here, the observed procedure failed the policy because privileged access was granted before approval, used before MFA was enabled, and left active far beyond the 8-hour limit. The strongest remediation is a preventive control built into the provisioning or privileged-access workflow: no activation without an approved ticket, no first use without MFA, and automatic expiration after the authorized period. That directly aligns operations with policy and reduces reliance on manual follow-up. Detective reviews or extra notifications may provide oversight, but they do not correct the real-time control failure observed during the walkthrough.

  • Increasing quarterly reviews is a detective step; it may find problems later but does not stop access from being granted contrary to policy.
  • Requiring an email to internal audit adds communication, but it does not enforce prior approval, MFA before use, or automatic expiration.
  • Suspending all emergency access is disproportionate because the policy already exists; the issue is control execution, not the absence of a policy.

This remediation directly fixes all observed deviations from policy by making approval, MFA, and timely removal preventive system requirements.
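The difference between answer D and the detective options is that the policy conditions are checked at activation and at every use, so the walkthrough's three deviations cannot occur. The gate below is an added example written for this page, not the entity's system or any privileged-access product: activation refuses a request until an approved ticket exists and MFA is enrolled, and the grant carries its own expiry. replay_walkthrough() feeds the observed sequence through the gate; all names and times are constructed.

```python
# Added example (not part of the page): a system-enforced emergency-access gate
# that refuses activation without an approved ticket and active MFA and expires
# the grant after 8 hours. User, role and times are constructed.
from datetime import datetime, timedelta

MAX_DURATION = timedelta(hours=8)   # policy: emergency access expires after 8 hours

def activate(request, now):
    """Return a grant or raise PermissionError. `request` carries user, role,
    ticket_approved_at (datetime or None) and mfa_enrolled (bool).
    Both preconditions are evaluated at activation time, so a ticket approved
    after the fact or MFA enabled later cannot satisfy them retroactively."""
    approved = request.get("ticket_approved_at")
    if approved is None or approved > now:
        raise PermissionError("no approved ticket at activation time")
    if not request.get("mfa_enrolled", False):
        raise PermissionError("MFA must be active before first use")
    return {"user": request["user"], "role": request["role"],
            "activated_at": now, "expires_at": now + MAX_DURATION}

def is_active(grant, now):
    """Evaluated on every use: once expires_at passes, no manual removal is needed."""
    return grant["activated_at"] <= now < grant["expires_at"]

def _attempt(request, now):
    try:
        activate(request, now)
        return "granted"
    except PermissionError as err:
        return f"denied: {err}"

def replay_walkthrough():
    """Push the observed walkthrough through the gate and record each outcome."""
    t0 = datetime(2026, 5, 11, 9, 0)   # phone request arrives at the help desk
    req = {"user": "analyst1", "role": "db_admin",
           "ticket_approved_at": None, "mfa_enrolled": False}
    out = {}
    out["phone_request"] = _attempt(req, t0)                         # no ticket yet
    req["ticket_approved_at"] = t0 + timedelta(minutes=20)           # ticket 20 min later
    out["after_ticket_only"] = _attempt(req, t0 + timedelta(minutes=25))  # MFA still off
    req["mfa_enrolled"] = True                                       # "later that afternoon"
    t_ok = t0 + timedelta(hours=5)
    grant = activate(req, t_ok)
    out["after_ticket_and_mfa"] = "granted"
    out["active_after_1h"] = is_active(grant, t_ok + timedelta(hours=1))
    out["active_after_2d"] = is_active(grant, t_ok + timedelta(days=2))  # observed removal time
    return out

if __name__ == "__main__":
    for step, outcome in replay_walkthrough().items():
        print(f"{step}: {outcome}")
```

The phone request is refused, the ticket alone is refused, and the grant that is finally issued is dead long before the two-day manual removal in the walkthrough. The quarterly review and the audit e-mail in the distractors would only have reported these facts afterwards.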


Question 7

Topic: Security, Confidentiality and Privacy

A company’s data-handling standard and an incident ticket state:

Data-handling standard excerpt

  • Personal information: first name or initial and last name combined with SSN, driver’s license number, passport number, full financial account number, or health insurance member ID
  • Confidential information: standalone email addresses, customer IDs, masked account numbers, invoice amounts, and contract terms
  • Privacy officer notification is required when personal information may have been accessed by an unauthorized party

Incident ticket

  • A cloud folder was publicly accessible for 18 hours
  • Exposed files were invoice PDFs containing customer IDs, email addresses, masked account numbers showing only the last 4 digits, invoice amounts, and contract terms
  • No names or other personal-information elements from the standard were in the files
  • The incident manager opened the privacy breach workflow solely because customer data was exposed

What is the best correction to the incident manager’s response?

  • A. Reclassify it as a confidentiality incident and use the privacy breach workflow only if later evidence shows policy-defined personal information was exposed.
  • B. Keep it in the privacy breach workflow because exposure of any customer-related data is a privacy event.
  • C. Skip reclassification and notify all affected customers immediately because masked account numbers are sufficient personal information.
  • D. Reclassify it as an availability incident because the public folder created a service-level failure.

Best answer: A

What this tests: Security, Confidentiality and Privacy

Explanation: The source excerpt controls the answer. The exposed files contain confidential data only, so this should be handled as a confidentiality/security incident unless later investigation finds the policy-defined personal information that would trigger the privacy workflow.

This item tests application of the provided source material, not broad recall that “customer data” always means a privacy breach. The company’s own standard defines personal information narrowly: a name paired with a specified sensitive element such as SSN, full financial account number, or similar data. The incident involved email addresses, customer IDs, masked account numbers, invoice amounts, and contract terms, and the stem states that no names or other listed personal-information elements were present. That means the current facts support a confidentiality incident because unauthorized disclosure occurred, but they do not yet meet the policy trigger for privacy officer notification. The proper correction is to reclassify the response accordingly while continuing containment, investigation, and evidence gathering.

  • Treating any customer-related exposure as a privacy event ignores the policy definition given in the excerpt.
  • Reclassifying it as an availability incident addresses the wrong control objective; the issue is unauthorized exposure, not loss of system access or uptime.
  • Immediate customer notification overstates the required response because the stated policy trigger for a privacy workflow has not been met by masked account numbers alone.

The standard makes the decisive distinction: the exposed files contain confidential data, not the policy-defined personal information that triggers the privacy breach workflow.


Question 8

Topic: Security, Confidentiality and Privacy

A company uses a role-based purchasing application. Buyers are authorized to create purchase orders, but only purchasing managers are authorized to approve them. During access testing, the CPA finds that the application’s access control list grants the “Approve PO” permission to the entire Purchasing group, which includes buyers. What is the best correction?

  • A. Revise the access control list so only the purchasing manager role has the “Approve PO” permission.
  • B. Restrict buyer accounts to normal business hours.
  • C. Require multifactor authentication when users sign in to the purchasing application.
  • D. Require badge access to the purchasing department.

Best answer: A

What this tests: Security, Confidentiality and Privacy

Explanation: The issue is improper authorization, not weak authentication or physical access. The best fix is to change the application’s ACL so the approval function is assigned only to the purchasing manager role, consistent with least privilege.

Authorization controls determine what an authenticated user is allowed to do. In a role-based access model, permissions should be assigned to roles that match job responsibilities and enforced through an access control list or similar permission structure. Here, buyers should create purchase orders, while purchasing managers should approve them. Because the ACL gives approval rights to the broader Purchasing group, buyers have excessive privileges. The correct remediation is to revise the ACL so only the purchasing manager role can use the approval function. Restricting login hours is an account restriction that may reduce exposure but does not remove the improper approval right. Badge access is a physical barrier, and multifactor authentication strengthens identity verification, but neither corrects the application’s authorization design error.

  • Restricting buyer accounts to business hours is an account restriction, but buyers would still have improper approval rights during those hours.
  • Requiring badge access to the purchasing department is a physical barrier control and does not change application permissions.
  • Requiring multifactor authentication improves authentication, but it does not determine which functions a user is authorized to perform.

The weakness is an overly broad authorization rule, so the ACL should be limited to the role that is actually authorized to approve purchase orders.
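An access-testing pass over a role-based ACL can be reduced to two checks: does any role hold a permission the business rule does not assign to it, and does any user end up with both halves of a segregation-of-duties pair. The script below is an added example for this page, not the purchasing application's code: it compares the ACL as found with the corrected ACL against the stated rule (buyers create, purchasing managers approve). Role names, user names and the permission labels are constructed around the question.

```python
# Added example (not part of the page): check a role-based ACL against the
# stated business rule and check users for create/approve segregation-of-duties
# conflicts. Roles, users and permission labels are constructed.

# Business rule from the question: permission -> roles allowed to hold it
AUTHORIZED = {"Create PO": {"Purchasing"}, "Approve PO": {"PurchasingManager"}}
# Pairs of permissions that no single user may hold together
SOD_CONFLICTS = [("Create PO", "Approve PO")]

# ACL as found in testing: the whole Purchasing group can approve
ACL_AS_FOUND = {"Purchasing": {"Create PO", "Approve PO"},
                "PurchasingManager": {"Approve PO"}}
# ACL after the correction in answer A
ACL_CORRECTED = {"Purchasing": {"Create PO"},
                 "PurchasingManager": {"Approve PO"}}
USER_ROLES = {"buyer1": {"Purchasing"}, "buyer2": {"Purchasing"},
              "mgr1": {"PurchasingManager"}}

def excessive_grants(acl, authorized):
    """(role, permission) pairs the ACL grants that the business rule does not allow.
    A permission absent from `authorized` is treated as allowed to nobody."""
    return sorted((role, perm)
                  for role, perms in acl.items()
                  for perm in perms
                  if role not in authorized.get(perm, set()))

def effective_permissions(user, user_roles, acl):
    """Union of the permissions of every role the user holds."""
    return set().union(*(acl.get(role, set()) for role in user_roles.get(user, set())))

def sod_violations(user_roles, acl, conflicts):
    """Users whose effective permissions contain both halves of a conflict pair."""
    found = []
    for user in user_roles:
        perms = effective_permissions(user, user_roles, acl)
        for a, b in conflicts:
            if a in perms and b in perms:
                found.append((user, a, b))
    return found

if __name__ == "__main__":
    for label, acl in (("as found", ACL_AS_FOUND), ("corrected", ACL_CORRECTED)):
        print(label, "excessive:", excessive_grants(acl, AUTHORIZED),
              "SoD:", sod_violations(USER_ROLES, acl, SOD_CONFLICTS))
```

Against the ACL as found, the rule check flags the Purchasing group's Approve PO grant and the SoD check flags both buyers, who can create and approve their own orders; against the corrected ACL both lists are empty. MFA, login hours and badge access do not change either result, because none of them alters what an authenticated buyer is permitted to do.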


Question 9

Topic: Security, Confidentiality and Privacy

An accounts payable employee reports that her workstation suddenly began opening command windows, making repeated outbound connections to an unfamiliar IP address, and attempting to modify files on a shared drive. The security team confirms the activity started 5 minutes ago and is currently limited to that workstation. What should the company do next to best mitigate the current risk?

  • A. Review endpoint and firewall logs for the last 30 days.
  • B. Reconfigure network segments to separate accounts payable from the file server.
  • C. Quarantine the affected workstation from the network immediately.
  • D. Accelerate patch deployment to all finance workstations.

Best answer: C

What this tests: Security, Confidentiality and Privacy

Explanation: The workstation is showing active malicious behavior, so the first priority is containment. Quarantining the device immediately reduces the chance of lateral movement or further damage, while log review, patching, and segmentation are more appropriate after the immediate threat is contained.

When a single device is actively compromised, quarantine is the best immediate corrective action. Isolating the affected workstation from the network can stop continued communication with malicious external hosts and reduce the risk of spreading to shared drives or other internal systems. Log analysis is useful for understanding scope and timeline, but it does not itself contain the attack. Patching is a preventive measure that helps close vulnerabilities for future protection, yet it does not stop a device already exhibiting malicious behavior. Segmentation is also a preventive architecture control that can limit future lateral movement, but it is not the fastest next step for a known infected endpoint. Given these facts, immediate quarantine best mitigates the current risk.

  • Reviewing logs helps investigate the incident, but it does not immediately stop the active malicious activity.
  • Accelerated patching is important for future prevention, but it is not the first action for a workstation already showing signs of compromise.
  • Reconfiguring network segments can improve long-term resilience, but it is slower and less direct than isolating the known affected device right away.

Immediate quarantine is the fastest way to contain an active compromise and prevent further spread or file modification.


Question 10

Topic: Security, Confidentiality and Privacy

A CPA reviewing confidentiality controls over vendor ACH payments obtains the following:

  • Documented confidentiality procedure: Full routing and account numbers may be viewed only within the encrypted treasury application. Exception reviews must be performed in the application, and exports of full numbers are prohibited.
  • Walkthrough observation: The treasury analyst exports a daily CSV of full routing and account numbers to a shared folder so the supervisor can review exceptions more quickly.
  • Additional fact: The shared folder is accessible to all treasury staff. No evidence indicates access outside treasury or misuse of the file.

How should this inconsistency be characterized?

  • A. An operating deviation from the stated confidentiality procedure
  • B. A confirmed security incident involving unauthorized disclosure
  • C. An availability issue caused by inadequate data retention
  • D. A design deficiency in the stated confidentiality procedure

Best answer: A

What this tests: Security, Confidentiality and Privacy

Explanation: The best conclusion is an operating deviation from the stated confidentiality procedure. The source material requires in-application review and prohibits exports, but the observed process routinely exports full bank data to a broader-access shared folder. That means the control is not operating as described.

When source materials conflict with observed procedures, the observed procedure is stronger evidence of how the control actually operates. Here, the documented confidentiality procedure is clear: full account data must stay within the encrypted treasury application, and exception review must occur there without exporting full numbers. The walkthrough shows staff bypassing that process for convenience and placing sensitive data in a shared folder with broader access. That is best characterized as an operating deviation affecting confidentiality. It is not primarily a design deficiency, because the documented design already addresses the risk. It is also not a confirmed security incident, because the facts do not show unauthorized access, misuse, or disclosure beyond the treasury group. The issue is excess exposure of sensitive data through noncompliance with the stated procedure.

  • A design deficiency would apply if the documented procedure failed to address the confidentiality risk; here, the procedure already prohibits exports and requires in-application review.
  • A confirmed security incident goes beyond the facts; the stem shows broader internal exposure, not proven unauthorized access or misuse.
  • An availability issue misclassifies the problem because the concern is improper storage and access of sensitive data, not inability to retrieve or use data.

The written procedure addresses the risk, but the observed daily export to a broader-access shared folder shows the confidentiality control is not operating as described.

Continue with full practice

Use the CPA ISC Practice Test page for the full practice route, mixed-topic practice, timed mock exams, and explanations.

Free review resource

Read the CPA ISC guide on CPAExamsMastery.com, then return to Mastery Exam Prep for timed practice.

Revised on Wednesday, May 13, 2026