CISA Question #299: Real Exam Question with Answer & Explanation

The correct answer is A: An employee is sending company documents to an external email to increase productivity.

Submitted by andreas_gr · Apr 18, 2026 · Protection of Information Assets

Question

Which of the following risk scenarios is BEST mitigated through the use of a data loss prevention (DLP) tool?

Options

  • A. An employee is sending company documents to an external email to increase productivity
  • B. A former employee retains access to an application that authenticates via single sign-on (SSO)
  • C. An employee uses production data in a test environment
  • D. An employee selects the incorrect data classification on documents

Explanation

DLP tools are specifically designed to detect and block the unauthorized transmission of sensitive data outside organizational boundaries - exactly what's happening when an employee emails company documents to an external address, regardless of their intent. This is the core use case DLP was built for: monitoring outbound channels (email, web uploads, USB transfers) and preventing data exfiltration in real time.

Why the distractors are wrong:

  • B is an access management/identity problem - a former employee's lingering SSO access is fixed by deprovisioning (offboarding) controls or an IAM/PAM solution, not DLP.
  • C is a data governance/environment segregation issue - solved through policies, data masking, or environment controls, not content-aware transmission monitoring.
  • D is a user classification error - DLP can enforce classification rules, but selecting the wrong label is a training or metadata governance problem; the document never left the organization in this scenario.

Memory tip: Think of DLP as a "border guard" - it only intervenes when data is crossing a boundary (leaving the org). If the risk is about access, classification, or internal misuse with no outbound movement, DLP is not your primary control.
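To make the "border guard" idea concrete, here is a toy content-aware outbound email check in the style of a DLP policy engine. It is an added example written for this page, not code from nerdexam or from any DLP product; the internal mail domain, the classification labels, the detection patterns and the sample messages are all constructed assumptions. It shows why scenario A is the DLP case: the same confidential attachment sent to an internal colleague produces no DLP event at all, because nothing crosses the boundary.

```python
"""Toy outbound-email DLP check (added illustration; all values constructed)."""
import re
from dataclasses import dataclass, field

# Assumption: the organisation's own mail domains; anything else is "outside".
INTERNAL_DOMAINS = {"example.com"}
# Assumption: classification labels that must not leave the organisation.
BLOCKED_LABELS = {"confidential", "restricted"}
# Constructed content rules; a real policy would carry many more.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
CONTENT_PATTERNS = {
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "project_codename": re.compile(r"\bPROJECT[- ]ORION\b", re.I),
}


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: dict = field(default_factory=dict)  # name -> (label, extracted text)


@dataclass
class Verdict:
    action: str    # "allow" or "block"
    reasons: list


def is_external(address):
    """True when the recipient's domain is not one of ours."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def luhn_ok(digits):
    """Luhn checksum, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Return the sorted names of the content rules that fire on text."""
    hits = set()
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.add("payment_card")
    for name, pat in CONTENT_PATTERNS.items():
        if pat.search(text):
            hits.add(name)
    return sorted(hits)


def inspect(msg):
    """Content inspection runs only when data would cross the boundary."""
    external = [r for r in msg.recipients if is_external(r)]
    if not external:
        # Internal mail: not a DLP event; access or governance controls apply instead.
        return Verdict("allow", ["all recipients internal; no boundary crossing"])
    reasons = []
    hits = find_sensitive(msg.subject + "\n" + msg.body)
    if hits:
        reasons.append(f"message text matches {hits}")
    for name, (label, text) in msg.attachments.items():
        if label.lower() in BLOCKED_LABELS:
            reasons.append(f"attachment {name} is labelled {label}")
        hits = find_sensitive(text)
        if hits:
            reasons.append(f"attachment {name} matches {hits}")
    if reasons:
        return Verdict("block", [f"external recipients {external}"] + reasons)
    return Verdict("allow", [f"external recipients {external}; nothing sensitive found"])


# Constructed sample messages.
FORECAST = ("Confidential", "FY26 forecast: PROJECT-ORION revenue 4.2M")
SCENARIO_A = Message("alice@example.com", ["alice.home@mail-example.net"],
                     "Taking work home", "So I can finish this tonight",
                     {"q3-forecast.xlsx": FORECAST})
INTERNAL_COPY = Message("alice@example.com", ["bob@example.com"],
                        "Forecast for review", "See attached",
                        {"q3-forecast.xlsx": FORECAST})
BENIGN_EXTERNAL = Message("alice@example.com", ["vendor@partner-example.org"],
                          "Lunch?", "Thursday at noon works for me")
CARD_IN_BODY = Message("alice@example.com", ["vendor@partner-example.org"],
                       "Invoice", "Charge it to 4111 1111 1111 1111, exp 12/28")

if __name__ == "__main__":
    for m in (SCENARIO_A, INTERNAL_COPY, BENIGN_EXTERNAL, CARD_IN_BODY):
        v = inspect(m)
        print(f"{v.action.upper():5} {m.subject!r}: {'; '.join(v.reasons)}")
```

Running it blocks SCENARIO_A (confidential label plus a codename hit) and CARD_IN_BODY, while INTERNAL_COPY is allowed without inspection and the benign external mail passes. The Luhn check on digit runs is the kind of tuning a real deployment needs so that phone numbers and order IDs do not flood the block queue.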

Topics

#Data Loss Prevention (DLP) · #Information Security Controls · #Data Protection · #Risk Mitigation
