CCISO Study Questions Flashcards
(343 cards)
1
Q
Question No : 1 - Topic 1 Who in the organization determines access to information? A. Legal department B. Compliance officer C. Data Owner D. Information security officer
A
Answer : C
2
Q
Question No : 2 - Topic 1
What is the BEST way to achieve on-going compliance monitoring in an organization?
A. Only check compliance right before the auditors are scheduled to arrive onsite.
B. Outsource compliance to a 3rd party vendor and let them manage the program.
C. Have Compliance and Information Security partner to correct issues as they arise.
D. Have Compliance direct Information Security to fix issues after the auditors report.
A
Answer : C
3
Q
Question No : 3 - Topic 1 When dealing with a risk management process, asset classification is important because it will impact the overall: A. Threat identification B. Risk monitoring C. Risk treatment D. Risk tolerance
A
Answer : C
4
Q
Question No : 4 - Topic 1
Ensuring that the actions of a set of people, applications and systems follow the
organizations rules is BEST described as:
A. Risk management
B. Security management
C. Mitigation management
D. Compliance management
A
Answer : D
5
Q
Question No : 5 - Topic 1
Which of the following is a MAJOR consideration when an organization retains sensitive
customer data and uses this data to better target the organizations products and services?
A. Strong authentication technologies
B. Financial reporting regulations
C. Credit card compliance and regulations
D. Local privacy laws
A
Answer : D
6
Q
Question No : 6 - Topic 1
Which of the following is a benefit of information security governance?
A. Questioning the trust in vendor relationships.
B. Increasing the risk of decisions based on incomplete management information.
C. Direct involvement of senior management in developing control processes
D. Reduction of the potential for civil and legal liability
A
Answer : D
7
Q
Question No : 7 - Topic 1
In accordance with best practices and international standards, how often is security
awareness training provided to employees of an organization?
A. High risk environments 6 months, low risk environments 12 months
B. Every 12 months
C. Every 18 months
D. Every six months
A
Answer : B
8
Q
Question No : 8 - Topic 1
Which of the following is of MOST importance when security leaders of an organization are
required to align security to influence the culture of an organization?
A. Poses a strong technical background
B. Understand all regulations affecting the organization
C. Understand the business goals of the organization
D. Poses a strong auditing background
A
Answer : C
9
Q
Question No : 9 - Topic 1
Which of the following is used to establish and maintain a framework to provide assurance
that information security strategies are aligned with organizational objectives?
A. Awareness
B. Compliance
C. Governance
D. Management
A
Answer : C
10
Q
Question No : 10 - Topic 1
Which of the following provides an audit framework?
A. Control Objectives for IT (COBIT)
B. Payment Card Industry-Data Security Standard (PCI-DSS)
C. International Organization Standard (ISO) 27002
D. National Institute of Standards and Technology (NIST) SP 800-30
A
Answer : A
11
Q
Question No : 11 - Topic 1
The PRIMARY objective of security awareness is to:
A. Ensure that security policies are read.
B. Encourage security-conscious employee behavior.
C. Meet legal and regulatory requirements.
D. Put employees on notice in case follow-up action for noncompliance is necessary
A
Answer : B
12
Q
Question No : 12 - Topic 1
When deploying an Intrusion Prevention System (IPS) the BEST way to get maximum
protection from the system is to deploy it
A. In promiscuous mode and only detect malicious traffic.
B. In-line and turn on blocking mode to stop malicious traffic.
C. In promiscuous mode and block malicious traffic.
D. In-line and turn on alert mode to stop malicious traffic.
A
Answer : B
13
Q
Question No : 13 - Topic 1
Risk is defined as:
A. Threat times vulnerability divided by control
B. Advisory plus capability plus vulnerability
C. Asset loss times likelihood of event
D. Quantitative plus qualitative impact
A
Answer : A
14
Q
Question No : 14 - Topic 1
Which of the following are the MOST important factors for proactively determining system
vulnerabilities?
A. Subscribe to vendor mailing list to get notification of system vulnerabilities
B. Deploy Intrusion Detection System (IDS) and install anti-virus on systems
C. Configure firewall, perimeter router and Intrusion Prevention System (IPS)
D. Conduct security testing, vulnerability scanning, and penetration testing
A
Answer : D
15
Q
Question No : 15 - Topic 1 What is the first thing that needs to be completed in order to create a security program for your organization? A. Risk assessment B. Security program budget C. Business continuity plan D. Compliance and regulatory analysis
A
Answer : A
16
Q
Question No : 16 - Topic 1
According to ISO 27001, of the steps for establishing an Information Security Governance
program listed below, which comes first?
A. Identify threats, risks, impacts and vulnerabilities
B. Decide how to manage risk
C. Define the budget of the Information Security Management System
D. Define Information Security Policy
A
Answer : D
17
Q
Question No : 17 - Topic 1
The framework that helps to define a minimum standard of protection that business
stakeholders must attempt to achieve is referred to as a standard of:
A. Due Protection
B. Due Care
C. Due Compromise
D. Due process
A
Answer : B
18
Q
Question No : 18 - Topic 1
Developing effective security controls is a balance between:
A. Risk Management and Operations
B. Corporate Culture and Job Expectations
C. Operations and Regulations
D. Technology and Vendor Management
A
Answer : A
19
Q
Question No : 19 - Topic 1
According to the National Institute of Standards and Technology (NIST) SP 800-40, which
of the following considerations are MOST important when creating a vulnerability
management program?
A. Susceptibility to attack, mitigation response time, and cost
B. Attack vectors, controls cost, and investigation staffing needs
C. Vulnerability exploitation, attack recovery, and mean time to repair
D. Susceptibility to attack, expected duration of attack, and mitigation availability
A
Answer : A
20
Q
Question No : 20 - Topic 1
The Information Security Management program MUST protect:
A. all organizational assets
B. critical business processes and /or revenue streams
C. intellectual property released into the public domain
D. against distributed denial of service attacks
A
Answer : B
21
Q
Question No : 21 – Topic 1
A company wants to fill a Chief Information Security Officer position in the organization.
They need to define and implement a more holistic security program. Which of the following
qualifications and experience would be MOST desirable to find in a candidate?
A. Multiple certifications, strong technical capabilities and lengthy resume
B. Industry certifications, technical knowledge and program management skills
C. College degree, audit capabilities and complex project management
D. Multiple references, strong background check and industry certifications
A
Answer : B
22
Q
Question No : 22 - Topic 1
In which of the following cases, would an organization be more prone to risk acceptance
vs. risk mitigation?
A. The organization uses exclusively a quantitative process to measure risk
B. The organization uses exclusively a qualitative process to measure risk
C. The organization’s risk tolerance is high
D. The organization’s risk tolerance is lo
A
Answer : C
23
Q
Question No : 23 - Topic 1 Within an organizations vulnerability management program, who has the responsibility to implement remediation actions? A. Security officer B. Data owner C. Vulnerability engineer D. System administrator
A
Answer : D
24
Q
Question No : 24 - Topic 1
An organization information security policy serves to
A. establish budgetary input in order to meet compliance requirements
B. establish acceptable systems and user behavior
C. define security configurations for systems
D. define relationships with external law enforcement agencies
A
Answer : B
25
Question No : 25 - Topic 1
You have recently drafted a revised information security policy. From whom should you
seek endorsement in order to have the GREATEST chance for adoption and
implementation throughout the entire organization?
A. Chief Information Security Officer
B. Chief Executive Officer
C. Chief Information Officer
D. Chief Legal Counsel
Answer : B
26
Question No : 26 - Topic 1
What is the relationship between information protection and regulatory compliance?
A. That all information in an organization must be protected equally.
B. The information required to be protected by regulatory mandate does not have to be identified in the organizations data
classification policy.
C. That the protection of some information such as National ID information is mandated by regulation and other information
such as trade secrets are protected based on business need.
D. There is no relationship between the two.
Answer : C
27
Question No : 27 - Topic 1
Which of the following is the MAIN reason to follow a formal risk management process in
an organization that hosts and uses privately identifiable information (PII) as part of their
business models and processes?
A. Need to comply with breach disclosure laws
B. Need to transfer the risk associated with hosting PII data
C. Need to better understand the risk associated with using PII data
D. Fiduciary responsibility to safeguard credit card information
Answer : C
28
Question No : 28 - Topic 1
What should an organization do to ensure that they have a sound Business Continuity (BC)
Plan?
A. Test every three years to ensure that things work as planned
B. Conduct periodic tabletop exercises to refine the BC plan
C. Outsource the creation and execution of the BC plan to a third party vendor
D. Conduct a Disaster Recovery (DR) exercise every year to test the plan
Answer : B
29
Question No : 29 - Topic 1
What is the MAIN reason for conflicts between Information Technology and Information
Security programs?
A. Technology governance defines technology policies and standards while security governance does not.
B. Security governance defines technology best practices and Information Technology governance does not.
C. Technology Governance is focused on process risks whereas Security Governance is focused on business risk.
D. The effective implementation of security controls can be viewed as an inhibitor to rapid Information Technology
implementations.
Answer : D
30
Question No : 30 - Topic 1
If your organization operates under a model of "assumption of breach", you should:
A. Protect all information resource assets equally
B. Establish active firewall monitoring protocols
C. Purchase insurance for your compliance liability
D. Focus your security efforts on high value assets
Answer : C
31
Question No : 31 - Topic 1
A global retail company is creating a new compliance management process. Which of the
following regulations is of MOST importance to be tracked and managed by this process?
A. Information Technology Infrastructure Library (ITIL)
B. International Organization for Standardization (ISO) standards
C. Payment Card Industry Data Security Standards (PCI-DSS)
D. National Institute for Standards and Technology (NIST) standard
Answer : C
32
Question No : 32 - Topic 1
When an organization claims it is secure because it is PCI-DSS certified, what is a good
first question to ask towards assessing the effectiveness of their security program?
A. How many credit card records are stored?
B. How many servers do you have?
C. What is the scope of the certification?
D. What is the value of the assets at risk?
Answer : C
33
```
Question No : 33 - Topic 1
When managing the security architecture for your company you must consider:
A. Security and IT Staff size
B. Company Values
C. Budget
D. All of the above
```
Answer : D
34
```
Question No : 34 - Topic 1
A method to transfer risk is to:
A. Implement redundancy
B. move operations to another region
C. purchase breach insurance
D. Alignment with business operations
```
Answer : C
35
Question No : 35 - Topic 1
Why is it vitally important that senior management endorse a security policy?
A. So that they will accept ownership for security within the organization.
B. So that employees will follow the policy directives.
C. So that external bodies will recognize the organizations commitment to security.
D. So that they can be held legally accountable.
Answer : A
36
```
Question No : 36 - Topic 1
Risk that remains after risk mitigation is known as
A. Persistent risk
B. Residual risk
C. Accepted risk
D. Non-tolerated risk
```
Answer : B
37
Question No : 37 - Topic 1
A Security Operations Centre (SOC) manager is informed that a database containing highly
sensitive corporate strategy information is under attack. Information has been stolen and
the database server was disconnected. Who must be informed of this incident?
A. Internal audit
B. The data owner
C. All executive staff
D. Government regulators
Answer : B
38
Question No : 38 - Topic 1
What two methods are used to assess risk impact?
A. Cost and annual rate of expectance
B. Subjective and Objective
C. Qualitative and percent of loss realized
D. Quantitative and qualitative
Answer : D
39
Question No : 39 - Topic 1
Which of the following is a critical operational component of an Incident Response Program
(IRP)?
A. Weekly program budget reviews to ensure the percentage of program funding remains constant.
B. Annual review of program charters, policies, procedures and organizational agreements.
C. Daily monitoring of vulnerability advisories relating to your organizations deployed technologies.
D. Monthly program tests to ensure resource allocation is sufficient for supporting the needs of the organization
Answer : C
40
Question No : 40 - Topic 1
The PRIMARY objective for information security program development should be:
A. Reducing the impact of the risk to the business.
B. Establishing strategic alignment with bunsiness continuity requirements
C. Establishing incident response programs.
D. Identifying and implementing the best security solutions.
Answer : A
41
Question No : 41 - Topic 1
Which of the following functions MUST your Information Security Governance program
include for formal organizational reporting?
A. Audit and Legal
B. Budget and Compliance
C. Human Resources and Budget
D. Legal and Human Resources
Answer : A
42
Question No : 42 - Topic 1
Which of the following should be determined while defining risk management strategies?
A. Organizational objectives and risk tolerance
B. Risk assessment criteria
C. IT architecture complexity
D. Enterprise disaster recovery plans
Answer : A
43
Question No : 43 - Topic 1
The purpose of NIST SP 800-53 as part of the NIST System Certification and Accreditation
Project is to establish a set of standardized, minimum security controls for IT systems
addressing low, moderate, and high levels of concern for
A. Confidentiality, Integrity and Availability
B. Assurance, Compliance and Availability
C. International Compliance
D. Integrity and Availability
Answer : A
44
Question No : 44 - Topic 1
A security manager regualrly checks work areas after buisness hours for security
violations; such as unsecured files or unattended computers with active sessions. This
activity BEST demonstrates what part of a security program?
A. Audit validation
B. Physical control testing
C. Compliance management
D. Security awareness training
Answer : C
45
```
Question No : 45 - Topic 1
Which of the following represents the HIGHEST negative impact resulting from an
ineffective security governance program?
A. Reduction of budget
B. Decreased security awareness
C. Improper use of information resources
D. Fines for regulatory non-compliance
```
Answer : D
46
Question No : 46 - Topic 1
Quantitative Risk Assessments have the following advantages over qualitative risk
assessments:
A. They are objective and can express risk / cost in real numbers
B. They are subjective and can be completed more quickly
C. They are objective and express risk / cost in approximates
D. They are subjective and can express risk /cost in real numbers
Answer : A
47
Question No : 47 - Topic 1
The Information Security Governance program MUST:
A. integrate with other organizational governance processes
B. support user choice for Bring Your Own Device (BYOD)
C. integrate with other organizational governance processes
D. show a return on investment for the organization
Answer : A
48
Question No : 48 - Topic 1
An organizations firewall technology needs replaced. A specific technology has been
selected that is less costly than others and lacking in some important capabilities. The
security officer has voiced concerns about sensitive data breaches but the decision is
made to purchase. What does this selection indicate?
A. A high threat environment
B. A low risk tolerance environment
C. I low vulnerability environment
D. A high risk tolerance environment
Answer : D
49
Question No : 49 - Topic 1
When choosing a risk mitigation method what is the MOST important factor?
A. Approval from the board of directors
B. Cost of the mitigation is less than the risk
C. Metrics of mitigation method success
D. Mitigation method complies with PCI regulations
Answer : B
50
```
Question No : 50 - Topic 1
The FIRST step in establishing a security governance program is to?
A. Conduct a risk assessment.
B. Obtain senior level sponsorship.
C. Conduct a workshop for all end users.
D. Prepare a security budget.
```
Answer : B
51
Question No : 51 - Topic 1
The success of the Chief Information Security Officer is MOST dependent upon:
A. favorable audit findings
B. following the recommendations of consultants and contractors
C. development of relationships with organization executives
D. raising awareness of security issues with end users
Answer : C
52
```
Question No : 52 - Topic 1
Which of the following is a weakness of an asset or group of assets that can be exploited
by one or more threats?
A. Threat
B. Vulnerability
C. Attack vector
D. Exploitation
```
Answer : B
53
Question No : 53 - Topic 1
Which of the following is MOST important when dealing with an Information Security
Steering committee:
A. Include a mix of members from different departments and staff levels.
B. Ensure that security policies and procedures have been vetted and approved.
C. Review all past audit and compliance reports.
D. Be briefed about new trends and products at each meeting by a vendor.
Answer : C
54
```
Question No : 54 - Topic 1
Which of the following intellectual Property components is focused on maintaining brand
recognition?
A. Trademark
B. Patent
C. Research Logs
D. Copyright
```
Answer : A
55
Question No : 55 - Topic 1
An organization has defined a set of standard security controls. This organization has also
defined the circumstances and conditions in which they must be applied. What is the NEXT
logical step in applying the controls in the organization?
A. Determine the risk tolerance
B. Perform an asset classification
C. Create an architecture gap analysis
D. Analyze existing controls on systems
Answer : B
56
```
Question No : 56 – Topic 1
What is the definition of Risk in Information Security?
A. Risk = Probability x Impact
B. Risk = Threat x Probability
C. Risk = Financial Impact x Probability
D. Risk = Impact x Threat
```
Answer : A
57
Question No : 57 - Topic 1
What role should the CISO play in properly scoping a PCI environment?
A. Validate the business units suggestions as to what should be included in the scoping process
B. Work with a Qualified Security Assessor (QSA) to determine the scope of the PCI environment
C. Ensure internal scope validation is completed and that an assessment has been done to discover all credit card data
D. Complete the self-assessment questionnaire and work with an Approved Scanning Vendor (ASV) to determine scope
Answer : C
58
```
Question No : 58 - Topic 1
Risk appetite directly affects what part of a vulnerability management program?
A. Staff
B. Scope
C. Schedule
D. Scan tools
```
Answer : B
59
Question No : 59 - Topic 1
A global retail organization is looking to implement a consistent Disaster Recovery and
Business Continuity Process across all of its business units. Which of the following
standards and guidelines can BEST address this organizations need?
A. International Organization for Standardizations – 22301 (ISO-22301)
B. Information Technology Infrastructure Library (ITIL)
C. Payment Card Industry Data Security Standards (PCI-DSS)
D. International Organization for Standardizations – 27005 (ISO-27005)
Answer : A
60
Question No : 60 - Topic 1
The alerting, monitoring and life-cycle management of security related events is typically
handled by the
A. security threat and vulnerability management process
B. risk assessment process
C. risk management process
D. governance, risk, and compliance tools
Answer : A
61
Question No : 61 - Topic 1
An organization's Information Security Policy is of MOST importance because
A. it communicates management’s commitment to protecting information resources
B. it is formally acknowledged by all employees and vendors
C. it defines a process to meet compliance requirements
D. it establishes a framework to protect confidential information
Answer : A
62
Question No : 62 - Topic 1
You have purchased a new insurance policy as part of your risk strategy. Which of the
following risk strategy options have you engaged in?
A. Risk Avoidance
B. Risk Acceptance
C. Risk Transfer
D. Risk Mitigation
Answer : C
63
Question No : 63 - Topic 1
Information security policies should be reviewed:
A. by stakeholders at least annually
B. by the CISO when new systems are brought online
C. by the Incident Response team after an audit
D. by internal audit semiannually
Answer : A
64
Question No : 64 - Topic 1
When managing an Information Security Program, which of the following is of MOST
importance in order to influence the culture of an organization?
A. An independent Governance, Risk and Compliance organization
B. Alignment of security goals with business goals
C. Compliance with local privacy regulations
D. Support from Legal and HR teams
Answer : B
65
Question No : 65 - Topic 1
Payment Card Industry (PCI) compliance requirements are based on what criteria?
A. The types of cardholder data retained
B. The duration card holder data is retained
C. The size of the organization processing credit card data
D. The number of transactions performed per year by an organization
Answer : D
66
Question No : 66 - Topic 1
The single most important consideration to make when developing your security program,
policies, and processes is:
A. Budgeting for unforeseen data compromises
B. Streamlining for efficiency
C. Alignment with the business
D. Establishing your authority as the Security Executive
Answer : C
67
Question No : 67 - Topic 1
An organization is looking for a framework to measure the efficiency and effectiveness of
their Information Security Management System. Which of the following international
standards can BEST assist this organization?
A. International Organization for Standardizations – 27004 (ISO-27004)
B. Payment Card Industry Data Security Standards (PCI-DSS)
C. Control Objectives for Information Technology (COBIT)
D. International Organization for Standardizations – 27005 (ISO-27005)
Answer : A
68
Question No : 68 - Topic 1
Which of the following is considered the MOST effective tool against social engineering?
A. Anti-phishing tools
B. Anti-malware tools
C. Effective Security Vulnerability Management Program
D. Effective Security awareness program
Answer : D
69
```
Question No : 69 - Topic 1
You have a system with 2 identified risks. You determine the probability of one risk
occurring is higher than the
A. Controlled mitigation effort
B. Risk impact comparison
C. Relative likelihood of event
D. Comparative threat analysis
```
Answer : C
70
Question No : 70 - Topic 1
When briefing senior management on the creation of a governance process, the MOST
important aspect should be:
A. information security metrics.
B. knowledge required to analyze each issue.
C. baseline against which metrics are evaluated.
D. linkage to business area objectives.
Answer : D
71
Question No : 71 - Topic 1
Which of the following is the MOST important for a CISO to understand when identifying
threats?
A. How vulnerabilities can potentially be exploited in systems that impact the organization
B. How the security operations team will behave to reported incidents
C. How the firewall and other security devices are configured to prevent attacks
D. How the incident management team prepares to handle an attack
Answer : A
72
Question No : 72 - Topic 1
A global health insurance company is concerned about protecting confidential information.
Which of the following is of MOST concern to this organization?
A. Compliance to the Payment Card Industry (PCI) regulations.
B. Alignment with financial reporting regulations for each country where they operate.
C. Alignment with International Organization for Standardization (ISO) standards.
D. Compliance with patient data protection regulations for each country where they operate.
Answer : D
73
Question No : 73 - Topic 1
Which of the following is the MOST important benefit of an effective security governance
process?
A. Reduction of liability and overall risk to the organization
B. Better vendor management
C. Reduction of security breaches
D. Senior management participation in the incident response process
Answer : A
74
Question No : 74 - Topic 1
A business unit within your organization intends to deploy a new technology in a manner
that places it in violation of existing information security standards. What immediate action
should the information security manager take?
A. Enforce the existing security standards and do not allow the deployment of the new technology.
B. Amend the standard to permit the deployment.
C. If the risks associated with that technology are not already identified, perform a risk analysis to quantify the risk, and allow
the business unit to proceed based on the identified risk level.
D. Permit a 90-day window to see if an issue occurs and then amend the standard if there are no issues.
Answer : C
75
Question No : 75 - Topic 1
When creating a vulnerability scan schedule, who is the MOST critical person to
communicate with in order to ensure impact of the scan is minimized?
A. The asset owner
B. The asset manager
C. The data custodian
D. The project manager
Answer : A
76
Question No : 76 - Topic 1
A security officer wants to implement a vulnerability scanning program. The officer is
uncertain of the state of vulnerability resiliency within the organizations large IT
infrastructure. What would be the BEST approach to minimize scan data output while
retaining a realistic view of system vulnerability?
A. Scan a representative sample of systems
B. Perform the scans only during off-business hours
C. Decrease the vulnerabilities within the scan tool settings
D. Filter the scan output so only pertinent data is analyzed
Answer : A
77
```
Question No : 77 - Topic 1
When dealing with Security Incident Response procedures, which of the following steps
come FIRST when reacting to an incident?
A. Escalation
B. Recovery
C. Eradication
D. Containment
```
Answer : D
78
```
Question No : 78 - Topic 1
Credit card information, medical data, and government records are all examples of:
A. Confidential/Protected Information
B. Bodily Information
C. Territorial Information
D. Communications Information
```
Answer : A
79
Question No : 79 - Topic 1
What is the main purpose of the Incident Response Team?
A. Ensure efficient recovery and reinstate repaired systems
B. Create effective policies detailing program activities
C. Communicate details of information security incidents
D. Provide current employee awareness programs
Answer : A
80
Question No : 80 - Topic 1
An organization licenses and uses personal information for business operations, and a
server containing that information has been compromised. What kind of law would require
notifying the owner or licensee of this incident?
A. Data breach disclosure
B. Consumer right disclosure
C. Security incident disclosure
D. Special circumstance disclosure
Answer : A
81
Question No : 81 – Topic 1
Which of the following international standards can be BEST used to define a Risk
Management process in an organization?
A. National Institute for Standards and Technology 800-50 (NIST 800-50)
B. International Organization for Standardizations – 27005 (ISO-27005)
C. Payment Card Industry Data Security Standards (PCI-DSS)
D. International Organization for Standardizations – 27004 (ISO-27004)
Answer : B
82
```
Question No : 82 - Topic 1
Which of the following is MOST likely to be discretionary?
A. Policies
B. Procedures
C. Guidelines
D. Standards
```
Answer : C
83
Question No : 83 - Topic 1
When would it be more desirable to develop a set of decentralized security policies and
procedures within an enterprise environment?
A. When there is a need to develop a more unified incident response capability.
B. When the enterprise is made up of many business units with diverse business activities, risks profiles and regulatory
requirements.
C. When there is a variety of technologies deployed in the infrastructure.
D. When it results in an overall lower cost of operating the security program.
Answer : B
84
Question No : 84 - Topic 1
A security professional has been promoted to be the CISO of an organization. The first task
is to create a security policy for this organization. The CISO creates and publishes the
security policy. This policy however, is ignored and not enforced consistently. Which of the
following is the MOST likely reason for the policy shortcomings?
A. Lack of a formal security awareness program
B. Lack of a formal security policy governance process
C. Lack of formal definition of roles and responsibilities
D. Lack of a formal risk management policy
Answer : B
85
Question No : 85 - Topic 1
Which of the following most commonly falls within the scope of an information security
governance steering committee?
A. Approving access to critical financial systems
B. Developing content for security awareness programs
C. Interviewing candidates for information security specialist positions
D. Vetting information security policies
Answer : D
86
Question No : 86 - Topic 1
One of the MAIN goals of a Business Continuity Plan is to
A. Ensure all infrastructure and applications are available in the event of a disaster
B. Allow all technical first-responders to understand their roles in the event of a disaster
C. Provide step by step plans to recover business processes in the event of a disaster
D. Assign responsibilities to the technical teams responsible for the recovery of all data.
Answer : C
87
Question No : 87 - Topic 1
Which of the following has the GREATEST impact on the implementation of an information
security governance model?
A. Organizational budget
B. Distance between physical locations
C. Number of employees
D. Complexity of organizational structure
Answer : D
88
Question No : 88 - Topic 1
What is a difference from the list below between quantitative and qualitative Risk
Assessment?
A. Quantitative risk assessments result in an exact number (in monetary terms)
B. Qualitative risk assessments result in a quantitative assessment (high, medium, low, red, yellow, green)
C. Qualitative risk assessments map to business objectives
D. Quantitative risk assessments result in a quantitative assessment (high, medium, low, red, yellow, green)
Answer : A
89
Question No : 89 - Topic 1
After a risk assessment is performed, a particular risk is considered to have the potential of
costing the organization 1.2 Million USD. This is an example of
A. Risk Tolerance
B. Qualitative risk analysis
C. Risk Appetite
D. Quantitative risk analysis
Answer : D
90
Question No : 90 - Topic 1
A security manager has created a risk program. Which of the following is a critical part of
ensuring the program is successful?
A. Providing a risk program governance structure
B. Ensuring developers include risk control comments in code
C. Creating risk assessment templates based on specific threats
D. Allowing for the acceptance of risk for regulatory compliance requirements
Answer : A
91
```
Question No : 91 - Topic 1
Regulatory requirements typically force organizations to implement
A. Mandatory controls
B. Discretionary controls
C. Optional controls
D. Financial controls
```
Answer : A
92
```
Question No : 92 - Topic 1
You have implemented a new security control. Which of the following risk strategy options
have you engaged in?
A. Risk Avoidance
B. Risk Acceptance
C. Risk Transfer
D. Risk Mitigation
```
Answer : D
93
Question No : 93 - Topic 1
From an information security perspective, information that no longer supports the main
purpose of the business should be:
A. assessed by a business impact analysis.
B. protected under the information classification policy.
C. analyzed under the data ownership policy.
D. analyzed under the retention policy
Answer : D
94
Question No : 94 - Topic 1
What is the SECOND step to creating a risk management methodology according to the
National Institute of Standards and Technology (NIST) SP 800-30 standard?
A. Determine appetite
B. Evaluate risk avoidance criteria
C. Perform a risk assessment
D. Mitigate risk
Answer : D
95
Question No : 95 - Topic 1
The establishment of a formal risk management framework and system authorization
program is essential. The LAST step of the system authorization process is:
A. Contacting the Internet Service Provider for an IP scope
B. Getting authority to operate the system from executive management
C. Changing the default passwords
D. Conducting a final scan of the live system and mitigating all high and medium level vulnerabilities
Answer : B
96
Question No : 96 - Topic 1
Who is responsible for securing networks during a security incident?
A. Chief Information Security Officer (CISO)
B. Security Operations Center (SO
C. Disaster Recovery (DR) manager
D. Incident Response Team (IRT)
Answer : D
97
Question No : 97 - Topic 1
The exposure factor of a threat to your organization is defined by?
A. Asset value times exposure factor
B. Annual rate of occurrence
C. Annual loss expectancy minus current cost of controls
D. Percentage of loss experienced due to a realized threat event
Answer : D
98
Question No : 98 - Topic 2
Which of the following is considered to be an IT governance framework and a supporting
toolset that allows for managers to bridge the gap between control requirements, technical
issues, and business risks?
A. Control Objective for Information Technology (COBIT)
B. Committee of Sponsoring Organizations (COSO)
C. Payment Card Industry (PCI)
D. Information Technology Infrastructure Library (ITIL)
Answer : A
99
Question No : 99 - Topic 2
Which of the following represents the BEST reason for an organization to use the Control
Objectives for Information and Related Technology (COBIT) as an Information Technology
(IT) framework?
A. It allows executives to more effectively monitor IT implementation costs
B. Implementation of it eases an organization’s auditing and compliance burden
C. Information Security (IS) procedures often require augmentation with other standards
D. It provides for a consistent and repeatable staffing model for technology organizations
Answer : B
100
Question No : 100 - Topic 2
Which of the following are primary concerns for management with regard to assessing
internal control objectives?
A. Confidentiality, Availability, Integrity
B. Compliance, Effectiveness, Efficiency
C. Communication, Reliability, Cost
D. Confidentiality, Compliance, Cost
Answer : B
101
Question No : 101 - Topic 2
Which of the following activities must be completed BEFORE you can calculate risk?
A. Determining the likelihood that vulnerable systems will be attacked by specific threats
B. Calculating the risks to which assets are exposed in their current setting
C. Assigning a value to each information asset
D. Assessing the relative risk facing the organization’s information assets
Answer : C
102
Question No : 102 - Topic 2
Which of the following set of processes is considered to be one of the cornerstone cycles of
the International Organization for Standardization (ISO) 27001 standard?
A. Plan-Check-Do-Act
B. Plan-Do-Check-Act
C. Plan-Select-Implement-Evaluate
D. SCORE (Security Consensus Operational Readiness Evaluation)
Answer : B
103
Question No : 103 - Topic 2
Which of the following tests is an IS auditor performing when a sample of programs is
selected to determine if the source and object versions are the same?
A. A substantive test of program library controls
B. A compliance test of program library controls
C. A compliance test of the program compiler controls
D. A substantive test of the program compiler controls
Answer : B
104
Question No : 104 - Topic 2
The effectiveness of an audit is measured by?
A. The number of actionable items in the recommendations
B. How it exposes the risk tolerance of the company
C. How the recommendations directly support the goals of the company
D. The number of security controls the company has in use
Answer : C
105
Question No : 105 - Topic 2
Which of the following is the MOST effective way to measure the effectiveness of security
controls on a perimeter network?
A. Perform a vulnerability scan of the network
B. External penetration testing by a qualified third party
C. Internal Firewall ruleset reviews
D. Implement network intrusion prevention systems
Answer : B
106
Question No : 106 - Topic 2
Which of the following best describes the purpose of the International Organization for
Standardization (ISO) 27002 standard?
A. To give information security management recommendations to those who are responsible for initiating, implementing, or
maintaining security in their organization.
B. To provide a common basis for developing organizational security standards
C. To provide effective security management practice and to provide confidence in inter- organizational dealings
D. To established guidelines and general principles for initiating, implementing, maintaining, and improving information
security management within an organization
Answer : D
107
Question No : 107 - Topic 2
In MOST organizations which group periodically reviews network intrusion detection
system logs for all systems as part of their daily tasks?
A. Internal Audit
B. Database Administration
C. Information Security
D. Compliance
Answer : C
108
Question No : 108 - Topic 2
When measuring the effectiveness of an Information Security Management System which
one of the following would be MOST LIKELY used as a metric framework?
A. ISO 27001
B. PRINCE2
C. ISO 27004
D. ITILv3
Answer : C
109
Question No : 109 - Topic 2
The MOST common method to get an unbiased measurement of the effectiveness of an
Information Security Management System (ISMS) is to
A. assign the responsibility to the information security team.
B. assign the responsibility to the team responsible for the management of the controls.
C. create operational reports on the effectiveness of the controls.
D. perform an independent audit of the security controls.
Answer : D
110
```
Question No : 110 - Topic 2
Which of the following organizations is typically in charge of validating the implementation
and effectiveness of security controls?
A. Security Administrators
B. Internal/External Audit
C. Risk Management
D. Security Operations
```
Answer : B
111
Question No : 111 - Topic 2
The mean time to patch, number of virus outbreaks prevented, and number of
vulnerabilities mitigated are examples of what type of performance metrics?
A. Risk metrics
B. Management metrics
C. Operational metrics
D. Compliance metrics
Answer : C
112
Question No : 112 - Topic 2
You have implemented the new controls. What is the next step?
A. Document the process for the stakeholders
B. Monitor the effectiveness of the controls
C. Update the audit findings report
D. Perform a risk assessment
Answer : B
113
Question No : 113 - Topic 2
Creating a secondary authentication process for network access would be an example of?
A. Nonlinearities in physical security performance metrics
B. Defense in depth cost enumerated costs
C. System hardening and patching requirements
D. Anti-virus for mobile devices
Answer : A
114
Question No : 114 - Topic 2
A missing/ineffective security control is identified. Which of the following should be the
NEXT step?
A. Perform an audit to measure the control formally
B. Escalate the issue to the IT organization
C. Perform a risk assessment to measure risk
D. Establish Key Risk Indicators
Answer : C
115
Question No : 115 - Topic 2
An organization has implemented a change management process for all changes to the IT
production environment. This change management process follows best practices and is
expected to help stabilize the availability and integrity of the organizations IT environment.
Which of the following can be used to measure the effectiveness of this newly implemented
process:
A. Number of change orders rejected
B. Number and length of planned outages
C. Number of unplanned outages
D. Number of change orders processed
Answer : C
116
```
Question No : 116 - Topic 2
When working in the Payment Card Industry (PCI), how often should security logs be
review to comply with the standards?
A. Daily
B. Hourly
C. Weekly
D. Monthly
```
Answer : A
117
Question No : 117 - Topic 2
Which of the following is a benefit of a risk-based approach to audit planning?
A. Resources are allocated to the areas of the highest concern
B. Scheduling may be performed months in advance
C. Budgets are more likely to be met by the IT audit staff
D. Staff will be exposed to a variety of technologies
Answer : A
118
Question No : 118 - Topic 2
The executive board has requested that the CISO of an organization define and Key
Performance Indicators (KPI) to measure the effectiveness of the security awareness
program provided to call center employees. Which of the following can be used as a KPI?
A. Number of callers who report security issues.
B. Number of callers who report a lack of customer service from the call center
C. Number of successful social engineering attempts on the call center
D. Number of callers who abandon the call before speaking with a representative
Answer : C
119
Question No : 119 - Topic 2
When a CISO considers delaying or not remediating system vulnerabilities which of the
following are MOST important to take into account?
A. Threat Level, Risk of Compromise, and Consequences of Compromise
B. Risk Avoidance, Threat Level, and Consequences of Compromise
C. Risk Transfer, Reputational Impact, and Consequences of Compromise
D. Reputational Impact, Financial Impact, and Risk of Compromise
Answer : A
120
Question No : 120 - Topic 2
During the course of a risk analysis your IT auditor identified threats and potential impacts.
Next, your IT auditor should:
A. Identify and evaluate the existing controls.
B. Disclose the threats and impacts to management.
C. Identify information assets and the underlying systems.
D. Identify and assess the risk assessment process used by management.
Answer : A
121
Question No : 121 - Topic 2
When you develop your audit remediation plan what is the MOST important criteria?
A. To remediate half of the findings before the next audit.
B. To remediate all of the findings before the next audit.
C. To validate that the cost of the remediation is less than the risk of the finding.
D. To validate the remediation process with the auditor.
Answer : C
122
Question No : 122 - Topic 2
The implementation of anti-malware and anti-phishing controls on centralized email servers
is an example of what type of security control?
A. Organization control
B. Procedural control
C. Management control
D. Technical control
Answer : D
123
Question No : 123 - Topic 2
The effectiveness of social engineering penetration testing using phishing can be used as a
Key Performance Indicator (KPI) for the effectiveness of an organizations
A. Risk Management Program.
B. Anti-Spam controls.
C. Security Awareness Program.
D. Identity and Access Management Program.
Answer : C
124
Question No : 124 - Topic 2
When a critical vulnerability has been discovered on production systems and needs to be
fixed immediately, what is the BEST approach for a CISO to mitigate the vulnerability under
tight budget constraints?
A. Transfer financial resources from other critical programs
B. Take the system off line until the budget is available
C. Deploy countermeasures and compensating controls until the budget is available
D. Schedule an emergency meeting and request the funding to fix the issue
Answer : C
125
Question No : 125 - Topic 2
Which of the following activities is the MAIN purpose of the risk assessment process?
A. Creating an inventory of information assets
B. Classifying and organizing information assets into meaningful groups
C. Assigning value to each information asset
D. Calculating the risks to which assets are exposed in their current setting
Answer : D
126
Question No : 126 - Topic 2
Which of the following best represents a calculation for Annual Loss Expectancy (ALE)?
A. Single loss expectancy multiplied by the annual rate of occurrence
B. Total loss expectancy multiplied by the total loss frequency
C. Value of the asset multiplied by the loss expectancy
D. Replacement cost multiplied by the single loss expectancy
Answer : A
127
Question No : 127 - Topic 2
You are the Chief Information Security Officer of a large, multinational bank and you
suspect there is a flaw in a two factor authentication token management process. Which of
the following represents your BEST course of action?
A. Validate that security awareness program content includes information about the potential vulnerability
B. Conduct a thorough risk assessment against the current implementation to determine system functions
C. Determine program ownership to implement compensating controls
D. Send a report to executive peers and business unit owners detailing your suspicions
Answer : B
128
```
Question No : 128 - Topic 2
Which is the BEST solution to monitor, measure, and report changes to critical data in a
system?
A. Application logs
B. File integrity monitoring
C. SNMP traps
D. Syslog
```
Answer : B
129
Question No : 129 - Topic 2
An IT auditor has recently discovered that because of a shortage of skilled operations
personnel, the security administrator has agreed to work one late night shift a week as the
senior computer operator. The most appropriate course of action for the IT auditor is to:
A. Inform senior management of the risk involved.
B. Agree to work with the security officer on these shifts as a form of preventative control.
C. Develop a computer assisted audit technique to detect instances of abuses of the arrangement.
D. Review the system log for each of the late night shifts to determine whether any irregular actions occurred.
Answer : A
130
Question No : 130 - Topic 2
You work as a project manager for TYU project. You are planning for risk mitigation. You
need to quickly identify high-level risks that will need a more in-depth analysis. Which of the
following activities will help you in this?
A. Qualitative analysis
B. Quantitative analysis
C. Risk mitigation
D. Estimate activity duration
Answer : A
131
Question No : 131 - Topic 2
An information security department is required to remediate system vulnerabilities when
they are discovered. Please select the three primary remediation methods that can be used
on an affected system.
A. Install software patch, Operate system, Maintain system
B. Discover software, Remove affected software, Apply software patch
C. Install software patch, configuration adjustment, Software Removal
D. Software removal, install software patch, maintain system
Answer : C
132
Question No : 132 - Topic 2
With respect to the audit management process, management response serves what
function?
A. placing underperforming units on notice for failing to meet standards
B. determining whether or not resources will be allocated to remediate a finding
C. adding controls to ensure that proper oversight is achieved by management
D. revealing the root cause of the process failure and mitigating for all internal and external units
Answer : B
133
Question No : 133 - Topic 2
Which of the following reports should you as an IT auditor use to check on compliance with
a service level agreements requirement for uptime?
A. Systems logs
B. Hardware error reports
C. Utilization reports
D. Availability reports
Answer : D
134
Question No : 134 - Topic 2
The remediation of a specific audit finding is deemed too expensive and will not be
implemented. Which of the following is a TRUE statement?
A. The asset is more expensive than the remediation
B. The audit finding is incorrect
C. The asset being protected is less valuable than the remediation costs
D. The remediation costs are irrelevant; it must be implemented regardless of cost.
Answer : C
135
Question No : 135 - Topic 2
As the new CISO at the company you are reviewing the audit reporting process and notice
that it includes only detailed technical diagrams. What else should be in the reporting
process?
A. Executive summary
B. Penetration test agreement
C. Names and phone numbers of those who conducted the audit
D. Business charter
Answer : A
136
Question No : 136 - Topic 2
Control Objectives for Information and Related Technology (COBIT) is which of the
following?
A. An Information Security audit standard
B. An audit guideline for certifying secure systems and controls
C. A framework for Information Technology management and governance
D. A set of international regulations for Information Technology governance
Answer : C
137
Question No : 137 - Topic 2
An audit was conducted and many critical applications were found to have no disaster
recovery plans in place. You conduct a Business Impact Analysis (BIA) to determine impact
to the company for each application. What should be the NEXT step?
A. Determine the annual loss expectancy (ALE)
B. Create a crisis management plan
C. Create technology recovery plans
D. Build a secondary hot site
Answer : C
138
Question No : 138 - Topic 2
Which of the following is a term related to risk management that represents the estimated
frequency at which a threat is expected to transpire?
A. Single Loss Expectancy (SLE)
B. Exposure Factor (EF)
C. Annualized Rate of Occurrence (ARO)
D. Temporal Probability (TP)
Answer : C
139
Question No : 139 - Topic 2
Which represents PROPER separation of duties in the corporate environment?
A. Information Security and Identity Access Management teams perform two distinct functions
B. Developers and Network teams both have admin rights on servers
C. Finance has access to Human Resources data
D. Information Security and Network teams perform two distinct functions
Answer : D
140
Question No : 140 - Topic 2
Many times a CISO may have to speak to the Board of Directors (BOD) about their cyber
security posture. What would be the BEST choice of security metrics to present to the
BOD?
A. All vulnerabilities found on servers and desktops
B. Only critical and high vulnerabilities on servers and desktops
C. Only critical and high vulnerabilities that impact important production servers
D. All vulnerabilities that impact important production servers
Answer : C
141
Question No : 141 - Topic 2
A new CISO just started with a company and on the CISO's desk is the last complete
Information Security Management audit report. The audit report is over two years old. After
reading it, what should be the CISO's FIRST priority?
A. Have internal audit conduct another audit to see what has changed.
B. Contract with an external audit company to conduct an unbiased audit
C. Review the recommendations and follow up to see if audit implemented the changes
D. Meet with audit team to determine a timeline for corrections
Answer : C
142
Question No : 142 - Topic 2
IT control objectives are useful to IT auditors as they provide the basis for understanding
the:
A. Desired results or purpose of implementing specific control procedures.
B. The audit control checklist.
C. Techniques for securing information.
D. Security policy
Answer : A
143
```
Question No : 143 - Topic 2
The regular review of a firewall ruleset is considered a
A. Procedural control
B. Organization control
C. Technical control
D. Management control
```
Answer : A
144
Question No : 144 - Topic 2
Which of the following is the PRIMARY purpose of International Organization for
Standardization (ISO) 27001?
A. Use within an organization to formulate security requirements and objectives
B. Implementation of business-enabling information security
C. Use within an organization to ensure compliance with laws and regulations
D. To enable organizations that adopt it to obtain certifications
Answer : B
145
Question No : 145 - Topic 2
An organization is required to implement background checks on all employees with access
to databases containing credit card information. This is considered a security
A. Procedural control
B. Management control
C. Technical control
D. Administrative control
Answer : B
146
Question No : 146 - Topic 2
Dataflow diagrams are used by IT auditors to:
A. Order data hierarchically.
B. Highlight high-level data definitions.
C. Graphically summarize data paths and storage processes.
D. Portray step-by-step details of data generation.
Answer : C
147
Question No : 147 - Topic 2
The BEST organization to provide a comprehensive, independent and certifiable
perspective on established security controls in an environment is
A. Penetration testers
B. External Audit
C. Internal Audit
D. Forensic experts
Answer : B
148
Question No : 148 - Topic 2
An employee successfully avoids becoming a victim of a sophisticated spear phishing
attack due to knowledge gained through the corporate information security awareness
program. What type of control has been effectively utilized?
A. Management Control
B. Technical Control
C. Training Control
D. Operational Control
Answer : D
149
Question No : 149 - Topic 2
Assigning the role and responsibility of Information Assurance to a dedicated and
independent security group is an example of:
A. Detective Controls
B. Proactive Controls
C. Preemptive Controls
D. Organizational Controls
Answer : D
150
```
Question No : 150 - Topic 2
Which of the following is a fundamental component of an audit record?
A. Date and time of the event
B. Failure of the event
C. Originating IP-Address
D. Authentication type
```
Answer : A
151
Question No : 151 - Topic 2
As a new CISO at a large healthcare company you are told that everyone has to badge in
to get in the building. Below your office window you notice a door that is normally propped
open during the day for groups of people to take breaks outside. Upon looking closer you
see there is no badge reader. What should you do?
A. Nothing, this falls outside your area of influence.
B. Close and chain the door shut and send a company-wide memo banning the practice.
C. Have a risk assessment performed.
D. Post a guard at the door to maintain physical security
Answer : C
152
```
Question No : 152 - Topic 2
The amount of risk an organization is willing to accept in pursuit of its mission is known as
A. Risk mitigation
B. Risk transfer
C. Risk tolerance
D. Risk acceptance
```
Answer : C
153
Question No : 153 - Topic 2
A Chief Information Security Officer received a list of high, medium, and low impact audit
findings. Which of the following represents the BEST course of action?
A. If the findings impact regulatory compliance, try to apply remediation that will address the most findings for the least cost.
B. If the findings do not impact regulatory compliance, remediate only the high and medium risk findings.
C. If the findings impact regulatory compliance, remediate the high findings as quickly as possible.
D. If the findings do not impact regulatory compliance, review current security controls.
Answer : C
154
Question No : 154 - Topic 2
At which point should the identity access management team be notified of the termination
of an employee?
A. At the end of the day once the employee is off site
B. During the monthly review cycle
C. Immediately so the employee account(s) can be disabled
D. Before an audit
Answer : C
155
Question No : 155 - Topic 2
Which of the following is the MOST important reason to measure the effectiveness of an
Information Security Management System (ISMS)?
A. Meet regulatory compliance requirements
B. Better understand the threats and vulnerabilities affecting the environment
C. Better understand strengths and weaknesses of the program
D. Meet legal requirements
Answer : C
156
Question No : 156 - Topic 2
Your IT auditor is reviewing significant events from the previous year and has identified
some procedural oversights. Which of the following would be the MOST concerning?
A. Lack of notification to the public of disclosure of confidential information.
B. Lack of periodic examination of access rights
C. Failure to notify police of an attempted intrusion
D. Lack of reporting of a successful denial of service attack on the network.
Answer : A
157
Question No : 157 - Topic 2
Which of the following are necessary to formulate responses to external audit findings?
A. Internal Audit, Management, and Technical Staff
B. Internal Audit, Budget Authority, Management
C. Technical Staff, Budget Authority, Management
D. Technical Staff, Internal Audit, Budget Authority
Answer : C
158
Question No : 158 - Topic 2
Step-by-step procedures to regain normalcy in the event of a major earthquake is
PRIMARILY covered by which of the following plans?
A. Incident response plan
B. Business Continuity plan
C. Disaster recovery plan
D. Damage control plan
Answer : C
159
```
Question No : 159 - Topic 2
Which International Organization for Standardization (ISO) below BEST describes the
performance of risk management, and includes a five-stage risk management
methodology.
A. ISO 27001
B. ISO 27002
C. ISO 27004
D. ISO 27005
```
Answer : D
160
```
Question No : 160 - Topic 2
Which of the following activities results in change requests?
A. Preventive actions
B. Inspection
C. Defect repair
D. Corrective actions
```
Answer : A
161
Question No : 161 - Topic 2
Which of the following is the MOST important goal of risk management?
A. Identifying the risk
B. Finding economic balance between the impact of the risk and the cost of the control
C. Identifying the victim of any potential exploits.
D. Assessing the impact of potential threats
Answer : B
162
```
Question No : 162 - Topic 2
To have accurate and effective information security policies how often should the CISO
review the organization policies?
A. Every 6 months
B. Quarterly
C. Before an audit
D. At least once a year
```
Answer : D
163
Question No : 163 - Topic 2
The CIO of an organization has decided to assign the responsibility of internal IT audit to
the IT team. This is consider a bad practice MAINLY because
A. The IT team is not familiar in IT audit practices
B. This represents a bad implementation of the Least Privilege principle
C. This represents a conflict of interest
D. The IT team is not certified to perform audits
Answer : C
164
```
Question No : 164 - Topic 2
The patching and monitoring of systems on a consistent schedule is required by?
A. Local privacy laws
B. Industry best practices
C. Risk Management frameworks
D. Audit best practices
```
Answer : C
165
Question No : 165 - Topic 2
Creating good security metrics is essential for a CISO. What would be the BEST sources
for creating security metrics for baseline defenses coverage?
A. Servers, routers, switches, modem
B. Firewall, exchange, web server, intrusion detection system (IDS)
C. Firewall, anti-virus console, IDS, syslog
D. IDS, syslog, router, switches
Answer : C
166
Question No : 166 - Topic 2
Which of the following illustrates an operational control process:
A. Classifying an information system as part of a risk assessment
B. Installing an appropriate fire suppression system in the data center
C. Conducting an audit of the configuration management process
D. Establishing procurement standards for cloud vendors
Answer : B
167
Question No : 167 - Topic 2
Creating a secondary authentication process for network access would be an example of?
A. An administrator with too much time on their hands.
B. Putting undue time commitment on the system administrator.
C. Supporting the concept of layered security
D. Network segmentation.
Answer : C
168
```
Question No : 168 - Topic 2
Providing oversight of a comprehensive information security program for the entire
organization is the primary responsibility of which group under the InfoSec governance
framework?
A. Senior Executives
B. Office of the Auditor
C. Office of the General Counsel
D. All employees and users
```
Answer : A
169
```
Question No : 169 - Topic 2
How often should an environment be monitored for cyber threats, risks, and exposures?
A. Weekly
B. Monthly
C. Quarterly
D. Daily
```
Answer : D
170
```
Question No : 170 - Topic 2
The risk found after a control has been fully implemented is called:
A. Residual Risk
B. Total Risk
C. Post implementation risk
D. Transferred risk
```
Answer : A
171
Question No : 171 - Topic 2
A recent audit has identified a few control exceptions and is recommending the
implementation of technology and processes to address the finding. Which of the following
is the MOST likely reason for the organization to reject the implementation of the
recommended technology and processes?
A. The auditors have not followed proper auditing processes
B. The CIO of the organization disagrees with the finding
C. The risk tolerance of the organization permits this risk
D. The organization has purchased cyber insurance
Answer : C
172
Question No : 172 - Topic 2
Which of the following BEST describes an international standard framework that is based
on the security model Information TechnologyCode of Practice for Information Security
Management?
A. International Organization for Standardization 27001
B. National Institute of Standards and Technology Special Publication SP 800-12
C. Request For Comment 2196
D. National Institute of Standards and Technology Special Publication SP 800-26
Answer : A
173
Topic 3, Management Projects and Operations (Projects, Technology & Operations)
Question No : 173 - Topic 3
When should IT security project management be outsourced?
A. When organizational resources are limited
B. When the benefits of outsourcing outweigh the inherent risks of outsourcing
C. On new, enterprise-wide security initiatives
D. On projects not forecasted in the yearly budget
Answer : B
174
```
Question No : 174 - Topic 3
Which of the following is considered one of the most frequent failures in project
management?
A. Overly restrictive management
B. Excessive personnel on project
C. Failure to meet project deadlines
D. Insufficient resources
```
Answer : C
175
```
Question No : 175 - Topic 3
Which of the following methods are used to define contractual obligations that force a
vendor to meet customer expectations?
A. Terms and Conditions
B. Service Level Agreements (SLA)
C. Statement of Work
D. Key Performance Indicators (KPI)
```
Answer : B
176
Question No : 176 - Topic 3
Which of the following represents the best method of ensuring business unit alignment with
security program requirements?
A. Provide clear communication of security requirements throughout the organization
B. Demonstrate executive support with written mandates for security policy adherence
C. Create collaborative risk management approaches within the organization
D. Perform increased audits of security processes and procedures
Answer : C
177
Question No : 177 - Topic 3
Which of the following is MOST beneficial in determining an appropriate balance between
uncontrolled innovation and excessive caution in an organization?
A. Define the risk appetite
B. Determine budget constraints
C. Review project charters
D. Collaborate security projects
Answer : A
178
Question No : 178 - Topic 3
A CISO has recently joined an organization with a poorly implemented security program.
The desire is to base the security program on a risk management approach. Which of the
following is a foundational requirement in order to initiate this type of program?
A. A security organization that is adequately staffed to apply required mitigation strategies and regulatory compliance solutions
B. A clear set of security policies and procedures that are more concept-based than controls-based
C. A complete inventory of Information Technology assets including infrastructure, networks, applications and data
D. A clearly identified executive sponsor who will champion the effort to ensure organizational buy-in
Answer : D
179
Question No : 179 - Topic 3
When selecting a security solution with reoccurring maintenance costs after the first year
(choose the BEST answer):
A. The CISO should cut other essential programs to ensure the new solutions continued use
B. Communicate future operating costs to the CIO/CFO and seek commitment from them to ensure the new solutions continued
use
C. Defer selection until the market improves and cash flow is positive
D. Implement the solution and ask for the increased operating cost budget when it is time
Answer : B
180
Question No : 180 - Topic 3
An organization has a stated requirement to block certain traffic on networks. The
implementation of controls will disrupt a manufacturing process and cause unacceptable
delays, resulting in sever revenue disruptions. Which of the following is MOST likely to be
responsible for accepting the risk until mitigating controls can be implemented?
A. The CISO
B. Audit and Compliance
C. The CFO
D. The business owner
Answer : D
181
Question No : 181 - Topic 3
A CISO implements smart cards for credential management, and as a result has reduced
costs associated with help desk operations supporting password resets. This demonstrates
which of the following principles?
A. Security alignment to business goals
B. Regulatory compliance effectiveness
C. Increased security program presence
D. Proper organizational policy enforcement
Answer : A
182
```
Question No : 182 - Topic 3
Knowing the potential financial loss an organization is willing to suffer if a system fails is a
determination of which of the following?
A. Cost benefit
B. Risk appetite
C. Business continuity
D. Likelihood of impact
```
Answer : B
183
Question No : 183 - Topic 3
Which of the following functions evaluates risk present in IT initiatives and/or systems when
implementing an information security program?
A. Risk Management
B. Risk Assessment
C. System Testing
D. Vulnerability Assessment
Answer : B
184
```
Question No : 184 - Topic 3
Risk appetite is typically determined by which of the following organizational functions?
A. Security
B. Business units
C. Board of Directors
D. Audit and compliance
```
Answer : B
185
Question No : 185 - Topic 3
Which of the following can the company implement in order to avoid this type of security
issue in the future?
A. Network based intrusion detection systems
B. A security training program for developers
C. A risk management process
D. A audit management process
Answer : B
186
Question No : 186 - Topic 3
To get an Information Security project back on schedule, which of the following will provide
the MOST help?
A. Upper management support
B. More frequent project milestone meetings
C. Stakeholder support
D. Extend work hours
Answer : A
187
Question No : 187 - Topic 3
An application vulnerability assessment has identified a security flaw in an application. This
is a flaw that was previously identified and remediated on a prior release of the application.
Which of the following is MOST likely the reason for this recurring issue?
A. Ineffective configuration management controls
B. Lack of change management controls
C. Lack of version/source controls
D. High turnover in the application development department
Answer : C
188
Question No : 188 - Topic 3
Which of the following best summarizes the primary goal of a security program?
A. Provide security reporting to all levels of an organization
B. Create effective security awareness to employees
C. Manage risk within the organization
D. Assure regulatory compliance
Answer : C
189
Question No : 189 - Topic 3
An international organization is planning a project to implement encryption technologies to
protect company confidential information. This organization has data centers on three
continents. Which of the following would be considered a MAJOR constraint for the
project?
A. Time zone differences
B. Compliance to local hiring laws
C. Encryption import/export regulations
D. Local customer privacy laws
Answer : C
190
Question No : 190 - Topic 3
When considering using a vendor to help support your security devices remotely, what is
the BEST choice for allowing access?
A. Vendors uses their own laptop and logins with same admin credentials your security team uses
B. Vendor uses a company supplied laptop and logins using two factor authentication with same admin credentials your security
team uses
C. Vendor uses a company supplied laptop and logins using two factor authentication with their own unique credentials
D. Vendor uses their own laptop and logins using two factor authentication with their own unique credentials
Answer : C
191
```
Question No : 191 - Topic 3
Your incident response plan should include which of the following?
A. Procedures for litigation
B. Procedures for reclamation
C. Procedures for classification
D. Procedures for charge-back
```
Answer : C
192
Question No : 192 - Topic 3
Which one of the following BEST describes which member of the management team is
accountable for the day-to-day operation of the information security program?
A. Security administrators
B. Security mangers
C. Security technicians
D. Security analysts
Answer : B
193
```
Question No : 193 - Topic 3
How often should the Statements of Standards for Attestation Engagements-16
(SSAE16)/International Standard on Assurance Engagements 3402 (ISAE3402) report of
your vendors be reviewed?
A. Quarterly
B. Semi-annually
C. Bi-annually
D. Annually
```
Answer : D
194
Question No : 194 - Topic 3
Acme Inc. has engaged a third party vendor to provide 99.999% up-time for their online
web presence and had them contractually agree to this service level agreement. What type
of risk tolerance is Acme exhibiting? (choose the BEST answer):
A. low risk-tolerance
B. high risk-tolerance
C. moderate risk-tolerance
D. medium-high risk-tolerance
Answer : A
195
Question No : 195 - Topic 3
A newly appointed security officer finds data leakage software licenses that had never been
used. The officer decides to implement a project to ensure it gets installed, but the project
gets a great deal of resistance across the organization. Which of the following represents
the MOST likely reason for this situation?
A. The software license expiration is probably out of synchronization with other software licenses
B. The project was initiated without an effort to get support from impacted business units in the organization
C. The software is out of date and does not provide for a scalable solution across the enterprise
D. The security officer should allow time for the organization to get accustomed to her presence before initiating security
projects
Answer : B
196
Question No : 196 - Topic 3
A stakeholder is a person or group:
A. Vested in the success and/or failure of a project or initiative regardless of budget implications.
B. Vested in the success and/or failure of a project or initiative and is tied to the project budget.
C. That has budget authority.
D. That will ultimately use the system.
Answer : A
197
```
Question No : 197 - Topic 3
This occurs when the quantity or quality of project deliverables is expanded from the
original project plan.
A. Scope creep
B. Deadline extension
C. Scope modification
D. Deliverable expansion
```
Answer : A
198
```
Question No : 198 - Topic 3
As the CISO for your company you are accountable for the protection of information
resources commensurate with:
A. Customer demand
B. Cost and time to replace
C. Insurability tables
D. Risk of exposure
```
Answer : D
199
Question No : 199 - Topic 3
Which of the following methodologies references the recommended industry standard that
Information security project managers should follow?
A. The Security Systems Development Life Cycle
B. The Security Project And Management Methodology
C. Project Management System Methodology
D. Project Management Body of Knowledge
Answer : D
200
```
Question No : 200 - Topic 3
In effort to save your company money which of the following methods of training results in
the lowest cost for the organization?
A. Distance learning/Web seminars
B. Formal Class
C. One-One Training
D. Self –Study (noncomputerized)
```
Answer : D
201
Question No : 201 - Topic 3
Your company has a no right to privacy notice on all logon screens for your information
systems and users sign an Acceptable Use Policy informing them of this condition. A peer
group member and friend comes to you and requests access to one of her employees
email account. What should you do? (choose the BEST answer):
A. Grant her access, the employee has been adequately warned through the AUP.
B. Assist her with the request, but only after her supervisor signs off on the action.
C. Reset the employee’s password and give it to the supervisor.
D. Deny the request citing national privacy laws.
Answer : B
202
Question No : 202 - Topic 3
A system was hardened at the Operating System level and placed into the production
environment. Months later an audit was performed and it identified insecure configuration
different from the original hardened state. Which of the following security issues is the
MOST likely reason leading to the audit findings?
A. Lack of asset management processes
B. Lack of change management processes
C. Lack of hardening standards
D. Lack of proper access controls
Answer : B
203
Question No : 203 - Topic 3
Which of the following is a major benefit of applying risk levels?
A. Risk management governance becomes easier since most risks remain low once mitigated
B. Resources are not wasted on risks that are already managed to an acceptable level
C. Risk budgets are more easily managed due to fewer identified risks as a result of using a methodology
D. Risk appetite can increase within the organization once the levels are understood
Answer : B
204
Question No : 204 - Topic 3
When entering into a third party vendor agreement for security services, at what point in the
process is it BEST to understand and validate the security posture and compliance level of
the vendor?
A. At the time the security services are being performed and the vendor needs access to the network
B. Once the agreement has been signed and the security vendor states that they will need access to the network
C. Once the vendor is on premise and before they perform security services
D. Prior to signing the agreement and before any security services are being performed
Answer : D
205
Question No : 205 - Topic 3
Which of the following is considered a project versus a managed process?
A. monitoring external and internal environment during incident response
B. ongoing risk assessments of routine operations
C. continuous vulnerability assessment and vulnerability repair
D. installation of a new firewall system
Answer : D
206
Question No : 206 - Topic 3
You currently cannot provide for 24/7 coverage of your security monitoring and incident
response duties and your company is resistant to the idea of adding more full-time
employees to the payroll. Which combination of solutions would help to provide the
coverage needed without the addition of more dedicated staff? (choose the best answer):
A. Deploy a SEIM solution and have current staff review incidents first thing in the morning
B. Contract with a managed security provider and have current staff on recall for incident response
C. Configure your syslog to send SMS messages to current staff when target events are triggered
D. Employ an assumption of breach protocol and defend only essential information resources
Answer : B
207
Question No : 207 - Topic 3
When managing the critical path of an IT security project, which of the following is MOST
important?
A. Knowing who all the stakeholders are.
B. Knowing the people on the data center team.
C. Knowing the threats to the organization.
D. Knowing the milestones and timelines of deliverables.
Answer : D
208
Question No : 208 - Topic 3
The ultimate goal of an IT security projects is:
A. Increase stock value
B. Complete security
C. Support business requirements
D. Implement information security policies
Answer : C
209
Question No : 209 - Topic 3
Information Security is often considered an excessive, after-the-fact cost when a project or
initiative is completed. What can be done to ensure that security is addressed cost
effectively?
A. User awareness training for all employees
B. Installation of new firewalls and intrusion detection systems
C. Launch an internal awareness campaign
D. Integrate security requirements into project inception
Answer : D
210
Question No : 210 - Topic 3
A severe security threat has been detected on your corporate network. As CISO you
quickly assemble key members of the Information Technology team and business
operations to determine a modification to security controls in response to the threat. This is
an example of:
A. Change management
B. Business continuity planning
C. Security Incident Response
D. Thought leadership
Answer : C
211
Question No : 211 - Topic 3
Which of the following represents the BEST method of ensuring security program
alignment to business needs?
A. Create a comprehensive security awareness program and provide success metrics to business units
B. Create security consortiums, such as strategic security planning groups, that include business unit participation
C. Ensure security implementations include business unit testing and functional validation prior to production rollout
D. Ensure the organization has strong executive-level security representation through clear sponsorship or the creation of a
CISO role
Answer : B
212
Question No : 212 - Topic 3
The company decides to release the application without remediating the high-risk
vulnerabilities. Which of the following is the MOST likely reason for the company to release
the application?
A. The company lacks a risk management process
B. The company does not believe the security vulnerabilities to be real
C. The company has a high risk tolerance
D. The company lacks the tools to perform a vulnerability assessment
Answer : C
213
Question No : 213 - Topic 3
When operating under severe budget constraints a CISO will have to be creative to
maintain a strong security organization. Which example below is the MOST creative way to
maintain a strong security posture during these difficult times?
A. Download open source security tools and deploy them on your production network
B. Download trial versions of commercially available security tools and deploy on your production network
C. Download open source security tools from a trusted site, test, and then deploy on production network
D. Download security tools from a trusted source and deploy to production network
Answer : C
214
Question No : 214 - Topic 3
A department within your company has proposed a third party vendor solution to address
an urgent, critical business need. As the CISO you have been asked to accelerate
screening of their security control claims. Which of the following vendor provided
documents is BEST to make your decision:
A. Vendor’s client list of reputable organizations currently using their solution
B. Vendor provided attestation of the detailed security controls from a reputable accounting firm
C. Vendor provided reference from an existing reputable client detailing their implementation
D. Vendor provided internal risk assessment and security control documentation
Answer : B
215
Question No : 215 - Topic 3
Which of the following functions implements and oversees the use of controls to reduce risk
when creating an information security program?
A. Risk Assessment
B. Incident Response
C. Risk Management
D. Network Security administration
Answer : C
216
Question No : 216 - Topic 3
A CISO decides to analyze the IT infrastructure to ensure security solutions adhere to the
concepts of how hardware and software is implemented and managed within the
organization. Which of the following principles does this best demonstrate?
A. Alignment with the business
B. Effective use of existing technologies
C. Leveraging existing implementations
D. Proper budget management
Answer : A
217
Question No : 217 - Topic 3
Which of the following will be MOST helpful for getting an Information Security project that
is behind schedule back on schedule?
A. Upper management support
B. More frequent project milestone meetings
C. More training of staff members
D. Involve internal audit
Answer : A
218
Question No : 218 - Topic 3
When gathering security requirements for an automated business process improvement
program, which of the following is MOST important?
A. Type of data contained in the process/system
B. Type of connection/protocol used to transfer the data
C. Type of encryption required for the data once it is at rest
D. Type of computer the data is processed on
Answer : A
219
Question No : 219 - Topic 3
The Security Operations Center (SOC) just purchased a new intrusion prevention system
(IPS) that needs to be deployed in-line for best defense. The IT group is concerned about
putting the new IPS in-line because it might negatively impact network availability. What
would be the BEST approach for the CISO to reassure the IT group?
A. Work with the IT group and tell them to put IPS in-line and say it wont cause any network impact
B. Explain to the IT group that the IPS wont cause any network impact because it will fail open
C. Explain to the IT group that this is a business need and the IPS will fail open however, if there is a network failure the CISO
will accept responsibility
D. Explain to the IT group that the IPS will fail open once in-line however it will be deployed in monitor mode for a set period of
time to ensure that it doesnt block any legitimate traffic
Answer : D
220
```
Question No : 220 - Topic 3
Which of the following information may be found in table top exercises for incident
response?
A. Security budget augmentation
B. Process improvements
C. Real-time to remediate
D. Security control selection
```
Answer : B
221
Question No : 221 - Topic 3
A CISO decides to analyze the IT infrastructure to ensure security solutions adhere to the
concepts of how hardware and software is implemented and managed within the
organization. Which of the following principles does this best demonstrate?
A. Alignment with the business
B. Effective use of existing technologies
C. Leveraging existing implementations
D. Proper budget management
Answer : A
222
Question No : 222 - Topic 3
A person in your security team calls you at night and informs you that one of your web
applications is potentially under attack from a cross-site scripting vulnerability. What do you
do?
A. tell him to shut down the server
B. tell him to call the police
C. tell him to invoke the incident response process
D. tell him to analyze the problem, preserve the evidence and provide a full analysis and report
Answer : C
223
Question No : 223 - Topic 3
When is an application security development project complete?
A. When the application is retired.
B. When the application turned over to production.
C. When the application reaches the maintenance phase.
D. After one year.
Answer : A
224
Question No : 224 - Topic 3
Which of the following is critical in creating a security program aligned with an
organizations goals?
A. Ensure security budgets enable technical acquisition and resource allocation based on internal compliance requirements
B. Develop a culture in which users, managers and IT professionals all make good decisions about information risk
C. Provide clear communication of security program support requirements and audit schedules
D. Create security awareness programs that include clear definition of security program goals and charters
Answer : B
225
```
Question No : 225 - Topic 3
Which of the following functions evaluates patches used to close software vulnerabilities of
new systems to assure compliance with policy when implementing an information security
program?
A. System testing
B. Risk assessment
C. Incident response
D. Planning
```
Answer : A
226
```
Question No : 226 - Topic 3
Which of the following is the MOST important component of any change management
process?
A. Scheduling
B. Back-out procedures
C. Outage planning
D. Management approval
```
Answer : D
227
Question No : 227 - Topic 3
The security team has investigated the theft/loss of several unencrypted laptop computers
containing sensitive corporate information. To prevent the loss of any additional corporate
data it is unilaterally decided by the CISO that all existing and future laptop computers will
be encrypted. Soon, the help desk is flooded with complaints about the slow performance
of the laptops and users are upset. What did the CISO do wrong? (choose the BEST
answer):
A. Failed to identify all stakeholders and their needs
B. Deployed the encryption solution in an inadequate manner
C. Used 1024 bit encryption when 256 bit would have sufficed
D. Used hardware encryption instead of software encryption
Answer : A
228
Question No : 228 - Topic 3
You are the CISO of a commercial social media organization. The leadership wants to
rapidly create new methods of sharing customer data through creative linkages with mobile
devices. You have voiced concern about privacy regulations but the velocity of the
business is given priority. Which of the following BEST describes this organization?
A. Risk averse
B. Risk tolerant
C. Risk conditional
D. Risk minimal
Answer : B
229
Question No : 229 - Topic 3
An example of professional unethical behavior is:
A. Gaining access to an affiliated employees work email account as part of an officially sanctioned internal investigation
B. Sharing copyrighted material with other members of a professional organization where all members have legitimate access to
the material
C. Copying documents from an employers server which you assert that you have an intellectual property claim to possess, but the
company disputes
D. Storing client lists and other sensitive corporate internal documents on a removable thumb drive
Answer : C
230
Question No : 230 - Topic 3
Which of the following represents the BEST method for obtaining business unit acceptance
of security controls within an organization?
A. Allow the business units to decide which controls apply to their systems, such as the encryption of sensitive data
B. Create separate controls for the business units based on the types of business and functions they perform
C. Ensure business units are involved in the creation of controls and defining conditions under which they must be applied
D. Provide the business units with control mandates and schedules of audits for compliance validation
Answer : C
231
Question No : 231 - Topic 3
You manage a newly created Security Operations Center (SOC), your team is being
inundated with security alerts and dont know what to do. What is the BEST approach to
handle this situation?
A. Tell the team to do their best and respond to each alert
B. Tune the sensors to help reduce false positives so the team can react better
C. Request additional resources to handle the workload
D. Tell the team to only respond to the critical and high alerts
Answer : B
232
```
Question No : 232 - Topic 3
The organization does not have the time to remediate the vulnerability; however it is critical
to release the application. Which of the following needs to be further evaluated to help
mitigate the risks?
A. Provide developer security training
B. Deploy Intrusion Detection Systems
C. Provide security testing tools
D. Implement Compensating Controls
```
Answer : D
233
```
Question No : 233 - Topic 3
Which business stakeholder is accountable for the integrity of a new information system?
A. CISO
B. Compliance Officer
C. Project manager
D. Board of directors
```
Answer : A
234
Question No : 234 - Topic 3
In order for a CISO to have true situational awareness there is a need to deploy technology
that can give a real-time view of security events across the enterprise. Which tool selection
represents the BEST choice to achieve situational awareness?
A. Vmware, router, switch, firewall, syslog, vulnerability management system (VMS)
B. Intrusion Detection System (IDS), firewall, switch, syslog
C. Security Incident Event Management (SIEM), IDS, router, syslog
D. SIEM, IDS, firewall, VMS
Answer : D
235
```
Question No : 235 - Topic 3
How often should the SSAE16 report of your vendors be reviewed?
A. Quarterly
B. Semi-annually
C. Annually
D. Bi-annually
```
Answer : C
236
```
Question No : 236 - Topic 3
Which of the following are not stakeholders of IT security projects?
A. Board of directors
B. Third party vendors
C. CISO
D. Help Desk
```
Answer : B
237
Question No : 237 - Topic 3
Which of the following is the BEST indicator of a successful project?
A. it is completed on time or early as compared to the baseline project plan
B. it meets most of the specifications as outlined in the approved project definition
C. it comes in at or below the expenditures planned for in the baseline budget
D. the deliverables are accepted by the key stakeholders
Answer : D
238
Question No : 239 - Topic 3
What oversight should the information security team have in the change management
process for application security?
A. Information security should be informed of changes to applications only
B. Development team should tell the information security team about any application security flaws
C. Information security should be aware of any significant application security changes and work with developer to test for
vulnerabilities before changes are deployed in production
D. Information security should be aware of all application changes and work with developers before changes are deployed in
production
Answer : C
239
Question No : 240 - Topic 3
A CISO sees abnormally high volumes of exceptions to security requirements and constant
pressure from business units to change security processes. Which of the following
represents the MOST LIKELY cause of this situation?
A. Poor audit support for the security program
B. A lack of executive presence within the security program
C. Poor alignment of the security program to business needs
D. This is normal since business units typically resist security requirements
Answer : C
240
Topic 4, Information Security Core Competencies
Question No : 241 - Topic 4
Which of the following statements about Encapsulating Security Payload (ESP) is true?
A. It is an IPSec protocol.
B. It is a text-based communication protocol.
C. It uses TCP port 22 as the default port and operates at the application layer.
D. It uses UDP port 22
Answer : A
241
Question No : 242 - Topic 4
The ability to hold intruders accountable in a court of law is important. Which of the
following activities are needed to ensure the highest possibility for successful prosecution?
A. Well established and defined digital forensics process
B. Establishing Enterprise-owned Botnets for preemptive attacks
C. Be able to retaliate under the framework of Active Defense
D. Collaboration with law enforcement
Answer : A
242
```
Question No : 243 - Topic 4
Which of the following is a countermeasure to prevent unauthorized database access from
web applications?
A. Session encryption
B. Removing all stored procedures
C. Input sanitization
D. Library control
```
Answer : C
243
Question No : 238 - Topic 3
A recommended method to document the respective roles of groups and individuals for a
given process is to:
A. Develop a detailed internal organization chart
B. Develop a telephone call tree for emergency response
C. Develop an isolinear response matrix with cost benefit analysis projections
D. Develop a Responsible, Accountable, Consulted, Informed (RACI) chart
Answer : D
244
```
Question No : 244 - Topic 4
Security related breaches are assessed and contained through which of the following?
A. The IT support team.
B. A forensic analysis.
C. Incident response
D. Physical security team.
```
Answer : C
245
Question No : 245 - Topic 4
Your penetration testing team installs an in-line hardware key logger onto one of your
network machines. Which of the following is of major concern to the security organization?
A. In-line hardware keyloggers don’t require physical access
B. In-line hardware keyloggers don’t comply to industry regulations
C. In-line hardware keyloggers are undetectable by software
D. In-line hardware keyloggers are relatively inexpensive
Answer : C
246
Question No : 246 - Topic 4
Which of the following is the MAIN security concern for public cloud computing?
A. Unable to control physical access to the servers
B. Unable to track log on activity
C. Unable to run anti-virus scans
D. Unable to patch systems as needed
Answer : A
247
Question No : 247 - Topic 4
Your organization provides open guest wireless access with no captive portals. What can
you do to assist with law enforcement investigations if one of your guests is suspected of
committing an illegal act using your network?
A. Configure logging on each access point
B. Install a firewall software on each wireless access point.
C. Provide IP and MAC address
D. Disable SSID Broadcast and enable MAC address filtering on all wireless access points.
Answer : C
248
Question No : 248 - Topic 4
A customer of a bank has placed a dispute on a payment for a credit card account. The
banking system uses digital signatures to safeguard the integrity of their transactions. The
bank claims that the system shows proof that the customer in fact made the payment. What
is this system capability commonly known as?
A. non-repudiation
B. conflict resolution
C. strong authentication
D. digital rights management
Answer : A
249
Question No : 249 - Topic 4 The process of identifying and classifying assets is typically included in the
A. Threat analysis process
B. Asset configuration management process
C. Business Impact Analysis
D. Disaster Recovery plan
Answer : C
250
Question No : 250 - Topic 4
The general ledger setup function in an enterprise resource package allows for setting
accounting periods. Access to this function has been permitted to users in finance, the
shipping department, and production scheduling. What is the most likely reason for such
broad access?
A. The need to change accounting periods on a regular basis.
B. The requirement to post entries for a closed accounting period.
C. The need to create and modify the chart of accounts and its allocations.
D. The lack of policies and procedures for the proper segregation of duties.
Answer : D
251
Question No : 251 - Topic 4
You are having a penetration test done on your company network and the leader of the
team says they discovered all the network devices because no one had changed the
Simple Network Management Protocol (SNMP) community strings from the defaults. Which
of the following is a default community string?
A. Execute
B. Read
C. Administrator
D. Public
Answer : D
252
```
Question No : 252 - Topic 4
What is the FIRST step in developing the vulnerability management program?
A. Baseline the Environment
B. Maintain and Monitor
C. Organization Vulnerability
D. Define Policy
```
Answer : A
253
```
Question No : 253 - Topic 4
SQL injection is a very popular and successful injection attack method. Identify the basic
SQL injection text:
A. ‘ o 1=1 - -
B. /../../../../
C. “DROPTABLE USERNAME”
D. NOPS
```
Answer : A
254
Question No : 254 - Topic 4
While designing a secondary data center for your company what document needs to be
analyzed to determine to how much should be spent on building the data center?
A. Enterprise Risk Assessment
B. Disaster recovery strategic plan
C. Business continuity plan
D. Application mapping document
Answer : B
255
Question No : 255 - Topic 4
The process of creating a system which divides documents based on their security level to
manage access to private data is known as
A. security coding
B. data security system
C. data classification
D. privacy protection
Answer : C
256
Question No : 256 - Topic 4
One of your executives needs to send an important and confidential email. You want to
ensure that the message cannot be read by anyone but the recipient. Which of the
following keys should be used to encrypt the message?
A. Your public key
B. The recipient's private key
C. The recipient's public key
D. Certificate authority key
Answer : C
257
```
Question No : 257 - Topic 4
The process for identifying, collecting, and producing digital information in support of legal
proceedings is called
A. chain of custody.
B. electronic discovery.
C. evidence tampering.
D. electronic review.
```
Answer : B
258
```
Question No : 258 - Topic 4
An anonymity network is a series of?
A. Covert government networks
B. War driving maps
C. Government networks in Tora
D. Virtual network tunnels
```
Answer : D
259
Question No : 259 - Topic 4
Network Forensics is the prerequisite for any successful legal action after attacks on your
Enterprise Network. Which is the single most important factor to introducing digital
evidence into a court of law?
A. Comprehensive Log-Files from all servers and network devices affected during the attack
B. Fully trained network forensic experts to analyze all data right after the attack
C. Uninterrupted Chain of Custody
D. Expert forensics witness
Answer : C
260
```
Question No : 260 - Topic 4
Which of the following is a symmetric encryption algorithm?
A. 3DES
B. MD5
C. ECC
D. RSA
```
Answer : A
261
```
Question No : 261 - Topic 4
What type of attack requires the least amount of technical equipment and has the highest
success rate?
A. War driving
B. Operating system attacks
C. Social engineering
D. Shrink wrap attack
```
Answer : C
262
Question No : 262 - Topic 4
Physical security measures typically include which of the following components?
A. Physical, Technical, Operational
B. Technical, Strong Password, Operational
C. Operational, Biometric, Physical
D. Strong password, Biometric, Common Access Card
Answer : A
263
Question No : 263 - Topic 4
Your incident handling manager detects a virus attack in the network of your company. You
develop a signature based on the characteristics of the detected virus. Which of the
following phases in the incident handling process will utilize the signature to resolve this
incident?
A. Containment
B. Recovery
C. Identification
D. Eradication
Answer : D
264
```
Question No : 264 - Topic 4
Which of the following backup sites takes the longest recovery time?
A. Cold site
B. Hot site
C. Warm site
D. Mobile backup site
```
Answer : A
265
Question No : 265 – Topic 4
An access point (AP) is discovered using Wireless Equivalent Protocol (WEP). The
ciphertext sent by the AP is encrypted with the same key and cipher used by its stations.
What authentication method is being used?
A. Shared key
B. Asynchronous
C. Open
D. None
Answer : A
266
```
Question No : 266 - Topic 4
As a CISO you need to understand the steps that are used to perform an attack against a
network. Put each step into the correct order.
1.Covering tracks
2.Scanning and enumeration
3.Maintaining Access
4.Reconnaissance
5.Gaining Access
A. 4, 2, 5, 3, 1
B. 2, 5, 3, 1, 4
C. 4, 5, 2, 3, 1
D. 4, 3, 5, 2, 1
```
Answer : A
267
Question No : 267 - Topic 4
In terms of supporting a forensic investigation, it is now imperative that managers, firstresponders,
etc., accomplish the following actions to the computer under investigation:
A. Secure the area and shut-down the computer until investigators arrive
B. Secure the area and attempt to maintain power until investigators arrive
C. Immediately place hard drive and other components in an anti-static bag
D. Secure the area.
Answer : B
268
```
Question No : 268 - Topic 4
Which of the following is MOST important when tuning an Intrusion Detection System
(IDS)?
A. Trusted and untrusted networks
B. Type of authentication
C. Storage encryption
D. Log retention
```
Answer : A
269
Question No : 269 - Topic 4
What is the term describing the act of inspecting all real-time Internet traffic (i.e., packets)
traversing a major Internet backbone without introducing any apparent latency?
A. Traffic Analysis
B. Deep-Packet inspection
C. Packet sampling
D. Heuristic analysis
Answer : B
270
Question No : 270 - Topic 4
Which wireless encryption technology makes use of temporal keys?
A. Wireless Application Protocol (WAP)
B. Wifi Protected Access version 2 (WPA2)
C. Wireless Equivalence Protocol (WEP)
D. Extensible Authentication Protocol (EAP)
Answer : B
271
Topic 5, Strategic Planning & Finance.
Question No : 271 - Topic 5
Scenario: Your corporate systems have been under constant probing and attack from
foreign IP addresses for more than a week. Your security team and security infrastructure
have performed well under the stress. You are confident that your defenses have held up
under the test, but rumors are spreading that sensitive customer data has been stolen and
is now being sold on the Internet by criminal elements. During your investigation of the
rumored compromise you discover that data has been breached and you have discovered
the repository of stolen data on a server located in a foreign country. Your team now has
full access to the data on the foreign server.
Your defenses did not hold up to the test as originally thought. As you investigate how the
data was compromised through log analysis you discover that a hardworking, but
misguided business intelligence analyst posted the data to an obfuscated URL on a
popular cloud storage service so they could work on it from home during their off-time.
Which technology or solution could you deploy to prevent employees from removing
corporate data from your network? Choose the BEST answer.
A. Security Guards posted outside the Data Center
B. Data Loss Prevention (DLP)
C. Rigorous syslog reviews
D. Intrusion Detection Systems (IDS)
Answer : B
272
Question No : 272 - Topic 5
Scenario: An organization has made a decision to address Information Security formally
and consistently by adopting established best practices and industry standards. The
organization is a small retail merchant but it is expected to grow to a global customer base
of many millions of customers in just a few years.
Which of the following would be the FIRST step when addressing Information Security
formally and consistently in this organization?
A. Contract a third party to perform a security risk assessment
B. Define formal roles and responsibilities for Internal audit functions
C. Define formal roles and responsibilities for Information Security
D. Create an executive security steering committee
Answer : C
273
Question No : 273 - Topic 5
The rate of change in technology increases the importance of:
A. Outsourcing the IT functions.
B. Understanding user requirements.
C. Hiring personnel with leading edge skills.
D. Implementing and enforcing good processes.
Answer : D
274
When analyzing and forecasting a capital expense budget what are not included?
A. Network connectivity costs
B. New datacenter to operate from
C. Upgrade of mainframe
D. Purchase of new mobile devices to improve operations
Answer : A
275
Question No : 275 - Topic 5
Scenario: You are the CISO and have just completed your first risk assessment for your
organization. You find many risks with no security controls, and some risks with inadequate
controls. You assign work to your staff to create or adjust existing security controls to
ensure they are adequate for risk mitigation needs.
You have identified potential solutions for all of your risks that do not have security controls.
What is the NEXT step?
A. Get approval from the board of directors
B. Screen potential vendor solutions
C. Verify that the cost of mitigation is less than the risk
D. Create a risk metrics for all unmitigated risks
Answer : C
276
Question No : 276 - Topic 5
SCENARIO: A Chief Information Security Officer (CISO) recently had a third party conduct
an audit of the security program. Internal policies and international standards were used as
audit baselines. The audit report was presented to the CISO and a variety of high, medium
and low rated gaps were identified.
The CISO has implemented remediation activities. Which of the following is the MOST
logical next step?
A. Validate the effectiveness of applied controls
B. Validate security program resource requirements
C. Report the audit findings and remediation status to business stake holders
D. Review security procedures to determine if they need modified according to findings
Answer : A
277
Question No : 277 - Topic 5
Scenario: You are the CISO and have just completed your first risk assessment for your
organization. You find many risks with no security controls, and some risks with inadequate
controls. You assign work to your staff to create or adjust existing security controls to
ensure they are adequate for risk mitigation needs.
When adjusting the controls to mitigate the risks, how often should the CISO perform an
audit to verify the controls?
A. Annually
B. Semi-annually
C. Quarterly
D. Never
Answer : D
278
Question No : 278 - Topic 5
SCENARIO: Critical servers show signs of erratic behavior within your organizations
intranet. Initial information indicates the systems are under attack from an outside entity. As
the Chief Information Security Officer (CISO), you decide to deploy the Incident Response
Team (IRT) to determine the details of this incident and take action according to the
information available to the team.
What phase of the response provides measures to reduce the likelihood of an incident from
recurring?
A. Response
B. Investigation
C. Recovery
D. Follow-up
Answer : D
279
Question No : 279 - Topic 5
Scenario: An organization has made a decision to address Information Security formally
and consistently by adopting established best practices and industry standards. The
organization is a small retail merchant but it is expected to grow to a global customer base
of many millions of customers in just a few years.
The organization has already been subject to a significant amount of credit card fraud.
Which of the following is the MOST likely reason for this fraud?
A. Lack of compliance to the Payment Card Industry (PCI) standards
B. Ineffective security awareness program
C. Security practices not in alignment with ISO 27000 frameworks
D. Lack of technical controls when dealing with credit card data
Answer : A
280
```
Question No : 280 - Topic 5
When analyzing and forecasting an operating expense budget what are not included?
A. Software and hardware license fees
B. Utilities and power costs
C. Network connectivity costs
D. New datacenter to operate from
```
Answer : D
281
Question No : 281 - Topic 5
Scenario: Your organization employs single sign-on (user name and password only) as a
convenience to your employees to access organizational systems and data. Permission to
individual systems and databases is vetted and approved through supervisors and data
owners to ensure that only approved personnel can use particular applications or retrieve
information. All employees have access to their own human resource information, including
the ability to change their bank routing and account information and other personal details
through the Employee Self-Service application. All employees have access to the
organizational VPN.
Once supervisors and data owners have approved requests, information system
administrators will implement
A. Technical control(s)
B. Management control(s)
C. Policy control(s)
D. Operational control(s)
Answer : A
282
Question No : 282 - Topic 5
When updating the security strategic planning document what two items must be included?
A. Alignment with the business goals and the vision of the CIO
B. The risk tolerance of the company and the company mission statement
C. The executive summary and vision of the board of directors
D. The alignment with the business goals and the risk tolerance
Answer : D
283
Question No : 283 - Topic 5
Scenario: You are the CISO and are required to brief the C-level executive team on your
information security audit for the year. During your review of the audit findings you discover
that many of the controls that were put in place the previous year to correct some of the
findings are not performing as needed. You have thirty days until the briefing.
To formulate a remediation plan for the non-performing controls what other document do
you need to review before adjusting the controls?
A. Business Impact Analysis
B. Business Continuity plan
C. Security roadmap
D. Annual report to shareholders
Answer : A
284
Question No : 284 - Topic 5
The ability to demand the implementation and management of security controls on third
parties providing services to an organization is
A. Security Governance
B. Compliance management
C. Vendor management
D. Disaster recovery
Answer : C
285
Question No : 285 - Topic 5
John is the project manager for a large project in his organization. A new change request
has been proposed that will affect several areas of the project. One area of the project
change impact is on work that a vendor has already completed. The vendor is refusing to
make the changes as theyve already completed the project work they were contracted to
do. What can John do in this instance?
A. Refer the vendor to the Service Level Agreement (SLA) and insist that they make the changes.
B. Review the Request for Proposal (RFP) for guidance.
C. Withhold the vendor’s payments until the issue is resolved.
D. Refer to the contract agreement for direction.
Answer : D
286
Question No : 286 - Topic 5
The process to evaluate the technical and non-technical security controls of an IT system
to validate that a given design and implementation meet a specific set of security
requirements is called
A. Security certification
B. Security system analysis
C. Security accreditation
D. Alignment with business practices and goals
Answer : A
287
Question No : 287 - Topic 5
The total cost of security controls should:
A. Be equal to the value of the information resource being protected
B. Be greater than the value of the information resource being protected
C. Be less than the value of the information resource being protected
D. Should not matter, as long as the information resource is protected
Answer : C
288
Question No : 288 - Topic 5
When creating contractual agreements and procurement processes why should security
requirements be included?
A. To make sure they are added on after the process is completed
B. To make sure the costs of security is included and understood
C. To make sure the security process aligns with the vendor’s security process
D. To make sure the patching process is included with the costs
Answer : B
289
Question No : 289 - Topic 5
A system is designed to dynamically block offending Internet IP-addresses from requesting
services from a secure website. This type of control is considered
A. Zero-day attack mitigation
B. Preventive detection control
C. Corrective security control
D. Dynamic blocking control
Answer : C
290
Question No : 290 - Topic 5
Your company has limited resources to spend on security initiatives. The Chief Financial
Officer asks you to prioritize the protection of information resources based on their value to
the company. It is essential that you be able to communicate in language that your fellow
executives will understand. You should:
A. Create timelines for mitigation
B. Develop a cost-benefit analysis
C. Calculate annual loss expectancy
D. Create a detailed technical executive summary
Answer : B
291
Question No : 291 - Topic 5
Scenario: An organization has made a decision to address Information Security formally
and consistently by adopting established best practices and industry standards. The
organization is a small retail merchant but it is expected to grow to a global customer base
of many millions of customers in just a few years.
This global retail company is expected to accept credit card payments. Which of the
following is of MOST concern when defining a security program for this organization?
A. International encryption restrictions
B. Compliance to Payment Card Industry (PCI) data security standards
C. Compliance with local government privacy laws
D. Adherence to local data breach notification laws
Answer : B
292
Question No : 292 - Topic 5
Annual Loss Expectancy is derived from the function of which two factors?
A. Annual Rate of Occurrence and Asset Value
B. Single Loss Expectancy and Exposure Factor
C. Safeguard Value and Annual Rate of Occurrence
D. Annual Rate of Occurrence and Single Loss Expectancy
Answer : D
293
Question No : 293 - Topic 5
What is the primary reason for performing vendor management?
A. To understand the risk coverage that are being mitigated by the vendor
B. To establish a vendor selection process
C. To document the relationship between the company and the vendor
D. To define the partnership for long-term success
Answer : A
294
Question No : 294 - Topic 5
Scenario: An organization has recently appointed a CISO. This is a new role in the
organization and it signals the increasing need to address security consistently at the
enterprise level. This new CISO, while confident with skills and experience, is constantly on
the defensive and is unable to advance the IT security centric agenda.
Which of the following is the reason the CISO has not been able to advance the security
agenda in this organization?
A. Lack of identification of technology stake holders
B. Lack of business continuity process
C. Lack of influence with leaders outside IT
D. Lack of a security awareness program
Answer : C
295
SCENARIO: A Chief Information Security Officer (CISO) recently had a third party conduct
an audit of the security program. Internal policies and international standards were used as
audit baselines. The audit report was presented to the CISO and a variety of high, medium
and low rated gaps were identified.
The CISO has validated audit findings, determined if compensating controls exist, and
started initial remediation planning. Which of the following is the MOST logical next step?
A. Validate the effectiveness of current controls
B. Create detailed remediation funding and staffing plans
C. Report the audit findings and remediation status to business stake holders
D. Review security procedures to determine if they need modified according to findings
Answer : C
296
Question No : 296 - Topic 5
Scenario: As you begin to develop the program for your organization, you assess the
corporate culture and determine that there is a pervasive opinion that the security program
only slows things down and limits the performance of the real workers.
What must you do first in order to shift the prevailing opinion and reshape corporate culture
to understand the value of information security to the organization?
A. Cite compliance with laws, statutes, and regulations explaining the financial implications for the company for non-compliance
B. Understand the business and focus your efforts on enabling operations securely
C. Draw from your experience and recount stories of how other companies have been compromised
D. Cite corporate policy and insist on compliance with audit findings
Answer : B
297
Question No : 297 - Topic 5
The newly appointed CISO of an organization is reviewing the IT security strategic plan.
Which of the following is the MOST important component of the strategic plan?
A. There is integration between IT security and business staffing.
B. There is a clear definition of the IT security mission and vision.
C. There is an auditing methodology in place.
D. The plan requires return on investment for all security projects.
Answer : B
298
Question No : 298 - Topic 5
The new CISO was informed of all the Information Security projects that the organization
has in progress. Two projects are over a year behind schedule and over budget. Using best
business practices for project management you determine that the project correctly aligns
with the company goals.
Which of the following needs to be performed NEXT?
A. Verify the scope of the project
B. Verify the regulatory requirements
C. Verify technical resources
D. Verify capacity constraints
Answer : C
299
Question No : 299 - Topic 5
Scenario: An organization has recently appointed a CISO. This is a new role in the
organization and it signals the increasing need to address security consistently at the
enterprise level. This new CISO, while confident with skills and experience, is constantly on
the defensive and is unable to advance the IT security centric agenda.
From an Information Security Leadership perspective, which of the following is a MAJOR
concern about the CISOs approach to security?
A. Lack of risk management process
B. Lack of sponsorship from executive management
C. IT security centric agenda
D. Compliance centric agenda
Answer : C
300
Question No : 300 - Topic 5
You are just hired as the new CISO and are being briefed on all the Information Security
projects that your section has on going. You discover that most projects are behind
schedule and over budget.
Using the best business practices for project management you determine that the project
correctly aligns with the company goals and the scope of the project is correct. What is the
NEXT step?
A. Review time schedules
B. Verify budget
C. Verify resources
D. Verify constraints
Answer : C
301
Question No : 301 - Topic 5
You are just hired as the new CISO and are being briefed on all the Information Security
projects that your section has on going. You discover that most projects are behind
schedule and over budget.
Using the best business practices for project management you determine that the project
correct aligns with the company goals. What needs to be verified FIRST?
A. Scope of the project
B. Training of the personnel on the project
C. Timeline of the project milestones
D. Vendor for the project
Answer : A
302
Question No : 302 - Topic 5
Which of the following conditions would be the MOST probable reason for a security project
to be rejected by the executive board of an organization?
A. The Net Present Value (NPV) of the project is positive
B. The NPV of the project is negative
C. The Return on Investment (ROI) is larger than 10 months
D. The ROI is lower than 10 months
Answer : B
303
Question No : 303 - Topic 5
SCENARIO: A Chief Information Security Officer (CISO) recently had a third party conduct
an audit of the security program. Internal policies and international standards were used as
audit baselines. The audit report was presented to the CISO and a variety of high, medium
and low rated gaps were identified.
After determining the audit findings are accurate, which of the following is the MOST logical
next activity?
A. Begin initial gap remediation analyses
B. Review the security organization’s charter
C. Validate gaps with the Information Technology team
D. Create a briefing of the findings for executive management
Answer : A
304
Question No : 304 - Topic 5
Scenario: The new CISO was informed of all the Information Security projects that the
section has in progress. Two projects are over a year behind schedule and way over
budget.
Using the best business practices for project management, you determine that the project
correctly aligns with the organization goals. What should be verified next?
A. Scope
B. Budget
C. Resources
D. Constraints
Answer : A
305
Question No : 305 - Topic 5
SCENARIO: A CISO has several two-factor authentication systems under review and
selects the one that is most sufficient and least costly. The implementation project planning
is completed and the teams are ready to implement the solution. The CISO then discovers
that the product it is not as scalable as originally thought and will not fit the organizations
needs.
The CISO is unsure of the information provided and orders a vendor proof of concept to
validate the systems scalability. This demonstrates which of the following?
A. An approach that allows for minimum budget impact if the solution is unsuitable
B. A methodology-based approach to ensure authentication mechanism functions
C. An approach providing minimum time impact to the implementation schedules
D. A risk-based approach to determine if the solution is suitable for investment
Answer : D
306
Question No : 306 - Topic 5
SCENARIO: A CISO has several two-factor authentication systems under review and
selects the one that is most sufficient and least costly. The implementation project planning
is completed and the teams are ready to implement the solution. The CISO then discovers
that the product it is not as scalable as originally thought and will not fit the organizations
needs.
What is the MOST logical course of action the CISO should take?
A. Review the original solution set to determine if another system would fit the organizations risk appetite and budget regulatory
compliance requirements
B. Continue with the implementation and submit change requests to the vendor in order to ensure required functionality will be
provided when needed
C. Continue with the project until the scalability issue is validated by others, such as an auditor or third party assessor
D. Cancel the project if the business need was based on internal requirements versus regulatory compliance requirements
Answer : A
307
```
Question No : 307 - Topic 5
Involvement of senior management is MOST important in the development of:
A. IT security implementation plans.
B. Standards and guidelines.
C. IT security policies.
D. IT security procedures.
```
Answer : C
308
Question No : 308 - Topic 5
Scenario: Your organization employs single sign-on (user name and password only) as a
convenience to your employees to access organizational systems and data. Permission to
individual systems and databases is vetted and approved through supervisors and data
owners to ensure that only approved personnel can use particular applications or retrieve
information. All employees have access to their own human resource information, including
the ability to change their bank routing and account information and other personal details
through the Employee Self-Service application. All employees have access to the
organizational VPN.
The organization wants a more permanent solution to the threat to user credential
compromise through phishing. What technical solution would BEST address this issue?
A. Professional user education on phishing conducted by a reputable vendor
B. Multi-factor authentication employing hard tokens
C. Forcing password changes every 90 days
D. Decreasing the number of employees with administrator privileges
Answer : B
309
Question No : 309 - Topic 5
Access Control lists (ACLs), Firewalls, and Intrusion Prevention Systems are examples of
A. Network based security preventative controls
B. Software segmentation controls
C. Network based security detective controls
D. User segmentation controls
Answer : A
310
Question No : 310 - Topic 5
What is the BEST reason for having a formal request for proposal process?
A. Creates a timeline for purchasing and budgeting
B. Allows small companies to compete with larger companies
C. Clearly identifies risks and benefits before funding is spent
D. Informs suppliers a company is going to make a purchase
Answer : C
311
```
Question No : 311 - Topic 5
Which of the following is MOST useful when developing a business case for security
initiatives?
A. Budget forecasts
B. Request for proposals
C. Cost/benefit analysis
D. Vendor management
```
Answer : C
312
Question No : 312 - Topic 5
Scenario: You are the newly hired Chief Information Security Officer for a company that
has not previously had a senior level security practitioner. The company lacks a defined
security policy and framework for their Information Security Program. Your new boss, the
Chief Financial Officer, has asked you to draft an outline of a security policy and
recommend an industry/sector neutral information security control framework for
implementation.
Which of the following industry / sector neutral information security control frameworks
should you recommend for implementation?
A. National Institute of Standards and Technology (NIST) Special Publication 800-53
B. Payment Card Industry Digital Security Standard (PCI DSS)
C. International Organization for Standardization – ISO 27001/2
D. British Standard 7799 (BS7799)
Answer : C
313
Question No : 313 - Topic 5
Scenario: Your organization employs single sign-on (user name and password only) as a
convenience to your employees to access organizational systems and data. Permission to
individual systems and databases is vetted and approved through supervisors and data
owners to ensure that only approved personnel can use particular applications or retrieve
information. All employees have access to their own human resource information, including
the ability to change their bank routing and account information and other personal details
through the Employee Self-Service application. All employees have access to the
organizational VPN.
What type of control is being implemented by supervisors and data owners?
A. Management
B. Operational
C. Technical
D. Administrative
Answer : B
314
Question No : 314 - Topic 5
Acceptable levels of information security risk tolerance in an organization should be
determined by?
A. Corporate legal counsel
B. CISO with reference to the company goals
C. CEO and board of director
D. Corporate compliance committee
Answer : C
315
Question No : 315 - Topic 5
What is the primary reason for performing a return on investment analysis?
A. To decide between multiple vendors
B. To decide is the solution costs less than the risk it is mitigating
C. To determine the current present value of a project
D. To determine the annual rate of loss
Answer : B
316
```
Question No : 316 - Topic 5
Which of the following provides an independent assessment of a vendors internal security
controls and overall posture?
A. Alignment with business goals
B. ISO27000 accreditation
C. PCI attestation of compliance
D. Financial statements
```
Answer : B
317
Question No : 317 - Topic 5
Scenario: You are the CISO and have just completed your first risk assessment for your
organization. You find many risks with no security controls, and some risks with inadequate
controls. You assign work to your staff to create or adjust existing security controls to
ensure they are adequate for risk mitigation needs.
When formulating the remediation plan, what is a required input?
A. Board of directors
B. Risk assessment
C. Patching history
D. Latest virus definitions file
Answer : B
318
```
Question No : 318 - Topic 5
Which of the following is considered the foundation for the Enterprise Information Security
Architecture (EISA)?
A. Security regulations
B. Asset classification
C. Information security policy
D. Data classification
```
Answer : C
319
Question No : 319 - Topic 5
Scenario: Your company has many encrypted telecommunications links for their world-wide
operations. Physically distributing symmetric keys to all locations has proven to be
administratively burdensome, but symmetric keys are preferred to other alternatives.
Symmetric encryption in general is preferable to asymmetric encryption when:
A. The number of unique communication links is large
B. The volume of data being transmitted is small
C. The speed of the encryption / deciphering process is essential
D. The distance to the end node is farthest away
Answer : C
320
The Annualized Loss Expectancy (Before) minus Annualized Loss Expectancy (After)
minus Annual Safeguard Cost is the formula for determining:
A. Safeguard Value
B. Cost Benefit Analysis
C. Single Loss Expectancy
D. Life Cycle Loss Expectancy
Answer : B
321
Question No : 321 - Topic 5
Scenario: As you begin to develop the program for your organization, you assess the
corporate culture and determine that there is a pervasive opinion that the security program
only slows things down and limits the performance of the real workers.
Which group of people should be consulted when developing your security program?
A. Peers
B. End Users
C. Executive Management
D. All of the above
Answer : D
322
Question No : 322 - Topic 5
Scenario: Most industries require compliance with multiple government regulations and/or
industry standards to meet data protection and privacy mandates.
What is one proven method to account for common elements found within separate
regulations and/or standards?
A. Hire a GRC expert
B. Use the Find function of your word processor
C. Design your program to meet the strictest government standards
D. Develop a crosswalk
Answer : D
323
Question No : 323 - Topic 5
SCENARIO: A CISO has several two-factor authentication systems under review and
selects the one that is most sufficient and least costly. The implementation project planning
is completed and the teams are ready to implement the solution. The CISO then discovers
that the product it is not as scalable as originally thought and will not fit the organizations
needs.
The CISO discovers the scalability issue will only impact a small number of network
segments. What is the next logical step to ensure the proper application of risk
management methodology within the two-facto implementation project?
A. Create new use cases for operational use of the solution
B. Determine if sufficient mitigating controls can be applied
C. Decide to accept the risk on behalf of the impacted business units
D. Report the deficiency to the audit team and create process exceptions
Answer : B
324
Question No : 324 - Topic 5
Scenario: Your program is developed around minimizing risk to information by focusing on
people, technology, and operations.
You have decided to deal with risk to information from people first. How can you minimize
risk to your most sensitive information before granting access?
A. Conduct background checks on individuals before hiring them
B. Develop an Information Security Awareness program
C. Monitor employee browsing and surfing habits
D. Set your firewall permissions aggressively and monitor logs regularly.
Answer : A
325
Question No : 325 - Topic 5
SCENARIO: A Chief Information Security Officer (CISO) recently had a third party conduct
an audit of the security program. Internal policies and international standards were used as
audit baselines. The audit report was presented to the CISO and a variety of high, medium
and low rated gaps were identified.
Which of the following is the FIRST action the CISO will perform after receiving the audit
report?
A. Inform peer executives of the audit results
B. Validate gaps and accept or dispute the audit findings
C. Create remediation plans to address program gaps
D. Determine if security policies and procedures are adequate
Answer : B
326
Question No : 326 - Topic 5
Scenario: Most industries require compliance with multiple government regulations and/or
industry standards to meet data protection and privacy mandates.
When multiple regulations or standards apply to your industry you should set controls to
meet the:
A. Easiest regulation or standard to implement
B. Stricter regulation or standard
C. Most complex standard to implement
D. Recommendations of your Legal Staff
Answer : A
327
Question No : 327 - Topic 5
File Integrity Monitoring (FIM) is considered a
A. Network based security preventative control
B. Software segmentation control
C. Security detective control
D. User segmentation control
Answer : C
328
Question No : 328 - Topic 5
Human resource planning for security professionals in your organization is a:
A. Simple and easy task because the threats are getting easier to find and correct.
B. Training requirement that is met through once every year user training.
C. Training requirement that is on-going and always changing.
D. Not needed because automation and anti-virus software has eliminated the threats.
Answer : C
329
Question No : 329 - Topic 5
The formal certification and accreditation process has four primary steps, what are they?
A. Evaluating, describing, testing and authorizing
B. Evaluating, purchasing, testing, authorizing
C. Auditing, documenting, verifying, certifying
D. Discovery, testing, authorizing, certifying
Answer : A
330
Question No : 330 - Topic 5
SCENARIO: Critical servers show signs of erratic behavior within your organizations
intranet. Initial information indicates the systems are under attack from an outside entity. As
the Chief Information Security Officer (CISO), you decide to deploy the Incident Response
Team (IRT) to determine the details of this incident and take action according to the
information available to the team.
In what phase of the response will the team extract information from the affected systems
without altering original data?
A. Response
B. Investigation
C. Recovery
D. Follow-up
Answer : B
331
Question No : 331 - Topic 5
SCENARIO: Critical servers show signs of erratic behavior within your organizations
intranet. Initial information indicates the systems are under attack from an outside entity. As
the Chief Information Security Officer (CISO), you decide to deploy the Incident Response
Team (IRT) to determine the details of this incident and take action according to the
information available to the team.
During initial investigation, the team suspects criminal activity but cannot initially prove or
disprove illegal actions. What is the MOST critical aspect of the teams activities?
A. Regular communication of incident status to executives
B. Eradication of malware and system restoration
C. Determination of the attack source
D. Preservation of information
Answer : D
332
Question No : 332 - Topic 5
Scenario: Your corporate systems have been under constant probing and attack from
foreign IP addresses for more than a week. Your security team and security infrastructure
have performed well under the stress. You are confident that your defenses have held up
under the test, but rumors are spreading that sensitive customer data has been stolen and
is now being sold on the Internet by criminal elements. During your investigation of the
rumored compromise you discover that data has been breached and you have discovered
the repository of stolen data on a server located in a foreign country. Your team now has
full access to the data on the foreign server.
What action should you take FIRST?
A. Destroy the repository of stolen data
B. Contact your local law enforcement agency
C. Consult with other C-Level executives to develop an action plan
D. Contract with a credit reporting company for paid monitoring services for affected customers
Answer : C
333
```
Question No : 333 - Topic 5
When dealing with risk, the information security practitioner may choose to:
A. assign
B. transfer
C. acknowledge
D. defer
```
Answer : C
334
Question No : 334 - Topic 5
Scenario: An organization has recently appointed a CISO. This is a new role in the
organization and it signals the increasing need to address security consistently at the
enterprise level. This new CISO, while confident with skills and experience, is constantly on
the defensive and is unable to advance the IT security centric agenda.
The CISO has been able to implement a number of technical controls and is able to
influence the Information Technology teams but has not been able to influence the rest of
the organization. From an organizational perspective, which of the following is the LIKELY
reason for this?
A. The CISO does not report directly to the CEO of the organization
B. The CISO reports to the IT organization
C. The CISO has not implemented a policy management framework
D. The CISO has not implemented a security awareness program
Answer : B
335
Question No : 335 - Topic 5
As the CISO you need to write the IT security strategic plan. Which of the following is the
MOST important to review before you start writing the plan?
A. The existing IT environment.
B. The company business plan.
C. The present IT budget.
D. Other corporate technology trends.
Answer : B
336
Question No : 336 - Topic 5
Scenario: The new CISO was informed of all the Information Security projects that the
section has in progress. Two projects are over a year behind schedule and way over
budget.
Which of the following will be most helpful for getting an Information Security project that is
behind schedule back on schedule?
A. Upper management support
B. More frequent project milestone meetings
C. More training of staff members
D. Involve internal audit
Answer : A
337
Question No : 337 - Topic 5
Scenario: Your company has many encrypted telecommunications links for their world-wide
operations. Physically distributing symmetric keys to all locations has proven to be
administratively burdensome, but symmetric keys are preferred to other alternatives.
How can you reduce the administrative burden of distributing symmetric keys for your
employer?
A. Use asymmetric encryption for the automated distribution of the symmetric key
B. Use a self-generated key on both ends to eliminate the need for distribution
C. Use certificate authority to distribute private keys
D. Symmetrically encrypt the key and then use asymmetric encryption to unencrypt it
Answer : A
338
Question No : 338 - Topic 5
Scenario: An organization has made a decision to address Information Security formally
and consistently by adopting established best practices and industry standards. The
organization is a small retail merchant but it is expected to grow to a global customer base
of many millions of customers in just a few years.
Which of the following frameworks and standards will BEST fit the organization as a
baseline for their security program?
A. NIST and Privacy Regulations
B. ISO 27000 and Payment Card Industry Data Security Standards
C. NIST and data breach notification laws
D. ISO 27000 and Human resources best practices
Answer : B
339
Question No : 339 - Topic 5
The process for management approval of the security certification process which states the
risks and mitigation of such risks of a given IT system is called
A. Security certification
B. Security system analysis
C. Security accreditation
D. Alignment with business practices and goals
Answer : C
340
Question No : 340 - Topic 5
What are the primary reasons for the development of a business case for a security
project?
A. To estimate risk and negate liability to the company
B. To understand the attack vectors and attack sources
C. To communicate risk and forecast resource needs
D. To forecast usage and cost per software licensing
Answer : C
341
Question No : 341 - Topic 5
Scenario: Your organization employs single sign-on (user name and password only) as a
convenience to your employees to access organizational systems and data. Permission to
individual systems and databases is vetted and approved through supervisors and data
owners to ensure that only approved personnel can use particular applications or retrieve
information. All employees have access to their own human resource information, including
the ability to change their bank routing and account information and other personal details
through the Employee Self-Service application. All employees have access to the
organizational VPN.
Recently, members of your organization have been targeted through a number of
sophisticated phishing attempts and have compromised their system credentials. What
action can you take to prevent the misuse of compromised credentials to change bank
account information from outside your organization while still allowing employees to
manage their bank information?
A. Turn off VPN access for users originating from outside the country
B. Enable monitoring on the VPN for suspicious activity
C. Force a change of all passwords
D. Block access to the Employee-Self Service application via VPN
Answer : D
342
Question No : 342 - Topic 5
Scenario: Your program is developed around minimizing risk to information by focusing on
people, technology, and operations.
An effective way to evaluate the effectiveness of an information security awareness
program for end users, especially senior executives, is to conduct periodic:
A. Controlled spear phishing campaigns
B. Password changes
C. Baselining of computer systems
D. Scanning for viruses
Answer : A
343
Question No : 343 - Topic 5
Scenario: You are the newly hired Chief Information Security Officer for a company that
has not previously had a senior level security practitioner. The company lacks a defined
security policy and framework for their Information Security Program. Your new boss, the
Chief Financial Officer, has asked you to draft an outline of a security policy and
recommend an industry/sector neutral information security control framework for
implementation.
Your Corporate Information Security Policy should include which of the following?
A. Information security theory
B. Roles and responsibilities
C. Incident response contacts
D. Desktop configuration standards
Answer : B
