Domain 2 Flashcards

1
Q

Which of the following is considered to be an IT governance framework and a supporting toolset that allows for managers to bridge the gap between control requirements, technical issues, and business risks?
A. Control Objective for Information Technology (COBIT)
B. Committee of Sponsoring Organizations (COSO)
C. Payment Card Industry (PCI)
D. Information Technology Infrastructure Library (ITIL)

A

Control Objective for Information Technology (COBIT)

2
Q

Which of the following are primary concerns for management with regard to assessing internal control objectives?
A. Confidentiality, Availability, Integrity
B. Compliance, Effectiveness, Efficiency
C. Communication, Reliability, Cost
D. Confidentiality, Compliance, Cost

A

Compliance, Effectiveness, Efficiency

3
Q

Which of the following activities must be completed BEFORE you can calculate risk?
A. Determining the likelihood that vulnerable systems will be attacked by specific threats
B. Calculating the risks to which assets are exposed in their current setting
C. Assigning a value to each information asset
D. Assessing the relative risk facing the organization’s information assets

A

Assigning a value to each information asset

4
Q

Which of the following set of processes is considered to be one of the cornerstone cycles of the International Organization for Standardization (ISO) 27001 standard?
A. Plan-Check-Do-Act
B. Plan-Do-Check-Act
C. Plan-Select-Implement-Evaluate
D. SCORE (Security Consensus Operational Readiness Evaluation)

A

Plan-Do-Check-Act

5
Q

Which of the following tests is an IS auditor performing when a sample of programs is selected to determine if the source and object versions are the same?
A. A substantive test of program library controls
B. A compliance test of program library controls
C. A compliance test of the program compiler controls
D. A substantive test of the program compiler controls

A

A compliance test of program library controls

6
Q

The effectiveness of an audit is measured by which of the following?
A. The number of actionable items in the recommendations
B. How it exposes the risk tolerance of the company
C. How the recommendations directly support the goals of the company
D. The number of security controls the company has in use

A

How the recommendations directly support the goals of the company

7
Q

Which of the following is the MOST effective way to measure the effectiveness of security controls on a perimeter network?
A. Perform a vulnerability scan of the network
B. External penetration testing by a qualified third party
C. Internal Firewall ruleset reviews
D. Implement network intrusion prevention systems

A

External penetration testing by a qualified third party

8
Q

In MOST organizations, which group periodically reviews network intrusion detection system logs for all systems as part of their daily tasks?
A. Internal Audit
B. Database Administration
C. Information Security
D. Compliance

A

Information Security

9
Q

When measuring the effectiveness of an Information Security Management System, which one of the following would MOST LIKELY be used as a metric framework?
A. ISO 27001
B. PRINCE2
C. ISO 27004
D. ITILv3

A

ISO 27004

10
Q

Which of the following organizations is typically in charge of validating the implementation and effectiveness of security controls?
A. Security Administrators
B. Internal/External Audit
C. Risk Management
D. Security Operations

A

Internal/External Audit

11
Q

The mean time to patch, number of virus outbreaks prevented, and number of vulnerabilities mitigated are examples of what type of performance metrics?
A. Risk metrics
B. Management metrics
C. Operational metrics
D. Compliance metrics

A

Operational metrics

12
Q

You have implemented the new controls. What is the next step?
A. Document the process for the stakeholders
B. Monitor the effectiveness of the controls
C. Update the audit findings report
D. Perform a risk assessment

A

Monitor the effectiveness of the controls

13
Q

Creating a secondary authentication process for network access would be an example of?
A. Nonlinearities in physical security performance metrics
B. Defense in depth cost enumerated costs
C. System hardening and patching requirements
D. Anti-virus for mobile devices

A

Nonlinearities in physical security performance metrics

14
Q

A missing/ineffective security control is identified. Which of the following should be the NEXT step?
A. Perform an audit to measure the control formally
B. Escalate the issue to the IT organization
C. Perform a risk assessment to measure risk
D. Establish Key Risk Indicators

A

Perform a risk assessment to measure risk

15
Q

An organization has implemented a change management process for all changes to the IT production environment. This change management process follows best practices and is expected to help stabilize the availability and integrity of the organization's IT environment. Which of the following can be used to measure the effectiveness of this newly implemented process?
A. Number of change orders rejected
B. Number and length of planned outages
C. Number of unplanned outages
D. Number of change orders processed

A

Number of unplanned outages

16
Q

Which of the following is a benefit of a risk-based approach to audit planning?
A. Resources are allocated to the areas of the highest concern
B. Scheduling may be performed months in advance
C. Budgets are more likely to be met by the IT audit staff
D. Staff will be exposed to a variety of technologies

A

Resources are allocated to the areas of the highest concern

17
Q

When a CISO considers delaying or not remediating system vulnerabilities, which of the following are MOST important to take into account?
A. Threat Level, Risk of Compromise, and Consequences of Compromise
B. Risk Avoidance, Threat Level, and Consequences of Compromise
C. Risk Transfer, Reputational Impact, and Consequences of Compromise
D. Reputational Impact, Financial Impact, and Risk of Compromise

A

Threat Level, Risk of Compromise, and Consequences of Compromise

18
Q

When you develop your audit remediation plan, what is the MOST important criterion?
A. To remediate half of the findings before the next audit.
B. To remediate all of the findings before the next audit.
C. To validate that the cost of the remediation is less than the risk of the finding.
D. To validate the remediation process with the auditor.

A

To validate that the cost of the remediation is less than the risk of the finding.

19
Q

The implementation of anti-malware and anti-phishing controls on centralized email servers is an example of what type of security control?
A. Organization control
B. Procedural control
C. Management control
D. Technical control

A

Technical control

20
Q

The effectiveness of social engineering penetration testing using phishing can be used as a Key Performance Indicator (KPI) for the effectiveness of an organization's
A. Risk Management Program.
B. Anti-Spam controls.
C. Security Awareness Program.
D. Identity and Access Management Program.

A

Security Awareness Program.

21
Q

Which of the following activities is the MAIN purpose of the risk assessment process?
A. Creating an inventory of information assets
B. Classifying and organizing information assets into meaningful groups
C. Assigning value to each information asset
D. Calculating the risks to which assets are exposed in their current setting

A

Calculating the risks to which assets are exposed in their current setting

22
Q

Which of the following best represents a calculation for Annual Loss Expectancy (ALE)?
A. Single loss expectancy multiplied by the annual rate of occurrence
B. Total loss expectancy multiplied by the total loss frequency
C. Value of the asset multiplied by the loss expectancy
D. Replacement cost multiplied by the single loss expectancy

A

Single loss expectancy multiplied by the annual rate of occurrence

23
Q

You are the Chief Information Security Officer of a large, multinational bank and you suspect there is a flaw in a two-factor authentication token management process. Which of the following represents your BEST course of action?
A. Validate that security awareness program content includes information about the potential vulnerability
B. Conduct a thorough risk assessment against the current implementation to determine system functions
C. Determine program ownership to implement compensating controls
D. Send a report to executive peers and business unit owners detailing your suspicions

A

Conduct a thorough risk assessment against the current implementation to determine system functions

24
Q

Which is the BEST solution to monitor, measure, and report changes to critical data in a system?
A. Application logs
B. File integrity monitoring
C. SNMP traps
D. Syslog

A

File integrity monitoring

25
Q

An IT auditor has recently discovered that because of a shortage of skilled operations personnel, the security administrator has agreed to work one late night shift a week as the senior computer operator. The most appropriate course of action for the IT auditor is to:
A. Inform senior management of the risk involved.
B. Agree to work with the security officer on these shifts as a form of preventative control.
C. Develop a computer assisted audit technique to detect instances of abuses of the arrangement.
D. Review the system log for each of the late night shifts to determine whether any irregular actions occurred

A

Inform senior management of the risk involved.

26
Q

An information security department is required to remediate system vulnerabilities when they are discovered. Please select the three primary remediation methods that can be used on an affected system.
A. Install software patch, Operate system, Maintain system
B. Discover software, Remove affected software, Apply software patch
C. Install software patch, configuration adjustment, Software Removal
D. Software removal, install software patch, maintain system

A

Install software patch, configuration adjustment, Software Removal

27
Q

With respect to the audit management process, management response serves what function?
A. placing underperforming units on notice for failing to meet standards
B. determining whether or not resources will be allocated to remediate a finding
C. adding controls to ensure that proper oversight is achieved by management
D. revealing the root cause of the process failure and mitigating for all internal and external units

A

determining whether or not resources will be allocated to remediate a finding

28
Q

Which of the following reports should you, as an IT auditor, use to check on compliance with a service level agreement's requirement for uptime?
A. Systems logs
B. Hardware error reports
C. Utilization reports
D. Availability reports

A

Availability reports

29
Q

The remediation of a specific audit finding is deemed too expensive and will not be implemented. Which of the following is a TRUE statement?
A. The asset is more expensive than the remediation
B. The audit finding is incorrect
C. The asset being protected is less valuable than the remediation costs
D. The remediation costs are irrelevant; it must be implemented regardless of cost.

A

The asset being protected is less valuable than the remediation costs

30
Q

As the new CISO at the company you are reviewing the audit reporting process and notice that it includes only detailed technical diagrams. What else should be in the reporting process?
A. Executive summary
B. Penetration test agreement
C. Names and phone numbers of those who conducted the audit
D. Business charter

A

Executive summary

31
Q

Control Objectives for Information and Related Technology (COBIT) is which of the following?
A. An Information Security audit standard
B. An audit guideline for certifying secure systems and controls
C. A framework for Information Technology management and governance
D. A set of international regulations for Information Technology governance

A

A framework for Information Technology management and governance

32
Q

Which represents PROPER separation of duties in the corporate environment?
A. Information Security and Identity Access Management teams perform two distinct functions
B. Developers and Network teams both have admin rights on servers
C. Finance has access to Human Resources data
D. Information Security and Network teams perform two distinct functions

A

Information Security and Network teams perform two distinct functions

33
Q

Many times a CISO may have to speak to the Board of Directors (BOD) about their cyber security posture. What would be the BEST choice of security metrics to present to the BOD?
A. All vulnerabilities found on servers and desktops
B. Only critical and high vulnerabilities on servers and desktops
C. Only critical and high vulnerabilities that impact important production servers
D. All vulnerabilities that impact important production servers

A

Only critical and high vulnerabilities that impact important production servers

34
Q

A new CISO just started with a company and on the CISO’s desk is the last complete Information Security Management audit report. The audit report is over two years old. After reading it, what should be the CISO’s FIRST priority?
A. Have internal audit conduct another audit to see what has changed.
B. Contract with an external audit company to conduct an unbiased audit
C. Review the recommendations and follow up to see if audit implemented the changes
D. Meet with audit team to determine a timeline for corrections

A

Review the recommendations and follow up to see if audit implemented the changes

35
Q

IT control objectives are useful to IT auditors as they provide the basis for understanding the:
A. Desired results or purpose of implementing specific control procedures.
B. Audit control checklist.
C. Techniques for securing information.
D. Security policy

A

Desired results or purpose of implementing specific control procedures.

36
Q

The regular review of a firewall ruleset is considered a
A. Procedural control
B. Organization control
C. Technical control
D. Management control

A

Procedural control

37
Q

Which of the following is the PRIMARY purpose of International Organization for Standardization (ISO) 27001?
A. Use within an organization to formulate security requirements and objectives
B. Implementation of business-enabling information security
C. Use within an organization to ensure compliance with laws and regulations
D. To enable organizations that adopt it to obtain certifications

A

Implementation of business-enabling information security

38
Q

An organization is required to implement background checks on all employees with access to databases containing credit card information. This is considered a security
A. Procedural control
B. Management control
C. Technical control
D. Administrative control

A

Management control

39
Q

Dataflow diagrams are used by IT auditors to:
A. Order data hierarchically.
B. Highlight high-level data definitions.
C. Graphically summarize data paths and storage processes.
D. Portray step-by-step details of data generation.

A

Graphically summarize data paths and storage processes.

40
Q

The BEST organization to provide a comprehensive, independent and certifiable perspective on established security controls in an environment is
A. Penetration testers
B. External Audit
C. Internal Audit
D. Forensic experts

A

External Audit

41
Q

An employee successfully avoids becoming a victim of a sophisticated spear phishing attack due to knowledge gained through the corporate information security awareness program. What type of control has been effectively utilized?
A. Management Control
B. Technical Control
C. Training Control
D. Operational Control

A

Operational Control

42
Q

Assigning the role and responsibility of Information Assurance to a dedicated and independent security group is an example of:
A. Detective Controls
B. Proactive Controls
C. Preemptive Controls
D. Organizational Controls

A

Organizational Controls

43
Q

Which of the following is a fundamental component of an audit record?
A. Date and time of the event
B. Failure of the event
C. Originating IP-Address
D. Authentication type

A

Date and time of the event

44
Q

As a new CISO at a large healthcare company you are told that everyone has to badge in to get in the building. Below your office window you notice a door that is normally propped open during the day for groups of people to take breaks outside. Upon looking closer you see there is no badge reader. What should you do?
A. Nothing, this falls outside your area of influence.
B. Close and chain the door shut and send a company-wide memo banning the practice.
C. Have a risk assessment performed.
D. Post a guard at the door to maintain physical security

A

Have a risk assessment performed.

45
Q

The amount of risk an organization is willing to accept in pursuit of its mission is known as
A. Risk mitigation
B. Risk transfer
C. Risk tolerance
D. Risk acceptance

A

Risk tolerance

46
Q

At which point should the identity access management team be notified of the termination of an employee?
A. At the end of the day once the employee is off site
B. During the monthly review cycle
C. Immediately so the employee account(s) can be disabled
D. Before an audit

A

Immediately so the employee account(s) can be disabled

47
Q

Which of the following is the MOST important reason to measure the effectiveness of an Information Security Management System (ISMS)?
A. Meet regulatory compliance requirements
B. Better understand the threats and vulnerabilities affecting the environment
C. Better understand strengths and weaknesses of the program
D. Meet legal requirements

A

Better understand strengths and weaknesses of the program

48
Q

Your IT auditor is reviewing significant events from the previous year and has identified some procedural oversights. Which of the following would be the MOST concerning?
A. Lack of notification to the public of disclosure of confidential information.
B. Lack of periodic examination of access rights
C. Failure to notify police of an attempted intrusion
D. Lack of reporting of a successful denial of service attack on the network.

A

Lack of notification to the public of disclosure of confidential information.

49
Q

Which of the following are necessary to formulate responses to external audit findings?
A. Internal Audit, Management, and Technical Staff
B. Internal Audit, Budget Authority, Management
C. Technical Staff, Budget Authority, Management
D. Technical Staff, Internal Audit, Budget Authority

A

Technical Staff, Budget Authority, Management

50
Q

Step-by-step procedures to regain normalcy in the event of a major earthquake are PRIMARILY covered by which of the following plans?
A. Incident response plan
B. Business Continuity plan
C. Disaster recovery plan
D. Damage control plan

A

Disaster recovery plan

51
Q

Which International Organization for Standardization (ISO) standard below BEST describes the performance of risk management, and includes a five-stage risk management methodology?
A. ISO 27001
B. ISO 27002
C. ISO 27004
D. ISO 27005

A

ISO 27005

52
Q

Which of the following activities results in change requests?
A. Preventive actions
B. Inspection
C. Defect repair
D. Corrective actions

A

Preventive actions

53
Q

Which of the following is the MOST important goal of risk management?
A. Identifying the risk
B. Finding economic balance between the impact of the risk and the cost of the control
C. Identifying the victim of any potential exploits.
D. Assessing the impact of potential threats

A

Finding economic balance between the impact of the risk and the cost of the control

54
Q

The CIO of an organization has decided to assign the responsibility of internal IT audit to the IT team. This is considered a bad practice MAINLY because
A. The IT team is not familiar with IT audit practices
B. This represents a bad implementation of the Least Privilege principle
C. This represents a conflict of interest
D. The IT team is not certified to perform audits

A

This represents a conflict of interest

55
Q

The patching and monitoring of systems on a consistent schedule is required by which of the following?
A. Local privacy laws
B. Industry best practices
C. Risk Management frameworks
D. Audit best practices

A

Risk Management frameworks

56
Q

Creating good security metrics is essential for a CISO. What would be the BEST sources for creating security metrics for baseline defenses coverage?
A. Servers, routers, switches, modem
B. Firewall, exchange, web server, intrusion detection system (IDS)
C. Firewall, anti-virus console, IDS, syslog
D. IDS, syslog, router, switches

A

Firewall, anti-virus console, IDS, syslog

57
Q

Creating a secondary authentication process for network access would be an example of?
A. An administrator with too much time on their hands.
B. Putting undue time commitment on the system administrator.
C. Supporting the concept of layered security
D. Network segmentation.

A

Supporting the concept of layered security

58
Q

Providing oversight of a comprehensive information security program for the entire organization is the primary responsibility of which group under the InfoSec governance framework?
A. Senior Executives
B. Office of the Auditor
C. Office of the General Counsel
D. All employees and users

A

Senior Executives

59
Q

How often should an environment be monitored for cyber threats, risks, and exposures?
A. Weekly
B. Monthly
C. Quarterly
D. Daily

A

Daily

60
Q

Which of the following represents the BEST reason for an organization to use the Control Objectives for Information and Related Technology (COBIT) as an Information Technology (IT) framework?
A. It allows executives to more effectively monitor IT implementation costs
B. Implementation of it eases an organization’s auditing and compliance burden
C. Information Security (IS) procedures often require augmentation with other standards
D. It provides for a consistent and repeatable staffing model for technology organizations

A

Implementation of it eases an organization’s auditing and compliance burden

61
Q

The risk found after a control has been fully implemented is called:
A. Residual Risk
B. Total Risk
C. Post implementation risk
D. Transferred risk

A

Residual Risk

62
Q

A recent audit has identified a few control exceptions and is recommending the implementation of technology and processes to address the finding. Which of the following is the MOST likely reason for the organization to reject the implementation of the recommended technology and processes?
A. The auditors have not followed proper auditing processes
B. The CIO of the organization disagrees with the finding
C. The risk tolerance of the organization permits this risk
D. The organization has purchased cyber insurance

A

The risk tolerance of the organization permits this risk

63
Q

Which of the following BEST describes an international standard framework that is based on the security model Information Technology Code of Practice for Information Security Management?
A. International Organization for Standardization 27001
B. National Institute of Standards and Technology Special Publication SP 800-12
C. Request For Comment 2196
D. National Institute of Standards and Technology Special Publication SP 800-26

A

International Organization for Standardization 27001

64
Q

An effective method for reducing the impact of credential theft is:

A

Deploying multi-factor authentication so accounts are better protected.

65
Q

Metrics capable of demonstrating that an organization is susceptible to, or has a high probability of being susceptible to, a risk that exceeds the acceptable risk appetite are known as:

A

Key risk indicators (KRI)

66
Q

A primary consideration when selecting risk transfer as a risk treatment option is which of the following?

A

Insurance cost

67
Q

The Information Technology Infrastructure Library Version 4 (ITIL® 4) Information Security Management Practice is based on which standard?

A

International Organization for Standardization (ISO) 27001.

68
Q

Your information-security program is technically well provisioned; however, you observe employee data and financial information exposed through compromised account credentials. From the choices provided, what should you do FIRST to minimize this threat?

A

Reset passwords for suspected compromised accounts.

69
Q

Which of the following illustrates an operational control process?
A. Classifying an information system as part of a risk assessment
B. Installing an appropriate fire suppression system in the data center
C. Conducting an audit of the configuration management process
D. Establishing procurement standards for cloud vendors

A

Installing an appropriate fire suppression system in the data center

70
Q

To have accurate and effective information security policies, how often should the CISO review the organization's policies?
A. Every 6 months
B. Quarterly
C. Before an audit
D. At least once a year

A

At least once a year

71
Q

A Chief Information Security Officer received a list of high, medium, and low impact audit findings. Which of the following represents the BEST course of action?
A. If the findings impact regulatory compliance, try to apply remediation that will address the most findings for the least cost.
B. If the findings do not impact regulatory compliance, remediate only the high and medium risk findings.
C. If the findings impact regulatory compliance, remediate the high findings as quickly as possible.
D. If the findings do not impact regulatory compliance, review current security controls.

A

If the findings impact regulatory compliance, remediate the high findings as quickly as possible.

72
Q

Which of the following is a term related to risk management that represents the estimated frequency at which a threat is expected to transpire?
A. Single Loss Expectancy (SLE)
B. Exposure Factor (EF)
C. Annualized Rate of Occurrence (ARO)
D. Temporal Probability (TP)

A

Annualized Rate of Occurrence (ARO)

73
Q

An audit was conducted and many critical applications were found to have no disaster recovery plans in place. You conduct a Business Impact Analysis (BIA) to determine impact to the company for each application. What should be the NEXT step?
A. Determine the annual loss expectancy (ALE)
B. Create a crisis management plan
C. Create technology recovery plans
D. Build a secondary hot site

A

Create technology recovery plans

74
Q

You work as a project manager for TYU project. You are planning for risk mitigation. You need to quickly identify high-level risks that will need a more in-depth analysis. Which of the following activities will help you in this?
A. Qualitative analysis
B. Quantitative analysis
C. Risk mitigation
D. Estimate activity duration

A

Qualitative analysis

75
Q

When a critical vulnerability has been discovered on production systems and needs to be fixed immediately, what is the BEST approach for a CISO to mitigate the vulnerability under tight budget constraints?
A. Transfer financial resources from other critical programs
B. Take the system off line until the budget is available
C. Deploy countermeasures and compensating controls until the budget is available
D. Schedule an emergency meeting and request the funding to fix the issue

A

Deploy countermeasures and compensating controls until the budget is available

76
Q

During the course of a risk analysis your IT auditor identified threats and potential impacts. Next, your IT auditor should:
A. Identify and evaluate the existing controls.
B. Disclose the threats and impacts to management.
C. Identify information assets and the underlying systems.
D. Identify and assess the risk assessment process used by management.

A

Identify and evaluate the existing controls.

77
Q

The executive board has requested that the CISO of an organization define Key Performance Indicators (KPI) to measure the effectiveness of the security awareness program provided to call center employees. Which of the following can be used as a KPI?
A. Number of callers who report security issues.
B. Number of callers who report a lack of customer service from the call center
C. Number of successful social engineering attempts on the call center
D. Number of callers who abandon the call before speaking with a representative

A

Number of successful social engineering attempts on the call center

78
Q

When working in the Payment Card Industry (PCI), how often should security logs be reviewed to comply with the standards?
A. Daily
B. Hourly
C. Weekly
D. Monthly

A

Daily

79
Q

The MOST common method to get an unbiased measurement of the effectiveness of an Information Security Management System (ISMS) is to
A. assign the responsibility to the information security team.
B. assign the responsibility to the team responsible for the management of the controls.
C. create operational reports on the effectiveness of the controls.
D. perform an independent audit of the security controls.

A

perform an independent audit of the security controls.

80
Q

Which of the following best describes the purpose of the International Organization for Standardization (ISO) 27002 standard?
A. To give information security management recommendations to those who are responsible for initiating, implementing, or maintaining security in their organization.
B. To provide a common basis for developing organizational security standards
C. To provide effective security management practice and to provide confidence in inter-organizational dealings
D. To establish guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization

A

To establish guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization