Domain 5

Question 1

Scenario: Your corporate systems have been under constant probing and attack from foreign IP addresses for more than a week. Your security team and security infrastructure have performed well under the stress. You are confident that your defenses have held up under the test, but rumors are spreading that sensitive customer data has been stolen and is now being sold on the Internet by criminal elements. During your investigation of the rumored compromise you discover that data has been breached and you have discovered the repository of stolen data on a server located in a foreign country. Your team now has full access to the data on the foreign server.

Your defenses did not hold up to the test as originally thought. As you investigate how the data was compromised through log analysis you discover that a hardworking, but misguided business intelligence analyst posted the data to an obfuscated URL on a popular cloud storage service so they could work on it from home during their off-time. Which technology or solution could you deploy to prevent employees from removing corporate data from your network? Choose the BEST answer.
A. Security Guards posted outside the Data Center
B. Data Loss Prevention (DLP)
C. Rigorous syslog reviews
D. Intrusion Detection Systems (IDS)

Answer 1

Data Loss Prevention (DLP)

Question 2

Scenario: An organization has made a decision to address Information Security formally and consistently by adopting established best practices and industry standards. The organization is a small retail merchant but it is expected to grow to a global customer base of many millions of customers in just a few years.

Which of the following would be the FIRST step when addressing Information Security formally and consistently in this organization?
A. Contract a third party to perform a security risk assessment
B. Define formal roles and responsibilities for Internal audit functions
C. Define formal roles and responsibilities for Information Security
D. Create an executive security steering committee

Answer 2

Define formal roles and responsibilities for Information Security

Question 3

The rate of change in technology increases the importance of:
A. Outsourcing the IT functions.
B. Understanding user requirements.
C. Hiring personnel with leading edge skills.
D. Implementing and enforcing good processes.

Answer 3

Implementing and enforcing good processes.

Question 4

When analyzing and forecasting a capital expense budget what are not included?
A. Network connectivity costs
B. New datacenter to operate from
C. Upgrade of mainframe
D. Purchase of new mobile devices to improve operations

Answer 4

Network connectivity costs

Question 5

Scenario: You are the CISO and have just completed your first risk assessment for your organization. You find many risks with no security controls, and some risks with inadequate controls. You assign work to your staff to create or adjust existing security controls to ensure they are adequate for risk mitigation needs.

You have identified potential solutions for all of your risks that do not have security controls. What is the NEXT step?
A. Get approval from the board of directors
B. Screen potential vendor solutions
C. Verify that the cost of mitigation is less than the risk
D. Create a risk metrics for all unmitigated risks

Answer 5

Verify that the cost of mitigation is less than the risk

Question 6

SCENARIO: A Chief Information Security Officer (CISO) recently had a third party conduct an audit of the security program. Internal policies and international standards were used as audit baselines. The audit report was presented to the CISO and a variety of high, medium and low rated gaps were identified.

The CISO has implemented remediation activities. Which of the following is the MOST logical next step?
A. Validate the effectiveness of applied controls
B. Validate security program resource requirements
C. Report the audit findings and remediation status to business stake holders
D. Review security procedures to determine if they need modified according to findings

Answer 6

Validate the effectiveness of applied controls

Question 7

Scenario: You are the CISO and have just completed your first risk assessment for your organization. You find many risks with no security controls, and some risks with inadequate controls. You assign work to your staff to create or adjust existing security controls to ensure they are adequate for risk mitigation needs.

When adjusting the controls to mitigate the risks, how often should the CISO perform an audit to verify the controls?
A. Annually
B. Semi-annually
C. Quarterly
D. Never

Answer 7

Never

Question 8

SCENARIO: Critical servers show signs of erratic behavior within your organizations intranet. Initial information indicates the systems are under attack from an outside entity. As the Chief Information Security Officer (CISO), you decide to deploy the Incident Response Team (IRT) to determine the details of this incident and take action according to the information available to the team.

What phase of the response provides measures to reduce the likelihood of an incident from recurring?
A. Response
B. Investigation
C. Recovery
D. Follow-up

Answer 8

Follow Up

Question 9

Scenario: An organization has made a decision to address Information Security formally and consistently by adopting established best practices and industry standards. The organization is a small retail merchant but it is expected to grow to a global customer base of many millions of customers in just a few years.

The organization has already been subject to a significant amount of credit card fraud. Which of the following is the MOST likely reason for this fraud?
A. Lack of compliance to the Payment Card Industry (PCI) standards
B. Ineffective security awareness program
C. Security practices not in alignment with ISO 27000 frameworks
D. Lack of technical controls when dealing with credit card data

Answer 9

Lack of compliance to the Payment Card Industry (PCI) standards

Question 10

When analyzing and forecasting an operating expense budget what are not included?
A. Software and hardware license fees
B. Utilities and power costs
C. Network connectivity costs
D. New datacenter to operate from

Answer 10

New datacenter to operate from

Question 11

Scenario: Your organization employs single sign-on (user name and password only) as a convenience to your employees to access organizational systems and data. Permission to individual systems and databases is vetted and approved through supervisors and data owners to ensure that only approved personnel can use particular applications or retrieve information. All employees have access to their own human resource information, including the ability to change their bank routing and account information and other personal details through the Employee Self-Service application. All employees have access to the
organizational VPN.

Once supervisors and data owners have approved requests, information system administrators will implement
A. Technical control(s)
B. Management control(s)
C. Policy control(s)
D. Operational control(s)

Answer 11

Technical control(s)

Question 12

When updating the security strategic planning document what two items must be included?
A. Alignment with the business goals and the vision of the CIO
B. The risk tolerance of the company and the company mission statement
C. The executive summary and vision of the board of directors
D. The alignment with the business goals and the risk tolerance

Answer 12

The alignment with the business goals and the risk tolerance

Question 13

Scenario: You are the CISO and are required to brief the C-level executive team on your information security audit for the year. During your review of the audit findings you discover that many of the controls that were put in place the previous year to correct some of the findings are not performing as needed. You have thirty days until the briefing. To formulate a remediation plan for the non-performing controls what other document do you need to review before adjusting the controls?
A. Business Impact Analysis
B. Business Continuity plan
C. Security roadmap
D. Annual report to shareholders

Answer 13

Business Impact Analysis

Question 14

The ability to demand the implementation and management of security controls on third parties providing services to an organization is
A. Security Governance
B. Compliance management
C. Vendor management
D. Disaster recovery

Answer 14

Vendor management

Question 15

John is the project manager for a large project in his organization. A new change request has been proposed that will affect several areas of the project. One area of the project change impact is on work that a vendor has already completed. The vendor is refusing to make the changes as theyve already completed the project work they were contracted to do. What can John do in this instance?
A. Refer the vendor to the Service Level Agreement (SLA) and insist that they make the changes.
B. Review the Request for Proposal (RFP) for guidance.
C. Withhold the vendor’s payments until the issue is resolved.
D. Refer to the contract agreement for direction.

Answer 15

Refer to the contract agreement for direction.

Question 16

The process to evaluate the technical and non-technical security controls of an IT system to validate that a given design and implementation meet a specific set of security requirements is called
A. Security certification
B. Security system analysis
C. Security accreditation
D. Alignment with business practices and goals.

Answer 16

Security certification

Question 17

The total cost of security controls should:
A. Be equal to the value of the information resource being protected
B. Be greater than the value of the information resource being protected
C. Be less than the value of the information resource being protected
D. Should not matter, as long as the information resource is protected

Answer 17

Be less than the value of the information resource being protected

Question 18

When creating contractual agreements and procurement processes why should security requirements be included?
A. To make sure they are added on after the process is completed
B. To make sure the costs of security is included and understood
C. To make sure the security process aligns with the vendor’s security process
D. To make sure the patching process is included with the costs

Answer 18

To make sure the costs of security is included and understood

Question 19

Your company has limited resources to spend on security initiatives. The Chief Financial Officer asks you to prioritize the protection of information resources based on their value to the company. It is essential that you be able to communicate in language that your fellow executives will understand. You should:
A. Create timelines for mitigation
B. Develop a cost-benefit analysis
C. Calculate annual loss expectancy
D. Create a detailed technical executive summary

Answer 19

Develop a cost-benefit analysis

Question 20

Scenario: An organization has made a decision to address Information Security formally and consistently by adopting established best practices and industry standards. The organization is a small retail merchant but it is expected to grow to a global customer base of many millions of customers in just a few years.

This global retail company is expected to accept credit card payments. Which of the following is of MOST concern when defining a security program for this organization?
A. International encryption restrictions
B. Compliance to Payment Card Industry (PCI) data security standards
C. Compliance with local government privacy laws
D. Adherence to local data breach notification laws

Answer 20

Compliance to Payment Card Industry (PCI) data security standards

Question 21

Annual Loss Expectancy is derived from the function of which two factors?
A. Annual Rate of Occurrence and Asset Value
B. Single Loss Expectancy and Exposure Factor
C. Safeguard Value and Annual Rate of Occurrence
D. Annual Rate of Occurrence and Single Loss Expectancy

Answer 21

Annual Rate of Occurrence and Single Loss Expectancy

Question 22

What is the primary reason for performing vendor management?
A. To understand the risk coverage that are being mitigated by the vendor
B. To establish a vendor selection process
C. To document the relationship between the company and the vendor
D. To define the partnership for long-term success

Answer 22

To understand the risk coverage that are being mitigated by the vendor

Question 23

Scenario: An organization has recently appointed a CISO. This is a new role in the organization and it signals the increasing need to address security consistently at the enterprise level. This new CISO, while confident with skills and experience, is constantly on the defensive and is unable to advance the IT security centric agenda. Which of the following is the reason the CISO has not been able to advance the security agenda in this organization?
A. Lack of identification of technology stake holders
B. Lack of business continuity process
C. Lack of influence with leaders outside IT
D. Lack of a security awareness program

Answer 23

Lack of influence with leaders outside IT

Question 24

SCENARIO: A Chief Information Security Officer (CISO) recently had a third party conduct an audit of the security program. Internal policies and international standards were used as audit baselines. The audit report was presented to the CISO and a variety of high, medium and low rated gaps were identified.

The CISO has validated audit findings, determined if compensating controls exist, and started initial remediation planning. Which of the following is the MOST logical next step?
A. Validate the effectiveness of current controls
B. Create detailed remediation funding and staffing plans
C. Report the audit findings and remediation status to business stake holders
D. Review security procedures to determine if they need modified according to findings

Answer 24

Report the audit findings and remediation status to business stake holders

Question 25

Scenario: As you begin to develop the program for your organization, you assess the
corporate culture and determine that there is a pervasive opinion that the security program
only slows things down and limits the performance of the real workers.
What must you do first in order to shift the prevailing opinion and reshape corporate culture
to understand the value of information security to the organization?
A. Cite compliance with laws, statutes, and regulations explaining the financial implications for the company for non-compliance
B. Understand the business and focus your efforts on enabling operations securely
C. Draw from your experience and recount stories of how other companies have been compromised
D. Cite corporate policy and insist on compliance with audit findings

Answer 25

Understand the business and focus your efforts on enabling operations securely

Question 26

The newly appointed CISO of an organization is reviewing the IT security strategic plan.
Which of the following is the MOST important component of the strategic plan?
A. There is integration between IT security and business staffing.
B. There is a clear definition of the IT security mission and vision.
C. There is an auditing methodology in place.
D. The plan requires return on investment for all security projects.

Answer 26

There is a clear definition of the IT security mission and vision.

Question 27

The new CISO was informed of all the Information Security projects that the organization
has in progress. Two projects are over a year behind schedule and over budget. Using best
business practices for project management you determine that the project correctly aligns
with the company goals.

Which of the following needs to be performed NEXT?
A. Verify the scope of the project
B. Verify the regulatory requirements
C. Verify technical resources
D. Verify capacity constraints

Answer 27

Verify technical resources

Question 28

Scenario: An organization has recently appointed a CISO. This is a new role in the
organization and it signals the increasing need to address security consistently at the
enterprise level. This new CISO, while confident with skills and experience, is constantly on
the defensive and is unable to advance the IT security centric agenda.
From an Information Security Leadership perspective, which of the following is a MAJOR
concern about the CISOs approach to security?
A. Lack of risk management process
B. Lack of sponsorship from executive management
C. IT security centric agenda
D. Compliance centric agenda

Answer 28

IT security centric agenda

Question 29

You are just hired as the new CISO and are being briefed on all the Information Security projects that your section has on going. You discover that most projects are behind schedule and over budget.

Using the best business practices for project management you determine that the project correctly aligns with the company goals and the scope of the project is correct. What is the NEXT step?
A. Review time schedules
B. Verify budget
C. Verify resources
D. Verify constraints

Answer 29

Verify resources

Question 30

You are just hired as the new CISO and are being briefed on all the Information Security projects that your section has on going. You discover that most projects are behind schedule and over budget.

Using the best business practices for project management you determine that the project correct aligns with the company goals. What needs to be verified FIRST?
A. Scope of the project
B. Training of the personnel on the project
C. Timeline of the project milestones
D. Vendor for the project

Answer 30

Scope of the project

Question 31

Which of the following conditions would be the MOST probable reason for a security project to be rejected by the executive board of an organization?
A. The Net Present Value (NPV) of the project is positive
B. The NPV of the project is negative
C. The Return on Investment (ROI) is larger than 10 months
D. The ROI is lower than 10 months

Answer 31

The NPV of the project is negative

Question 32

SCENARIO: A Chief Information Security Officer (CISO) recently had a third party conduct an audit of the security program. Internal policies and international standards were used as audit baselines. The audit report was presented to the CISO and a variety of high, medium and low rated gaps were identified.

After determining the audit findings are accurate, which of the following is the MOST logical next activity?
A. Begin initial gap remediation analyses
B. Review the security organization’s charter
C. Validate gaps with the Information Technology team
D. Create a briefing of the findings for executive management

Answer 32

Begin initial gap remediation analyses

Question 33

Scenario: The new CISO was informed of all the Information Security projects that the section has in progress. Two projects are over a year behind schedule and way over budget.
Using the best business practices for project management, you determine that the project correctly aligns with the organization goals. What should be verified next?
A. Scope
B. Budget
C. Resources
D. Constraints

Answer 33

Scope

Question 34

SCENARIO: A CISO has several two-factor authentication systems under review and selects the one that is most sufficient and least costly. The implementation project planning is completed and the teams are ready to implement the solution. The CISO then discovers that the product it is not as scalable as originally thought and will not fit the organizations needs.
The CISO is unsure of the information provided and orders a vendor proof of concept to validate the systems scalability. This demonstrates which of the following?
A. An approach that allows for minimum budget impact if the solution is unsuitable
B. A methodology-based approach to ensure authentication mechanism functions
C. An approach providing minimum time impact to the implementation schedules
D. A risk-based approach to determine if the solution is suitable for investment

Answer 34

A risk-based approach to determine if the solution is suitable for investment

Question 35

SCENARIO: A CISO has several two-factor authentication systems under review and selects the one that is most sufficient and least costly. The implementation project planning is completed and the teams are ready to implement the solution. The CISO then discovers
that the product it is not as scalable as originally thought and will not fit the organizations
needs.

What is the MOST logical course of action the CISO should take?
A. Review the original solution set to determine if another system would fit the organizations risk appetite and budget regulatory compliance requirements
B. Continue with the implementation and submit change requests to the vendor in order to ensure required functionality will be provided when needed
C. Continue with the project until the scalability issue is validated by others, such as an auditor or third party assessor
D. Cancel the project if the business need was based on internal requirements versus regulatory compliance requirements

Answer 35

Review the original solution set to determine if another system would fit the organizations risk appetite and budget regulatory compliance requirements

Question 36

Involvement of senior management is MOST important in the development of:
A. IT security implementation plans.
B. Standards and guidelines.
C. IT security policies.
D. IT security procedures.

Answer 36

IT security policies.

Question 37

Scenario: Your organization employs single sign-on (user name and password only) as a
convenience to your employees to access organizational systems and data. Permission to
individual systems and databases is vetted and approved through supervisors and data
owners to ensure that only approved personnel can use particular applications or retrieve
information. All employees have access to their own human resource information, including
the ability to change their bank routing and account information and other personal details
through the Employee Self-Service application. All employees have access to the
organizational VPN.
The organization wants a more permanent solution to the threat to user credential
compromise through phishing. What technical solution would BEST address this issue?
A. Professional user education on phishing conducted by a reputable vendor
B. Multi-factor authentication employing hard tokens
C. Forcing password changes every 90 days
D. Decreasing the number of employees with administrator privileges

Answer 37

Multi-factor authentication employing hard tokens

Question 38

Access Control lists (ACLs), Firewalls, and Intrusion Prevention Systems are examples of
A. Network based security preventative controls
B. Software segmentation controls
C. Network based security detective controls
D. User segmentation controls

Answer 38

Network based security preventative controls

Question 39

What is the BEST reason for having a formal request for proposal process?
A. Creates a timeline for purchasing and budgeting
B. Allows small companies to compete with larger companies
C. Clearly identifies risks and benefits before funding is spent
D. Informs suppliers a company is going to make a purchase

Answer 39

Clearly identifies risks and benefits before funding is spent

Question 40

Which of the following is MOST useful when developing a business case for security initiatives?
A. Budget forecasts
B. Request for proposals
C. Cost/benefit analysis
D. Vendor management

Answer 40

Cost/benefit analysis

Question 41

Scenario: You are the newly hired Chief Information Security Officer for a company that has not previously had a senior level security practitioner. The company lacks a defined security policy and framework for their Information Security Program. Your new boss, the Chief Financial Officer, has asked you to draft an outline of a security policy and recommend an industry/sector neutral information security control framework for implementation.
Which of the following industry / sector neutral information security control frameworks should you recommend for implementation?
A. National Institute of Standards and Technology (NIST) Special Publication 800-53
B. Payment Card Industry Digital Security Standard (PCI DSS)
C. International Organization for Standardization – ISO 27001/2
D. British Standard 7799 (BS7799)

Answer 41

International Organization for Standardization – ISO 27001/2

Question 42

Scenario: Your organization employs single sign-on (user name and password only) as a
convenience to your employees to access organizational systems and data. Permission to
individual systems and databases is vetted and approved through supervisors and data
owners to ensure that only approved personnel can use particular applications or retrieve

information. All employees have access to their own human resource information, including
the ability to change their bank routing and account information and other personal details
through the Employee Self-Service application. All employees have access to the
organizational VPN.
What type of control is being implemented by supervisors and data owners?
A. Management
B. Operational
C. Technical
D. Administrative

Answer 42

Operational

Question 43

Acceptable levels of information security risk tolerance in an organization should be
determined by?
A. Corporate legal counsel
B. CISO with reference to the company goals
C. CEO and board of director
D. Corporate compliance committee

Answer 43

CEO and board of director

Question 44

What is the primary reason for performing a return on investment analysis?
A. To decide between multiple vendors
B. To decide is the solution costs less than the risk it is mitigating
C. To determine the current present value of a project
D. To determine the annual rate of loss

Answer 44

To decide is the solution costs less than the risk it is mitigating

Question 45

Which of the following provides an independent assessment of a vendors internal security
controls and overall posture?
A. Alignment with business goals
B. ISO27000 accreditation
C. PCI attestation of compliance
D. Financial statements

Answer 45

ISO27000 accreditation

Question 46

Scenario: You are the CISO and have just completed your first risk assessment for your
organization. You find many risks with no security controls, and some risks with inadequate
controls. You assign work to your staff to create or adjust existing security controls to
ensure they are adequate for risk mitigation needs.
When formulating the remediation plan, what is a required input?
A. Board of directors
B. Risk assessment
C. Patching history
D. Latest virus definitions file

Answer 46

Risk assessment

Question 47

Which of the following is considered the foundation for the Enterprise Information Security
Architecture (EISA)?
A. Security regulations
B. Asset classification
C. Information security policy
D. Data classification

Answer 47

Information security policy

Question 48

Scenario: Your company has many encrypted telecommunications links for their world-wide
operations. Physically distributing symmetric keys to all locations has proven to be
administratively burdensome, but symmetric keys are preferred to other alternatives.
Symmetric encryption in general is preferable to asymmetric encryption when:
A. The number of unique communication links is large
B. The volume of data being transmitted is small
C. The speed of the encryption / deciphering process is essential
D. The distance to the end node is farthest away

Answer 48

The speed of the encryption / deciphering process is essential

Question 49

The Annualized Loss Expectancy (Before) minus Annualized Loss Expectancy (After)
minus Annual Safeguard Cost is the formula for determining:
A. Safeguard Value
B. Cost Benefit Analysis
C. Single Loss Expectancy
D. Life Cycle Loss Expectancy

Answer 49

Cost Benefit Analysis

Question 50

Scenario: As you begin to develop the program for your organization, you assess the
corporate culture and determine that there is a pervasive opinion that the security program
only slows things down and limits the performance of the real workers.
Which group of people should be consulted when developing your security program?
A. Peers
B. End Users
C. Executive Management
D. All of the above

Answer 50

All of the above

Question 51

Scenario: Most industries require compliance with multiple government regulations and/or
industry standards to meet data protection and privacy mandates.
What is one proven method to account for common elements found within separate
regulations and/or standards?
A. Hire a GRC expert
B. Use the Find function of your word processor
C. Design your program to meet the strictest government standards
D. Develop a crosswalk

Answer 51

Develop a crosswalk

Question 52

SCENARIO: A CISO has several two-factor authentication systems under review and
selects the one that is most sufficient and least costly. The implementation project planning
is completed and the teams are ready to implement the solution. The CISO then discovers
that the product it is not as scalable as originally thought and will not fit the organizations
needs.

The CISO discovers the scalability issue will only impact a small number of network
segments. What is the next logical step to ensure the proper application of risk
management methodology within the two-facto implementation project?
A. Create new use cases for operational use of the solution
B. Determine if sufficient mitigating controls can be applied
C. Decide to accept the risk on behalf of the impacted business units
D. Report the deficiency to the audit team and create process exceptions

Answer 52

Determine if sufficient mitigating controls can be applied

Question 53

Scenario: Your program is developed around minimizing risk to information by focusing on
people, technology, and operations.
You have decided to deal with risk to information from people first. How can you minimize
risk to your most sensitive information before granting access?
A. Conduct background checks on individuals before hiring them
B. Develop an Information Security Awareness program
C. Monitor employee browsing and surfing habits
D. Set your firewall permissions aggressively and monitor logs regularly.

Answer 53

Conduct background checks on individuals before hiring them

Question 54

SCENARIO: A Chief Information Security Officer (CISO) recently had a third party conduct
an audit of the security program. Internal policies and international standards were used as
audit baselines. The audit report was presented to the CISO and a variety of high, medium
and low rated gaps were identified.
Which of the following is the FIRST action the CISO will perform after receiving the audit
report?
A. Inform peer executives of the audit results
B. Validate gaps and accept or dispute the audit findings
C. Create remediation plans to address program gaps
D. Determine if security policies and procedures are adequate

Answer 54

Validate gaps and accept or dispute the audit findings

Question 55

Scenario: Most industries require compliance with multiple government regulations and/or
industry standards to meet data protection and privacy mandates.
When multiple regulations or standards apply to your industry you should set controls to
meet the:
A. Easiest regulation or standard to implement
B. Stricter regulation or standard
C. Most complex standard to implement
D. Recommendations of your Legal Staff

Answer 55

Easiest regulation or standard to implement

Question 56

File Integrity Monitoring (FIM) is considered a
A. Network based security preventative control
B. Software segmentation control
C. Security detective control
D. User segmentation control

Answer 56

Security detective control

Question 57

Human resource planning for security professionals in your organization is a:
A. Simple and easy task because the threats are getting easier to find and correct.
B. Training requirement that is met through once every year user training.
C. Training requirement that is on-going and always changing.
D. Not needed because automation and anti-virus software has eliminated the threats.

Answer 57

Training requirement that is on-going and always changing.

Question 58

The formal certification and accreditation process has four primary steps, what are they?
A. Evaluating, describing, testing and authorizing
B. Evaluating, purchasing, testing, authorizing
C. Auditing, documenting, verifying, certifying
D. Discovery, testing, authorizing, certifying

Answer 58

Evaluating, describing, testing and authorizing

Question 59

SCENARIO: Critical servers show signs of erratic behavior within your organizations
intranet. Initial information indicates the systems are under attack from an outside entity. As
the Chief Information Security Officer (CISO), you decide to deploy the Incident Response
Team (IRT) to determine the details of this incident and take action according to the
information available to the team.
In what phase of the response will the team extract information from the affected systems
without altering original data?
A. Response
B. Investigation
C. Recovery
D. Follow-up

Answer 59

Investigation

Question 60

SCENARIO: Critical servers show signs of erratic behavior within your organizations
intranet. Initial information indicates the systems are under attack from an outside entity. As
the Chief Information Security Officer (CISO), you decide to deploy the Incident Response
Team (IRT) to determine the details of this incident and take action according to the
information available to the team.

During initial investigation, the team suspects criminal activity but cannot initially prove or
disprove illegal actions. What is the MOST critical aspect of the teams activities?
A. Regular communication of incident status to executives
B. Eradication of malware and system restoration
C. Determination of the attack source
D. Preservation of information

Answer 60

Preservation of information

Question 61

Scenario: Your corporate systems have been under constant probing and attack from
foreign IP addresses for more than a week. Your security team and security infrastructure
have performed well under the stress. You are confident that your defenses have held up
under the test, but rumors are spreading that sensitive customer data has been stolen and
is now being sold on the Internet by criminal elements. During your investigation of the
rumored compromise you discover that data has been breached and you have discovered
the repository of stolen data on a server located in a foreign country. Your team now has
full access to the data on the foreign server.
What action should you take FIRST?
A. Destroy the repository of stolen data
B. Contact your local law enforcement agency
C. Consult with other C-Level executives to develop an action plan
D. Contract with a credit reporting company for paid monitoring services for affected customers

Answer 61

Consult with other C-Level executives to develop an action plan

Question 62

When dealing with risk, the information security practitioner may choose to:
A. assign
B. transfer
C. acknowledge
D. defer

Answer 62

acknowledge

Question 63

Scenario: An organization has recently appointed a CISO. This is a new role in the
organization and it signals the increasing need to address security consistently at the
enterprise level. This new CISO, while confident with skills and experience, is constantly on
the defensive and is unable to advance the IT security centric agenda.
The CISO has been able to implement a number of technical controls and is able to
influence the Information Technology teams but has not been able to influence the rest of
the organization. From an organizational perspective, which of the following is the LIKELY
reason for this?
A. The CISO does not report directly to the CEO of the organization
B. The CISO reports to the IT organization
C. The CISO has not implemented a policy management framework
D. The CISO has not implemented a security awareness program

Answer 63

The CISO reports to the IT organization

Question 64

As the CISO you need to write the IT security strategic plan. Which of the following is the
MOST important to review before you start writing the plan?
A. The existing IT environment.
B. The company business plan.
C. The present IT budget.
D. Other corporate technology trends.

Answer 64

The company business plan.

Question 65

Scenario: The new CISO was informed of all the Information Security projects that the
section has in progress. Two projects are over a year behind schedule and way over
budget.
Which of the following will be most helpful for getting an Information Security project that is
behind schedule back on schedule?
A. Upper management support
B. More frequent project milestone meetings
C. More training of staff members
D. Involve internal audit

Answer 65

Upper management support

Question 66

Scenario: Your company has many encrypted telecommunications links for their world-wide
operations. Physically distributing symmetric keys to all locations has proven to be
administratively burdensome, but symmetric keys are preferred to other alternatives.
How can you reduce the administrative burden of distributing symmetric keys for your
employer?
A. Use asymmetric encryption for the automated distribution of the symmetric key
B. Use a self-generated key on both ends to eliminate the need for distribution
C. Use certificate authority to distribute private keys
D. Symmetrically encrypt the key and then use asymmetric encryption to unencrypt it

Answer 66

Use asymmetric encryption for the automated distribution of the symmetric key

Question 67

Scenario: An organization has made a decision to address Information Security formally
and consistently by adopting established best practices and industry standards. The
organization is a small retail merchant but it is expected to grow to a global customer base
of many millions of customers in just a few years.
Which of the following frameworks and standards will BEST fit the organization as a
baseline for their security program?
A. NIST and Privacy Regulations
B. ISO 27000 and Payment Card Industry Data Security Standards
C. NIST and data breach notification laws
D. ISO 27000 and Human resources best practices

Answer 67

ISO 27000 and Payment Card Industry Data Security Standards

Question 68

The process for management approval of the security certification process which states the
risks and mitigation of such risks of a given IT system is called
A. Security certification
B. Security system analysis
C. Security accreditation
D. Alignment with business practices and goals.

Answer 68

Security accreditation

Question 69

What are the primary reasons for the development of a business case for a security
project?
A. To estimate risk and negate liability to the company
B. To understand the attack vectors and attack sources
C. To communicate risk and forecast resource needs
D. To forecast usage and cost per software licensing

Answer 69

To communicate risk and forecast resource needs

Question 70

Scenario: Your organization employs single sign-on (user name and password only) as a
convenience to your employees to access organizational systems and data. Permission to
individual systems and databases is vetted and approved through supervisors and data
owners to ensure that only approved personnel can use particular applications or retrieve
information. All employees have access to their own human resource information, including
the ability to change their bank routing and account information and other personal details
through the Employee Self-Service application. All employees have access to the
organizational VPN.

Recently, members of your organization have been targeted through a number of
sophisticated phishing attempts and have compromised their system credentials. What
action can you take to prevent the misuse of compromised credentials to change bank
account information from outside your organization while still allowing employees to
manage their bank information?
A. Turn off VPN access for users originating from outside the country
B. Enable monitoring on the VPN for suspicious activity
C. Force a change of all passwords
D. Block access to the Employee-Self Service application via VPN

Answer 70

Block access to the Employee-Self Service application via VPN

Question 71

Scenario: Your program is developed around minimizing risk to information by focusing on
people, technology, and operations.
An effective way to evaluate the effectiveness of an information security awareness
program for end users, especially senior executives, is to conduct periodic:
A. Controlled spear phishing campaigns
B. Password changes
C. Baselining of computer systems
D. Scanning for viruses

Answer 71

Controlled spear phishing campaigns

Question 72

Scenario: You are the newly hired Chief Information Security Officer for a company that
has not previously had a senior level security practitioner. The company lacks a defined
security policy and framework for their Information Security Program. Your new boss, the
Chief Financial Officer, has asked you to draft an outline of a security policy and
recommend an industry/sector neutral information security control framework for
implementation.
Your Corporate Information Security Policy should include which of the following?
A. Information security theory
B. Roles and responsibilities
C. Incident response contacts
D. Desktop configuration standards

Answer 72

Roles and responsibilities

Question 73

A system is designed to dynamically block offending Internet IP-addresses from requesting services from a secure website. This type of control is considered
A. Zero-day attack mitigation
B. Preventive detection control
C. Corrective security control
D. Dynamic blocking control

Answer 73

Corrective security control