Topic 1 Flashcards
An information security risk analysis BEST assists an organization in ensuring that:
A. the infrastructure has the appropriate level of access control.
B. cost-effective decisions are made with regard to which assets need protection.
C. an appropriate level of funding is applied to security processes.
D. the organization implements appropriate security technologies.
B. cost-effective decisions are made with regard to which assets need protection.
In a multinational organization, local security regulations should be implemented over global security policy because:
A. business objectives are defined by local business unit managers.
B. deploying awareness of local regulations is more practical than of global policy.
C. global security policies include unnecessary controls for local businesses.
D. requirements of local regulations take precedence.
D. requirements of local regulations take precedence.
To gain a clear understanding of the impact that a new regulatory requirement will have on an organization’s information security controls, an information security manager should FIRST:
A. conduct a cost-benefit analysis.
B. conduct a risk assessment.
C. interview senior management.
D. perform a gap analysis.
B. conduct a risk assessment.
When management changes the enterprise business strategy, which of the following processes should be used to evaluate the existing information security controls as well as to select new information security controls?
A. Access control management
B. Change management
C. Configuration management
D. Risk management
D. Risk management
Which of the following is the BEST way to build a risk-aware culture?
A. Periodically change risk awareness messages.
B. Ensure that threats are communicated organization-wide in a timely manner.
C. Periodically test compliance with security controls and post results.
D. Establish incentives and a channel for staff to report risks.
D. Establish incentives and a channel for staff to report risks.
What would be an information security manager’s BEST recommendation upon learning that an existing contract with a third party does not clearly identify requirements for safeguarding the organization’s critical data?
A. Cancel the outsourcing contract.
B. Transfer the risk to the provider.
C. Create an addendum to the existing contract.
D. Initiate an external audit of the provider’s data center.
C. Create an addendum to the existing contract.
An organization has purchased a security information and event management (SIEM) tool. Which of the following is MOST important to consider before implementation?
A. Controls to be monitored
B. Reporting capabilities
C. The contract with the SIEM vendor
D. Available technical support
A. Controls to be monitored
Which of the following is MOST likely to be included in an enterprise security policy?
A. Definitions of responsibilities
B. Retention schedules
C. System access specifications
D. Organizational risk
A. Definitions of responsibilities
Which of the following should an information security manager do FIRST when a legacy application is not compliant with a regulatory requirement, but the business unit does not have the budget for remediation?
A. Develop a business case for funding remediation efforts.
B. Advise senior management to accept the risk of noncompliance.
C. Notify legal and internal audit of the noncompliant legacy application.
D. Assess the consequences of noncompliance against the cost of remediation.
D. Assess the consequences of noncompliance against the cost of remediation.
Which of the following is the MOST effective way to address an organization’s security concerns during contract negotiations with a third party?
A. Review the third-party contract with the organization’s legal department.
B. Communicate security policy with the third-party vendor.
C. Ensure security is involved in the procurement process.
D. Conduct an information security audit on the third-party vendor.
C. Ensure security is involved in the procurement process.
Which of the following is the BEST method to protect consumer private information for an online public website?
A. Apply strong authentication to online accounts
B. Encrypt consumer data in transit and at rest
C. Use secure encrypted transport layer
D. Apply a masking policy to the consumer data
B. Encrypt consumer data in transit and at rest
Which of the following is the MOST important consideration in a bring your own device (BYOD) program to protect company data in the event of a loss?
A. The ability to remotely locate devices
B. The ability to centrally manage devices
C. The ability to restrict unapproved applications
D. The ability to classify types of devices
B. The ability to centrally manage devices
An information security manager has been asked to determine whether an information security initiative has reduced risk to an acceptable level.
Which of the following activities would provide the BEST information for the information security manager to draw a conclusion?
A. Initiating a cost-benefit analysis of the implemented controls
B. Performing a risk assessment
C. Reviewing the risk register
D. Conducting a business impact analysis (BIA)
B. Performing a risk assessment
An organization that uses external cloud services extensively is concerned with risk monitoring and timely response. The BEST way to address this concern is to ensure:
A. the availability of continuous technical support.
B. appropriate service level agreements (SLAs) are in place.
C. a right-to-audit clause is included in contracts.
D. internal security standards are in place.
B. appropriate service level agreements (SLAs) are in place.
Which of the following is the BEST way to ensure that organizational security policies comply with data security regulatory requirements?
A. Obtain annual sign-off from executive management.
B. Align the policies to the most stringent global regulations.
C. Send the policies to stakeholders for review.
D. Outsource compliance activities.
B. Align the policies to the most stringent global regulations.
The PRIMARY reason for defining the information security roles and responsibilities of staff throughout an organization is to:
A. comply with security policy.
B. increase corporate accountability.
C. enforce individual accountability.
D. reinforce the need for training.
C. enforce individual accountability.
Threat and vulnerability assessments are important PRIMARILY because they are:
A. used to establish security investments.
B. needed to estimate risk.
C. the basis for setting control objectives.
D. elements of the organization’s security posture.
B. needed to estimate risk.
Which of the following should be an information security manager’s PRIMARY focus during the development of a critical system storing highly confidential data?
A. Ensuring the amount of residual risk is acceptable
B. Reducing the number of vulnerabilities detected
C. Avoiding identified system threats
D. Complying with regulatory requirements
A. Ensuring the amount of residual risk is acceptable
When evaluating vendors for sensitive data processing, which of the following should be the FIRST step to ensure the correct level of information security is provided?
A. Develop metrics for vendor performance.
B. Include information security criteria as part of vendor selection.
C. Review third-party reports of potential vendors.
D. Include information security clauses in the vendor contract.
B. Include information security criteria as part of vendor selection.
An information security team is investigating an alleged breach of an organization’s network. Which of the following would be the BEST single source of evidence to review?
A. File integrity monitoring (FIM) software
B. Security information and event management (SIEM) tool
C. Intrusion detection system (IDS)
D. Antivirus software
B. Security information and event management (SIEM) tool
Over the last year, an information security manager has performed risk assessments on multiple third-party vendors. Which of the following criteria would be MOST helpful in determining the associated level of risk applied to each vendor?
A. Compliance requirements associated with the regulation
B. Criticality of the service to the organization
C. Corresponding breaches associated with each vendor
D. Compensating controls in place to protect information security
B. Criticality of the service to the organization
Which of the following is the MOST important security consideration when developing an incident response strategy with a cloud provider?
A. Security audit reports
B. Recovery time objective (RTO)
C. Technological capabilities
D. Escalation processes
D. Escalation processes
Executive leadership has decided to engage a consulting firm to develop and implement a comprehensive security framework for the organization to allow senior management to remain focused on business priorities. Which of the following poses the GREATEST challenge to the successful implementation of the new security governance framework?
A. Executive leadership becomes involved in decisions about information security governance.
B. Executive leadership views information security governance primarily as a concern of the information security management team.
C. Information security staff has little or no experience with the practice of information security governance.
D. Information security management does not fully accept the responsibility for information security governance.
B. Executive leadership views information security governance primarily as a concern of the information security management team.
Risk scenarios simplify the risk assessment process by:
A. covering the full range of possible risk.
B. ensuring business risk is mitigated.
C. reducing the need for subsequent risk evaluation.
D. focusing on important and relevant risk.
D. focusing on important and relevant risk.
Which of the following is the MOST important consideration when developing information security objectives?
A. They are regularly reassessed and reported to stakeholders
B. They are approved by the IT governance function
C. They are clear and can be understood by stakeholders
D. They are identified using global security frameworks and standards
C. They are clear and can be understood by stakeholders
A legacy application does not comply with new regulatory requirements to encrypt sensitive data at rest, and remediating this issue would require significant investment. What should the information security manager do FIRST?
A. Assess the business impact to the organization.
B. Present the noncompliance risk to senior management.
C. Investigate alternative options to remediate the noncompliance.
D. Determine the cost to remediate the noncompliance.
A. Assess the business impact to the organization.
Which of the following BEST enables effective information security governance?
A. Security-aware corporate culture
B. Advanced security technologies
C. Periodic vulnerability assessments
D. Established information security metrics
A. Security-aware corporate culture
Application data integrity risk is MOST directly addressed by a design that includes:
A. strict application of an authorized data dictionary.
B. reconciliation routines such as checksums, hash totals, and record counts.
C. application log requirements such as field-level audit trails and user activity logs.
D. access control technologies such as role-based entitlements.
B. reconciliation routines such as checksums, hash totals, and record counts.
Deciding the level of protection a particular asset should be given is BEST determined by:
A. the corporate risk appetite.
B. a risk analysis.
C. a threat assessment.
D. a vulnerability assessment.
B. a risk analysis.
What should be an information security manager’s FIRST step when developing a business case for a new intrusion detection system (IDS) solution?
A. Calculate the total cost of ownership (TCO).
B. Define the issues to be addressed.
C. Perform a cost-benefit analysis.
D. Conduct a feasibility study.
B. Define the issues to be addressed.
Which of the following is the MOST important incident management consideration for an organization subscribing to a cloud service?
A. Decision on the classification of cloud-hosted data
B. Expertise of personnel providing incident response
C. Implementation of a SIEM in the organization
D. An agreement on the definition of a security incident
D. An agreement on the definition of a security incident
Which of the following is the BEST way for an organization to determine the maturity level of its information security program?
A. Review the results of information security awareness testing.
B. Validate the effectiveness of implemented security controls.
C. Benchmark the information security policy against industry standards.
D. Track the trending of information security incidents.
C. Benchmark the information security policy against industry standards.
An organization has identified an increased threat of external brute force attacks in its environment. Which of the following is the MOST effective way to mitigate this risk to the organization’s critical systems?
A. Increase the frequency of log monitoring and analysis.
B. Implement a security information and event management system (SIEM).
C. Increase the sensitivity of intrusion detection systems.
D. Implement multi-factor authentication.
D. Implement multi-factor authentication.
When supporting an organization’s privacy officer, which of the following is the information security manager’s PRIMARY role regarding privacy requirements?
A. Ensuring appropriate controls are in place
B. Monitoring the transfer of private data
C. Determining data classification
D. Conducting privacy awareness programs
A. Ensuring appropriate controls are in place
The chief information security officer (CISO) has developed an information security strategy, but is struggling to obtain senior management commitment for funds to implement the strategy. Which of the following is the MOST likely reason?
A. The strategy does not include a cost-benefit analysis.
B. There was a lack of engagement with the business during development.
C. The strategy does not comply with security standards.
D. The CISO reports to the CIO.
B. There was a lack of engagement with the business during development.
An organization’s CIO has tasked the information security manager with drafting the charter for an information security steering committee. The committee will be comprised of the CIO, the IT shared services manager, the vice president of marketing, and the information security manager. Which of the following is the MOST significant issue with the development of this committee?
A. The committee consists of too many senior executives.
B. The committee lacks sufficient business representation.
C. There is a conflict of interest between the business and IT.
D. The CIO is not taking charge of the committee.
B. The committee lacks sufficient business representation.
What is the PRIMARY purpose of an unannounced disaster recovery exercise?
A. To provide metrics to senior management
B. To evaluate how personnel react to the situation
C. To assess service level agreements (SLAs)
D. To estimate the recovery time objective (RTO)
B. To evaluate how personnel react to the situation
Labeling information according to its security classification:
A. reduces the need to identify baseline controls for each classification.
B. reduces the number and type of countermeasures required.
C. enhances the likelihood of people handling information securely.
D. affects the consequences if information is handled insecurely.
C. enhances the likelihood of people handling information securely.
Which of the following is the MOST effective approach for determining whether an organization’s information security program supports the information security strategy?
A. Ensure resources meet information security program needs
B. Audit the information security program to identify deficiencies
C. Identify gaps impacting information security strategy
D. Develop key performance indicators (KPIs) of information security
D. Develop key performance indicators (KPIs) of information security
When drafting the corporate privacy statement for a public web site, which of the following MUST be included?
A. Limited liability clause
B. Access control requirements
C. Explanation of information usage
D. Information encryption requirements
C. Explanation of information usage
An organization is concerned with the potential for exploitation of vulnerabilities in its server systems. Which of the following is the BEST control to mitigate the associated risk?
A. Enforcing standard system configurations based on secure configuration benchmarks
B. Implementing network and system-based anomaly monitoring software for server systems
C. Enforcing configurations for secure logging and audit trails on server systems
D. Implementing host-based intrusion detection systems (IDS) on server systems
A. Enforcing standard system configurations based on secure configuration benchmarks
Which of the following is the MOST important step when establishing guidelines for the use of social networking sites in an organization?
A. Identify secure social networking sites
B. Establish disciplinary actions for noncompliance
C. Perform a vulnerability assessment
D. Define acceptable information for posting
D. Define acceptable information for posting
Regular vulnerability scanning on an organization’s internal network has identified that many user workstations have unpatched versions of software. What is the BEST way for the information security manager to help senior management understand the related risk?
A. Include the impact of the risk as part of regular metrics.
B. Send regular notifications directly to senior managers.
C. Recommend the security steering committee conduct a review.
D. Update the risk assessment at regular intervals.
A. Include the impact of the risk as part of regular metrics.
Which of the following BEST prepares a computer incident response team for a variety of information security scenarios?
A. Tabletop exercises
B. Forensics certification
C. Penetration tests
D. Disaster recovery drills
A. Tabletop exercises
Which of the following BEST protects against phishing attacks?
A. Security strategy training
B. Email filtering
C. Network encryption
D. Application whitelisting
A. Security strategy training
Which of the following is the MOST effective method of preventing deliberate internal security breaches?
A. Well-designed intrusion detection system (IDS)
B. Biometric security access control
C. Well-designed firewall system
D. Screening prospective employees
D. Screening prospective employees
When designing security controls, it is MOST important to:
A. focus on preventive controls.
B. apply controls to confidential information.
C. evaluate the costs associated with the controls.
D. apply a risk-based approach.
D. apply a risk-based approach.
An information security team plans to increase password complexity requirements for a customer-facing site, but there are concerns it will negatively impact the user experience. Which of the following is the information security manager’s BEST course of action?
A. Evaluate business compensating controls.
B. Quantify the security risk to the business.
C. Assess business impact against security risk.
D. Conduct industry benchmarking.
C. Assess business impact against security risk.
Which of the following is the PRIMARY responsibility of an information security manager in an organization that is implementing the use of company-owned mobile devices in its operations?
A. Review and update existing security policies.
B. Enforce passwords and data encryption on the devices.
C. Conduct security awareness training.
D. Require remote wipe capabilities for devices.
A. Review and update existing security policies.
Which of the following would be MOST useful to help senior management understand the status of information security compliance?
A. Key performance indicators (KPIs)
B. Risk assessment results
C. Industry benchmarks
D. Business impact analysis (BIA) results
A. Key performance indicators (KPIs)
Which of the following is the MOST important reason for an organization to develop an information security governance program?
A. Establishment of accountability
B. Compliance with audit requirements
C. Creation of tactical solutions
D. Monitoring of security incidents
A. Establishment of accountability
Which of the following provides the MOST essential input for the development of an information security strategy?
A. Results of an information security gap analysis
B. Measurement of security performance against IT goals
C. Results of a technology risk assessment
D. Availability of capable information security resources
A. Results of an information security gap analysis
The MOST important reason for an information security manager to be involved in the change management process is to ensure that:
A. security controls drive technology changes.
B. risks have been evaluated.
C. security controls are updated regularly.
D. potential vulnerabilities are identified.
B. risks have been evaluated.
Which of the following should be the PRIMARY focus of a status report on the information security program to senior management?
A. Confirming the organization complies with security policies
B. Verifying security costs do not exceed the budget
C. Demonstrating risk is managed at the desired level
D. Providing evidence that resources are performing as expected
C. Demonstrating risk is managed at the desired level
Which of the following is MOST likely to be a component of a security incident escalation policy?
A. Names and telephone numbers of key management personnel
B. A severity-ranking mechanism tied only to the duration of the outage
C. Sample scripts and press releases for statements to media
D. Decision criteria for when to alert various groups
D. Decision criteria for when to alert various groups
Which of the following would be an information security manager’s PRIMARY challenge when deploying a bring your own device (BYOD) mobile program in an enterprise?
A. Configuration management
B. Mobile application control
C. Inconsistent device security
D. End user acceptance
C. Inconsistent device security
Company A, a cloud service provider, is in the process of acquiring Company B to gain new benefits by incorporating their technologies within its cloud services. Which of the following should be the PRIMARY focus of Company A’s information security manager?
A. The cost to align to Company A’s security policies
B. The organizational structure of Company B
C. Company B’s security policies
D. Company A’s security architecture
C. Company B’s security policies
Which of the following should be done FIRST when selecting performance metrics to report on the vendor risk management process?
A. Select the data source.
B. Review the confidentiality requirements.
C. Identify the intended audience.
D. Identify the data owner.
C. Identify the intended audience.
Which of the following BEST determines what information should be shared with different entities during incident response?
A. Escalation procedures
B. Communication plan
C. Disaster recovery policy
D. Business continuity plan (BCP)
B. Communication plan
Which of the following is the BEST way to enhance training for incident response teams?
A. Conduct interviews with organizational units.
B. Establish incident key performance indicators (KPIs).
C. Participate in emergency response activities.
D. Perform post-incident reviews.
D. Perform post-incident reviews.
An information security manager wants to improve the ability to identify changes in risk levels affecting the organization’s systems. Which of the following is the BEST method to achieve this objective?
A. Performing business impact analyses (BIA)
B. Monitoring key goal indicators (KGIs)
C. Monitoring key risk indicators (KRIs)
D. Updating the risk register
C. Monitoring key risk indicators (KRIs)
When developing an escalation process for an incident response plan, the information security manager should PRIMARILY consider the:
A. affected stakeholders.
B. incident response team.
C. availability of technical resources.
D. media coverage.
A. affected stakeholders.
Which of the following should be an information security manager’s MOST important consideration when determining if an information asset has been classified appropriately?
A. Value to the business
B. Security policy requirements
C. Ownership of information
D. Level of protection
A. Value to the business
The effectiveness of an incident response team will be GREATEST when:
A. the incident response process is updated based on lessons learned.
B. the incident response team members are trained security personnel.
C. the incident response team meets on a regular basis to review log files.
D. incidents are identified using a security information and event monitoring (SIEM) system.
A. the incident response process is updated based on lessons learned.
An information security manager MUST have an understanding of the organization’s business goals to:
A. relate information security to change management.
B. develop an information security strategy.
C. develop operational procedures.
D. define key performance indicators (KPIs).
B. develop an information security strategy.
An information security manager MUST have an understanding of an information security program?
A. Understanding current and emerging technologies
B. Establishing key performance indicators (KPIs)
C. Conducting periodic risk assessments
D. Obtaining stakeholder input
C. Conducting periodic risk assessments
An attacker was able to gain access to an organization’s perimeter firewall and made changes to allow wider external access and to steal data. Which of the following would have BEST provided timely identification of this incident?
A. Implementing a data loss prevention (DLP) suite
B. Deploying an intrusion prevention system (IPS)
C. Deploying a security information and event management system (SIEM)
D. Conducting regular system administrator awareness training
C. Deploying a security information and event management system (SIEM)
When establishing metrics for an information security program, the BEST approach is to identify indicators that:
A. support major information security initiatives.
B. reflect the corporate risk culture.
C. reduce information security program spending.
D. demonstrate the effectiveness of the security program.
D. demonstrate the effectiveness of the security program.
For an organization that provides web-based services, which of the following security events would MOST likely initiate an incident response plan and be escalated to management?
A. Anti-malware alerts on several employees’ workstations
B. Several port scans of the web server
C. Multiple failed login attempts on an employee’s workstation
D. Suspicious network traffic originating from the demilitarized zone (DMZ)
D. Suspicious network traffic originating from the demilitarized zone (DMZ)
An information security manager is implementing a bring your own device (BYOD) program. Which of the following would BEST ensure that users adhere to the security standards?
A. Publish the standards on the intranet landing page.
B. Deploy a device management solution.
C. Establish an acceptable use policy.
D. Monitor user activities on the network.
C. Establish an acceptable use policy.
When monitoring the security of a web-based application, which of the following is MOST frequently reviewed?
A. Audit reports
B. Access logs
C. Access lists
D. Threat metrics
B. Access logs
Which of the following is the MOST effective way for an information security manager to ensure that security is incorporated into an organization’s project development processes?
A. Develop good communications with the project management office (PMO).
B. Participate in project initiation, approval, and funding.
C. Conduct security reviews during design, testing, and implementation.
D. Integrate organization’s security requirements into project management.
D. Integrate organization’s security requirements into project management.
Which of the following provides the MOST relevant information to determine the overall effectiveness of an information security program and underlying business processes?
A. SWOT analysis
B. Industry benchmarks
C. Cost-benefit analysis
D. Balanced scorecard
D. Balanced scorecard
An organization finds unauthorized software has been installed on a number of workstations. The software was found to contain a Trojan, which had been uploading data to an unknown external party. Which of the following would have BEST prevented the installation of the unauthorized software?
A. Banning executable file downloads at the Internet firewall
B. Implementing an intrusion detection system (IDS)
C. Implementing application blacklisting
D. Removing local administrator rights
D. Removing local administrator rights
When developing a tabletop test plan for incident response testing, the PRIMARY purpose of the scenario should be to:
A. measure management engagement as part of an incident response team.
B. provide participants with situations to ensure understanding of their roles.
C. give the business a measure of the organization’s overall readiness.
D. challenge the incident response team to solve the problem under pressure.
B. provide participants with situations to ensure understanding of their roles.
Which of the following is MOST important for an information security manager to consider when identifying information security resource requirements?
A. Availability of potential resources
B. Information security incidents
C. Current resourcing levels
D. Information security strategy
D. Information security strategy
Which of the following is the MAIN benefit of performing an assessment of existing incident response processes?
A. Validation of current capabilities
B. Benchmarking against industry peers
C. Prioritization of action plans
D. Identification of threats and vulnerabilities
A. Validation of current capabilities
Which of the following BEST describes a buffer overflow?
A. A type of covert channel that captures data
B. A function is carried out with more data than the function can handle
C. Malicious code designed to interfere with normal operations
D. A program contains a hidden and unintended function that presents a security risk
B. A function is carried out with more data than the function can handle
Which of the following is the MOST important consideration when selecting members for an information security steering committee?
A. Information security expertise
B. Tenure in the organization
C. Business expertise
D. Cross-functional composition
D. Cross-functional composition
Which of the following BEST validates that security controls are implemented in a new business process?
A. Verify the use of a recognized control framework
B. Review the process for conformance with information security best practices
C. Benchmark the process against industry practices
D. Assess the process according to information security policy
D. Assess the process according to information security policy
Which of the following is the MOST effective way for an organization to ensure its third-party service providers are aware of information security requirements and expectations?
A. Including information security clauses within contracts
B. Auditing the service delivery of third-party providers
C. Providing information security training to third-party personnel
D. Requiring third parties to sign confidentiality agreements
A. Including information security clauses within contracts
The MOST important reason to use a centralized mechanism to identify information security incidents is to:
A. comply with corporate policies.
B. detect threats across environments.
C. prevent unauthorized changes to networks.
D. detect potential fraud.
B. detect threats across environments.
Which of the following should be done FIRST when establishing security measures for personal data stored and processed on a human resources management system?
A. Conduct a vulnerability assessment.
B. Move the system into a separate network.
C. Conduct a privacy impact assessment (PIA).
D. Evaluate data encryption technologies.
C. Conduct a privacy impact assessment (PIA).
An information security manager has been informed of a new vulnerability in an online banking application, and a patch to resolve this issue is expected to be released in the next 72 hours. Which of the following should the information security manager do FIRST?
A. Implement mitigating controls.
B. Perform a business impact analysis (BIA).
C. Perform a risk assessment.
D. Notify senior management.
C. Perform a risk assessment.
Which of the following is MOST relevant for an information security manager to communicate to the board of directors?
A. The level of exposure
B. Vulnerability assessments
C. The level of inherent risk
D. Threat assessments
A. The level of exposure
Senior management has just accepted the risk of noncompliance with a new regulation. What should the information security manager do NEXT?
A. Report the decision to the compliance officer.
B. Reassess the organization’s risk tolerance.
C. Update details within the risk register.
D. Assess the impact of the regulation.
C. Update details within the risk register.
Which of the following BEST provides an information security manager with sufficient assurance that a service provider complies with the organization’s information security requirements?
A. A live demonstration of the third-party supplier’s security capabilities
B. The ability to audit the third-party supplier’s IT systems and processes
C. Third-party security control self-assessment results
D. An independent review report indicating compliance with industry standards
D. An independent review report indicating compliance with industry standards
Which of the following is the MOST essential element of an information security program?
A. Prioritizing program deliverables based on available resources
B. Benchmarking the program with global standards for relevance
C. Involving functional managers in program development
D. Applying project management practices used by the business
C. Involving functional managers in program development
Which of the following is BEST to include in a business case when the return on investment (ROI) for an information security initiative is difficult to calculate?
A. Projected increase in maturity level
B. Estimated increase in efficiency
C. Projected costs over time
D. Estimated reduction in risk
D. Estimated reduction in risk
If the inherent risk of a business activity is higher than the acceptable risk level, the information security manager should FIRST:
A. transfer risk to a third party to avoid cost of impact.
B. recommend that management avoid the business activity.
C. assess the gap between current and acceptable level of risk.
D. implement controls to mitigate the risk to an acceptable level.
C. assess the gap between current and acceptable level of risk.
Which of the following BEST enables the deployment of consistent security throughout international branches within a multinational organization?
A. Remediation of audit findings
B. Decentralization of security governance
C. Establishment of security governance
D. Maturity of security processes
C. Establishment of security governance
What is the PRIMARY benefit of effective configuration management?
A. Standardization of system support
B. Reduced frequency of incidents
C. Decreased risk to the organization’s systems
D. Improved vulnerability management
C. Decreased risk to the organization’s systems
A large organization is in the process of developing its information security program that involves working with several complex organizational functions. Which of the following will BEST enable the successful implementation of this program?
A. Security governance
B. Security policy
C. Security metrics
D. Security guidelines
A. Security governance
What is the BEST reason to keep information security policies separate from procedures?
A. To keep policies from having to be changed too frequently
B. To ensure that individual documents do not contain conflicting information
C. To keep policy documents from becoming too large
D. To ensure policies receive the appropriate approvals
A. To keep policies from having to be changed too frequently
A small organization has a contract with a multinational cloud computing vendor. Which of the following would present the GREATEST concern to an information security manager if omitted from the contract?
A. Escrow of software code with conditions for code release
B. Right of the subscriber to conduct onsite audits of the vendor
C. Authority of the subscriber to approve access to its data
D. Commingling of subscribers’ data on the same physical server
C. Authority of the subscriber to approve access to its data
An information security manager has identified a major security event with potential noncompliance implications. Who should be notified FIRST?
A. Internal audit
B. Public relations team
C. Senior management
D. Regulatory authorities
C. Senior management
Which of the following is the PRIMARY purpose of establishing an information security governance framework?
A. To proactively address security objectives
B. To reduce security audit issues
C. To enhance business continuity planning
D. To minimize security risks
A. To proactively address security objectives
An organization is leveraging tablets to replace desktop computers shared by shift-based staff. These tablets contain critical business data and are inherently at increased risk of theft. Which of the following will BEST help to mitigate this risk?
A. Implement remote wipe capability.
B. Create an acceptable use policy.
C. Conduct a mobile device risk assessment.
D. Deploy mobile device management (MDM).
D. Deploy mobile device management (MDM).
When scoping a risk assessment, assets need to be classified by:
A. sensitivity and criticality.
B. likelihood and impact.
C. threats and opportunities.
D. redundancy and recoverability.
A. sensitivity and criticality.
Which of the following would BEST enable effective decision-making?
A. Annualized loss estimates determined from past security events
B. A universally applied list of generic threats, impacts, and vulnerabilities
C. A consistent process to analyze new and historical information risk
D. Formalized acceptance of risk analysis by business management
C. A consistent process to analyze new and historical information risk
Which of the following has the GREATEST impact on efforts to improve an organization’s security posture?
A. Well-documented security policies and procedures
B. Supportive tone at the top regarding security
C. Regular reporting to senior management
D. Automation of security controls
B. Supportive tone at the top regarding security
Which of the following is the BEST strategy to implement an effective operational security posture?
A. Increased security awareness
B. Defense in depth
C. Threat management
D. Vulnerability management
B. Defense in depth
In a cloud technology environment, which of the following would pose the GREATEST challenge to the investigation of security incidents?
A. Non-standard event logs
B. Access to the hardware
C. Data encryption
D. Compressed customer data
B. Access to the hardware
The PRIMARY goal of conducting a business impact analysis (BIA) as part of an overall continuity planning process is to:
A. obtain the support of executive management.
B. document the disaster recovery process.
C. map the business process to supporting IT and other corporate resources.
D. identify critical processes and the degree of reliance on support services.
D. identify critical processes and the degree of reliance on support services.
Which of the following is MOST important when selecting an information security metric?
A. Ensuring the metric is repeatable
B. Aligning the metric to the IT strategy
C. Defining the metric in qualitative terms
D. Defining the metric in quantitative terms
B. Aligning the metric to the IT strategy
Which of the following is the BEST way for an information security manager to justify ongoing annual maintenance fees associated with an intrusion prevention system (IPS)?
A. Establish and present appropriate metrics that track performance.
B. Perform industry research annually and document the overall ranking of the IPS.
C. Perform a penetration test to demonstrate the ability to protect.
D. Provide yearly competitive pricing to illustrate the value of the IPS.
A. Establish and present appropriate metrics that track performance.
An organization wants to enable digital forensics for a business-critical application. Which of the following will BEST help to support this objective?
A. Install biometric access control.
B. Develop an incident response plan.
C. Define data retention criteria.
D. Enable activity logging.
D. Enable activity logging.
An employee clicked on a link in a phishing email, triggering a ransomware attack. Which of the following should be the information security manager’s FIRST step?
A. Notify internal legal counsel.
B. Isolate the impacted endpoints.
C. Wipe the affected system.
D. Notify senior management.
B. Isolate the impacted endpoints.
A recent audit found that an organization’s new user accounts are not set up uniformly. Which of the following is MOST important for the information security manager to review?
A. Security policies
B. Automated controls
C. Guidelines
D. Standards
D. Standards
Which of the following metrics is the BEST measure of the effectiveness of an information security program?
A. Reduction in the amount of risk exposure in an organization
B. Reduction in the number of threats to an organization
C. Reduction in the cost of risk remediation for an organization
D. Reduction in the number of vulnerabilities in an organization
A. Reduction in the amount of risk exposure in an organization
Which of the following is the BEST course of action if the business activity residual risk is lower than the acceptable risk level?
A. Update the risk assessment framework.
B. Monitor the effectiveness of controls.
C. Review the risk probability and impact.
D. Review the inherent risk level.
B. Monitor the effectiveness of controls.
The BEST way to avoid session hijacking is to use:
A. strong password controls.
B. a firewall.
C. a reverse lookup.
D. a secure protocol.
D. a secure protocol.
A critical server for a hospital has been encrypted by ransomware. The hospital is unable to function effectively without this server. Which of the following would MOST effectively allow the hospital to avoid paying the ransom?
A. A continual server replication process
B. Employee training on ransomware
C. A properly tested offline backup system
D. A properly configured firewall
C. A properly tested offline backup system
Which of the following functions is MOST critical when initiating the removal of system access for terminated employees?
A. Help desk
B. Legal
C. Information security
D. Human resources (HR)
D. Human resources (HR)
The authorization to transfer the handling of an internal security incident to a third-party support provider is PRIMARILY defined by the:
A. escalation procedures.
B. information security manager.
C. chain of custody.
D. disaster recovery plan (DRP).
A. escalation procedures.
What is the PRIMARY objective of performing a vulnerability assessment following a business system update?
A. Improve the change control process.
B. Update the threat landscape.
C. Determine operational losses.
D. Review the effectiveness of controls.
D. Review the effectiveness of controls.
Which of the following should an information security manager perform FIRST when an organization’s residual risk has increased?
A. Implement security measures to reduce the risk.
B. Assess the business impact.
C. Transfer the risk to third parties.
D. Communicate the information to senior management.
B. Assess the business impact.
Which of the following is the PRIMARY reason for an information security manager to present the business case for an information security initiative to senior management?
A. To aid management in the decision-making process for purchasing the solution
B. To represent stakeholders who will benefit from enhancements in information security
C. To provide management with the status of the information security program
D. To demonstrate to management the due diligence involved with selecting the solution
A. To aid management in the decision-making process for purchasing the solution
During a security assessment, an information security manager finds a number of security patches were not installed on a server hosting a critical business application. The application owner did not approve the patch installation to avoid interrupting the application. Which of the following should be the information security manager’s FIRST course of action?
A. Report the risk to the information security steering committee.
B. Determine mitigation options with IT management.
C. Communicate the potential impact to the application owner.
D. Escalate the risk to senior management.
C. Communicate the potential impact to the application owner.
Which of the following BEST indicates an effective vulnerability management program?
A. Security incidents are reported in a timely manner.
B. Threats are identified accurately.
C. Controls are managed proactively.
D. Risks are managed within acceptable limits.
D. Risks are managed within acceptable limits.
An organization has experienced multiple instances of privileged users misusing their access. Which of the following processes would be MOST helpful in identifying such violations?
A. Policy exception review
B. Review of access controls
C. Security assessment
D. Log review
D. Log review
An information security manager discovers that the organization’s new information security policy is not being followed across all departments. Which of the following should be of GREATEST concern to the information security manager?
A. Business unit management has not emphasized the importance of the new policy.
B. Different communication methods may be required for each business unit.
C. The wording of the policy is not tailored to the audience.
D. The corresponding controls are viewed as prohibitive to business operations.
D. The corresponding controls are viewed as prohibitive to business operations.
Which of the following is the BEST defense against a brute force attack?
A. Intruder detection lockout
B. Time-of-day restrictions
C. Discretionary access control
D. Mandatory access control
A. Intruder detection lockout
Which of the following is the MOST important reason to involve external forensics experts in evidence collection when responding to a major security breach?
A. To provide the response team with expert training on evidence handling
B. To ensure evidence is handled by qualified resources
C. To prevent evidence from being disclosed to any internal staff members
D. To validate the incident response process
B. To ensure evidence is handled by qualified resources
Which of the following is the GREATEST benefit of integrating information security program requirements into vendor management?
A. The ability to meet industry compliance requirements
B. The ability to define service level agreements (SLAs)
C. The ability to reduce risk in the supply chain
D. The ability to improve vendor performance
C. The ability to reduce risk in the supply chain
Who should determine data access requirements for an application hosted at an organization’s data center?
A. Information security manager
B. Business owner
C. Data custodian
D. Systems administrator
B. Business owner
Which of the following is the MOST important objective of testing a security incident response plan?
A. Ensure the thoroughness of the response plan.
B. Verify the response assumptions are valid.
C. Confirm that systems are recovered in the proper order.
D. Validate the business impact analysis (BIA).
B. Verify the response assumptions are valid.
Which of the following is the MOST important reason for performing a cost-benefit analysis when implementing a security control?
A. To ensure that the mitigation effort does not exceed the asset value
B. To ensure that benefits are aligned with business strategies
C. To present a realistic information security budget
D. To justify information security program activities
A. To ensure that the mitigation effort does not exceed the asset value
An information security manager wants to document requirements detailing the minimum security controls required for user workstations. Which of the following resources would be MOST appropriate for this purpose?
A. Policies
B. Standards
C. Procedures
D. Guidelines
B. Standards
Which of the following information BEST supports risk management decision making?
A. Results of a vulnerability assessment
B. Estimated savings resulting from reduced risk exposure
C. Average cost of risk events
D. Quantification of threats through threat modeling
D. Quantification of threats through threat modeling
Which of the following is MOST important to do after a security incident has been verified?
A. Notify the appropriate law enforcement authorities of the incident.
B. Follow the escalation process to inform key stakeholders.
C. Prevent the incident from creating further damage to the organization.
D. Contact forensic investigators to determine the root cause.
C. Prevent the incident from creating further damage to the organization.
Which of the following should be the PRIMARY driver for selecting and implementing appropriate controls to address the risk associated with weak user passwords?
A. The organization’s risk tolerance
B. The organization’s culture
C. The cost of risk mitigation controls
D. Direction from senior management
A. The organization’s risk tolerance
Which of the following is MOST important to consider when determining the effectiveness of the information security governance program?
A. Key performance indicators (KPIs)
B. Maturity models
C. Risk tolerance levels
D. Key risk indicators (KRIs)
A. Key performance indicators (KPIs)
The business advantage of implementing authentication tokens is that they:
A. provide nonrepudiation.
B. reduce overall cost.
C. reduce administrative workload.
D. improve access security.
D. improve access security.
In an organization that has several independent security tools including intrusion detection systems (IDSs) and firewalls, which of the following is the BEST way to ensure timely detection of incidents?
A. Implement a log aggregation and correlation solution.
B. Ensure that the incident response plan is endorsed by senior management.
C. Ensure staff are cross trained to manage all security tools.
D. Outsource the management of security tools to a service provider.
A. Implement a log aggregation and correlation solution.
Which of the following is the MAIN objective of a risk management program?
A. Reduce corporate liability for information security incidents.
B. Reduce risk to the level of the organization’s risk appetite.
C. Reduce risk to the maximum extent possible.
D. Reduce costs associated with incident response.
B. Reduce risk to the level of the organization’s risk appetite.
An information security manager was informed that a planned penetration test could potentially disrupt some services. Which of the following should be the FIRST course of action?
A. Estimate the impact and inform the business owner.
B. Accept the risk and document it in the risk register.
C. Ensure the service owner is available during the penetration test.
D. Reschedule the activity during an approved maintenance window.
A. Estimate the impact and inform the business owner.
The PRIMARY advantage of single sign-on (SSO) is that it will:
A. support multiple authentication mechanisms.
B. strengthen user passwords.
C. increase efficiency of access management.
D. increase the security of related applications.
C. increase efficiency of access management.
Which of the following is BEST determined by using technical metrics?
A. Whether controls are operating effectively
B. How well security risk is being managed
C. Whether security resources are adequately allocated
D. How well the security strategy is aligned with organizational objectives
A. Whether controls are operating effectively
The use of a business case to obtain funding for an information security investment is MOST effective when the business case:
A. relates the investment to the organization’s strategic plan.
B. realigns information security objectives to organizational strategy.
C. articulates management’s intent and information security directives in clear language.
D. translates information security policies and standards into business requirements.
A. relates the investment to the organization’s strategic plan.
The MOST important objective of security awareness training for business staff is to:
A. understand intrusion methods.
B. reduce negative audit findings.
C. increase compliance.
D. modify behavior.
D. modify behavior.
Which of the following is the PRIMARY responsibility of an information security steering committee?
A. Setting up password expiration procedures
B. Drafting security policies
C. Prioritizing security initiatives
D. Reviewing firewall rules
C. Prioritizing security initiatives
During a post-incident review, the sequence and correlation of actions must be analyzed PRIMARILY based on:
A. a consolidated event timeline.
B. logs from systems involved.
C. interviews with personnel.
D. documents created during the incident.
A. a consolidated event timeline.
Which of the following is the MOST important element in the evaluation of inherent security risks?
A. Impact to the organization
B. Control effectiveness
C. Residual risk
D. Cost of countermeasures
A. Impact to the organization
Recovery time objectives (RTOs) are an output of which of the following?
A. Business continuity plan (BCP)
B. Business impact analysis (BIA)
C. Service level agreement (SLA)
D. Disaster recovery plan (DRP)
B. Business impact analysis (BIA)
Which of the following is the MOST relevant information to include in an information security risk report to facilitate senior management’s understanding of impact to the organization?
A. Detailed assessment of the security risk profile
B. Risks inherent in new security technologies
C. Findings from recent penetration testing
D. Status of identified key security risks
D. Status of identified key security risks
Which of the following is MOST important to include in a contract with a critical service provider to help ensure alignment with the organization’s information security program?
A. Escalation paths
B. Termination language
C. Key performance indicators (KPIs)
D. Right-to-audit clause
D. Right-to-audit clause
Which of the following is the BEST way to determine if a recent investment in access control software was successful?
A. Senior management acceptance of the access control software
B. A comparison of security incidents before and after software installation
C. A business impact analysis (BIA) of the systems protected by the software
D. A review of the number of key risk indicators (KRIs) implemented for the software
B. A comparison of security incidents before and after software installation
Which of the following is the MOST effective way to mitigate the risk of confidential data leakage to unauthorized stakeholders?
A. Create a data classification policy.
B. Implement role-based access controls.
C. Require the use of login credentials and passwords.
D. Conduct information security awareness training.
B. Implement role-based access controls.
Which of the following is the MOST important consideration when reporting the effectiveness of an information security program to key business stakeholders?
A. Linking security metrics to the business impact analysis (BIA)
B. Demonstrating a decrease in information security incidents
C. Demonstrating cost savings of each control
D. Linking security metrics to business objectives
D. Linking security metrics to business objectives
The PRIMARY purpose of establishing an information security governance framework should be to:
A. establish the business case for strategic integration of information security in organizational efforts.
B. document and communicate how the information security program functions within the organization.
C. align information security strategy and investments to support organizational activities.
D. align corporate governance, activities, and investments to information security goals.
C. align information security strategy and investments to support organizational activities.
Senior management is concerned that the incident response team took unapproved actions during incident response that put business objectives at risk. Which of the following is the BEST way for the information security manager to respond to this situation?
A. Update roles and responsibilities of the incident response team.
B. Train the incident response team on escalation procedures.
C. Implement a monitoring solution for incident response activities.
D. Validate that the information security strategy maps to corporate objectives.
B. Train the incident response team on escalation procedures.
An incident response team has determined there is a need to isolate a system that is communicating with a known malicious host on the Internet. Which of the following stakeholders should be contacted FIRST?
A. The business owner
B. Key customers
C. Executive management
D. System administrator
A. The business owner
Which of the following external entities would provide the BEST guidance to an organization facing advanced attacks?
A. Incident response experts from highly regarded peer organizations
B. Open-source reconnaissance
C. Recognized threat intelligence communities
D. Disaster recovery consultants widely endorsed in industry forums
C. Recognized threat intelligence communities
Which of the following should be an information security manager’s MOST important criterion for determining when to review the incident response plan?
A. When recovery time objectives (RTOs) are not met
B. When missing information impacts recovery from an incident
C. Before an internal audit of the incident response process
D. At intervals indicated by industry best practice
D. At intervals indicated by industry best practice
During which stage of the software development life cycle (SDLC) should application security controls FIRST be addressed?
A. Software code development
B. Configuration management
C. Requirements gathering
D. Application system design
C. Requirements gathering
Which of the following should be of MOST concern to an information security manager reviewing an organization’s data classification program?
A. The classifications do not follow industry best practices.
B. Labeling is not consistent throughout the organization.
C. The program allows exceptions to be granted.
D. Data retention requirements are not defined.
B. Labeling is not consistent throughout the organization.
Which of the following is PRIMARILY influenced by a business impact analysis (BIA)?
A. Recovery strategy
B. Risk mitigation strategy
C. Security strategy
D. IT strategy
A. Recovery strategy
The MAIN purpose of a security guideline for use within a large, international organization is to:
A. explain the organization’s preferred practices for security.
B. ensure that all business units have the same strategic security goals.
C. ensure that all business units implement identical security procedures.
D. provide evidence for auditors that security practices are adequate.
A. explain the organization’s preferred practices for security.
Which of the following is an information security manager’s BEST course of action upon discovering an organization with budget constraints lacks several important security capabilities?
A. Suggest the deployment of open-source security tools to mitigate identified risks.
B. Establish a business case to demonstrate return on investment (ROI) of a security tool.
C. Recommend that the organization avoid the most severe risks.
D. Review the most recent audit report and request funding to address the most serious finding.
B. Establish a business case to demonstrate return on investment (ROI) of a security tool.
What is the FIRST line of defense against criminal insider activities?
A. Signing security agreements by critical personnel
B. Stringent and enforced access controls
C. Validating the integrity of personnel
D. Monitoring employee activities
C. Validating the integrity of personnel
The BEST way to report to the board on the effectiveness of the information security program is to present:
A. a summary of the most recent audit findings.
B. a report of cost savings from process improvements.
C. peer-group industry benchmarks.
D. a dashboard illustrating key performance metrics.
D. a dashboard illustrating key performance metrics.
An organization’s outsourced firewall was poorly configured and allowed unauthorized access that resulted in downtime of 48 hours. Which of the following should be the information security manager’s NEXT course of action?
A. Reconfigure the firewall in accordance with best practices.
B. Obtain supporting evidence that the problem has been corrected.
C. Seek damages from the service provider.
D. Revisit the contract and improve accountability of the service provider.
B. Obtain supporting evidence that the problem has been corrected.
Which is the MOST important requirement when establishing a process for responding to zero-day vulnerabilities?
A. The IT team updates antivirus signatures on user systems.
B. The IT team implements an emergency patch deployment process.
C. Business users stop using the impacted application until a patch is released.
D. The information security team implements recommended workarounds.
D. The information security team implements recommended workarounds.
An information security manager has determined that the mean time to prioritize information security incidents has increased to an unacceptable level. Which of the following processes would BEST enable the information security manager to address this concern?
A. Incident classification
B. Incident response
C. Forensic analysis
D. Vulnerability assessment
A. Incident classification
An information security manager discovers that newly hired privileged users are not taking necessary steps to protect critical information at their workstations. Which of the following is the BEST way to address this situation?
A. Publish an acceptable use policy and require signed acknowledgment.
B. Turn on logging and record user activity.
C. Communicate the responsibility and provide appropriate training.
D. Implement a data loss prevention (DLP) solution.
C. Communicate the responsibility and provide appropriate training.
Which of the following should be the MOST important consideration when prioritizing risk remediation?
A. Evaluation of risk
B. Duration of exposure
C. Comparison to risk appetite
D. Impact of compliance
C. Comparison to risk appetite
To set security expectations across the enterprise, it is MOST important for the information security policy to be regularly reviewed and endorsed by:
A. security administrators.
B. senior management.
C. the chief information security officer (CISO).
D. the IT steering committee.
B. senior management.
Senior management wants to provide mobile devices to its sales force. Which of the following should the information security manager do FIRST to support this objective?
A. Develop an acceptable use policy
B. Conduct a vulnerability assessment on the devices
C. Assess risks introduced by the technology
D. Research mobile device management (MDM) solutions
C. Assess risks introduced by the technology
An information security manager needs to ensure security testing is conducted on a new system. Which of the following would provide the HIGHEST level of assurance?
A. The vendor provides the results of a penetration test and code review.
B. An independent party is directly engaged to conduct testing.
C. The internal audit team is enlisted to run a vulnerability assessment against the system.
D. The security team conducts a self-assessment against a recognized industry framework.
B. An independent party is directly engaged to conduct testing.
An organization performed a risk analysis and found a large number of assets with low-impact vulnerabilities. The NEXT action of the information security manager should be to:
A. transfer the risk to a third party.
B. determine appropriate countermeasures.
C. report to management.
D. quantify the aggregated risk.
D. quantify the aggregated risk.
Organization A offers e-commerce services and uses a secure transport protocol to protect Internet communication. To confirm that it is communicating with Organization A, which of the following would be BEST for a client to verify?
A. The URL of the e-commerce server
B. The certificate of the e-commerce server
C. The IP address of the e-commerce server
D. The browser’s indication of SSL use
B. The certificate of the e-commerce server
Which of the following provides the MOST useful information for identifying security control gaps on an application server?
A. Risk assessments
B. Penetration testing
C. Threat models
D. Internal audit reports
B. Penetration testing
Which of the following components of an information security risk assessment is MOST valuable to senior management?
A. Residual risk
B. Return on investment (ROI)
C. Mitigation actions
D. Threat profile
A. Residual risk
Which of the following is the PRIMARY benefit of implementing a maturity model for information security management?
A. Gaps between current and desirable levels will be addressed.
B. Information security management costs will be optimized.
C. Information security strategy will be in line with industry best practice.
D. Staff awareness of information security compliance will be promoted.
A. Gaps between current and desirable levels will be addressed.
An information security manager notes that security incidents are not being appropriately escalated by the help desk after tickets are logged.
Which of the following is the BEST automated control to resolve this issue?
A. Integrating automated service level agreement (SLA) reporting into the help desk ticketing system
B. Changing the default setting for all security incidents to the highest priority
C. Integrating incident response workflow into the help desk ticketing system
D. Implementing automated vulnerability scanning in the help desk workflow
C. Integrating incident response workflow into the help desk ticketing system
An information security manager’s PRIMARY objective for presenting key risks to the board of directors is to:
A. ensure appropriate information security governance.
B. quantify reputational risks.
C. meet information security compliance requirements.
D. re-evaluate the risk appetite.
A. ensure appropriate information security governance.
Which of the following should be the PRIMARY consideration when implementing a data loss prevention (DLP) solution?
A. Data ownership
B. Data storage capabilities
C. Data classification
D. Selection of tools
C. Data classification
Which of the following is the MOST important function of an information security steering committee?
A. Evaluating the effectiveness of information security controls on a periodic basis
B. Defining the objectives of the information security framework
C. Conducting regular independent reviews of the state of security in the business
D. Approving security awareness content prior to publication
B. Defining the objectives of the information security framework
When determining an acceptable risk level, which of the following is the MOST important consideration?
A. Vulnerability scores
B. System criticalities
C. Risk matrices
D. Threat profiles
B. System criticalities
Which of the following is MOST important to include when reporting information security risk to executive leadership?
A. Key performance objectives and budget trends
B. Security awareness training participation and residual risk exposures
C. Risk analysis results and key risk indicators (KRIs)
D. Information security risk management plans and control compliance
C. Risk analysis results and key risk indicators (KRIs)
During which of the following development phases is it MOST challenging to implement security controls?
A. Implementation phase
B. Post-implementation phase
C. Design phase
D. Development phase
B. Post-implementation phase
An employee is found to be using an external cloud storage service to share corporate information with a third-party consultant, which is against company policy.
Which of the following should be the information security manager’s FIRST course of action?
A. Block access to the cloud storage service
B. Determine the classification level of the information
C. Seek business justification from the employee
D. Inform higher management of a security breach
B. Determine the classification level of the information
Which of the following is the MOST effective method of determining security priorities?
A. Vulnerability assessment
B. Gap analysis
C. Threat assessment
D. Impact analysis
D. Impact analysis
A measure of the effectiveness of the incident response capabilities of an organization is the:
A. number of incidents detected.
B. number of employees receiving incident response training.
C. reduction of the annual loss expectancy (ALE).
D. time to closure of incidents.
D. time to closure of incidents.
An organization is in the process of adopting a hybrid data infrastructure, transferring all non-core applications to cloud service providers, and maintaining all core business functions in-house. The information security manager has determined a defense in depth strategy should be used.
Which of the following BEST describes this strategy?
A. Separate security controls for applications, platforms, programs, and endpoints
B. Multi-factor login requirements for cloud service applications, timeouts, and complex passwords
C. Deployment of nested firewalls within the infrastructure
D. Strict enforcement of role-based access control (RBAC)
A. Separate security controls for applications, platforms, programs, and endpoints
Which of the following is an information security manager’s BEST approach when selecting cost-effective controls needed to meet business objectives?
A. Conduct a gap analysis.
B. Focus on preventive controls.
C. Align with industry best practice.
D. Align with the risk appetite.
D. Align with the risk appetite.
A risk was identified during a risk assessment. The business process owner has chosen to accept the risk because the cost of remediation is greater than the projected cost of a worst-case scenario. What should be the information security manager's NEXT course of action?
A. Document and schedule a date to revisit the issue.
B. Document and escalate to senior management.
C. Shut down the business application.
D. Determine a lower-cost approach to remediation.
A. Document and schedule a date to revisit the issue.
An organization wants to integrate information security into its human resource management processes. Which of the following should be the FIRST step?
A. Identify information security risk associated with the processes
B. Assess the business objectives of the processes
C. Evaluate the cost of information security integration
D. Benchmark the processes with best practice to identify gaps
B. Assess the business objectives of the processes
The MOST effective way to continuously monitor an organization’s cybersecurity posture is to evaluate its:
A. compliance with industry regulations.
B. key performance indicators (KPIs).
C. level of support from senior management.
D. timeliness in responding to attacks.
B. key performance indicators (KPIs).
Which of the following would provide the HIGHEST level of confidence in the integrity of data when sent from one party to another?
A. Harden the communication infrastructure.
B. Require files to be digitally signed before they are transmitted.
C. Enforce multi-factor authentication on both ends of the communication.
D. Require data to be transmitted over a secure connection.
B. Require files to be digitally signed before they are transmitted.
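The distinction behind this answer is worth seeing in code: a secure connection (option D) protects bytes only while they are inside the TLS session, whereas a digital signature travels with the file and lets the receiver detect both tampering and a substituted sender. The following Go program is an added example, not part of the original flashcards; it uses Ed25519 from the Go standard library, and the invoice payload is constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// NewSigner generates an Ed25519 key pair. In practice the private key stays
// with the sender (ideally in an HSM or KMS) and only the public key is given
// to receivers out of band, so they can check who produced a file.
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignPayload returns a detached signature over the SHA-256 digest of payload.
// Hashing first keeps the signed message fixed-size regardless of file size.
func SignPayload(priv ed25519.PrivateKey, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	return ed25519.Sign(priv, digest[:])
}

// VerifyPayload recomputes the digest and checks the signature against pub.
// It fails if the payload was altered after signing OR if it was signed by a
// key other than the expected sender's; transport encryption alone gives the
// receiver neither property once the file has left the TLS session.
func VerifyPayload(pub ed25519.PublicKey, payload, sig []byte) bool {
	digest := sha256.Sum256(payload)
	return ed25519.Verify(pub, digest[:], sig)
}

func main() {
	pub, priv, err := NewSigner()
	if err != nil {
		panic(err)
	}

	// Constructed sample payload standing in for a transmitted file.
	original := []byte("invoice-2024-0042: pay 1,000.00 to account 12345678\n")
	sig := SignPayload(priv, original)
	fmt.Printf("signature (first 8 bytes): %s\n", hex.EncodeToString(sig[:8]))
	fmt.Println("intact payload verifies:    ", VerifyPayload(pub, original, sig))

	// Someone who can modify the file after it leaves the sender (shared drive,
	// mail relay, compromised CDN) changes the account number; the signature
	// no longer matches the bytes the receiver holds.
	tampered := bytes.Replace(original, []byte("12345678"), []byte("87654321"), 1)
	fmt.Println("tampered payload verifies:  ", VerifyPayload(pub, tampered, sig))

	// A signature made with a different private key does not verify under the
	// expected public key, so the receiver also learns who signed the file.
	_, otherPriv, _ := NewSigner()
	fmt.Println("wrong-key signature verifies:", VerifyPayload(pub, original, SignPayload(otherPriv, original)))
}
```

Note that the signature is computed before transmission and checked after receipt, so it covers every hop in between; the TLS certificate check in the earlier e-commerce question authenticates one endpoint for one session and says nothing about a file once it has been stored or forwarded.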
Which of the following is MOST important to the successful implementation of an information security program?
A. Establishing key performance indicators (KPIs)
B. Obtaining stakeholder input
C. Understanding current and emerging technologies
D. Conducting periodic risk assessments
B. Obtaining stakeholder input
Which of the following is the BEST way to strengthen the alignment of an information security program with business strategy?
A. Establishing an information security steering committee
B. Increasing the frequency of control assessments
C. Providing organizational training on information security policies
D. Increasing budget for risk assessments
A. Establishing an information security steering committee
Which of the following is necessary to determine what would constitute a disaster for an organization?
A. Recovery strategy analysis
B. Backup strategy analysis
C. Risk analysis
D. Threat probability analysis
C. Risk analysis
Management has announced the acquisition of a new company. The information security manager of the parent company is concerned that conflicting access rights may cause critical information to be exposed during the integration of the two companies. To BEST address this concern, the information security manager should:
A. escalate concerns for conflicting access rights to management.
B. review access rights as the acquisition integration occurs.
C. implement consistent access control standards.
D. perform a risk assessment of the access rights.
D. perform a risk assessment of the access rights.
Which of the following metrics provides the BEST measurement of the effectiveness of a security awareness program?
A. Variance of program cost to allocated budget
B. The number of security breaches
C. Mean time between incident detection and remediation
D. The number of reported security incidents
D. The number of reported security incidents
The ULTIMATE responsibility for ensuring the objectives of an information security framework are being met belongs to:
A. the board of directors.
B. the information security officer.
C. the steering committee.
D. the internal audit manager.
A. the board of directors.
Which of the following is MOST likely to affect an organization’s ability to respond to security incidents in a timely manner?
A. Lack of senior management buy-in
B. Inadequate detective control performance
C. Misconfiguration of security information and event management (SIEM) tool
D. Complexity of network segmentation
A. Lack of senior management buy-in
After a server has been attacked, which of the following is the BEST course of action?
A. Isolate the system.
B. Initiate incident response.
C. Conduct a security audit.
D. Review vulnerability assessment.
B. Initiate incident response.
When establishing classifications of security incidents for the development of an incident response plan, which of the following provides the MOST valuable input?
A. Business impact analysis (BIA) results
B. Recommendations from senior management
C. The business continuity plan (BCP)
D. Vulnerability assessment results
A. Business impact analysis (BIA) results