Strategic alignment is PRIMARILY achieved when services provided by the information security department:
A. reflect the requirements of key business stakeholders.
B. reflect the desires of the IT executive team.
C. reflect the requirements of industry best practices.
D. are reliable and cost-effective.
What is the TYPICAL output of a risk assessment?
A. A list of appropriate controls for reducing or eliminating risk
B. Documented threats to the organization
C. Evaluation of the consequences to the entity
D. An inventory of risk that may impact the organization
Which of the following actions is the BEST to ensure that incident response activities are consistent with the requirements of business continuity?
A. Develop a scenario and perform a structured walk-through.
B. Draft and publish a clear practice for enterprise-level incident response.
C. Establish a cross-departmental working group to share perspectives.
D. Develop a project plan for end-to-end testing of disaster recovery.
What is the BEST risk response for risk scenarios where the likelihood of a disruptive event for an asset is very low, but the potential financial impact is very high?
A. Accept the high cost of protection.
B. Implement detective controls.
C. Ensure that asset exposure is low.
D. Transfer the risk to a third party.
An effective risk management program should reduce risk to:
A. zero.
B. an acceptable level.
C. an acceptable percent of revenue.
D. an acceptable probability of occurrence.
The formal declaration of organizational information security goals and objectives should be found in the:
A. information security procedures.
B. information security principles.
C. employee code of conduct.
D. information security policy.
Which of the following is MOST effective in preventing disruptions to production systems?
A. Patch management
B. Security baselines
C. Virus detection
D. Change management
What is the MOST effective access control method to prevent users from sharing files with unauthorized users?
A. Mandatory
B. Discretionary
C. Walled garden
D. Role-based
Quantitative risk analysis is MOST appropriate when assessment results:
A. include customer perceptions.
B. contain percentage estimates.
C. lack specific details.
D. contain subjective information.
When should risk assessments be performed for optimum effectiveness?
A. At the beginning of security program development
B. On a continuous basis
C. While developing the business case for the security program
D. During the business change process
Which of the following is the BEST method or technique to ensure the effective implementation of an information security program?
A. Obtain the support of the board of directors.
B. Improve the content of the information security awareness program.
C. Improve the employees' knowledge of security policies.
D. Implement logical access controls to the information systems.
Which of the following is the BEST method to ensure the overall effectiveness of a risk management program?
A. User assessments of changes
B. Comparison of the program results with industry standards
C. Assignment of risk within the organization
D. Participation by all members of the organization
Which of the following is MOST important to the success of an information security program?
A. Security awareness training
B. Achievable goals and objectives
C. Senior management sponsorship
D. Adequate start-up budget and staffing
Which of the following is the MOST important step before implementing a security policy?
A. Communicating to employees
B. Training IT staff
C. Identifying relevant technologies for automation
D. Obtaining sign-off from stakeholders
For global organizations, which of the following is MOST essential to the continuity of operations in an emergency situation?
A. A documented succession plan
B. Distribution of key process documents
C. A reciprocal agreement with an alternate site
D. Strong senior management leadership
What is the PRIMARY benefit of a security awareness training program?
A. To reduce the likelihood of an information security event
B. To encourage compliance with information security policy
C. To comply with the local and industry-specific regulation and legislation
D. To provide employees with expectations for information security
When the computer incident response team (CIRT) finds clear evidence that a hacker has penetrated the corporate network and modified customer information, an information security manager should FIRST notify:
A. the information security steering committee.
B. customers who may be impacted.
C. data owners who may be impacted.
D. regulatory agencies overseeing privacy.
When a major vulnerability in the security of a critical web server is discovered, immediate notification should be made to the:
A. system owner to take corrective action.
B. incident response team to investigate.
C. data owners to mitigate damage.
D. development team to remediate.
Which of the following vulnerabilities allowing attackers access to the application database is the MOST serious?
A. Validation checks are missing in data input pages.
B. Password rules do not allow sufficient complexity.
C. Application transaction log management is weak.
D. Application and database share a single access ID.
A customer credit card database has been reported as being breached by hackers. What is the FIRST step in dealing with this attack?
A. Confirm the incident.
B. Notify senior management.
C. Start containment.
D. Notify law enforcement.
The facilities department of a large financial organization uses electronic swipe cards to manage physical access. The information security manager requests that facilities provide the manager with read-only access to the physical access data. What is the MOST likely purpose?
A. To monitor that personnel are complying with contract provisions
B. To determine who is in the building in case of fire
C. To compare logical and physical access for anomalies
D. To ensure that the physical access control system is operating correctly
Who is ultimately responsible for the organization's information?
A. Data custodian
B. Chief information security officer (CISO)
C. Board of directors
D. Chief information officer (CIO)
Which of the following is the MOST important consideration for an organization interacting with the media during a disaster?
A. Communicating specially drafted messages by an authorized person
B. Refusing to comment until recovery
C. Referring the media to the authorities
D. Reporting the losses and recovery strategy to the media
What should an information security manager focus on when speaking to an organization's human resources department about information security?
A. An adequate budget for the security program
B. Recruitment of technical IT employees
C. Periodic risk assessments
D. Security awareness training for employees
Which of the following are the MOST important criteria when selecting virus protection software?
A. Product market share and annualized cost
B. Ability to interface with intrusion detection system (IDS) software and firewalls
C. Alert notifications and impact assessments for new viruses
D. Ease of maintenance and frequency of updates
Information security policy enforcement is the responsibility of the:
A. security steering committee.
B. chief information officer (CIO).
C. chief information security officer (CISO).
D. chief compliance officer (CCO).
Which of the following helps management determine the resources needed to mitigate a risk to the organization?
A. Risk analysis process
B. Business impact analysis (BIA)
C. Risk management balanced scorecard
D. Risk-based audit program
Which of the following is the MOST important consideration when developing an information security strategy?
A. Resources available to implement the program
B. Compliance with legal and regulatory constraints
C. Effectiveness of risk mitigation
D. Resources required to implement the strategy
When properly tested, which of the following would MOST effectively support an information security manager in handling a security breach?
A. Business continuity plan
B. Disaster recovery plan
C. Incident response plan
D. Vulnerability management plan
From an information security perspective, which of the following will have the GREATEST impact on a financial enterprise with offices in various countries and involved in transborder transactions?
A. Current and future technologies
B. Evolving data protection regulations
C. Economizing the costs of network bandwidth
D. Centralization of information security
Which of the following control measures BEST addresses integrity?
A. Nonrepudiation
B. Timestamps
C. Biometric scanning
D. Encryption
An employee's computer has been infected with a new virus. What should be the FIRST action?
A. Execute the virus scan.
B. Report the incident to senior management.
C. Format the hard disk.
D. Disconnect the computer from the network.
What practice should FIRST be applied to an emergency security patch that has been received via email?
A. The patch should be loaded onto an isolated test machine.
B. The patch should be decompiled to check for malicious code.
C. The patch should be validated to ensure its authenticity.
D. The patch should be copied onto write-once media to prevent tampering.
The purpose of incident management and response is to:
A. recover an activity interrupted by an emergency or disaster, within a defined time and cost.
B. perform a walk-through of the steps required to recover from an adverse event.
C. reduce business disruption insurance premiums for the business.
D. address disruptive events with the objective of controlling impacts within acceptable levels.
Which of the following is characteristic of decentralized information security management across a geographically dispersed organization?
A. More uniformity in quality of service
B. Better adherence to policies
C. Better alignment to business unit needs
D. More savings in total operating costs
Which of the following is the MOST effective way to treat a risk such as a natural disaster that has a low probability and a high impact level?
A. Implement countermeasures.
B. Eliminate the risk.
C. Transfer the risk.
D. Accept the risk.
The FIRST step in developing a business case is to:
A. determine the probability of success.
B. calculate the return on investment (ROI).
C. analyze the cost-effectiveness.
D. define the issues to be addressed.
Which of the following is the MOST serious exposure of automatically updating virus signature files on every desktop each Friday at 11:00 p.m. (23.00 hrs.)?
A. Most new viruses' signatures are identified over weekends
B. Technical personnel are not available to support the operation
C. Systems are vulnerable to new viruses during the intervening week
D. The update's success or failure is not known until Monday
The purpose of an information security policy is to:
A. express clearly and concisely the goals of an information security protection program.
B. outline the intended configuration of information system security controls.
C. mandate the behavior and acceptable actions of all information system users.
D. authorize the steps and procedures necessary to protect critical information systems.
What is an advantage of sending messages using steganographic techniques as opposed to utilizing encryption?
A. The existence of messages is unknown.
B. Required key sizes are smaller.
C. Traffic cannot be sniffed.
D. Reliability of the data is higher in transit.
Which of the following is the MOST important information to include in a strategic plan for information security?
A. Information security staffing requirements
B. Current state and desired future state
C. IT capital investment requirements
D. Information security mission statement
Which of the following represents the MAJOR focus of privacy regulations?
A. Unrestricted data mining
B. Identity theft
C. Human rights protection
D. Identifiable personal data
Which of the following requirements is the MOST important when developing information security governance?
A. Complying with applicable corporate standards
B. Achieving cost effectiveness of risk mitigation
C. Obtaining consensus of business units
D. Aligning with organizational goals
An organization's board of directors has learned of recent legislation requiring organizations within the industry to enact specific safeguards to protect confidential customer information. What actions should the board take next?
A. Direct information security on what they need to do
B. Research solutions to determine the proper solutions
C. Require management to report on compliance
D. Nothing; information security does not report to the board
Once the objective of performing a security review has been defined, the NEXT step for the information security manager is to determine:
A. constraints.
B. approach.
C. scope.
D. results.
Which of the following should be identified in the business continuity policy?
A. Emergency call trees
B. Recovery criteria
C. Business impact assessment (BIA)
D. Critical backups inventory
An organization is planning to deliver subscription-based educational services to customers online that will require customers to log in with their user IDs and passwords. Which of the following is the BEST method to validate passwords entered by a customer before access to educational resources is granted?
A. Encryption
B. Content filtering
C. Database hardening
D. Hashing
Which person or group should have final approval of an organization's information security policies?
A. Business unit managers
C. Senior management
How can access control to a sensitive intranet application by mobile users BEST be implemented?
A. Through data encryption
B. Through digital signatures
C. Through strong passwords
D. Through two-factor authentication
To ensure that all employees follow procedures regarding the integrity and confidentiality of personal identifiable information (PII), a hospital required that policies and procedures be put in place for data access and that all data stored should be encrypted. This is an example of what type of controls?
A. Administrative and technical controls
B. Administrative and deterrent controls
C. Technical and physical controls
D. Administrative and corrective controls
Which of the following is MOST likely to be responsible for establishing the information security requirements over an application?
A. IT steering committee
B. Data owner
C. System owner
D. IS auditor
Effective governance of enterprise IT is BEST ensured by:
A. utilizing a bottom-up approach.
B. management by the IT department.
C. referring the matter to the organization's legal department.
D. utilizing a top-down approach.
After performing an asset classification, the information security manager is BEST able to determine the:
A. level of risk to information resources.
B. impact of a compromise.
C. requirements for control strength.
D. annual loss expectancy (ALE).
An information security manager is performing a security review and determines that not all employees comply with the access control policy for the data center. The FIRST step to address this issue should be to:
A. assess the risk of noncompliance.
B. initiate security awareness training.
C. prepare a status report for management.
D. increase compliance enforcement.
The MOST effective use of a risk register is to:
A. identify risks and assign roles and responsibilities for mitigation.
B. identify threats and probabilities.
C. facilitate a thorough review of all IT-related risks on a periodic basis.
D. record the annualized financial amount of expected losses due to risks.
The factor that is MOST likely to result in identification of security incidents is:
A. effective communication and reporting processes.
B. clear policies detailing incident severity levels.
C. intrusion detection system (IDS) capabilities.
D. security awareness training.
Which of the following is the MOST important element to ensure the successful recovery of a business during a disaster?
A. Detailed technical recovery plans are maintained offsite
B. Network redundancy is maintained through separate providers
C. Hot site equipment needs are recertified on a regular basis
D. Appropriate declaration criteria have been established
What is the PRIMARY purpose of using risk analysis within a security program?
A. The risk analysis helps justify the security expenditure.
B. The risk analysis helps prioritize the assets to be protected.
C. The risk analysis helps inform executive management of the residual risk.
D. The risk analysis helps assess exposures and plan remediation.
What is the MOST cost-effective means of improving security awareness of staff personnel?
A. Employee monetary incentives
B. User education and training
C. A zero-tolerance security policy
D. Reporting of security infractions
Which is the BEST way to assess aggregate risk derived from a chain of linked system vulnerabilities?
A. Vulnerability scans
B. Penetration tests
C. Code reviews
D. Security audits
Which of the following provides the BEST defense against the introduction of malware in end-user computers via the Internet browser?
A. Input validation checks on SQL injection
B. Restricting access to social media sites
C. Deleting temporary files
D. Restricting execution of mobile code
Of the following, retention of business records should be PRIMARILY based on:
A. periodic vulnerability assessment.
B. regulatory and legal requirements.
C. device storage capacity and longevity.
D. past litigation.
Which of the following is the BEST way to ensure that an intruder who successfully penetrates a network will be detected before significant damage is inflicted?
A. Perform periodic penetration testing
B. Establish minimum security baselines
C. Implement vendor default settings
D. Install a honeypot on the network
A newly hired information security manager notes that existing information security practices and procedures appear ad hoc. Based on this observation, the next action should be to:
A. assess the commitment of senior management to the program.
B. assess the maturity level of the organization.
C. review the corporate standards.
D. review corporate risk management practices.
Risk management programs are designed to reduce risk to:
A. a level that is too small to be measurable.
B. the point at which the benefit exceeds the expense.
C. a level that the organization is willing to accept.
D. a rate of return that equals the current cost of capital.
An organization's operations staff places payment files in a shared network folder and then the disbursement staff picks up the files for payment processing. This manual intervention will be automated some months later, thus cost-efficient controls are sought to protect against file alterations. Which of the following would be the BEST solution?
A. Design a training program for the staff involved to heighten information security awareness
B. Set role-based access permissions on the shared folder
C. The end user develops a PC macro program to compare sender and recipient file contents
D. Shared folder operators sign an agreement to pledge not to commit fraudulent activities
An organization has recently developed and approved an access control policy. Which of the following will be MOST effective in communicating the access control policy to the employees?
A. Requiring employees to formally acknowledge receipt of the policy
B. Integrating security requirements into job descriptions
C. Making the policy available on the intranet
D. Implementing an annual retreat for employees on information security
Which of the following is the MOST important area of focus when examining potential security compromise of a new wireless network?
A. Signal strength
B. Number of administrators
C. Bandwidth
D. Encryption strength
Which of the following is MOST important when deciding whether to build an alternate facility or subscribe to a third-party hot site?
A. Cost to build a redundant processing facility and invocation
B. Daily cost of losing critical systems and recovery time objectives (RTOs)
C. Infrastructure complexity and system sensitivity
D. Criticality results from the business impact analysis (BIA)
Who can BEST approve plans to implement an information security governance framework?
A. Internal auditor
B. Information security management
C. Steering committee
D. Infrastructure management
Successful implementation of information security governance will FIRST require:
A. security awareness training.
B. updated security policies.
C. a computer incident management team.
D. a security architecture.
Which of the following measures would be MOST effective against insider threats to confidential information?
A. Role-based access control
B. Audit trail monitoring
C. Privacy policy
D. Defense-in-depth
When an information security manager is developing a strategic plan for information security, the timeline for the plan should be:
A. aligned with the IT strategic plan.
B. based on the current rate of technological change.
C. three-to-five years for both hardware and software.
D. aligned with the business strategy.
What is the PRIMARY basis for the prioritization of security spending and budgeting?
A. The identified levels of risk
B. Industry trends
C. An increased cost of services
D. The allocated revenue of the enterprise
Which of the following approaches is BEST for addressing regulatory requirements?
A. Treat regulatory compliance as any other risk.
B. Ensure that policies address regulatory requirements.
C. Make regulatory compliance mandatory.
D. Obtain insurance for noncompliance.
What is the BEST way to ensure that an external service provider complies with organizational security policies?
A. Explicitly include the service provider in the security policies
B. Receive acknowledgement in writing stating the provider has read all policies
C. Cross-reference to policies in the service level agreement
D. Perform periodic reviews of the service provider
When performing a business impact analysis (BIA), which of the following would be the MOST appropriate to calculate the recovery time and cost estimates?
A. Information security manager
B. Information owners
C. Business continuity coordinator
D. Information technology (IT) operations manager
Which of the following is the BEST approach to obtain senior management commitment to the information security program?
A. Describe the reduction of risk.
B. Present the emerging threat environment.
C. Benchmark against other enterprises.
D. Demonstrate the alignment of the program to business objectives.
Which of the following would be the BEST indicator of an asset's value to an organization?
A. Risk assessment
B. Security audit
C. Certification
D. Classification
An information security manager believes that a network file server was compromised by a hacker. Which of the following should be the FIRST action taken?
A. Ensure that critical data on the server are backed up.
B. Shut down the compromised server.
C. Initiate the incident response process.
D. Shut down the network.
Which of the following is an indicator of effective governance?
A. A defined information security architecture
B. Compliance with international security standards
C. Periodic external audits
D. An established risk management program
What activity should information security management perform FIRST when assessing the potential impact of new privacy legislation on the organization?
A. Develop an operational plan for achieving compliance with the legislation.
B. Identify systems and processes that contain privacy components.
C. Restrict the collection of personal information until compliant.
D. Identify privacy legislation in other countries that may contain similar requirements.
Who has the FINAL responsibility for classifying information?
B. Legal department
C. Data owner
D. Chief information security officer (CISO)
Which of the following is involved when conducting a business impact analysis (BIA)?
A. Identifying security threats and vulnerabilities
B. Developing notification and activation procedures
C. Listing investigative priorities
D. Listing critical business resources
Which of the following has the highest priority when defining an emergency response plan?
A. Critical data
B. Critical infrastructure
C. Safety of personnel
D. Vital records
Why is public key infrastructure (PKI) the preferred model when providing encryption keys to a large number of individuals?
A. It is computationally more efficient.
B. It is more scalable than a symmetric key.
C. It is less costly to maintain than a symmetric key approach.
D. It provides greater encryption strength than a secret key model.
Which of the following activities will MOST effectively foster effective security behavior?
A. Implementing a security awareness program
B. Rewarding compliance with security policies and guidelines
C. Implementing a discipline and reward system
D. Implementing a whistle-blower hotline
How should an information security manager proceed when selecting a public cloud vendor to provide outsourced infrastructure and software?
A. Insist on strict service level agreements (SLAs) to guarantee application availability.
B. Verify that the vendor's security architecture meets the organization's requirements.
C. Update the organization's security policies to reflect the vendor agreement.
D. Consult a third party to provide an audit report to assess the vendor's security program.
Once residual risk has been determined, the enterprise should NEXT:
A. transfer the remaining risk to a third party.
B. acquire insurance against the effects of the residual risk.
C. validate that the residual risk is acceptable.
D. formally document and accept the residual risk.
The use of insurance is an example of which of the following?
A. Risk mitigation
B. Risk acceptance
C. Risk elimination
D. Risk transfer
Who should approve user access in business-critical applications?
A. The information security manager
B. The data owner
C. The data custodian
D. Business management
The PRIMARY goal of developing an information security strategy is to:
A. establish security metrics and performance monitoring.
B. educate business process owner s regarding their duties.
C. ensure that legal and regulatory requirements are met.
D. support the business objectives of the organization.
To determine how a security breach occurred on the corporate network, a security manager looks at the logs of various devices. Which of the following BEST facilitates the correlation and review of these logs?
A. Database server
B. Domain name server (DNS)
C. Time server
D. Proxy server
What is the BEST technique to determine which security controls to implement with a limited budget?
A. Risk analysis
B. Annualized loss expectancy (ALE) calculations
C. Cost-benefit analysis
D. Impact analysis
In implementing information security governance, the information security manager is PRIMARILY responsible for:
A. developing the security strategy.
B. reviewing the security strategy.
C. communicating the security strategy.
D. approving the security strategy.
Who has the inherent authority to grant an exception to information security policy?
A. The business process owner
B. The departmental manager
C. The policy approver
D. The information security manager
What should be the PRIMARY basis of a road map for implementing information security governance?
A. Policies
B. Architecture
C. Legal requirements
D. Strategy
Which of the following would BEST address the risk of data leakage?
A. File backup procedures
B. Database integrity checks
C. Acceptable use policies
D. Incident response procedures
Which of the following is the BEST approach to deal with inadequate funding of the information security program?
A. Eliminate low-priority security services.
B. Require management to accept the increased risk.
C. Use third-party providers for low-risk activities.
D. Reduce monitoring and compliance enforcement activities.
Which of the following events generally has the highest information security impact?
A. Opening a new office
B. Merging with another organization
C. Relocating the data center
D. Rewiring the network
An organization's board of directors is concerned about recent fraud attempts that originated over the Internet. What action should the board take to address this concern?
A. Direct information security regarding specific resolutions that are needed to address the risk.
B. Research solutions to determine appropriate actions for the company.
C. Take no action; information security does not report to the board.
D. Direct management to assess the risk and to report the results to the board.
An information security manager wants to implement a security information and event management system (SIEM) not funded in the current budget. Which of the following choices is MOST likely to persuade management of this need?
A. A comprehensive risk assessment
B. An enterprisewide impact assessment
C. A well-developed business case
D. Computing the net present value (NPV) of future savings
Which of the following should be performed FIRST in the aftermath of a denial-of-service attack?
A. Restore servers from backup media stored offsite
B. Conduct an assessment to determine system status
C. Perform an impact analysis of the outage
D. Isolate the screened subnet
When a significant security breach occurs, what should be reported FIRST to senior management?
A. A summary of the security logs that illustrates the sequence of events
B. An explanation of the incident and corrective action taken
C. An analysis of the impact of similar attacks at other organizations
D. A business case for implementing stronger logical access controls
Which of the following are the essential ingredients of a business impact analysis (BIA)?
A. Downtime tolerance, resources and criticality
B. Cost of business outages in a year as a factor of the security budget
C. Business continuity testing methodology being deployed
D. Structure of the crisis management team
The use of public key encryption for the purpose of providing encryption keys between a large number of individuals is preferred PRIMARILY because:
A. public key encryption is computationally more efficient.
B. scaling is less of a problem than using a symmetrical key.
C. public key encryption is less costly to maintain than symmetric key approaches.
D. public key encryption provides greater encryption strength than secret key options.
What is the FIRST step of performing an information risk analysis?
A. Establish the ownership of assets.
B. Evaluate the risks to the assets.
C. Take an asset inventory.
D. Categorize the assets.
Integrating a number of different activities in the development of an information security infrastructure is BEST achieved by developing:
A. a business plan.
B. an architecture.
C. requirements.
D. specifications.
Which of the following is the MOST important guideline when using software to scan for security exposures within a corporate network?
A. Never use open source tools
B. Focus only on production servers
C. Follow a linear process for attacks
D. Do not interrupt production processes
Which of the following would be the BEST approach to securing approval for information security expenditures?
A. Developing a business case
B. Conducting a cost-benefit analysis
C. Calculating return on investment (ROI)
D. Evaluating loss history
Asset classification should be MOSTLY based on:
A. business value.
B. book value.
C. replacement cost.
D. initial cost.
At what interval should a risk assessment TYPICALLY be conducted?
A. Once a year for each business process and subprocess
B. Every three to six months for critical business processes
C. On a continuous basis
D. Annually or whenever there is a significant change
Untested response plans:
A. depend on up-to-date contact information.
B. pose an unacceptable risk to the organization.
C. pose a risk that the plan will not work when needed.
D. are quickly distinguished from tested plans.
Which of the following situations must be corrected FIRST to ensure successful information security governance within an organization?
A. The information security department has had difficulty filling vacancies.
B. The chief information officer (CIO) approves changes to the security policy.
C. The information security oversight committee only meets quarterly.
D. The data center manager has final signoff on all security projects.
An organization's chief information security officer (CISO) would like to ensure that operations are prioritized correctly for recovery in case of a disaster. Which of the following would be the BEST to use?
A. A business impact assessment
B. An organization risk assessment
C. A business process map
D. A threat statement
What task should be performed once a security incident has been verified?
A. Identify the incident.
B. Contain the incident.
C. Determine the root cause of the incident.
D. Perform a vulnerability assessment.
An organization has commissioned an information security expert to perform network penetration testing and has provided the expert with information about the infrastructure to be tested. The benefit of this approach is:
A. more time is devoted to exploitation than to fingerprinting and discovery.
B. this accurately simulates an external hacking attempt.
C. the ability to exploit Transmission Control Protocol/Internet Protocol (TCP/IP) vulnerabilities.
D. the elimination of the need for penetration testing tools.
Which of the following is the BEST way to mitigate the risk of the database administrator reading sensitive data from the database?
A. Log all access to sensitive data.
B. Employ application-level encryption.
C. Install a database monitoring solution.
D. Develop a data security policy.
Which of the following is MOST essential when assessing risk?
A. Providing equal coverage for all asset types
B. Benchmarking data from similar organizations
C. Considering both monetary value and likelihood of loss
D. Focusing on valid past threats and business losses
Obtaining another party's public key is required to initiate which of the following activities?
A. Authorization
B. Digital signing
C. Authentication
D. Nonrepudiation
A regulatory authority has just introduced a new regulation pertaining to the release of quarterly financial results. The FIRST task that the security officer should perform is to:
A. identify whether current controls are adequate.
B. communicate the new requirement to audit.
C. implement the requirements of the new regulation.
D. conduct a cost-benefit analysis of implementing the control.
Which of the following is the MOST important to ensure a successful recovery?
A. Backup media is stored offsite
B. Recovery location is secure and accessible
C. More than one hot site is available
D. Network alternate links are regularly tested
Which of the following is the MOST important consideration when developing a service level agreement (SLA) to mitigate the risk that outsourcing will result in a loss to the business?
A. The nature of the indemnity clause
B. Ensuring that the business objectives are defined and met
C. Alignment of information system security objectives with enterprise goals
D. Compliance with legal requirements
Which of the following BEST prevents successful social engineering attacks?
A. Preemployment screening
B. Close monitoring of users' access patterns
C. Periodic awareness training
D. Efficient termination procedures
The assessment of risk is always subjective. To improve accuracy, which of the following is the MOST important action to take?
A. Train or "calibrate" the assessor.
B. Utilize only standardized approaches.
C. Ensure the impartiality of the assessor.
D. Utilize multiple methods of analysis.
The decision as to whether an IT risk has been reduced to an acceptable level should be determined by:
A. organizational requirements.
B. information systems requirements.
C. information security requirements.
D. international standards.
Which of the following is the MOST critical activity to ensure the ongoing security of outsourced IT services?
A. Provide security awareness training to the third-party provider's employees
B. Conduct regular security reviews of the third-party provider
C. Include security requirements in the service contract
D. Request that the third-party provider comply with the organization's information security policy
What is the MOST important reason for conducting security awareness programs throughout an organization?
A. Reducing the human risk
B. Maintaining evidence of training records to ensure compliance
C. Informing business units about the security strategy
D. Training personnel in security incident response
The PRIMARY reason to consider information security during the first stage of a project life cycle is:
A. the cost of security is higher in later stages.
B. information security may affect project feasibility.
C. information security is essential to project approval.
D. it ensures proper project classification.
Which of the following should be the PRIMARY basis for making a decision to establish an alternate site for disaster recovery?
A. A business impact analysis (BIA), which identifies the requirements for continuous availability of critical business processes
B. Adequate distance between the primary site and the alternate site so that the same disaster does not simultaneously impact both sites
C. A benchmarking analysis of similarly situated enterprises in the same geographic region to demonstrate due diligence
D. Differences between the regulatory requirements applicable at the primary site and those at the alternate site
Why is "slack space" of value to an information security manager as part of an incident investigation?
A. Hidden data may be stored there
B. The slack space contains login information
C. Slack space is encrypted
D. It provides flexible space for the investigation
Which of the following areas is MOST susceptible to the introduction of security weaknesses?
A. Database management
B. Tape backup management
C. Configuration management
D. Incident response management
Several business units reported problems with their systems after multiple security patches were deployed. What is the FIRST step to handle this problem?
A. Assess the problems and institute rollback procedures, if needed.
B. Disconnect the systems from the network until the problems are corrected.
C. Uninstall the patches from these systems.
D. Contact the vendor regarding the problems that occurred.
Which of the following choices BEST helps determine appropriate levels of information resource protection?
A. A business case
B. A vulnerability assessment
C. Asset classification
D. Asset valuation
In a social engineering scenario, which of the following will MOST likely reduce the likelihood of an unauthorized individual gaining access to computing resources?
A. Implementing on-screen masking of passwords
B. Conducting periodic security awareness programs
C. Increasing the frequency of password changes
D. Requiring that passwords be kept strictly confidential
An appropriate control for ensuring the authenticity of orders received in an electronic data interchange (EDI) system application is to:
A. acknowledge receipt of electronic orders with a confirmation message.
B. perform reasonableness checks on quantities ordered before filling orders.
C. encrypt electronic orders.
D. verify the identity of senders and determine whether orders correspond to contract terms.
Which of the following is the BEST approach to mitigate online brute-force attacks on user accounts?
A. Passwords stored in encrypted form
B. User awareness
C. Strong passwords that are changed periodically
D. Implementation of lock-out policies
Which of the following BEST ensures nonrepudiation?
A. Delivery path tracing
B. Reverse lookup translation
C. Out-of-band channels
D. Digital signatures
What must change management achieve from a risk management perspective?
A. It must be operated by information security to ensure that security is maintained.
B. It must be overseen by the steering committee because of its importance.
C. It must be secondary to release and configuration management.
D. It must include mandatory notification of the information security department.
Addressing risk at various life cycle stages is BEST supported by:
A. change management.
B. release management.
C. incident management.
D. configuration management.
Which of the following choices is the MOST important incident response resource for timely identification of an information security incident?
A. A fully updated intrusion detection system (IDS)
B. Multiple channels for distribution of information
C. A well-defined and structured communication plan
D. A regular schedule for review of network device logs
What makes an incident management program effective?
A. It identifies, assesses and prevents reoccurrence of incidents.
B. It detects and documents incidents.
C. It includes a risk management strategy.
D. It reflects the capabilities of the organization.
Which of the following is the MOST effective at preventing an unauthorized individual from following an authorized person through a secured entrance (tailgating or piggybacking)?
A. Card-key door locks
B. Photo identification
C. Biometric scanners
D. Awareness training
What is the PRIMARY goal of developing an information security program?
A. To implement the strategy
B. To optimize resources
C. To deliver on metrics
D. To achieve assurance
Responsibility for information security and related activities involves multiple departments. What is the PRIMARY reason the information security manager should develop processes that integrate these roles and responsibilities?
A. To mitigate the tendency for security gaps to exist between assurance functions
B. To reduce manpower requirements for providing effective information security
C. To ensure effective business continuity and disaster recovery
D. To simplify specification development and acquisition processes
An organization plans to contract with an outside service provider to host its corporate web site. The MOST important concern for the information security manager is to ensure that:
A. an audit of the service provider uncovers no significant weakness.
B. the contract includes a nondisclosure agreement (NDA) to protect the organization's intellectual property.
C. the contract should mandate that the service provider will comply with security policies.
D. the third-party service provider conducts regular penetration testing.
What is the BEST way to ensure data protection upon termination of employment?
A. Retrieve identification badge and card keys
B. Retrieve all personal computer equipment
C. Erase all of the employee's folders
D. Ensure all logical access is removed
The FIRST step to create an internal culture that embraces information security is to:
A. implement stronger controls.
B. conduct periodic awareness training.
C. actively monitor operations.
D. gain endorsement from executive management.
Which of the following is MOST important for measuring the effectiveness of a security awareness program?
A. Reduced number of security violation reports
B. A quantitative evaluation to ensure user comprehension
C. Increased interest in focus groups on security issues
D. Increased number of security violation reports
Highly integrated enterprise IT systems pose a challenge to the information security manager when attempting to set security baselines PRIMARILY from the perspective of:
A. increased difficulty in problem management.
B. added complexity in incident management.
C. determining the impact of cascading risk.
D. less flexibility in setting service delivery objectives.
Who is responsible for ensuring that information is classified?
A. Senior management
B. The security manager
C. The data owner
D. The data custodian
Evidence from a compromised server has to be acquired for a forensic investigation. What would be the BEST source?
A. A bit-level copy of all hard drive data
B. The last verified backup stored offsite
C. Data from volatile memory
D. Backup servers
What is the PRIMARY role of the information security manager related to the data classification and handling process within an organization?
A. Defining and ratifying the organization's data classification structure
B. Assigning the classification levels to the information assets
C. Securing information assets in accordance with their data classification
D. Confirming that information assets have been properly classified
After completing a full IT risk assessment, who is in the BEST position to decide which mitigating controls should be implemented?
B. The business manager
C. The IT audit manager
D. The information security officer (ISO)
Which of the following items is the BEST basis for determining the value of intangible assets?
A. Contribution to revenue generation
B. A business impact analysis (BIA)
C. Threat assessment and analysis
D. Replacement costs
Which of the following needs to be MOST seriously considered when designing a risk-based incident response management program?
A. The chance of collusion among staff
B. Degradation of investigation quality
C. Minimization of false-positive alerts
D. Monitoring repeated low-risk events
Which of the following is the MOST appropriate control to address compliance with specific regulatory requirements?
B. Standards
C. Procedures
D. Guidelines
What should documented standards/procedures for the use of cryptography across the enterprise achieve?
A. They should define the circumstances where cryptography should be used.
B. They should define cryptographic algorithms and key lengths.
C. They should describe handling procedures of cryptographic keys.
D. They should establish the use of cryptographic solutions.
A project manager is developing a developer portal and requests that the security manager assign a public IP address so that it can be accessed by in-house staff and by external consultants outside the organization's local area network (LAN). What should the security manager do FIRST?
A. Understand the business requirements of the developer portal
B. Perform a vulnerability assessment of the developer portal
C. Install an intrusion detection system (IDS)
D. Obtain a signed nondisclosure agreement (NDA) from the external consultants before allowing external access to the server
Which of the following BEST describes the key objective of an information security program?
A. Achieve strategic business goals and objectives.
B. Protect information assets using manual and automated controls.
C. Automate information security controls.
D. Eliminate threats to the organization.
Which of the following is MOST important when collecting evidence for forensic analysis?
A. Ensure the assignment of qualified personnel.
B. Request the IT department do an image copy.
C. Disconnect from the network and isolate the affected devices.
D. Ensure law enforcement personnel are present before the forensic analysis commences.
During a business continuity plan (BCP) test, one department discovered that its new software application was not going to be restored soon enough to meet the needs of the business. This situation can be avoided in the future by:
A. conducting a periodic and event-driven business impact analysis (BIA) to determine the needs of the business during a recovery.
B. assigning new applications a higher degree of importance and scheduling them for recovery first.
C. developing a help-desk ticket process that allows departments to request recovery of software during a disaster.
D. conducting a thorough risk assessment prior to purchasing the software.
What activity BEST helps ensure that contract personnel do not obtain unauthorized access to sensitive information?
A. Set accounts to pre-expire
B. Avoid granting system administration roles
C. Ensure they successfully pass background checks
D. Ensure their access is approved by the data owner
Which of the following is MOST important in developing a security strategy?
A. Creating a positive business security environment
B. Understanding key business objectives
C. Having a reporting line to senior management
D. Allocating sufficient resources to information security
What action should an incident response team take if the investigation of an incident response event cannot be completed in the time allocated?
A. Continue to work the current action.
B. Escalate to the next level for resolution.
C. Skip on to the next action in the plan.
D. Declare a disaster.
Who is accountable for ensuring that information is categorized and that specific protective measures are taken?
A. The security officer
B. Senior management
C. The end user
D. The custodian
A web-based business application is being migrated from test to production. Which of the following is the MOST important management signoff for this migration?
A. User
B. Network
C. Operations
D. Database
An enterprise is implementing an information security program. During which phase of the implementation should metrics be established to assess the effectiveness of the program over time?
A. Testing
B. Initiation
C. Design
D. Development
Systems thinking as it relates to information security is:
A. a prescriptive methodology for designing the systems architecture.
B. an understanding that the whole is greater than the sum of its parts.
C. a process that ensures alignment with business objectives.
D. a framework for information security governance.
Which of the following MOST effectively reduces false-positive alerts generated by a security information and event management (SIEM) process?
A. Building use cases
B. Conducting a network traffic analysis
C. Performing an asset-based risk assessment
D. The quality of the logs
The return on investment of information security can BEST be evaluated through which of the following?
A. Support of business objectives
B. Security metrics
C. Security deliverables
D. Process improvement models
Which of the following MOST commonly falls within the scope of an information security governance steering committee?
A. Interviewing candidates for information security specialist positions
B. Developing content for security awareness programs
C. Prioritizing information security initiatives
D. Approving access to critical financial systems
Due to limited storage media, an IT operations employee has requested permission to overwrite data stored on a magnetic tape. The decision of the authorizing manager will MOST likely be influenced by the data:
A. classification policy.
B. retention policy.
C. creation policy.
D. leakage protection.
Which of the following indicators is MOST likely to be of strategic value?
A. Number of users with privileged access
B. Trends in incident frequency
C. Annual network downtime
D. Vulnerability scan results
What is a PRIMARY characteristic of a well-established information security culture?
A. Alignment of information security and business objectives
B. Alignment of security controls with information technology
C. Alignment of concurrent security strategies
D. Alignment of values to protect corporate assets
Which of the following is the BEST method for ensuring that temporary employees do not receive excessive access rights?
A. Mandatory access controls
B. Discretionary access controls
C. Lattice-based access controls
D. Role-based access controls
When outsourcing to an offshore provider, the MOST difficult element to determine during a security review will be:
A. technical competency.
B. incompatible culture.
C. defense in depth.
D. adequate policies.
An internal review of a web-based application system reveals that it is possible to gain access to all employees' accounts by changing the employee's ID used for accessing the account on the URL. The vulnerability identified is:
A. broken authentication.
B. unvalidated input.
C. cross-site scripting.
D. structured query language (SQL) injection.
Which of the following roles is PRIMARILY responsible for determining the information classification levels for a given information asset?
A. Manager
B. Custodian
C. User
D. Owner
What is the FIRST action an information security manager should take when a company laptop is reported stolen?
A. Evaluate the impact of the information loss
B. Update the corporate laptop inventory
C. Ensure compliance with reporting procedures
D. Disable the user account immediately
Which one of the following considerations is MOST likely to be overlooked when conducting an information security review of a potential outsourcing service provider?
A. Cultural differences
B. Technical competency
C. Adequate controls
D. Information security policies
While implementing information security governance an organization should FIRST:
A. adopt security standards.
B. determine security baselines.
C. define the security strategy.
D. establish security policies.
Which of the following risk scenarios would BEST be assessed using qualitative risk assessment techniques?
A. Theft of purchased software
B. Power outage lasting 24 hours
C. Permanent decline in customer confidence
D. Temporary loss of email services
There is a delay between the time when a security vulnerability is first published, and the time when a patch is delivered. Which of the following should be carried out FIRST to mitigate the risk during this time period?
A. Identify the vulnerable systems and apply compensating controls
B. Minimize the use of vulnerable systems
C. Communicate the vulnerability to system users
D. Update the signatures database of the intrusion detection system (IDS)
Which of the following BEST indicates senior management commitment toward supporting information security?
A. Assessment of risk to the assets
B. Approval of risk management methodology
C. Review of inherent risk to information assets
D. Review of residual risk for information assets
Which of the following is the BEST source for determining the value of information assets?
A. Individual business managers
B. Business systems analysts
C. Information security management
D. Industry benchmarking results
Business objectives should be evident in the security strategy by:
A. inferred connections.
B. standardized controls.
C. managed constraints.
D. direct traceability.
A financial institution plans to allocate information security resources to each of its business divisions. What areas should security activities focus on?
A. Areas where strict regulatory requirements apply
B. Areas that require the shortest recovery time objective (RTO)
C. Areas that can maximize return on security investment (ROSI)
D. Areas where threat likelihood and impact are greatest
Which of the following gives the MOST assurance of the effectiveness of an organization's disaster recovery plan (DRP)?
A. Checklist test
B. Tabletop exercise
C. Full interruption test
D. Simulation test
The MOST likely reason that management would choose not to mitigate a risk that exceeds the risk appetite is that it:
A. is the residual risk after controls are applied.
B. is a risk that is expensive to mitigate.
C. falls within the risk tolerance level.
D. is a risk of relatively low frequency.
What is the BEST approach to manage a security incident involving a successful penetration?
A. Allow business processes to continue during the response.
B. Allow the security team to assess the attack profile.
C. Permit the incident to continue to trace the source.
D. Examine the incident response process for deficiencies.
Which of the following is the MOST likely outcome of a well-designed information security awareness course?
A. Increased reporting of security incidents to the incident response function
B. Decreased reporting of security incidents to the incident response function
C. Decrease in the number of password resets
D. Increase in the number of identified system vulnerabilities
Which of the following techniques MOST clearly indicates whether specific risk-reduction controls should be implemented?
A. Cost-benefit analysis
B. Penetration testing
C. Frequent risk assessment programs
D. Annual loss expectancy (ALE) calculation
Which of the following recovery strategies has the GREATEST chance of failure?
A. Hot site
B. Redundant site
C. Reciprocal arrangement
D. Cold site
Requiring all employees and contractors to meet personnel security/suitability requirements commensurate with their position sensitivity level and subject to personnel screening is an example of a security:
A. policy.
B. strategy.
C. guideline.
D. baseline.
Which of the following is MOST important to understand when developing a meaningful information security strategy?
A. Regulatory environment
B. International security standards
C. Organizational risks
D. Organizational goals
In a large enterprise, what makes an information security awareness program MOST effective?
A. The program is developed by a professional training company.
B. The program is embedded into the orientation process.
C. The program is customized to the audience using the appropriate delivery channel.
D. The program is required by the information security policy.
Which of the following controls would BEST prevent accidental system shutdown from the console or operations area?
A. Redundant power supplies
B. Protective switch covers
C. Shutdown alarms
D. Biometric readers
A company has installed biometric fingerprint scanners at all entrances in response to a management requirement for better access control. Due to the large number of employees coupled with a slow system response, it takes a substantial amount of time for all workers to gain access to the building and workers are increasingly piggybacking. What is the BEST course of action for the information security manager to address this issue?
A. Replace the system for better response time.
B. Escalate the issue to management.
C. Revert to manual entry control procedures.
D. Increase compliance enforcement.
Which of the following is the FIRST action to be taken when the information security manager notes that the controls for a critical application are inadequate?
A. Perform a risk assessment to determine the level of exposure.
B. Classify the risk as acceptable to senior management.
C. Deploy additional countermeasures immediately.
D. Transfer the remaining risk to another organization.
