A. that the primary and offsite facilities not be subject to the same environmental disasters.

B. that the offsite storage facility be in close proximity to the primary site.

C. the overall storage and maintenance costs of the offsite facility.

D. the availability of cost-effective media transportation services.

A. Platform security

B. Entitlement changes

C. Intrusion detection

D. Antivirus controls

A. Cost reduction

B. Compliance with company policies

C. Protection of business assets

D. Increased business value

A. Risk analysis

B. Business impact analysis (BIA)

C. Return on investment (ROI) analysis

D. Cost-benefit analysis

A. References from other organizations

B. Past experience of the engagement team

C. Sample deliverable

D. Methodology to be used in the assessment

A. Ensure that intrusion prevention is placed in front of the firewall.

B. Ensure that all devices that are connected can easily see the IPS in the network.

C. Ensure that all encrypted traffic is decrypted prior to being processed by the IPS.

D. Ensure that traffic to all devices is mirrored to the IPS.

A. Procedures for hardening database servers

B. Standards for password length and complexity

C. Policies addressing information security governance

D. Standards for document retention and destruction

A. Estimated productivity losses

B. Possible scenarios with threats and impacts

C. Value of information assets

D. Vulnerability assessment

A. release management.

B. incident management.

C. change management.

D. configuration management.

A. Technical

B. Regulatory

C. Privacy

D. Business

A. notifications.

B. warranties.

C. liabilities.

D. geographic coverage.

A. External auditors

B. A peer group within a similar business

C. Process owners

D. A specialized management consultant

A. developing and presenting a business case.

B. defining the risk that will be addressed.

C. presenting a financial analysis of benefits.

D. aligning the initiative with organizational objectives.

A. Choose a subset of influential people to promote the benefits of the security program.

B. Hold structured training in small groups on an annual basis.

C. Require each employee to complete a self-paced training module once per year.

D. Deliver training to all employees across the organization via streaming video.

A. providing access to systems.

B. approving access to systems.

C. establishing authorization and authentication.

D. handling identity management.

A. Direct reports to the chief information officer

B. IT management and key business process owners

C. Cross-section of end users and IT professionals

D. Internal audit and corporate legal departments

A. Number of open incidents

B. Reduction of the number of security incidents

C. Reduction of the average response time to an incident

D. Number of incidents handled per month

A. link security risk to organization business objectives.

B. explain the technical risk to the organization.

C. include industry best practices as they relate to information security.

D. detail successful attacks against a competitor.

A. Implementing wireless intrusion prevention systems

B. Not broadcasting the service set IDentifier (SSID)

C. Implementing wired equivalent privacy (WEP) authentication

D. Enforcing a virtual private network (VPN) over wireless

A. The internal audit department

B. System developers/analysts

C. Key business process owners

D. Corporate legal counsel

A. Type and nature of risk

B. Organizational culture

C. Overall business objectives

D. Lines of business

A. Standards and policies have only an indirect relationship.

B. Standards provide a detailed description of the meaning of a policy.

C. Standards provide direction on achieving compliance with policy intent.

D. Standards can exist without a relationship to any particular policy.

A. Exposure

B. Impact

C. Vulnerability

D. Likelihood

A. Updated call trees

B. Escalation criteria

C. Press release templates

D. Critical backup files inventory

A. includes appropriate justification.

B. explains the current risk profile.

C. details regulatory requirements.

D. identifies incidents and losses.

A. The KRI is accurate and reliable.

B. The KRI provides quantitative metrics.

C. The KRI indicates required action.

D. The KRI is predictive of a risk event.

A. Firewall blocking rules

B. Up-to-date signature files

C. Security awareness training

D. Intrusion detection monitoring

A. ability to resume normal operations.

B. maximum tolerable outage (MTO).

C. service delivery objective (SDO).

D. acceptable interruption window (AIW).

A. User passwords are not automatically expired

B. All network traffic goes through a single switch

C. User passwords are encoded but not encrypted

D. All users reside on a single internal subnet

A. A cost-benefit analysis has been completed.

B. Privacy requirements are met.

C. The service provider ensures a secure data transfer.

D. No significant security incident occurred at the service provider.

A. Regular review of risk treatment options

B. Classification of assets in order of criticality

C. Adoption of a maturity model

D. Integration of assurance functions

A. The security steering committee

B. The board of directors

C. IT managers

D. The information security manager

A. Survey business stakeholders

B. Track audits over time

C. Evaluate incident losses

D. Analyze business cases

A. Tree diagrams

B. Venn diagrams

C. Heat charts

D. Bar charts

A. To mitigate technical risks

B. To have an independent certification of network security

C. To receive an independent view of security exposures

D. To identify a complete list of vulnerabilities

A. ensuring inherent control strength.

B. ensuring strategic alignment.

C. utilizing effective life cycle management.

D. utilizing effective change management.

A. User security procedures

B. Business process flow

C. IT security standards

D. Regulatory requirements

A. verify the decision with the business units.

B. check the system's risk analysis.

C. recommend update after postimplementation review.

D. request an audit review.

A. technology constraints.

B. regulatory requirements.

C. litigation potential.

D. business strategy.

A. identify business risk that affects the organization.

B. establish the need for creating the program.

C. assign responsibility for the program.

D. assess adequacy of existing controls.

A. a statement regarding what the company will do with the information it collects.

B. a disclaimer regarding the accuracy of information on its web site.

C. technical information regarding how information is protected.

D. a statement regarding where the information is being hosted.

A. Impact and threat

B. Likelihood and consequence

C. Threat and exposure

D. Sensitivity and exposure

A. Enhanced policy compliance

B. Improved procedure flows

C. Segregation of duties

D. Better accountability

A. Ensure that a clear organizational incident definition and severity hierarchy exists.

B. Initiate a companywide incident identification training and awareness program.

C. Escalate the issue to the security steering committee for appropriate action.

D. Involve human resources (HR) in implementing a reporting enforcement program.

A. The firewall allows source routing.

B. The firewall allows broadcast propagation.

C. The firewall allows unregistered ports.

D. The firewall allows nonstandard protocols.

A. To help ensure the parties to the agreement can perform

B. To help ensure confidential data are not included in the agreement

C. To help ensure appropriate controls are included

D. To help ensure the right to audit is a requirement

A. Containment

B. Detection

C. Reaction

D. Recovery

A. Review of internal control mechanisms

B. Effective involvement in business decision making

C. Total elimination of risk factors

D. Ensuring trust in data

A. Assess the type and severity of the attack.

B. Determine whether it is an actual incident.

C. Contain the damage to minimize the risk.

D. Minimize the disruption of computer resources.

A. Network switch

B. Web server

C. Database server

D. File/print server

A. Information classification

B. Segregation of duties

C. Least privilege

D. Systems monitoring

A. External vulnerability reporting sources

B. Periodic vulnerability assessments performed by consultants

C. Intrusion prevention software

D. Honeypots located in the DMZ

A. Number of open incidents

B. Reduction of the number of security incidents

C. Reduction of the average response time to an incident

D. Number of incidents handled per month

A. Realistic budget estimates

B. Security awareness

C. Support of senior management

D. Recalculation of the work factor

A. changes comply with security policy.

B. risk from proposed changes is managed.

C. rollback to a current status has been considered.

D. changes are initiated by business managers.

A. prevent the occurrence of incidents.

B. ensure business continuity.

C. train users on resolution of incidents.

D. promote business resiliency.

A. The security administrator who implemented the controls

B. The organization's chief information security officer (CISO)

C. The organization's senior management

D. The information systems (IS) auditor who recommended the controls

A. The extent to which controls are procedural

B. The extent to which controls are subject to the same threat

C. The total cost of ownership for existing controls

D. The extent to which controls fail in a closed condition

A. Obtaining evidence as soon as possible

B. Preserving the integrity of the evidence

C. Disconnecting all IT equipment involved

D. Reconstructing the sequence of events

A. change the root password of the system.

B. implement multifactor authentication.

C. rebuild the system from the original installation medium.

D. disconnect the mail server from the network.

A. Enhanced policy compliance

B. Improved procedure flows

C. Segregation of duties

D. Better accountability

A. Create an image of the hard drive.

B. Encrypt the data on the hard drive.

C. Examine the original hard drive.

D. Create a logical copy of the hard drive.

A. Security compliant servers trend report

B. Percentage of security compliant servers

C. Number of security patches applied

D. Security patches applied trend report

A. Complete policies and standards

B. An appropriate governance framework

C. Current state and objectives

D. Management intent and direction

A. Performing a low-level format

B. Rewriting with zeros

C. Burning them

D. Degaussing them

A. Justification of the security budget must be continually made.

B. New vulnerabilities are discovered every day.

C. The risk environment is constantly changing.

D. Management needs to be continually informed about emerging risks.

A. it simulates the real-life situation of an external security attack.

B. human intervention is not required for this type of test.

C. less time is spent on reconnaissance and information gathering.

D. critical infrastructure information is not revealed to the tester.

A. The proportion of identified risk that has been remediated

B. The ratio of business insurance coverage to its cost

C. The percentage of the IT budget allocated to security

D. The percentage of assets that has been classified

A. Cross site request forgery

B. Structured Query Language (SQL) injection

C. Metasploit

D. Cross site scripting

A. It is easier to promote security awareness.

B. It is easier to manage and control.

C. It is more responsive to business unit needs.

D. It provides a faster turnaround for security requests.

A. Verify the date that signature files were last pushed out

B. Use a recently identified benign virus to test if it is quarantined

C. Research the most recent signature file and compare to the console

D. Check a sample of servers that the signature files are current

A. Enforce the existing security standard

B. Change the standard to permit the deployment

C. Perform a risk analysis to quantify the risk

D. Perform research to propose use of a better technology

A. treated as a distinct process.

B. conducted by the IT department.

C. integrated within business processes.

D. communicated to all employees.

A. Security metrics

B. Network topology

C. Security architecture

D. Process improvement models

A. Role-based access control systems

B. Automated access provisioning

C. Security awareness training

D. Intrusion prevention systems (IPSs)

A. recovery point objective (RPO).

B. recovery time objective (RTO).

C. service delivery objective (SDO).

D. maximum tolerable outage (MTO).

A. Unplugging the systems

B. Chain of custody

C. Separation of duties

D. Clock synchronization

A. application hardening.

B. spam filters.

C. an intrusion detection system (IDS).

D. end user awareness.

A. Briefing team members on the nature of new threats to IS security

B. Periodic testing and updates to incorporate lessons learned

C. Ensuring that all members have a good understanding of IS technology

D. A nonhierarchical structure to ensure that team members can share ideas

A. Research best practices

B. Meet with stakeholders

C. Establish change control procedures

D. Identify critical systems

A. Shorten the password validity period.

B. Encourage the use of special characters.

C. Strengthen segregation of duties (SoD).

D. Introduce compensatory controls.

A. consider possible impact of a security breach.

B. classify personal information in electronic form.

C. be performed by the information security manager.

D. classify systems according to the data processed.

A. Signed contracts

B. Severe penalties

C. Assigned accountability

D. Clear policies

A. Management discretion

B. Regulatory requirements

C. Inherent risk

D. Internal audit findings

A. Industry best practices

B. Business goals and objectives

C. Information technology (IT) plans

D. International information security frameworks

A. Allows the organization to eliminate risk

B. Is a necessary part of management's due diligence

C. Satisfies audit and regulatory requirements

D. Assists in increasing the return on investment (ROI)

A. Asset classification

B. Risk assessment

C. Security architecture

D. Configuration management

A. original cost.

B. net cash flow.

C. net present value.

D. replacement cost.

A. On the web server

B. On the intrusion detection system (IDS) server

C. On the screened subnet

D. On the domain boundary

A. baseline.

B. strategy.

C. procedure.

D. policy.

A. The number of incidents and the subsequent mitigation activities

B. The number, type and layering of deterrent control technologies

C. The extent of risk management requirements in policies and standards

D. The ratio of cost to insurance coverage for business interruption protection

A. A project database

B. A project portfolio database

C. Policy documents

D. A program management office

A. Ensuring that risk is identified and mitigated

B. Ensuring that information security strategy is aligned with organizational goals

C. Maximizing the return on information security investments

D. Ensuring the efficient utilization of information security resources

A. The regulations are ambiguous and difficult to interpret.

B. Management has a low level of risk tolerance.

C. The cost of compliance exceeds the cost of possible sanctions.

D. The regulations are inconsistent with the organizational strategy.

A. To justify program development costs

B. To integrate development activities

C. To gain management support for an information security program

D. To comply with international standards

A. There are sufficient safeguards in place to prevent this risk from happening.

B. The needed countermeasures are too complicated to deploy.

C. The cost of countermeasures outweighs the value of the asset and potential loss.

D. the likelihood of the risk occurring is unknown.

A. Number of controls implemented

B. Percent of control objectives accomplished

C. Percent of compliance with the security policy

D. Reduction in the number of reported security incidents

A. vulnerability assessments.

B. value analysis.

C. business climate.

D. audit recommendations.

A. Management discretion

B. Regulatory requirements

C. Inherent risk

D. Internal audit findings

A. a data leak prevention program.

B. user awareness training.

C. an information classification process.

D. a network intrusion detection system (IDS).

A. A tested business continuity/disaster recovery plan (BCP/DRP)

B. An increase in timely reporting of incidents by employees

C. Extent of risk management education

D. Regular review of risks by senior management

A. Information owner

B. Security manager

C. Chief information officer (CIO)

D. System administrator

A. Copies of critical contracts and service level agreements (SLAs)

B. Copies of the business continuity plan

C. Key software escrow agreements for the purchased systems

D. List of emergency numbers of service providers

A. To ensure that changes are authorized

B. To ensure that changes are applied

C. To ensure that changes are documented

D. To ensure that changes are tested

A. content filtering.

B. data classification.

C. information security awareness.

D. encryption for all attachments.

A. They all use weak encryption.

B. They are decrypted by the firewall.

C. They may be quarantined by mail filters.

D. They may be corrupted by the receiving mail server.

A. hardening of web servers.

B. consolidating multiple sites into a single portal.

C. coding standards and reviewing code.

D. using https in place of http.

A. Functional requirements are not adequately considered.

B. User training programs may be inadequate.

C. Budgets allocated to business units are not appropriate.

D. Information security plans are not aligned with business requirements.

A. Justification of the security budget must be continually made.

B. New vulnerabilities are discovered every day.

C. The risk environment is constantly changing.

D. Management needs to be continually informed about emerging risks.

A. Risk assessment

B. Risk treatment

C. Risk evaluation

D. Risk monitoring

A. ensure adequate corrective actions were implemented.

B. demonstrate management commitment to the information security process.

C. evaluate the incident response process for deficiencies.

D. evaluate the ability of the security team.

A. The market value minus the book value

B. The book value minus the market value

C. Adding the totals of the asset classification

D. A business impact assessment and analysis

A. Operations and marketing

B. IT, finance and legal

C. Audit, risk and regulations

D. Information security and risk

A. state expectations of IT management.

B. state only one general security mandate.

C. are aligned with organizational goals.

D. govern the creation of procedures and guidelines.

A. Evaluation of third parties requesting connectivity

B. Assessment of the adequacy of disaster recovery plans

C. Final approval of information security policies

D. Monitoring adherence to physical security controls

A. Visibility and duration

B. Likelihood and impact

C. Probability and frequency

D. Financial impact and duration

A. all organizational activities.

B. those elements identified by a risk assessment.

C. any area that exceeds acceptable risk levels.

D. only those areas that have potential impact.

A. Creation date

B. Author name

C. Initial draft approval date

D. Last review date

A. the method that minimizes risk to the greatest extent.

B. based on the organization's risk tolerance.

C. an efficient approach to achieve control objectives.

D. the method that maximizes risk mitigation.

A. Distributing industry statistics about security incidents

B. Monitoring the magnitude of incidents

C. Encouraging employees to behave in a more conscious manner

D. Continually reinforcing the security policy

A. reviewing new laws and regulations.

B. updating operational procedures.

C. validating staff qualifications.

D. conducting a risk assessment.

A. To create the information security policy

B. To maximize system uptime

C. To develop strong controls

D. To implement the strategy

A. Business impact analyses

B. Security gap analyses

C. System performance metrics

D. Incident response processes

A. Regular review of access control lists

B. Security guard escort of visitors

C. Visitor registry log at the door

D. A biometric coupled with a PIN

A. Enable access through a separate device that requires adequate authentication

B. Implement manual procedures that require password change after each use

C. Request the vendor to add multiple user IDs

D. Analyze the logs to detect unauthorized access

A. Residual risk

B. Separation of duties

C. Potential impact

D. Need to know

A. Services delivery objective

B. Recovery time objective (RTO)

C. Recovery window

D. Maximum tolerable outage (MTO)

A. Design

B. Implementation

C. Application security testing

D. Feasibility

A. Stolen customer data

B. An electrical power outage

C. A defaced web site

D. Loss of the software development team

A. To reduce governance costs

B. To improve risk management

C. To harmonize security activities

D. To meet or maintain regulatory compliance

A. Ensure all servers are up-to-date on OS patches

B. Employ packet filtering to drop suspect packets

C. Implement network address translation to make internal addresses nonroutable

D. Implement load balancing for Internet facing devices

A. The maximum tolerable outage (MTO) exceeded the acceptable interruption window (AIW).

B. The recovery plans specified outdated operating system (OS) versions.

C. Some restored systems exceeded service delivery objectives (SDO).

D. Aggregate recovery activities exceeded the acceptable interruption window (AIW).

A. guidelines.

B. standards.

C. policies.

D. procedures.

A. Business continuity coordinator

B. Chief operations officer (COO)

C. Information security manager

D. Internal audit

A. technology constraints.

B. regulatory requirements.

C. litigation potential.

D. business strategy.

A. Card key door locks

B. Photo identification

C. Awareness training

D. Biometric scanners

A. Transaction turnaround time

B. Mean time between failures (MTBF)

C. Service delivery objectives (SDOs)

D. The duration of the data restoration job

A. Signature-based detection

B. Deep packet inspection

C. Virus detection

D. Anomaly-based detection

A. create more overhead than signature-based IDSs.

B. cause false positives from minor changes to system variables.

C. generate false alarms from varying user or system actions.

D. cannot detect new types of attacks.

A. Static IP addressing

B. Network address translation

C. Background checks for temporary employees

D. Securing and analyzing system access logs

A. revise the information security program.

B. evaluate a balanced business scorecard.

C. conduct regular user awareness sessions.

D. perform penetration tests.

A. Database administrator (DBA)

B. Finance department management

C. Information security manager

D. IT department management

A. always the best option for an enterprise.

B. often in conflict with effective problem management.

C. the basis for enterprise risk management (ERM) activities.

D. a component of forensics training.

A. Criticality and sensitivity

B. Likelihood and impact

C. Valuation and replacement cost

D. Threat vector and exposure

A. Controls design and deployment

B. Security organization development

C. Logical and conceptual architecture design

D. Development of risk management objectives

A. Operation of a robust incident management process

B. Identification of areas of responsibility

C. Involvement of law enforcement

D. Expertise of resources

A. Give organization standards preference over local regulations

B. Follow local regulations only

C. Make the organization aware of those standards where local regulations cause conflicts

D. Negotiate a local version of the organization standards

A. Business continuity coordinator

B. Information security manager

C. Business process owners

D. IT management

A. organization's risk appetite.

B. external threat landscape.

C. effectiveness of mitigation options.

D. vulnerability assessment.

A. Ethics

B. Proportionality

C. Integration

D. Accountability

A. Policies

B. Procedures

C. Technical guides

D. Baselines

A. Procedures

B. Guidelines

C. Baselines

D. Policies

A. Periodically survey management

B. Implement a governance framework

C. Ensure that controls meet objectives

D. Develop an enterprise architecture

A. Inform management.

B. Notify users.

C. Isolate the server.

D. Verify the information.

A. maximize the cost-effectiveness of controls.

B. demonstrate that information security understands the requirements.

C. provide operational consistency.

D. minimize the number of regulations required.

A. Firewalls

B. Bastion hosts

C. Decoy files

D. Screened subnets

A. generally accepted industry best practices.

B. business requirements.

C. legislative and regulatory requirements.

D. storage availability.

A. service level monitoring.

B. penetration testing.

C. periodically auditing.

D. security awareness training.

A. Router

B. Firewall

C. Mail relay

D. Authentication server

A. Biometrics coupled with strong encryption

B. Challenge response authentication and a secure hash

C. Link encryption and hardware tokens

D. A public key infrastructure (PKI)

A. A tested plan and a team to provide oversight

B. An individual to serve as the liaison between the parties

C. Clear notification and reporting channels

D. A periodic audit of the provider's capabilities

A. To improve the integration of business and information security processes

B. To increase information security budgets and staffing levels

C. To develop tighter controls and stronger compliance efforts

D. To acquire better supplemental technical security controls

A. Access control policy

B. Data classification policy

C. Encryption standards

D. Acceptable use policy

A. Setting up a backup site

B. Maintaining redundant systems

C. Aligning with recovery time objectives (RTOs)

D. Data backup frequency

A. always the best option for an enterprise.

B. often in conflict with effective problem management.

C. the basis for enterprise risk management (ERM) activities.

D. a component of forensics training.

A. Run a forensics tool on the machine to gather evidence

B. Reboot the machine to break remote connections

C. Make a copy of the whole system's memory

D. Document current connections and open Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports

A. Management acceptance and support

B. Information security policies and standards

C. A management committee to provide oversight for the program

D. The context and purpose of the program

A. minimize the magnitude of impact.

B. align the security program with IT goals.

C. identify critical information assets.

D. reduce the number of policy exceptions.

A. Survey business stakeholders

B. Track audits over time

C. Evaluate incident losses

D. Analyze business cases

A. Determine whether the control is preventive, detective or corrective.

B. Review the control's capability of providing notification of failure.

C. Confirm the control's ability to meet intended objectives.

D. Assess and quantify the control's reliability.

A. the method that minimizes risk to the greatest extent.

B. based on the organization's risk tolerance.

C. an efficient approach to achieve control objectives.

D. the method that maximizes risk mitigation.

A. Number of open incidents

B. Reduction of the number of security incidents

C. Reduction of the average response time to an incident

D. Number of incidents handled per month

A. Invalid logon attempts

B. Write access violations

C. Concurrent logons

D. Firewall logs

A. To ensure the confidentiality of sensitive material

B. To provide a high assurance of identity

C. To allow deployment of the active directory

D. To implement secure sockets layer (SSL) encryption

A. A summary of the security logs that illustrates the sequence of events

B. An analysis of the impact of similar attacks at other organizations

C. A business case for implementing stronger logical access controls

D. The impact of the incident and corrective actions taken

A. Ensure all servers are up-to-date on OS patches

B. Employ packet filtering to drop suspect packets

C. Implement network address translation to make internal addresses nonroutable

D. Implement load balancing for Internet facing devices

A. Implement a security committee.

B. Perform a gap analysis.

C. Implement compensating controls.

D. Demand immediate compliance.

A. periodically testing the incident response plans.

B. regularly testing the intrusion detection system (IDS).

C. establishing mandatory training of all personnel.

D. periodically reviewing incident response procedures.

A. a data leak prevention program.

B. user awareness training.

C. an information classification process.