IT Exam Questions and Solutions Library
Which of the following should an organization do FIRST upon learning that a subsidiary is located in a country where civil unrest has just begun? A. Invoke the incident response plan. B. Assess changes in the risk profile. C. Conduct security awareness training. D. Activate the disaster recovery plan (DRP). Â Suggested Answer: B
After updating password standards, an information security manager is alerted by various application administrators that the applications they support are incapable of enforcing these standards. The information security manager's FIRST course of action should be to: A. evaluate the cost of replacing the applications. B. reevaluate the standards. C. determine the potential impact. D. implement compensating controls. Â Suggested Answer: C
Which of the following is a PRIMARY responsibility of a data owner? A. Data backup B. Data classification C. Data quality D. Data storage  Suggested Answer: B
Which of the following is MOST helpful for retaining the support of executive management for an information security program? A. Forming an information security steering committee to provide oversight of the program B. Providing regular performance reports on the effectiveness of the program C. Including satisfaction with information security in employee engagement surveys D. Developing business cases to justify continued expenses for security awareness  Suggested Answer: B
When performing a business impact analysis (BIA), which of the following is the MOST important reason to determine the maximum tolerable downtime (MTD)? A. To determine the data needed for a timely recovery B. To assist in developing recovery strategies C. To facilitate selection of the technologies needed to recover D. To establish resources needed for a successful recovery  Suggested Answer: B
Which of the following processes should remain internal when outsourcing IT operations? A. Authorization management B. Data encryption C. Log monitoring D. Incident management  Suggested Answer: A
An organization plans to adopt a DevOps approach for innovative application development. Which of the following should be the information security manager's MOST important consideration with regard to the information security strategy? A. Risk profile may change with the new approach. B. The identified framework may not be appropriate. C. Security policies may need to be revised. D. Security staff may lack software coding skills. Â Suggested Answer: A
Which of the following is the MOST important reason to integrate nonrepudiation into the design of user authentication? A. To ensure there are no conflicts when changing database records B. To ensure users cannot escalate their own access privileges C. To ensure users cannot alter log records within the system D. To ensure actions can be traced to specific users  Suggested Answer: D
A significant risk was identified within a core business function. Budget constraints do not allow for effective remediation. Who should be accountable for selecting the appropriate risk treatment? A. Data custodian B. Data owner C. Security officer D. Senior management  Suggested Answer: D
An information security manager is building a business case to support an investment in a next generation firewall. Which of the following would BEST maximize the effectiveness of the business case? A. Comparing inherent risk to residual risk B. Aligning proof-of-concept with the information security strategy C. Ensuring return on investment (ROI) is included D. Comparing costs between the new solution and the current firewall  Suggested Answer: B
Which of the following BEST enables the effectiveness of an information security training program for new employees? A. New employees are required to acknowledge the information security policy. B. New employees must complete a security assessment after training. C. Information security training precedes all other onboarding training. D. The training is specific to new employees' job functions. Â Suggested Answer: D
An information security manager has learned of an increasing trend in attacks that use phishing emails impersonating an organization's CEO in an attempt to commit wire transfer fraud. Which of the following is the BEST way to reduce the risk associated with this type of attack? A. Temporarily suspend wire transfers for the organization. B. Provide awareness training to staff responsible for wire transfers. C. Disable emails for staff responsible for wire transfers. D. Provide awareness training to the CEO for this type of phishing attack. Â Suggested Answer: B
Which of the following is the BEST indication of effective information security governance? A. Comprehensive security policies reflect organizational objectives. B. Information security is integrated into organizational processes. C. The information security program follows industry best practices. D. An information security risk register is maintained. Â Suggested Answer: B
A data loss prevention (DLP) tool has flagged personally identifiable information (PII) during transmission. Which of the following should the information security manager do FIRST? A. Validate the scope and impact with the business process owner. B. Escalate the issue to senior management. C. Review and validate the rules within the DLP system. D. Initiate the incident response plan. Â Suggested Answer: A
Which of the following is MOST likely to require an organization to update its business continuity plan (BCP)? A. Successful BCP testing results B. Increases in information security risk trends C. Multiple changes in organizational leadership D. Major changes in the business operating environment  Suggested Answer: D
Which of the following is the GREATEST benefit of performing a tabletop exercise of the business continuity plan (BCP)? A. It helps in assessing the availability of compatible backup hardware. B. It identifies appropriate follow-up work to address shortcomings in the plan. C. It provides a low-cost method of assessing the BCP’s completeness. D. It allows for greater participation and planning from the business side.  Suggested Answer: B
Which of the following is the BEST approach for encouraging business units to assume their roles and responsibilities in an information security program? A. Engage an independent security audit. B. Perform a risk assessment. C. Conduct an awareness program for senior management. D. Develop controls and countermeasures. Â Suggested Answer: A
Which of the following is MOST influential in driving the effectiveness of an information security program? A. Policies and standards B. Organizational risk appetite C. Information security metrics D. Organizational culture  Suggested Answer: D
The MAIN reason for having senior management review and approve an information security strategic plan is to ensure: A. compliance with legal and regulatory requirements. B. the plan aligns with corporate governance. C. staff participation in information security efforts. D. the organization has the required funds to implement the plan. Â Suggested Answer: B
Which of the following is the GREATEST risk associated with a poorly trained incident response team responding to a major incident? A. Separation of duty violations B. Loss of confidential information C. Evidence contamination D. Failure to escalate to senior management  Suggested Answer: C
Which of the following is the PRIMARY preventive method to mitigate risks associated with privileged accounts? A. Eliminate privileged accounts. B. Perform periodic certification of access to privileged accounts. C. Provide privileged account access only to users who need it. D. Frequently monitor activities on privileged accounts. Â Suggested Answer: C
Which of the following BEST enables an incident response team to determine appropriate actions during an initial investigation? A. Technical capabilities of the team B. Feedback from affected departments C. Historical data from past incidents D. Procedures for incident triage  Suggested Answer: D
An organization’s service desk has reported that a PC is displaying a message with the phrase "your personal files are encrypted." Which of the following should be done FIRST? A. Analyze the compromised PC to determine the root cause. B. Isolate the compromised PC from the network. C. Meet with the security team to identify related assets. D. Update all security endpoints to the most current versions.  Suggested Answer: B
When multiple Internet intrusions on a server are detected, the PRIMARY concern of the information security manager should be to ensure: A. the incident is reported to senior management. B. the integrity of evidence is preserved. C. the server is unplugged from power. D. forensic investigation software is loaded on the server. Â Suggested Answer: B
Which of the following groups is MOST important to involve in the development of information security procedures? A. Audit management B. Senior management C. End users D. Operational units  Suggested Answer: C
Which of the following would be MOST useful to determine the current status of an information security program's maturity level? A. Business impact analysis (BIA) B. Cost-benefit analysis C. Benchmark analysis D. Risk assessment  Suggested Answer: C
The MOST significant outcome obtained from conducting a business impact analysis (BIA) is improved: A. employee awareness. B. disaster recovery planning. C. IT capacity planning. D. budgeting. Â Suggested Answer: B
Which of the following BEST indicates ongoing senior management commitment to the organization's information security strategy? A. An efficient incident response program B. Established key performance indicators (KPIs) C. A comprehensive security awareness training program D. Adequate funding for the information security program  Suggested Answer: D
Which of the following is MOST important for the information security manager to include when presenting changes in the security risk profile to senior management? A. Performance measures for existing controls B. Number of false positives C. Security training test results D. Industry benchmarks  Suggested Answer: A
Which of the following is the MOST important objective when recommending controls? A. Ensuring implementation costs are approved B. Identifying business processes the controls can support C. Reducing the risk to an acceptable level D. Minimizing the impact to business processes  Suggested Answer: C
Which of the following considerations is MOST important when selecting a third-party intrusion detection system (IDS) vendor? A. The vendor’s proposal aligns with the objectives of the organization B. The vendor’s proposal allows for contract modification during technology refresh cycles C. The vendor’s proposal requires the provider to have a business continuity plan (BCP) D. The vendor’s proposal allows for escrow in the event the third party goes out of business  Suggested Answer: A
A financial institution is planning to develop a new mobile application. Which of the following is the BEST time to begin assessments of the application’s security compliance? A. During user acceptance testing (UAT) B. During regulatory review C. During the design phase D. During static code analysis  Suggested Answer: C
When considering a new security initiative, which of the following should be done prior to the development of a business case? A. Conduct a risk assessment B. Conduct a benchmarking exercise C. Perform a cost-benefit analysis D. Identify resource requirements  Suggested Answer: A
Which of the following BEST demonstrates the potential for successful business continuity in the event of a disaster? A. Tabletop exercises B. Awareness training assessments C. Disaster recovery tests D. Checklist reviews  Suggested Answer: C
Which of the following is an essential practice for workstations used to conduct a forensic investigation? A. A documented chain of custody log is kept for the workstations B. The workstations are only accessed by members of the forensics team C. Only forensics-related software is installed on the workstations D. The workstations are backed up and hardened on a regular basis  Suggested Answer: A
Which of the following components of the risk assessment process should be reviewed FIRST to gain an understanding of the scope of an emerging risk within an organization? A. Risk categorization B. Asset identification C. Control evaluation D. Risk treatment  Suggested Answer: B
An information security manager has been tasked with implementing a security solution that provides insight into potential security incidents Which of the following BEST supports this activity? A. Intrusion detection system (IDS) B. Security information and event management (SIEM) C. Data loss prevention system (DLP) D. User behavior analytics  Suggested Answer: B
Which of the following is MOST important for the information security manager to confirm when reviewing an incident response plan? A. The plan includes a requirement for post-incident review B. The plan is based on a business impact analysis (BIA) C. The plan is stored at backup recovery locations D. The plan is readily available to provide to auditors. Â Suggested Answer: A
Unintentional behavior by an employee caused a major data loss incident. Which of the following is the BEST way for the information security manager to prevent recurrence within the organization? A. Improve the security awareness training program B. Communicate consequences for future instances C. Implement compensating controls D. Enhance the data loss prevention (DLP) solution  Suggested Answer: A
Exceptions to a security policy should be approved based PRIMARILY on: A. results of a cost-benefit analysis. B. risk appetite. C. security incident classification. D. industry best practices. Â Suggested Answer: B
When developing a business case for a new security initiative, an information security manager should FIRST: A. conduct a feasibility study. B. calculate the total cost of ownership (TCO). C. perform a cost-benefit analysis. D. define the issues to be addressed. Â Suggested Answer: D
A proposal designed to gain buy-in from senior management for a new security project will be MOST effective if it includes: A. historical data of reported incidents. B. analysis of current threat landscape. C. industry benchmarking gap analysis. D. projected return on investment (ROI). Â Suggested Answer: D
Which of the following is MOST important for an information security steering committee to ensure? A. Funding is available for information security projects. B. Information security is managed as a business critical issue. C. Periodic information security audits are conducted. D. Resources used for information security projects are minimized. Â Suggested Answer: B
An organization experienced a breach which was successfully contained and remediated. Based on industry regulations, the breach needs to be communicated externally. What should the information security manager do NEXT? A. Refer to the privacy policy. B. Refer to the incident response plan. C. Send out a breach notification to all parties involved. D. Contact the board of directors. Â Suggested Answer: B
Which of the following is the BEST defense against a brute force attack? A. Discretionary access control B. Multi-factor authentication (MFA) C. Mandatory access control D. Time-of-day restrictions  Suggested Answer: B
Which of the following is MOST important to verify during a test of an organization's incident response process? A. Whether incident response team members know their responsibilities B. Whether senior management endorses the incident response process C. Whether users know which numbers to call in the call tree D. Whether incident response team members are cross-trained  Suggested Answer: A
An intrusion prevention system (IPS) has reported a significant increase in the number of hacking attempts over the past month, though no systems have actually been compromised. Which of the following should the information security manager do FIRST? A. Tune the IPS to address false positives. B. Report the increase in hacking attempts to senior management. C. Validate the events identified by the IPS. D. Update security awareness training. Â Suggested Answer: C
The likelihood of a successful intrusion is a function of: A. threat and vulnerability levels. B. design and redundancy of network perimeter controls. C. configuration and maintenance of log monitoring system. D. opportunity and asset value. Â Suggested Answer: A
Which of the following is the BEST evidence that senior management supports the information security program? A. The information security manager reports to the chief risk officer (CRO) B. A reduction in information security costs C. Consistent enforcement of information security policies D. A high level of information security risk acceptance  Suggested Answer: C
During incident recovery, which of the following is the BEST approach to ensure the eradication of traces hidden by an attacker? A. Reinstall the system from the original source. B. Perform continuous monitoring until validation is achieved. C. Prohibit use of the account suspected to be compromised. D. Conduct a forensic investigation to acquire evidence. Â Suggested Answer: A
When introducing a new information asset, what is the MOST important responsibility of the asset owner? A. Information backup B. Information access administration C. Information disposal D. Information classification  Suggested Answer: D
When establishing an information security governance framework, it is MOST important for an information security manager to understand: A. information security best practices. B. the corporate culture. C. risk management techniques. D. the threat environment. Â Suggested Answer: B
When updating the information security policy to accommodate a new regulation, the information security manager should FIRST: A. review key risk indicators (KRIs). B. consult process owners. C. update key performance indicators (KPIs). D. perform a gap analysis. Â Suggested Answer: D
Which of the following is the BEST way to align security and business strategies? A. Establish key performance indicators (KPIs) for the business. B. Integrate information security governance into corporate governance. C. Ensure the information security program conforms to industry standards. D. Include security risk as part of ongoing metrics reporting. Â Suggested Answer: B
Which of the following should an information security manager do FIRST when developing a security framework? A. Document security procedures B. Conduct an asset inventory C. Update the security policy D. Perform a gap analysis  Suggested Answer: B
A Software as a Service (SaaS) application has been implemented to support a critical business process. Which of the following is MOST important to include within the service level agreement (SLA) to ensure timely response to incidents affecting the application? A. Vendor declarations and warranties B. Enhanced monitoring of in-scope systems C. Defined incident response roles and responsibilities D. Established incident response procedures  Suggested Answer: C
Of the following, who is BEST positioned to perform a business impact analysis (BIA)? A. The information security team B. Process owners C. The IT team D. Business continuity management auditors  Suggested Answer: B
Which of the following is the BEST indication of an effective disaster recovery planning process? A. Recovery time objectives (RTOs) are shorter than recovery point objectives (RPOs) B. Hot sites are required for any declared disaster C. Post-incident reviews are conducted after each event D. Chain of custody is maintained throughout the disaster recovery process  Suggested Answer: C
Which of the following provides the BEST input to determine the level of protection needed for an IT system? A. Vulnerability assessment B. Asset classification C. Threat analysis D. Internal audit findings  Suggested Answer: B
Which of the following should be the FIRST consideration for an information security manager after a security incident has been confirmed? A. Developing incident reporting criteria B. Executing containment procedures C. Restoring business operations D. Determining the root cause  Suggested Answer: B
Which of the following actions will BEST resolve the root cause of a cyber incident involving unauthorized network access due to a critical vulnerability on a web server? A. Improving the patching process B. Locking accounts with unauthorized access C. Isolating affected systems D. Terminating malicious network connections  Suggested Answer: A
Following an unsuccessful denial of service (DoS) attack, identified weaknesses should be: A. noted and re-examined later if similar weaknesses are found B. tracked and reported on until their final resolution C. quickly resolved and eliminated regardless of cost D. documented in security awareness programs  Suggested Answer: B
Which of the following is an information security manager’s MOST important action during the third-party provider selection process? A. Determining it the third party is sufficiently staffed B. Performing a network penetration test C. Analyzing the third party’s existing control environment D. Consulting with the third party’s clients  Suggested Answer: C
Which of the following risk assessment findings for an online-only business should be given the HIGHEST priority to address availability concerns? A. The back office system that processes payments to providers has slowed. B. The web server for the online store was found to be vulnerable to distributed denial of service (DDoS) attacks. C. Email authentication through a connector to a single sign-on (SSO) service has a history of failure. D. The access point for the visitor WiFi network has several unpatched vulnerabilities. Â Suggested Answer: B
At which stage of business continuity planning is risk identification performed? A. Impact analysis B. Stakeholder meeting C. Development D. Project planning  Suggested Answer: D
An information security team plans to strengthen authentication requirements for a customer-facing site, but there are concerns it will negatively impact the user experience. Which of the following is the information security manager's BEST course of action? A. Refer to industry best practices. B. Quantify the security risk to the business. C. Provide security awareness training to customers. D. Assess business impact against security risk. Â Suggested Answer: D
Which of the following is the PRIMARY reason for executive management to be involved in establishing an enterprise’s security management framework? A. To determine the desired state of enterprise security B. To satisfy auditors’ recommendations for enterprise security C. To ensure industry best practices for enterprise security are followed D. To establish the minimum level of controls needed  Suggested Answer: A
Which of the following is MOST important for an information security manager to consider when determining whether data should be stored? A. Type and nature of data B. Business requirements C. Data storage limitations D. Data protection regulations  Suggested Answer: B
A business unit recently integrated the organization’s new strong password policy into its business application which requires users to reset passwords every 30 days. The help desk is now flooded with password reset requests. Which of the following is the information security manager’s BEST course of action to address this situation? A. Conduct a business impact analysis (BIA) B. Provide end-user training C. Escalate to senior management D. Continue to enforce the policy  Suggested Answer: B
Which of the following is the MOST important objective when planning an incident response program? A. Minimizing business impact B. Managing resources C. Recovering from a disaster D. Ensuring IT resiliency  Suggested Answer: A
What is the MOST important consideration when establishing metrics for reporting to the information security strategy committee? A. Benchmarking the expected value of the metrics against industry standards B. Aligning the metrics with the organizational culture C. Agreeing on baseline values for the metrics D. Developing a dashboard for communicating the metrics  Suggested Answer: C
Which of the following presents the GREATEST challenge when assessing the impact of emerging risk? A. Outdated risk management strategy B. Insufficient data related to the emerging risk C. Complexity of the emerging risk D. Lack of resources to perform risk assessments  Suggested Answer: B
To effectively manage an organization’s information security risk, it is MOST important to: A. establish and communicate risk tolerance. B. benchmark risk scenarios against peer organizations. C. assign risk management responsibility to an experienced consultant. D. periodically identify and correct new systems vulnerabilities.  Suggested Answer: A
Which of the following is the MOST useful input for an information security manager when updating the organization’s security policy? A. Security team capabilities B. Risk appetite C. Vulnerability scan D. Industry best practices  Suggested Answer: B
The MOST effective way for an information security manager to secure senior management support for the information security strategy is by: A. presenting industry-specific information security best practices. B. determining cost effective information security controls. C. educating management on information security program needs. D. developing reports showing current threats to the organization. Â Suggested Answer: C
When engaging an external party to perform a penetration test, it is MOST important to: A. provide an updated asset inventory. B. notify employees of the testing. C. define the project scope. D. provide network documentation. Â Suggested Answer: A
Which of the following is the MOST effective way to convey information security responsibilities across an organization? A. Implementing security awareness programs B. Defining information security responsibilities in the security policy C. Developing a skills matrix D. Documenting information security responsibilities within job descriptions  Suggested Answer: A
A financial institution is expanding to international jurisdictions and is mindful of protecting customer information. Which of the following should be of GREATEST concern? A. Ability to monitor and enforce security controls in multiple jurisdictions B. Global payment card industry regulations C. Privacy laws and regulations for each country in which the organization operates D. Information security resources available in each country in which the organization operates  Suggested Answer: C
When evaluating cloud storage solutions, the FIRST consideration should be: A. how the organization's sensitive data will be transferred. B. the service level agreement (SLA) for encryption keys. C. the volume of data to be stored in the cloud. D. alignment with the organization's data classification policy. Â Suggested Answer: D
Which of the following is the GREATEST benefit resulting from the introduction of data security standards for payment cards? A. It helps achieve the holistic protection of information assets in the industry. B. It deters hackers from committing crimes related to card payments. C. It enables a wider range of more sophisticated payment methods. D. It optimizes budget allocation for cybersecurity in each organization. Â Suggested Answer: A
Which of the following should an information security manager establish FIRST to ensure security-related activities are adequately monitored? A. Regular reviews of system logs B. Accountability for security functions C. Procedures for security assessments D. Schedules for internal audits  Suggested Answer: B
Which of the following is the BEST approach for data owners to use when defining access privileges for users? A. Implement an identity and access management (IDM) tool. B. Adopt user account settings recommended by the vendor. C. Perform a risk assessment of the users' access privileges. D. Define access privileges based on user roles. Â Suggested Answer: D
Which of the following is the BEST control to protect customer personal information that is stored in the cloud? A. Strong encryption methods B. Appropriate data anonymization C. Strong physical access controls D. Timely deletion of digital records  Suggested Answer: A
Which of the following is MOST important to include in an enterprise information security policy? A. Acceptable use B. Security objectives C. Security metrics D. Audit trail review requirements  Suggested Answer: B
An information security manager wants to upgrade an organization's workstations to a new operating system version. Which of the following would be MOST helpful to gain senior management support for the upgrade? A. The results of user surveys indicating issues with the current operating system B. A list of the latest security features in the new operating system C. A summary of performance improvements in the new operating system D. An assessment of the current operating system based on risk  Suggested Answer: D
Which of the following is MOST important to define when creating information security management metrics? A. Budget B. Objectives C. Policy D. Benchmarks  Suggested Answer: B
A PRIMARY benefit of adopting an information security framework is that it provides: A. standardized security controls. B. common exploitability indices. C. credible emerging threat intelligence. D. security and vulnerability reporting guidelines. Â Suggested Answer: A
It is MOST important that risk owners understand they are accountable for: A. collaborating with stakeholders to evaluate the effectiveness of controls associated with the risk. B. reporting risk metrics and control compliance status to the information security manager. C. escalating control deficiencies associated with the risk to the steering committee for decision making. D. overseeing and monitoring the effectiveness of controls associated with the risk. Â Suggested Answer: D
Which of the following is MOST important to include in security incident escalation procedures? A. Recovery procedures B. Containment procedures C. Key objectives of the security program D. Notification criteria  Suggested Answer: D
An organization has implemented a new email filter to mitigate risk associated with its email system. Who is BEST suited to be the control owner? A. Head of IT department B. Head of compliance C. Head of corporate communications D. Head of information security  Suggested Answer: D
Which of the following would be MOST effective in reducing the impact of a distributed denial of service (DDoS) attack? A. Impose state limits on servers. B. Spread a site across multiple ISPs. C. Harden network security. D. Block the attack at the source. Â Suggested Answer: B
The PRIMARY reason for senior management to monitor information security metrics is to ensure: A. alignment of the information security budget to corporate funding. B. alignment of information security with corporate governance. C. alignment of security and IT objectives. D. alignment with risk mitigation efforts. Â Suggested Answer: B
Which of the following is the MOST important reason to perform a privacy impact assessment? A. To provide assurance to senior management B. To ensure business data processing has been assessed for risk C. To ensure compensating controls are in place for key information assets D. To reduce threats associated with business data processing  Suggested Answer: B
When reporting information security risk to senior management, it is MOST important to include: A. control risk. B. inherent risk. C. detection risk. D. residual risk. Â Suggested Answer: D
Which of the following is MOST likely to improve an organization's security culture? A. Involving stakeholders in security planning B. Enforcing penalties for security incidents C. Communicating security incidents within the industry D. Incentivizing managers based on security metrics  Suggested Answer: A
Which of the following is MOST important to complete during the recovery phase of an incident response process before bringing affected systems back online? A. Test and verify that compromised systems are clean. B. Document recovery steps for senior management reporting. C. Record and close security incident tickets. D. Capture and preserve forensic images of affected systems. Â Suggested Answer: A
What is the BEST way for an information security manager to improve the effectiveness of risk management in an organization that currently manages risk at the departmental level? A. Deploy security risk management software in all departments. B. Determine whether the organization has defined its risk tolerance and risk appetite. C. Subscribe to external risk reports relevant to each department. D. Propose that security risk be integrated under a common risk register. Â Suggested Answer: D
Which of the following is MOST helpful to an information security manager when determining service level requirements for an outsourced application? A. Supplier business continuity plan (BCP) B. Information security policy C. Application capabilities D. Data classification  Suggested Answer: D
Which of the following is MOST important to consider when planning the eradication of a cyberattack? A. The skills and competencies of the eradication team B. The cost of tools and efforts required for the process C. Obtain a clean backup of the operating system D. Knowledge about the type and source of the threat  Suggested Answer: D
Which of the following BEST enables an information security manager to identify changes in the threat landscape due to emerging technologies? A. Input from external experts B. Annual security assessments C. Periodic risk assessments D. Benchmarking against industry peers  Suggested Answer: A
An enterprise has decided to procure security services from a third-party vendor to support its information security program. Which of the following is MOST important to include in the vendor selection criteria? A. The maturity of the vendor's internal control environment B. Feedback from the vendor's previous clients C. Alignment of the vendor's business objectives with enterprise security goals D. Penetration testing against the vendor's network  Suggested Answer: A
The resilience requirements of an application are BEST determined by: A. a cost-benefit analysis. B. a threat assessment. C. a business impact analysis (BIA). D. a risk assessment. Â Suggested Answer: C
Which of the following BEST facilitates recovery of data lost as a result of a cybersecurity incident? A. Disaster recovery plan (DRP) B. Offsite data backups C. Encrypted data drives D. Removable storage media  Suggested Answer: B
Which of the following is MOST important to the successful implementation of a new information security program? A. Evaluating current information security processes B. Gaining commitment from senior management C. Conducting regular external benchmarking D. Monitoring key performance indicators (KPIs) Â Suggested Answer: B
An information security team has confirmed that threat actors are taking advantage of a newly announced critical vulnerability within an application. Which of the following should be done FIRST? A. Notify senior management. B. Prevent access to the application. C. Invoke the incident response plan. D. Install additional application controls. Â Suggested Answer: C
Which of the following is the MOST important consideration when evaluating the performance of existing security controls? A. Interviewing control owners to accurately collect metrics data B. Establishing testing scenarios based on international standards C. Selecting testing methods that match the purpose of the testing D. Obtaining senior management support to facilitate testing  Suggested Answer: C
Which of the following metrics BEST demonstrates the effectiveness of an organization's security awareness program? A. Percentage of employee computers and devices infected with malware B. Percentage of employees who regularly attend security training C. Number of security incidents reported to the help desk D. Number of phishing emails viewed by end users  Suggested Answer: C
Who should decide whether a specific control should be changed once risk is approved for mitigation? A. Risk owner B. Data owner C. Control owner D. Process owner  Suggested Answer: C
When determining key risk indicators (KRIs) for use in an information security program it is MOST important to select: A. KRIs that track both short-term and long-term performance. B. KRIs that align with business processes. C. KRIs that are quantifiable. D. as many KRIs as possible to catch risk events from the broadest areas. Â Suggested Answer: C
Senior management has requested a budget cut for the information security program in the coming fiscal year. Which of the following should be the information security manager's FIRST course of action? A. Analyze the impact to the information security program. B. Advise business unit heads of potential changes to the information security program. C. Evaluate cost savings within existing implementations. D. Re-prioritize information security implementation and operations. Â Suggested Answer: C
Which of the following will have the GREATEST impact on the development of the information classification scheme consisting of various classification levels? A. Value of the information B. Data format C. Owners of the information D. Organizational structure  Suggested Answer: A
To prepare for a third-party forensics investigation following an incident involving malware, the incident response team should: A. clean the malware. B. isolate the infected systems. C. image the infected systems. D. preserve the evidence. Â Suggested Answer: D
Of the following, who should own the risk associated with unauthorized access to application data? A. Data custodian B. Application developer C. Application owner D. Access administrator  Suggested Answer: C
The categorization of incidents is MOST important for evaluating which of the following? A. Appropriate communication channels B. Risk severity and incident priority C. Allocation of needed resources D. Response and containment requirements  Suggested Answer: B
An organization learns that a third party has outsourced critical functions to another external provider. Which of the following is the information security manager's MOST important course of action? A. Engage an independent audit of the third party's external provider. B. Conduct an external audit of the contracted third party. C. Recommend canceling the contract with the third party. D. Evaluate the third party's agreements with its external provider. Â Suggested Answer: D
An organization has acquired a new system with strict maintenance instructions and schedules. Where should this information be documented? A. Standards B. Procedures C. Guidelines D. Policies  Suggested Answer: B
The PRIMARY benefit of using http secure (https) is that it provides: A. confidentiality of data transmitted. B. integrity for data at rest. C. authentication. D. better session traceability. Â Suggested Answer: A
An organization provides notebook PCs, cable wire locks, smartphone access, and virtual private network (VPN) access to its remote employees. Which of the following is MOST important for the information security manager to ensure? A. Employees are trained on the acceptable use policy. B. Employees use smartphone tethering when accessing from remote locations. C. Employees use the VPN when accessing the organization's online resources. D. Employees physically lock PCs when leaving the immediate area. Â Suggested Answer: C
To improve an organization's information security culture, it is MOST important for senior management to: A. participate in security training. B. review security budget and resources. C. demonstrate good security practices. D. approve security policies. Â Suggested Answer: C
Which of the following BEST illustrates residual risk within an organization? A. Balanced scorecard B. Risk management framework C. Business impact analysis (BIA) D. Heat map  Suggested Answer: D
Which of the following is the MOST effective way to determine the alignment of an information security program with the business strategy? A. Evaluate the results of business continuity testing. B. Evaluate the business impact of incidents. C. Review key performance indicators (KPIs). D. Engage business process owners. Â Suggested Answer: D
An organization experienced a loss of revenue during a recent disaster. Which of the following would BEST prepare the organization to recover? A. Business impact analysis (BIA) B. Incident response plan C. Disaster recovery plan (DRP) D. Business continuity plan (BCP) Â Suggested Answer: D
Which of the following is the MOST important success factor when developing an information security strategy? A. The delivery of the strategy is adequately funded. B. The strategy is aligned with an industry-recognized security control framework. C. The strategy is based on proven technologies and industry trends. D. The strategy is approved by the board and executive management. Â Suggested Answer: D
Which of the following BEST demonstrates a security-conscious organizational culture? A. Security incidents are reported directly to senior management. B. Security awareness metrics have been established and tracked. C. Phishing simulations are part of information security training. D. Employees identify potential incidents and report them. Â Suggested Answer: D
Which of the following is the MOST effective data loss control when connecting a personally owned mobile device to the corporate email system? A. Email must be stored in an encrypted format on the mobile device. B. Users must agree to the use of biometric multi-factor authentication (MFA). C. A senior manager must approve each new connection. D. Email synchronization must be prevented when connected to a public Wi-Fi hotspot. Â Suggested Answer: A
Which of the following should be the FIRST step when performing triage of a malware incident? A. Preserving the forensic image B. Containing the affected system C. Comparing backup against production D. Removing the malware  Suggested Answer: B
Which of the following BEST helps to enable the desired information security culture within an organization? A. Information security awareness training and campaigns B. Incentives for appropriate information security-related behavior C. Effective information security policies and procedures D. Delegation of information security roles and responsibilities  Suggested Answer: A
Which of the following should be the GREATEST concern for an information security manager when an annual audit reveals the organization's business continuity plan (BCP) has not been reviewed or updated in more than a year? A. The organization may suffer reputational damage for not following industry best practices. B. The audit finding may impact the overall risk rating of the organization. C. An outdated BCP may result in less efficient recovery if an actual incident occurs. D. The lack of updates to the BCP may result in noncompliance with internal policies. Â Suggested Answer: C
Which of the following is the MOST important goal of an information security program? A. Optimizing resources B. Reducing risk factors C. Managing controls D. Enhancing business decision making  Suggested Answer: B
Which of the following BEST helps to ensure the effective execution of an organization's disaster recovery plan (DRP)? A. The plan is based on industry best practices. B. The plan is reviewed by senior and IT operational management. C. Procedures are available at the primary and failover location. D. Process steps are documented by the disaster recovery team. Â Suggested Answer: C
Which of the following is the MOST appropriate metric to demonstrate the effectiveness of information security controls to senior management? A. Number of security vulnerabilities uncovered with network scans B. Percentage of servers patched C. Downtime due to malware infections D. Annualized loss resulting from security incidents  Suggested Answer: D
Which of the following is the BEST indication that an organization has integrated information security governance with corporate governance? A. Impact is measured according to business loss when assessing IT risk. B. Service levels for security vendors are defined according to business needs. C. Security policies are reviewed whenever business objectives are changed. D. Security performance metrics are measured against business objectives. Â Suggested Answer: D
The MOST effective way to present information security risk to senior management is to highlight: A. business impact. B. countermeasures. C. threat intelligence. D. risk mitigation over time. Â Suggested Answer: A
Within the confidentiality, integrity, and availability (CIA) triad, which of the following activities BEST supports the concept of confidentiality? A. Ensuring encryption for data in transit B. Enforcing service level agreements (SLAs) C. Utilizing a formal change management process D. Ensuring hashing of administrator credentials  Suggested Answer: A
Which of the following should be the PRIMARY objective for creating a culture of security within an organization? A. To obtain resources for information security initiatives B. To reduce risk to acceptable levels C. To prioritize security within the organization D. To demonstrate control effectiveness to senior management  Suggested Answer: B
Which of the following should be updated FIRST when aligning the incident response plan with the corporate strategy? A. Security procedures B. Disaster recovery plan (DRP) C. Incident notification plan D. Risk response scenarios  Suggested Answer: A
Which of the following is the MOST effective way to ensure the security of services and solutions delivered by third-party vendors? A. Review third-party contracts as part of the vendor management process. B. Perform an audit on vendors' security controls and practices. C. Integrate risk management into the vendor management process. D. Conduct security reviews on the services and solutions delivered. Â Suggested Answer: C
Which of the following eradication methods is MOST appropriate when responding to an incident resulting in malware on an application server? A. Disconnect the system from the network. B. Change passwords on the compromised system. C. Restore the system from a known good backup. D. Perform operation system hardening. Â Suggested Answer: C
Which of the following is MOST important for guiding the development and management of a comprehensive information security program? A. Adopting information security program management best practices B. Aligning the organization's business objectives with IT objectives C. Establishing and maintaining an information security governance framework D. Implementing policies and procedures to address the information security strategy  Suggested Answer: C
Which of the following is the BEST way to ensure data is not co-mingled or exposed when using a cloud service provider? A. Require the provider to follow stringent data classification procedures. B. Obtain an independent audit report. C. Review the provider's information security policies. D. Include high penalties for security breaches in the contract. Â Suggested Answer: A
Before approving the implementation of a new security solution, senior management requires a business case. Which of the following would BEST support the justification for investment? A. The solution contributes to business strategy. B. The solution improves business risk tolerance levels. C. The solution reduces the cost of noncompliance with regulations. D. The solution improves business resiliency. Â Suggested Answer: A
When an organization implements an information security governance framework, it is MOST important for executive leadership to have a direct role in: A. reviewing the information security policy directing the organization. B. developing technical key risk indicators (KRIs) for information security. C. implementing information security metrics for the organization. D. approving information security standards and procedures for the organization. Â Suggested Answer: A
Which of the following should have the MOST influence on an organization's response to a new industry regulation? A. The organization's risk control baselines B. The organization's control objectives C. The organization's risk management framework D. The organization's risk appetite  Suggested Answer: D
Biometrics are BEST used for: A. authorization. B. authentication. C. auditing. D. accounting. Â Suggested Answer: B
Predetermined containment methods to be used in a cybersecurity incident response should be based PRIMARILY on the: A. capability of incident handlers. B. type of confirmed incident. C. predicted incident duration. D. number of impacted users. Â Suggested Answer: B
Communicating which of the following would be MOST helpful to gain senior management support for risk treatment options? A. Threat analysis B. Root cause analysis C. Quantitative loss D. Industry benchmarks  Suggested Answer: C
Which of the following is the PRIMARY objective of information asset classification? A. Threat minimization B. Vulnerability reduction C. Risk management D. Compliance management  Suggested Answer: C
Which of the following trends would be of GREATEST concern when reviewing the performance of an organization's intrusion detection systems (IDSs)? A. Increase in false negatives B. Increase in false positives C. Decrease in false positives D. Decrease in false negatives  Suggested Answer: A
Management would like to understand the risk associated with engaging an Infrastructure-as-a-Service (IaaS) provider compared to hosting internally. Which of the following would provide the BEST method of comparing risk scenarios? A. Reviewing mitigating and compensating controls for each risk scenario B. Mapping the risk scenarios by likelihood and impact on a chart C. Performing a risk assessment on the IaaS provider D. Mapping risk scenarios according to sensitivity of data  Suggested Answer: B
Which of the following is the PRIMARY reason to regularly update business continuity and disaster recovery documents? A. To ensure audit and compliance requirements are met B. To enforce security policy requirements C. To maintain business asset inventories D. To ensure the availability of business operations  Suggested Answer: D
Which of the following should an information security manager do FIRST upon learning of a new ransomware targeting a particular line of business? A. Ensure backups are stored offsite. B. Conduct a disaster recovery test and address any gaps. C. Assess the potential impact to the organization. D. Conduct a vulnerability scan and remediate the findings. Â Suggested Answer: C
Which of the following should be the PRIMARY objective when establishing a new information security program? A. Facilitating operational security B. Optimizing resources C. Minimizing organizational risk D. Executing the security strategy  Suggested Answer: C
An organization implemented a number of technical and administrative controls to mitigate risk associated with ransomware. Which of the following is MOST important to present to senior management when reporting on the performance of this initiative? A. The number and severity of ransomware incidents B. The total cost of the investment C. Benchmarks of industry peers impacted by ransomware D. The cost and associated risk reduction  Suggested Answer: D
Which of the following is the BEST defense against distributed denial of service (DDoS) attacks? A. Regular patching B. Multiple and redundant paths C. Intruder-detection lockout D. Well-configured routers and firewalls  Suggested Answer: B
Which of the following scenarios would MOST likely require a change to corporate security policies? A. New security standards have been implemented. B. Employees do not understand or adhere to the policies. C. The organization has undergone a merger. D. The organization incurs an increased number of security incidents. Â Suggested Answer: C
While conducting a test of a business continuity plan (BCP), which of the following is the MOST important consideration? A. The test involves IT members in the test process. B. The test simulates actual prime-time processing conditions. C. The test is scheduled to reduce operational impact. D. The test addresses the critical components. Â Suggested Answer: D
When testing an incident response plan for recovery from a ransomware attack, which of the following is MOST important to verify? A. An alternative network link is immediately available. B. Data backups are recoverable from an offsite location. C. Network access requires two-factor authentication. D. Digital currency is immediately available. Â Suggested Answer: B
Which of the following is the GREATEST benefit of incorporating information security governance into the corporate governance framework? A. Management accountability for information security B. Improved process resiliency in the event of attacks C. Promotion of security-by-design principles to the business D. Heightened awareness of information security strategies  Suggested Answer: A
Which of the following should an information security manager do FIRST when a vulnerability has been disclosed? A. Perform a patch update. B. Conduct a risk assessment. C. Conduct an impact assessment. D. Perform a penetration test. Â Suggested Answer: B
When an organization experiences a disruptive event, the business continuity plan (BCP) should be triggered PRIMARILY based on: A. expected duration of outage. B. the root cause of the event. C. type of security incident. D. management direction. Â Suggested Answer: A
Which of the following controls would BEST help to detect a targeted attack exploiting a zero-day vulnerability? A. Intrusion prevention system (IPS) B. Vulnerability scanning C. Endpoint detection and response (EDR) D. Extended detection and response (XDR) Â Suggested Answer: D
Which of the following is the MOST relevant control to address the integrity of information? A. Implementation of a redundant server system B. Encryption of email C. Implementation of an Internet security application D. Assignment of appropriate access permissions  Suggested Answer: D
What should be the PRIMARY objective of an information classification scheme? A. To define data retention requirements B. To develop an asset inventory C. To meet legislative and regulatory requirements D. To implement controls proportionate to risk  Suggested Answer: D
Which of the following is MOST important to consider when prioritizing threats during the risk assessment process? A. Regulatory requirements on the organization B. The severity of exploited vulnerabilities C. The threat landscape within the industry D. The potential impact on operations  Suggested Answer: D
Which of the following would BEST fulfill a board of directors' request for a concise overview of information security risk facing the business? A. Business impact analysis (BIA) B. Balanced scorecard C. Risk heat map D. Risk scenario summary  Suggested Answer: C
Which of the following is the PRIMARY purpose of a business impact analysis (BIA)? A. To define security roles and responsibilities B. To determine the criticality of information assets C. To establish incident severity levels D. To determine return on investment (ROI) Â Suggested Answer: B
An organization wants to integrate information security into its HR management processes. Which of the following should be the FIRST step? A. Calculate the return on investment (ROI). B. Provide security awareness training to HR. C. Assess the business objectives of the processes. D. Benchmark the processes with best practice to identify gaps. Â Suggested Answer: C
Following a breach where the risk has been isolated and forensic processes have been performed, which of the following should be done NEXT? A. Place the web server in quarantine. B. Rebuild the server from the last verified backup. C. Shut down the server in an organized manner. D. Rebuild the server with relevant patches from the original media. Â Suggested Answer: B
Which of the following is MOST important for effective cybersecurity incident management? A. Early detection and response B. Regular tabletop exercises C. Root cause analysis D. Investigation and forensics  Suggested Answer: A
An organization uses a security standard that has undergone a major revision by the certifying authority. The old version of the standard will no longer be used for organizations wishing to maintain their certifications. Which of the following should be the FIRST course of action? A. Modify policies to ensure new requirements are covered. B. Review the new standard for applicability to the business. C. Evaluate the cost of maintaining the certification. D. Communicate the new standard to senior leadership. Â Suggested Answer: B
Which of the following is the BEST reason for senior management to support a business case for developing a monitoring system for a critical application? A. The system can be replicated for additional use cases. B. An industry peer experienced a recent breach with a similar application. C. The cost of implementing the system is less than the impact of downtime. D. The solution is within the organization's risk tolerance. Â Suggested Answer: C
Which of the following is MOST important when developing an information security governance framework? A. Ensuring alignment with the organization's risk management framework B. Integrating security within the system development life cycle (SDLC) process C. Developing policies and procedures to support the framework D. Developing security incident response measures  Suggested Answer: A
What should be an information security manager's GREATEST concern when an HR department outsources data processing to a cloud service provider? A. Security posture of the provider B. Data loss protection insurance C. Required provider service levels D. The scope of the data  Suggested Answer: A
Which of the following BEST enables the capability of an organization to sustain the delivery of products and services within acceptable time frames and at predefined capacity during a disruption? A. Business continuity plan (BCP) B. Disaster recovery plan (DRP) C. Business impact analysis (BIA) D. Service level agreement (SLA) Â Suggested Answer: A
Which of the following BEST determines an information asset's classification? A. Criticality to a business process B. Value of the information asset in the marketplace D. Risk assessment from the data owner E. Cost of producing the information asset  Suggested Answer: A
Which of the following is the PRIMARY objective of a cyber resilience strategy? A. Business continuity B. Employee awareness C. Executive support D. Regulatory compliance  Suggested Answer: A
Which of the following is the MOST important reason for an organization to communicate to affected parties that a security incident has occurred? A. To improve awareness of information security B. To disclose the root cause of the incident C. To comply with regulations regarding notification D. To increase goodwill toward the organization  Suggested Answer: C
Which of the following is the BEST indication that an information security control is no longer relevant? A. The control is not cost efficient. B. The control does not support a specific business function. C. IT management does not support the control. D. The technology related to the control is obsolete. Â Suggested Answer: D
Which of the following is the PRIMARY advantage of an organization using Disaster Recovery as a Service (DRaaS) to help manage its disaster recovery program? A. It offers the organization flexible deployment options using cloud infrastructure. B. It allows the organization to prioritize its core operations. C. It is more secure than traditional data backup architecture. D. It allows the use of a professional response team at a lower cost. Â Suggested Answer: B
Which of the following is the MOST important outcome of a post-incident review? A. The system affected by the incident is restored to its prior state. B. The root cause of the incident is determined. C. The person responsible for the incident is identified. D. The impact of the incident is reported to senior management. Â Suggested Answer: B
Which of the following is the BEST indicator of the performance of a security program? A. Changes in return on investments (ROIs) B. Changes in the maturity level C. Changes in budget allocation D. Changes in security training attendance  Suggested Answer: B
An organization has remediated a security flaw in a system. Which of the following should be done NEXT? A. Allocate budget for penetration testing. B. Update the system's documentation. C. Assess the residual risk. D. Share lessons learned with the organization. Â Suggested Answer: C
Which of the following BEST facilitates the development of a comprehensive information security policy? A. Alignment with an established information security framework B. Security key performance indicators (KPIs) C. A review of recent information security incidents D. An established internal audit program  Suggested Answer: A
Which of the following is the MOST effective way to demonstrate improvement in security performance? A. Report the results of a security control self-assessment (CSA). B. Present trends in a validated metrics dashboard. C. Provide a summary of security project return on investments (ROIs). D. Present vulnerability testing results. Â Suggested Answer: B
In order to gain organization-wide support for an information security program, which of the following is MOST important to consider? A. Corporate risk framework B. Corporate culture C. Clarity of security roles and responsibilities D. Maturity of the security policy  Suggested Answer: B
Which of the following is the BEST way to ensure the business continuity plan (BCP) is current? A. Manage business process changes. B. Update business impact analyses (BIAs) on a regular basis. C. Review and update emergency contact lists. D. Conduct periodic testing. Â Suggested Answer: D
Which of the following would be MOST useful when determining the business continuity strategy for a large organization's data center? A. Business impact analysis (BIA) B. Incident root cause analysis C. Stakeholder feedback analysis D. Business continuity risk analysis  Suggested Answer: A
The results of a risk assessment for a potential network reconfiguration reveal a high likelihood of sensitive data being compromised. What is the information security manager's BEST course of action? A. Seek an independent opinion to confirm the findings. B. Determine alignment with existing regulations. C. Report findings to key stakeholders. D. Recommend additional network segmentation. Â Suggested Answer: C
Who should be included in INITIAL discussions regarding a failed security control? A. Penetration testers B. The service provider C. Senior management D. The process owner  Suggested Answer: D
An organization has implemented a new customer relationship management (CRM) system. Who should be responsible for enforcing authorized and controlled access to the CRM data? A. The data custodian B. The data owner C. Internal IT audit D. The information security manager  Suggested Answer: A
Which of the following approaches to communication with senior management BEST enables an information security manager to maximize the effectiveness of the information security program? A. Reporting on industry security threats with potential impact to business objectives B. Conducting periodic one-on-one meetings to align security with business objectives C. Participating in operational review meetings to discuss daily operations and dependencies D. Providing regular status of updates to security policies and standards  Suggested Answer: B
Which of the following control types should be considered FIRST for aligning employee behavior with an organization's information security objectives? A. Administrative security controls B. Access security controls C. Technical security controls D. Physical security controls  Suggested Answer: A
An organization's information security team presented the risk register at a recent information security steering committee meeting. Which of the following should be of MOST concern to the committee? A. No owners were identified for some risks. B. Business applications had the highest number of risks. C. Risk mitigation action plans had no timelines. D. Risk mitigation action plan milestones were delayed. Â Suggested Answer: A
Which of the following BEST enables an organization to determine what activities and changes have occurred on a system during a cybersecurity incident? A. Penetration testing B. Root cause analysis C. Continuous log monitoring D. Computer forensics  Suggested Answer: D
Which of the following should the information security manager do FIRST upon learning that a business department wants to use blockchain technology for a new payment process? A. Include the new requirements in the system development life cycle (SDLC) pipeline. B. Update the business case to include security budget and resource needs for the new process. C. Perform a risk assessment to identify emerging risks. D. Benchmark blockchain solutions to determine which one is most secure. Â Suggested Answer: C
Which of the following BEST facilitates the development of information security procedures that effectively support the information security policy? A. Aligning procedures with industry best practices B. Classifying the information assets to be protected C. Considering the impact of systemic risk events D. Conducting an external benchmarking exercise  Suggested Answer: A
Which of the following would provide the BEST input to a business case for a technical solution to address potential system vulnerabilities? A. Business impact analysis (BIA) B. Vulnerability scan results C. Risk assessment D. Penetration test results  Suggested Answer: C
Which of the following is MOST helpful for determining priorities when creating a long-term information security roadmap? A. The organization's information security framework B. Information security steering committee input C. Enterprise architecture (EA) D. Industry best practices  Suggested Answer: C
A KEY consideration in the use of quantitative risk analysis is that it: A. applies commonly used labels to information assets. B. assigns numeric values to exposures of information assets. C. is based on criticality analysis of information assets. D. aligns with best practice for risk analysis of information assets. Â Suggested Answer: B
A situation where an organization has unpatched IT systems in violation of the patching policy should be treated as: A. an increased threat profile. B. a vulnerability management failure. C. an increased risk profile. D. a security control failure. Â Suggested Answer: C
How does data discovery assist with data classification? A. It provides assurance of data integrity. B. It shows where specific data is stored. C. It automatically classifies data by keywords. D. It helps to identify the data owner. Â Suggested Answer: B
Which of the following is the MOST effective control to prevent proliferation of shadow IT? A. Implement a software allow list. B. Conduct periodic vulnerability scanning. C. Install a solution to detect unlicensed software. D. Conduct software audits. Â Suggested Answer: A
Which of the following is the MOST important driver when developing an effective information security strategy? A. Benchmarking reports B. Information security standards C. Business requirements D. Security audit reports  Suggested Answer: C
Which of the following is MOST important for the improvement of a business continuity plan (BCP)? A. Implementing an IT resilience solution B. Implementing management reviews C. Documenting critical business processes D. Incorporating lessons learned  Suggested Answer: D
Which of the following is MOST important to consider when choosing a shared alternate location for computing facilities? A. Incident response team training B. The organization's risk tolerance C. The organization's mission D. Resource availability  Suggested Answer: D
A financial institution has identified a high risk of fraud within its credit department. Which of the following information security controls will BEST reduce the risk of fraud? A. Mandatory time off B. Segregation of duties C. Acceptable use policy D. Periodic risk assessments  Suggested Answer: B
An employee clicked on a malicious link in an email that resulted in compromising company data. What is the BEST way to mitigate this risk in the future? A. Assess and update spam filtering rules. B. Establish an acceptable use policy. C. Implement disciplinary procedures. D. Conduct phishing awareness training. Â Suggested Answer: D
The business value of an information asset is derived from: A. its replacement cost. B. its criticality. C. the threat profile. D. the risk assessment. Â Suggested Answer: B
Which of the following is the BEST indicator of the maturity level of a vendor risk management process? A. Number of vendors rejected because of security review results B. Percentage of vendors that are regularly reviewed against defined criteria C. Percentage of vendors that have gone through the vendor on boarding process D. Average time required to complete the vendor risk management process  Suggested Answer: B
An international organization with remote branches is implementing a corporate security policy for managing personally identifiable information (PII). Which of the following should be the information security manager's MAIN concern? A. Data backup strategy B. Organizational reporting structure C. Local regulations D. Consistency in awareness programs  Suggested Answer: C
Which of the following is the PRIMARY benefit of an information security awareness training program? A. Evaluating organizational security culture B. Enforcing security policy C. Influencing human behavior D. Defining risk accountability  Suggested Answer: A
Which of the following MOST effectively supports an organization's security culture? A. Business unit security metrics B. An information governance framework C. Stakeholder involvement D. A security mission statement  Suggested Answer: C
A new type of ransomware has infected an organization's network. Which of the following would have BEST enabled the organization to detect this situation? A. Periodic information security training for end users B. Use of integrated patch deployment tools C. Regular review of the threat landscape D. Monitoring of anomalies in system behavior  Suggested Answer: C
Which of the following should an information security manager do FIRST upon notification of a potential security risk associated with a third-party service provider? A. Determine risk treatment options. B. Conduct a vulnerability analysis. C. Escalate to the third-party provider. D. Conduct a risk analysis. Â Suggested Answer: D
A security incident has been reported within an organization. When should an information security manager contact the information owner? A. After the potential incident has been logged B. After the incident has been contained C. After the incident has been confirmed D. After the incident has been mitigated  Suggested Answer: A
An incident management team leader sends out a notification that the organization has successfully recovered from a cyberattack. Which of the following should be done NEXT? A. Secure and preserve digital evidence for analysis. B. Gather feedback on business impact. C. Conduct a meeting to capture lessons learned. D. Prepare an executive summary for senior management. Â Suggested Answer: A
Which of the following defines the MOST comprehensive set of security requirements for a newly developed information system? A. Baseline controls B. Audit findings C. Risk assessment results D. Key risk indicators (KRIs) Â Suggested Answer: A
Which of the following information security practices would BEST prevent a SQL injection attack? A. Adopting agile development B. Enhancing the patching program C. Training developers on secure coding practices to reduce vulnerabilities D. Performing vulnerability testing before each version release  Suggested Answer: C
Which of the following is a viable containment strategy for a distributed denial of service (DDoS) attack? A. Block IP addresses used by the attacker. B. Disable firewall ports exploited by the attacker. C. Power oft affected servers. D. Redirect the attacker's traffic. Â Suggested Answer: B
A data discovery project uncovers an unclassified process document. Of the following, who is BEST suited to determine the classification? A. Creator of the document B. Data custodian C. Information security manager D. Security policy author  Suggested Answer: C
Which of the following is MOST important to include in a post-incident report? A. Forensic analysis results B. List of potentially compromised assets C. Root cause analysis D. Service level agreements (SLAs) Â Suggested Answer: C
When creating an incident response plan, the triggers for the business continuity plan (BCP) MUST be based on: A. a threat assessment. B. recovery time objectives (RTOs). C. a business impact analysis (BIA). D. a risk assessment. Â Suggested Answer: C
An organization's information security strategy should be the PRIMARY input to which of the following? A. Security governance framework design B. Enterprise risk scenario development C. Security program metrics D. Organizational risk appetite  Suggested Answer: A
Which of the following BEST enables an organization to enhance its incident response plan processes and procedures? A. Information security audits B. Security risk assessments C. Lessons learned analysis D. Key performance indicators (KPIs) Â Suggested Answer: C
Which of the following is BEST used to determine the maturity of an information security program? A. Organizational risk appetite B. Risk assessment results C. Security metrics D. Security budget allocation  Suggested Answer: C
Which of the following should be done FIRST when developing an information security strategy that is aligned with organizational goals? A. Establish a security risk framework with key risk indicators (KRIs). B. Determine information security's impact on the achievement of organizational goals. C. Assess information security risk associated with the organizational goals D. Select information security projects related to the organizational goals. Â Suggested Answer: B
A business impact analysis (BIA) BEST enables an organization to establish: A. annualized loss expectancy (ALE). B. recovery methods. C. restoration priorities. D. total cost of ownership (TCO). Â Suggested Answer: C
Which of the following is the PRIMARY objective of developing an information security program that aligns with the information security strategy? A. To define the resources required to achieve information security goals B. To define a bottom-up approach for implementing information security policies C. To define standards to be implemented D. To define risk mitigation plans for security technologies  Suggested Answer: A
Which of the following is MOST important to include in an information security framework? A. Guidance for designing information security controls B. Information security organizational structure C. Industry benchmarks of information security metrics D. Information security risk assessment  Suggested Answer: A
An organization learns that a service provider experienced a breach last month and did not notify the organization. Which of the following should be the information security manager's FIRST course of action? A. Terminate the provider contract. B. Conduct a business impact analysis (BIA). C. Inform senior management. D. Review the provider contract. Â Suggested Answer: D
Which of the following is the GREATEST benefit of effective information security governance? A. Treatment priorities are based on risk exposure. B. Information security standards are communicated to primary stakeholders. C. The information security budget is aligned to the organization. D. Executive management's strategy is aligned to the information security strategy. Â Suggested Answer: D
The ability to integrate information security governance into corporate governance is PRIMARILY driven by: A. the percentage of corporate budget allocated to the information security program. B. how often information security metrics are presented to senior management. C. how often the information security steering committee reviews and updates security policies. D. how well the information security program supports business objectives. Â Suggested Answer: D
Which of the following presents the GREATEST challenge for protecting Internet of Things (IoT) devices? A. IoT vendor reputation B. IoT architecture diversity C. IoT-specific training D. IoT device policies  Suggested Answer: B
Which of the following parameters is MOST helpful when designing a disaster recovery strategy? A. Maximum tolerable downtime (MTD) B. Mean time between failures (MTBF) C. Allowable interruption window (AIW) D. Recovery point objective (RPO) Â Suggested Answer: A
An IT service desk was not adequately prepared for a recent ransomware attack on user workstations. Which of the following should be given HIGHEST priority by the information security team when creating an action plan to improve service desk readiness? A. Investing in threat intelligence capability B. Implementing key risk indicators (KRIs) for ransomware attacks C. Updating the information security incident response manual D. Strengthening the organization's data backup capability  Suggested Answer: C
After a risk has been identified, analyzed, and evaluated, which of the following should be done NEXT? A. Monitor the risk. B. Prioritize the risk for treatment C. Identify the risk owner. D. Identify controls for risk mitigation. Â Suggested Answer: B
Which of the following will BEST facilitate timely and effective incident response? A. Including penetration test results in incident response planning B. Assessing the risk of compromised assets C. Notifying stakeholders when invoking the incident response plan D. Classifying the severity of an incident  Suggested Answer: D
Which of the following MOST effectively communicates the current risk profile to senior management after controls are applied? A. Residual risk B. Impact of loss events C. Inherent risk D. Number of risks avoided  Suggested Answer: A
Which of the following processes should be done NEXT after completing a business impact analysis (BIA)? A. Evaluate the disaster recovery plan (DRP). B. Develop the requirements for the incident response plan. C. Develop a business continuity plan (BCP). D. Identify resources for business recovery. Â Suggested Answer: C
Which of the following is MOST important to include in an information security policy? A. Maturity levels B. Baselines C. Best practices D. Management objectives  Suggested Answer: D
Which of the following should an information security manager do FIRST when creating an organization's disaster recovery plan (DRP)? A. Develop response and recovery strategies. B. Identify the response and recovery teams. C. Review the communications plan. D. Conduct a business impact analysis (BIA). Â Suggested Answer: D
Which of the following would be the MOST effective use of findings from a post-incident review? A. Providing input for updates to the incident response plan B. Developing cost reports regarding the incident C. Providing justification for an increase in the incident response plan budget D. Incorporating the results into information security awareness training materials  Suggested Answer: A
During a post-incident review, it was determined that a known vulnerability was exploited in order to gain access to a system. The vulnerability was patched as part of the remediation on the offending system. Which of the following should be done NEXT? A. Scan to determine whether the vulnerability is present on other systems. B. Review the vulnerability management process. C. Install patches an all existing systems. D. Report the root cause of the vulnerability to senior management. Â Suggested Answer: A
Which of the following is MOST helpful in determining the realization of benefits from an information security program? A. Vulnerability assessments B. Key risk indicators (KRIs) C. Business impact analysis (BIA) D. Key performance indicators (KPIs) Â Suggested Answer: D
During an internal compliance review, the review team discovers that a critical legacy application is unable to meet the organization's mandatory security requirements. Which of the following should be done FIRST? A. Update the risk register. B. Recommend taking the application out of service. C. Implement compensating controls. D. Monitor the application until it can be replaced. Â Suggested Answer: C
Which of the following is the BEST way to improve an organization's ability to detect and respond to incidents? A. Conduct a business impact analysis (BIA). B. Conduct periodic awareness training. C. Perform a security gap analysis. D. Perform network penetration testing. Â Suggested Answer: B
Of the following, who would provide the MOST relevant input when aligning the information security strategy with organizational goals? A. Data privacy officer (DPO) B. Chief information security officer (CISO) C. Information security steering committee D. Enterprise risk committee  Suggested Answer: B
Which of the following is the PRIMARY role of the information security manager in application development? A. To ensure control procedures address business risk B. To ensure enterprise security controls are implemented C. To ensure compliance with industry best practice D. To ensure security is integrated into the system development life cycle (SDLC) Â Suggested Answer: D
Which of the following actions by senior management would BEST enable a successful implementation of an information security governance framework? A. Demonstrating support for the business and information security governance functions B. Delegating the implementation of the framework to information security management C. Promoting the use of an internationally recognized governance framework D. Engaging a consulting firm specializing in information security governance and standards  Suggested Answer: A
Which of the following is the BEST way to reduce the risk of security incidents from targeted email attacks? A. Conduct awareness training across the organization. B. Require acknowledgment of the acceptable use policy. C. Disable all incoming cloud mail services. D. Implement a data loss prevention (DLP) system. Â Suggested Answer: A
When an organization lacks internal expertise to conduct highly technical forensics investigations, what is the BEST way to ensure effective and timely investigations following an information security incident? A. Purchase forensic standard operating procedures. B. Retain a forensics firm prior to experiencing an incident. C. Ensure the incident response policy allows hiring a forensics firm. D. Provide forensics training to the information security team. Â Suggested Answer: B
Which of the following is MOST important for the effective implementation of an information security governance program? A. Information security roles and responsibilities are documented B. The program budget is approved and monitored by senior management C. Employees receive customized information security training D. The program goals are communicated and understood by the organization  Suggested Answer: D
Which of the following is the BEST way to maintain ongoing senior management support for the implementation of a security monitoring toot? A. Demonstrate return on investment (ROI). B. Update security plans. C. Present security monitoring reports. D. Communicate risk reduction. Â Suggested Answer: A
Which of the following would BEST support a business case to implement an anti-ransomware solution? A. Industry benchmark of anti-ransomware investments B. A threat and vulnerability assessment C. Trend analysis of ransomware attacks D. A reduction in required backups and associated costs  Suggested Answer: C
When responding to an incident involving malware on a server, which of the following should be done FIRST? A. Isolate the server from the network. B. Identify the owner of the server. C. Locate the most recent backups. D. Investigate the source of the malware. Â Suggested Answer: A
Which of the following BEST reduces the likelihood of leakage of private information via email? A. User awareness training B. Periodic phishing exercises C. Email signature verification D. Restricted personal use of company email  Suggested Answer: A
Which of the following BEST determines the data retention strategy and subsequent policy for an organization? A. Business impact analysis (BIA) B. Risk appetite C. Business requirements D. Supplier requirements  Suggested Answer: C
Which of the following MUST be established to maintain an effective information security governance framework? A. Security controls automation B. Change management processes C. Security policy provisions D. Defined security metrics  Suggested Answer: D
Which of the following is the BEST defense-in-depth implementation for protecting high value assets or for handling environments that have trust concerns? A. Continuous monitoring B. Compartmentalization C. Multi-factor authentication D. Overlapping redundancy  Suggested Answer: B
When responding to a security incident, information security management and the affected business unit management cannot agree whether to escalate the incident to senior management. Which of the following would MOST effectively prevent this situation from recurring? A. Develop additional communication channels. B. Obtain senior management buy-in for incident response processes. C. Periodically test the incident response plan. D. Create a clear definition of incident classifications. Â Suggested Answer: D
Which of the following should be done FIRST to ensure information security is integrated in system development projects? A. Assign resources based on the business impact. B. Define security requirements. C. Review the security policy. D. Embed a security representative in each project team. Â Suggested Answer: B
For which of the following is it MOST important that system administrators be restricted to read-only access? A. User access log files B. Administrator user profiles C. System logging options D. Administrator log files  Suggested Answer: A
Which of the following business units should own the data that populates an identity management system? A. Legal B. Human resources (HR) C. Information security D. Information technology  Suggested Answer: B
Which of the following BEST indicates senior management support for an information security program? A. Top-down communication B. Regular security awareness training C. Participation in a certification program D. Steering committee involvement  Suggested Answer: A
When selecting metrics to monitor the effectiveness of an information security program, it is MOST important for an information security manager to: A. identify the program's risk and compensating controls. B. consider the organization's business strategy. C. consider the strategic objectives of the program. D. leverage industry benchmarks. Â Suggested Answer: C
A business continuity plan (BCP) should contain: A. criteria for activation. B. hardware and software inventories. C. data restoration procedures. D. information about eradication activities. Â Suggested Answer: A
A finance department director has decided to outsource the organization's budget application and has identified potential providers. Which of the following actions should be initiated FIRST by the information security manager? A. Determine the required security controls for the new solution. B. Obtain audit reports on the service providers’ hosting environment. C. Review the disaster recovery plans (DRPs) of the providers. D. Align the roles of the organization's and the service providers’ staffs.  Suggested Answer: A
What type of control is being implemented when a security information and event management (SIEM) system is installed? A. Corrective B. Preventive C. Deterrent D. Detective  Suggested Answer: D
Which of the following should be done FIRST when developing an information asset classification policy? A. Identify accountability for information assets throughout the organization. B. Establish the criteria that define an asset's classification level. C. Identify existing security measures for protecting assets. D. Obtain executive input to identify high-value assets to be classified. Â Suggested Answer: B
Which of the following is the BEST option to lower the cost to implement application security controls? A. Include standard application security requirements. B. Perform security tests in the development environment. C. Perform a risk analysis after project completion. D. Integrate security activities within the development process. Â Suggested Answer: D
An information security manager learns that business unit leaders are encouraging increased use of social media platforms to reach customers. Which of the following should be done FIRST to help mitigate the risk of confidential information being disclosed by employees on social media? A. Establish an organization-wide social media policy. B. Develop sanctions for misuse of social media sites. C. Monitor social media sites visited by employees. D. Restrict social media access on corporate devices. Â Suggested Answer: A
Which of the following BEST facilitates effective strategic alignment of security initiatives? A. Procedures and standards are approved by department heads. B. Organizational units contribute to and agree on priorities. C. Periodic security audits are conducted by a third-party. D. The business strategy is periodically updated. Â Suggested Answer: B
Which of the following is MOST important to maintain integration among the incident response plan, business continuity plan (BCP), and disaster recovery plan (DRP)? A. Asset classification B. Recovery time objectives (RTOs) C. Chain of custody D. Escalation procedures  Suggested Answer: B
An information security program is BEST positioned for success when it is closely aligned with: A. information security best practices. B. recognized industry frameworks. C. information security policies. D. the information security strategy. Â Suggested Answer: D
Which of the following should an information security manager do FIRST after identifying suspicious activity on a PC that is not in the organization's IT asset inventory? A. Isolate the PC from the network B. Perform a vulnerability scan. C. Determine why the PC is not included in the inventory. D. Reinforce information security training. Â Suggested Answer: A
Which of the following is the MOST important consideration when briefing executives about the current state of the information security program? A. Including a situational forecast. B. Using appropriate language for the target audience. C. Including trend charts for metrics. D. Using a rating system to demonstrate program effectiveness. Â Suggested Answer: B
An organization has multiple data repositories across different departments. The information security manager has been tasked with creating an enterprise strategy for protecting data. Which of the following information security initiatives should be the HIGHEST priority for the organization? A. Data loss prevention (DLP) B. Data retention strategy C. Data encryption standards D. Data masking  Suggested Answer: A
Which of the following is ESSENTIAL to ensuring effective incident response? A. Business continuity plan (BCP) B. Cost-benefit analysis C. Classification scheme D. Senior management support  Suggested Answer: D
Which of the following is the BEST indicator of an organization's information security status? A. Threat analysis B. Controls audit C. Penetration test D. Intrusion detection log analysis  Suggested Answer: B
Which of the following practices is MOST effective for determining the adequacy of incident management operations? A. Conducting unannounced external vulnerability testing B. Testing current incident response plans with relevant stakeholders C. Assessing incident response team members’ incident response skills D. Reviewing incident response procedures against best practices  Suggested Answer: B
Which of the following MUST happen immediately following the identification of a malware incident? A. Eradication B. Containment C. Preparation D. Recovery  Suggested Answer: B
Which of the following is MOST effective in monitoring an organization's existing risk? A. Vulnerability assessment results B. Security information and event management (SIEM) systems C. Periodic updates to risk register D. Risk management dashboards  Suggested Answer: D
Which of the following BEST indicates that information security governance and corporate governance are integrated? A. The information security team is aware of business goals. B. A cost-benefit analysis is conducted on all information security initiatives. C. The board is regularly informed of information security key performance indicators (KPIs). D. The information security steering committee is composed of business leaders. Â Suggested Answer: C
Which of the following should be the PRIMARY basis for determining the value of assets? A. Cost of replacing the assets B. Total cost of ownership (TCO) C. Business cost when assets are not available D. Original cost of the assets minus depreciation  Suggested Answer: C
Which of the following is MOST helpful to identify whether information security policies have been followed? A. Corrective controls B. Directive controls C. Detective controls D. Preventive controls  Suggested Answer: C
Which of the following is the MOST important reason to classify an incident after detection? A. To assign appropriate prioritization levels B. To obtain funds for external forensic support C. To approve data breach notifications D. To ensure management is accurately informed  Suggested Answer: A
Which of the following principles BEST addresses the protection of data from unauthorized modification? A. Nonrepudiation B. Integrity C. Availability D. Authenticity  Suggested Answer: B
The MAIN reason for continuous monitoring of the security program is to: A. validate reduction of incidents. B. confirm benefits are being realized. C. ensure alignment with industry standards. D. optimize resource allocation. Â Suggested Answer: B
Which of the following would BEST enable the help desk to recognize an information security incident? A. Provide the help desk with criteria for security incidents. B. Include members of the help desk on the security incident response team. C. Require the help desk to participate in past-incident reviews. D. Train the help desk to review the call logs. Â Suggested Answer: A
Which of the following would be the GREATEST concern with the implementation of key risk indicators (KRIs)? A. Inability to measure KRIs B. Poorly defined risk appetite C. Overly specific KRI definitions D. Complex organizational structure  Suggested Answer: B
An employee's bring your own device (BYOD) smartphone has been lost. To reduce the risk associated with the loss of corporate sensitive data stored on the phone, the information security manager's BEST course of action should have been to implement: A. a requirement of prompt notification in the event of loss. B. multi-factor authentication for the mobile device. C. a board-approved and communicated mobile policy and standard. D. a securely configured device enforced by a mobile device management (MDM) solution. Â Suggested Answer: D
Which of the following is the BEST approach for an information security manager to develop an organization's information security strategy? A. Budget training costs and contingencies for unexpected events. B. Determine desired outcomes and perform a gap analysis. C. Evaluate the security posture in comparison with competitors. D. Estimate operational costs and perform reliability checks. Â Suggested Answer: B
Which of the following is the BEST way to monitor the effectiveness of security controls? A. Review application and system audit logs. B. Conduct regular threat assessments. C. Establish and report security metrics. D. Benchmark security controls against similar organizations. Â Suggested Answer: C
An organization experienced a data breach that affected many of its clients. Legal counsel found out about this event only after a press release was issued. Which of the following would have been MOST helpful in preventing this situation? A. A gap analysis of technical controls B. Regular information security policy reviews C. Tabletop testing of the incident response plan D. A comprehensive business continuity plan (BCP) Â Suggested Answer: C
Which of the following would MOST effectively ensure that a new server is appropriately secured? A. Enforcing technical security standards B. Performing secure code reviews C. Initiating security scanning D. Conducting penetration testing  Suggested Answer: A
Spoofing should be prevented because it may be used to: A. assemble information, track traffic, and identify network vulnerabilities. B. predict which way a program will branch when an option is presented. C. capture information such as passwords traveling through the network. D. gain illegal entry to a secure system by faking the sender's address. Â Suggested Answer: D
Which of the following is MOST important to have in place for an organization's information security program to be effective? A. Senior management support B. A comprehensive IT strategy C. Defined and allocated budget D. Documented information security processes  Suggested Answer: A
When assigning a risk owner, the MOST important consideration is to ensure the owner has: A. adequate knowledge of risk treatment and related control activities. B. decision-making authority and the ability to allocate resources for risk. C. sufficient time for monitoring and managing the risk effectively. D. risk communication and reporting skills to enable decision-making. Â Suggested Answer: B
After a ransomware incident, an organization's systems were restored. Which of the following should be of MOST concern to the information security manager? A. The service level agreement (SLA) was not met. B. The recovery time objective (RTO) was not met. C. The root cause was not identified. D. Notification to stakeholders was delayed. Â Suggested Answer: C
To improve the efficiency of the development of a new software application, security requirements should be defined: A. based on code review. B. based on available security assessment tools. C. after functional requirements. D. concurrently with other requirements. Â Suggested Answer: D
Which of the following would provide the MOST effective security outcome in an organization's contract management process? A. Extending security assessment to cover asset disposal on contract termination B. Ensuring security requirements are defined at the request-for-proposal (RFP) stage C. Extending security assessment to include random penetration testing D. Performing vendor security benchmark analyses at the request-for-proposal (RFP) stage  Suggested Answer: B
Which of the following is the BEST way to contain an SQL injection attack that has been detected by a web application firewall? A. Force password changes on the SQL database. B. Reconfigure the web application firewall to block the attack. C. Update the detection patterns on the web application firewall. D. Block the IPs from where the attack originates. Â Suggested Answer: B
Who is accountable for approving an information security governance framework? A. The board of directors B. The chief information security officer (CISO) C. The enterprise risk committee D. The chief information officer (CIO) Â Suggested Answer: A
Which of the following is the PRIMARY benefit achieved when an information security governance framework is aligned with corporate governance? A. Protection of business value and assets B. Identification of core business strategies C. Easier entrance into new businesses and technologies D. Improved regulatory compliance posture  Suggested Answer: A
Which of the following is the BEST method to protect the confidentiality of data transmitted over the Internet? A. Network address translation (NAT) B. Message hashing C. Transport Layer Security (TLS) D. Multi-factor authentication  Suggested Answer: C
Which of the following is the FIRST step when conducting a post-incident review? A. Identify mitigating controls. B. Assess the costs of the incident. C. Perform root cause analysis. D. Assign responsibility for corrective actions. Â Suggested Answer: C
Which of the following BEST facilitates the effectiveness of cybersecurity incident response? A. Utilizing a security information and event management (SIEM) tool B. Utilizing industry-leading network penetration testing tools C. Increasing communication with all incident response stakeholders D. Continuously updating signatures of the anti-malware solution  Suggested Answer: C
A business requires a legacy version of an application to operate, but the application cannot be patched. To limit the risk exposure to the business, a firewall is implemented in front of the legacy application. Which risk treatment option has been applied? A. Accept B. Transfer C. Mitigate D. Avoid  Suggested Answer: C
An information security manager has recently been notified of potential security risks associated with a third-party service provider. What should be done NEXT to address this concern? A. Escalate to the chief risk officer (CRO). B. Conduct a vulnerability analysis. C. Conduct a risk analysis. D. Determine compensating controls. Â Suggested Answer: C
An email digital signature will: A. automatically correct unauthorized modification of an email message. B. verify to recipients the integrity of an email message. C. protect the confidentiality of an email message. D. prevent unauthorized modification of an email message. Â Suggested Answer: B
To ensure the information security of outsourced IT services, which of the following is the MOST critical due diligence activity? A. Assess the level of security awareness of the service provider. B. Review a recent independent audit report of the service provider. C. Review samples of service level reports from the service provider. D. Request the service provider comply with information security policy. Â Suggested Answer: B
Which of the following is the MOST important reason to consider organizational culture when developing an information security program? A. It helps expedite approval for the information security budget. B. It helps the organization meet compliance requirements. C. Everyone in the organization is responsible for information security. D. Security incidents have an adverse impact on the entire organization. Â Suggested Answer: C
Which of the following processes BEST supports the evaluation of incident response effectiveness? A. Post-incident review B. Chain of custody C. Incident logging D. Root cause analysis  Suggested Answer: A
Which of the following should an information security manager do FIRST after learning through mass media of a data breach at the organization's hosted payroll service provider? A. Validate the breach with the provider. B. Suspend the data exchange with the provider. C. Notify appropriate regulatory authorities of the breach. D. Initiate the business continuity plan (BCP). Â Suggested Answer: A
Which of the following should an information security manager do FIRST after discovering that a business unit has implemented a newly purchased application and bypassed the change management process? A. Update the change management process. B. Revise the procurement process. C. Discuss the issue with senior leadership. D. Remove the application from production. Â Suggested Answer: C
An organization is strategizing on how to improve security awareness. Which of the following is MOST important to consider when developing this strategy? A. Technical solutions for delivery B. Cost to implement C. Organizational culture D. Organizational maturity  Suggested Answer: C
A penetration test against an organization's external web application shows several vulnerabilities. Which of the following presents the GREATEST concern? A. Vulnerabilities were caused by insufficient user acceptance testing (UAT). B. Exploit code for one of the vulnerabilities is publicly available. C. Atules of engagement form was not signed prior to the penetration test. D. Vulnerabilities were not found by internal tests. Â Suggested Answer: B
Which of the following is the GREATEST concern resulting from the lack of severity criteria in incident classification? A. The service desk will be staffed incorrectly. B. Timely detection of attacks will be impossible. C. Statistical reports will be incorrect. D. Escalation procedures will be ineffective. Â Suggested Answer: D
Which of the following would be the BEST way to maintain organization-wide support for an information security strategy? A. Ensure information security objectives are understood by key stakeholders. B. Monitor user activity to identify and track information security policy violations. C. Place information security awareness materials in visible locations. D. Ensure information security policies are easily accessible. Â Suggested Answer: A
Several critical systems have been compromised with malware. Which of the following is the BEST strategy to eradicate this incident? A. Reimage the systems. B. Block access to the impacted systems. C. Perform malware scanning. D. Perform a vulnerability assessment. Â Suggested Answer: A
Which of the following is the MOST important success factor for maintaining an organizational security-aware culture? A. Senior management sign-off on security projects and resources B. Regular security training and simulation exercises C. Regular organization-wide reporting on the risk profile D. Employee security policy acknowledgment  Suggested Answer: B
Senior management has expressed concern that the organization's intrusion prevention system (IPS) may repeatedly disrupt business operations. Which of the following BEST indicates that the information security manager has tuned the system to address this concern? A. Decreasing false positives B. Decreasing false negatives C. Increasing false negatives D. Increasing false positives  Suggested Answer: A
Which of the following metrics would BEST monitor how well information security requirements are incorporated into the change management process? A. Information security incidents caused due to unauthorized changes B. Unauthorized changes in the environment C. Denied changes due to insufficient security details D. Information security-related changes  Suggested Answer: C
Which of the following metrics is MOST appropriate for evaluating the incident notification process? A. Elapsed time between detection, reporting, and response B. Average number of incidents per reporting period C. Average total cost of downtime per reported incident D. Elapsed time between response and resolution  Suggested Answer: A
Meeting which of the following security objectives BEST ensures that information is protected against unauthorized disclosure? A. Confidentiality B. Integrity C. Authenticity D. Nonrepudiation  Suggested Answer: A
Which of the following is MOST important for an information security manager to consider when developing a business continuity plan (BCP) for ransomware attacks? A. Backups are maintained on multiple sites and regularly reviewed. B. Impacted networks can be detached at the network switch level. C. Backups are maintained offline and regularly tested. D. Production data is continuously replicated between primary and secondary sites. Â Suggested Answer: C
Of the following, who should be assigned as the owner of a newly identified risk related to an organization's new payroll system? A. Head of IT department B. Head of human resources (HR) C. Information security manager D. Data privacy officer  Suggested Answer: B
An organization has decided to outsource IT operations. Which of the following should be the PRIMARY focus of the information security manager? A. Business continuity contingency planning is provided. B. Security requirements are included in the vendor contract. C. External security audit results are reviewed. D. Service level agreements (SLAs) meet operational standards. Â Suggested Answer: B
Which of the following is MOST effective in gaining support for the information security strategy from senior management? A. Cost-benefit analysis results B. Third-party security audit results C. Business impact analysis (BIA) results D. A major breach at a competitor  Suggested Answer: A
Management of a financial institution accepted an operational risk that consequently led to the temporary deactivation of a critical monitoring process. Which of the following should be the information security manager's GREATEST concern with this situation? A. Deviation from risk management best practices B. Impact on the risk culture C. Inability to determine short-term impact D. Impact on compliance risk  Suggested Answer: B
A business impact analysis (BIA) should be periodically executed PRIMARILY to: A. verify the effectiveness of controls. B. check compliance with regulations. C. validate vulnerabilities on environmental changes. D. analyze the importance of assets. Â Suggested Answer: D
While responding to a high-profile security incident, an information security manager observed several deficiencies in the current incident response plan. When would be the BEST time to update the plan? A. While responding to the incident B. During post-incident review C. During a tabletop exercise D. After a risk reassessment  Suggested Answer: С
Which of the following BEST enables an information security manager to demonstrate the effectiveness of the information security and risk program to senior management? A. Updated risk assessments B. Audit reports C. Counts of information security incidents D. Monthly metrics  Suggested Answer: D
Which of the following would BEST justify spending for a compensating control? A. Root cause analysis B. Emerging risk trends C. Vulnerability assessment D. Risk analysis  Suggested Answer: D
Which or the following is the BEST way to monitor for advanced persistent threats (APT) in an organization? A. Browse the Internet to learn of potential events. B. Search for threat signatures in the environment. C. Search for anomalies in the environment. D. Network with peers in the industry to share information. Â Suggested Answer: C
In response to recent ransomware threats, an organization deployed a new endpoint detection and response (EDR) solution in its employee laptops. Of the following, who should be accountable for reviewing the solution to verify it has been properly deployed and configured? A. The security analyst B. The chief audit executive (CAE) C. The chief information security officer (CISO) D. The system administrator  Suggested Answer: A
An organization's quality process can BEST support security management by providing: A. a repository for security systems documentation. B. assurance that security requirements are met. C. guidance for security strategy. D. security configuration controls. Â Suggested Answer: B
Which of the following is the MOST important consideration when defining an information security framework? A. Information security budget B. Industry standards C. Business strategy D. Organizational culture  Suggested Answer: D
Which of the following is the MOST important consideration for reporting risk assessment results to senior management? A. The reports should include comparisons to industry benchmarks. B. The reports should be presented in business terms. C. The reports should use formal methodologies. D. The reports should include recommended controls. Â Suggested Answer: B
Which of the following is the BEST way to determine the effectiveness of an incident response plan? A. Reviewing previous audit reports B. Benchmarking the plan against best practices C. Performing a penetration test D. Conducting a tabletop exercise  Suggested Answer: A
Which of the following should be an information security manager's MOST important consideration when determining the priority for implementing security controls? A. Availability of security budget B. Alignment with industry benchmarks C. Results of business impact analyses (BIAs) D. Possibility of reputational loss due to incidents  Suggested Answer: C
Which of the following is the PRIMARY reason for an information security manager to periodically review existing controls? A. To prioritize security initiatives B. To avoid redundant controls C. To align with emerging risk D. To address end-user control complaints  Suggested Answer: C
Which of the following should be done FIRST when implementing a security program? A. Implement data encryption. B. Perform a risk analysis. C. Create an information asset inventory. D. Determine the value of information assets. Â Suggested Answer: B
Of the following, who is MOST appropriate to own the risk associated with the failure of a privileged access control? A. Data owner B. Information security manager C. Business owner D. Compliance manager  Suggested Answer: C
Which of the following is an example of a deterrent control? A. Segregation of responsibilities B. A warning banner C. An intrusion detection system (IDS) D. Periodic data restoration  Suggested Answer: B
An information security manager has completed a risk assessment and has determined the residual risk. Which of the following should be the NEXT step? A. Implement countermeasures to mitigate risk. B. Classify all identified risks. C. Conduct an evaluation of controls. D. Determine if the risk is within the risk appetite. Â Suggested Answer: D
Which of the following BEST enables an organization to maintain an appropriate security control environment? A. Periodic employee security training B. Budgetary support for security C. Alignment to an industry security framework D. Monitoring of the threat landscape  Suggested Answer: C
Which of the following is MOST important for responding effectively to security breaches? A. Chain of custody B. Incident classification C. Log monitoring D. Communication plan  Suggested Answer: D
Which of the following is the BEST method for assisting with incident containment in an Infrastructure as a Service (IaaS) cloud environment? A. Disabling unnecessary services B. Implementing privileged identity management C. Establishing automated detection D. Implementing network segmentation  Suggested Answer: D
Which of the following should be performed FIRST in response to a new information security regulation? A. Industry benchmarking B. Independent audit C. Risk assessment D. Gap analysis  Suggested Answer: C
The MOST useful technique for maintaining management support for the information security program is: A. informing management about the security of business operations. B. identifying the risks and consequences of failure to comply with standards. C. benchmarking the security programs of comparable organizations. D. implementing a comprehensive security awareness and training program. Â Suggested Answer: B
When remote access is granted to a company's internal network, the MOST important consideration should be that access is provided: A. by the use of a remote access server. B. if a robust IT infrastructure exists. C. subject to legal and regulatory requirements. D. on a need-to-know basis subject to controls. Â Suggested Answer: D
Which of the following should be triggered FIRST when unknown malware has infected an organization's critical system? A. Disaster recovery plan (DRP) B. Vulnerability management plan C. Incident response plan D. Business continuity plan (BCP) Â Suggested Answer: C
Which of the following is the FIRST step in developing a business impact analysis (BIA)? A. Identifying interdependencies among critical functions within the business B. Determining the minimum resources needed for recovery C. Identifying which business functions are critical to the organization D. Determining the required recovery time objective (RTO) of business operations  Suggested Answer: A
Which of the following is MOST important when defining how an information security budget should be allocated? A. Business impact assessment B. Regulatory compliance standards C. Information security strategy D. Information security policy  Suggested Answer: C
A forensic examination of a PC is required, but the PC has been switched off. Which of the following should be done FIRST? A. Perform a backup of the computer using the network. B. Perform a bit-by-bit backup of the hard disk using a write-blocking device. C. Reboot the system using third-party forensic software in the CD-ROM drive. D. Perform a backup of the hard drive using backup utilities. Â Suggested Answer: B
Which of the following should an organization do FIRST when confronted with the transfer of personal data across borders? A. Define policies and standards for data processing. B. Implement applicable privacy principles. C. Research cyber insurance policies. D. Assess local or regional regulation. Â Suggested Answer: D
Which of the following BEST enables an organization to measure the total time that operations can be sustained at an alternative site designated in the business continuity plan (BCP)? A. Recovery point objective (RPO) B. Allowable interruption window (AIW) C. Maximum tolerable outage (MTO) D. Recovery time objective (RTO) Â Suggested Answer: C
Which of the following has the GREATEST influence on the successful integration of information security within the business? A. Organizational structure and culture B. Risk tolerance and organizational objectives C. Information security personnel D. The desired state of the organization  Suggested Answer: A
Which of the following is the MOST important consideration to support potential legal action when responding to a security incident? A. Contacting the appropriate law enforcement agency B. Encrypting the documentation being assembled C. Maintaining chain-of-custody of evidence D. Preparing full forensic system backups  Suggested Answer: C
An incident response team has established that an application has been breached. Which of the following should be done NEXT? A. Maintain the affected systems in a forensically acceptable state. B. Inform senior management of the breach. C. Isolate the impacted systems from the rest of the network. D. Conduct a risk assessment on the affected application. Â Suggested Answer: C
A daily monitoring report reveals that an IT employee made a change to a firewall rule outside of the change control process. The information security manager's FIRST step in addressing the issue should be to: A. perform an analysis of the change. B. report the event to senior management. C. require that the change be reversed. D. review the change management process.  Suggested Answer: С
Which of the following BEST facilitates the reporting of useful information about the effectiveness of the information security program? A. Security benchmark report B. Risk heat map C. Security metrics dashboard D. Key risk indicators (KRIs)  Suggested Answer: С
Which of the following BEST mitigates the risk or information loss caused by a cloud service provider becoming insolvent? A. Contractual provisions for the right to audit B. Effective data loss prevention (DLP) controls C. Contractual provisions for data repatriation D. The purchasing of cybersecurity insurance  Suggested Answer: С
An information security team has been tasked with identifying confidential data within the organization to formalize its asset classification scheme. The MOST relevant input would be provided by: A. business process owners. B. the legal department. C. the chief information officer (CIO). D. database administrators (DBAs). Â Suggested Answer: A
Which of the following is the PRIMARY reason to conduct a post-incident review? A. To determine whether digital evidence is admissible B. To notify regulatory authorities C. To improve the response process D. To aid in future risk assessments  Suggested Answer: С
Which of the following is the BEST way to protect against unauthorized access to an encrypted file sent via email? A. Validating the recipient's identity B. Using a digital signature in the email C. Utilizing a separate distribution channel for the password D. Ensuring a policy exists for encrypting files in transit  Suggested Answer: С
The PRIMARY purpose of implementing information security governance metrics is to: A. measure alignment with best practices. B. refine control operations. C. assess operational and program metrics. D. guide security towards the desired state. Â Suggested Answer: D
Which of the following roles is PRIMARILY responsible for developing an information classification framework based on business needs? A. Information owner B. Information security steering committee C. Senior management D. Information security manager  Suggested Answer: A
Which of the following should be done FIRST when developing an information security strategy? A. Establish information security steering committee. B. Determine the desired state of information security. C. Develop security policies and standards. D. Identity owners of information assets. Â Suggested Answer: B
Which of the following is the BEST approach for addressing noncompliance with security standards? A. Maintain a security exceptions process. B. Apply additional logging and monitoring to affected assets. C. Discontinue affected activities until security requirements can be met. D. Develop new security standards. Â Suggested Answer: A
Which of the following is the BEST method for managing information security compliance of third-party suppliers? A. Develop specific information security policies for third parties. B. Conduct a vulnerability assessment of the third-party supplier. C. Include third-party supplier details in the risk register. D. Ensure information security requirements are addressed in the contract. Â Suggested Answer: D
An organization is in the process of creating an agreement with a cloud provider. Who should determine the third party's destruction schedule for the organization's information? A. The organization's information security manager B. The cloud provider's information security manager C. The organization's data owner D. The cloud provider's data custodian  Suggested Answer: C
Which of the following is the BEST course of action when an organization's incident response team does not have expertise in forensic analysis? A. Contract with external forensic experts. B. Develop forensic analysis procedures. C. Document the shortcoming. D. Acquire forensic analysis tools. Â Suggested Answer: A
What should be the FIRST step when investigating an employee suspected of inappropriately downloading proprietary information? A. Check for a signed nondisclosure agreement (NDA). B. Review system access logs. C. Conduct a forensic examination of the device. D. Discuss the concern with the employee. Â Suggested Answer: B
Which of the following is MOST critical to ensure that information security incidents are managed properly? A. Conducting an incident capability maturity assessment B. Testing the incident response plan C. Establishing an incident management performance matrix D. Assembling the incident response team  Suggested Answer: B
The GREATEST challenge when attempting data recovery of a specific file during forensic analysis is when: A. high-level disk formatting has been performed. B. all files in the directory have been deleted. C. the partition table on the disk has been deleted. D. the file has been overwritten. Â Suggested Answer: D
Which of the following is MOST helpful in determining the criticality of an organization's business functions? A. Disaster recovery plan (DRP) B. Business continuity plan (BCP) C. Security assessment report (SAR) D. Business impact analysis (BIA) Â Suggested Answer: D
The contribution of recovery point objective (RPO) to disaster recovery is to: A. eliminate single points of failure. B. reduce mean time between failures (MTBF). C. define backup strategy. D. minimize outage periods. Â Suggested Answer: C
An information security manager is MOST likely to obtain approval for a new security project when the business case provides evidence of: A. threats to the organization. B. organizational alignment. C. existing control costs. D. IT strategy alignment. Â Suggested Answer: A
Which of the following should be established FIRST when implementing an Information security governance framework? A. Security incident management learn B. Security policies C. Security architecture D. Security awareness training program  Suggested Answer: B
An information security team is planning a security assessment of an existing vendor. Which of the following approaches is MOST helpful for properly scoping the assessment? A. Review the vendor’s security policy. B. Review controls listed in the vendor contract. C. Focus the review on the infrastructure with the highest risk. D. Determine whether the vendor follows the selected security framework rules.  Suggested Answer: A
A third-party audit of an organization's network security has identified several critical risks. Which of the following should the information security manager do NEXT? A. Assign risk ownership. B. Identify mitigating controls. C. Report the findings to senior management. D. Prioritize the risks. Â Suggested Answer: D
Which of the following provides the BEST evidence that a recently established information security program is effective? A. The number of reported incidents has increased. B. Regular IT balanced scorecards are communicated. C. The number of tickets associated with IT incidents have stayed consistent. D. Senior management has reported fewer junk emails. Â Suggested Answer: B
An investigation of a recent security incident determined that the root cause was negligent handling of incident alerts by system administrators. What is the BEST way for the information security manager to address this issue? A. Provide incident response training to data owners. B. Provide incident response training to data custodians. C. Conduct a risk assessment and share the results with senior management. D. Revise the incident response plan to align with business processes. Â Suggested Answer: B
An organization is the victim or a targeted attack and is unaware of the compromise until a security analyst notices an additional user account on the firewall. The implementation of which of the following would have detected the incident? A. Web-application firewall B. Security information and event management (SIEM) C. Data leakage prevention (DLP) D. Network access control  Suggested Answer: B
Of the following, who is accountable for data loss in the event of an information security incident at a third-party provider? A. The information security manager B. The service provider that hosts the data C. The incident response team D. The business data owner  Suggested Answer: D
Which of the following BEST minimizes information security risk in deploying applications to the production environment? A. Conducting penetration testing post implementation B. Having a well-defined change process C. Verifying security during the testing process D. Integrating security controls in each phase of the life cycle  Suggested Answer: B
Which of the following would BEST guide the development and maintenance of an information security program? A. A business impact assessment B. The organization's risk appetite C. A comprehensive risk register D. An established risk assessment process  Suggested Answer: B
Which of the following BEST indicates effective information security governance? A. Availability of information security policies B. Regular steering committee meetings C. Organization-wide attendance at annual security training D. Regular testing of the security incident response plan  Suggested Answer: B
When performing a business impact analysis (BIA), who should be responsible for determining the initial recovery time objective (RTO)? A. Information security manager B. External consultant C. Business continuity coordinator D. Information owner  Suggested Answer: C
Which of the following will ensure confidentiality of content when accessing an email system over the Internet? A. Digital encryption B. Multi-factor authentication C. Digital signatures D. Data masking  Suggested Answer: A
Who is BEST suited to determine how the information in a database should be classified? A. Information security analyst B. Database analyst C. Database administrator (DBA) D. Data owner  Suggested Answer: D
Which of the following is an incident containment method? A. Reviewing system logs and audit trails B. Removing compromised systems from the network C. Analyzing systems for impact from the incident D. Mapping the scope of the incident on the network  Suggested Answer: B
A CISO learns that a third-party service provider did not notify the organization of a data breach that affected the service provider's data center. Which of the following should the CISO do FIRST? A. Determine the extent of the impact to the organization. B. Request an independent review of the provider's data center. C. Notify affected customers of the data breach. D. Recommend canceling the outsourcing contract. Â Suggested Answer: A
Which of the following is MOST important to include in an incident response plan to ensure incidents are responded to by the appropriate individuals? A. Skills required for the incident response team B. A detailed incident notification process C. A list of external resources to assist with incidents D. Service level agreements (SLAs) Â Suggested Answer: A
Which of the following is the PRIMARY role of an information security manager in a software development project? A. To identify software security weaknesses B. To identify noncompliance in the early design stage C. To assess and approve the security application architecture D. To enhance awareness for secure software design  Suggested Answer: C
Which of the following MOST effectively identifies issues related to noncompliance with legal, regulatory, and contractual requirements? A. Compliance maturity assessment B. Compliance benchmarking data C. Compliance gap analysis D. Independent compliance audit  Suggested Answer: D
Which of the following is MOST helpful for fostering an effective information security culture? A. Obtaining support from key organizational influencers B. Implementing comprehensive technical security controls C. Conducting regular information security awareness training D. Developing procedures to enforce the information security policy  Suggested Answer: C
Which of the following is MOST important to convey to employees in building a security risk-aware culture? A. Employee access should be based on the principle of least privilege. B. Personal information requires different security controls than sensitive information. C. The responsibility for security rests with all employees. D. Understanding an information asset's value is critical to risk management. Â Suggested Answer: C
Which of the following is the PRIMARY objective of integrating information security governance into corporate governance? A. To align security goals with the information security program B. To ensure the business supports information security goals C. To adequately safeguard the business in achieving its mission D. To obtain management commitment for sustaining the security program  Suggested Answer: D
Which of the following is an information security manager's MOST important action to mitigate the risk associated with malicious software? A. Disabling end-user computer peripheral access ports B. Implementing a multi-layered security program C. Ensuring antivirus has the latest definition files D. Strengthening security patch implementation processes  Suggested Answer: D
Which of the following is the PRIMARY reason for granting a security exception? A. The risk is justified by the cost to security. B. The risk is justified by the benefit to security. C. The risk is justified by the benefit to the business. D. The risk is justified by the cost to the business. Â Suggested Answer: C
Which of the following is MOST effective in preventing the introduction of vulnerabilities that may disrupt the availability of a critical business application? A. A patch management process B. Change management controls C. Version control D. Logical access controls  Suggested Answer: B
An organization is planning to outsource the execution of its disaster recovery activities. Which of the following would be MOST important to include in the outsourcing agreement? A. Requirements for regularly testing backups B. The disaster recovery communication plan C. Recovery time objectives (RTOs) D. Definition of when a disaster should be declared  Suggested Answer: C
Which type of plan is PRIMARILY intended to reduce the potential impact of security events that may occur? A. Incident response plan B. Business continuity plan (BCP) C. Security awareness plan D. Disaster recovery plan (DRP) Â Suggested Answer: B
Which of the following is the MOST important outcome of strategic alignment of corporate and information security governance? A. Implementation of information security controls B. Development of a common and comprehensive set of IT security policies C. Higher acceptance of information security projects D. Reduction of adverse impacts on the organization to an acceptable level  Suggested Answer: D
Which of the following is MOST important to have in place as a basis for developing an effective information security program that supports the organization's business goals? A. An information security strategy B. A defined security organizational structure C. Information security policies D. Metrics to drive the information security program  Suggested Answer: A
Which of the following BEST enables the integration of information security governance into corporate governance? A. Senior management approval of the information security strategy B. Clear lines of authority across the organization C. An information security steering committee with business representation D. Well-documented information security policies and standards  Suggested Answer: C
Which of the following contributes MOST to the effectiveness of information security governance? A. Properly managed risk B. Alignment with technology strategy C. Stakeholder commitment D. A defined security policy  Suggested Answer: C
An information security manager determines there are a significant number of exceptions to a newly released industry-required security standard. Which of the following should be done NEXT? A. Document risk acceptances. B. Conduct an information security audit. C. Assess the consequences of noncompliance. D. Revise the organization's security policy. Â Suggested Answer: D
Which of the following BEST facilitates effective incident response testing? A. Including all business units in testing B. Testing after major business changes C. Simulating realistic test scenarios D. Reviewing test results quarterly  Suggested Answer: C
Which of the following is the BEST indication of effective information security governance? A. Information security is considered the responsibility of the entire information security team. B. Information security is integrated into corporate governance. C. Information security governance is based on an external security framework. D. Information security controls are assigned to risk owners. Â Suggested Answer: B
The information security manager has been notified of a new vulnerability that affects key data processing systems within the organization. Which of the following should be done FIRST? A. Re-evaluate the risk. B. Ask the business owner for the new remediation plan. C. Inform senior management. D. Implement compensating controls. Â Suggested Answer: A
Which of the following is the BEST way to assess the risk associated with using a Software as a Service (SaaS) vendor? A. Require vendors to complete information security questionnaires. B. Request customer references from the vendor. C. Verify that information security requirements are included in the contract. D. Review the results of the vendor's independent control reports. Â Suggested Answer: C
Security administration efforts will be greatly reduced following the deployment of which of the following techniques? A. Access control lists B. Distributed access control C. Discretionary access control D. Role-based access control  Suggested Answer: D
Which of the following would be the BEST way for an information security manager to improve the effectiveness of an organization's information security program? A. Focus on addressing conflicts between security and performance. B. Obtain assistance from IT to implement automated security controls. C. Include information security requirements in the change control process. D. Collaborate with business and IT functions in determining controls. Â Suggested Answer: D
Which of the following should an information security manager do FIRST upon learning of noncompliance with an impending information security regulatory change? A. Conduct a business impact and vulnerability analysis. B. Report the noncompliance to senior management. C. Assess the risk and cost of noncompliance. D. Implement the correct measures to become compliant. Â Suggested Answer: D
Which of the following is MOST critical when creating an incident response plan? A. Identifying what constitutes an incident B. Identifying vulnerable data assets C. Documenting incident notification and escalation processes D. Aligning with the risk assessment process  Suggested Answer: A
Which of the following would BEST help to ensure appropriate security controls are built into software? A. Integrating security throughout the development process B. Performing security testing prior to deployment C. Providing standards for implementation during development activities D. Providing security training to the software development team  Suggested Answer: A
Which of the following will BEST facilitate the integration of information security governance into enterprise governance? A. Implementing an information security awareness program B. Documenting the information security governance framework C. Developing an information security policy based on risk assessments D. Establishing an information security steering committee  Suggested Answer: D
Which of the following should an information security manager do FIRST when noncompliance with security standards is identified? A. Validate the noncompliance B. Include the noncompliance in the risk register C. Report the noncompliance to senior management D. Implement compensating controls to mitigate the noncompliance  Suggested Answer: A
Which of the following should be considered FIRST when recovering a compromised system that needs a complete rebuild? A. Network system logs B. Intrusion detection system (IDS) logs C. Patch management files D. Configuration management files  Suggested Answer: D
When deciding to move to a cloud-based model, the FIRST consideration should be: A. data classification B. physical location of the data C. storage in a shared environment D. availability of the data  Suggested Answer: A
Which of the following is the PRIMARY objective of incident triage? A. Containment of threats B. Coordination of communications C. Categorization of events D. Mitigation of vulnerabilities  Suggested Answer: C
Who is accountable for ensuring risk mitigation is effective? A. Application owner B. Business owner C. Risk owner D. Control owner  Suggested Answer: C
Which of the following BEST enables an information security manager to obtain organizational support for the implementation of security controls? A. Conducting periodic vulnerability assessments B. Defining the organization's risk management framework C. Communicating business impact analysis (BIA) results D. Establishing effective stakeholder relationships  Suggested Answer: D
To support effective risk decision making, which of the following is MOST important to have in place? A. An audit committee consisting of mid-level management B. Risk reporting procedures C. Well-defined and approved controls D. Established risk domains  Suggested Answer: C
Which of the following parties should be responsible for determining access levels to an application that processes client information? A. The identity and access management team B. The business client C. The information security team D. Business unit management  Suggested Answer: A
What should be an information security manager's MOST important consideration when developing a multi-year plan? A. Ensuring contingency plans are in place for potential information security risks B. Ensuring alignment with the plans of other business units C. Demonstrating projected budget increases year after year D. Allowing the information security program to expand its capabilities  Suggested Answer: A
Reevaluation of risk is MOST critical when there is: A. a management request for updated security reports. B. resistance to the implementation of mitigating controls. C. a change in the threat landscape. D. a change in security policy. Â Suggested Answer: C
Which of the following BEST supports investments in an information security program? A. Business impact analysis (BIA) B. Risk assessment results C. Gap analysis results D. Business cases  Suggested Answer: B
Which of the following is MOST important to ensure when developing escalation procedures for an incident response plan? A. Minimum regulatory requirements are maintained. B. The contact list regularly updated. C. Each process is assigned to a responsible party. D. Senior management approval has been documented. Â Suggested Answer: C
Which of the following is the PRIMARY benefit of implementing a vulnerability assessment process? A. Compliance status is improved. B. Threat management is enhanced. C. Security metrics are enhanced. D. Proactive risk management is facilitated. Â Suggested Answer: D
An organization is implementing an information security governance framework. To communicate the program's effectiveness to stakeholders, it is MOST important to establish: A. a control self-assessment (CSA) process. B. metrics for each milestone. C. automated reporting to stakeholders. D. a monitoring process for the security policy. Â Suggested Answer: B
Which of the following would be the MOST effective way to present quarterly reports to the board on the status of the information security program? A. Detailed analysis of security program KPIs B. An information security risk register C. An information security dashboard D. A capability and maturity assessment  Suggested Answer: C
Which of the following is the BEST way to obtain support for a new organization-wide information security program? A. Deliver an information security awareness campaign. B. Publish an information security RACI chart. C. Benchmark against similar industry organizations. D. Establish an information security strategy committee. Â Suggested Answer: D
To confirm that a third-party provider complies with an organization's information security requirements, it is MOST important to ensure: A. contract clauses comply with the organization's information security policy. B. security metrics are included in the service level agreement (SLA). C. the information security policy of the third-party service provider is reviewed. D. right to audit is included in the service level agreement (SLA). Â Suggested Answer: C
Which of the following BEST enables an organization to transform its culture to support information security? A. Strong management support B. Robust technical security controls C. Periodic compliance audits D. Incentives for security incident reporting  Suggested Answer: A
An organization is close to going live with the implementation of a cloud-based application. Independent penetration test results have been received that show a high-rated vulnerability. Which of the following would be the BEST way to proceed? A. Postpone the implementation until the vulnerability has been fixed. B. Commission further penetration tests to validate initial test results. C. Assess whether the vulnerability is within the organization's risk tolerance levels. D. Implement the application and request the cloud service provider to fix the vulnerability. Â Suggested Answer: C
Which of the following is the BEST way to achieve compliance with new global regulations related to the protection of personal information? A. Review contracts and statements of work (SOWs) with vendors. B. Determine current and desired state of controls. C. Execute a risk treatment plan. D. Implement data regionalization controls. Â Suggested Answer: D
Which of the following should be given the HIGHEST priority during an information security post-incident review? A. Evaluating incident response effectiveness B. Documenting actions taken in sufficient detail C. Evaluating the performance of incident response team members D. Updating key risk indicators (KRIs) Â Suggested Answer: A
Which of the following is the BEST course of action when an online company discovers a network attack in progress? A. Shut off all network access points. B. Isolate the affected network segment. C. Dump all event logs to removable media. D. Enable trace logging on all events. Â Suggested Answer: B
Which of the following is the BEST reason for an organization to use Disaster Recovery as a Service (DRaaS)? A. It transfers the risk associated with recovery to a third party. B. It eliminates the need for the business to perform testing. C. It eliminates the need to maintain offsite facilities. D. It lowers the annual cost to the business. Â Suggested Answer: A
When properly implemented, secure transmission protocols protect transactions: A. from eavesdropping. B. in the server's database. C. from denial of service (DoS) attacks. D. on the client desktop. Â Suggested Answer: A
An organization is in the process of acquiring a new company. Which of the following would be the BEST approach to determine how to protect newly acquired data assets prior to integration? A. Review data architecture. B. Include security requirements in the contract. C. Perform a risk assessment. D. Assess security controls. Â Suggested Answer: C
The PRIMARY objective of a post-incident review of an information security incident is to: A. minimize impact. B. determine the impact. C. prevent recurrence. D. update the risk profile. Â Suggested Answer: C
The MOST appropriate time to conduct a disaster recovery test would be after: A. the security risk profile has been reviewed. B. major business processes have been redesigned. C. the business continuity plan (BCP) has been updated. D. noncompliance incidents have been filed. Â Suggested Answer: C
Which of the following methods is the BEST way to demonstrate that an information security program provides appropriate coverage? A. Gap assessment B. Vulnerability scan report C. Maturity assessment D. Security risk analysis  Suggested Answer: D
Which of the following is an information security manager's MOST important course of action when responding to a major security incident that could disrupt the business? A. Notify law enforcement. B. Contact forensic investigators. C. Follow the escalation process. D. Identify the indicators of compromise. Â Suggested Answer: C
Which of the following is the GREATEST benefit of information asset classification? A. Supporting segregation of duties B. Defining resource ownership C. Providing a basis for implementing a need-to-know policy D. Helping to determine the recovery point objective (RPO) Â Suggested Answer: C
While classifying information assets, an information security manager notices that several production databases do not have owners assigned to them. What the information security manager address this situation? A. Assign the highest classification level to those databases. B. Assign responsibility to the database administrator (DBA). C. Prepare a report of the databases for senior management. D. Review the databases for sensitive content. Â Suggested Answer: B
An organization’s research department plans to apply machine learning algorithms on a large data set containing customer names and purchase history. The risk leakage is considered high impact. Which of the following is the BEST risk treatment option in this situation? A. Accept the risk, as the benefits exceed the potential consequences. B. Mitigate the risk by applying anonymization on the data set. C. Transfer the risk by purchasing insurance. D. Mitigate the risk by encrypting the customer names in the data set.  Suggested Answer: B
IT projects have gone over budget with too many security controls being added post-production. Which of the following would MOST help to ensure that relevant to a project? A. Involving information security at each stage of project management B. Creating a data classification framework and providing it to stakeholders C. Identifying responsibilities during the project business case analysis D. Providing stakeholders with minimum information security requirements  Suggested Answer: A
Which of the following is the BEST approach to reduce unnecessary duplication of compliance activities? A. Integration of assurance efforts B. Automation of controls C. Documentation of control procedures D. Standardization of compliance requirements  Suggested Answer: D
Which of the following BEST helps to ensure a risk response plan will be developed and executed in a timely manner? A. Establishing risk metrics B. Training on risk management procedures C. Reporting on documented deficiencies D. Assigning a risk owner  Suggested Answer: D
An information security manager learns that IT personnel are not adhering to the information security policy because it creates process inefficiencies. What should the information security manager do FIRST? A. Propose that IT update information security policies and procedures. B. Request that internal audit conduct a review of the policy development process. C. Conduct user awareness training within the IT function. D. Determine the risk related to noncompliance with the policy. Â Suggested Answer: D
Which of the following is MOST important to include in a report to key stakeholders regarding the effectiveness of an information security program? A. Security incident details B. Security metrics C. Security risk exposure D. Security baselines  Suggested Answer: B
An organization is increasingly using Software as a Service (SaaS) to replace in-house hosting and support of IT applications. Which of the following would be the MOST effective way to help ensure procurement decisions consider information security concerns? A. Integrate information security risk assessments into the procurement process. B. Invite IT members into regular procurement team meetings to influence best practice. C. Enforce the right to audit in procurement contracts with SaaS vendors. D. Provide regular information security training to the procurement team. Â Suggested Answer: C
Which of the following should be the KEY consideration when creating an information security communication plan with industry peers? A. Reducing the costs associated with information sharing by automating the process B. Balancing the benefits of information sharing with the drawbacks of sharing sensitive information C. Notifying the legal department whenever incident-related information is shared D. Ensuring information is detailed enough to be of use to other organizations  Suggested Answer: B
Which of the following is MOST effective for communicating forward-looking trends within security reporting? A. Key risk indicators (KRIs) B. Key performance indicators (KPIs) C. Key control indicators (KCIs) D. Key goal indicators (KGIs) Â Suggested Answer: A
An organization recently purchased data loss prevention (DLP) software but soon discovered the software fails to detect or prevent data loss. Which of the following should the information security manager do FIRST? A. Revise the data classification policy. B. Review the contract. C. Review the configuration D. Implement stricter data loss controls. Â Suggested Answer: C
Network isolation techniques are immediately implemented after a security breach to. A. allow time for key stakeholder decision making. B. reduce the extent of further damage. C. enforce zero trust architecture principles. D. preserve evidence as required for forensics. Â Suggested Answer: B
Which of the following incident response phases involves actions to help safeguard critical systems while maintaining business operations? A. Containment B. Identification C. Preparation D. Recovery  Suggested Answer: A
An organization has received complaints from users that some of their files have been encrypted. These users are receiving demands for money to decrypt the files. Which of the following would be the BEST course of action? A. Isolate the affected systems. B. Conduct an impact assessment. C. Initiate incident response. D. Rebuild the affected systems. Â Suggested Answer: C
Which of the following has the GREATEST positive impact on the ability to execute a disaster recovery plan (DRP)? A. Updating the plan periodically B. Conducting a walk-through of the plan C. Storing the plan at an offsite location D. Communicating the plan to all stakeholders. Â Suggested Answer: D
Which of the following is MOST important to include in monthly information security reports to the board? A. Root cause analysis of security incidents B. Threat intelligence C. Risk assessment results D. Trend analysis of security metrics  Suggested Answer: C
Which of the following activities is designed to handle a control failure that leads to a breach? A. Vulnerability management B. Incident management C. Root cause analysis D. Risk assessment  Suggested Answer: B
Which of the following is MOST important to consider when aligning a security awareness program with the organization's business strategy? A. Processes and technology B. People and culture C. Regulations and standards D. Executive and board directives  Suggested Answer: D
Which of the following BEST indicates that information assets are classified accurately? A. An accurate and complete information asset catalog B. Appropriate assignment of information asset owners C. Appropriate prioritization of information risk treatment D. Increased compliance with information security policy  Suggested Answer: A
Which of the following is MOST likely to be impacted when emerging technologies are introduced to an organization? A. Risk profile B. Security policies C. Control effectiveness D. Risk assessment approach  Suggested Answer: A
An organization's main product is a customer-facing application delivered using Software as a Service (SaaS). The lead security engineer has just identified a major security vulnerability at the primary cloud provider. Within the organization, who is PRIMARILY accountable for the associated risk? A. The data owner B. The information security manager C. The security engineer D. The application owner  Suggested Answer: B
Which of the following is the MOST important criterion when deciding whether to accept residual risk? A. Cost of replacing the asset B. Annual loss expectancy (ALE) C. Cost of additional mitigation D. Annual rate of occurrence  Suggested Answer: B
An information security manager finds that a soon-to-be deployed online application will increase risk beyond acceptable levels, and necessary controls have not been included. Which of the following is the BEST course of action for the information security manager? A. Recommend a different application. B. Instruct IT to deploy controls based on urgent business needs. C. Solicit bids for compensating control products. D. Present a business case for additional controls to senior management. Â Suggested Answer: D
When developing a business case to justify an information security investment, which of the following would BEST enable an informed decision by senior management? A. The information security strategy B. Security investment trends in the industry C. Losses due to security incidents D. The results of a risk assessment  Suggested Answer: D
A data-hosting organization's data center houses servers, applications, and data for a large number of geographically dispersed customers. Which of the following strategies is the BEST approach for developing a physical access control policy for the organization? A. Review customers’ security policies. B. Design single sign-on (SSO) or federated access. C. Develop access control requirements for each system and application. D. Conduct a risk assessment to determine security risks and mitigating controls.  Suggested Answer: D
Which of the following is a PRIMARY benefit of managed security solutions? A. Easier implementation across an organization B. Greater ability to focus on core business operations C. Wider range of capabilities D. Lower cost of operations  Suggested Answer: B
Which of the following is an example of risk mitigation? A. Improving security controls B. Discontinuing the activity associated with the risk C. Performing a cost-benefit analysis D. Purchasing insurance  Suggested Answer: A
Which of the following BEST enables an organization to provide ongoing assurance that legal and regulatory compliance requirements can be met? A. Engaging external experts to provide guidance on changes in compliance requirements B. Assigning the operations manager accountability for meeting compliance requirements C. Embedding compliance requirements within operational processes D. Performing periodic audits for compliance with legal and regulatory requirements  Suggested Answer: D
Following a successful attack, an information security manager should be confident the malware has not continued to spread at the completion of which incident response phase? A. Recovery B. Eradication C. Identification D. Containment  Suggested Answer: D
Which of the following is the BEST method to align an information security strategic plan to the corporate strategy? A. Ensuring the plan complies with business unit expectations B. Involving industry experts in the development of the plan C. Involving senior management in the development of the plan D. Obtaining adequate funds from senior management  Suggested Answer: C
Which of the following would BEST ensure that security is integrated during application development? A. Performing application security testing during acceptance testing B. Introducing security requirements during the initiation phase C. Employing global security standards during development processes D. Providing training on secure development practices to programmers  Suggested Answer: D
Which of the following is MOST important in increasing the effectiveness of incident responders? A. Integrating staff with the IT department B. Testing response scenarios C. Communicating with the management team D. Reviewing the incident response plan annually  Suggested Answer: D
Which of the following should be the PRIMARY objective of the information security incident response process? A. Classifying incidents B. Conducting incident triage C. Communicating with internal and external parties D. Minimizing negative impact to critical operations  Suggested Answer: D
An incident response team has been assembled from a group of experienced individuals. Which type of exercise would be MOST beneficial for the team at the first drill? A. Tabletop exercise B. Red team exercise C. Disaster recovery exercise D. Black box penetration test  Suggested Answer: A
In violation of a policy prohibiting the use of cameras at the office, employees have been issued smartphones and tablet computers with enabled web cameras. Which of the following should be the information security manager's FIRST course of action? A. Revise the policy. B. Conduct a risk assessment. C. Communicate the acceptable use policy. D. Perform a root cause analysis. Â Suggested Answer: B
When performing a business impact analysis (BIA), who should calculate the recovery time and cost estimates? A. Business process owner B. Business continuity coordinator C. Information security manager D. Senior management  Suggested Answer: B
A PRIMARY purpose of creating security policies is to: A. implement management's security governance strategy. B. establish the way security tasks should be executed. C. communicate management's security expectations. D. define allowable security boundaries. Â Suggested Answer: C
The MAIN benefit of implementing a data loss prevention (DLP) solution is to: A. enhance the organization's antivirus controls. B. reduce the need for a security awareness program. C. complement the organization's detective controls. D. eliminate the risk of data loss. Â Suggested Answer: C
Which of the following is the MOST important detail to capture in an organization's risk register? A. Risk acceptance criteria B. Risk severity level C. Risk ownership D. Risk appetite  Suggested Answer: C
Which of the following will provide the MOST guidance when deciding the level of protection for an information asset? A. Impact on information security program B. Cost of controls C. Impact to business function D. Cost to replace  Suggested Answer: A
Which of the following BEST demonstrates return on investment (ROI) for an information security initiative? A. Risk heat map B. Business impact analysis (BIA) C. Business case D. Information security program roadmap  Suggested Answer: C
Which of the following is BEST suited to provide regular reporting to the board regarding the status of compliance to a global security standard? A. Legal counsel B. Quality assurance (QA) C. Information security D. Internal audit  Suggested Answer: D
Which of the following would be MOST effective in gaining senior management approval of security investments in network infrastructure? A. Performing penetration tests against the network to demonstrate business vulnerability B. Highlighting competitor performance regarding network best security practices C. Presenting comparable security implementation estimates from several vendors D. Demonstrating that targeted security controls tie to business objectives  Suggested Answer: D
Which of the following is the MOST important reason to implement information security governance? A. To align the security strategy with the organization’s strategy B. To monitor the performance of information security resources C. To monitor the achievement of business goals and objectives D. To provide adequate resources to achieve business goals  Suggested Answer: A
Which of the following is a PRIMARY objective of an information security governance framework? A. To provide the basis for action plans to achieve information security objectives organization-wide B. To achieve the desired information security state as defined by business unit management C. To align the relationships of stakeholders involved in developing and executing an information security strategy D. To provide assurance that information assets are provided a level of protection proportionate to their inherent risk  Suggested Answer: D
Which of the following is the BEST way to reduce the risk associated with a bring your own device (BYOD) program? A. Implement a mobile device policy and standard. B. Provide employee training on secure mobile device practices. C. Implement a mobile device management (MDM) solution. D. Require employees to install an effective anti-malware app. Â Suggested Answer: C
An information security manager has contracted with a company to design security architecture for an application. Which of the following is accountable for identification associated with this initiative? A. The project steering committee B. The information security manager C. The infrastructure management team D. The application development team  Suggested Answer: B
Which of the following desired outcomes BEST supports a decision to invest in a new security initiative? A. Enhanced security monitoring and reporting B. Reduction of organizational risk C. Reduced control complexity D. Enhanced threat detection capability  Suggested Answer: B
Which of the following is an information security manager’s MOST important consideration when exploring the use of a third-party provider to handle an IT function? A. The provider carries cyber insurance to cover security breaches. B. The provider agrees to provide historical security incident data. C. The provider’s security processes align with the organization’s. D. The provider has undergone an independent security review.  Suggested Answer: C
Which of the following MUST be defined in order for an information security manager to evaluate the appropriateness of controls currently in place? A. Security policy B. Risk management framework C. Security standards D. Risk appetite  Suggested Answer: B
When an organization decides to accept a risk, it should mean the cost to mitigate: A. exceeds budget allocation. B. is higher than the cost to transfer risk. C. is less than the residual risk. D. is greater than the residual risk. Â Suggested Answer: D
Which of the following is the MOST important reason to conduct interviews as part of the business impact analysis (BIA) process? A. To facilitate a qualitative risk assessment following the BIA B. To obtain input from as many relevant stakeholders as possible C. To ensure the stakeholders providing input own the related risk D. To increase awareness of information security among key stakeholders  Suggested Answer: B
Due to changes in an organization’s environment, security controls may no longer be adequate. What is the information security manager’s BEST course of action? A. Perform a new risk assessment. B. Review the previous risk assessment and countermeasures. C. Transfer the new risk to a third party. D. Evaluate countermeasures to mitigate new risks.  Suggested Answer: A
What is the PRIMARY benefit to an organization when information security program requirements are aligned with employment and staffing processes? A. Access is granted based on task requirements. B. Information assets are classified appropriately. C. Security staff turnover is reduced. D. Security incident reporting procedures are followed. Â Suggested Answer: C
When developing an asset classification program, which of the following steps should be completed FIRST? A. Implement a data loss prevention (DLP) system. B. Categorize each asset. C. Create a business case for a digital rights management tool. D. Create an inventory. Â Suggested Answer: D
Which of the following is the PRIMARY reason to monitor key risk indicators (KRIs) related to information security? A. To alert on unacceptable risk B. To identity residual risk C. To reassess risk appetite D. To benchmark control performance  Suggested Answer: A
Which of the following is the BEST indicator of an emerging incident? A. A weakness identified within an organization's information systems B. Attempted patching of systems resulting in errors C. Customer complaints about lack of website availability D. A recent security incident at an industry competitor  Suggested Answer: C
An organization has discovered a recurring problem with unsecure code being released into production. Which of the following is the information security manager action? A. Implement segregation of duties between development and production. B. Increase the frequency of penetration testing. C. Review existing configuration management processes. D. Review existing change management processes. Â Suggested Answer: D
When developing a categorization method for security incidents, the categories MUST: A. be created by the incident hander. B. align with reporting requirements. C. have agreed-upon definitions. D. align with industry standards. Â Suggested Answer: C
Which of the following risk scenarios is MOST likely to emerge from a supply chain attack? A. Unreliable delivery of hardware and software resources by a supplier B. Unavailability of services provided by a supplier C. Loss of customers due to unavailability of products D. Compromise of critical assets via third-party resources  Suggested Answer: D
An information security manager learns through a threat intelligence service that the organization may be targeted for a major emerging threat. Which of the following is the information security manager's FIRST course of action? A. Conduct an information security audit B. Perform a gap analysis C. Validate the relevance of the information D. Inform senior management  Suggested Answer: C
Which of the following BEST indicates that an organization has effectively tested its business continuity and disaster recovery plans within the stated recovery time objectives (RTOs)? A. Internal compliance requirements are being met B. Regulatory requirements are being met C. Risk management objectives are being met D. Business needs are being met  Suggested Answer: D
The MOST important attribute of a security control is that it is: A. auditable B. measurable C. scalable D. reliable  Suggested Answer: D
Which of the following will BEST enable an effective information asset classification process? A. Reviewing the recovery time objective (RTO) requirements of the asset B. Assigning ownership C. Including security requirements in the classification process D. Analyzing audit findings  Suggested Answer: C
An information security manager has been notified about a compromised endpoint device. Which of the following is the BEST course of action to prevent further damage? A. Run a virus scan on the endpoint device B. Wipe and reset the endpoint device C. Power off the endpoint device D. Isolate the endpoint device  Suggested Answer: D
During which of the following phases should an incident response team document actions required to remove the threat that caused the incident? A. Eradication B. Identification C. Containment D. Post-incident review  Suggested Answer: A
A user reports a stolen personal mobile device that stores sensitive corporate data. Which of the following will BEST minimize the risk of data exposure? A. Wipe the device remotely B. Remove user's access to corporate data C. Prevent the user from using personal mobile devices D. Report the incident to the police  Suggested Answer: B
An organization has acquired a company in a foreign country to gain an advantage in a new market. Which of the following is the FIRST step the information security manager should take? A. Evaluate the information security laws that apply to the acquired company B. Apply the existing information security program to the acquired company C. Merge the two existing information security programs D. Determine which country's information security regulations will be used  Suggested Answer: A
An organization's disaster recovery plan (DRP) is documented and kept at a disaster recovery site. Which of the following is the BEST way to ensure the plan can be carried out in an emergency? A. Require disaster recovery documentation be stored with all key decision makers B. Provide annual disaster recovery training to appropriate staff C. Maintain an outsourced contact center in another country D. Store disaster recovery documentation in a public cloud  Suggested Answer: B
Which of the following is a desired outcome of information security governance? A. Penetration test B. A maturity model C. Improved risk management D. Business agility  Suggested Answer: B
When designing an information security risk monitoring framework, it is MOST important to ensure: A. preservation of forensic evidence is enabled B. the monitoring system is patched regularly C. feedback is communicated to stakeholders D. outlier events are escalated to system administrators  Suggested Answer: C
Which of the following BEST enables staff acceptance of information security policies? A. Adequate security funding B. A robust incident response program C. Strong senior management support D. Computer-based training  Suggested Answer: C
Which of the following is the BEST way to rigorously test a disaster recovery plan (DRP) for a mission-critical system without disrupting business operations? A. Parallel testing B. Simulation testing C. Checklist review D. Structured walk-through  Suggested Answer: A
An information security manager is concerned with continued security policy violations in a particular business unit despite recent efforts to rectify the situation. What is the BEST course of action? A. Review the business unit’s function against the policy B. Revise the policy to accommodate the business unit C. Report the business unit for policy noncompliance D. Enforce sanctions on the business unit  Suggested Answer: A
Which of the following BEST facilitates an information security manager’s efforts to obtain senior management commitment for an information security program? A. Presenting evidence of inherent risk B. Reporting the security maturity level C. Presenting compliance requirements D. Communicating the residual risk  Suggested Answer: D
Which of the following is PRIMARILY determined by asset classification? A. Priority for asset replacement B. Level of protection required for assets C. Replacement cost of assets D. Insurance coverage required for assets  Suggested Answer: B
Which of the following is MOST helpful for aligning security operations with the IT governance framework? A. Business impact analysis (BIA) B. Security operations program C. Information security policy D. Security risk assessment  Suggested Answer: C
An information security manager has been made aware of a new data protection regulation that will soon go into effect. Which of the following is the BEST way to manage the risk of noncompliance? A. Perform a gap analysis. B. Consult with senior management on the best course of action. C. Implement a program of work to comply with the new legislation. D. Understand the cost of noncompliance. Â Suggested Answer: C
An information security manager learns of a new standard related to an emerging technology the organization wants to implement. Which of the following should the information security manager recommend be done FIRST? A. Perform a risk assessment on the new technology. B. Obtain legal counsel’s opinion on the standard's applicability to regulations. C. Determine whether the organization can benefit from adopting the new standard. D. Review industry specialists’ analyses of the new standard.  Suggested Answer: A
Which of the following security processes will BEST prevent the exploitation of system vulnerabilities? A. Antivirus software B. Log monitoring C. Intrusion detection D. Patch management  Suggested Answer: D
Which of the following is the BEST method to protect against emerging advanced persistent threat (APT) actors? A. Providing ongoing training to the incident response team B. Updating information security awareness materials C. Implementing a honeypot environment D. Implementing proactive systems monitoring  Suggested Answer: D
Measuring which of the following is the MOST accurate way to determine the alignment of an information security strategy with organizational goals? A. Number of blocked intrusion attempts B. Number of business cases reviewed by senior management C. Trends in the number of identified threats to the business D. Percentage of controls integrated into business processes  Suggested Answer: D
An organization recently outsourced the development of a mission-critical business application. Which of the following would be the BEST way to test for the existence of backdoors? A. Perform security code reviews on the entire application B. Scan the entire application using a vulnerability scanning tool C. Monitor Internet traffic for sensitive information leakage D. Run the application from a high-privileged account on a test system  Suggested Answer: A
When remote access to confidential information is granted to a vendor for analytic purposes, which of the following is the MOST important security consideration? A. The vendor must be able to amend data B. The vendor must agree to the organization's information security policy C. Data is encrypted in transit and at rest at the vendor site D. Data is subject to regular access log review  Suggested Answer: C
When investigating an information security incident details of the incident should be shared: A. widely to demonstrate positive intent B. only as needed C. only with management D. only with internal audit  Suggested Answer: B
The PRIMARY advantage of involving end users in continuity planning is that they: A. can see the overall impact to the business B. are more objective than information security management C. can balance the technical and business risks D. have a better understanding of specific business needs  Suggested Answer: D
In a business proposal, a potential vendor promotes being certified for international security standards as a measure of its security capability. Before relying on this certification, it is MOST important that the information security manager confirms that the: A. certification scope is relevant to the service being offered B. certification will remain current through the life of the contract C. current international standard was used to assess security processes D. certification can be extended to cover the client's business  Suggested Answer: A
Which of the following service offerings in a typical Infrastructure as a Service (IaaS) model will BEST enable a cloud service provider to assist customers when recovering from a security incident? A. Capability to take a snapshot of virtual machines B. Capability of online virtual machine analysis C. Availability of web application firewall logs D. Availability of current infrastructure documentation  Suggested Answer: A
Which of the following roles is BEST able to influence the security culture within an organization? A. Chief information security officer (CISO) B. Chief information officer (CIO) C. Chief operating officer (COO) D. Chief executive officer (CEO) Â Suggested Answer: D
Which of the following BEST indicates the effectiveness of a recent information security awareness campaign delivered across the organization? A. Increase in the frequency of security incident escalations B. Reduction in the impact of security incidents C. Decrease in the number of security incidents D. Increase in the number of reported security incidents  Suggested Answer: D
Which of the following is the BEST evidence of alignment between corporate and information security governance? A. Security key performance indicators (KPIs) B. Senior management sponsorship C. Regular security policy reviews D. Project resource optimization  Suggested Answer: A
When designing a disaster recovery plan (DRP), which of the following MUST be available in order to prioritize system restoration? A. Key performance indicators (KPIs) B. Systems inventory C. Recovery procedures D. Business impact analysis (BIA) results  Suggested Answer: D
Which of the following factors has the GREATEST influence on the successful implementation of information security strategy goals? A. Regulatory requirements B. Compliance acceptance C. Management support D. Budgetary approval  Suggested Answer: C
Which of the following is the BEST approach for managing user access permissions to ensure alignment with data classification? A. Delegate the management of access permissions to an independent third party B. Review access permissions annually or whenever job responsibilities change C. Lock out accounts after a set number of unsuccessful login attempts D. Enable multi-factor authentication on user and admin accounts  Suggested Answer: B
Which of the following is the MOST critical factor for information security program success? A. A comprehensive risk assessment program for information security B. The information security manager's knowledge of the business C. Ongoing audits and addressing open items D. Security staff with appropriate training and adequate resources  Suggested Answer: A
Which of the following events would MOST likely require a revision to the information security program? A. A change in IT management B. A merger with another organization C. A significant increase in reported incidents D. An increase in industry threat level  Suggested Answer: B
Which of the following is the MOST important consideration when establishing an organization's information security governance committee? A. Members represent functions across the organization B. Members have knowledge of information security controls C. Members are rotated periodically D. Members are business risk owners  Suggested Answer: A
An incident management team is alerted to a suspected security event. Before classifying the suspected event as a security incident it is MOST important for the security manager to: A. follow the incident response plan B. follow the business continuity plan (BCP) C. conduct an incident forensic analysis D. notify the business process owner  Suggested Answer: D
Which of the following is the BEST way to ensure the capability to restore clean data after a ransomware attack? A. Purchase cyber insurance B. Encrypt sensitive production data C. Maintain multiple offline backups D. Perform integrity checks on backups  Suggested Answer: D
An organization's marketing department wants to use an online collaboration service, which is not in compliance with the information security policy. A risk assessment is performed, and risk acceptance is being pursued. Approval of risk acceptance should be provided by: A. business senior management. B. the compliance officer. C. the information security manager. D. the chief risk officer (CRO). Â Suggested Answer: A
In an organization with a rapidly changing environment, business management has accepted an information security risk. It is MOST important for the information security manager to ensure: A. change activities are documented. B. compliance with the risk acceptance framework. C. the rationale for acceptance is periodically reviewed. D. the acceptance is aligned with business strategy. Â Suggested Answer: C
Which of the following is the BEST course of action for an information security manager to align security and business goals? A. Reviewing the business strategy B. Conducting a business impact analysis (BIA) C. Actively engaging with stakeholders D. Defining key performance indicators (KPIs) Â Suggested Answer: C
What should be the information security manager’s FIRST step when updating an information security program? A. Review costs and benchmark them against industry norms. B. Interview business unit managers and key stakeholders. C. Identify program components that do not align with business objectives. D. Re-evaluate the organization's business expectations and objectives.  Suggested Answer: D
Which of the following defines the triggers within a business continuity plan (BCP)? A. Disaster recovery plan (DRP) B. Needs of the organization C. Information security policy D. Gap analysis  Suggested Answer: B
A cloud application used by an organization is found to have a serious vulnerability. After assessing the risk, which of the following would be the information security manager's BEST course of action? A. Instruct the vendor to conduct penetration testing. B. Suspend the connection to the application in the firewall. C. Initiate the organization’s incident response process. D. Report the situation to the business owner of the application.  Suggested Answer: D
Which of the following is the BEST indication of a successful information security culture? A. The budget allocated for information security is sufficient B. End users know how to identify and report incidents C. Individuals are given roles based on job functions D. Penetration testing is done regularly and findings remediated  Suggested Answer: B
Which of the following plans should be invoked by an organization in an effort to remain operational during a disaster? A. Incident response plan B. Disaster recovery plan (DRP) C. Business contingency plan D. Business continuity plan (BCP) Â Suggested Answer: D
Which of the following sources is MOST useful when planning a business-aligned information security program? A. Business impact analysis (BIA) B. Information security policy C. Security risk register D. Enterprise architecture (EA) Â Suggested Answer: A
Which of the following is the BEST technical defense against unauthorized access to a corporate network through social engineering? A. Requiring multifactor authentication B. Requiring challenge/response information C. Enforcing frequent password changes D. Enforcing complex password formats  Suggested Answer: A
What is the BEST way to reduce the impact of a successful ransomware attack? A. Include provisions to pay ransoms in the information security budget B. Monitor the network and provide alerts on intrusions C. Perform frequent backups and store them offline D. Purchase or renew cyber insurance policies  Suggested Answer: C
Which of the following is the BEST approach for governing noncompliance with security requirements? A. Require users to acknowledge the acceptable use policy B. Base mandatory review and exception approvals on residual risk C. Require the steering committee to review exception requests D. Base mandatory review and exception approvals on inherent risk  Suggested Answer: B
Which of the following is MOST important to ensuring information stored by an organization is protected appropriately? A. Defining security asset categorization B. Assigning information asset ownership C. Developing a records retention schedule D. Defining information stewardship roles  Suggested Answer: A
In which cloud model does the cloud service buyer assume the MOST security responsibility? A. Infrastructure as a Service (IaaS) B. Software as a Service (SaaS) C. Disaster Recovery as a Service (DRaaS) D. Platform as a Service (PaaS) Â Suggested Answer: A
Which of the following is the GREATEST benefit of conducting an organization-wide security awareness program? A. More security incidents are detected B. Security behavior is improved C. The security strategy is promoted D. Fewer security incidents are reported  Suggested Answer: B
Which of the following is the FIRST step to establishing an effective information security program? A. Assign accountability B. Perform a business impact analysis (BIA) C. Create a business case D. Conduct a compliance review  Suggested Answer: C
An information security manager believes that information has been classified inappropriately, increasing the risk of a breach. Which of the following is the information security manager's BEST action? A. Re-classify the data and increase the security level to meet business risk B. Complete a risk assessment and refer the results to the data owners C. Instruct the relevant system owners to reclassify the data D. Refer the issue to internal audit for a recommendation  Suggested Answer: B
Which of the following BEST supports the incident management process for attacks on an organization's supply chain? A. Requiring security awareness training for vendor staff B. Including service level agreements (SLAs) in vendor contracts C. Performing integration testing with vendor systems D. Establishing communication paths with vendors  Suggested Answer: B
Which of the following is MOST useful to an information security manager when conducting a post-incident review of an attack? A. Cost of the attack to the organization B. Location of the attacker C. Details from intrusion detection system (IDS) logs D. Method of operation used by the attacker  Suggested Answer: C
Which of the following is MOST important for an information security manager to verify when selecting a third-party forensics provider? A. Existence of a right to audit clause B. Technical capabilities of the provider C. Results of the provider's business continuity tests D. Existence of the provider's incident response plan  Suggested Answer: B
The BEST way to ensure that frequently encountered incidents are reflected in the user security awareness training program is to include: A. responses to security questionnaires. B. previous training sessions. C. examples of help desk requests. D. results of exit interviews. Â Suggested Answer: C
A risk assessment exercise has identified the threat of a denial of service (DoS) attack. Executive management has decided to take no further action related to this risk. The MOST likely reason for this decision is: A. the cost of implementing controls exceeds the potential financial losses. B. the risk assessment has not defined the likelihood of occurrence. C. executive management is not aware of the impact potential. D. the reported vulnerability has not been validated. Â Suggested Answer: A
Which of the following is the BEST indication of an effective information security awareness training program? A. An increase in the identification rate during phishing simulations B. An increase in the speed of incident resolution C. An increase in positive user feedback D. An increase in the frequency of phishing tests  Suggested Answer: A
Penetration testing is MOST appropriate when a: A. new system is about to go live. B. security incident has occurred. C. security policy is being developed. D. new system is being designed. Â Suggested Answer: A
Which of the following will result in the MOST accurate controls assessment? A. Mature change management processes B. Unannounced testing C. Well-defined security policies D. Senior management support  Suggested Answer: B
The MOST important reason for having an information security manager serve on the change management committee is to: A. ensure changes are properly documented. B. advise on change-related risk. C. identify changes to the information security policy. D. ensure that changes are tested. Â Suggested Answer: B
Of the following, who is in the BEST position to evaluate business impacts? A. Senior management B. Information security manager C. Process manager D. IT manager  Suggested Answer: C
Which of the following should be done FIRST when establishing a new data protection program that must comply with applicable data privacy regulations? A. Encrypt all personal data stored on systems and networks. B. Evaluate privacy technologies required for data protection. C. Create an inventory of systems where personal data is stored. D. Update disciplinary processes to address privacy violations. Â Suggested Answer: C
Which of the following is the BEST approach to incident response for an organization migrating to a cloud-based solution? A. Transfer responsibility for incident response to the cloud provider. B. Continue using the existing incident response procedures. C. Revise incident response procedures to encompass the cloud environment. D. Adopt the cloud provider’s incident response procedures.  Suggested Answer: C
Which of the following is the BEST way to help ensure an organization's risk appetite will be considered as part of the risk treatment process? A. Establish key risk indicators (KRIs). B. Provide regular reporting on risk treatment to senior management. C. Require steering committee approval of risk treatment plans. D. Use quantitative risk assessment methods. Â Suggested Answer: A
Which of the following is MOST important to include in a post-incident review following a data breach? A. An evaluation of the effectiveness of the information security strategy B. Documentation of regulatory reporting requirements C. A review of the forensics chain of custody D. Evaluations of the adequacy of existing controls  Suggested Answer: D
An organization plans to leverage popular social network platforms to promote its products and services. Which of the following is the BEST course of action for the information security manager to support this initiative? A. Conduct vulnerability assessments on social network platforms. B. Assess the security risk associated with the use of social networks. C. Establish processes to publish content on social networks. D. Develop security controls for the use of social networks. Â Suggested Answer: B
Which of the following BEST supports information security management in the event of organizational changes in security personnel? A. Ensuring current documentation of security processes B. Formalizing a security strategy and program C. Developing an awareness program for staff D. Establishing processes within the security operations team  Suggested Answer: A
Which of the following is the BEST tool to monitor the effectiveness of information security governance? A. Balanced scorecard B. Risk profile C. Business impact analysis (BIA) D. Key performance indicators (KPIs) Â Suggested Answer: A
Management decisions concerning information security investments will be MOST effective when they are based on: A. a process for identifying and analyzing threats and vulnerabilities. B. the formalized acceptance of risk analysis by management. C. the reporting of consistent and periodic assessments of risks. D. an annual loss expectancy (ALE) determined from the history of security events. Â Suggested Answer: C
An organization is going through a digital transformation process, which places the IT organization in an unfamiliar risk landscape. The information security manager has been tasked with leading the IT risk management process. Which of the following should be given the HIGHEST priority? A. Identification of risk B. Selection of risk treatment options C. Analysis of control gaps D. Design of key risk indicators (KRIs) Â Suggested Answer: A
Which of the following change management procedures is MOST likely to cause concern to the information security manager? A. Users are not notified of scheduled system changes. B. Fallback processes are tested the weekend before changes are made. C. The development manager migrates programs into production. D. A manual rather than an automated process is used to compare program versions. Â Suggested Answer: A
Which is the BEST method to evaluate the effectiveness of an alternate processing site when continuous uptime is required? A. Full interruption test B. Tabletop test C. Parallel test D. Simulation test  Suggested Answer: C
Which of the following should be the MOST important consideration when establishing information security policies for an organization? A. Job descriptions include requirements to read security policies. B. Senior management supports the policies. C. The policies are aligned to industry best practices. D. The policies are updated annually. Â Suggested Answer: B
If civil litigation is a goal for an organizational response to a security incident, the PRIMARY step should be to: A. capture evidence using standard server-backup utilities. B. document the chain of custody. C. reboot affected machines in a secure area to search for evidence. D. contact law enforcement. Â Suggested Answer: B
Which of the following is MOST helpful for determining which information security policies should be implemented by an organization? A. Business impact analysis (BIA) B. Risk assessment C. Vulnerability assessment D. Industry best practices  Suggested Answer: B
Which of the following BEST ensures timely and reliable access to services? A. Authenticity B. Availability C. Nonrepudiation D. Recovery time objective (RTO) Â Suggested Answer: B
An organization is creating a risk mitigation plan that considers redundant power supplies to reduce the business risk associated with critical system outages. Which type of control is being considered? A. Deterrent B. Detective C. Preventive D. Corrective  Suggested Answer: D
Which of the following BEST enables an information security manager to determine the comprehensiveness of an organization’s information security strategy? A. Internal security audit B. Organizational risk appetite C. External security audit D. Business impact analysis (BIA)  Suggested Answer: B
Which of the following is an information security manager's BEST course of action when a threat intelligence report indicates a large number of ransomware attacks targeting the industry? A. Assess the risk to the organization. B. Review the mitigating security controls. C. Notify staff members of the threat. D. Increase the frequency of system backups. Â Suggested Answer: A
Of the following, whose input is of GREATEST importance in the development of an information security strategy? A. Security architects B. End users C. Corporate auditors D. Process owners  Suggested Answer: D
Which risk is introduced when using only sanitized data for the testing of applications? A. Unexpected outcomes may arise in production. B. Data disclosure may occur during the migration event. C. Breaches of compliance obligations will occur. D. Data loss may occur during the testing phase. Â Suggested Answer: A
Which of the following is the MOST important consideration when defining a recovery strategy in a business continuity plan (BCP)? A. Legal and regulatory requirements B. Likelihood of a disaster C. Organizational tolerance to service interruption D. Geographical location of the backup site  Suggested Answer: C
Which of the following should be done FIRST when developing an information security program? A. Establish security policies. B. Define the security strategy. C. Approve security standards. D. Set security baselines. Â Suggested Answer: B
The BEST way to identify the risk associated with a social engineering attack is to: A. monitor the intrusion detection system (IDS). B. review single sign-on (SSO) authentication logs. C. perform a business risk assessment of the email filtering system. D. test user knowledge of information security practices. Â Suggested Answer: D
Which of the following is MOST important to have in place to help ensure an organization's cybersecurity program meets the needs of the business? A. Information security awareness training B. Risk assessment program C. Information security governance D. Information security metrics  Suggested Answer: C
Which of the following is the GREATEST benefit of including incident classification criteria within an incident response plan? A. More visibility to the impact of disruptions B. Ability to monitor and control incident management costs C. Effective protection of information assets D. Optimized allocation of recovery resources  Suggested Answer: D
A recovery point objective (RPO) is required in which of the following? A. Business continuity plan (BCP) B. Information security plan C. Incident response plan D. Disaster recovery plan (DRP) Â Suggested Answer: A
Which of the following provides the BEST assurance that security policies are applied across business operations? A. Organizational standards are enforced by technical controls. B. Organizational standards are included in awareness training. C. Organizational standards are required to be formally accepted. D. Organizational standards are documented in operational procedures. Â Suggested Answer: D
Which of the following should an information security manager do FIRST when a mandatory security standard hinders the achievement of an identified business objective? A. Recommend risk acceptance. B. Perform a cost-benefit analysis. C. Escalate to senior management. D. Revisit the business objective. Â Suggested Answer: C
A business unit is not complying with a control implemented to mitigate risk because doing so impacts the ability to achieve business goals. When reporting the noncompliance to senior management, what would be the information security manager's BEST recommendation? A. Accept the noncompliance. B. Conduct a control assessment. C. Implement compensating controls. D. Educate the noncompliant users. Â Suggested Answer: C
Which of the following is MOST helpful for protecting an enterprise from advanced persistent threats (APTs)? A. Updated security policies B. Regular antivirus updates C. Defined security standards D. Threat intelligence  Suggested Answer: D
Which of the following should be the PRIMARY consideration when developing an incident response plan? A. Previously reported incidents B. Management support C. Compliance with regulations D. The definition of an incident  Suggested Answer: D
A strict new regulation is being finalized to address global concerns regarding cybersecurity. Which of the following should the information security manager do FIRST? A. Monitor industry response to the regulation. B. Seek legal counsel on the new regulation. C. Validate the applicability of the regulation. D. Escalate compliance risk to senior management  Suggested Answer: C
A post-incident review identified that user error resulted in a major breach. Which of the following is MOST important to determine during the review? A. The underlying reason for the user error B. The time and location that the breach occurred C. Appropriate disciplinary procedures for user error D. Evidence of previous incidents caused by the user  Suggested Answer: A
Which of the following would be MOST helpful to identify worst-case disruption scenarios? A. Cost-benefit analysis B. SWOT analysis C. Business process analysis D. Business impact analysis (BIA) Â Suggested Answer: D
Which of the following BEST enables an organization to appropriately prioritize information security-focused projects? A. Return on investment (ROI) B. Privacy compliance requirements C. Organizational risk appetite D. Historical security incidents  Suggested Answer: C
Which of the following should an information security manager do FIRST upon learning that some security hardening settings may negatively impact future business activity? A. Document a security exception. B. Reduce security hardening settings. C. Perform a risk assessment. D. Inform business management of the risk. Â Suggested Answer: D
Which of the following activities MUST be performed by an information security manager for change requests? A. Assess impact on information security risk. B. Perform penetration testing on affected systems. C. Scan IT systems for operating system vulnerabilities. D. Review change in business requirements for information security. Â Suggested Answer: A
The PRIMARY purpose for continuous monitoring of security controls is to ensure: A. alignment with compliance requirements. B. effectiveness of controls. C. control gaps are minimized. D. system availability. Â Suggested Answer: B
Which of the following is the MOST important factor of a successful information security program? A. The program follows industry best practices. B. The program is based on a well-developed strategy. C. The program is focused on risk management. D. The program is cost-efficient and within budget. Â Suggested Answer: B
Which of the following messages would be MOST effective in obtaining senior management's commitment to information security management? A. Security is a business product and not a process. B. Effective security eliminates risk to the business. C. Adopt a recognized framework with metrics. D. Security supports and protects the business. Â Suggested Answer: D
When choosing the best controls to mitigate risk to acceptable levels, the information security manager s decision should be MAINLY driven by: A. regulatory requirements. B. control framework. C. best practices. D. cost-benefit analysis. Â Suggested Answer: D
A high-risk issue is discovered during an information security risk assessment of a legacy application. The business is unwilling to allocate the resources to remediate the issue. Which of the following would be the information security manager’s BEST course of action? A. Document risk acceptance from the business. B. Recommend discontinuing the use of the legacy application. C. Design alternative compensating controls to reduce the risk. D. Present the worst-case scenario related to the risk.  Suggested Answer: C
The PRIMARY benefit of introducing a single point of administration in network monitoring is that it: A. reduces unauthorized access to systems. B. promotes efficiency in control of the environment. C. prevents inconsistencies in information in the distributed environment. D. allows administrative staff to make management decisions. Â Suggested Answer: C
Which of the following is the MOST important reason to document information security incidents that are reported across the organization? A. Support business investments in security. B. Evaluate the security posture of the organization. C. Identify unmitigated risk. D. Prevent incident recurrence. Â Suggested Answer: D
Which of the following is MOST important for building a robust information security culture within an organization? A. Mature information security awareness training across the organization B. Security controls embedded within the development and operation of the IT environment C. Senior management approval of information security policies D. Strict enforcement of employee compliance with organizational security policies  Suggested Answer: A
Which of the following is the BEST way for an organization to ensure that incident response teams are properly prepared? A. Documenting multiple scenarios for the organization and response steps B. Providing training from third-party forensics firms C. Obtaining industry certifications for the response team D. Conducting tabletop exercises appropriate for the organization  Suggested Answer: D
Which of the following metrics BEST measures the effectiveness of an organization’s information security program? A. Return on information security investment B. Number of information security business cases developed C. Reduction in information security incidents D. Increase in risk assessments completed  Suggested Answer: A
Which of the following is MOST important when conducting a forensic investigation? A. Capturing full system images B. Documenting analysis steps C. Maintaining a chain of custody D. Analyzing system memory  Suggested Answer: C
Which of the following presents the GREATEST challenge to the recovery of critical systems and data following a ransomware incident? A. Unavailable or corrupt data backups B. Ineffective alert configurations for backup operations C. Lack of encryption for backup data in transit D. Undefined or undocumented backup retention policies  Suggested Answer: A
An organization is aligning its incident response capability with a public cloud service provider. What should be the information security manager’s FIRST course of action? A. Identify the skill set of the provider's incident response team. B. Update the incident escalation process. C. Evaluate the provider’s audit logging and monitoring controls. D. Review the provider’s incident definitions and notification criteria.  Suggested Answer: D
An information security manager is reporting on open items from the risk register to senior management. Which of the following is MOST important to communicate with regard to these risks? A. Key risk indicators (KRIs) B. Responsible entities C. Compensating controls D. Potential business impact  Suggested Answer: D
An information security team has discovered that users are sharing a login account to an application with sensitive information, in violation of the access policy. Business management indicates that the practice creates operational efficiencies. What is the information security manager’s BEST course of action? A. Present the risk to senior management. B. Modify the policy. C. Create an exception for the deviation. D. Enforce the policy.  Suggested Answer: A
Which of the following should be the FIRST step to gain approval for outsourcing to address a security gap? A. Perform a cost-benefit analysis. B. Collect additional metrics. C. Begin due diligence on the outsourcing company. D. Submit funding request to senior management. Â Suggested Answer: A
What is the MOST important reason to regularly report information security risk to relevant stakeholders? A. To enable risk-informed decision making B. To reduce the impact of information security risk C. To ensure information security controls are effective D. To achieve compliance with regulatory requirements  Suggested Answer: C
Which of the following is MOST important to ensure ongoing senior management commitment to an organization’s information security strategy? A. Effective and reliable security reporting B. A well-defined information security control framework C. A detailed and documented business impact analysis (BIA) D. Strategic alignment to an industry framework  Suggested Answer: B
A penetration test of a new system has identified a number of critical vulnerabilities, jeopardizing the go-live date. The information security manager is asked by the system owner to approve an exception to allow the system to be implemented without fixing the vulnerabilities. Which of the following is the MOST appropriate course of action? A. Implement a log monitoring process. B. Perform a risk assessment. C. Develop a set of compensating controls. D. Approve and document the exception. Â Suggested Answer: B
Which of the following information security activities is MOST helpful to support compliance with information security policy? A. Conducting information security awareness programs B. Creating monthly trend metrics C. Performing periodic IT reviews on new system acquisitions D. Obtaining management commitment  Suggested Answer: A
Which of the following is MOST important to determine following the discovery and eradication of a malware attack? A. The creator of the malware B. The malware entry path C. The type of malware involved D. The method of detecting the malware  Suggested Answer: D
Which of the following is MOST helpful in ensuring an information security governance framework continues to support business objectives? A. A consistent risk assessment methodology B. A monitoring strategy C. An effective organizational structure D. Stakeholder buy-in  Suggested Answer: A
Reviewing which of the following would be MOST helpful when a new information security manager is developing an information security strategy for a non-regulated organization? A. Management’s business goals and objectives B. Strategies of other non-regulated companies C. Industry best practices and control recommendations D. Risk assessment results  Suggested Answer: A
In order to understand an organization's security posture, it is MOST important for an organization's senior leadership to: A. review the number of reported security incidents. B. evaluate results of the most recent incident response test. C. ensure established security metrics are reported. D. assess progress of risk mitigation efforts. Â Suggested Answer: C
Information security controls should be designed PRIMARILY based on: A. regulatory requirements. B. a vulnerability assessment. C. business risk scenarios. D. a business impact analysis (BIA). Â Suggested Answer: C
An organization involved in e-commerce activities operating from its home country opened a new office in another country with stringent security laws. In this scenario, the overall security strategy should be based on: A. risk assessment results. B. international security standards. C. the most stringent requirements. D. the security organization structure. Â Suggested Answer: A
An information security manager developing an incident response plan MUST ensure it includes: A. critical infrastructure diagrams. B. a business impact analysis (BIA). C. criteria for escalation. D. an inventory of critical data. Â Suggested Answer: C
Which of the following is the MOST effective way to help staff members understand their responsibilities for information security? A. Require staff to sign confidentiality agreements. B. Require staff to participate in information security awareness training. C. Communicate disciplinary processes for policy violations. D. Include information security responsibilities in job descriptions. Â Suggested Answer: D
Security program development is PRIMARILY driven by which of the following? A. Regulatory requirements B. Business strategy C. Risk appetite D. Available resources  Suggested Answer: C
An organization has identified a risk scenario that has low impact to the organization but is very costly to mitigate. Which risk treatment option is MOST appropriate in this situation? A. Transfer B. Acceptance C. Mitigation D. Avoidance  Suggested Answer: A
Prior to conducting a forensic examination, an information security manager should: A. boot the original hard disk on a clean system. B. create an image of the original data on new media. C. duplicate data from the backup media. D. shut down and relocate the server. Â Suggested Answer: B
The fundamental purpose of establishing security metrics is to: A. adopt security best practices. B. establish security benchmarks. C. provide feedback on control effectiveness. D. increase return on investment (ROI). Â Suggested Answer: C
Which of the following presents the GREATEST challenge to a security operations center's timely identification of potential security breaches? A. An organization has a decentralized data center that uses cloud services. B. Operating systems are no longer supported by the vendor. C. IT system clocks are not synchronized with the centralized logging server. D. The patch management system does not deploy patches in a timely manner. Â Suggested Answer: C
An organization plans to utilize Software as a Service (SaaS) and is in the process of selecting a vendor. What should the information security manager do FIRST to support this initiative? A. Review independent security assessment reports for each vendor. B. Benchmark each vendor's services with industry best practices. C. Define information security requirements and processes. D. Analyze the risks and propose mitigating controls. Â Suggested Answer: A
An online bank identifies a successful network attack in progress. The bank should FIRST: A. report the root cause to the board of directors. B. isolate the affected network segment. C. shut down the entire network. D. assess whether personally identifiable information (PII) is compromised. Â Suggested Answer: B
Which of the following provides an information security manager with the MOST accurate indication of the organization's ability to respond to a cyber attack? A. Walk-through of the incident response plan B. Black box penetration test C. Simulated phishing exercise D. Red team exercise  Suggested Answer: D
Which of the following provides the BEST guidance when establishing a security program? A. Risk assessment methodology B. Security audit report C. Information security budget D. Information security framework  Suggested Answer: B
Which of the following should be of MOST concern to an information security manager reviewing the organization’s disaster recovery plan (DRP)? A. Organization wide training for disaster recovery has not occurred. B. The response team has contracted with an external consultant to support testing activities. C. Six months have elapsed since the most recent test of the response plan. D. The response plan document has not been updated with the latest notification list details.  Suggested Answer: D
Which of the following is the GREATEST risk of centralized information security administration within a multinational organization? A. Slower turnaround B. Less uniformity C. Less objectivity D. Violation of local law  Suggested Answer: C
Which of the following would BEST enable an organization to aggregate information from different systems to allow for centralized categorization of incidents? A. Intrusion detection system (IDS) B. Application program interfaces (APIs) C. Intrusion prevention system (IPS) D. Security information and event management (SIEM) Â Suggested Answer: D
When preparing an information security policy for a global organization, how should an information security manager BEST address local legislation in multiple countries? A. Rely on local interpretation of the global policy to comply with local legislation. B. Create a policy exception process for each country. C. Enforce the same global policy in every country. D. Establish local policies for each country that supplement the global policy. Â Suggested Answer: D
Which of the following is the MOST important control to implement when senior managers use smartphones to access sensitive company information? A. Centralized device administration B. Remote wipe capability C. Anti-malware on the devices D. Strong passwords  Suggested Answer: A
Which of the following is the MOST appropriate resource to determine whether or not a particular solution should utilize encryption based on its location and data classification? A. Guidelines B. Procedures C. Standards D. Policies  Suggested Answer: C
An organization that conducts business globally is planning to utilize a third-party service provider to process payroll information. Which of the following issues poses the GREATEST risk to the organization? A. The third party has not provided evidence of compliance with local regulations where data is generated. B. The third party does not have an independent assessment of controls available for review. C. The third party’s service level agreement (SLA) does not include guarantees of uptime. D. The third-party contract does not include an indemnity clause for compensation in the event of a breach.  Suggested Answer: D
The PRIMARY objective of timely declaration of a disaster is to: A. ensure the continuity of the organization’s essential services. B. protect critical physical assets from further loss. C. ensure engagement of business management in the recovery process. D. assess and correct disaster recovery process deficiencies.  Suggested Answer: C
Which of the following BEST enables the design of an effective incident escalation process? A. A well-defined organizational hierarchy B. Enforceable control baselines C. A comprehensive risk register D. Controls designed for defense in depth  Suggested Answer: A
An information security manager has been notified that two senior executives have the ability to elevate their own privileges in the corporate accounting system, in violation of policy. What is the FIRST step to address this issue? A. Notify the CISO of the security policy violation. B. Perform a system access review. C. Perform a full review of all system transactions over the past 90 days. D. Immediately suspend the executives’ access privileges.  Suggested Answer: B
Which of the following is MOST useful to display on a dashboard to demonstrate security performance? A. Number of hours spent per vulnerability remediated B. Number of vulnerabilities detected over time C. Severity of currently unremediated vulnerabilities D. Average time to identify vulnerabilities  Suggested Answer: C
Which of the following should be done FIRST when establishing an information security governance framework? A. Gain an understanding of the business and cultural attributes. B. Contract a third party to conduct an independent review of the program. C. Conduct a cost-benefit analysis of the framework. D. Evaluate information security tools and skills relevant for the environment. Â Suggested Answer: A
Which of the following is the BEST approach to make strategic information security decisions? A. Establish periodic senior management meetings. B. Establish regular information security status reporting. C. Establish an information security steering committee. D. Establish business unit security working groups. Â Suggested Answer: C
Which type of incident response test is the MOST efficient way to verify that backup power generators are functioning? A. Operational full test B. Simulation failure test C. Parallel recovery test D. Full interruption test  Suggested Answer: D
Which of the following is the MOST important action to prepare for a ransomware attack? A. Back up data regularly and verify the integrity of backups. B. Scan emails to detect threats and filter out executable files. C. Configure access controls with least privilege in mind. D. Execute operating systems and programs in a virtualized environment. Â Suggested Answer: A
Which of the following should be the MAIN outcome from monitoring key performance indicators (KPIs) for a corporate security management program? A. A balanced scorecard B. An effective security awareness program C. Data for the organization to assess progress D. Optimal level of value delivery  Suggested Answer: B
An organization is considering using a third party to host sensitive archived data. Which of the following is MOST important to verify before entering into the relationship? A. Independent audits of the vendor’s operations are regularly conducted. B. The vendor’s controls are in line with the organization’s security standards. C. The encryption keys are not provided to the vendor. D. The vendor’s data centers are in the same geographic region.  Suggested Answer: B
When creating an incident response plan, which of the following is MOST important to include during the preparation phase of the plan’s life cycle? A. Communication plan B. Response procedures C. Risk management plan D. Forensic analysis procedures  Suggested Answer: C
A software vendor has announced a zero-day vulnerability that exposes an organization’s critical business systems. The vendor has released an emergency patch. Which of the following should be the information security manager’s PRIMARY concern? A. Ability to test the patch prior to deployment B. Adequacy of the incident response plan C. Availability of resources to implement controls D. Documentation of patching procedures  Suggested Answer: A
Which of the following is MOST important to the successful management of an information security program? A. Compliance with regulatory requirements B. Adequate security budget C. Support from key stakeholders D. Continuous controls monitoring  Suggested Answer: C
A newly hired information security manager discovers that the cleanup of accounts for terminated employees happens only once a year. Which of the following should be the information security manager’s FIRST course of action? A. Design and document a new process. B. Perform a risk assessment. C. Report the issue to senior management. D. Update the security policy.  Suggested Answer: B
Which of the following BEST conveys minimum information security requirements to an organization in alignment with policies? A. Procedures B. Regulations C. Baselines D. Standards  Suggested Answer: D
Which of the following security initiatives should be the FIRST step in helping an organization maintain compliance with privacy regulations? A. Implementing a data classification framework B. Implementing security information and event management (SIEM) C. Installing a data loss prevention (DLP) solution D. Developing security awareness training  Suggested Answer: A
Which of the following is MOST important to consider when developing a business case to support the investment in an information security program? A. Senior management support B. Results of a risk assessment C. Results of a cost-benefit analysis D. Impact on the risk profile  Suggested Answer: C
The PRIMARY reason for using metrics as part of an information security program is to help management: A. determine whether objectives are being met. B. visualize security trends. C. develop an information security baseline. D. track financial impact of the program. Â Suggested Answer: A
After an information security incident has been detected and its priority established, which of the following should be the NEXT course of action? A. Gathering evidence B. Eradicating the incident C. Performing a risk assessment D. Containing the incident  Suggested Answer: D
Which of the following is the MOST important input to the development of an effective information security strategy? A. Well-defined security policies and procedures B. Current and desired state of security C. Business processes and requirements D. Risk and business impact assessments  Suggested Answer: B
Which of the following is MOST important to review following a security incident? A. Incident response procedures B. Response tools and techniques C. Incident response plan D. Lessons learned  Suggested Answer: D
Which of the following is necessary to ensure consistent protection for an organization’s information assets? A. Control assessment B. Data ownership C. Regulatory requirements D. Classification mode  Suggested Answer: D
A new law requires an organization to implement specific security controls. Which of the following should the information security manager do FIRST? A. Integrate the new requirements into the security policy. B. Perform a gap analysis on the new requirements. C. Develop a control implementation plan. D. Assess the risk of noncompliance with the new requirements. Â Suggested Answer: B
Which of the following BEST demonstrates that security controls are effective? A. Audit report B. Tabletop simulation C. Risk and control self-assessment D. Business impact analysis (BIA) results  Suggested Answer: D
Which of the following activities provides the GREATEST insight into the level of threat exposure within an IT environment? A. Executing an organization-wide security audit B. Performing penetration testing C. Performing technical vulnerability assessments D. Conducting a red team exercise  Suggested Answer: D
Which of the following is MOST important to ensure when an organization is moving portions of its sensitive database to the cloud? A. The conversion has been approved by the information security team. B. A right to audit clause is included in the contract. C. Input from data owners is included in the requirements definition. D. Data encryption is used in the cloud hosting solution. Â Suggested Answer: C
Which of the following is the BEST way to determine the gap between the present and desired state of an information security program? A. Determine whether critical success factors (CSFs) have been defined. B. Review and update current operational procedures. C. Perform a risk analysis for critical applications. D. Conduct a capability maturity model evaluation. Â Suggested Answer: D
The PRIMARY goal of information security governance is to: A. reduce risk to an acceptable level. B. align with business processes. C. align with business objectives. D. establish a security strategy. Â Suggested Answer: C
An information security manager of an e-commerce business is reviewing the results of a business continuity plan (BCP) review. Which of the following findings should be the MOST immediate concern? A. The cost of a recent recovery test exceeded budget expectations. B. The annual business impact analysis (BIA) has been delayed. C. The business continuity plan (BCP) has not been recently tested. D. The recovery time objective (RTO) was not met during a recent power outage. Â Suggested Answer: D
If an organization does not have an information security governance framework in place, which of the following would BEST facilitate the adoption of a future governance program? A. Audit recommendations B. IT department support C. Information security funding D. Involvement of business stakeholders  Suggested Answer: D
Which of the following would provide the GREATEST assurance to management that information security incidents will be detected and contained in a timely manner without jeopardizing the organization’s mission? A. Network security penetration testing program B. Continuous vulnerability scanning solution C. Security information and event management (SIEM) system D. Fully operational security operations center (SOC)  Suggested Answer: C
Which of the following would BEST provide stakeholders with information to determine the appropriate response to a disaster? A. Vulnerability assessment B. SWOT analysis C. Business impact analysis (BIA) D. Risk assessment  Suggested Answer: D
Which of the following is the BEST way to obtain reliable information to help an incident response team maintain awareness of emerging security threats and vulnerabilities? A. Subscribe to a reputed threat intelligence group. B. Assign staff to engage with social media hacking groups. C. Review alerts from a security information and event management (SIEM) system. D. Implement vulnerability scanners. Â Suggested Answer: A
Which of the following is the MOST effective approach to ensure seamless integration between the business continuity plan (BCP) and the incident response plan? A. The BCP manager is included in the core incident response team. B. Criteria for escalating to the BCP manager are in the incident response plan. C. Both response teams contain the same members. D. Consistent event classifications are used in both plans. Â Suggested Answer: D
Which of the following is an information security manager's BEST course of action when a potential business breach is discovered in a critical business system? A. Update the incident response plan. B. Inform affected stakeholders. C. Inform IT management. D. Implement mitigating actions immediately. Â Suggested Answer: B
Which of the following is MOST important to include in a report of an organization's information security risk? A. Control risk B. Mitigated risk C. Residual risk D. Inherent risk  Suggested Answer: C
Which of the following is an information security manager's BEST recommendation to senior management following a breach at the organization's Software as a Service (SaaS) vendor? A. Engage legal counsel B. Terminate the relationship with the vendor C. Renegotiate the vendor contract D. Update the vendor risk assessment  Suggested Answer: D
Which of the following is MOST important to consider when determining asset valuation? A. Potential business loss B. Asset classification level C. Asset recovery cost D. Cost of insurance premiums  Suggested Answer: A
Which of the following should an information security manager do FIRST to address the risk associated with a new third-party cloud application that will not meet organizational security requirements? A. Restrict application network access temporarily. B. Update the risk register. C. Consult with the business owner. D. Include security requirements in the contract. Â Suggested Answer: A
An event occurred that resulted in the activation of the business continuity plan (BCP). All employees were notified during the event, and they followed the plan. However, two major suppliers missed deadlines because they were not aware of the disruption. What is the BEST way to prevent a similar situation in the future? A. Ensure service level agreements (SLAs) with suppliers are enforced. B. Conduct a vulnerability assessment. C. Perform testing of the BCP communication plan. D. Provide suppliers with access to the BCP document. Â Suggested Answer: A
When performing a data classification project, an information security manager should: A. assign information criticality and sensitivity. B. identify information custodians. C. identify information owners. D. assign information access privileges. Â Suggested Answer: A
Which of the following provides the MOST comprehensive information related to an organization's current risk profile? A. Gap analysis results B. Risk register C. Heat map D. Risk assessment results  Suggested Answer: D
Which of the following has the GREATEST impact on the viability of an information security roadmap? A. Regulatory requirements B. Management support C. Threat landscape D. Resource availability  Suggested Answer: C
An information security manager is recommending an investment in a new security initiative to address recently published threats. Which of the following is MOST important to include in the business case? A. Alignment with the approved IT strategy B. Potential impact of threat realization C. Availability of resources to implement the initiative D. Peer group threat intelligence report  Suggested Answer: B
Which of the following is the MOST important output from a post-incident review? A. Documentation of lessons learned B. Repository of digital forensic artifacts C. Revised business impact analysis (BIA) D. Compilation of incident-related costs  Suggested Answer: A
Which of the following is the GREATEST benefit of using a network-based intrusion prevention system (IPS)? A. The ability to review and monitor data streams by network segment B. The ability to shut down or block suspicious connections C. Increased visibility into user web surfing D. Centralized controls for incident handling  Suggested Answer: B
What should be the GREATEST concern for an information security manager of a large multinational organization when outsourcing data processing to a cloud service provider? A. Local laws and regulations B. Backup and restoration of data C. Vendor service level agreements (SLAs) D. Independent review of the vendor  Suggested Answer: A
Which of the following should be an information security manager's MAIN concern if the same digital signing certificate is able to be used by two or more users? A. Potential to decrypt digital hash values B. Inability to validate identity of sender C. Certificate alteration D. Segregation of duties  Suggested Answer: B
Signature based anti-malware controls are MOST effective against: A. poorly configured firewall rules. B. reused virus code. C. known threats. D. zero-day exploits. Â Suggested Answer: B
Which of the following is the PRIMARY objective of a business impact analysis (BIA)? A. Confirm control effectiveness. B. Determine recovery priorities. C. Define the recovery point objective (RPO). D. Analyze vulnerabilities. Â Suggested Answer: B
A common drawback of email software packages that provide native encryption of messages is that the encryption: A. has an insufficient key length. B. cannot interoperate across product domains. C. cannot encrypt attachments. D. has no key-recovery mechanism. Â Suggested Answer: B
Which of the following is the MOST important outcome of effective risk treatment? A. Implementation of corrective actions B. Elimination of risk C. Timely reporting of incidents D. Reduced cost of acquiring controls  Suggested Answer: A
Which of the following would be impacted the MOST by a business decision to move from traditional computing to cloud computing? A. Security awareness B. Security standards C. Security policies D. Security strategy  Suggested Answer: D
Key risk indicators (KRIs) are MOST effective when they: A. are mapped to core strategic initiatives. B. allow for comparison with industry peers. C. are redefined on a regular basis. D. assess progress toward declared goals. Â Suggested Answer: C
An organization's intrusion prevention system (IPS) detected and blocked an unusually large number of external intrusion attempts within a 24-hour period. Which of the following should be the information security manager's FIRST course of action? A. Perform security assessments on Internet-facing systems. B. Identify the source and nature of the attempts. C. Review the server and firewall audit logs. D. Report the issue to senior management. Â Suggested Answer: C
Which of the following should be the GREATEST consideration when determining the recovery time objective (RTO) for an in-house critical application, database, or server? A. Direction from senior management B. Results of recovery testing C. Determination of recovery point objective (RPO) D. Impact of service interruption  Suggested Answer: C
Which of the following is the PRIMARY purpose of implementing information security standards? A. To provide a basis for developing information security policies B. To provide step-by-step instructions for performing security-related tasks C. To provide management direction with a specific security objective D. To establish a minimum acceptable security baseline  Suggested Answer: D
Which of the following should be the FIRST step in patch management procedures when receiving an emergency security patch? A. Validate the authenticity of the patch. B. Conduct comprehensive testing of the patch. C. Schedule patching based on the criticality. D. Install the patch immediately to eliminate the vulnerability. Â Suggested Answer: A
The MOST effective tools for responding to new and advanced attacks are those that detect attacks based on: A. behavior analysis. B. penetration testing. C. signature analysis. D. data packet analysis. Â Suggested Answer: B
When developing security processes for handling credit card data on the business unit's information system, the information security manager should FIRST: A. ensure that systems that handle credit card data are segmented. B. review industry best practices for handling secure payments. C. ensure alignment with industry encryption standards. D. review corporate policies regarding credit card information. Â Suggested Answer: D
What is the PRIMARY objective of information security involvement in the change management process? A. To narrow the threat landscape B. To ensure changes are not applied without prior authorization C. To reduce the likelihood of control failure D. To meet obligations for regulatory and legal compliance  Suggested Answer: B
Which of the following is MOST likely to trigger an update and revision of information security policies? A. Engagement with a new service provider B. Replacement of the information security manager C. Attainment of business process maturity D. Changes in the organization's risk appetite  Suggested Answer: B
A small organization with limited budget hires a new information security manager who finds the same IT staff member is assigned the responsibility of system administrator, security administrator, database administrator, and application administrator. What is the manager's BEST course of action? A. Formally document IT administrator activities. B. Automate user provisioning activities. C. Maintain strict control over user provisioning activities. D. Implement monitoring of IT administrator activities. Â Suggested Answer: D
Which of the following should an information security manager do FIRST when assessing conflicting requirements between the global organization's security standards and local regulations? A. Conduct a gap analysis against local regulations. B. Perform a cost-benefit analysis of compliance. C. Create a local version of the organizational standards. D. Prioritize the organizational standards over local regulations. Â Suggested Answer: B
Which of the following is the BEST method to reduce the risk of an information security breach due to spear phishing? A. Implementing a vulnerability management program B. Deploying an intrusion protection system (IPS) C. Establishing a company-wide information security awareness plan D. Reviewing log files daily to identify any suspicious activity  Suggested Answer: C
A desktop computer is being used to perpetrate a fraud, and data on the machine must be secured for evidence. Which of the following should be done FIRST? A. Encrypt the content of the hard drive using a strong algorithm. B. Obtain a hash of the desktop computer's internal hard drive. C. Copy the data on the computer to an external hard drive. D. Capture a forensic image of the computer. Â Suggested Answer: B
The PRIMARY purpose of an information security governance framework is to ensure that the information security strategy is an extension of: A. organizational strategies. B. information technology strategies. C. formal enterprise architecture. D. approved business cases. Â Suggested Answer: A
Which of the following is the MOST important consideration for a global organization that is designing an information security awareness program? A. National regulations B. Program costs C. Cultural backgrounds D. Local languages  Suggested Answer: A
Changes have been proposed to a large organization's enterprise resource planning (ERP) system that would violate existing security standards. Which of the following should be done FIRST to address this conflict? A. Perform a cost-benefit analysis B. Calculate business impact levels. C. Validate current standards. D. Implement updated standards. Â Suggested Answer: B
Which of the following should an information security manager do NEXT after creating a roadmap to execute the strategy for an information security program? A. Develop a project plan to implement the strategy B. Obtain consensus on the strategy from the executive board C. Define organizational risk tolerance D. Review alignment with business goals  Suggested Answer: A
An organization has just updated its backup capability to a new cloud-based solution. Which of the following tests will MOST effectively verify this change is working as intended? A. Simulation testing B. Tabletop testing C. Parallel testing D. Black box testing  Suggested Answer: C
Which of the following is the MOST important function of an information security steering committee? A. Assigning data classifications to organizational assets B. Defining security standards for logical access controls C. Developing organizational risk assessment processes D. Obtaining multiple perspectives from the business  Suggested Answer: D
Which of the following is the PRIMARY benefit of implementing an information security governance framework? A. The framework provides a roadmap to maximize revenue through the secure use of technology. B. The framework is able to confirm the validity of business goals and strategies. C. The framework defines managerial responsibilities for risk impacts to business goals. D. The framework provides direction to meet business goals while balancing risks and controls. Â Suggested Answer: D
Which of the following is the BEST way to prevent insider threats? A. Implement strict security policies and password controls. B. Conduct organization-wide security awareness training. C. Enforce segregation of duties and least privilege access. D. Implement logging for all access activities. Â Suggested Answer: D
Which of the following should be done FIRST to ensure a new critical cloud application can be supported by internal personnel? A. Establish a capability maturity model. B. Develop a training plan. C. Conduct a risk assessment. D. Perform a skills gap analysis. Â Suggested Answer: D
An organization is conducting a post-incident review to determine the root cause of an information security incident. Which of the following situations would be MOST harmful to this investigation? A. Unencrypted logs of the affected systems were saved on magnetic tapes. B. Antivirus signature update processes failed on the affected systems. C. Systems logs were cleared by the administrator to free up space on the affected systems. D. The incident response plan has not been updated during the past year. Â Suggested Answer: C
When building support for an information security program, which of the following elements is MOST important? A. Business impact analysis (BIA) B. Identification of existing vulnerabilities C. Threat analysis D. Information risk assessment  Suggested Answer: A
Capacity planning would prevent: A. system downtime for scheduled security maintenance. B. file system overload arising from distributed denial of service (DDoS) attacks. C. application failures arising from insufficient hardware resources. D. software failures arising from exploitation of buffer capacity vulnerabilities. Â Suggested Answer: C
Which of the following is the MOST effective way to ensure information security policies are understood? A. Implement a whistle-blower program. B. Document security procedures. C. Include security responsibilities in job descriptions. D. Provide regular security awareness training. Â Suggested Answer: D
Which of the following is the MOST effective method for testing an incident response plan? A. Disaster recovery testing B. Risk assessment C. Tabletop exercises D. Industry benchmarking  Suggested Answer: C
A penetration test was conducted by an accredited third party. Which of the following should be the information security manager's FIRST course of action? A. Request funding needed to resolve the top vulnerabilities. B. Ensure a risk assessment is performed to evaluate the findings. C. Report findings to senior management. D. Ensure vulnerabilities found are resolved within acceptable timeframes. Â Suggested Answer: B
An information security team must obtain approval from the information security steering committee to implement a key control. Which of the following is the MOST important input to assist the committee in making this decision? A. IT strategy B. Security architecture C. Risk assessment D. Business case  Suggested Answer: D
What should a global information security manager do FIRST when informed that a new regulation with significant impact will go into effect soon? A. Perform a vulnerability assessment. B. Perform a business impact analysis (BIA). C. Perform a privacy impact assessment. D. Perform a gap analysis. Â Suggested Answer: D
Which of the following will have the MOST negative impact to the effectiveness of incident response processes? A. High organizational risk tolerance B. Decentralized incident monitoring C. Ambiguous severity criteria D. Manual incident reporting processes  Suggested Answer: C
Which of the following tasks would provide a newly appointed information security manager with the BEST view of the organization's existing security posture? A. Performing a business impact analysis (BIA) B. Reviewing policies and procedures C. Performing a risk assessment D. Interviewing business managers and employees  Suggested Answer: C
Which of the following is the MOST important consideration when developing incident classification methods? A. Data classification B. Data owner input C. Service level agreements (SLAs) D. Business impact  Suggested Answer: D
Which of the following should be the PRIMARY goal of an information security manager when designing information security policies? A. Minimizing the cost of security controls B. Reducing organizational security risk C. Improving the protection of information D. Achieving organizational objectives  Suggested Answer: D
An organization has outsourced many application development activities to a third party that uses contract programmers extensively. Which of the following would provide the BEST assurance that the third party's contract programmers comply with the organization's security policies? A. Perform periodic security assessments of the contractors' activities. B. Conduct periodic vulnerability scans of the application. C. Require annual signed agreements of adherence to security policies. D. Include penalties for noncompliance in the contracting agreement. Â Suggested Answer: A
How does an organization's information security steering committee facilitate the achievement of information security program objectives? A. Monitoring information security resources B. Making decisions on security priorities C. Enforcing regulatory and policy compliance D. Evaluating information security metrics  Suggested Answer: D
Which of the following is the BEST reason to consolidate security operations teams across a global organization? A. Compliance with regulatory requirements B. Enhanced visibility of threats C. Detection of fraud D. Cost reduction  Suggested Answer: B
The business value of an information asset is derived from: A. its replacement cost. B. the risk assessment. C. its criticality. D. the threat profile. Â Suggested Answer: C
A business unit handles sensitive personally identifiable information (PII), which presents a significant financial liability to the organization should a breach occur. Which of the following is the BEST way to mitigate the risk to the organization? A. Implementing audit logging on systems B. Including indemnification into customer contracts C. Contracting the process to a third party D. Purchasing insurance  Suggested Answer: D
Which of the following is the BEST indication of a mature information security program? A. Security spending is below budget. B. Security incidents are managed properly. C. Security resources are optimized. D. Security audit findings are reduced. Â Suggested Answer: D
An organization recently updated and published its information security policy and standards. What should the information security manager do NEXT? A. Update the organization's risk register. B. Develop a policy exception process. C. Communicate the changes to stakeholders. D. Conduct a risk assessment. Â Suggested Answer: C
Which type of recovery site is MOST reliable and can support stringent recovery requirements? A. Cold site B. Warm site C. Mobile site D. Hot site  Suggested Answer: D
Which of the following has the MOST influence on the information security investment process? A. Security key performance indicators (KPIs) B. Organizational risk appetite C. IT governance framework D. Information security policy  Suggested Answer: D
An organization's information security manager is performing a post-incident review of a security incident in which the following events occurred: ✑ A bad actor broke into a business-critical FTP server by brute forcing an administrative password ✑ The third-party service provider hosting the server sent an automated alert message to the help desk, but was ignored ✑ The bad actor could not access the administrator console, but was exposed to encrypted data transferred to the server ✑ After three (3) hours, the bad actor deleted the FTP directory, causing incoming FTP attempts by legitimate customers to fail Which of the following could have been prevented by conducting regular incident response testing? A. Stolen data B. The server being compromised C. The brute force attack D. Ignored alert messages  Suggested Answer: D
Which of the following is MOST important when designing an information security governance framework? A. Assessing the availability of information security resources B. Assessing the current state of information security C. Aligning with the information security strategy D. Aligning with industry best practice frameworks  Suggested Answer: D
A serious vulnerability was detected in a business application that can be exploited by external attackers to compromise the system. What is the information security manager's BEST course of action? A. Implement temporary remediation. B. Request an immediate shutdown of the application. C. Report the risk to the business application owner. D. Ask the business application owner to apply the fix immediately. Â Suggested Answer: C
Which of the following is MOST important to consider when defining escalation processes for incident response procedures? A. Key risk indicators (KRIs) B. Business continuity plans (BCPs) C. Recovery time objectives (RTOs) D. Key performance indicators (KPIs) Â Suggested Answer: D
To optimize the implementation of information security governance in an organization, an information security manager should: A. implement processes consistent with international standards. B. utilize existing governance structures when possible. C. ensure changes are consistent with existing standards. D. make gradual changes to governance to minimize employee resistance. Â Suggested Answer: C
Which of the following should be the PRIMARY goal of information security? A. Business alignment B. Regulatory compliance C. Data governance D. Information management  Suggested Answer: D
Which of the following clauses would represent the MOST significant potential exposure if included in a contract with a third-party service provider? A. Provider responsibility in a disaster limited to best reasonable efforts B. Provider liability for loss of data limited to cost of physical media C. Audit rights limited to customer data and supporting infrastructure D. Access to escrowed software restricted to specific conditions  Suggested Answer: C
Which of the following should be the PRIMARY basis for determining information security objectives? A. Business strategy B. Regulatory requirements C. Information security strategy D. Data classification  Suggested Answer: C
Which of the following is the BEST method to ensure compliance with password standards? A. A user-awareness program B. Implementing password-synchronization software C. Using password-cracking software D. Automated enforcement of password syntax rules  Suggested Answer: D
The PRIMARY purpose for deploying information security metrics is to: A. ensure that technical operations meet specifications. B. compare program effectiveness to benchmarks. C. support ongoing security budget requirements. D. provide information needed to make decisions. Â Suggested Answer: A
Which of the following would BEST demonstrate the status of an organization's information security program to the board of directors? A. The information security operations matrix B. Changes to information security risks C. Information security program metrics D. Results of a recent external audit  Suggested Answer: D
An intrusion has been detected and contained. Which of the following steps represents the BEST practice for ensuring the integrity of the recovered system? A. Restore the application and data from a forensic copy. B. Install the OS, patches, and application from the original source. C. Restore the OS, patches, and application from a backup. D. Remove all signs of the intrusion from the OS and application. Â Suggested Answer: A
Which of the following should an information security manager do FIRST when informed that customer data has been breached within a third-party vendor's environment? A. Communicate the breach to leadership. B. Request and verify evidence of the breach. C. Notify the incident response team. D. Review vendor obligations in the contract. Â Suggested Answer: C
Which of the following is the GREATEST benefit of using cyber threat intelligence to improve an organization's patch management program? A. It allows the organization to define its risk tolerance and appetite. B. It identifies when to use workarounds to mitigate vulnerabilities rather than patching. C. It reduces the number of patches the organization needs to apply. D. It provides information about exploited vulnerabilities to expedite patching. Â Suggested Answer: D
Which of the following methods enables the MOST rigorous testing while avoiding the disruption of normal business operations? A. Walk-through test B. Full interruption test C. Parallel test D. Checklist review test  Suggested Answer: C
An empowered security steering committee has decided to accept a critical risk. Which of the following is the information security manager's BEST course of action? A. Notify the chief risk officer (CRO) and internal audit. B. Determine the impact to information security objectives. C. Remove the specific risk item from the risk register. D. Document the risk acceptance and justification. Â Suggested Answer: D
Which of the following would be the GREATEST threat posed by a distributed denial of service (DDoS) attack on a public-facing web server? A. Execution of unauthorized commands B. Unauthorized access to resources C. Defacement of website content D. Prevention of authorized access  Suggested Answer: D
Which of the following is the BEST indication of information security strategy alignment with the business? A. Number of business executives who have attended information security awareness sessions B. Percentage of corporate budget allocated to information security initiatives C. Percentage of information security incidents resolved within defined service level agreements (SLAs) D. Number of business objectives directly supported by information security initiatives  Suggested Answer: D
Which of the following would BEST mitigate accidental data loss events? A. Enforce a data hard drive encryption policy B. Conduct a data loss prevention audit C. Conduct periodic user awareness training D. Obtain senior management support for the information security strategy  Suggested Answer: C
Which of the following is a PRIMARY function of an incident response team? A. To provide a single point of contact for critical incidents B. To provide a risk assessment for zero-day vulnerabilities C. To provide a business impact analysis (BIA) D. To provide effective incident mitigation  Suggested Answer: D
Using which of the following metrics will BEST help to determine the resiliency of IT infrastructure security controls? A. Percentage of outstanding high-risk audit issues B. Number of incidents resulting in disruptions C. Number of successful disaster recovery tests D. Frequency of updates to system software  Suggested Answer: B
Which of the following is the MAIN reason for integrating an organization's incident response plan with its business continuity process? A. Incidents can escalate into disasters needing proper response B. Recovery time objectives (RTOs) need to be determined C. Incidents will be reported more timely when categorized as a disaster D. Integration of the plan will reduce resource costs to the organization  Suggested Answer: C
Which of the following should be the PRIMARY basis for a severity hierarchy for information security incident classification? A. Legal and regulatory requirements B. Root cause analysis results C. Availability of resources D. Adverse effects on the business  Suggested Answer: D
Which of the following would BEST enable the timely execution of an incident response plan? A. Definition of trigger events B. Centralized service desk C. The introduction of a decision support tool D. Clearly defined data classification process  Suggested Answer: A
Which of the following is the BEST approach to identify new security issues associated with IT systems and applications in a timely manner? A. Requiring periodic security audits of IT systems and applications B. Comparing current state to established industry benchmarks C. Performing a vulnerability assessment for each change to IT systems D. Integrating risk assessments into the change management process  Suggested Answer: D
Which of the following is MOST important to include in an information security strategy? A. Industry benchmarks B. Stakeholder requirements C. Risk register D. Regulatory requirements  Suggested Answer: B
The PRIMARY reason to create and externally store the disk hash value when performing forensic data acquisition from a hard disk is to: A. validate the integrity during analysis B. provide backup in case of media failure C. reinstate original data when accidental changes occur D. validate the confidentiality during analysis  Suggested Answer: A
Which of the following is the MOST important issue in a penetration test? A. Performing the test without the benefit of any insider knowledge B. Having an independent group perform the test C. Having a defined goal as well as success and failure criteria D. Obtaining permission from audit  Suggested Answer: C
An organization has decided to conduct a postmortem analysis after experiencing a loss from an information security attack. The PRIMARY purpose of this analysis should be to: A. evaluate the impact. B. prepare for criminal prosecution. C. document lessons learned. D. update information security policies. Â Suggested Answer: C
When a critical system incident is reported, the FIRST step of the incident handler should be to: A. power off the system. B. determine the scope of the incident. C. validate the incident. D. notify the appropriate parties. Â Suggested Answer: C
A multinational organization is introducing a security governance framework. The information security manager's concern is that regional security practices differ. Which of the following should be evaluated FIRST? A. Training requirements of the framework B. Global framework standards C. Cross-border data mobility D. Local regulatory requirements  Suggested Answer: D
Several months after the installation of a new firewall with intrusion prevention features to block malicious activity, a breach was discovered that came in through the firewall shortly after installation. This breach could have been detected earlier by implementing firewall: A. web surfing controls B. packet filtering C. application awareness D. log monitoring  Suggested Answer: B
Which of the following BEST enables successful identification of a potential IT security incident? A. Configuration management standards B. Event correlation C. Network intrusion detection systems (NIDS) D. File integrity monitoring  Suggested Answer: B
Which of the following is MOST important when providing updates during a security incident? A. Responding immediately to questions from the public B. Validating the reliability of information prior to dissemination C. Designating a communications representative D. Ensuring timely incident information to internal stakeholders  Suggested Answer: C
Which of the following BEST demonstrates the added value of an information security program? A. Security baselines B. A gap analysis C. A SWOT analysis D. A balanced scorecard  Suggested Answer: D
To overcome the perception that security is a hindrance to business activities, it is important for an information security manager to: A. focus on compliance B. reiterate the necessity of security C. promote the relevance and contribution of security D. rely on senior management to enforce security  Suggested Answer: C
Which of the following tasks should he performed once a disaster recovery plan (DRP) has been developed? A. Identify recovery time objectives (RTOs) B. Develop the test plan C. Analyze the business impact D. Define response team roles  Suggested Answer: B
Which of the following should be the MOST important consideration of business continuity management? A. Ensuring human safety B. Securing critical information assets C. Ensuring the reliability of backup data D. Identifying critical business processes  Suggested Answer: A
Which of the following should be the FIRST step of incident response procedures? A. Classify the event depending on severity and type B. Perform a risk assessment to determine the business impact C. Evaluate the cause of the control failure D. Identify if there is a need for additional technical assistance  Suggested Answer: A
Which of the following is the BEST method for reducing the risk of data loss due to phishing attacks? A. Changing passwords frequently B. Implementing data loss prevention C. Using spam filtering solutions D. Educating users  Suggested Answer: D
Which of the following tools provides an incident response team with the GREATEST insight into insider threat activity across multiple systems? A. An identity and access management (IAM) system B. A virtual private network (VPN) with multi-factor authentication C. A security information and event management (SIEM) system D. An intrusion prevention system (IPS) Â Suggested Answer: C
Which of the following is MOST important to the effectiveness of an information security program? A. The program is aligned to legal and regulatory requirements B. The program is aligned to a security control framework C. Annual audits of the program are conducted D. Users are trained on security policies and procedures  Suggested Answer: B
Conducting a business impact analysis (BIA) BEST helps to identify: A. asset inventory B. mitigation costs C. residual risk D. system criticality  Suggested Answer: D
An employee who denies accusations of downloading inappropriate material to an organizational device has been discharged. In support of the disciplinary action the collection of legal evidence is required. Which of the following is the information security manager's BEST recommendation? A. Delete all inappropriate material after taking a local copy B. Create a forensic image of the original file system C. Log in to the employee's device and create a local copy to USB drive D. Rely on server backup allowing strict access control  Suggested Answer: B
An information security manager wants to implement a security information and event management (SIEM) system that will aggregate log data from all systems that control perimeter access. Which of the following would BEST support the business case for this initiative to senior management? A. Industry examples of threats detected using a SIEM system B. Alignment with industry best practices C. Independent evidence of a SIEM system's ability to reduce risk D. Metrics related to the number of systems to be consolidated  Suggested Answer: C
The PRIMARY objective of performing a post-incident review is to: A. identify control improvements B. identify vulnerabilities C. re-evaluate the impact of incidents D. identify the root cause  Suggested Answer: A
In a call center, the BEST reason to conduct a social engineering exercise is to: A. gain funding for information security initiatives B. identify candidates for additional security training C. improve password policy D. minimize the likelihood of successful attacks  Suggested Answer: D
The PRIMARY purpose of a penetration test is to: A. test network load capability B. validate firewall and router configuration C. provide assurance of the security of the network D. identify vulnerabilities at a particular point in time  Suggested Answer: C
An information security policy was amended recently to support an organization's new information security strategy. Which of the following should be the information security manager's NEXT step? A. Evaluate the alignment with business strategy B. Update standards and procedures C. Review technical controls D. Refresh the security training program  Suggested Answer: B
Which of the following needs to be established FIRST in order to categorize data properly? A. A data protection policy B. A data flow diagram C. A data classification framework D. A data custodian  Suggested Answer: C
Which of the following is the BEST course of action when confidential information is inadvertently disseminated outside the organization? A. Change the encryption keys B. Declare an incident C. Review compliance requirements D. Communicate the exposure  Suggested Answer: B
An organization is performing an annual review of its risk landscape. Which of the following anticipated changes will have the MOST significant impact on the information security strategy? A. The renewal and renegotiation of the organization's contract with its managed security services provider B. Migration of personal data to a new database system on a different server platform C. The expansion to an international location with unfamiliar security and privacy regulations D. Replacement of the aging enterprise-wide core firewall infrastructure with a new solution from a different vendor  Suggested Answer: C
Which of the following provides the MOST assurance that a third-party hosting provider will be able to meet availability requirements? A. The third party's business continuity plan (BCP) B. The third party's incident response plan C. Right-to-audit clause D. Service level agreement (SLA) Â Suggested Answer: D
An organization permits the storage and use of its critical and sensitive information on employee-owned smartphones. Which of the following is the BEST security control? A. Monitoring now often the smartphone is used B. Developing security awareness training C. Requiring the backup of the organization s data by the user D. Establishing the authority to remote wipe  Suggested Answer: D
A spear phishing attack was used to trick a user into installing a Trojan onto a workstation. Which of the following would have been MOST effective in preventing this attack from succeeding? A. Application control B. Website blocking C. Internet filtering D. Network encryption  Suggested Answer: C
An information security manager has been asked to provide regular status reports to senior management regarding the information security program. Which of the following would provide the MOST helpful information? A. A list detailing the latest threats B. Number of phishing incidents per month C. Remediation activities performed D. Key performance indicators (KPIs) Â Suggested Answer: D
During the initiation phase of the system development life cycle (SDLC) for a software project, information security activities should address: A. baseline security controls B. security objectives C. cost-benefit analyses D. benchmarking security metrics  Suggested Answer: B
Which of the following is the BEST way to reduce the risk associated with a successful social engineering attack targeting help desk staff? A. Conduct security awareness training B. Implement two-factor authentication C. Block access to social media sites D. Enforce role based access to help desk systems  Suggested Answer: A
During the implementation of a new system, which of the following processes proactively minimizes the likelihood of disruption unauthorized alterations and errors? A. Password management B. Version management C. Change management D. Configuration management  Suggested Answer: C
When evaluating the risk from external hackers the maximum exposure time would be the difference between: A. log refresh and restoration. B. identification and resolution. C. detection and response. D. compromise and containment. Â Suggested Answer: C
What should be the FIRST step when implementing data loss prevention (DLP) technology? A. Build a business case B. Perform due diligence with vendor candidates C. Classify the organization's data D. Perform a cost benefit analysis  Suggested Answer: C
When creating an incident response plan, the PRIMARY benefit of establishing a clear definition of a security incident is that it helps to: A. develop effective escalation and response procedures B. make tabletop testing more effective C. adequately staff and train incident response teams D. communicate the incident response process to stakeholders  Suggested Answer: A
A financial company executive is concerned about recently increasing cyberattacks and needs to take action to reduce risk. The organization would BEST respond by: A. increasing budget and staffing levels tor the incident response team B. revalidating and mitigating risks to an acceptable level C. implementing an intrusion detection system (IDS) D. testing the business continuity plan (BCP) Â Suggested Answer: B
The effectiveness of an information security governance framework will BEST be enhanced if: A. consultants review the information security governance framework B. IS auditors are empowered to evaluate governance activities C. a culture of legal and regulatory compliance is promoted by management D. risk management is built into operational and strategic activities  Suggested Answer: D
Which of the following should be an information security manager's FIRST course of action when developing an incident management and response plan? A. Reassess management's risk appetite B. Conduct a gap analysis C. Update the current risk register D. Revise the business continuity plan (BCP) Â Suggested Answer: A
An information security manager has observed multiple exceptions for a number of different security controls. Which of the following should be the information security manager's FIRST course of action? A. Prioritize the risk and implement treatment options B. Report the noncompliance to the board of directors C. Inform respective risk owners of the impact of exceptions D. Design mitigating controls tor the exceptions  Suggested Answer: C
Who is accountable for ensuring proper controls are in place to address the confidentiality and availability of an information system? A. Information order B. Business manager C. Senior management D. Information security manager  Suggested Answer: A
Which of the following is the MOST effective way to help assure the integrity of an organization's accounting system? A. Performing frequent security reviews of the audit log B. Implementing two-factor authentication C. Conducting an annual security audit of the system D. Providing security awareness training to accounting staff  Suggested Answer: A
An organization faces severe fines and penalties if not in compliance with local regulatory requirements by an established deadline. Senior management has asked the information security manager to prepare an action plan to achieve compliance. Which of the following would provide the MOST useful information for planning purposes? A. Results from a business impact analysts (BIA) B. Results from a gap analysis C. An inventory of security controls currently in place D. Deadlines and penalties for noncompliance  Suggested Answer: B
An organization's HR department requires that employee account privileges be removed from all corporate IT systems within three days of termination to comply with a government regulation. However, the systems all have different user directories, and it currently takes up to four weeks to remove the privileges. Which of the following would BEST enable regulatory compliance? A. Identity and access management (IAM) system B. Privileged access management (PAM) system C. Multi-factor authentication (MFA) system D. Governance risk, and compliance (GRC) system  Suggested Answer: A
The information security manager of a multinational organization has been asked to consolidate the information security policies of its regional locations. Which of the following would be of GREATEST concern? A. Varying threat environments B. Disparate reporting lines C. Conflicting legal requirements D. Differences in work culture  Suggested Answer: C
Which of the following is the MOST important requirement for a successful security program? A. Management decision on asset value B. Penetration testing on key systems C. Nondisclosure agreements (NDA) with employees D. Mapping security processes to baseline security standards  Suggested Answer: A
Which of the following is the GREATEST value provided by a security information and event management (SIEM) system? A. Facilitating the monitoring of risk occurrences B. Measuring impact of exploits on business processes C. Maintaining a repository base of security policies D. Redirecting event logs to an alternate location for business continuity plan (BCP) Â Suggested Answer: A
A critical vulnerability is found on a server hosting multiple applications owned by different business units. One of the business units finds its hosted application will not function with the patch applied and chooses to accept the risk. Which of the following should be the information security manager s NEXT course of action? A. Update the risk register B. Develop a business case for compensating controls C. Update the information security policy D. Consult the incident management process  Suggested Answer: B
The MOST important element in achieving executive commitment to an information security governance program is: A. identified business drivers. B. a process improvement model. C. established security strategies. D. a defined security framework. Â Suggested Answer: A
Which of the following recovery approaches generally has the LOWEST periodic cost? A. Shared contingency center B. Reciprocal agreement C. Redundant site D. Cold site  Suggested Answer: B
Which of the following BEST determines the allocation of resources during a security incident response? A. Defined levels of severity B. Senior management commitment C. A business continuity plan (BCP) D. An established escalation process  Suggested Answer: A
During the response to a serious security breach, who is the BEST organizational staff member to communicate with external entities? A. The resource designated by senior management B. The incident response team leader C. The resource specified in the incident response plan D. A dedicated public relations spokesperson  Suggested Answer: A
Which of the following is the BEST way to demonstrate the alignment of the information security strategy with the business strategy? A. Show the relationship between information security goals and corporate goals. B. Compare the allocated budget for business with the information security budget. C. Present senior management's approval of information security policies. D. Provide evidence that information security is included in the change management process. Â Suggested Answer: A
A newly appointed information security manager has been asked to update all security-related policies and procedures that have been static for five years or more. What is the BEST next step? A. To gain an understanding of the current business direction B. To update in accordance with the best business practices C. To perform a risk assessment of the current IT environment D. To assess corporate culture  Suggested Answer: D
Implementing the principle of least privilege PRIMARILY requires the identification of: A. job duties. B. primary risk factors. C. authentication controls. D. data owners. Â Suggested Answer: A
Which of the following is MOST helpful in preventing cybersecurity incidents? A. Testing the backup plan according to a defined schedule B. Documenting and testing incident response plans C. Delivering periodic end-user security awareness training D. Implementing best practice password parameters  Suggested Answer: C
Which of the following is the MOST important consideration when determining which type of failover site to employ? A. Disaster recovery test results B. Reciprocal agreements C. Recovery time objectives (RTOs) D. Data retention requirements  Suggested Answer: C
A risk owner has accepted a large amount of risk due to the high cost of controls. Which of the following should be the information security manager's PRIMARY focus in this situation? A. Conducting an independent review of risk responses B. Establishing a strong ongoing risk monitoring process C. Presenting the risk profile for approval by the risk owner D. Updating the information security standards to include the accepted risk  Suggested Answer: B
Which of the following is the MOST important constraint to be considered when developing an information security strategy? A. Established security policies and standards B. Information security architecture C. Compliance with an international security standard D. Legal and regulatory requirements  Suggested Answer: D
Which of the following would BEST justify continued investment in an information security program? A. Speed of implementation B. Reduction in residual risk C. Industry peer benchmarking D. Security framework alignment  Suggested Answer: B
Which of the following BEST facilitates the effective execution of an incident response plan? A. The plan is based on industry best practice. B. The incident response plan aligns with the IT disaster recovery plan (DRP). C. The plan is based on risk assessment results. D. The response team is trained on the plan. Â Suggested Answer: D
Which of the following is the PRIMARY reason that an information security manager should restrict the use of generic administrator accounts in a multi-user environment? A. To prevent accountability issues B. To ensure segregation of duties is maintained C. To ensure system audit trails are not bypassed D. To prevent unauthorized user access  Suggested Answer: A
Which of the following documents should contain the INITIAL prioritization of recovery of services? A. Threat assessment B. IT risk analysis C. Business impact analysis (BIA) D. Business process map  Suggested Answer: C
The department head of application development has decided to accept the risks identified in a recent assessment. No recommendations will be implemented, even though the recommendations are required by regulatory oversight. What should the information security manager do NEXT? A. Formally document the decision. B. Review the regulations. C. Review the risk monitoring plan. D. Perform a risk reassessment. Â Suggested Answer: D
A company has a remote office located in a different country. The company's chief information security officer (CISO) has just learned of a new regulatory requirement mandated by the country of the remote office. Which of the following should be the NEXT step? A. Integrate new requirements into the corporate policies B. Evaluate whether the new regulation impacts information security C. Create separate security policies and procedures for the new regulation D. Implement the requirement at the remote office location  Suggested Answer: B
When integrating security risk management into an organization it is MOST important to ensure: A. the risk management methodology follows an established framework. B. business units approve the risk management methodology. C. the risk treatment process is defined. D. information security policies are documented and understood. Â Suggested Answer: B
Mitigating technology risks to acceptable levels should be based PRIMARILY upon: A. business process requirements. B. business process reengineering. C. legal and regulatory requirements. D. information security budget. Â Suggested Answer: D
For the information security manager, integrating the various assurance functions of an organization is important PRIMARILY to enable: A. consistent security. B. a security-aware culture. C. compliance with policy. D. comprehensive audits. Â Suggested Answer: D
An organization has concerns regarding a potential advanced persistent threat (APT). To ensure that the risk associated with this threat is appropriately managed, what should be the organization's FIRST action? A. Implement additional controls. B. Report to senior management. C. Initiate incident response processes. D. Conduct an impact analysis. Â Suggested Answer: C
Which of the following roles is accountable for ensuring the impact of a new regulatory framework on a business system is assessed? A. Senior management B. Application owner C. Legal representative D. Information security manager  Suggested Answer: B
Which of the following is the FIRST step in developing a business continuity plan (BCP)? A. Identify critical business processes. B. Determine the business recovery strategy C. Determine available resources D. Identify the applications with the shortest recovery time objectives (RTOs) Â Suggested Answer: A
A multinational organization is required to follow governmental regulations with different security requirements at each of its operating locations. The chief information security officer (CISO) should be MOST concerned with: A. developing a security program that meets global and regional requirements. B. ensuring effective communication with local regulatory bodies. C. monitoring compliance with defined security policies and standards. D. using industry best practice to meet local legal regulatory requirements. Â Suggested Answer: A
Which of the following is the MOST important consideration when defining security configuration baselines? A. The baselines address applicable regulatory standards. B. The baselines are proportionate to risk. C. The baselines address known system vulnerabilities. D. The baselines align with lines of business. Â Suggested Answer: B
An anomaly-based intrusion detection system (IDS) operates by gathering data on: A. normal network behavior and using it as a baseline for measuring abnormal activity. B. abnormal network behavior and using it as 4 baseline for measuring normal activity. C. abnormal network behavior and issuing instructions to the firewall to drop rogue connections. D. attack pattern signatures from historical data. Â Suggested Answer: A
Which of the following factors would have the MOST significant impact on an organization's information security governance model? A. Corporate culture B. Outsourced processes C. Number of employees D. Security budget  Suggested Answer: A
A newly appointed information security manager of a retailer with multiple stores discovers an HVAC (heating, ventilation, and air conditioning) vendor has remote access to the stores to enable real-time monitoring and equipment diagnostics. Which of the following should be the information security manager's FIRST course of action? A. Disconnect the real-time access. B. Conduct a penetration test of the vendor. C. Review the vendor contract. D. Review the vendor's technical security controls. Â Suggested Answer: D
Reverse lookups can be used to prevent successful: A. denial of service (DoS) attacks. B. phishing attacks. C. session hacking. D. Internet protocol (IP) spoofing. Â Suggested Answer: C
A post-incident review revealed that key stakeholders took longer than acceptable to decide whether an application should be shut down following a security breach. Which of the following is management's BEST course of action to rectify this issue? A. Improve incident response criteria. B. Improve incident response testing. C. Define incident classification. D. Establish containment procedures. Â Suggested Answer: C
To help ensure that an information security training program is MOST effective, its contents should be: A. aligned to business processes. B. based on employees' roles. C. based on recent incidents. D. focused on information security policy. Â Suggested Answer: B
A technical vulnerability assessment on a personnel information management server should be performed when: A. the data owner leaves the organization unexpectedly B. the number of unauthorized access attempts increases C. changes are made to the system configuration D. an unexpected server outage has occurred  Suggested Answer: C
An organization has purchased an Internet sales company to extend the sales department. The information security manager's FIRST step to ensure the security policy framework encompasses the new business model is to: A. perform a gap analysis. B. implement both companies' policies separately. C. merge both companies' policies. D. perform a vulnerability assessment. Â Suggested Answer: A
Relationships between critical systems are BEST understood by: A. performing a business impact analysis (BIA). B. developing a system classification scheme. C. evaluating key performance indicators (KPIs). D. evaluating the recovery time objectives (RTOs). Â Suggested Answer: A
Determining the risk for a particular threat/vulnerability pair before controls are applied can be expressed as: A. the likelihood of a given threat attempting to exploit a vulnerability. B. the magnitude of the impact, should a threat exploit a vulnerability. C. a function of the cost and effectiveness of controls over a vulnerability. D. a function of the likelihood and impact, should a threat exploit a vulnerability. Â Suggested Answer: D
When making decisions on prioritizing risk mitigation activities, which of the following would provide senior management with the MOST comprehensive information? A. Risk assessment report B. Risk action plan C. Risk register D. Internal audit report  Suggested Answer: A
What is the PRIMARY benefit of using key performance indicators (KPIs) for information security risk management? A. Set targets against which the organization's information security function can be evaluated. B. Prevent potential undesirable events from affecting information security. C. Identify risk events that have already occurred from affecting information security. D. Establish the process for setting organizational objectives in light of information security risk. Â Suggested Answer: A
Which of the following is the MOST important consideration when reporting on the status of information security activities? A. The report is comprehensive B. The report is updated on a regular basis C. The report is tailored to stakeholder needs D. The report structure is consistent with industry standards  Suggested Answer: C
Which of the following is the MOST important element when developing an information security strategy? A. Identifying and classifying information assets B. Determining the needs of the business C. Aligning to applicable laws and regulations D. Determining the risk management methodology  Suggested Answer: B
Which of the following has the GREATEST influence on an organization's information security strategy? A. Industry security standards B. The organizational structure C. The organization's risk tolerance D. Information security awareness  Suggested Answer: C
Which of the following is the MOST effective way to demonstrate alignment of information security strategy with business objectives? A. Balanced scorecard B. Benchmarking C. Heat map D. Risk matrix  Suggested Answer: A
An employee of an organization has reported losing a smartphone that contains sensitive information. The BEST step to address this situation is to: A. remotely wipe the device. B. terminate the device connectivity. C. disable the user's access to corporate resources. D. escalate to the user's management. Â Suggested Answer: A
During the eradication phase of an incident response, it is MOST important to: A. identify the root cause B. restore from the most recent backup C. notify affected users D. wipe the affected system  Suggested Answer: D
Which of the following should be an information security manager's FIRST course of action when a newly introduced privacy regulation affects the business? A. Identify and assess the risk in the context of business objectives B. Consult with IT staff and assess the risk based on their recommendations C. Update the security policy based on the regulatory requirements D. Propose relevant controls to ensure the business complies with the regulation  Suggested Answer: A
Which of the following should be done FIRST once a cybersecurity attack has been confirmed? A. Isolate the affected system B. Power down the system C. Notify senior management D. Contact legal authorities  Suggested Answer: A
Which of the following is an information security manager's BEST course of action to gain approval for investment in a technical control? A. Calculate the exposure factor B. Perform a cost-benefit analysis C. Conduct a risk assessment D. Conduct a business impact analysis (BIA) Â Suggested Answer: B
Which of the following is an important criterion for developing effective key risk indicators (KRIs) to monitor information security risk? A. The indicator should provide a retrospective view of risk impacts and be measured annually B. The indicator should focus on IT and accurately represent risk variances C. The indicator should align with key performance indicators (KPIs) and measure root causes of process performance issues D. The indicator should possess a high correlation with a specific risk and be measured on a regular basis  Suggested Answer: D
A health care organization's information security manager is notified of a possible breach of critical patient data involving a large volume of records. What should the information security manager do FIRST? A. Notify health care regulators B. Escalate the breach to senior management C. Validate whether the breach occurred D. Assess the possible impact of the breach. Â Suggested Answer: C
Which of the following presents the GREATEST risk associated with the use of an automated security information and event management (SIEM) system? A. Low number of false negatives B. High number of false negatives C. Low number of false positives D. High number of false positives  Suggested Answer: B
Of the following, who should the security manager consult FIRST when determining the severity level of a security incident involving a third-party vendor? A. Risk manager B. Business partners C. IT process owners D. Business process owners  Suggested Answer: D
Recommendations for enterprise investment in security technology should be PRIMARILY based on: A. availability of financial resources B. alignment with business needs C. the organization's risk tolerance D. adherence to international standards  Suggested Answer: D
When implementing a security policy for an organization handling personally identifiable information (PII), the MOST important objective should be: A. strong encryption B. regulatory compliance C. security awareness training D. data availability  Suggested Answer: B
An information security manager has received confirmation that the organization's e-commerce website was breached, exposing customer information. What should be done FIRST? A. Inform affected customers B. Perform a vulnerability assessment C. Execute the incident response plan D. Take the affected systems offline  Suggested Answer: C
Which of the following would be MOST useful when illustrating to senior management the status of a recently implemented information security governance framework? A. Periodic testing results B. A risk assessment C. A maturity model D. A threat assessment  Suggested Answer: C
An organization that has outsourced its incident management capabilities just discovered a significant privacy breach by an unknown attacker. Which of the following is the MOST important action of the information security manager? A. Follow the outsourcer's response plan B. Refer to the organization's response plan C. Notify the outsourcer of the privacy breach D. Alert the appropriate law enforcement authorities  Suggested Answer: C
Which of the following would BEST support an information security manager's efforts to obtain management approval for an identity and access management (IAM) system implementation? A. A recent security incident involving access authorization B. An established security policy with access management requirements C. A third-party audit finding based on regulatory requirements D. A business case proposal for the solution  Suggested Answer: D
Internal audit has reported a number of information security issues that are not in compliance with regulatory requirements. What should the information security manager do FIRST? A. Create a security exception B. Assess the risk to business operations C. Perform a vulnerability assessment D. Perform a gap analysis to determine needed resources  Suggested Answer: B
An organization is about to purchase a rival organization. The PRIMARY reason for performing information security due diligence prior to making the purchase is to: A. determine the security exposures B. assess the ability to integrate the security department operations C. ensure compliance with international standards D. evaluate the security policy and standards  Suggested Answer: A
When considering whether to adopt bring your own device (BYOD), it is MOST important for the information security manager to ensure that: A. the applications are tested prior to implementation B. security controls are applied to each device when joining the network C. users have read and signed acceptable use agreements D. business leaders have an understanding of security risks  Suggested Answer: D
The security baselines of an organization should be based on: A. procedures. B. standards. C. policies. D. guidelines. Â Suggested Answer: B
Which of the following would be MOST effective in changing the security culture and behavior of staff? A. Promoting the information security mission within the enterprise B. Enforcing strict technical information security controls C. Auditing compliance with the information security policy D. Developing procedures to enforce the information security policy  Suggested Answer: D
Which of the following MUST be performed once risk has been accepted? A. Reassess the risk on a regular basis. B. Calculate the business impact of acceptance. C. Flag the risk to avoid future reassessment. D. Remove the risk from the risk register. Â Suggested Answer: A
Which of the following is the MOST effective way to help ensure web developers understand the growing severity of web application security risks? A. Standardize secure web development practices B. Integrate security into the early phases of the development life cycle C. Incorporate security requirements into job descriptions D. Implement a tailored security awareness training program  Suggested Answer: D
When collecting admissible evidence, which of the following is the MOST important requirement? A. Need to know B. Due diligence C. Chain of custody D. Preserving audit logs  Suggested Answer: C
Which of the following is the MOST effective way to detect information security incidents? A. Establishing proper policies for response to threats and vulnerabilities B. Performing regular testing of the incident response program C. Providing regular and up-to-date training for the incident response team D. Educating end users on threat awareness and timely reporting  Suggested Answer: D
During the due diligence phase of an acquisition, the MOST important course of action for an information security manager is to: A. review the state of security awareness B. review information security policies C. perform a risk assessment D. perform a gap analysis  Suggested Answer: C
After the occurrence of a major information security incident, which of the following will BEST help an information security manager determine corrective actions? A. Preserving the evidence B. Performing an impact analysis C. Calculating cost of the incident D. Conducting a postmortem assessment  Suggested Answer: D
An organization's information security manager reads on social media that a recently purchased vendor product has been compromised and customer data has been posted online. What should the information security manager do FIRST? A. Activate the incident response program B. Validate the risk to the organization C. Perform a business impact analysis (BIA) D. Notify local law enforcement agencies of a breach  Suggested Answer: B
Which of the following analyses will BEST identify the external influences to an organization's information security? A. Threat analysis B. Business impact analysis (BIA) C. Gap analysis D. Vulnerability analysis  Suggested Answer: A
Which of the following would provide the MOST value to senior management when presenting the results of a risk assessment? A. Mapping the risks to existing controls B. Illustrating risk on a heat map C. Providing a technical risk assessment report D. Mapping the risks to the security classification scheme  Suggested Answer: B
Which of the following is the MOST effective approach to ensure IT processes are performed in compliance with the information security policies? A. Ensuring that key controls are embedded in the processes B. Providing information security policy training to the process owners C. Allocating sufficient resources D. Identifying risks in the processes and managing those risks  Suggested Answer: A
An organization's human resources (HR) department is planning to migrate a legacy application to a new application in the cloud. What is the BEST way for the information security manager to support this effort? A. Encrypt the data to the cloud so that the data is secure. B. Conduct vulnerability scans on the cloud provider. C. Update the policies to add controls for protecting the data. D. Conduct a security assessment on the cloud provider. Â Suggested Answer: D
What is the PRIMARY goal of an incident management program? A. Contain the incident B. Communicate to external entities C. Minimize impact to the organization D. Identify root cause  Suggested Answer: C
Which of the following backup methods requires the MOST time to restore data for an application? A. Disk mirroring B. Differential C. Incremental D. Full backup  Suggested Answer: C
The PRIMARY advantage of performing black-box control tests as opposed to white-box control tests is that they: A. require less IT staff preparation B. identify more threats C. simulate real-world attacks D. cause fewer potential production issues  Suggested Answer: A
Which of the following is the GREATEST inherent risk when performing a disaster recovery plan (DRP) test? A. Lack of communication to affected users B. Poor documentation of results and lessons learned C. Lack of coordination among departments D. Disruption to the production environment  Suggested Answer: B
Inadvertent disclosure of internal business information on social media is BEST minimized by which of the following? A. Implementing data loss prevention (DLP) solutions B. Limiting access to social media sites C. Developing social media guidelines D. Educating users on social media risks  Suggested Answer: B
Conflicting objectives are MOST likely to compromise the effectiveness of the information security process when information security management is: A. partially staffed by external security consultants B. combined with the change management function C. reporting to the network infrastructure manager D. outside of information technology  Suggested Answer: C
Which of the following is MOST important to the effectiveness of an information security program? A. Organizational culture B. Risk management C. IT governance D. Security metrics  Suggested Answer: A
An information security manager has been asked to provide contract guidance from a security perspective for outsourcing the organization's payroll processing Which of the following is MOST important to address? A. Vendor compliance with the most stringent data security regulations B. Vendor compliance with the organization's information security policies C. Vendor compliance with organizational service level agreement (SLA) requirements D. Vendor compliance with recognized industry security standards  Suggested Answer: B
Which of the following should include contact information for representatives of equipment and software vendors? A. Business continuity plan (BCP) B. Service level agreements (SLAs) C. Information security program charter D. Business impact analysis (BIA) Â Suggested Answer: A
Organization A offers e-commerce services and uses secure transport protocol! to protect Internet communication. To confirm communication with Organization A, which of the following would be the BEST for a client to verify? A. The certificate of the e-commerce server B. The browser's indication of SSL use C. The IP address of the e-commerce server D. The URL of the e-commerce server  Suggested Answer: A
Which of the following is the PRIMARY driver for determining the classification of application systems? A. The cost of repairing damage to system elements B. The extent that compromise can affect revenue C. The cost to implement regulatory requirements D. Controlling access based on the need to know  Suggested Answer: D
Which of the following departments should be responsible for classifying customer relationship management (CRM) system data on a database server maintained by IT? A. Sales B. Information security C. Human resources (HR) D. IT Â Suggested Answer: A
What is the role of the information security manager in finalizing contract negotiations with service providers? A. To perform a risk analysis on the outsourcing process B. To obtain a security standard certification from the provider C. To update security standards for the outsourced process D. To ensure that clauses for periodic audits are included  Suggested Answer: D
Which of the following is the BEST justification for making a revision to a password policy? A. A risk assessment B. Industry best practice C. Audit recommendation D. Vendor recommendation  Suggested Answer: A
Which of the following is MOST important for an information security manager to verify before conducting full-functional continuity testing? A. Incident response and recovery plans are documented in simple language B. Copies of recovery and incident response plans are kept offsite C. Teams and individuals responsible for recovery have been identified D. Risk acceptance by the business has been documented. Â Suggested Answer: D
The BEST indicator the effectiveness of a security program conducted for users is an increase in the number of: A. social engineering attempts reported to information security B. requests for more security training information C. participants in the security awareness program D. threats detected by information security staff  Suggested Answer: A
When preventive controls to appropriately mitigate risk are not feasible, which of the following is the MOST important action for the information security manager? A. Identifying unacceptable risk levels B. Assessing vulnerabilities C. Evaluating potential threats D. Managing the impact  Suggested Answer: D
Which of the following is MOST effective in reducing the financial impact following a security breach leading to data disclosure? A. Backup and recovery strategy B. A business continuity plan (BCP) C. A data loss prevention (DLP) solution D. An incident response plan  Suggested Answer: D
Which of the following is the MOST effective way to prevent information security incidents? A. Deploying intrusion detection tools in the network environment B. Deploying a consistent incident response approach C. Implementing a security information and event management (SIEM) tool D. Implementing a security awareness training program for employees  Suggested Answer: D
Which of the following is the MOST important consideration when updating procedures for managing security devices? A. Updates based on changes in risk, technology, and process B. Review and approval of procedures by management C. Updates based on the organization's security framework D. Notification to management of the procedural changes  Suggested Answer: A
Which of the following is the MAJOR advantage of conducting a post-incident review? The review: A. helps develop business cases for security monitoring tools B. provides continuous process improvement C. facilitates reporting on actions taken during the incident process D. helps identify current and desired level of risk  Suggested Answer: B
A modification to a critical system was not detected until the system was compromised. Which of the following will BEST help to prevent future occurrences? A. Conducting continuous network monitoring B. Improving the change control process C. Conducting continuous risk assessments D. Baselining server configurations  Suggested Answer: B
What would be the MAIN purpose of an immediate post-incident review after a comprehensive test of the incident response plan? A. To reduce costs associated with incident response efforts B. To determine ways to improve incident response plan processes C. To document weaknesses for the next incident response plan test D. To revalidate incident response plan activities  Suggested Answer: B
An organization recently activated its business continuity plan (BCP). All employees were notified during the event, but some did not fully follow the communications plan. What is the BEST way to prevent a recurrence? A. Perform tabletop testing with appropriate employees B. Reprimand employees for not following the plan C. Enhance external communication instructions in the BCP D. Incorporate BCP communication expectations in job descriptions  Suggested Answer: D
Which of the following is MOST helpful in determining an organization's current capacity to mitigate risks? A. Capability maturity model B. Vulnerability assessment C. Business impact analysis (BIA) D. IT security risk and exposure  Suggested Answer: A
Which of the following is the BEST way to present the status of an information security program to senior management? A. Detail latest security trends B. Display concise dashboards C. Provide detailed information regarding risk exposure D. Report on root causes of security incidents  Suggested Answer: B
Which of the following should be the PRIMARY basis for an information security strategy? A. Audit and regulatory requirements B. Information security policies C. The organization's vision and mission D. Results of a comprehensive gap analysis  Suggested Answer: D
What should an information security manager do FIRST to establish a roadmap for security investments? A. Perform cost-benefit analyses of the investments B. Gain a thorough understanding of the organization's operating processes C. Establish business cases for proposed security investments D. Ensure investments are strategically aligned with business objectives  Suggested Answer: D
Which of the following is the MOST effective way to detect security incidents? A. Analyze penetration test results B. Analyze security anomalies C. Analyze recent security risk assessments D. Analyze vulnerability assessments  Suggested Answer: B
Which of the following should be the PRIMARY outcome of an information security program? A. Threat reduction B. Strategic alignment C. Risk elimination D. Cost reduction  Suggested Answer: B
The BEST indication of a change in risk that may negatively impact an organization is an increase in the number of: A. security incidents reported by staff to the information security team. B. malware infections detected by the organization's anti-virus software. C. alerts triggered by the security information and event management (SIEM) solution. D. events logged by the intrusion detection system (IDS). Â Suggested Answer: A
Which of the following is MOST important to consider when determining the criticality and sensitivity of an information asset? A. Results of business continuity testing B. Number of threats that can impact the asset C. Investment required to protect the asset D. Business functions supported by the asset  Suggested Answer: D
To prevent ransomware attacks, it is MOST important to ensure: A. adequate backup and restoration processes are in place. B. regular security awareness training is conducted. C. the latest security appliances are installed. D. updated firewall software is installed. Â Suggested Answer: A
A security policy exception is leading to an unexpected increase in the number of alerts about suspicious Internet traffic on an organization's network. Which of the following is the BEST course of action? A. Remove the rules that trigger the increased number of alerts. B. Present a risk analysis with recommendations to senior management. C. Update the risk register so that senior management is kept informed. D. Evaluate and update the enterprise network security architecture. Â Suggested Answer: D
The MAIN purpose of documenting information security guidelines for use within a large, international organization is to: A. explain the organization's preferred practices for security. B. ensure that all business units have the same strategic security goals. C. ensure that all business units implement identical security procedures. D. provide evidence for auditors that security practices are adequate. Â Suggested Answer: A
Senior management has launched an enterprise-wide initiative to streamline internal processes to reduce costs, including security processes. What should the information security manager rely on MOST to allocate resources efficiently? A. Capability maturity assessment B. Risk classification C. Return on investment (ROI) D. Internal audit reports  Suggested Answer: B
Which of the following would be of GREATEST assistance in determining whether to accept residual risk of a critical security system? A. Maximum tolerable outage (MTO) B. Recovery time objective (RTO) C. Available annual budget D. Cost-benefit analysis of mitigating controls  Suggested Answer: D
Which of the following should an information security manager do FIRST to address complaints that a newly implemented security control has slowed business operations? A. Conduct user awareness training. B. Remove the control and identify alternatives. C. Discuss the issue with senior management for direction. D. Validate whether the control is operating as intended. Â Suggested Answer: D
An information security manager is preparing incident response plans for an organization that processes personal and financial information. Which of the following is the MOST important consideration? A. Aligning with an established industry framework B. Determining budgetary constraints C. Identifying regulatory requirements D. Aligning with enterprise architecture (EA) Â Suggested Answer: C
An information security manager has identified that security risks are not being treated in a timely manner. Which of the following is the BEST way to address this situation? A. Assign a risk owner to each risk. B. Create mitigating controls to manage the risks. C. Provide regular updates about the current state of the risks. D. Re-perform risk analysis at regular intervals. Â Suggested Answer: A
Which of the following would be MOST useful in determining how an organization will be affected by a new regulatory requirement for cloud services? A. Data loss protection plan B. Risk assessment C. Information asset inventory D. Data classification policy  Suggested Answer: B
Which of the following provides the BEST evidence that a newly implemented security awareness program has been effective? A. There have been no reported successful phishing attempts since the training started. B. Employees from each department have completed the required training. C. There has been an increase in the number of phishing attempts reported. D. Senior management supports funding for ongoing awareness training. Â Suggested Answer: C
An organization is considering the deployment of encryption software and systems organization-wide. The MOST important consideration should be whether: A. a classification policy has been developed to incorporate the need for encryption B. the business strategy includes exceptions to the encryption standard C. data can be recovered if the encryption keys are misplaced D. the implementation supports the business strategy  Suggested Answer: D
From an information security perspective, legal issues associated with a transborder flow of technology-related items are MOST often related to: A. website transactions and taxation B. encryption tools and personal data. C. lack of competition and free trade. D. software patches and corporate data. Â Suggested Answer: B
Recovery time objectives (RTOs) are BEST determined by: A. database administrators (DBAs). B. business managers. C. executive management. D. business continuity officers. Â Suggested Answer: B
Embedding security responsibilities into job descriptions is important PRIMARILY because it: A. simplifies development of the security awareness program B. aligns security to the human resources (HR) function C. strengthens employee accountability D. supports access management. Â Suggested Answer: C
An information security manager finds a legacy application has no defined data owner. Of the following, who would be MOST helpful in identifying the appropriate data owner? A. The individual responsible for providing support for the application B. The individual who manages the process supported by the application C. The individual who manages users of the application D. The individual who has the most privileges within the application  Suggested Answer: B
An online trading company discovers that a network attack has penetrated the firewall. What should be the information security manager's FIRST response? A. Evaluate the impact to the business. B. Examine firewall logs to identify the attacker. C. Notify the regulatory agency of the incident. D. Implement mitigating controls. Â Suggested Answer: A
Which of the following is the BEST method for determining whether a firewall has been configured to provide a comprehensive perimeter defense? A. A port scan of the firewall from an internal source B. A simulated denial of service (DoS) attack against the firewall C. A validation of the current firewall rule set D. A ping test from an external source  Suggested Answer: C
To ensure that a new application complies with information security policy, the BEST approach is to: A. perform a vulnerability analysis B. review the security of the application before implementation C. integrate security functionality during the development stage D. periodically audit the security of the application  Suggested Answer: C
The PRIMARY goal of the eradication phase in an incident response process is to: A. provide effective triage and containment of the incident. B. remove the threat and restore affected systems. C. maintain a strict chain of custody. D. obtain forensic evidence from the affected system. Â Suggested Answer: B
Which of the following is MOST important to ensuring that incident management plans are executed effectively? A. Management support and approval has been obtained. B. An incident response maturity assessment has been conducted. C. A reputable managed security services provider has been engaged. D. The incident response team has the appropriate training. Â Suggested Answer: D
To inform a risk treatment decision, which of the following should the information security manager compare with the organization's risk appetite? A. Gap analysis results B. Level of risk treatment C. Configuration parameters D. Level of residual risk  Suggested Answer: D
Which of the following would be the MOST effective countermeasure against malicious programming that rounds down transaction amounts and transfers them to the perpetrator's account? A. Set up an agent to run a virus-scanning program across platforms. B. Ensure that proper controls exist for code review and release management. C. Implement controls for continuous monitoring of middleware transactions. D. Apply the latest patch programs to the production operating systems. Â Suggested Answer: B
Which of the following is the PRIMARY responsibility of an information security governance committee? A. Reviewing the information security risk register B. Approving changes to the information security strategy C. Discussing upcoming information security projects D. Reviewing monthly information security metrics  Suggested Answer: B
The MOST important information for influencing management's support of information security is: A. a report of a successful attack on a competitor. B. a demonstration of alignment with the business strategy. C. an identification of the overall threat landscape. D. an identification of organizational risks. Â Suggested Answer: B
What should be an information security manager's MOST important consideration when reviewing a proposed upgrade to a business unit's production database? A. Ensuring the application inventory is updated B. Ensuring residual risk is within appetite C. Ensuring a cost-benefit analysis is completed D. Ensuring senior management is aware of associated risk  Suggested Answer: B
Prior to implementing a bring your own device (BYOD) program, it is MOST important to: A. review currently utilized applications. B. survey employees for requested applications. C. select mobile device management (MDM) software. D. develop an acceptable use policy. Â Suggested Answer: D
When developing an incident escalation process, the BEST approach is to classify incidents based on: A. their root causes. B. information assets affected. C. recovery point objectives (RPOs). D. estimated time to recover. Â Suggested Answer: B
Which of the following is the PRIMARY objective of defining a severity hierarchy for security incidents? A. To streamline the risk analysis process B. To facilitate the classification of an organization's IT assets C. To prioritize available incident response resources D. To facilitate root cause analysis of incidents  Suggested Answer: C
For an enterprise implementing a bring your own device (BYOD) program, which of the following would provide the BEST security of corporate data residing on unsecured mobile devices? A. Device certification process B. Acceptable use policy C. Containerization solution D. Data loss prevention (DLP) Â Suggested Answer: C
Which of the following should be the PRIMARY driver for delaying the delivery of an information security awareness program? A. Change in senior management B. High employee turnover C. Employee acceptance D. Risk appetite  Suggested Answer: D
An organization is developing a disaster recovery strategy and needs to identify each application's criticality so that the recovery sequence can be established. Which of the following is the BEST course of action? A. Restore the applications with the shortest recovery times first B. Document the data flow and review the dependencies C. Perform a business impact analysis (BIA) on each application D. Identify which applications contribute the most cash flow  Suggested Answer: C
An organization's IT department needs to implement security patches. Recent reports indicate these patches could result in stability issues. Which of the following is the information security manager's BEST recommendation? A. Research alternative software solutions B. Evaluate the patches in a test environment C. Increase monitoring after patch implementation D. Research compensating security controls  Suggested Answer: B
An organization has established a bring your own device (BYOD) program. Which of the following is the MOST important security consideration when allowing employees to use personal devices for corporate applications remotely? A. Mandatory controls for maintaining security policy B. Mobile operating systems support C. Security awareness training D. Secure application development  Suggested Answer: C
What is the BEST way for an information security manager to ensure critical assets are prioritized in a new information security program? A. Update operating procedures to include new requirements. B. Conduct security awareness training. C. Conduct an inventory of information assets. D. Backup information assets and store them offsite. Â Suggested Answer: C
Which of the following would provide the MOST useful information when prioritizing controls to be added to a system? A. The risk register B. Balanced scorecard C. Compliance requirements D. Baseline to industry standards  Suggested Answer: A
An organization has recently acquired a smaller company located in a different geographic region. Which of the following is the BEST approach for addressing conflicts between the parent organization's security standards and local regulations affecting the acquired company? A. Adopt the standards of the newly acquired company B. Give precedence to the parent organization's standards C. Create a local version of the parent organization's standards D. Create a global version of the local regulations  Suggested Answer: C
A new regulatory requirement affecting an organization's information security program is released. Which of the following should be the information security manager's FIRST course of action? A. Conduct benchmarking B. Perform a gap analysis C. Notify the legal department D. Determine the disruption to the business  Suggested Answer: C
An organization wants to ensure its confidential data is isolated in a multi-tenanted environment at a well-known cloud service provider. Which of the following is the BEST way to ensure the data is adequately protected? A. Verify the provider follows a cloud service framework standard. B. Review the provider's information security policies and procedures. C. Obtain documentation of the encryption management practices. D. Ensure an audit of the provider is conducted to identify control gaps. Â Suggested Answer: D
An information security manager has become aware that a third-party provider is not in compliance with the statement of work (SOW). Which of the following is the BEST course of action? A. Assess the extent of the issue. B. Report the issue to legal personnel. C. Notify senior management of the issue. D. Initiate contract renegotiation. Â Suggested Answer: A
An incident response team recently encountered an unfamiliar type of cyber event. Though the team was able to resolve the issue, it took a significant amount of time to identify. What is the BEST way to help ensure similar incidents are identified more quickly in the future? A. Establish performance metrics for the team. B. Perform a post-incident review. C. Perform a threat analysis. D. Implement a SIEM solution. Â Suggested Answer: B
Who should an information security manager contact FIRST upon discovering that a cloud-based payment system used by the organization may be infected with malware? A. Senior management B. Affected customers C. Cloud service provider D. The incident response team  Suggested Answer: D
An organization's operations have been significantly impacted by a cyberattack resulting in data loss. Once the attack has been contained, what should the security team do NEXT? A. Update the incident response plan. B. Perform a root cause analysis. C. Implement compensating controls. D. Conduct a lessons learned exercise. Â Suggested Answer: B
Which of the following would BEST help to ensure an organization's security program is aligned with business objectives? A. The organization's board of directors includes a dedicated information security advisor. B. The security strategy is reviewed and approved by the organization's steering committee. C. Security policies are reviewed and approved by the chief information officer (CIO) D. Business leaders receive annual information security awareness training This question has been  Suggested Answer: B
When defining and communicating roles and responsibilities between an organization and cloud service provider, which of the following situations would present the GREATEST risk to the organization's ability to ensure information risk is managed appropriately? A. The service agreement uses a custom-developed RACI instead of an industry standard RACI to document responsibilities B. The organization believes the provider accepted responsibility for issues affecting security that the provider did not accept C. The organization and provider identified multiple information security responsibilities that neither party was planning to provide D. The service agreement results in unnecessary duplication of effort because shared responsibilities have not been clearly defined  Suggested Answer: B
An IT department plans to migrate an application to the public cloud. Which of the following is the information security manager's MOST important action in support of this initiative? A. Review cloud provider independent assessment reports. B. Provide cloud security requirements C. Evaluate service level agreements (SLAs) D. Calculate security implementation costs  Suggested Answer: A
An executive's personal mobile device used for business purposes is reported lost. The information security manager should respond based on: A. the acceptable use policy. B. asset management guidelines. C. the business impact analysis (BIA). D. incident classification. Â Suggested Answer: D
What is the BEST approach for the information security manager to reduce the impact on a security program due to turnover within the security staff? A. Recruit certified staff B. Revise the information security program C. Document security procedures D. Ensure everyone is trained in their roles  Suggested Answer: C
Which of the following roles is BEST suited to validate user access requirements during an annual user access review? A. Access manager B. System administrator C. Business owner D. IT director  Suggested Answer: C
For an organization that is experiencing outages due to malicious code, which of the following is the BEST index of the effectiveness of countermeasures? A. Number of virus infections detected B. Average recovery time per incident C. Amount of infection-related downtime D. Number of downtime-related help desk calls  Suggested Answer: C
Which of the following should be the MOST important consideration when reviewing an information security strategy? A. Changes to the security budget B. New business initiatives C. Internal audit findings D. Recent security incidents  Suggested Answer: A
Human resources (HR) is evaluating potential Software as a Service (SaaS) cloud services. Which of the following should the information security manager do FIRST to support this effort? A. Perform a cost-benefit analysis of using cloud services B. Conduct a security audit on the cloud service providers C. Review the cloud service providers' control reports D. Perform a risk assessment of adopting cloud services  Suggested Answer: D
Which of the following is the BEST way to evaluate the impact of threat events on an organization's IT operations? A. Risk assessment B. Penetration testing C. Scenario analysis D. Controls review  Suggested Answer: C
Which of the following BEST demonstrates that an anti-phishing campaign is effective? A. Improved staff attendance in awareness sessions B. Decreased number of incidents that have occurred C. Decreased number of phishing emails received D. Improved feedback on the anti-phishing campaign  Suggested Answer: D
The GREATEST benefit resulting from well-documented information security procedures is that they: A. facilitate security training of new staff. B. ensure that security policies are consistently applied. C. provide a basis for auditing security practices. D. ensure processes can be followed by temporary staff. Â Suggested Answer: B
Which of the following is the MOST reliable way to ensure network security incidents are identified as soon as possible? A. Install stateful inspection firewalls. B. Conduct workshops and training sessions with end users. C. Collect and correlate IT infrastructure event logs. D. Train help desk staff to identify and prioritize security incidents. Â Suggested Answer: C
Which of the following would BEST help to ensure compliance with an organization's information security requirements by an IT service provider? A. Requiring an external security audit of the IT service provider B. Defining the business recovery plan with the IT service provider C. Defining information security requirements with internal IT D. Requiring regular reporting from the IT service provider  Suggested Answer: A
Which of the following is MOST important to include in an information security status report to senior management? A. Review of information security policies B. List of recent security events C. Key risk indicators (KRIs) D. Information security budget requests  Suggested Answer: C
Which of the following MOST effectively allows for disaster recovery testing without interrupting business operations? A. Structured walk-through B. Simulation testing C. Parallel testing D. Full interruption testing  Suggested Answer: C
Which of the following is the PRIMARY reason that an information security manager would contract with an external provider to perform penetration testing? A. To obtain an independent network security certification B. To mitigate gaps in technical skills C. To obtain an independent view of vulnerabilities D. To obtain the full list of system vulnerabilities  Suggested Answer: B
An organization has decided to outsource its disaster recovery function. Which of the following is the MOST important consideration when drafting the service level agreement (SLA)? A. Testing requirements B. Authorization chain C. Recovery time objectives (RTOs) D. Recovery point objectives (RPOs) Â Suggested Answer: A
What is the PRIMARY objective of implementing standard security configurations? A. Maintain a flexible approach to mitigate potential risk to unsupported systems. B. Minimize the operational burden of managing and monitoring unsupported systems. C. Compare configurations between supported and unsupported systems. D. Control vulnerabilities and reduce threats from changed configurations. Â Suggested Answer: D
Which of the following is MOST important to ensure when considering exceptions to an information security policy? A. Exceptions are approved by executive management. B. Exceptions undergo regular review. C. Exceptions reflect the organizational risk appetite. D. Exceptions are based on data classification. Â Suggested Answer: C
An external security audit has reported multiple instances of control noncompliance. Which of the following is MOST important for the information security manager to communicate to senior management? A. The impact of noncompliance on the organization's risk profile B. An accountability report to initiate remediation activities C. Control owner responses based on a root cause analysis D. A plan for mitigating the risk due to noncompliance  Suggested Answer: A
An organization's security policy is to disable access to USB storage devices on laptops and desktops. Which of the following is the STRONGEST justification for granting an exception to the policy? A. Users accept the risk of noncompliance. B. The benefit is greater than the potential risk. C. USB storage devices are enabled based on user roles. D. Access is restricted to read-only. Â Suggested Answer: B
Which of the following is an information security manager's FIRST priority after a high-profile system has been compromised? A. Implement improvements to prevent recurrence. B. Identify the malware that compromised the system. C. Restore the compromised system. D. Preserve incident-related data. Â Suggested Answer: C
Which of the following has the MOST direct impact on the usability of an organization's asset classification policy? A. The granularity of classifications in the hierarchy B. The support of IT management for the classification scheme C. The frequency of updates to the organization's risk register D. The business objectives of the organization  Suggested Answer: D
A corporate information security program is BEST positioned for success when: A. staff is receptive to the program. B. senior management supports the program. C. security is thoroughly assessed in the program. D. the program aligns with industry best practice. Â Suggested Answer: B
Following a significant change to the underlying code of an application, it is MOST important for the information security manager to: A. inform senior management. B. update the risk assessment. C. validate the user acceptance testing (UAT). D. modify key risk indicators (KRIs). Â Suggested Answer: D
Which of the following is the PRIMARY responsibility of an information security steering committee composed of management representation from business units? A. Oversee the execution of the information security strategy. B. Perform business impact analyses (BIAs). C. Manage the implementation of the information security plan. D. Monitor the treatment of information security risk. Â Suggested Answer: A
Audit trails of changes to source code and object code are BEST tracked through: A. use of compilers. B. code review. C. program library software. D. job control statements. Â Suggested Answer: C
Which of the following should be determined FIRST when preparing a risk communication plan? A. Reporting content B. Communication channel C. Target audience D. Reporting frequency  Suggested Answer: C
Which of the following will protect the confidentiality of data transmitted over the Internet? A. Message digests B. Encrypting file system C. Network address translation D. IPsec protocol  Suggested Answer: D
Which of the following would MOST effectively communicate the benefits of an information security program to executive management? A. Key performance indicators (KPIs) B. Threat models C. Key risk indicators (KRIs) D. Industry benchmarks  Suggested Answer: A
Which of the following processes can be used to remediate identified technical vulnerabilities? A. Updating the business impact analysis (BIA) B. Performing penetration testing C. Enforcing baseline configurations D. Conducting a risk assessment  Suggested Answer: A
Which of the following BEST enables the detection of advanced persistent threats (APTs)? A. Vulnerability scanning B. Security information and event management system (SIEM) C. Internet gateway filtering D. Periodic reviews of intrusion prevention system (IPS) Â Suggested Answer: A
Which of the following is the BEST way to strengthen the security of corporate data on a personal mobile device? A. Implementing a strong password policy B. Using containerized software C. Mandating use of pre-approved devices D. Implementing multi-factor authentication  Suggested Answer: C
An organization has implemented a new security control in response to a recently discovered vulnerability. Several employees have voiced concerns that the control disrupts their ability to work. Which of the following is the information security manager's BEST course of action? A. Evaluate compensating control options. B. Educate users about the vulnerability. C. Accept the vulnerability. D. Report the control risk to senior management. Â Suggested Answer: A
Which of the following would be MOST helpful when determining appropriate access controls for an application? A. Industry best practices B. Gap analysis results C. End-user input D. Data criticality  Suggested Answer: D
Which of the following would BEST help an organization's ability to manage advanced persistent threats (APT)? A. Having a skilled information security team B. Increasing the information security budget C. Using multiple security vendors D. Having network detection tools in place  Suggested Answer: D
An employee has just reported the loss of a personal mobile device containing corporate information. Which of the following should the information security manager do FIRST? A. Initiate incident response. B. Initiate a device reset. C. Conduct a risk assessment. D. Disable remote access. Â Suggested Answer: A
An organization has fallen victim to a spear-phishing attack that compromised the multi-factor authentication code. What is the information security manager's MOST important follow-up action? A. Communicate the threat to users. B. Install client anti-malware solutions. C. Implement firewall blocking of known attack signatures. D. Implement an advanced email filtering system. Â Suggested Answer: A
Which of the following is MOST important for an information security manager to communicate to stakeholders when approving exceptions to the information security policy? A. Impact on the risk profile B. Need for compensating controls C. Time period for review D. Requirements for senior management reporting  Suggested Answer: B
To implement effective continuous monitoring of IT controls, an information security manager needs to FIRST ensure: A. security alerts are centralized. B. periodic scanning of IT systems is in place. C. metrics are communicated to senior management. D. information assets have been classified. Â Suggested Answer: D
Which of the following would provide the BEST evidence to senior management that security control performance has improved? A. Demonstrated return on security investment B. Review of security metrics trends C. Results of an emerging threat analysis D. Reduction in inherent risk  Suggested Answer: B
An information security manager has identified the organization is not in compliance with new legislation that will soon be in effect. Which of the following is MOST important to consider when determining additional controls to be implemented? A. The information security strategy B. The organization's risk appetite C. The cost of noncompliance D. The information security policy  Suggested Answer: C
The PRIMARY benefit of a centralized time server is that it: A. decreases the likelihood of an unrecoverable systems failure. B. reduces individual time-of-day requests by client applications. C. allows decentralized logs to be kept in synchronization. D. is required by password synchronization programs. Â Suggested Answer: C
Which of the following is MOST appropriate to communicate to senior management regarding information risk? A. Risk profile changes B. Vulnerability scanning progress C. Defined risk appetite D. Emerging security technologies  Suggested Answer: A
A new information security manager finds that the organization tends to use short-term solutions to address problems. Resource allocation and spending are not effectively tracked, and there is no assurance that compliance requirements are being met. What should be done FIRST to reverse this bottom-up approach to security? A. Implement an information security awareness training program. B. Conduct a threat analysis. C. Establish an audit committee. D. Create an information security steering committee. Â Suggested Answer: D
An information security manager has been tasked with developing materials to update the board, regulatory agencies, and the media about a security incident. Which of the following should the information security manager do FIRST? A. Invoke the organization's incident response plan. B. Set up communication channels for the target audience. C. Create a comprehensive singular communication. D. Determine the needs and requirements of each audience. Â Suggested Answer: D
Which of the following is MOST appropriate to add to a dashboard for the purpose of illustrating an organization's risk level to senior management? A. Results of risk and control testing B. Number of reported incidents C. Budget variance for information security D. Risk heat map  Suggested Answer: D
When establishing escalation processes for an organization's computer security incident response team, the organization's procedures should: A. require events to be escalated whenever possible to ensure that management is kept informed. B. provide unrestricted communication channels to executive leadership to ensure direct access. C. specify step-by-step escalation paths to ensure an appropriate chain of command. D. recommend the same communication path for events to ensure consistency of communication. Â Suggested Answer: C
Which of the following is the MOST beneficial outcome of testing an incident response plan? A. The response includes escalation to senior management. B. Test plan results are documented. C. Incident response time is improved. D. The plan is enhanced to reflect the findings of the test. Â Suggested Answer: C
The PRIMARY goal of a post-incident review should be to: A. identify policy changes to prevent a recurrence. B. establish the cost of the incident to the business. C. determine why the incident occurred. D. determine how to improve the incident handling process. Â Suggested Answer: D
Which of the following will MOST effectively minimize the chance of inadvertent disclosure of confidential information? A. Applying data classification rules B. Following the principle of least privilege C. Restricting the use of removable media D. Enforcing penalties for security policy violations  Suggested Answer: B
Which type of control is an incident response team? A. Detective B. Directive C. Corrective D. Preventive  Suggested Answer: C
It is MOST important for an information security manager to ensure that security risk assessments are performed: A. during a root cause analysis. B. as part of the security business case. C. consistently throughout the enterprise. D. in response to the threat landscape. Â Suggested Answer: C
Which of the following BEST indicates the effectiveness of the vendor risk management process? A. Increase in the percentage of vendors certified to a globally recognized security standard B. Increase in the percentage of vendors with a completed due diligence review C. Increase in the percentage of vendors conducting mandatory security training D. Increase in the percentage of vendors that have reported security breaches  Suggested Answer: D
An organization has decided to store production data in a cloud environment. What should be the FIRST consideration? A. Data transfer B. Data classification C. Data backup D. Data isolation  Suggested Answer: B
What is the PRIMARY responsibility of the security steering committee? A. Implement information security control. B. Develop information security policy. C. Set direction and monitor performance. D. Provide information security training to employees. Â Suggested Answer: C
The PRIMARY objective of a risk response strategy should be: A. threat reduction. B. senior management buy-in. C. appropriate control selection. D. regulatory compliance. Â Suggested Answer: C
Which of the following should an information security manager do FIRST after a new cybersecurity regulation has been introduced? A. Consult corporate legal counsel. B. Conduct a cost-benefit analysis. C. Update the information security policy. D. Perform a gap analysis. Â Suggested Answer: D
Which of the following is the MOST important security feature an information security manager would need for a mobile device management (MDM) program? A. Ability to inventory devices B. Ability to remotely wipe devices C. Ability to locate devices D. Ability to push updates to devices  Suggested Answer: A
Which of the following is the MOST relevant factor when determining the appropriate escalation process in the incident response plan? A. Significance of the affected systems B. Number of resources allocated to respond C. Resilience capability of the affected systems D. Replacement cost of the affected systems  Suggested Answer: A
Management has expressed concerns to the information security manager that shadow IT may be a risk to the organization. What is the FIRST step the information security manager should take? A. Block the end user's ability to use shadow IT B. Update the security policy to address shadow IT C. Determine the value of shadow IT projects D. Determine the extent of shadow IT usage  Suggested Answer: D
The PRIMARY purpose for defining key risk indicators (KRIs) for a security program is to: A. support investments in the security program. B. compare security program effectiveness to benchmarks. C. provide information needed to take action. D. ensure mitigating controls meet specifications. Â Suggested Answer: C
Which of the following is the MOST effective way to protect the authenticity of data in transit? A. Digital signature B. Hash value C. Private key D. Public key  Suggested Answer: B
An organization shares customer information across its globally dispersed branches. Which of the following should be the GREATEST concern to information security management? A. Conflicting data protection regulations B. Cross-cultural differences between branches C. Insecure wide area networks (WANs) D. Decentralization of information security  Suggested Answer: A
An information security manager is assisting in the development of the request for proposal (RFP) for a new outsourced service. This will require the third party to have access to critical business information. The security manager should focus PRIMARILY on defining: A. security requirements for the process being outsourced B. risk-reporting methodologies C. service level agreements (SLAs) D. security metrics  Suggested Answer: A
Following a risk assessment, new countermeasures have been approved by management. Which of the following should be performed NEXT? A. Schedule the target end date for implementation activities. B. Develop an implementation strategy. C. Budget the total cost of implementation activities. D. Calculate the cost for each countermeasure. Â Suggested Answer: D
Which of the following is the MOST effective defense against malicious insiders compromising confidential information? A. Regular audits of access controls B. Strong background checks when hiring staff C. Prompt termination procedures D. Role-based access control  Suggested Answer: B
An information security manager is asked to provide a short presentation on the organization's current IT risk posture to the board of directors. Which of the following would be MOST effective to include in this presentation? A. Gap analysis results B. Risk register C. Threat assessment results D. Risk heat map  Suggested Answer: D
Which of the following provides the BEST assurance that a contracted third-party provider meets an organization's security requirements? A. Continuous monitoring B. Due diligence questionnaires C. Right-to-audit clause in the contract D. Performance metrics  Suggested Answer: A
An organization's senior management is encouraging employees to use social media for promotional purposes. Which of the following should be the information security manager s FIRST step to support this strategy? A. Incorporate social media into the security awareness program. B. Develop a guideline on the acceptable use of social media. C. Employ the use of a web content filtering solution. D. Develop a business case for a data loss prevention (DLP) solution. Â Suggested Answer: A
In addition to executive sponsorship and business alignment, which of the following is MOST critical for information security governance? A. Ownership of security B. Auditability of systems C. Allocation of training resources D. Compliance with policies  Suggested Answer: A
Which of the following is a PRIMARY responsibility of the information security governance function? A. Administering information security awareness training B. Advising senior management on optimal levels of risk appetite and tolerance C. Defining security strategies to support organizational programs D. Ensuring adequate support for solutions using emerging technologies  Suggested Answer: B
Which of the following is MOST important to the successful implementation of an information security program? A. Key performance indicators (KPIs) are defined. B. Adequate security resources are allocated to the program. C. A balanced scorecard is approved by the steering committee. D. The program is developed using global security standards. Â Suggested Answer: B
To address the issue that performance pressures on IT may conflict with information security controls, it is MOST important that: A. the steering committee provides guidance and dispute resolution. B. the security policy is changed to accommodate IT performance pressure. C. IT policies and procedures are better aligned to security policies. D. noncompliance issues are reported to senior management. Â Suggested Answer: A
Information security awareness programs are MOST effective when they are: A. sponsored by senior management. B. reinforced by computer-based training. C. customized for each target audience. D. conducted at employee orientation. Â Suggested Answer: C
Which of the following is MOST important to include when reporting information security risk to executive leadership? A. Key performance objectives and budget trends B. Security awareness training participation and residual risk exposures C. Risk analysis results and key risk indicators (KRIs) D. Information security risk management plans and control compliance  Suggested Answer: B
During which of the following development phases is it MOST challenging to implement security controls? A. Implementation phase B. Post-implementation phase C. Design phase D. Development phase  Suggested Answer: B
An employee is found to be using an external cloud storage service to share corporate information with a third-party consultant, which is against company policy. Which of the following should be the information security manager's FIRST course of action? A. Block access to the cloud storage service B. Determine the classification level of the information C. Seek business justification from the employee D. Inform higher management of a security breach  Suggested Answer: B
Which of the following is the MOST effective method of determining security priorities? A. Vulnerability assessment B. Gap analysis C. Threat assessment D. Impact analysis  Suggested Answer: D
A measure of the effectiveness of the incident response capabilities of an organization is the: A. number of incidents detected. B. number of employees receiving incident response training. C. reduction of the annual loss expectancy (ALE). D. time to closure of incidents. Â Suggested Answer: C
An organization is in the process of adopting a hybrid data infrastructure, transferring all non-core applications to cloud service providers, and maintaining all core business functions in-house. The information security manager has determined a defense in depth strategy should be used. Which of the following BEST describes this strategy? A. Separate security controls for applications, platforms, programs, and endpoints B. Multi-factor login requirements for cloud service applications, timeouts, and complex passwords C. Deployment of nested firewalls within the infrastructure D. Strict enforcement of role-based access control (RBAC) Â Suggested Answer: B
Which of the following is an information security manager's BEST approach when selecting cost-effective controls needed to meet business objectives? A. Conduct a gap analysis. B. Focus on preventive controls. C. Align with industry best practice. D. Align with the risk appetite. Â Suggested Answer: D
A risk was identified during a risk assessment. The business process owner has chosen to accept the risk because the cost of remediation is greater than the projected cost of a worst-case scenario. What should be the information security manager's NEXT course of action? A. Document and schedule a date to revisit the issue. B. Document and escalate to senior management. C. Shut down the business application. D. Determine a lower-cost approach to remediation. Â Suggested Answer: A
An organization wants to integrate information security into its human resource management processes. Which of the following should be the FIRST step? A. Identify information security risk associated with the processes B. Assess the business objectives of the processes C. Evaluate the cost of information security integration D. Benchmark the processes with best practice to identify gaps  Suggested Answer: B
The MOST effective way to continuously monitor an organization's cybersecurity posture is to evaluate its: A. compliance with industry regulations. B. key performance indicators (KPIs). C. level of support from senior management. D. timeliness in responding to attacks. Â Suggested Answer: D
Which of the following would provide the HIGHEST level of confidence in the integrity of data when sent from one party to another? A. Harden the communication infrastructure. B. Require files to be digitally signed before they are transmitted. C. Enforce multi-factor authentication on both ends of the communication. D. Require data to be transmitted over a secure connection. Â Suggested Answer: B
Which of the following is MOST important to the successful implementation of an information security program? A. Establishing key performance indicators (KPIs) B. Obtaining stakeholder input C. Understanding current and emerging technologies D. Conducting periodic risk assessments  Suggested Answer: B
Which of the following is the BEST way to strengthen the alignment of an information security program with business strategy? A. Establishing an information security steering committee B. Increasing the frequency of control assessments C. Providing organizational training on information security policies D. Increasing budget for risk assessments  Suggested Answer: A
Which of the following is necessary to determine what would constitute a disaster for an organization? A. Recovery strategy analysis B. Backup strategy analysis C. Risk analysis D. Threat probability analysis  Suggested Answer: C
Management has announced the acquisition of a new company. The information security manager of the parent company is concerned that conflicting access rights may cause critical information to be exposed during the integration of the two companies. To BEST address this concern, the information security manager should: A. escalate concerns for conflicting access rights to management. B. review access rights as the acquisition integration occurs. C. implement consistent access control standards. D. perform a risk assessment of the access rights. Â Suggested Answer: C
Which of the following metrics provides the BEST measurement of the effectiveness of a security awareness program? A. Variance of program cost to allocated budget B. The number of security breaches C. Mean time between incident detection and remediation D. The number of reported security incidents  Suggested Answer: C
The ULTIMATE responsibility for ensuring the objectives of an information security framework are being met belongs to: A. the board of directors. B. the information security officer. C. the steering committee. D. the internal audit manager. Â Suggested Answer: A
Which of the following is MOST likely to affect an organization's ability to respond to security incidents in a timely manner? A. Lack of senior management buy-in B. Inadequate detective control performance C. Misconfiguration of security information and event management (SIEM) tool D. Complexity of network segmentation  Suggested Answer: B
After a server has been attacked, which of the following is the BEST course of action? A. Isolate the system. B. Initiate incident response. C. Conduct a security audit. D. Review vulnerability assessment. Â Suggested Answer: B
When establishing classifications of security incidents for the development of an incident response plan, which of the following provides the MOST valuable input? A. Business impact analysis (BIA) results B. Recommendations from senior management C. The business continuity plan (BCP) D. Vulnerability assessment results  Suggested Answer: A
What is the FIRST line of defense against criminal insider activities? A. Signing security agreements by critical personnel B. Stringent and enforced access controls C. Validating the integrity of personnel D. Monitoring employee activities  Suggested Answer: D
The BEST way to report to the board on the effectiveness of the information security program is to present: A. a summary of the most recent audit findings. B. a report of cost savings from process improvements. C. peer-group industry benchmarks. D. a dashboard illustrating key performance metrics. Â Suggested Answer: D
An organization's outsourced firewall was poorly configured and allowed unauthorized access that resulted in downtime of 48 hours. Which of the following should be the information security manager's NEXT course of action? A. Reconfigure the firewall in accordance with best practices. B. Obtain supporting evidence that the problem has been corrected. C. Seek damages from the service provider. D. Revisit the contract and improve accountability of the service provider. Â Suggested Answer: B
Which is the MOST important requirement when establishing a process for responding to zero-day vulnerabilities? A. The IT team updates antivirus signatures on user systems. B. The IT team implements an emergency patch deployment process. C. Business users stop using the impacted application until a patch is released. D. The information security team implements recommended workarounds. Â Suggested Answer: D
An information security manager has determined that the mean time to prioritize information security incidents has increased to an unacceptable level. Which of the following processes would BEST enable the information security manager to address this concern? A. Incident classification B. Incident response C. Forensic analysis D. Vulnerability assessment  Suggested Answer: A
An information security manager discovers that newly hired privileged users are not taking necessary steps to protect critical information at their workstations. Which of the following is the BEST way to address this situation? A. Publish an acceptable use policy and require signed acknowledgment. B. Turn on logging and record user activity. C. Communicate the responsibility and provide appropriate training. D. Implement a data loss prevention (DLP) solution. Â Suggested Answer: C
Which of the following should be the MOST important consideration when prioritizing risk remediation? A. Evaluation of risk B. Duration of exposure C. Comparison to risk appetite D. Impact of compliance  Suggested Answer: D
To set security expectations across the enterprise, it is MOST important for the information security policy to be regularly reviewed and endorsed by: A. security administrators. B. senior management. C. the chief information security officer (CISO). D. the IT steering committee. Â Suggested Answer: B
Senior management wants to provide mobile devices to its sales force. Which of the following should the information security manager do FIRST to support this objective? A. Develop an acceptable use policy B. Conduct a vulnerability assessment on the devices C. Assess risks introduced by the technology D. Research mobile device management (MDM) solutions  Suggested Answer: A
An information security manager needs to ensure security testing is conducted on a new system. Which of the following would provide the HIGHEST level of assurance? A. The vendor provides the results of a penetration test and code review. B. An independent party is directly engaged to conduct testing. C. The internal audit team is enlisted to run a vulnerability assessment against the system. D. The security team conducts a self-assessment against a recognized industry framework. Â Suggested Answer: B
An organization performed a risk analysis and found a large number of assets with low-impact vulnerabilities. The NEXT action of the information security manager should be to: A. transfer the risk to a third party. B. determine appropriate countermeasures. C. report to management. D. quantify the aggregated risk. Â Suggested Answer: D
Organization A offers e-commerce services and uses secure transport protocol to protect Internet communication. To confirm communication with Organization A, which of the following would be the BEST for a client to verify? A. The URL of the e-commerce server B. The certificate of the e-commerce server C. The IP address of the e-commerce server D. The browser's indication of SSL use  Suggested Answer: B
Which of the following provides the MOST useful information for identifying security control gaps on an application server? A. Risk assessments B. Penetration testing C. Threat models D. Internal audit reports  Suggested Answer: B
Which of the following components of an information security risk assessment is MOST valuable to senior management? A. Residual risk B. Return on investment (ROI) C. Mitigation actions D. Threat profile  Suggested Answer: A
Which of the following is the PRIMARY benefit of implementing a maturity model for information security management? A. Gaps between current and desirable levels will be addressed. B. Information security management costs will be optimized. C. Information security strategy will be in line with industry best practice. D. Staff awareness of information security compliance will be promoted. Â Suggested Answer: A
An information security manager notes that security incidents are not being appropriately escalated by the help desk after tickets are logged. Which of the following is the BEST automated control to resolve this issue? A. Integrating automated service level agreement (SLA) reporting into the help desk ticketing system B. Changing the default setting for all security incidents to the highest priority C. Integrating incident response workflow into the help desk ticketing system D. Implementing automated vulnerability scanning in the help desk workflow  Suggested Answer: C
An information security manager's PRIMARY objective for presenting key risks to the board of directors is to: A. ensure appropriate information security governance. B. quantify reputational risks. C. meet information security compliance requirements. D. re-evaluate the risk appetite. Â Suggested Answer: A
Which of the following should be the PRIMARY consideration when implementing a data loss prevention (DLP) solution? A. Data ownership B. Data storage capabilities C. Data classification D. Selection of tools  Suggested Answer: C
Which of the following is the MOST important function of an information security steering committee? A. Evaluating the effectiveness of information security controls on a periodic basis B. Defining the objectives of the information security framework C. Conducting regular independent reviews of the state of security in the business D. Approving security awareness content prior to publication  Suggested Answer: B
When determining an acceptable risk level, which of the following is the MOST important consideration? A. Vulnerability scores B. System criticalities C. Risk matrices D. Threat profiles  Suggested Answer: B
The MOST important objective of security awareness training for business staff is to: A. understand intrusion methods. B. reduce negative audit findings. C. increase compliance. D. modify behavior. Â Suggested Answer: D
Which of the following is the PRIMARY responsibility of an information security steering committee? A. Setting up password expiration procedures B. Drafting security policies C. Prioritizing security initiatives D. Reviewing firewall rules  Suggested Answer: C
During a post-incident review, the sequence and correlation of actions must be analyzed PRIMARILY based on: A. a consolidated event timeline. B. logs from systems involved. C. interviews with personnel. D. documents created during the incident. Â Suggested Answer: A
Which of the following is the MOST important element in the evaluation of inherent security risks? A. Impact to the organization B. Control effectiveness C. Residual risk D. Cost of countermeasures  Suggested Answer: A
Recovery time objectives (RTOs) are an output of which of the following? A. Business continuity plan (BCP) B. Business impact analysis (BIA) C. Service level agreement (SLA) D. Disaster recovery plan (DRP) Â Suggested Answer: B
Which of the following is the MOST relevant information to include in an information security risk report to facilitate senior management's understanding of impact to the organization? A. Detailed assessment of the security risk profile B. Risks inherent in new security technologies C. Findings from recent penetration testing D. Status of identified key security risks  Suggested Answer: C
Which of the following is MOST important to include in a contract with a critical service provider to help ensure alignment with the organization's information security program? A. Escalation paths B. Termination language C. Key performance indicators (KPIs) D. Right-to-audit clause  Suggested Answer: C
Which of the following is the BEST way to determine if a recent investment in access control software was successful? A. Senior management acceptance of the access control software B. A comparison of security incidents before and after software installation C. A business impact analysis (BIA) of the systems protected by the software D. A review of the number of key risk indicators (KRIs) implemented for the software  Suggested Answer: C
Which of the following is the MOST effective way to mitigate the risk of confidential data leakage to unauthorized stakeholders? A. Create a data classification policy. B. Implement role-based access controls. C. Require the use of login credentials and passwords. D. Conduct information security awareness training. Â Suggested Answer: B
Which of the following is the MOST important consideration when reporting the effectiveness of an information security program to key business stakeholders? A. Linking security metrics to the business impact analysis (BIA) B. Demonstrating a decrease in information security incidents C. Demonstrating cost savings of each control D. Linking security metrics to business objectives  Suggested Answer: D
The PRIMARY purpose of establishing an information security governance framework should be to: A. establish the business case for strategic integration of information security in organizational efforts. B. document and communicate how the information security program functions within the organization. C. align information security strategy and investments to support organizational activities. D. align corporate governance, activities, and investments to information security goals. Â Suggested Answer: C
Senior management is concerned that the incident response team took unapproved actions during incident response that put business objectives at risk. Which of the following is the BEST way for the information security manager to respond to this situation? A. Update roles and responsibilities of the incident response team. B. Train the incident response team on escalation procedures. C. Implement a monitoring solution for incident response activities. D. Validate that the information security strategy maps to corporate objectives. Â Suggested Answer: A
An incident response team has determined there is a need to isolate a system that is communicating with a known malicious host on the Internet. Which of the following stakeholders should be contacted FIRST? A. The business owner B. Key customers C. Executive management D. System administrator  Suggested Answer: A
Which of the following external entities would provide the BEST guidance to an organization facing advanced attacks? A. Incident response experts from highly regarded peer organizations B. Open-source reconnaissance C. Recognized threat intelligence communities D. Disaster recovery consultants widely endorsed in industry forums  Suggested Answer: C
Which of the following should be an information security manager's MOST important criterion for determining when to review the incident response plan? A. When recovery time objectives (RTOs) are not met B. When missing information impacts recovery from an incident C. Before an internal audit of the incident response process D. At intervals indicated by industry best practice  Suggested Answer: D
During which stage of the software development life cycle (SDLC) should application security controls FIRST be addressed? A. Software code development B. Configuration management C. Requirements gathering D. Application system design  Suggested Answer: C
Which of the following should be of MOST concern to an information security manager reviewing an organization's data classification program? A. The classifications do not follow industry best practices. B. Labeling is not consistent throughout the organization. C. The program allows exceptions to be granted. D. Data retention requirements are not defined. Â Suggested Answer: B
Which of the following is PRIMARILY influenced by a business impact analysis (BIA)? A. Recovery strategy B. Risk mitigation strategy C. Security strategy D. IT strategy  Suggested Answer: B
The MAIN purpose of influenced by a business impact guideline for use within a large, international organization is to: A. explain the organization's preferred practices for security. B. ensure that all business units have the same strategic security goals. C. ensure that all business units implement identical security procedures. D. provide evidence for auditors that security practices are adequate. Â Suggested Answer: A
Which of the following is an information security manager's BEST course of action upon discovering an organization with budget constraints lacks several important security capabilities? A. Suggest the deployment of open-source security tools to mitigate identified risks. B. Establish a business case to demonstrate return on investment (ROI) of a security tool. C. Recommend that the organization avoid the most severe risks. D. Review the most recent audit report and request funding to address the most serious finding. Â Suggested Answer: B
An organization has experienced multiple instances of privileged users misusing their access. Which of the following processes would be MOST helpful in identifying such violations? A. Policy exception review B. Review of access controls C. Security assessment D. Log review  Suggested Answer: D
An information security manager discovers that the organization's new information security policy is not being followed across all departments. Which of the following should be of GREATEST concern to the information security manager? A. Business unit management has not emphasized the importance of the new policy. B. Different communication methods may be required for each business unit. C. The wording of the policy is not tailored to the audience. D. The corresponding controls are viewed as prohibitive to business operations. Â Suggested Answer: D
Which of the following is the BEST defense against a brute force attack? A. Intruder detection lockout B. Time-of-day restrictions C. Discretionary access control D. Mandatory access control  Suggested Answer: A
Which of the following is the MOST important reason to involve external forensics experts in evidence collection when responding to a major security breach? A. To provide the response team with expert training on evidence handling B. To ensure evidence is handled by qualified resources C. To prevent evidence from being disclosed to any internal staff members D. To validate the incident response process  Suggested Answer: B
Which of the following is the GREATEST benefit of integrating information security program requirements into vendor management? A. The ability to meet industry compliance requirements B. The ability to define service level agreements (SLAs) C. The ability to reduce risk in the supply chain D. The ability to improve vendor performance  Suggested Answer: C
Who should determine data access requirements for an application hosted at an organization's data center? A. Information security manager B. Business owner C. Data custodian D. Systems administrator  Suggested Answer: B
Which of the following is the MOST important objective of testing a security incident response plan? A. Ensure the thoroughness of the response plan. B. Verify the response assumptions are valid. C. Confirm that systems are recovered in the proper order. D. Validate the business impact analysis (BIA). Â Suggested Answer: B
Which of the following is the MOST important reason for performing a cost-benefit analysis when implementing a security control? A. To ensure that the mitigation effort does not exceed the asset value B. To ensure that benefits are aligned with business strategies C. To present a realistic information security budget D. To justify information security program activities  Suggested Answer: A
An information security manager wants to document requirements detailing the minimum security controls required for user workstations. Which of the following resources would be MOST appropriate for this purpose? A. Policies B. Standards C. Procedures D. Guidelines  Suggested Answer: B
Which of the following information BEST supports risk management decision making? A. Results of a vulnerability assessment B. Estimated savings resulting from reduced risk exposure C. Average cost of risk events D. Quantification of threats through threat modeling  Suggested Answer: B
Which of the following is MOST important to do after a security incident has been verified? A. Notify the appropriate law enforcement authorities of the incident. B. Follow the escalation process to inform key stakeholders. C. Prevent the incident from creating further damage to the organization. D. Contact forensic investigators to determine the root cause. Â Suggested Answer: B
Which of the following should be the PRIMARY driver for selecting and implementing appropriate controls to address the risk associated with weak user passwords? A. The organization's risk tolerance B. The organization's culture C. The cost of risk mitigation controls D. Direction from senior management  Suggested Answer: B
Which of the following is MOST important to consider when determining the effectiveness of the information security governance program? A. Key performance indicators (KPIs) B. Maturity models C. Risk tolerance levels D. Key risk indicators (KRIs) Â Suggested Answer: A
The business advantage of implementing authentication tokens is that they: A. provide nonrepudiation. B. reduce overall cost. C. reduce administrative workload. D. improve access security. Â Suggested Answer: C
In an organization that has several independent security tools including intrusion detection systems (IDSs) and firewalls, which of the following is the BEST way to ensure timely detection of incidents? A. Implement a log aggregation and correlation solution. B. Ensure that the incident response plan is endorsed by senior management. C. Ensure staff are cross trained to manage all security tools. D. Outsource the management of security tools to a service provider. Â Suggested Answer: A
Which of the following is the MAIN objective of a risk management program? A. Reduce corporate liability for information security incidents. B. Reduce risk to the level of the organization's risk appetite C. Reduce risk to the maximum extent possible D. Reduce costs associated with incident response. Â Suggested Answer: B
An information security manager was informed that a planned penetration test could potentially disrupt some services. Which of the following should be the FIRST course of action? A. Estimate the impact and inform the business owner. B. Accept the risk and document it in the risk register. C. Ensure the service owner is available during the penetration test. D. Reschedule the activity during an approved maintenance window. Â Suggested Answer: D
The PRIMARY advantage of single sign-on (SSO) is that it will: A. support multiple authentication mechanisms. B. strengthen user passwords. C. increase efficiency of access management. D. increase the security of related applications. Â Suggested Answer: C
Which of the following is BEST determined by using technical metrics? A. Whether controls are operating effectively B. How well security risk is being managed C. Whether security resources are adequately allocated D. How well the security strategy is aligned with organizational objectives  Suggested Answer: A
The use of a business case to obtain funding for an information security investment is MOST effective when the business case: A. relates the investment to the organization's strategic plan. B. realigns information security objectives to organizational strategy. C. articulates management's intent and information security directives in clear language. D. translates information security policies and standards into business requirements. Â Suggested Answer: B
Which of the following has the GREATEST impact on efforts to improve an organization's security posture? A. Well-documented security policies and procedures B. Supportive tone at the top regarding security C. Regular reporting to senior management D. Automation of security controls  Suggested Answer: B
Which of the following is the BEST strategy to implement an effective operational security posture? A. Increased security awareness B. Defense in depth C. Threat management D. Vulnerability management  Suggested Answer: B
In a cloud technology environment, which of the following would pose the GREATEST challenge to the investigation of security incidents? A. Non-standard event logs B. Access to the hardware C. Data encryption D. Compressed customer data  Suggested Answer: B
The PRIMARY goal of conducting a business impact analysis (BIA) as part of an overall continuity planning process is to: A. obtain the support of executive management. B. document the disaster recovery process. C. map the business process to supporting IT and other corporate resources. D. identify critical processes and the degree of reliance on support services. Â Suggested Answer: D
Which of the following is MOST important when selecting an information security metric? A. Ensuring the metric is repeatable B. Aligning the metric to the IT strategy C. Defining the metric in qualitative terms D. Defining the metric in quantitative terms  Suggested Answer: A
Which of the following is the BEST way for an information security manager to justify ongoing annual maintenance fees associated with an intrusion prevention system (IPS)? A. Establish and present appropriate metrics that track performance. B. Perform industry research annually and document the overall ranking of the IPS. C. Perform a penetration test to demonstrate the ability to protect. D. Provide yearly competitive pricing to illustrate the value of the IPS. Â Suggested Answer: C
An organization wants to enable digital forensics for a business-critical application. Which of the following will BEST help to support this objective? A. Install biometric access control. B. Develop an incident response plan. C. Define data retention criteria. D. Enable activity logging. Â Suggested Answer: D
An employee clicked on a link in a phishing email, triggering a ransomware attack. Which of the following should be the information security manager's FIRST step? A. Notify internal legal counsel. B. Isolate the impacted endpoints. C. Wipe the affected system. D. Notify senior management. Â Suggested Answer: B
A recent audit found that an organization's new user accounts are not set up uniformly. Which of the following is MOST important for the information security manager to review? A. Security policies B. Automated controls C. Guidelines D. Standards  Suggested Answer: D
Which of the following metrics is the BEST measure of the effectiveness of an information security program? A. Reduction in the amount of risk exposure in an organization B. Reduction in the number of threats to an organization C. Reduction in the cost of risk remediation for an organization D. Reduction in the number of vulnerabilities in an organization  Suggested Answer: A
Which of the following is the BEST course of action if the business activity residual risk is lower than the acceptable risk level? A. Update the risk assessment framework. B. Monitor the effectiveness of controls. C. Review the risk probability and impact. D. Review the inherent risk level. Â Suggested Answer: B
The BEST way to avoid session hijacking is to use: A. strong password controls. B. a firewall. C. a reverse lookup. D. a secure protocol. Â Suggested Answer: D
A critical server for a hospital has been encrypted by ransomware. The hospital is unable to function effectively without this server. Which of the following would MOST effectively allow the hospital to avoid paying the ransom? A. A continual server replication process B. Employee training on ransomware C. A properly tested offline backup system D. A properly configured firewall  Suggested Answer: C
Which of the following functions is MOST critical when initiating the removal of system access for terminated employees? A. Help desk B. Legal C. Information security D. Human resources (HR) Â Suggested Answer: D
The authorization to transfer the handling of an internal security incident to a third-party support provider is PRIMARILY defined by the: A. escalation procedures. B. information security manager. C. chain of custody. D. disaster recovery plan (DRP). Â Suggested Answer: A
What is the PRIMARY objective of performing a vulnerability assessment following a business system update? A. Improve the change control process. B. Update the threat landscape. C. Determine operational losses. D. Review the effectiveness of controls. Â Suggested Answer: D
Which of the following should an information security manager perform FIRST when an organization's residual risk has increased? A. Implement security measures to reduce the risk. B. Assess the business impact. C. Transfer the risk to third parties. D. Communicate the information to senior management. Â Suggested Answer: B
Which of the following is the PRIMARY reason for an information security manager to present the business case for an information security initiative to senior management? A. To aid management in the decision-making process for purchasing the solution B. To represent stakeholders who will benefit from enhancements in information security C. To provide management with the status of the information security program D. To demonstrate to management the due diligence involved with selecting the solution  Suggested Answer: D
During a security assessment, an information security manager finds a number of security patches were not installed on a server hosting a critical business application. The application owner did not approve the patch installation to avoid interrupting the application. Which of the following should be the information security manager's FIRST course of action? A. Report the risk to the information security steering committee. B. Determine mitigation options with IT management. C. Communicate the potential impact to the application owner. D. Escalate the risk to senior management. Â Suggested Answer: C
Which of the following BEST indicates an effective vulnerability management program? A. Security incidents are reported in a timely manner. B. Threats are identified accurately. C. Controls are managed proactively. D. Risks are managed within acceptable limits. Â Suggested Answer: D
Which of the following is the MOST effective way for an organization to ensure its third-party service providers are aware of information security requirements and expectations? A. Including information security clauses within contracts B. Auditing the service delivery of third-party providers C. Providing information security training to third-party personnel D. Requiring third parties to sign confidentiality agreements  Suggested Answer: A
The MOST important reason to use a centralized mechanism to identify information security incidents is to: A. comply with corporate policies B. detect threats across environments C. prevent unauthorized changes to networks D. detect potential fraud  Suggested Answer: B
Which of the following should be done FIRST when establishing security measures for personal data stored and processed on a human resources management system? A. Conduct a vulnerability assessment. B. Move the system into a separate network. C. Conduct a privacy impact assessment (PIA). D. Evaluate data encryption technologies. Â Suggested Answer: C
An information security manager has been informed of a new vulnerability in an online banking application, and a patch to resolve this issue is expected to be released in the next 72 hours. Which of the following should the information security manager do FIRST? A. Implement mitigating controls. B. Perform a business impact analysis (BIA). C. Perform a risk assessment. D. Notify senior management. Â Suggested Answer: A
Which of the following is MOST relevant for an information security manager to communicate to the board of directors? A. The level of exposure B. Vulnerability assessments C. The level of inherent risk D. Threat assessments  Suggested Answer: A
Senior management has just accepted the risk of noncompliance with a new regulation. What should the information security manager do NEXT? A. Report the decision to the compliance officer. B. Reassess the organization's risk tolerance. C. Update details within the risk register. D. Assess the impact of the regulation. Â Suggested Answer: D
Which of the following BEST provides an information security manager with sufficient assurance that a service provider complies with the organization's information security requirements? A. A live demonstration of the third-party supplier's security capabilities B. The ability to audit the third-party supplier's IT systems and processes C. Third-party security control self-assessment results D. An independent review report indicating compliance with industry standards  Suggested Answer: B
Which of the following is the MOST essential element of an information security program? A. Prioritizing program deliverables based on available resources B. Benchmarking the program with global standards for relevance C. Involving functional managers in program development D. Applying project management practices used by the business  Suggested Answer: B
Which of the following is BEST to include in a business case when the return on investment (ROI) for an information security initiative is difficult to calculate? A. Projected increase in maturity level B. Estimated increase in efficiency C. Projected costs over time D. Estimated reduction in risk  Suggested Answer: D
If the inherent risk of a business activity is higher than the acceptable risk level, the information security manager should FIRST: A. transfer risk to a third party to avoid cost of impact. B. recommend that management avoid the business activity. C. assess the gap between current and acceptable level of risk. D. implement controls to mitigate the risk to an acceptable level. Â Suggested Answer: C
Which of the following BEST enables the deployment of consistent security throughout international branches within a multinational organization? A. Remediation of audit findings B. Decentralization of security governance C. Establishment of security governance D. Maturity of security processes  Suggested Answer: C
What is the PRIMARY benefit of effective configuration management? A. Standardization of system support B. Reduced frequency of incidents C. Decreased risk to the organization's systems D. Improved vulnerability management  Suggested Answer: D
A large organization is in the process of developing its information security program that involves working with several complex organizational functions. Which of the following will BEST enable the successful implementation of this program? A. Security governance B. Security policy C. Security metrics D. Security guidelines  Suggested Answer: A
What is the BEST reason to keep information security policies separate from procedures? A. To keep policies from having to be changed too frequently B. To ensure that individual documents do not contain conflicting information C. To keep policy documents from becoming too large D. To ensure policies receive the appropriate approvals  Suggested Answer: A
A small organization has a contract with a multinational cloud computing vendor. Which of the following would present the GREATEST concern to an information security manager if omitted from the contract? A. Escrow of software code with conditions for code release B. Right of the subscriber to conduct onsite audits of the vendor C. Authority of the subscriber to approve access to its data D. Commingling of subscribers' data on the same physical server  Suggested Answer: C
An information security manager has identified a major security event with potential noncompliance implications. Who should be notified FIRST? A. Internal audit B. Public relations team C. Senior management D. Regulatory authorities  Suggested Answer: C
Which of the following is the PRIMARY purpose of establishing an information security governance framework? A. To proactively address security objectives B. To reduce security audit issues C. To enhance business continuity planning D. To minimize security risks  Suggested Answer: A
An organization is leveraging tablets to replace desktop computers shared by shift-based staff. These tablets contain critical business data and are inherently at increased risk of theft. Which of the following will BEST help to mitigate this risk? A. Implement remote wipe capability. B. Create an acceptable use policy. C. Conduct a mobile device risk assessment. D. Deploy mobile device management (MDM). Â Suggested Answer: D
When scoping a risk assessment, assets need to be classified by: A. sensitivity and criticality. B. likelihood and impact. C. threats and opportunities. D. redundancy and recoverability. Â Suggested Answer: A
Which of the following would BEST enable effective decision-making? A. Annualized loss estimates determined from past security events B. A universally applied list of generic threats, impacts, and vulnerabilities C. A consistent process to analyze new and historical information risk D. Formalized acceptance of risk analysis by business management  Suggested Answer: D
An information security manager wants to improve the ability to identify changes in risk levels affecting the organization's systems. Which of the following is the BEST method to achieve this objective? A. Performing business impact analyses (BIA) B. Monitoring key goal indicators (KGIs) C. Monitoring key risk indicators (KRIs) D. Updating the risk register  Suggested Answer: C
When developing an escalation process for an incident response plan, the information security manager should PRIMARILY consider the: A. affected stakeholders. B. incident response team. C. availability of technical resources. D. media coverage  Suggested Answer: A
Which of the following should be an information security managers MOST important consideration when determining if an information asset has been classified appropriately? A. Value to the business B. Security policy requirements C. Ownership of information D. Level of protection  Suggested Answer: A
The effectiveness of an incident response team will be GREATEST when: A. the incident response process is updated based on lessons learned. B. the incident response team members are trained security personnel. C. the incident response team meets on a regular basis to review log files. D. incidents are identified using a security information and event monitoring (SIEM) system. Â Suggested Answer: A
An information security manager MUST have an understanding of the organization's business goals to: A. relate information security to change management. B. develop an information security strategy. C. develop operational procedures D. define key performance indicators (KPIs). Â Suggested Answer: D
An information security manager MUST have an understanding of an information security program? A. Understanding current and emerging technologies B. Establishing key performance indicators (KPIs) C. Conducting periodic risk assessments D. Obtaining stakeholder input  Suggested Answer: D
An attacker was able to gain access to an organization's perimeter firewall and made changes to allow wider external access and to steal data. Which of the following would have BEST provided timely identification of this incident? A. Implementing a data loss prevention (DLP) suite B. Deploying an intrusion prevention system (IPS) C. Deploying a security information and event management system (SIEM) D. Conducting regular system administrator awareness training  Suggested Answer: C
When establishing metrics for an information security program, the BEST approach is to identify indicators that: A. support major information security initiatives. B. reflect the corporate risk culture. C. reduce information security program spending. D. demonstrate the effectiveness of the security program. Â Suggested Answer: D
For an organization that provides web-based services, which of the following security events would MOST likely initiate an incident response plan and be escalated to management? A. Anti-malware alerts on several employees' workstations B. Several port scans of the web server C. Multiple failed login attempts on an employee's workstation D. Suspicious network traffic originating from the demilitarized zone (DMZ) Â Suggested Answer: A
An information security manager is implementing a bring your own device (BYOD) program. Which of the following would BEST ensure that users adhere to the security standards? A. Publish the standards on the intranet landing page. B. Deploy a device management solution. C. Establish an acceptable use policy. D. Monitor user activities on the network. Â Suggested Answer: C
When monitoring the security of a web-based application, which of the following is MOST frequently reviewed? A. Audit reports B. Access logs C. Access lists D. Threat metrics  Suggested Answer: B
Which of the following is the MOST effective way for an information security manager to ensure that security is incorporated into an organization's project development processes? A. Develop good communications with the project management office (PMO). B. Participate in project initiation, approval, and funding. C. Conduct security reviews during design, testing, and implementation. D. Integrate organization's security requirements into project management. Â Suggested Answer: D
Which of the following provides the MOST relevant information to determine the overall effectiveness of an information security program and underlying business processes? A. SWOT analysis B. Industry benchmarks C. Cost-benefit analysis D. Balanced scorecard  Suggested Answer: D
An organization finds unauthorized software has been installed on a number of workstations. The software was found to contain a Trojan, which had been uploading data to an unknown external party. Which of the following would have BEST prevented the installation of the unauthorized software? A. Banning executable file downloads at the Internet firewall B. Implementing an intrusion detection system (IDS) C. Implementing application blacklisting D. Removing local administrator rights  Suggested Answer: D
When developing a tabletop test plan for incident response testing, the PRIMARY purpose of the scenario should be to: A. measure management engagement as part of an incident response team. B. provide participants with situations to ensure understanding of their roles. C. give the business a measure of the organization's overall readiness. D. challenge the incident response team to solve the problem under pressure. Â Suggested Answer: B
Which of the following is MOST important for an information security manager to consider when identifying information security resource requirements? A. Availability of potential resources B. Information security incidents C. Current resourcing levels D. Information security strategy  Suggested Answer: D
Which of the following is the MAIN benefit of performing an assessment of existing incident response processes? A. Validation of current capabilities B. Benchmarking against industry peers C. Prioritization of action plans D. Identification of threats and vulnerabilities  Suggested Answer: A
Which of the following BEST describes a buffer overflow? A. A type of covert channel that captures data B. A function is carried out with more data than the function can handle C. Malicious code designed to interfere with normal operations D. A program contains a hidden and unintended function that presents a security risk  Suggested Answer: B
Which of the following is the MOST important consideration when selecting members for an information security steering committee? A. Information security expertise B. Tenure in the organization C. Business expertise D. Cross-functional composition  Suggested Answer: D
Which of the following BEST validates that security controls are implemented in a new business process? A. Verify the use of a recognized control framework B. Review the process for conformance with information security best practices C. Benchmark the process against industry practices D. Assess the process according to information security policy  Suggested Answer: A
An organization is concerned with the potential for exploitation of vulnerabilities in its server systems. Which of the following is the BEST control to mitigate the associated risk? A. Enforcing standard system configurations based on secure configuration benchmarks B. Implementing network and system-based anomaly monitoring software for server systems C. Enforcing configurations for secure logging and audit trails on server systems D. Implementing host-based intrusion detection systems (IDS) on server systems  Suggested Answer: A
Which of the following is the MOST important step when establishing guidelines for the use of social networking sites in an organization? A. Identify secure social networking sites B. Establish disciplinary actions for noncompliance C. Perform a vulnerability assessment D. Define acceptable information for posting  Suggested Answer: D
Regular vulnerability scanning on an organization's internal network has identified that many user workstations have unpatched versions of software. What is the BEST way for the information security manager to help senior management understand the related risk? A. Include the impact of the risk as part of regular metrics. B. Send regular notifications directly to senior managers. C. Recommend the security steering committee conduct a review. D. Update the risk assessment at regular intervals. Â Suggested Answer: A
Which of the following BEST prepares a computer incident response team for a variety of information security scenarios? A. Tabletop exercises B. Forensics certification C. Penetration tests D. Disaster recovery drills  Suggested Answer: A
Which of the following BEST protects against phishing attacks? A. Security strategy training B. Email filtering C. Network encryption D. Application whitelisting  Suggested Answer: A
Which of the following is the MOST effective method of preventing deliberate internal security breaches? A. Well-designed intrusion detection system (IDS) B. Biometric security access control C. Well-designed firewall system D. Screening prospective employees  Suggested Answer: D
When designing security controls, it is MOST important to: A. focus on preventive controls. B. apply controls to confidential information. C. evaluate the costs associated with the controls. D. apply a risk-based approach. Â Suggested Answer: C
An information security team plans to increase password complexity requirements for a customer-facing site, but there are concerns it will negatively impact the user experience. Which of the following is the information security manager's BEST course of action? A. Evaluate business compensating controls. B. Quantify the security risk to the business. C. Assess business impact against security risk. D. Conduct industry benchmarking. Â Suggested Answer: A
Which of the following is the PRIMARY responsibility of an information security manager in an organization that is implementing the use of company-owned mobile devices in its operations? A. Review and update existing security policies. B. Enforce passwords and data encryption on the devices. C. Conduct security awareness training. D. Require remote wipe capabilities for devices. Â Suggested Answer: A
Which of the following would be MOST useful to help senior management understand the status of information security compliance? A. Key performance indicators (KPIs) B. Risk assessment results C. Industry benchmarks D. Business impact analysis (BIA) results  Suggested Answer: A
Which of the following is the MOST important reason for an organization to develop an information security governance program? A. Establishment of accountability B. Compliance with audit requirements C. Creation of tactical solutions D. Monitoring of security incidents  Suggested Answer: A
Which of the following provides the MOST essential input for the development of an information security strategy? A. Results of an information security gap analysis B. Measurement of security performance against IT goals C. Results of a technology risk assessment D. Availability of capable information security resources  Suggested Answer: A
The MOST important reason for an information security manager to be involved in the change management process is to ensure that: A. security controls drive technology changes. B. risks have been evaluated. C. security controls are updated regularly. D. potential vulnerabilities are identified. Â Suggested Answer: B
Which of the following should be the PRIMARY focus of a status report on the information security program to senior management? A. Confirming the organization complies with security policies B. Verifying security costs do not exceed the budget C. Demonstrating risk is managed at the desired level D. Providing evidence that resources are performing as expected  Suggested Answer: C
Which of the following is MOST likely to be a component of a security incident escalation policy? A. Names and telephone numbers of key management personnel B. A severity-ranking mechanism tied only to the duration of the outage C. Sample scripts and press releases for statements to media D. Decision criteria for when to alert various groups  Suggested Answer: B
Which of the following would be an information security manager's PRIMARY challenge when deploying a bring your own device (BYOD) mobile program in an enterprise? A. Configuration management B. Mobile application control C. Inconsistent device security D. End user acceptance  Suggested Answer: C
Company A, a cloud service provider, is in the process of acquiring Company B to gain new benefits by incorporating their technologies within its cloud services. Which of the following should be the PRIMARY focus of Company A's information security manager? A. The cost to align to Company A's security policies B. The organizational structure of Company B C. Company B's security policies D. Company A's security architecture  Suggested Answer: C
Which of the following should be done FIRST when selecting performance metrics to report on the vendor risk management process? A. Select the data source. B. Review the confidentiality requirements. C. Identify the intended audience. D. Identify the data owner. Â Suggested Answer: C
Which of the following BEST determines what information should be shared with different entities during incident response? A. Escalation procedures B. Communication plan C. Disaster recovery policy D. Business continuity plan (BCP) Â Suggested Answer: B
Which of the following is the BEST way to enhance training for incident response teams? A. Conduct interviews with organizational units. B. Establish incident key performance indicators (KPIs). C. Participate in emergency response activities. D. Perform post-incident reviews. Â Suggested Answer: D
Over the last year, an information security manager has performed risk assessments on multiple third-party vendors. Which of the following criteria would be MOST helpful in determining the associated level of risk applied to each vendor? A. Compliance requirements associated with the regulation B. Criticality of the service to the organization C. Corresponding breaches associated with each vendor D. Compensating controls in place to protect information security  Suggested Answer: B
Which of the following is the MOST important security consideration when developing an incident response strategy with a cloud provider? A. Security audit reports B. Recovery time objective (RTO) C. Technological capabilities D. Escalation processes  Suggested Answer: D
Executive leadership has decided to engage a consulting firm to develop and implement a comprehensive security framework for the organization to allow senior management to remain focused on business priorities. Which of the following poses the GREATEST challenge to the successful implementation of the new security governance framework? A. Executive leadership becomes involved in decisions about information security governance. B. Executive leadership views information security governance primarily as a concern of the information security management team C. Information security staff has little or no experience with the practice of information security governance. D. Information security management does not fully accept the responsibility for information security governance. Â Suggested Answer: B
Risk scenarios simplify the risk assessment process by: A. covering the full range of possible risk. B. ensuring business risk is mitigated. C. reducing the need for subsequent risk evaluation. D. focusing on important and relevant risk. Â Suggested Answer: D
Which of the following is the MOST important consideration when developing information security objectives? A. They are regularly reassessed and reported to stakeholders B. They are approved by the IT governance function C. They are clear and can be understood by stakeholders D. They are identified using global security frameworks and standards  Suggested Answer: C
A legacy application does not comply with new regulatory requirements to encrypt sensitive data at rest, and remediating this issue would require significant investment. What should the information security manager do FIRST? A. Assess the business impact to the organization. B. Present the noncompliance risk to senior management. C. Investigate alternative options to remediate the noncompliance. D. Determine the cost to remediate the noncompliance. Â Suggested Answer: A
Which of the following BEST enables effective information security governance? A. Security-aware corporate culture B. Advanced security technologies C. Periodic vulnerability assessments D. Established information security metrics  Suggested Answer: A
Application data integrity risk is MOST directly addressed by a design that includes. A. strict application of an authorized data dictionary. B. reconciliation routines such as checksums, hash totals, and record counts. C. application log requirements such as field-level audit trails and user activity logs. D. access control technologies such as role-based entitlements. Â Suggested Answer: B
Deciding the level of protection a particular asset should be given is BEST determined by: A. the corporate risk appetite. B. a risk analysis. C. a threat assessment. D. a vulnerability assessment. Â Suggested Answer: B
What should be an information security manager's FIRST step when developing a business case for a new intrusion detection system (IDS) solution? A. Calculate the total cost of ownership (TCO). B. Define the issues to be addressed. C. Perform a cost-benefit analysis. D. Conduct a feasibility study. Â Suggested Answer: C
Which of the following is the MOST important incident management consideration for an organization subscribing to a cloud service? A. Decision on the classification of cloud-hosted data B. Expertise of personnel providing incident response C. Implementation of a SIEM in the organization D. An agreement on the definition of a security incident  Suggested Answer: D
Which of the following is the BEST way for an organization to determine the maturity level of its information security program? A. Review the results of information security awareness testing. B. Validate the effectiveness of implemented security controls. C. Benchmark the information security policy against industry standards. D. Track the trending of information security incidents. Â Suggested Answer: B
An organization has identified an increased threat of external brute force attacks in its environment. Which of the following is the MOST effective way to mitigate this risk to the organization's critical systems? A. Increase the frequency of log monitoring and analysis. B. Implement a security information and event management system (SIEM). C. Increase the sensitivity of intrusion detection systems. D. Implement multi-factor authentication. Â Suggested Answer: D
When supporting an organization's privacy officer which of the following is the information security manager's PRIMARY role regarding privacy requirements? A. Ensuring appropriate controls are in place B. Monitoring the transfer of private data C. Determining data classification D. Conducting privacy awareness programs  Suggested Answer: A
The chief information security officer (CISO) has developed an information security strategy, but is struggling to obtain senior management commitment for funds to implement the strategy. Which of the following is the MOST likely reason? A. The strategy does not include a cost-benefit analysis. B. There was a lack of engagement with the business during development. C. The strategy does not comply with security standards. D. The CISO reports to the CIO. Â Suggested Answer: B
An organization's CIO has tasked the information security manager with drafting the charter for an information security steering committee. The committee will be comprised of the CIO, the IT shared services manager, the vice president of marketing, and the information security manager. Which of the following is the MOST significant issue with the development of this committee? A. The committee consists of too many senior executives. B. The committee lacks sufficient business representation. C. There is a conflict of interest between the business and IT. D. The CIO is not taking charge of the committee. Â Suggested Answer: B
What is the PRIMARY purpose of an unannounced disaster recovery exercise? A. To provide metrics to senior management B. To evaluate how personnel react to the situation C. To assess service level agreements (SLAs) D. To estimate the recovery time objective (RTO) Â Suggested Answer: B
Labeling information according to its security classification: A. reduces the need to identify baseline controls for each classification. B. reduces the number and type of countermeasures required. C. enhances the likelihood of people handling information securely. D. affects the consequences if information is handled insecurely. Â Suggested Answer: C
Which of the following is the MOST effective approach for determining whether an organization's information security program supports the information security strategy? A. Ensure resources meet information security program needs B. Audit the information security program to identify deficiencies C. Identify gaps impacting information security strategy D. Develop key performance indicators (KPIs) of information security  Suggested Answer: D
When drafting the corporate privacy statement for a public web site, which of the following MUST be included? A. Limited liability clause B. Access control requirements C. Explanation of information usage D. Information encryption requirements  Suggested Answer: C
An information security risk analysis BEST assists an organization in ensuring that: A. the infrastructure has the appropriate level of access control. B. cost-effective decisions are made with regard to which assets need protection C. an appropriate level of funding is applied to security processes. D. the organization implements appropriate security technologies  Suggested Answer: B
In a multinational organization, local security regulations should be implemented over global security policy because: A. business objectives are defined by local business unit managers. B. deploying awareness of local regulations is more practical than of global policy. C. global security policies include unnecessary controls for local businesses. D. requirements of local regulations take precedence. Â Suggested Answer: D
To gain a clear understanding of the impact that a new regulatory requirement will have on an organization's information security controls, an information security manager should FIRST: A. conduct a cost-benefit analysis. B. conduct a risk assessment. C. interview senior management. D. perform a gap analysis. Â Suggested Answer: D
When management changes the enterprise business strategy, which of the following processes should be used to evaluate the existing information security controls as well as to select new information security controls? A. Access control management B. Change management C. Configuration management D. Risk management  Suggested Answer: D
Which of the following is the BEST way to build a risk-aware culture? A. Periodically change risk awareness messages. B. Ensure that threats are communicated organization-wide in a timely manner. C. Periodically test compliance with security controls and post results. D. Establish incentives and a channel for staff to report risks. Â Suggested Answer: C
What would be an information security manager's BEST recommendation upon learning that an existing contract with a third party does not clearly identify requirements for safeguarding the organization's critical data? A. Cancel the outsourcing contract. B. Transfer the risk to the provider. C. Create an addendum to the existing contract. D. Initiate an external audit of the provider's data center. Â Suggested Answer: C
An organization has purchased a security information and event management (SIEM) tool. Which of the following is MOST important to consider before implementation? A. Controls to be monitored B. Reporting capabilities C. The contract with the SIEM vendor D. Available technical support  Suggested Answer: A
Which of the following is MOST likely to be included in an enterprise security policy? A. Definitions of responsibilities B. Retention schedules C. System access specifications D. Organizational risk  Suggested Answer: A
Which of the following should an information security manager do FIRST when a legacy application is not compliant with a regulatory requirement, but the business unit does not have the budget for remediation? A. Develop a business case for funding remediation efforts. B. Advise senior management to accept the risk of noncompliance. C. Notify legal and internal audit of the noncompliant legacy application. D. Assess the consequences of noncompliance against the cost of remediation. Â Suggested Answer: D
Which of the following is the MOST effective way to address an organization's security concerns during contract negotiations with a third party? A. Review the third-party contract with the organization's legal department. B. Communicate security policy with the third-party vendor. C. Ensure security is involved in the procurement process. D. Conduct an information security audit on the third-party vendor. Â Suggested Answer: B
Which of the following is the BEST method to protect consumer private information for an online public website? A. Apply strong authentication to online accounts B. Encrypt consumer data in transit and at rest C. Use secure encrypted transport layer D. Apply a masking policy to the consumer data  Suggested Answer: B
Which of the following is the MOST important consideration in a bring your own device (BYOD) program to protect company data in the event of a loss? A. The ability to remotely locate devices B. The ability to centrally manage devices C. The ability to restrict unapproved applications D. The ability to classify types of devices  Suggested Answer: B
An information security manager has been asked to determine whether an information security initiative has reduced risk to an acceptable level. Which of the following activities would provide the BEST information for the information security manager to draw a conclusion? A. Initiating a cost-benefit analysis of the implemented controls B. Performing a risk assessment C. Reviewing the risk register D. Conducting a business impact analysis (BIA) Â Suggested Answer: A
An organization that uses external cloud services extensively is concerned with risk monitoring and timely response. The BEST way to address this concern is to ensure: A. the availability of continuous technical support. B. appropriate service level agreements (SLAs) are in place. C. a right-to-audit clause is included in contracts. D. internal security standards are in place. Â Suggested Answer: C
Which of the following is the BEST way to ensure that organizational security policies comply with data security regulatory requirements? A. Obtain annual sign-off from executive management. B. Align the policies to the most stringent global regulations. C. Send the policies to stakeholders for review. D. Outsource compliance activities. Â Suggested Answer: B
The PRIMARY reason for defining the information security roles and responsibilities of staff throughout an organization is to: A. comply with security policy. B. increase corporate accountability. C. enforce individual accountability. D. reinforce the need for training. Â Suggested Answer: C
Threat and vulnerability assessments are important PRIMARILY because they are: A. used to establish security investments. B. needed to estimate risk. C. the basis for setting control objectives. D. elements of the organization's security posture. Â Suggested Answer: B
Which of the following should be an information security managers PRIMARY focus during the development of a critical system storing highly confidential data? A. Ensuring the amount of residual risk is acceptable B. Reducing the number of vulnerabilities detected C. Avoiding identified system threats D. Complying with regulatory requirements  Suggested Answer: D
When evaluating vendors for sensitive data processing, which of the following should be the FIRST step to ensure the correct level of information security is provided? A. Develop metrics for vendor performance. B. Include information security criteria as part of vendor selection. C. Review third-party reports of potential vendors. D. Include information security clauses in the vendor contract. Â Suggested Answer: B
An information security team is investigating an alleged breach of an organization's network. Which of the following would be the BEST single source of evidence to review? A. File integrity monitoring (FIM) software B. Security information and event management (SIEM) tool C. Intrusion detection system (IDS) D. Antivirus software  Suggested Answer: B
22 views0 answers0 votes
15 views0 answers0 votes
12 views0 answers0 votes
5 views0 answers0 votes
17 views0 answers0 votes
11 views0 answers0 votes
8 views0 answers0 votes
14 views0 answers0 votes
9 views0 answers0 votes
9 views0 answers0 votes
8 views0 answers0 votes
9 views0 answers0 votes
11 views0 answers0 votes
13 views0 answers0 votes
10 views0 answers0 votes
10 views0 answers0 votes
11 views0 answers0 votes
Other exams
- 101 (450)
- 101-500 (120)
- 102-500 (120)
- 1V0-21.20 (97)
- 200-125 (1926)
- 200-201 (300)
- 200-301 (1384)
- 200-901 (587)
- 201-450 (60)
- 202-450 (120)
- 212-89 (82)
- 220-1001 (414)
- 220-1002 (472)
- 220-1101 (517)
- 220-1102 (472)
- 2V0-21.19 (213)
- 2V0-21.19D (90)
- 2V0-21.20 (107)
- 2V0-21.23 (103)
- 2V0-31.20 (86)
- 2V0-31.21 (87)
- 2V0-41.19 (89)
- 2V0-41.20 (92)
- 2V0-41.23 (105)
- 2V0-51.21 (94)
- 2V0-602 (97)
- 2V0-62.21 (87)
- 300-101 (1468)
- 300-115 (992)
- 300-160 (97)
- 300-320 (112)
- 300-410 (621)
- 300-415 (402)
- 300-420 (266)
- 300-425 (176)
- 300-430 (249)
- 300-435 (105)
- 300-510 (106)
- 300-535 (45)
- 300-610 (135)
- 300-615 (200)
- 300-620 (292)
- 300-630 (107)
- 300-635 (46)
- 300-710 (311)
- 300-715 (277)
- 300-730 (172)
- 300-735 (56)
- 300-810 (170)
- 300-815 (170)
- 300-820 (306)
- 300-910 (105)
- 312-38 (184)
- 312-39 (85)
- 312-49 (146)
- 312-49V10 (580)
- 312-50V10 (203)
- 312-50V11 (400)
- 312-50v12 (310)
- 312-50V9 (198)
- 350-201 (129)
- 350-401 (1020)
- 350-501 (396)
- 350-601 (526)
- 350-701 (703)
- 350-801 (443)
- 350-901 (383)
- 3V0-21.21 (90)
- 5V0-21.19 (100)
- 5V0-21.21 (94)
- 5V0-23.20 (123)
- 5V0-31.22 (128)
- 712-50 (638)
- ADM-201 (561)
- AI-100 (206)
- AI-102 (293)
- AI-900 (245)
- ANS-C00 (377)
- ANS-C01 (220)
- AXS-C01 (58)
- AZ-103 (265)
- AZ-104 (606)
- AZ-120 (223)
- AZ-140 (189)
- AZ-204 (399)
- AZ-220 (174)
- AZ-300 (241)
- AZ-301 (232)
- AZ-303 (334)
- AZ-304 (237)
- AZ-305 (284)
- AZ-400 (516)
- AZ-500 (485)
- AZ-700 (260)
- AZ-800 (227)
- AZ-900 (462)
- BDS-C00 (85)
- CAS-003 (390)
- CAS-004 (514)
- CCAK (160)
- CCNA (1385)
- CCSP (509)
- CDPSE (126)
- Certified Advanced Administrator (182)
- Certified AI Associate (72)
- Certified Business Analyst (95)
- Certified CPQ Specialist (240)
- Certified Data Architect (70)
- Certified Experience Cloud Consultant (111)
- Certified Integration Architect (68)
- Certified Marketing Cloud Consultant (99)
- Certified Marketing Cloud Email Specialist (112)
- Certified OmniStudio Developer (77)
- CERTIFIED PLATFORM APP BUILDER (469)
- Certified Platform Developer II (266)
- Certified Sales Cloud Consultant Exam (196)
- Certified Tableau CRM and Einstein Discovery Consultant (95)
- CGEIT (362)
- CISA (1284)
- CISM (1250)
- CISSP (484)
- CISSP-ISSAP (107)
- CLF-C01 (987)
- CLF-C02 (714)
- CRISC (1896)
- CRT-450 (283)
- CS0-001 (277)
- CS0-002 (422)
- CS0-003 (265)
- CSSLP (172)
- CV0-003 (315)
- DA0-001 (190)
- DAS-C01 (164)
- DBS-C01 (359)
- DEA-C01 (141)
- DOP-C01 (208)
- DOP-C02 (281)
- DP-100 (477)
- DP-200 (228)
- DP-201 (206)
- DP-203 (370)
- DP-500 (183)
- DP-900 (285)
- DVA-C01 (443)
- DVA-C02 (414)
- GISF (316)
- GISP (654)
- Google Associate Cloud Engineer (274)
- Google Professional Cloud Architect (278)
- Google Professional Cloud Database Engineer (132)
- Google Professional Cloud Developer (279)
- Google Professional Cloud DevOps Engineer (166)
- Google Professional Cloud Network Engineer (172)
- Google Professional Cloud Security Engineer (244)
- ITILF (540)
- JN0-102 (63)
- JN0-103 (96)
- JN0-104 (103)
- JN0-105 (94)
- JN0-211 (65)
- JN0-231 (102)
- JN0-251 (67)
- JN0-347 (58)
- JN0-348 (69)
- JN0-349 (95)
- JN0-351 (90)
- JN0-360 (74)
- JN0-362 (63)
- JN0-363 (94)
- JN0-649 (65)
- JN0-663 (91)
- JN0-664 (95)
- JN0-682 (56)
- MB-210 (365)
- MB-220 (205)
- MB-230 (249)
- MB-300 (411)
- MB-310 (289)
- MB-330 (392)
- MB-500 (257)
- MB-700 (178)
- MB-800 (238)
- MD-100 (398)
- MLS-C0 (0)
- MLS-C01 (336)
- MS-100 (426)
- MS-101 (449)
- MS-102 (294)
- MS-203 (392)
- MS-500 (344)
- MS-700 (395)
- MS-900 (438)
- N10-007 (701)
- N10-008 (677)
- NSE4_FGT-7.2 (103)
- PAS-C01 (130)
- PCCET (137)
- PCCSE (246)
- PCDRA (93)
- PCNSA (403)
- PCNSE (619)
- PCSAE (139)
- PCSFE (103)
- PL-100 (339)
- PL-200 (279)
- PL-300 (516)
- PL-400 (349)
- PL-500 (158)
- PL-600 (192)
- PL-900 (288)
- PMP (1137)
- PNCSE (0)
- PSE Strata (115)
- PT0-001 (196)
- PT0-002 (341)
- RHCSA-EX200 (109)
- SAA-C02 (800)
- SAA-C03 (1777)
- SAP-C01 (1019)
- SAP-C02 (410)
- SC-100 (185)
- SC-200 (305)
- SC-300 (302)
- SC-400 (580)
- SC-900 (209)
- SCS-C01 (509)
- SCS-C02 (173)
- SK0-005 (303)
- SOA-C01 (931)
- SOA-C02 (464)
- SSCP (151)
- SY0-501 (1043)
- SY0-601 (847)
- SY0-701 (305)
- XK0-004 (322)
- XK0-005 (239)