
712-50 Dump Free


712-50 Dump Free – 50 Practice Questions to Sharpen Your Exam Readiness.

Looking for a reliable way to prepare for your 712-50 certification? Our 712-50 Dump Free includes 50 exam-style practice questions designed to reflect real test scenarios—helping you study smarter and pass with confidence.

Using a 712-50 dump free set of questions can give you an edge in your exam prep by helping you:

  • Understand the format and types of questions you’ll face
  • Pinpoint weak areas and focus your study efforts
  • Boost your confidence with realistic question practice

Below, you will find 50 free questions from our 712-50 Dump Free collection. These cover key topics and are structured to simulate the difficulty level of the real exam, making them a valuable tool for review or final prep.

Question 1

Developing effective security controls is a balance between:

A. Technology and Vendor Management

B. Operations and Regulations

C. Risk Management and Operations

D. Corporate Culture and Job Expectations

 


Suggested Answer: C

 

 

Question 2

A department within your company has proposed a third party vendor solution to address an urgent, critical business need. As the CISO you have been asked to accelerate screening of their security control claims.
Which of the following vendor provided documents is BEST to make your decision?

A. Vendor provided reference from an existing reputable client detailing their implementation

B. Vendor’s client list of reputable organizations currently using their solution

C. Vendor provided internal risk assessment and security control documentation

D. Vendor provided attestation of the detailed security controls from a reputable accounting firm

 


Suggested Answer: D

 

 

Question 3

What is the primary difference between Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)?

A. IPS identify potentially malicious traffic based on signature or behaviour and IDS does not

B. An IPS examines network traffic flows to detect and actively stop exploits and attacks

C. IDS are typically deployed behind the firewall and IPS are deployed in front of the firewall

D. Only IDS is susceptible to false positives

 


Suggested Answer: B

Community Answer: B

 

Question 4

When dealing with Security Incident Response procedures, which of the following steps comes FIRST when reacting to an incident?

A. Eradication

B. Escalation

C. Containment

D. Recovery

 


Suggested Answer: C

 

Question 5

What oversight should the information security team have in the change management process for application security?

A. Information security should be aware of any significant application security changes and work with developers to test for vulnerabilities before changes are deployed in production

B. Information security should be aware of all application changes and work with developers before changes are deployed in production

C. Information security should be informed of changes to applications only

D. Development team should tell the information security team about any application security flaws

 


Suggested Answer: A

 

 

Question 6

An organization's information security policy serves to ___________________.

A. define security configurations for systems

B. establish budgetary input in order to meet compliance requirements

C. establish acceptable systems and user behavior

D. define relationships with external law enforcement agencies

E. None

 


Suggested Answer: C

 

 

Question 7

When dealing with a risk management process, asset classification is important because it will impact the overall:

A. Threat identification

B. Risk treatment

C. Risk monitoring

D. Risk tolerance

 


Suggested Answer: B

Community Answer: A

 

Question 8

From the CISO's perspective in looking at financial statements, the statement of retained earnings of an organization:

A. Has a direct correlation with the CISO’s budget

B. Represents, in part, the savings generated by the proper acquisition and implementation of security controls

C. Represents the sum of all capital expenditures

D. Represents the percentage of earnings that could in part be used to finance future security controls

 


Suggested Answer: D

Community Answer: D

 

Question 9

What is defined as the process of envisioning a desired future and translating this vision into broadly defined goals or objectives and a sequence of steps to achieve them?

A. Business Planning

B. Tactical Planning

C. Successor Planning

D. Strategic Planning

 


Suggested Answer: D

 

Reference:
https://www.utmb.edu/osbp/institutional-strategic-planning-integration/strategic-planning-process#:~:text=Strategic%20Planning%20is%20a%20systematic,of%20steps%20to%20achieve%20them

 

Question 10

Scenario: Most industries require compliance with multiple government regulations and/or industry standards to meet data protection and privacy mandates.
When multiple regulations or standards apply to your industry you should set controls to meet the___________________________.

A. Most complex standard

B. Recommendations of your Legal Staff

C. Easiest regulation or standard to implement

D. Stricter regulation or standard

 


Suggested Answer: C

Community Answer: D

 

Question 11

Which of the following functions evaluates patches used to close software vulnerabilities and perform validation of new systems to assure compliance with security?

A. Incident response

B. Risk management

C. System security administration

D. System testing

 


Suggested Answer: D

Community Answer: C

 

Question 12

Scenario: Critical servers show signs of erratic behavior within your organization's intranet. Initial information indicates the systems are under attack from an outside entity. As the Chief Information Security Officer (CISO), you decide to deploy the Incident Response Team (IRT) to determine the details of this incident and take action according to the information available to the team. During initial investigation, the team suspects criminal activity but cannot initially prove or disprove illegal actions.
What is the MOST critical aspect of the team's activities?

A. Regular communication of incident status to executives

B. Preservation of information

C. Eradication of malware and system restoration

D. Determination of the attack source

 


Suggested Answer: B

 

 

Question 13

Scenario: An organization has recently appointed a CISO. This is a new role in the organization and it signals the increasing need to address security consistently at the enterprise level. This new CISO, while confident with skills and experience, is constantly on the defensive and is unable to advance the IT security centric agenda. From an Information Security Leadership perspective, which of the following is a MAJOR concern about the CISO's approach to security?

A. Compliance centric agenda

B. IT security centric agenda

C. Lack of risk management process

D. Lack of sponsorship from executive management

 


Suggested Answer: B

Community Answer: D

 

Question 14

As the Chief Information Security Officer, you want to ensure data is shared securely, especially when shared with third parties outside the organization. What protocol provides the ability to extend the network perimeter with the use of encapsulation and encryption?

A. File Transfer Protocol (FTP)

B. Virtual Local Area Network (VLAN)

C. Simple Mail Transfer Protocol

D. Virtual Private Network (VPN)

 


Suggested Answer: D

 

Reference:
https://searchnetworking.techtarget.com/definition/virtual-private-network

 

Question 15

The new CISO was informed of all the Information Security projects that the organization has in progress. Two projects are over a year behind schedule and over budget. Using best business practices for project management you determine that the project correctly aligns with the company goals.
Which of the following needs to be performed NEXT?

A. Verify technical resources

B. Verify capacity constraints

C. Verify the scope of the project

D. Verify the regulatory requirements

 


Suggested Answer: A

Community Answer: C

 

Question 16

Why is it vitally important that senior management endorse a security policy?

A. So that employees will follow the policy directives.

B. So that they can be held legally accountable.

C. So that external bodies will recognize the organization's commitment to security.

D. So that they will accept ownership for security within the organization.

 


Suggested Answer: D

Community Answer: D

 

Question 17

While designing a secondary data center for your company, what document needs to be analyzed to determine how much should be spent on building the data center?

A. Business continuity plan

B. Application mapping document

C. Disaster recovery strategic plan

D. Enterprise Risk Assessment

 


Suggested Answer: C

Community Answer: D

 

Question 18

An organization has a stated requirement to block certain traffic on networks. The implementation of controls will disrupt a manufacturing process and cause unacceptable delays, resulting in severe revenue disruptions.
Which of the following is MOST likely to be responsible for accepting the risk until mitigating controls can be implemented?

A. Audit and Compliance

B. The CFO

C. The CISO

D. The business owner

 


Suggested Answer: D

 

 

Question 19

You currently cannot provide for 24/7 coverage of your security monitoring and incident response duties and your company is resistant to the idea of adding more full-time employees to the payroll.
Which combination of solutions would help to provide the coverage needed without the addition of more dedicated staff?

A. Employ an assumption of breach protocol and defend only essential information resources.

B. Deploy a SIEM solution and have your staff review incidents first thing in the morning

C. Configure your syslog to send SMS messages to current staff when target events are triggered.

D. Engage a managed security provider and have current staff on call for incident response

 


Suggested Answer: D

 

Question 20

Who should be involved in the development of an internal campaign to address email phishing?

A. Business unit leaders, CIO, CEO

B. Business Unit Leaders, CISO, CIO and CEO

C. All employees

D. CFO, CEO, CIO

 


Suggested Answer: B

Community Answer: C

 

Question 21

Scenario: A Chief Information Security Officer (CISO) recently had a third party conduct an audit of the security program. Internal policies and international standards were used as audit baselines. The audit report was presented to the CISO and a variety of high, medium and low rated gaps were identified. The CISO has validated audit findings, determined if compensating controls exist, and started initial remediation planning.
Which of the following is the MOST logical next step?

A. Create detailed remediation funding and staffing plans

B. Report the audit findings and remediation status to business stake holders

C. Validate the effectiveness of current controls

D. Review security procedures to determine if they need to be modified according to findings

 


Suggested Answer: B

Community Answer: B

 

Question 22

Which International Organization for Standardization (ISO) standard below BEST describes the performance of risk management, and includes a five-stage risk management methodology?

A. ISO 27005

B. ISO 27004

C. ISO 27002

D. ISO 27001

 


Suggested Answer: A

 

 

Question 23

Which wireless encryption technology makes use of temporal keys?

A. Wi-Fi Protected Access version 2 (WPA2)

B. Wireless Equivalence Protocol (WEP)

C. Wi-Fi Protected Setup (WPS)

D. Extensible Authentication Protocol (EAP)

 


Suggested Answer: A

 

 

Question 24

A recommended method to document the respective roles of groups and individuals for a given process is to:

A. Develop a detailed internal organization chart

B. Develop an isolinear response matrix with cost benefit analysis projections

C. Develop a Responsible, Accountable, Consulted, Informed (RACI) chart

D. Develop a telephone call tree for emergency response

 


Suggested Answer: C

 

 

Question 25

Many times a CISO may have to speak to the Board of Directors (BOD) about their cyber security posture.
What would be the BEST choice of security metrics to present to the BOD?

A. All vulnerabilities found on servers and desktops

B. Only critical and high vulnerabilities servers

C. Only critical and high vulnerabilities on servers and desktops

D. All vulnerabilities that impact important production servers

 


Suggested Answer: B

 

 

Question 26

Which of the following international standards can be BEST used to define a Risk Management process in an organization?

A. International Organization for Standardization - 27005 (ISO-27005)

B. National Institute for Standards and Technology 800-50 (NIST 800-50)

C. Payment Card Industry Data Security Standards (PCI-DSS)

D. International Organization for Standardization - 27004 (ISO-27004)

 


Suggested Answer: A

 

Question 27

A key cybersecurity feature of a Personal Identification Verification (PIV) Card is:

A. Inability to export the private certificate/key

B. It can double as physical identification at the DMV

C. It has the user’s photograph to help ID them

D. It can be used as a secure flash drive

 


Suggested Answer: C

Community Answer: A

Reference:
https://www.securew2.com/blog/piv-personal-identity-verification

 

Question 28

Which of the following tests is performed by an Information Systems (IS) auditor when a sample of programs is selected to determine if the source and object versions are the same?

A. A substantive test of program library controls

B. A compliance test of the program compiler controls

C. A compliance test of program library controls

D. A substantive test of the program compiler controls

 


Suggested Answer: C

Community Answer: C

 

Question 29

You have just been hired as the new CISO and are being briefed on all the Information Security projects that your section has ongoing. You discover that most projects are behind schedule and over budget. Using the best business practices for project management you determine that the project correctly aligns with the company goals and the scope of the project is correct.
What is the NEXT step?

A. Verify resources

B. Review time schedules

C. Verify budget

D. Verify constraints

 


Suggested Answer: A

 

 

Question 30

Scenario: Your corporate systems have been under constant probing and attack from foreign IP addresses for more than a week. Your security team and security infrastructure have performed well under the stress. You are confident that your defenses have held up under the test, but rumors are spreading that sensitive customer data has been stolen and is now being sold on the Internet by criminal elements. During your investigation of the rumored compromise you discover that data has been breached and you have discovered the repository of stolen data on a server located in a foreign country.
Your team now has full access to the data on the foreign server. Your defenses did not hold up to the test as originally thought. As you investigate how the data was compromised through log analysis you discover that a hardworking, but misguided business intelligence analyst posted the data to an obfuscated URL on a popular cloud storage service so they could work on it from home during their off-time.
Which technology or solution could you deploy to prevent employees from removing corporate data from your network?

A. Rigorous syslog reviews

B. Intrusion Detection Systems (IDS)

C. Security Guards posted outside the Data Center

D. Data Loss Prevention (DLP)

 


Suggested Answer: D

 

 

Question 31

Which of the following provides an independent assessment of a vendor's internal security controls and overall posture?

A. ISO27000 accreditation

B. Alignment with business goals

C. PCI attestation of compliance

D. Financial statements

 


Suggested Answer: A

 

 

Question 32

What is the primary reason for performing a return on investment analysis?

A. To determine the current present value of a project

B. To determine the annual rate of loss

C. To decide between multiple vendors

D. To decide if the solution costs less than the risk it is mitigating

 


Suggested Answer: D

 

 

Question 33

An application vulnerability assessment has identified a security flaw in an application. This is a flaw that was previously identified and remediated on a prior release of the application.
Which of the following is MOST likely the reason for this recurring issue?

A. Lack of version/source controls

B. Lack of change management controls

C. Ineffective configuration management controls

D. High turnover in the application development department

 


Suggested Answer: A

Community Answer: A

 

Question 34

The newly appointed CISO of an organization is reviewing the IT security strategic plan.
Which of the following is the MOST important component of the strategic plan?

A. There is a clear definition of the IT security mission and vision.

B. The plan requires return on investment for all security projects.

C. There is integration between IT security and business staffing

D. There is an auditing methodology in place.

 


Suggested Answer: A

 

Question 35

Which of the following functions implements and oversees the use of controls to reduce risk when creating an information security program?

A. Risk Assessment

B. Risk Management

C. Incident Response

D. Network Security administration

 


Suggested Answer: B

 

 

Question 36

What is the FIRST step in developing the vulnerability management program?

A. Baseline the Environment

B. Define policy

C. Maintain and Monitor

D. Organization Vulnerability

 


Suggested Answer: B

Community Answer: B

 

Question 37

The rate of change in technology increases the importance of:

A. Hiring personnel with leading edge skills.

B. Understanding user requirements.

C. Outsourcing the IT functions.

D. Implementing and enforcing good processes.

 


Suggested Answer: D

 

 

Question 38

One of the MAIN goals of a Business Continuity Plan is to_______________.

A. Ensure all infrastructure and applications are available in the event of a disaster

B. Assign responsibilities to the technical teams responsible for the recovery of all data

C. Provide step by step plans to recover business processes in the event of a disaster

D. Allow all technical first-responders to understand their roles in the event of a disaster.

 


Suggested Answer: C

Community Answer: A

 

Question 39

Acceptable levels of information security risk tolerance in an organization should be determined by?

A. Corporate compliance committee

B. CEO and board of directors

C. CISO with reference to the company goals

D. Corporate legal counsel

 


Suggested Answer: B

Community Answer: B

 

Question 40

One of your executives needs to send an important and confidential email. You want to ensure that the message cannot be read by anyone but the recipient.
Which of the following keys should be used to encrypt the message?

A. Certificate authority key

B. The recipient’s private key

C. The recipient’s public key

D. Your public key

 


Suggested Answer: C

Community Answer: C

 

Question 41

Scenario: You are the CISO and have just completed your first risk assessment for your organization. You find many risks with no security controls, and some risks with inadequate controls. You assign work to your staff to create or adjust existing security controls to ensure they are adequate for risk mitigation needs.
When formulating the remediation plan, what is a required input?

A. Board of directors

B. Latest virus definitions file

C. Patching history

D. Risk assessment

 


Suggested Answer: D

 

 

Question 42

Which of the following is the MOST important goal of risk management?

A. Finding economic balance between the impact of the risk and the cost of the control

B. Identifying the victim of any potential exploits

C. Identifying the risk

D. Assessing the impact of potential threats

 


Suggested Answer: A

 

 

Question 43

When gathering security requirements for an automated business process improvement program, which of the following is MOST important?

A. Type of data contained in the process/system

B. Type of encryption required for the data once it is at rest

C. Type of computer the data is processed on

D. Type of connection/protocol used to transfer the data

 


Suggested Answer: A

 

 

Question 44

Which of the following functions evaluates patches used to close software vulnerabilities and perform validation of new systems to assure compliance with security?

A. Incident response

B. Risk management

C. System security administration

D. System testing

 


Suggested Answer: D

Community Answer: C

 

Question 45

A CISO decides to analyze the IT infrastructure to ensure security solutions adhere to the concepts of how hardware and software are implemented and managed within the organization.
Which of the following principles does this best demonstrate?

A. Proper budget management

B. Effective use of existing technologies

C. Alignment with the business

D. Leveraging existing implementations

 


Suggested Answer: C

 

 

Question 46

Which of the following is the MOST important component of any change management process?

A. Outage planning

B. Scheduling

C. Approval tracking

D. Back-out procedures

 


Suggested Answer: A

Community Answer: C

 

Question 47

When analyzing and forecasting a capital expense budget, what is not included?

A. Purchase of new mobile devices to improve operations

B. New datacenter to operate from

C. Network connectivity costs

D. Upgrade of mainframe

 


Suggested Answer: C

 

 

Question 48

After a risk assessment is performed, a particular risk is considered to have the potential of costing the organization 1.2 Million USD.
This is an example of____________.

A. Qualitative risk analysis

B. Risk Appetite

C. Quantitative risk analysis

D. Risk Tolerance

 


Suggested Answer: C

 

 

Question 49

When managing an Information Security Program, which of the following is of MOST importance in order to influence the culture of an organization?

A. Compliance with local privacy regulations

B. An independent Governance, Risk and Compliance organization

C. Support Legal and HR teams

D. Alignment of security goals with business goals

 


Suggested Answer: D

 

 

Question 50

You manage a newly created Security Operations Center (SOC). Your team is being inundated with security alerts and doesn't know what to do.
What is the BEST approach to handle this situation?

A. Tune the sensors to help reduce false positives so the team can react better

B. Request additional resources to handle the workload

C. Tell the team to do their best and respond to each alert

D. Tell the team to only respond to the critical and high alerts

 


Suggested Answer: A

 

 

Access Full 712-50 Dump Free

Looking for even more practice questions? Click here to access the complete 712-50 Dump Free collection, offering hundreds of questions across all exam objectives.

We regularly update our content to ensure accuracy and relevance—so be sure to check back for new material.

Begin your certification journey today with our 712-50 dump free questions — and get one step closer to exam success!


PracticeTestFree.com materials do not contain actual questions and answers from Cisco's Certification Exams. PracticeTestFree.com doesn't offer Real Microsoft Exam Questions. PracticeTestFree.com doesn't offer Real Amazon Exam Questions.
