
712-50 Mock Test Free


712-50 Mock Test Free – 50 Realistic Questions to Prepare with Confidence.

Getting ready for your 712-50 certification exam? Start your preparation the smart way with our 712-50 Mock Test Free – a carefully crafted set of 50 realistic, exam-style questions to help you practice effectively and boost your confidence.

Using a free mock test for the 712-50 exam is one of the best ways to:

  • Familiarize yourself with the actual exam format and question style
  • Identify areas where you need more review
  • Strengthen your time management and test-taking strategy

Below, you will find 50 free questions from our 712-50 Mock Test Free resource. These questions are structured to reflect the real exam’s difficulty and content areas, helping you assess your readiness accurately.

Question 1

As the Risk Manager of an organization, you are tasked with managing vendor risk assessments. During the assessment, you identified that the vendor is engaged with high-profile clients, and bad publicity can jeopardize your own brand.
Which is the BEST type of risk that defines this event?

A. Compliance Risk

B. Reputation Risk

C. Operational Risk

D. Strategic Risk

 


Suggested Answer: B

 

 

Question 2

Which of the following is an accurate description of a balance sheet?

A. The percentage of earnings that are retained by the organization for reinvestment in the business

B. The details of expenses and revenue over a long period of time

C. A summarized statement of all assets and liabilities at a specific point in time

D. A review of regulations and requirements impacting the business from a financial perspective

 


Suggested Answer: C

 

 

Question 3

Who in the organization determines access to information?

A. Compliance officer

B. Legal department

C. Data Owner

D. Information security officer

 


Suggested Answer: C

 

Question 4

Which of the following is MOST likely to be discretionary?

A. Policies

B. Procedures

C. Guidelines

D. Standards

 


Suggested Answer: C

 

Question 5

At what level of governance are individual projects monitored and managed?

A. Program

B. Milestone

C. Enterprise

D. Portfolio

 


Suggested Answer: D

Community Answer: D

 

Question 6

The primary purpose of a risk register is to:

A. Maintain a log of discovered risks

B. Track individual risk assessments

C. Develop plans for mitigating identified risks

D. Coordinate the timing of scheduled risk assessments

 


Suggested Answer: A

 

Reference:
https://sitemate.com/us/resources/articles/safety/purpose-of-a-risk-register/

 

Question 7

What is the main result of a company keeping its information security functions siloed in different business units?

A. Overlapping security initiatives, with wasted resources, or major gaps that can lead to serious security compromises

B. Board of Directors gains greater insight into the overall functions of the company and the separate security processes

C. Greater integration between groups that takes greater effort and expense but results in close execution of processes

D. Security and risk management teams have a responsibility to learn every aspect of the company and find ways to integrate into each silo

 


Suggested Answer: A

 

Reference:
https://www.plixer.com/blog/data-silo-what-is-it-why-is-it-bad/

 

Question 8

When dealing with risk, the information security practitioner may choose to:

A. acknowledge

B. transfer

C. assign

D. defer

 


Suggested Answer: A

Community Answer: B

 

Question 9

Which of the following activities results in change requests?

A. Corrective actions

B. Defect repair

C. Preventive actions

D. Inspection

 


Suggested Answer: C

Community Answer: C

 

Question 10

Which of the following is the MAIN reason to follow a formal risk management process in an organization that hosts and uses privately identifiable information (PII) as part of their business models and processes?

A. Need to comply with breach disclosure laws

B. Fiduciary responsibility to safeguard credit information

C. Need to transfer the risk associated with hosting PII data

D. Need to better understand the risk associated with using PII data

 


Suggested Answer: D

 

Question 11

Which of the following statements regarding Key Performance Indicators (KPIs) is true?

A. Development of KPIs is most useful when done independently

B. They are a strictly quantitative measure of success

C. They should be standard throughout the organization versus domain-specific so they are more easily correlated

D. They are a strictly qualitative measure of success

 


Suggested Answer: C

Community Answer: C

 

Question 12

Scenario: A Chief Information Security Officer (CISO) recently had a third party conduct an audit of the security program. Internal policies and international standards were used as audit baselines. The audit report was presented to the CISO and a variety of high, medium and low rated gaps were identified.
After determining the audit findings are accurate, which of the following is the MOST logical next activity?

A. Validate gaps with the Information Technology team

B. Begin initial gap remediation analyses

C. Review the security organization’s charter

D. Create a briefing of the findings for executive management

 


Suggested Answer: B

 

Question 13

Which of the following methods are used to define contractual obligations that force a vendor to meet customer expectations?

A. Terms and Conditions

B. Statements of Work

C. Service Level Agreements (SLA)

D. Key Performance Indicators (KPI)

 


Suggested Answer: C

Community Answer: C

 

Question 14

A global health insurance company is concerned about protecting confidential information.
Which of the following is of MOST concern to this organization?

A. Alignment with International Organization for Standardization (ISO) standards.

B. Alignment with financial reporting regulations for each country where they operate.

C. Compliance with the Payment Card Industry (PCI) regulations.

D. Compliance with patient data protection regulations for each country where they operate.

 


Suggested Answer: D

 

 

Question 15

Which of the following best describes the sensors designed to project and detect a light beam across an area?

A. Smoke

B. Thermal

C. Air-aspirating

D. Photo electric

 


Suggested Answer: D

 

Reference:
https://en.wikipedia.org/wiki/Photoelectric_sensor

 

Question 16

A Security Operations (SecOps) Manager is considering implementing threat hunting to be able to make better decisions on protecting information and assets.
What is the MAIN goal of threat hunting to the SecOps Manager?

A. Improve discovery of valid detected events

B. Enhance tuning of automated tools to detect and prevent attacks

C. Replace existing threat detection strategies

D. Validate patterns of behavior related to an attack

 


Suggested Answer: A

Community Answer: D

Reference:
https://www.techtarget.com/searchsecurity/feature/7-SecOps-roles-and-responsibilities-for-the-modern-enterprise

Question 17

As the CISO, you need to create an IT security strategy.
Which of the following is the MOST important thing to review before you start writing the plan?

A. The existing IT environment

B. Other corporate technology trends

C. The company business plan

D. The present IT budget

 


Suggested Answer: C

 

 

Question 18

Developing effective security controls is a balance between:

A. Technology and Vendor Management

B. Operations and Regulations

C. Risk Management and Operations

D. Corporate Culture and Job Expectations

 


Suggested Answer: C

 

 

Question 19

Scenario: You are the newly hired Chief Information Security Officer for a company that has not previously had a senior level security practitioner. The company lacks a defined security policy and framework for their Information Security Program. Your new boss, the Chief Financial Officer, has asked you to draft an outline of a security policy and recommend an industry/sector neutral information security control framework for implementation.
Your Corporate Information Security Policy should include which of the following?

A. Roles and responsibilities

B. Information security theory

C. Incident response contacts

D. Desktop configuration standards

 


Suggested Answer: A

 

 

Question 20

When dealing with risk, the information security practitioner may choose to:

A. acknowledge

B. transfer

C. assign

D. defer

 


Suggested Answer: A

Community Answer: B

 

Question 21

Your company has a "no right to privacy" notice on all logon screens for your information systems, and users sign an Acceptable Use Policy informing them of this condition. A peer group member and friend comes to you and requests access to the email account of one of her employees.
What should you do?

A. Deny the request citing national privacy laws

B. None

C. Grant her access, the employee has been adequately warned through the AUP.

D. Assist her with the request, but only after her supervisor signs off on the action.

E. Reset the employee’s password and give it to the supervisor.

 


Suggested Answer: D

Community Answer: C

 

Question 22

Which of the following is MOST likely to be discretionary?

A. Policies

B. Procedures

C. Guidelines

D. Standards

 


Suggested Answer: C

 

 

Question 23

In MOST organizations which group periodically reviews network intrusion detection system logs for all systems as part of their daily tasks?

A. Internal Audit

B. Information Security

C. Compliance

D. Database Administration

 


Suggested Answer: B

 

 

Question 24

Who in the organization determines access to information?

A. Compliance officer

B. Legal department

C. Data Owner

D. Information security officer

 


Suggested Answer: C

 

 

Question 25

A system is designed to dynamically block offending Internet IP-addresses from requesting services from a secure website.
This type of control is considered ______.

A. Preventive detection control

B. Corrective security control

C. Zero-day attack mitigation

D. Dynamic blocking control

 


Suggested Answer: B

Community Answer: B

 

Question 26

Network Forensics is the prerequisite for any successful legal action after attacks on your Enterprise Network.
Which is the single most important factor to introducing digital evidence into a court of law?

A. Expert forensics witness

B. Fully trained network forensic experts to analyze all data right after the attack

C. Uninterrupted Chain of Custody

D. Comprehensive Log-Files from all servers and network devices affected during the attack

 


Suggested Answer: C

 

 

Question 27

A method to transfer risk is to ______.

A. Implement redundancy

B. Move operations to another region

C. Align to business operations

D. Purchase breach insurance

 


Suggested Answer: D

 

 

Question 28

ABC Limited has recently suffered a security breach, with customers' Social Security numbers available on the dark web for sale. The CISO at the time of the incident has been fired, and you have been hired as the replacement. The analysis of the breach found that the absence of an insider threat program, the lack of a least privilege policy, and weak access control were to blame. You would like to implement key performance indicators to mitigate the risk.
Which metric would meet the requirement?

A. Number of times third parties access critical information systems

B. Number of systems with known vulnerabilities

C. Number of users with elevated privileges

D. Number of websites with weak or misconfigured certificates

 


Suggested Answer: C

 

 

Question 29

The effectiveness of social engineering penetration testing using phishing can be used as a Key Performance Indicator (KPI) for the effectiveness of an organization's:

A. Risk Management Program

B. Anti-Spam controls

C. Identity and Access Management Program

D. Security Awareness Program

 


Suggested Answer: D

 

 

Question 30

Physical security measures typically include which of the following components?

A. Strong password, Biometric, Common Access Card

B. Technical, Strong Password, Operational

C. Operational, Biometric, Physical

D. Physical, Technical, Operational

 


Suggested Answer: D

Community Answer: D

 

Question 31

Where does bottom-up financial planning primarily gain information for creating budgets?

A. By adding all capital and operational costs from the prior budgetary cycle, and determining potential financial shortages

B. By reviewing last year’s program-level costs and adding a percentage of expected additional portfolio costs

C. By adding the cost of all known individual tasks and projects that are planned for the next budgetary cycle

D. By adding all planned operational expenses per quarter then summarizing them in a budget request

 


Suggested Answer: D

Community Answer: C

 

Question 32

Which of the following most commonly falls within the scope of an information security governance steering committee?

A. Vetting information security policies

B. Approving access to critical financial systems

C. Interviewing candidates for information security specialist positions

D. Developing content for security awareness programs

 


Suggested Answer: A

 

 

Question 33

Physical security measures typically include which of the following components?

A. Strong password, Biometric, Common Access Card

B. Technical, Strong Password, Operational

C. Operational, Biometric, Physical

D. Physical, Technical, Operational

 


Suggested Answer: D

Community Answer: D

 

Question 34

When managing the security architecture for your company you must consider:

A. Budget

B. Security and IT Staff size

C. Company values

D. All of the above

 


Suggested Answer: D

 

 

Question 35

Which of the following represents the BEST method for obtaining business unit acceptance of security controls within an organization?

A. Allow the business units to decide which controls apply to their systems, such as the encryption of sensitive data

B. Ensure business units are involved in the creation of controls and defining conditions under which they must be applied

C. Provide the business units with control mandates and schedules of audits for compliance validation

D. Create separate controls for the business based on the types of business and functions they perform

 


Suggested Answer: B

 

 

Question 36

The Information Security Management program MUST protect:

A. Audit schedules and findings

B. Intellectual property released into the public domain

C. all organizational assets

D. critical business processes and revenue streams

 


Suggested Answer: D

 

 

Question 37

File Integrity Monitoring (FIM) is considered a ______.

A. Network-based security preventative control

B. Software segmentation control

C. User segmentation control

D. Security detective control

 


Suggested Answer: D

 

 

Question 38

In order for a CISO to have true situational awareness there is a need to deploy technology that can give a real-time view of security events across the enterprise.
Which of the following tools represents the BEST choice to achieve this awareness?

A. Intrusion Detection System (IDS), firewall, switch, syslog

B. Security Incident Event Management (SIEM), IDS, router, syslog

C. VMware, router, switch, firewall, syslog, vulnerability management system (VMS)

D. SIEM, IDS, firewall, VMS

 


Suggested Answer: D

 

 

Question 39

Which of the following is considered the foundation for the Enterprise Information Security Architecture (EISA)?

A. Data classification

B. Security regulations

C. Information security policy

D. Asset classification

 


Suggested Answer: C

 

 

Question 40

Scenario: An organization has made a decision to address Information Security formally and consistently by adopting established best practices and industry standards. The organization is a small retail merchant, but it is expected to grow to a global customer base of many millions of customers in just a few years. The organization has already been subject to a significant amount of credit card fraud.
Which of the following is the MOST likely reason for this fraud?

A. Lack of compliance to the Payment Card Industry (PCI) standards

B. Ineffective security awareness program

C. Lack of technical controls when dealing with credit card data

D. Security practices not in alignment with ISO 27000 frameworks

 


Suggested Answer: A

 

 

Question 41

Which of the following would negatively impact a log analysis of a multinational organization?

A. Centralized log management

B. Encrypted log files in transit

C. Each node set to local time

D. Log aggregation agent on each node

 


Suggested Answer: C

Community Answer: C

 

Question 42

The organization does not have the time to remediate the vulnerability; however, it is critical to release the application.
Which of the following needs to be further evaluated to help mitigate the risks?

A. Provide security testing tools

B. Provide developer security training

C. Deploy Intrusion Detection Systems

D. Implement Compensating Controls

 


Suggested Answer: D

 

 

Question 43

During a cyber incident, which non-security personnel might be needed to assist the security team?

A. Threat analyst, IT auditor, forensic analyst

B. Network engineer, help desk technician, system administrator

C. CIO, CFO, CSO

D. Financial analyst, payroll clerk, HR manager

 


Suggested Answer: B

Community Answer: B

 

Question 44

Scenario: You are the CISO and have just completed your first risk assessment for your organization. You find many risks with no security controls, and some risks with inadequate controls. You assign work to your staff to create or adjust existing security controls to ensure they are adequate for risk mitigation needs.
When formulating the remediation plan, what is a required input?

A. Board of directors

B. Latest virus definitions file

C. Patching history

D. Risk assessment

 


Suggested Answer: D

 

 

Question 45

Providing oversight of a comprehensive information security program for the entire organization is the primary responsibility of which group under the InfoSec governance framework?

A. Office of the General Counsel

B. Office of the Auditor

C. Senior Executives

D. All employees and users

 


Suggested Answer: C

 

 

Question 46

A bastion host should be placed:

A. Inside the DMZ

B. In-line with the data center firewall

C. Beyond the outer perimeter firewall

D. As the gatekeeper to the organization’s honeynet

 


Suggested Answer: A

Community Answer: A

 

Question 47

What is the FIRST step in developing the vulnerability management program?

A. Baseline the Environment

B. Define policy

C. Maintain and Monitor

D. Organization Vulnerability

 


Suggested Answer: A

Community Answer: B

 

Question 48

What is the MOST critical output of the incident response process?

A. A complete document of all involved team members and the support they provided

B. Recovery of all data from affected systems

C. Lessons learned from the incident, so they can be incorporated into the incident response processes

D. Clearly defined documents detailing standard evidence collection and preservation processes

 


Suggested Answer: C

 

Reference:
https://www.eccouncil.org/incident-response-plan-phases/

 

Question 49

The process for identifying, collecting, and producing digital information in support of legal proceedings is called ______.

A. chain of custody

B. electronic review

C. evidence tampering

D. electronic discovery

 


Suggested Answer: D

Community Answer: D

 

Question 50

Scenario: The new CISO was informed of all the Information Security projects that the section has in progress. Two projects are over a year behind schedule and way over budget.
Which of the following will be most helpful for getting an Information Security project that is behind schedule back on schedule?

A. Upper management support

B. Involve internal audit

C. More frequent project milestone meetings

D. More training of staff members

 


Suggested Answer: A

 

 

Access Full 712-50 Mock Test Free

Want a full-length mock test experience? Click here to unlock the complete 712-50 Mock Test Free set and get access to hundreds of additional practice questions covering all key topics.

We regularly update our question sets to stay aligned with the latest exam objectives—so check back often for fresh content!

Start practicing with our 712-50 mock test free today—and take a major step toward exam success!
