712-50 Practice Exam Free – 50 Questions to Simulate the Real Exam
Are you getting ready for the 712-50 certification? Take your preparation to the next level with our 712-50 Practice Exam Free – a carefully designed set of 50 realistic exam-style questions to help you evaluate your knowledge and boost your confidence.
Using a 712-50 practice exam free is one of the best ways to:
- Experience the format and difficulty of the real exam
- Identify your strengths and focus on weak areas
- Improve your test-taking speed and accuracy
Below, you will find 50 realistic 712-50 practice exam free questions covering key exam topics. Each question reflects the structure and challenge of the actual exam.
Ensuring that the actions of a set of people, applications and systems follow the organization's rules is BEST described as:
A. Compliance management
B. Security management
C. Risk management
D. Mitigation management
Scenario: An organization has recently appointed a CISO. This is a new role in the organization and it signals the increasing need to address security consistently at the enterprise level. This new CISO, while confident with skills and experience, is constantly on the defensive and is unable to advance the IT security centric agenda. The CISO has been able to implement a number of technical controls and is able to influence the Information Technology teams but has not been able to influence the rest of the organization. From an organizational perspective, which of the following is the LIKELY reason for this?
A. The CISO reports to the IT organization
B. The CISO has not implemented a policy management framework
C. The CISO does not report directly to the CEO of the organization
D. The CISO has not implemented a security awareness program
The rate of change in technology increases the importance of:
A. Hiring personnel with leading edge skills.
B. Understanding user requirements.
C. Outsourcing the IT functions.
D. Implementing and enforcing good processes.
Which of the following methodologies references the recommended industry standard that all project managers should follow?
A. The Security Systems Development Life Cycle
B. Project Management System Methodology
C. Project Management Body of Knowledge
D. The Security Project and Management Methodology
Which of the following methods is used to define contractual obligations that force a vendor to meet customer expectations?
A. Terms and Conditions
B. Statements of Work
C. Service Level Agreements (SLA)
D. Key Performance Indicators (KPI)
Many successful cyber-attacks currently include:
A. Phishing Attacks
B. Misconfigurations
C. Social engineering
D. All of these
What role should the CISO play in properly scoping a PCI environment?
A. Complete the self-assessment questionnaire and work with an Approved Scanning Vendor (ASV) to determine scope
B. Work with a Qualified Security Assessor (QSA) to determine the scope of the PCI environment
C. Validate the business units’ suggestions as to what should be included in the scoping process
D. Ensure internal scope validation is completed and that an assessment has been done to discover all credit card data
Which of the following best represents a calculation for Annual Loss Expectancy (ALE)?
A. Value of the asset multiplied by the loss expectancy
B. Replacement cost multiplied by the single loss expectancy
C. Single loss expectancy multiplied by the annual rate of occurrence
D. Total loss expectancy multiplied by the total loss frequency
What is the THIRD stage of the Tuckman Stages of Group Development?
A. Norming
B. Forming
C. Storming
D. Performing
You currently cannot provide for 24/7 coverage of your security monitoring and incident response duties and your company is resistant to the idea of adding more full-time employees to the payroll. Which combination of solutions would help to provide the coverage needed without the addition of more dedicated staff?
A. Employ an assumption of breach protocol and defend only essential information resources.
B. Deploy a SIEM solution and have your staff review incidents first thing in the morning.
C. Configure your syslog to send SMS messages to current staff when target events are triggered.
D. Engage a managed security provider and have current staff on call for incident response.
Risk that remains after risk mitigation is known as _____________.
A. Accepted risk
B. Residual risk
C. Non-tolerated risk
D. Persistent risk
Which of the following are not stakeholders of IT security projects?
A. Board of directors
B. Help Desk
C. Third party vendors
D. CISO
Scenario: A CISO has several two-factor authentication systems under review and selects the one that is most sufficient and least costly. The implementation project planning is completed and the teams are ready to implement the solution. The CISO then discovers that the product is not as scalable as originally thought and will not fit the organization's needs. The CISO discovers the scalability issue will only impact a small number of network segments. What is the next logical step to ensure the proper application of risk management methodology within the two-factor implementation project?
A. Decide to accept the risk on behalf of the impacted business units
B. Create new use cases for operational use of the solution
C. Report the deficiency to the audit team and create process exceptions
D. Determine if sufficient mitigating controls can be applied
A newly-hired CISO needs to understand the organization's financial management standards for business units and operations. Which of the following would be the best source of this information?
A. The internal accounting department
B. The Chief Financial Officer (CFO)
C. The external financial audit service
D. The managers of the accounts payables and accounts receivables teams
Who is responsible for securing networks during a security incident?
A. Security Operations Center (SOC)
B. Chief Information Security Officer (CISO)
C. Disaster Recovery (DR) manager
D. Incident Response Team (IRT)
Scenario: An organization has made a decision to address Information Security formally and consistently by adopting established best practices and industry standards. The organization is a small retail merchant, but it is expected to grow to a global customer base of many millions of customers in just a few years. Which of the following would be the FIRST step when addressing Information Security formally and consistently in this organization?
A. Define formal roles and responsibilities for Information Security
B. Define formal roles and responsibilities for Internal audit functions
C. Create an executive security steering committee
D. Contract a third party to perform a security risk assessment
As the Business Continuity Coordinator of a financial services organization, you are responsible for ensuring assets are recovered in a timely manner in the event of a disaster. Which is the BEST Disaster Recovery performance indicator to validate that you are prepared for a disaster?
A. Recovery Point Objective (RPO)
B. Disaster Recovery Plan
C. Recovery Time Objective (RTO)
D. Business Continuity Plan
The FIRST step in establishing a security governance program is to:
A. Obtain senior level sponsorship.
B. Conduct a workshop for all end users.
C. Conduct a risk assessment.
D. Prepare a security budget.
During the course of a risk analysis your IT auditor identified threats and potential impacts. Next, your IT auditor should:
A. Identify and assess the risk assessment process used by management.
B. Identify and evaluate existing controls.
C. Identify information assets and the underlying systems.
D. Disclose the threats and impacts to management.
The primary purpose of a risk register is to:
A. Maintain a log of discovered risks
B. Track individual risk assessments
C. Develop plans for mitigating identified risks
D. Coordinate the timing of scheduled risk assessments
When analyzing and forecasting an operating expense budget, which of the following is NOT included?
A. New datacenter to operate from
B. Network connectivity costs
C. Software and hardware license fees
D. Utilities and power costs
Which level of data destruction applies logical techniques to sanitize data in all user-addressable storage locations?
A. Purge
B. Clear
C. Mangle
D. Destroy
An application vulnerability assessment has identified a security flaw in an application. This is a flaw that was previously identified and remediated on a prior release of the application. Which of the following is MOST likely the reason for this recurring issue?
A. Lack of version/source controls
B. Lack of change management controls
C. Ineffective configuration management controls
D. High turnover in the application development department
Your company has a "no right to privacy" notice on all logon screens for your information systems, and users sign an Acceptable Use Policy informing them of this condition. A peer group member and friend comes to you and requests access to the email account of one of her employees. What should you do?
A. Deny the request citing national privacy laws
B. None
C. Grant her access; the employee has been adequately warned through the AUP.
D. Assist her with the request, but only after her supervisor signs off on the action.
E. Reset the employee’s password and give it to the supervisor.
Which of the following is the MOST logical method of deploying security controls within an organization?
A. Obtain funding for all desired controls and then create project plans for implementation
B. Apply the simpler controls as quickly as possible and use a risk-based approach for the more difficult and costly controls
C. Apply the least costly controls to demonstrate positive program activity
D. Obtain business unit buy-in through close communication and coordination
Which of the following provides an independent assessment of a vendor's internal security controls and overall posture?
A. ISO27000 accreditation
B. Alignment with business goals
C. PCI attestation of compliance
D. Financial statements
The process of creating a system which divides documents based on their security level to manage access to private data is known as ____________________.
A. security coding
B. Privacy protection
C. data security system
D. data classification
As the CISO, you are the project sponsor for a highly visible log management project. The objective of the project is to centralize all the enterprise logs into a security information and event management (SIEM) system. You requested the results of the performance quality audits activity. The performance quality audit activity is done in what project management process group?
A. Executing
B. Controlling
C. Planning
D. Closing
An organization licenses and uses personal information for business operations, and a server containing that information has been compromised. What kind of law would require notifying the owner or licensee of this incident?
A. Consumer right disclosure
B. Data breach disclosure
C. Special circumstance disclosure
D. Security incident disclosure
Which of the following is the MOST important component of any change management process?
A. Outage planning
B. Scheduling
C. Approval tracking
D. Back-out procedures
An organization has defined a set of standard security controls. This organization has also defined the circumstances and conditions in which they must be applied. What is the NEXT logical step in applying the controls in the organization?
A. Determine the risk tolerance
B. Perform an asset classification
C. Analyze existing controls on systems
D. Create an architecture gap analysis
When dealing with risk, the information security practitioner may choose to:
A. acknowledge
B. transfer
C. assign
D. defer
When evaluating a Managed Security Services Provider (MSSP), which service(s) is/are most important?
A. Patch management
B. Network monitoring
C. Ability to provide security services tailored to the business’ needs
D. 24/7 tollfree number
Creating a secondary authentication process for network access would be an example of:
A. An administrator with too much time on their hands
B. Supporting the concept of layered security
C. Network segmentation
D. Putting undue time commitment on the system administrator
What oversight should the information security team have in the change management process for application security?
A. Information security should be aware of any significant application security changes and work with developers to test for vulnerabilities before changes are deployed in production
B. Information security should be aware of all application changes and work with developers before changes are deployed in production
C. Information security should be informed of changes to applications only
D. Development team should tell the information security team about any application security flaws
Which of the following statements regarding Key Performance Indicators (KPIs) is true?
A. Development of KPIs is most useful when done independently
B. They are a strictly quantitative measure of success
C. They should be standard throughout the organization versus domain-specific so they are more easily correlated
D. They are a strictly qualitative measure of success
The single most important consideration to make when developing your security program, policies, and processes is:
A. Alignment with the business
B. Budgeting for unforeseen data compromises
C. Establishing your authority as the Security Executive
D. Streamlining for efficiency
When an organization claims it is secure because it is PCI-DSS certified, what is a good first question to ask towards assessing the effectiveness of their security program?
A. How many credit records are stored?
B. What is the value of the assets at risk?
C. What is the scope of the certification?
D. How many servers do you have?
Which represents PROPER separation of duties in the corporate environment?
A. Information Security and Network teams perform two distinct functions
B. Information Security and Identity Access Management teams perform two distinct functions
C. Finance has access to Human Resources data
D. Developers and Network teams both have admin rights on servers
A university recently hired a CISO. One of the first tasks is to develop a continuity of operations plan (COOP). In developing the business impact assessment (BIA), which of the following MOST closely relates to data backup and restoration?
A. Recovery Point Objective (RPO)
B. Mean Time to Delivery (MTD)
C. Recovery Time Objective (RTO)
D. Maximum Tolerable Downtime (MTD)
A global retail organization is looking to implement a consistent Disaster Recovery and Business Continuity Process across all of its business units. Which of the following standards and guidelines can BEST address this organization's need?
A. International Organization for Standardization 22301 (ISO 22301)
B. Information Technology Infrastructure Library (ITIL)
C. Payment Card Industry Data Security Standards (PCI-DSS)
D. International Organization for Standardization 27005 (ISO 27005)
What are the primary reasons for the development of a business case for a security project?
A. To forecast usage and cost per software licensing
B. To understand the attack vectors and attack sources
C. To communicate risk and forecast resource needs
D. To estimate risk and negate liability to the company
What is the FIRST step in developing the vulnerability management program?
A. Baseline the Environment
B. Define policy
C. Maintain and Monitor
D. Organization Vulnerability
When analyzing and forecasting a capital expense budget, which of the following is NOT included?
A. Purchase of new mobile devices to improve operations
B. New datacenter to operate from
C. Network connectivity costs
D. Upgrade of mainframe
As the Risk Manager of an organization, you are tasked with managing vendor risk assessments. During the assessment, you identified that the vendor is engaged with high-profile clients, and bad publicity can jeopardize your own brand. Which type of risk BEST defines this event?
A. Compliance Risk
B. Reputation Risk
C. Operational Risk
D. Strategic Risk
A business unit within your organization intends to deploy a new technology in a manner that places it in violation of existing information security standards. What immediate action should the information security manager take?
A. Enforce the existing security standards and do not allow the deployment of the new technology.
B. If the risks associated with that technology are not already identified, perform a risk analysis to quantify the risk, and allow the business unit to proceed based on the identified risk level.
C. Amend the standard to permit the deployment.
D. Permit a 90-day window to see if an issue occurs and then amend the standard if there are no issues.
What is meant by password aging?
A. An expiration date set for passwords
B. A Single Sign-On requirement
C. Time in seconds a user is allocated to change a password
D. The amount of time it takes for a password to activate
The effectiveness of an audit is measured by:
A. The number of security controls the company has in use
B. How it exposes the risk tolerance of the company
C. The number of actionable items in the recommendations
D. How the recommendations directly support the goals of the company
Which of the following is of MOST importance when security leaders of an organization are required to align security to influence the culture of an organization?
A. Understand the business goals of the organization
B. Possess a strong technical background
C. Possess a strong auditing background
D. Understand all regulations affecting the organization
Our question sets are updated regularly to ensure they stay aligned with the latest exam objectives, so be sure to visit often!
Good luck with your 712-50 certification journey!