712-50 Practice Questions Free


712-50 Practice Questions Free – 50 Exam-Style Questions to Sharpen Your Skills

Are you preparing for the 712-50 certification exam? Kickstart your success with our 712-50 Practice Questions Free – a carefully selected set of 50 real exam-style questions to help you test your knowledge and identify areas for improvement.

Practicing with free 712-50 practice questions gives you a powerful edge by allowing you to:

  • Understand the exam structure and question formats
  • Discover your strong and weak areas
  • Build the confidence you need for test day success

Below, you will find 50 free 712-50 practice questions designed to match the real exam in both difficulty and topic coverage. They are ideal for self-assessment or final review. You can click on each question to explore the details.

Question 1

Which of the following represents the MOST negative impact resulting from an ineffective security governance program?

A. Improper use of information resources

B. Reduction of budget

C. Decreased security awareness

D. Fines for regulatory non-compliance

Suggested Answer: D

Question 2

With a focus on the review and approval aspects of board responsibilities, the Data Governance Council recommends that boards provide strategic oversight regarding information and information security, including these four things:

A. Metrics tracking security milestones, understanding criticality of information and information security, visibility into the types of information and how it is used, endorsement by the board of directors

B. Annual security training for all employees, continual budget reviews, endorsement of the development and implementation of a security program, metrics to track the program

C. Understanding criticality of information and information security, review investment in information security, endorse development and implementation of a security program, and require regular reports on adequacy and effectiveness

D. Endorsement by the board of directors for security program, metrics of security program milestones, annual budget review, report on integration and acceptance of program

Suggested Answer: C

Reference:
https://nanopdf.com/download/information-security-governance-guidance-for-boards-of_pdf
(9)

Question 3

Information security policies should be reviewed _____________________.

A. by the internal audit semiannually

B. by the CISO when new systems are brought online

C. by the Incident Response team after an audit

D. by stakeholders at least annually

Suggested Answer: D

Question 4

Scenario: You are the CISO and have just completed your first risk assessment for your organization. You find many risks with no security controls, and some risks with inadequate controls. You assign work to your staff to create or adjust existing security controls to ensure they are adequate for risk mitigation needs.
When adjusting the controls to mitigate the risks, how often should the CISO perform an audit to verify the controls?

A. Never

B. Quarterly

C. Annually

D. Semi-annually

Suggested Answer: C

Community Answer: C

Question 5

Scenario: A Chief Information Security Officer (CISO) recently had a third party conduct an audit of the security program. Internal policies and international standards were used as audit baselines. The audit report was presented to the CISO and a variety of high, medium and low rated gaps were identified.
After determining the audit findings are accurate, which of the following is the MOST logical next activity?

A. Validate gaps with the Information Technology team

B. Begin initial gap remediation analyses

C. Review the security organization’s charter

D. Create a briefing of the findings for executive management

Suggested Answer: B

Question 6

Which of the following statements about Encapsulating Security Payload (ESP) is true?

A. It is an IPSec protocol

B. It is a text-based communication protocol

C. It uses UDP port 22

D. It uses TCP port 22 as the default port and operates at the application layer

Suggested Answer: A

Question 7

Risk is defined as:

A. Quantitative plus qualitative impact

B. Asset loss times likelihood of event

C. Advisory plus capability plus vulnerability

D. Threat times vulnerability divided by control

Suggested Answer: B

Community Answer: B

Question 8

The purpose of NIST SP 800-53 as part of the NIST System Certification and Accreditation Project is to establish a set of standardized, minimum security controls for IT systems addressing low, moderate, and high levels of concern for:

A. Integrity and Availability

B. Assurance, Compliance and Availability

C. International Compliance

D. Confidentiality, Integrity and Availability

Suggested Answer: D

Question 9

Which of the following activities results in change requests?

A. Corrective actions

B. Defect repair

C. Preventive actions

D. Inspection

Suggested Answer: C

Community Answer: C

Question 10

A security professional has been promoted to be the CISO of an organization. The first task is to create a security policy for this organization. The CISO creates and publishes the security policy.
This policy, however, is ignored and not enforced consistently. Which of the following is the MOST likely reason for the policy shortcomings?

A. Lack of a formal risk management policy

B. Lack of a formal security policy governance process

C. Lack of formal definition of roles and responsibilities

D. Lack of a formal security awareness program

Suggested Answer: B

Community Answer: B

Question 11

Step-by-step procedures to regain normalcy in the event of a major earthquake are PRIMARILY covered by which of the following plans?

A. Damage control plan

B. Disaster recovery plan

C. Business Continuity plan

D. Incident response plan

Suggested Answer: B

Question 12

What is generally the FIRST step in Information Security program development?

A. Design

B. Plan

C. Execute

D. Assess

Suggested Answer: B

Question 13

Which of the following tests is performed by an Information Systems (IS) auditor when a sample of programs is selected to determine if the source and object versions are the same?

A. A substantive test of program library controls

B. A compliance test of the program compiler controls

C. A compliance test of program library controls

D. A substantive test of the program compiler controls

Suggested Answer: C

Community Answer: C

Question 14

The Security Operations Center (SOC) just purchased a new intrusion prevention system (IPS) that needs to be deployed in-line for best defense. The IT group is concerned about putting the new IPS in-line because it might negatively impact network availability.
What would be the BEST approach for the CISO to reassure the IT group?

A. Explain to the IT group that this is a business need and the IPS will fail open however, if there is a network failure the CISO will accept responsibility

B. Work with the IT group and tell them to put IPS in-line and say it won’t cause any network impact

C. Explain to the IT group that the IPS will fail open once in-line however it will be deployed in monitor mode for a set period of time to ensure that it doesn’t block any legitimate traffic

D. Explain to the IT group that the IPS won’t cause any network impact because it will fail open

Suggested Answer: C

Question 15

The alerting, monitoring and life-cycle management of security-related events is typically handled by the _________________.

A. risk management process

B. risk assessment process

C. governance, risk, and compliance tools

D. security threat and vulnerability management process

Suggested Answer: D

Question 16

An employee successfully avoids becoming a victim of a sophisticated spear phishing attack due to knowledge gained through the corporate information security awareness program.
What type of control has been effectively utilized?

A. Technical Control

B. Management Control

C. Operational Control

D. Training Control

Suggested Answer: C

Community Answer: C

Question 17

The single most important consideration to make when developing your security program, policies, and processes is:

A. Alignment with the business

B. Budgeting for unforeseen data compromises

C. Establishing your authority as the Security Executive

D. Streaming for efficiency

Suggested Answer: A

Question 18

A CISO implements smart cards for credential management, and as a result has reduced costs associated with help desk operations supporting password resets.
This demonstrates which of the following principles?

A. Increased security program presence

B. Regulatory compliance effectiveness

C. Security organizational policy enforcement

D. Proper organizational policy enforcement

Suggested Answer: C

Community Answer: D

Question 19

How often should the SSAE16 report of your vendors be reviewed?

A. Quarterly

B. Semi-annually

C. Bi-annually

D. Annually

Suggested Answer: D

Question 20

One of the MAIN goals of a Business Continuity Plan is to_______________.

A. Ensure all infrastructure and applications are available in the event of a disaster

B. Assign responsibilities to the technical teams responsible for the recovery of all data

C. Provide step by step plans to recover business processes in the event of a disaster

D. Allow all technical first-responders to understand their roles in the event of a disaster.

Suggested Answer: C

Community Answer: A

Question 21

Your incident response plan should include which of the following?

A. Procedures for classification

B. Procedures for charge-back

C. Procedures for reclamation

D. Procedures for litigation

Suggested Answer: A

Community Answer: C

Question 22

A bastion host should be placed:

A. Inside the DMZ

B. In-line with the data center firewall

C. Beyond the outer perimeter firewall

D. As the gatekeeper to the organization’s honeynet

Suggested Answer: A

Community Answer: A

Question 23

Creating a secondary authentication process for network access would be an example of?

A. An administrator with too much time on their hands

B. Supporting the concept of layered security

C. Network segmentation

D. Putting undue time commitment on the system administrator

Suggested Answer: B

Question 24

Security related breaches are assessed and contained through which of the following?

A. The IT support team

B. A forensic analysis

C. Physical security team

D. Incident response

Suggested Answer: D

Question 25

Payment Card Industry (PCI) compliance requirements are based on what criteria?

A. The size of the organization processing credit card data

B. The types of cardholder data retained

C. The duration card holder data is retained

D. The number of transactions performed per year by an organization

Suggested Answer: D

Question 26

You have been hired as the CISO for a hospital. The hospital currently deploys a hybrid cloud model using a Software as a Service (SaaS) product for healthcare clearinghouse services. The Health Insurance Portability and Accountability Act (HIPAA) requires an agreement between Cloud Service Providers (CSP) and the covered entity. Based on HIPAA, once the agreement between the covered entity and the CSP is signed, the CSP is ____________?

A. Partially liable for compliance with the applicable requirements of the HIPAA Rules

B. Directly liable for compliance with the applicable requirements of the HIPAA Rules

C. Not liable for compliance with the applicable requirements of the HIPAA Rules

D. Indirectly liable for compliance with the applicable requirements of the HIPAA Rules

Suggested Answer: A

Community Answer: B

Question 27

A severe security threat has been detected on your corporate network. As CISO you quickly assemble key members of the Information Technology team and business operations to determine a modification to security controls in response to the threat.
This is an example of:

A. Change management

B. Thought leadership

C. Business continuity planning

D. Security Incident Response

Suggested Answer: D

Question 28

Which of the following is the MOST important goal of risk management?

A. Finding economic balance between the impact of the risk and the cost of the control

B. Identifying the victim of any potential exploits

C. Identifying the risk

D. Assessing the impact of potential threats

Suggested Answer: A

Question 29

An information security department is required to remediate system vulnerabilities when they are discovered. Please select the three primary remediation methods that can be used on an affected system.

A. Install software patch, configuration adjustment, software removal

B. Install software patch, operate system, maintain system

C. Discover software, remove affected software, apply software patch

D. Software removal, install software patch, maintain system

Suggested Answer: A

Community Answer: A

Question 30

As the CISO for your company you are accountable for the protection of information resources commensurate with:

A. Risk of exposure

B. Cost and time to replace

C. Insurability tables

D. Customer demand

Suggested Answer: A

Question 31

Your incident response plan should include which of the following?

A. Procedures for classification

B. Procedures for charge-back

C. Procedures for reclamation

D. Procedures for litigation

Suggested Answer: A

Community Answer: C

Question 32

The Information Security Governance program MUST:

A. integrate with other organizational governance processes

B. show a return on investment for the organization

C. integrate with other organizational governance processes

D. support user choice for Bring Your Own Device (BYOD)

Suggested Answer: C

Community Answer: A

Question 33

What are the three hierarchically related aspects of strategic planning and in which order should they be done?

A. 1) Information technology strategic planning, 2) Enterprise strategic planning, 3) Cybersecurity or information security strategic planning

B. 1) Cybersecurity or information security strategic planning, 2) Enterprise strategic planning, 3) Information technology strategic planning

C. 1) Enterprise strategic planning, 2) Information technology strategic planning, 3) Cybersecurity or information security strategic planning

D. 1) Enterprise strategic planning, 2) Cybersecurity or information security strategic planning, 3) Information technology strategic planning

Suggested Answer: C

Community Answer: C

Question 34

A customer of a bank has placed a dispute on a payment for a credit card account. The banking system uses digital signatures to safeguard the integrity of their transactions. The bank claims that the system shows proof that the customer in fact made the payment.
What is this system capability commonly known as?

A. conflict resolution

B. strong authentication

C. non-repudiation

D. digital rights management

Suggested Answer: C

Question 35

The Information Security Management program MUST protect:

A. Audit schedules and findings

B. Intellectual property released into the public domain

C. all organizational assets

D. critical business processes and revenue streams

Suggested Answer: D

Question 36

Which business stakeholder is accountable for the integrity of a new information system?

A. Compliance Officer

B. CISO

C. Project manager

D. Board of directors

Suggested Answer: B

Community Answer: B

Question 37

Who should be involved in the development of an internal campaign to address email phishing?

A. Business unit leaders, CIO, CEO

B. Business Unit Leaders, CISO, CIO and CEO

C. All employees

D. CFO, CEO, CIO

Suggested Answer: B

Community Answer: C

Question 38

Scenario: Your organization employs single sign-on (user name and password only) as a convenience to your employees to access organizational systems and data. Permission to individual systems and databases is vetted and approved through supervisors and data owners to ensure that only approved personnel can use particular applications or retrieve information. All employees have access to their own human resource information, including the ability to change their bank routing and account information and other personal details through the Employee Self-Service application. All employees have access to the organizational VPN.
Once supervisors and data owners have approved requests, information system administrators will implement:

A. Management control(s)

B. Technical control(s)

C. Operational control(s)

D. Policy control(s)

Suggested Answer: B

Question 39

What should an organization do to ensure that they have a sound Business Continuity (BC) Plan?

A. Conduct a Disaster Recovery (DR) exercise every year to test the plan

B. Conduct periodic tabletop exercises to refine the BC plan

C. Test every three years to ensure that the BC plan is valid

D. Define the Recovery Point Objective (RPO)

Suggested Answer: B

Question 40

Scenario: A Chief Information Security Officer (CISO) recently had a third party conduct an audit of the security program. Internal policies and international standards were used as audit baselines. The audit report was presented to the CISO and a variety of high, medium and low rated gaps were identified. The CISO has validated audit findings, determined if compensating controls exist, and started initial remediation planning.
Which of the following is the MOST logical next step?

A. Create detailed remediation funding and staffing plans

B. Report the audit findings and remediation status to business stake holders

C. Validate the effectiveness of current controls

D. Review security procedures to determine if they need to be modified according to findings

Suggested Answer: B

Community Answer: B

Question 41

Which of the following is a weakness of an asset or group of assets that can be exploited by one or more threats?

A. Vulnerability

B. Threat

C. Exploitation

D. Attack vector

Suggested Answer: A

Question 42

At what level of governance are individual projects monitored and managed?

A. Program

B. Milestone

C. Enterprise

D. Portfolio

Suggested Answer: D

Community Answer: D

Question 43

According to the National Institute of Standards and Technology (NIST) SP 800-40, which of the following considerations are MOST important when creating a vulnerability management program?

A. Susceptibility to attack, expected duration of attack, and mitigation availability

B. Attack vectors, controls cost, and investigation staffing needs

C. Susceptibility to attack, mitigation response time, and cost

D. Vulnerability exploitation, attack recovery, and mean time to repair

Suggested Answer: C

Question 44

Which of the following methods are used to define contractual obligations that force a vendor to meet customer expectations?

A. Terms and Conditions

B. Statements of Work

C. Service Level Agreements (SLA)

D. Key Performance Indicators (KPI)

Suggested Answer: C

Community Answer: C

Question 45

The Information Security Management program MUST protect:

A. Audit schedules and findings

B. Intellectual property released into the public domain

C. all organizational assets

D. critical business processes and revenue streams

Suggested Answer: D

Question 46

The main purpose of the SOC is:

A. An organization which provides Tier 1 support for technology issues and provides escalation when needed

B. A distributed organization which provides intelligence to governments and private sectors on cyber-criminal activities

C. The coordination of personnel, processes and technology to identify information security events and provide timely response and remediation

D. A device which consolidates event logs and provides real-time analysis of security alerts generated by applications and network hardware

Suggested Answer: C

Reference:
https://www.eccouncil.org/what-is-soc/

Question 47

What is the definition of Risk in Information Security?

A. Risk = Probability x Impact

B. Risk = Impact x Threat

C. Risk = Threat x Probability

D. Risk = Financial Impact x Probability

Suggested Answer: A

Community Answer: A

Question 48

Which of the following activities is the MAIN purpose of the risk assessment process?

A. Creating an inventory of information assets

B. Calculating the risks to which assets are exposed in their current setting

C. Classifying and organizing information assets into meaningful groups

D. Assigning value to each information asset

Suggested Answer: B

Question 49

Which of the following provides an independent assessment of a vendor's internal security controls and overall posture?

A. ISO27000 accreditation

B. Alignment with business goals

C. PCI attestation of compliance

D. Financial statements

Suggested Answer: A

Question 50

Scenario: A Chief Information Security Officer (CISO) recently had a third party conduct an audit of the security program. Internal policies and international standards were used as audit baselines. The audit report was presented to the CISO and a variety of high, medium and low rated gaps were identified.
Which of the following is the FIRST action the CISO will perform after receiving the audit report?

A. Inform peer executives of the audit results

B. Validate gaps and accept or dispute the audit findings

C. Create remediation plans to address program gaps

D. Determine if security policies and procedures are adequate

Suggested Answer: B

Free Access Full 712-50 Practice Questions Free

Want more hands-on practice? Click here to access the full bank of 712-50 practice questions free and reinforce your understanding of all exam objectives.

We update our question sets regularly, so check back often for new and relevant content.

Good luck with your 712-50 certification journey!
