712-50 Practice Test Free – 50 Real Exam Questions to Boost Your Confidence
Preparing for the 712-50 exam? Start with our 712-50 Practice Test Free – a set of 50 high-quality, exam-style questions crafted to help you assess your knowledge and improve your chances of passing on the first try.
Taking a 712-50 practice test free is one of the smartest ways to:
- Get familiar with the real exam format and question types
- Evaluate your strengths and spot knowledge gaps
- Gain the confidence you need to succeed on exam day
Below, you will find 50 free 712-50 practice questions to help you prepare for the exam. These questions are designed to reflect the real exam structure and difficulty level.
A global retail company is creating a new compliance management process. Which of the following regulations is of MOST importance to be tracked and managed by this process?
A. Information Technology Infrastructure Library (ITIL)
B. National Institute of Standards and Technology (NIST) standards
C. International Organization for Standardization (ISO) standards
D. Payment Card Industry Data Security Standards (PCI-DSS)
Scenario: You are the CISO and are required to brief the C-level executive team on your information security audit for the year. During your review of the audit findings, you discover that many of the controls that were put in place the previous year to correct some of the findings are not performing as needed. You have thirty days until the briefing. To formulate a remediation plan for the non-performing controls, what other document do you need to review before adjusting the controls?
A. Business continuity plan
B. Security roadmap
C. Business impact analysis
D. Annual report to shareholders
Which of the following is a term related to risk management that represents the estimated frequency at which a threat is expected to transpire?
A. Temporal Probability (TP)
B. Annualized Rate of Occurrence (ARO)
C. Single Loss Expectancy (SLE)
D. Exposure Factor (EF)
Which of the following will be MOST helpful for getting an Information Security project that is behind schedule back on schedule?
A. More frequent project milestone meetings
B. Involve internal audit
C. Upper management support
D. More training of staff members
Scenario: An organization has recently appointed a CISO. This is a new role in the organization, and it signals the increasing need to address security consistently at the enterprise level. This new CISO, while confident in their skills and experience, is constantly on the defensive and is unable to advance the IT security centric agenda. From an Information Security Leadership perspective, which of the following is a MAJOR concern about the CISO's approach to security?
A. IT security centric agenda
B. Lack of risk management process
C. Lack of risk management process
D. Compliance centric agenda
The process of identifying and classifying assets is typically included in the ________________.
A. Threat analysis process
B. Business Impact Analysis
C. Asset configuration management process
D. Disaster Recovery plan
You have implemented a new security control. Which of the following risk strategy options have you engaged in?
A. Risk Transfer
B. Risk Mitigation
C. Risk Avoidance
D. Risk Acceptance
Acme Inc. has engaged a third-party vendor to provide 99.999% up-time for their online web presence and had them contractually agree to this service level agreement. What type of risk tolerance is Acme exhibiting?
A. Medium-high risk tolerance
B. Low risk tolerance
C. High risk tolerance
D. Moderate risk tolerance
Which technology can provide a computing environment without requiring a dedicated hardware backend?
A. Mainframe server
B. Virtual Desktop
C. Thin client
D. Virtual Local Area Network
Scenario: An organization has made a decision to address Information Security formally and consistently by adopting established best practices and industry standards. The organization is a small retail merchant, but it is expected to grow to a global customer base of many millions of customers in just a few years. Which of the following frameworks and standards will BEST fit the organization as a baseline for their security program?
A. NIST and Privacy Regulations
B. NIST and Data Breach Notification Laws
C. ISO 27000 and Payment Card Industry Data Security Standards
D. ISO 27000 and Human resources best practices
When should IT security project management be outsourced?
A. On projects not forecasted in the yearly budget
B. When organizational resources are limited
C. When the benefits of outsourcing outweigh the inherent risks of outsourcing
D. On new, enterprise-wide security initiatives
The Security Operations Center (SOC) just purchased a new intrusion prevention system (IPS) that needs to be deployed in-line for best defense. The IT group is concerned about putting the new IPS in-line because it might negatively impact network availability. What would be the BEST approach for the CISO to reassure the IT group?
A. Explain to the IT group that this is a business need and the IPS will fail open; however, if there is a network failure the CISO will accept responsibility
B. Work with the IT group, tell them to put the IPS in-line, and say it won't cause any network impact
C. Explain to the IT group that the IPS will fail open once in-line; however, it will be deployed in monitor mode for a set period of time to ensure that it doesn't block any legitimate traffic
D. Explain to the IT group that the IPS won't cause any network impact because it will fail open
What is a key policy that should be part of the information security plan?
A. Account management policy
B. Training policy
C. Acceptable Use policy
D. Remote Access policy
When dealing with risk, the information security practitioner may choose to:
A. acknowledge
B. transfer
C. assign
D. defer
Network Forensics is the prerequisite for any successful legal action after attacks on your Enterprise Network. Which is the single most important factor to introducing digital evidence into a court of law?
A. Expert forensics witness
B. Fully trained network forensic experts to analyze all data right after the attack
C. Uninterrupted Chain of Custody
D. Comprehensive Log-Files from all servers and network devices affected during the attack
Creating a secondary authentication process for network access would be an example of?
A. An administrator with too much time on their hands
B. Supporting the concept of layered security
C. Network segmentation
D. Putting undue time commitment on the system administrator
Which of the following Intellectual Property components is focused on maintaining brand recognition?
A. Trademark
B. Research Logs
C. Copyright
D. Patent
Which of the following is a strong post designed to stop a car?
A. Fence
B. Bollard
C. Reinforced rebar
D. Gate
Information security policies should be reviewed _____________________.
A. by the internal audit semiannually
B. by the CISO when new systems are brought online
C. by the Incident Response team after an audit
D. by stakeholders at least annually
Which of the following set of processes is considered to be one of the cornerstone cycles of the International Organization for Standardization (ISO) 27001 standard?
A. Plan-Check-Do-Act
B. Plan-Select-Implement-Evaluate
C. Plan-Do-Check-Act
D. SCORE (Security Consensus Operational Readiness Evaluation)
Many times a CISO may have to speak to the Board of Directors (BOD) about their cyber security posture. What would be the BEST choice of security metrics to present to the BOD?
A. All vulnerabilities found on servers and desktops
B. Only critical and high vulnerabilities on servers
C. Only critical and high vulnerabilities on servers and desktops
D. All vulnerabilities that impact important production servers
The purpose of NIST SP 800-53 as part of the NIST System Certification and Accreditation Project is to establish a set of standardized, minimum security controls for IT systems addressing low, moderate, and high levels of concern for:
A. Integrity and Availability
B. Assurance, Compliance and Availability
C. International Compliance
D. Confidentiality, Integrity and Availability
Which of the following best describes an access control process that confirms the identity of the entity seeking access to a logical or physical area?
A. Identification
B. Authorization
C. Authentication
D. Accountability
Scenario: A Chief Information Security Officer (CISO) recently had a third party conduct an audit of the security program. Internal policies and international standards were used as audit baselines. The audit report was presented to the CISO and a variety of high, medium and low rated gaps were identified. The CISO has validated audit findings, determined if compensating controls exist, and started initial remediation planning. Which of the following is the MOST logical next step?
A. Create detailed remediation funding and staffing plans
B. Report the audit findings and remediation status to business stakeholders
C. Validate the effectiveness of current controls
D. Review security procedures to determine if they need to be modified according to the findings
Which of the following represents the BEST method of ensuring security program alignment to business needs?
A. Ensure the organization has strong executive-level security representation through clear sponsorship or the creation of a CISO role
B. Create a comprehensive security awareness program and provide success metrics to business units
C. Create security consortiums, such as strategic security planning groups, that include business unit participation
D. Ensure security implementations include business unit testing and functional validation prior to production rollout
Risk appetite directly affects what part of a vulnerability management program?
A. Scope
B. Schedule
C. Staff
D. Scan tools
Which of the following statements about Encapsulating Security Payload (ESP) is true?
A. It is an IPSec protocol
B. It is a text-based communication protocol
C. It uses UDP port 22
D. It uses TCP port 22 as the default port and operates at the application layer
What is meant by password aging?
A. An expiration date set for passwords
B. A Single Sign-On requirement
C. Time in seconds a user is allocated to change a password
D. The amount of time it takes for a password to activate
Who should be involved in the development of an internal campaign to address email phishing?
A. Business unit leaders, CIO, CEO
B. Business Unit Leaders, CISO, CIO and CEO
C. All employees
D. CFO, CEO, CIO
What is the definition of Risk in Information Security?
A. Risk = Probability x Impact
B. Risk = Impact x Threat
C. Risk = Threat x Probability
D. Risk = Financial Impact x Probability
The network administrator wants to strengthen physical security in the organization. Specifically, they want to implement a solution that stops people from entering certain restricted zones without proper credentials. Which of the following physical security measures should the administrator use?
A. Video surveillance
B. Mantrap
C. Bollards
D. Fence
When selecting a security solution with recurring maintenance costs after the first year:
A. Implement the solution and ask for the increased operating cost budget when it is time
B. Communicate future operating costs to the CIO/CFO and seek commitment from them to ensure the new solution's continued use
C. Defer selection until the market improves and cash flow is positive
D. The CISO should cut other essential programs to ensure the new solution's continued use
As a new CISO at a large healthcare company, you are told that everyone has to badge in to get into the building. Below your office window you notice a door that is normally propped open during the day for groups of people to take breaks outside. Upon looking closer, you see there is no badge reader. What should you do?
A. Post a guard at the door to maintain physical security
B. Close and chain the door shut and send a company-wide memo banning the practice
C. Conduct a physical risk assessment of the facility
D. Nothing, this falls outside your area of influence
Making sure that the actions of all employees, applications, and systems follow the organization's rules and regulations can BEST be described as which of the following?
A. Compliance management
B. Asset management
C. Risk management
D. Security management
The regular review of a firewall ruleset is considered a _______________________.
A. Procedural control
B. Organization control
C. Management control
D. Technical control
Which of the following reports should you as an IT auditor use to check on compliance with a Service Level Agreement (SLA) requirement for uptime?
A. Systems logs
B. Hardware error reports
C. Availability reports
D. Utilization reports
Which International Organization for Standardization (ISO) standard below BEST describes the performance of risk management and includes a five-stage risk management methodology?
A. ISO 27005
B. ISO 27004
C. ISO 27002
D. ISO 27001
When deploying an Intrusion Prevention System (IPS), the BEST way to get maximum protection from the system is to deploy it ___________.
A. In-line and turn on alert mode to stop malicious traffic
B. In promiscuous mode and block malicious traffic
C. In promiscuous mode and only detect malicious traffic
D. In-line and turn on blocking mode to stop malicious traffic in-line
Which of the following most commonly falls within the scope of an information security governance steering committee?
A. Vetting information security policies
B. Approving access to critical financial systems
C. Interviewing candidates for information security specialist positions
D. Developing content for security awareness programs
What is the main purpose of the Incident Response Team?
A. Communicate details of information security incidents
B. Create effective policies detailing program activities
C. Ensure efficient recovery and reinstate repaired systems
D. Provide effective employee awareness programs
The Information Security Governance program MUST:
A. integrate with other organizational governance processes
B. show a return on investment for the organization
C. integrate with other organizational governance processes
D. support user choice for Bring Your Own Device (BYOD)
What is the THIRD stage of the Tuckman Stages of Group Development?
A. Norming
B. Forming
C. Storming
D. Performing
Which of the following is a common technology for visual monitoring?
A. Closed circuit television
B. Open circuit television
C. Blocked video
D. Local video
From an information security perspective, information that no longer supports the main purpose of the business should be:
A. protected under the information classification policy
B. analyzed under the data ownership policy
C. assessed by a business impact analysis
D. analyzed under the retention policy
When reviewing a Solution as a Service (SaaS) provider's security health and posture, which key document should you review?
A. SaaS provider’s website certifications and representations (certs and reps)
B. SOC-2 Report
C. Metasploit Audit Report
D. Statement from SaaS provider attesting their ability to secure your data
The security team has investigated the theft/loss of several unencrypted laptop computers containing sensitive corporate information. To prevent the loss of any additional corporate data, it is unilaterally decided by the CISO that all existing and future laptop computers will be encrypted. The help desk is then flooded with complaints about the slow performance of the laptops and users are upset. Which of the following best describes what the CISO did wrong?
A. Failed to identify all stakeholders and their needs
B. Deployed the encryption solution in an inadequate manner
C. Used 1024 bit encryption when 256 bit would have sufficed
D. Used hardware encryption instead of software encryption
A CISO decides to analyze the IT infrastructure to ensure security solutions adhere to the concepts of how hardware and software are implemented and managed within the organization. Which of the following principles does this best demonstrate?
A. Effective use of existing technologies
B. Create a comprehensive security awareness program and provide success metrics to business units
C. Proper budget management
D. Leveraging existing implementations
Control Objectives for Information and Related Technology (COBIT) is which of the following?
A. An audit guideline for certifying secure systems and controls
B. An Information Security audit standard
C. A framework for Information Technology management and governance
D. A set of international regulations for Information Technology governance
Which of the following represents the MOST negative impact resulting from an ineffective security governance program?
A. Improper use of information resources
B. Reduction of budget
C. Decreased security awareness
D. Fines for regulatory non-compliance
The PRIMARY objective of security awareness is to:
A. Encourage security-conscious employee behavior
B. Put employees on notice in case follow-up action for noncompliance is necessary
C. Ensure that security policies are read
D. Meet legal and regulatory requirements
Good luck with your 712-50 certification journey!