CISM Exam Prep Free – 50 Practice Questions to Get You Ready for Exam Day
Getting ready for the CISM certification? Our CISM Exam Prep Free resource includes 50 exam-style questions designed to help you practice effectively and feel confident on test day.
Effective, free CISM exam prep is the key to success. With our free practice questions, you can:
- Get familiar with exam format and question style
- Identify which topics you’ve mastered, and which need more review
- Boost your confidence and reduce exam anxiety
Below, you will find 50 realistic CISM practice questions that cover key exam topics. These questions are designed to reflect the structure and challenge level of the actual exam, making them a useful part of your study routine.
The PRIMARY reason for using metrics as part of an information security program is to help management:
A. determine whether objectives are being met.
B. visualize security trends.
C. develop an information security baseline.
D. track financial impact of the program.
Which of the following is an important criterion for developing effective key risk indicators (KRIs) to monitor information security risk?
A. The indicator should provide a retrospective view of risk impacts and be measured annually
B. The indicator should focus on IT and accurately represent risk variances
C. The indicator should align with key performance indicators (KPIs) and measure root causes of process performance issues
D. The indicator should possess a high correlation with a specific risk and be measured on a regular basis
Which of the following BEST enables the detection of advanced persistent threats (APTs)?
A. Vulnerability scanning
B. Security information and event management system (SIEM)
C. Internet gateway filtering
D. Periodic reviews of intrusion prevention system (IPS)
An organization performed a risk analysis and found a large number of assets with low-impact vulnerabilities. The NEXT action of the information security manager should be to:
A. transfer the risk to a third party.
B. determine appropriate countermeasures.
C. report to management.
D. quantify the aggregated risk.
Which of the following is BEST suited to provide regular reporting to the board regarding the status of compliance to a global security standard?
A. Legal counsel
B. Quality assurance (QA)
C. Information security
D. Internal audit
Which of the following is the BEST indication that an information security control is no longer relevant?
A. The control is not cost efficient.
B. The control does not support a specific business function.
C. IT management does not support the control.
D. The technology related to the control is obsolete.
Which of the following would provide the MOST effective security outcome in an organization's contract management process?
A. Extending security assessment to cover asset disposal on contract termination
B. Ensuring security requirements are defined at the request-for-proposal (RFP) stage
C. Extending security assessment to include random penetration testing
D. Performing vendor security benchmark analyses at the request-for-proposal (RFP) stage
An organization that has outsourced its incident management capabilities just discovered a significant privacy breach by an unknown attacker. Which of the following is the MOST important action of the information security manager?
A. Follow the outsourcer’s response plan
B. Refer to the organization’s response plan
C. Notify the outsourcer of the privacy breach
D. Alert the appropriate law enforcement authorities
Which of the following defines the MOST comprehensive set of security requirements for a newly developed information system?
A. Baseline controls
B. Audit findings
C. Risk assessment results
D. Key risk indicators (KRIs)
An information security manager has been asked to provide contract guidance from a security perspective for outsourcing the organization's payroll processing. Which of the following is MOST important to address?
A. Vendor compliance with the most stringent data security regulations
B. Vendor compliance with the organization’s information security policies
C. Vendor compliance with organizational service level agreement (SLA) requirements
D. Vendor compliance with recognized industry security standards
An information security manager is implementing a bring your own device (BYOD) program. Which of the following would BEST ensure that users adhere to the security standards?
A. Publish the standards on the intranet landing page.
B. Deploy a device management solution.
C. Establish an acceptable use policy.
D. Monitor user activities on the network.
The MAIN reason for having senior management review and approve an information security strategic plan is to ensure:
A. compliance with legal and regulatory requirements.
B. the plan aligns with corporate governance.
C. staff participation in information security efforts.
D. the organization has the required funds to implement the plan.
The effectiveness of an incident response team will be GREATEST when:
A. the incident response process is updated based on lessons learned.
B. the incident response team members are trained security personnel.
C. the incident response team meets on a regular basis to review log files.
D. incidents are identified using a security information and event monitoring (SIEM) system.
Which of the following is the MOST important success factor when developing an information security strategy?
A. The delivery of the strategy is adequately funded.
B. The strategy is aligned with an industry-recognized security control framework.
C. The strategy is based on proven technologies and industry trends.
D. The strategy is approved by the board and executive management.
Which type of incident response test is the MOST efficient way to verify that backup power generators are functioning?
A. Operational full test
B. Simulation failure test
C. Parallel recovery test
D. Full interruption test
The PRIMARY advantage of involving end users in continuity planning is that they:
A. can see the overall impact to the business
B. are more objective than information security management
C. can balance the technical and business risks
D. have a better understanding of specific business needs
Which of the following is MOST relevant for an information security manager to communicate to the board of directors?
A. The level of exposure
B. Vulnerability assessments
C. The level of inherent risk
D. Threat assessments
Which of the following BEST enables an organization to determine what activities and changes have occurred on a system during a cybersecurity incident?
A. Penetration testing
B. Root cause analysis
C. Continuous log monitoring
D. Computer forensics
If the inherent risk of a business activity is higher than the acceptable risk level, the information security manager should FIRST:
A. transfer risk to a third party to avoid cost of impact.
B. recommend that management avoid the business activity.
C. assess the gap between current and acceptable level of risk.
D. implement controls to mitigate the risk to an acceptable level.
Which of the following is MOST important for an information security manager to communicate to stakeholders when approving exceptions to the information security policy?
A. Impact on the risk profile
B. Need for compensating controls
C. Time period for review
D. Requirements for senior management reporting
Which of the following is MOST important for effective cybersecurity incident management?
A. Early detection and response
B. Regular tabletop exercises
C. Root cause analysis
D. Investigation and forensics
How does an organization's information security steering committee facilitate the achievement of information security program objectives?
A. Monitoring information security resources
B. Making decisions on security priorities
C. Enforcing regulatory and policy compliance
D. Evaluating information security metrics
Which of the following is MOST important for the information security manager to confirm when reviewing an incident response plan?
A. The plan includes a requirement for post-incident review
B. The plan is based on a business impact analysis (BIA)
C. The plan is stored at backup recovery locations
D. The plan is readily available to provide to auditors
Which of the following should be the KEY consideration when creating an information security communication plan with industry peers?
A. Reducing the costs associated with information sharing by automating the process
B. Balancing the benefits of information sharing with the drawbacks of sharing sensitive information
C. Notifying the legal department whenever incident-related information is shared
D. Ensuring information is detailed enough to be of use to other organizations
An information security manager learns through a threat intelligence service that the organization may be targeted for a major emerging threat. Which of the following is the information security manager's FIRST course of action?
A. Conduct an information security audit
B. Perform a gap analysis
C. Validate the relevance of the information
D. Inform senior management
An information security manager has identified the organization is not in compliance with new legislation that will soon be in effect. Which of the following is MOST important to consider when determining additional controls to be implemented?
A. The information security strategy
B. The organization’s risk appetite
C. The cost of noncompliance
D. The information security policy
The security baselines of an organization should be based on:
A. procedures.
B. standards.
C. policies.
D. guidelines.
Which of the following is the MOST important objective of testing a security incident response plan?
A. Ensure the thoroughness of the response plan.
B. Verify the response assumptions are valid.
C. Confirm that systems are recovered in the proper order.
D. Validate the business impact analysis (BIA).
Which of the following BEST mitigates the risk of information loss caused by a cloud service provider becoming insolvent?
A. Contractual provisions for the right to audit
B. Effective data loss prevention (DLP) controls
C. Contractual provisions for data repatriation
D. The purchasing of cybersecurity insurance
Which of the following provides the MOST essential input for the development of an information security strategy?
A. Results of an information security gap analysis
B. Measurement of security performance against IT goals
C. Results of a technology risk assessment
D. Availability of capable information security resources
Which of the following BEST indicates that an organization has effectively tested its business continuity and disaster recovery plans within the stated recovery time objectives (RTOs)?
A. Internal compliance requirements are being met
B. Regulatory requirements are being met
C. Risk management objectives are being met
D. Business needs are being met
A legacy application does not comply with new regulatory requirements to encrypt sensitive data at rest, and remediating this issue would require significant investment. What should the information security manager do FIRST?
A. Assess the business impact to the organization.
B. Present the noncompliance risk to senior management.
C. Investigate alternative options to remediate the noncompliance.
D. Determine the cost to remediate the noncompliance.
During which stage of the software development life cycle (SDLC) should application security controls FIRST be addressed?
A. Software code development
B. Configuration management
C. Requirements gathering
D. Application system design
Which of the following is the MOST important reason to conduct interviews as part of the business impact analysis (BIA) process?
A. To facilitate a qualitative risk assessment following the BIA
B. To obtain input from as many relevant stakeholders as possible
C. To ensure the stakeholders providing input own the related risk
D. To increase awareness of information security among key stakeholders
An online bank identifies a successful network attack in progress. The bank should FIRST:
A. report the root cause to the board of directors.
B. isolate the affected network segment.
C. shut down the entire network.
D. assess whether personally identifiable information (PII) is compromised.
Which of the following should an information security manager do NEXT after creating a roadmap to execute the strategy for an information security program?
A. Develop a project plan to implement the strategy
B. Obtain consensus on the strategy from the executive board
C. Define organizational risk tolerance
D. Review alignment with business goals
Which of the following should an information security manager do FIRST when a mandatory security standard hinders the achievement of an identified business objective?
A. Recommend risk acceptance.
B. Perform a cost-benefit analysis.
C. Escalate to senior management.
D. Revisit the business objective.
Which of the following is the BEST reason for senior management to support a business case for developing a monitoring system for a critical application?
A. The system can be replicated for additional use cases.
B. An industry peer experienced a recent breach with a similar application.
C. The cost of implementing the system is less than the impact of downtime.
D. The solution is within the organization’s risk tolerance.
Which of the following is the MOST effective way to detect security incidents?
A. Analyze penetration test results
B. Analyze security anomalies
C. Analyze recent security risk assessments
D. Analyze vulnerability assessments
Which of the following is the MOST important outcome of effective risk treatment?
A. Implementation of corrective actions
B. Elimination of risk
C. Timely reporting of incidents
D. Reduced cost of acquiring controls
A penetration test of a new system has identified a number of critical vulnerabilities, jeopardizing the go-live date. The information security manager is asked by the system owner to approve an exception to allow the system to be implemented without fixing the vulnerabilities. Which of the following is the MOST appropriate course of action?
A. Implement a log monitoring process.
B. Perform a risk assessment.
C. Develop a set of compensating controls.
D. Approve and document the exception.
An information security manager was informed that a planned penetration test could potentially disrupt some services. Which of the following should be the FIRST course of action?
A. Estimate the impact and inform the business owner.
B. Accept the risk and document it in the risk register.
C. Ensure the service owner is available during the penetration test.
D. Reschedule the activity during an approved maintenance window.
An organization's outsourced firewall was poorly configured and allowed unauthorized access that resulted in downtime of 48 hours. Which of the following should be the information security manager's NEXT course of action?
A. Reconfigure the firewall in accordance with best practices.
B. Obtain supporting evidence that the problem has been corrected.
C. Seek damages from the service provider.
D. Revisit the contract and improve accountability of the service provider.
An organization's senior management is encouraging employees to use social media for promotional purposes. Which of the following should be the information security manager's FIRST step to support this strategy?
A. Incorporate social media into the security awareness program.
B. Develop a guideline on the acceptable use of social media.
C. Employ the use of a web content filtering solution.
D. Develop a business case for a data loss prevention (DLP) solution.
Labeling information according to its security classification:
A. reduces the need to identify baseline controls for each classification.
B. reduces the number and type of countermeasures required.
C. enhances the likelihood of people handling information securely.
D. affects the consequences if information is handled insecurely.
Which of the following is MOST important to determine following the discovery and eradication of a malware attack?
A. The creator of the malware
B. The malware entry path
C. The type of malware involved
D. The method of detecting the malware
The MOST important attribute of a security control is that it is:
A. auditable
B. measurable
C. scalable
D. reliable
Which of the following BEST helps to ensure the effective execution of an organization's disaster recovery plan (DRP)?
A. The plan is based on industry best practices.
B. The plan is reviewed by senior and IT operational management.
C. Procedures are available at the primary and failover location.
D. Process steps are documented by the disaster recovery team.
An organization implemented a number of technical and administrative controls to mitigate risk associated with ransomware. Which of the following is MOST important to present to senior management when reporting on the performance of this initiative?
A. The number and severity of ransomware incidents
B. The total cost of the investment
C. Benchmarks of industry peers impacted by ransomware
D. The cost and associated risk reduction
To help ensure that an information security training program is MOST effective, its contents should be:
A. aligned to business processes.
B. based on employees’ roles.
C. based on recent incidents.
D. focused on information security policy.
Access Full CISM Exam Prep Free
Want to go beyond these 50 questions? Click here to unlock a full set of CISM exam prep free questions covering every domain tested on the exam.
We continuously update our content to ensure you have the most current and effective prep materials.
Good luck with your CISM certification journey!