
CISM Practice Exam Free


CISM Practice Exam Free – 50 Questions to Simulate the Real Exam

Are you getting ready for the CISM certification? Take your preparation to the next level with our CISM Practice Exam Free – a carefully designed set of 50 realistic exam-style questions to help you evaluate your knowledge and boost your confidence.

Using a free CISM practice exam is one of the best ways to:

  • Experience the format and difficulty of the real exam
  • Identify your strengths and focus on weak areas
  • Improve your test-taking speed and accuracy

Below, you will find 50 realistic CISM practice exam questions covering key exam topics. Each question reflects the structure and difficulty of the actual exam.

Question 1

An incident management team leader sends out a notification that the organization has successfully recovered from a cyberattack. Which of the following should be done NEXT?

A. Secure and preserve digital evidence for analysis.

B. Gather feedback on business impact.

C. Conduct a meeting to capture lessons learned.

D. Prepare an executive summary for senior management.

Suggested Answer: A

Question 2

Who is accountable for approving an information security governance framework?

A. The board of directors

B. The chief information security officer (CISO)

C. The enterprise risk committee

D. The chief information officer (CIO)

Suggested Answer: A

Question 3

Which of the following is necessary to ensure consistent protection for an organization’s information assets?

A. Control assessment

B. Data ownership

C. Regulatory requirements

D. Classification model

Suggested Answer: D

Question 4

Implementing the principle of least privilege PRIMARILY requires the identification of:

A. job duties.

B. primary risk factors.

C. authentication controls.

D. data owners.

Suggested Answer: A

Question 5

From an information security perspective, legal issues associated with a transborder flow of technology-related items are MOST often related to:

A. website transactions and taxation.

B. encryption tools and personal data.

C. lack of competition and free trade.

D. software patches and corporate data.

Suggested Answer: B

Question 6

Which of the following is the BEST method to align an information security strategic plan to the corporate strategy?

A. Ensuring the plan complies with business unit expectations

B. Involving industry experts in the development of the plan

C. Involving senior management in the development of the plan

D. Obtaining adequate funds from senior management

Suggested Answer: C

Question 7

Of the following, who is MOST appropriate to own the risk associated with the failure of a privileged access control?

A. Data owner

B. Information security manager

C. Business owner

D. Compliance manager

Suggested Answer: C

Question 8

During which stage of the software development life cycle (SDLC) should application security controls FIRST be addressed?

A. Software code development

B. Configuration management

C. Requirements gathering

D. Application system design

Suggested Answer: C

Question 9

Which of the following is an essential practice for workstations used to conduct a forensic investigation?

A. A documented chain of custody log is kept for the workstations

B. The workstations are only accessed by members of the forensics team

C. Only forensics-related software is installed on the workstations

D. The workstations are backed up and hardened on a regular basis

Suggested Answer: A

Question 10

Which of the following is BEST suited to provide regular reporting to the board regarding the status of compliance to a global security standard?

A. Legal counsel

B. Quality assurance (QA)

C. Information security

D. Internal audit

Suggested Answer: D

Question 11

The BEST way to ensure that frequently encountered incidents are reflected in the user security awareness training program is to include:

A. responses to security questionnaires.

B. previous training sessions.

C. examples of help desk requests.

D. results of exit interviews.

Suggested Answer: C

Question 12

The PRIMARY purpose for deploying information security metrics is to:

A. ensure that technical operations meet specifications.

B. compare program effectiveness to benchmarks.

C. support ongoing security budget requirements.

D. provide information needed to make decisions.

Suggested Answer: A

Question 13

The MOST effective way to present information security risk to senior management is to highlight:

A. business impact.

B. countermeasures.

C. threat intelligence.

D. risk mitigation over time.

Suggested Answer: A

Question 14

An information security manager has received confirmation that the organization's e-commerce website was breached, exposing customer information. What should be done FIRST?

A. Inform affected customers

B. Perform a vulnerability assessment

C. Execute the incident response plan

D. Take the affected systems offline

Suggested Answer: C

Question 15

An information security manager is MOST likely to obtain approval for a new security project when the business case provides evidence of:

A. threats to the organization.

B. organizational alignment.

C. existing control costs.

D. IT strategy alignment.

Suggested Answer: A

Question 16

An information security manager believes that information has been classified inappropriately, increasing the risk of a breach. Which of the following is the information security manager's BEST action?

A. Re-classify the data and increase the security level to meet business risk

B. Complete a risk assessment and refer the results to the data owners

C. Instruct the relevant system owners to reclassify the data

D. Refer the issue to internal audit for a recommendation

Suggested Answer: B

Question 17

Communicating which of the following would be MOST helpful to gain senior management support for risk treatment options?

A. Threat analysis

B. Root cause analysis

C. Quantitative loss

D. Industry benchmarks

Suggested Answer: C

Question 18

Which of the following information security activities is MOST helpful to support compliance with information security policy?

A. Conducting information security awareness programs

B. Creating monthly trend metrics

C. Performing periodic IT reviews on new system acquisitions

D. Obtaining management commitment

Suggested Answer: A

Question 19

Which of the following is the MOST important reason to integrate nonrepudiation into the design of user authentication?

A. To ensure there are no conflicts when changing database records

B. To ensure users cannot escalate their own access privileges

C. To ensure users cannot alter log records within the system

D. To ensure actions can be traced to specific users

Suggested Answer: D

Question 20

An organization provides notebook PCs, cable wire locks, smartphone access, and virtual private network (VPN) access to its remote employees. Which of the following is MOST important for the information security manager to ensure?

A. Employees are trained on the acceptable use policy.

B. Employees use smartphone tethering when accessing from remote locations.

C. Employees use the VPN when accessing the organization’s online resources.

D. Employees physically lock PCs when leaving the immediate area.

Suggested Answer: C

Question 21

Which of the following is the MOST relevant control to address the integrity of information?

A. Implementation of a redundant server system

B. Encryption of email

C. Implementation of an Internet security application

D. Assignment of appropriate access permissions

Suggested Answer: D

Question 22

When creating an incident response plan, the triggers for the business continuity plan (BCP) MUST be based on:

A. a threat assessment.

B. recovery time objectives (RTOs).

C. a business impact analysis (BIA).

D. a risk assessment.

Suggested Answer: C

Question 23

An information security manager is concerned with continued security policy violations in a particular business unit despite recent efforts to rectify the situation. What is the BEST course of action?

A. Review the business unit’s function against the policy

B. Revise the policy to accommodate the business unit

C. Report the business unit for policy noncompliance

D. Enforce sanctions on the business unit

Suggested Answer: A

Question 24

An information security program is BEST positioned for success when it is closely aligned with:

A. information security best practices.

B. recognized industry frameworks.

C. information security policies.

D. the information security strategy.

Suggested Answer: D

Question 25

An incident response team has established that an application has been breached. Which of the following should be done NEXT?

A. Maintain the affected systems in a forensically acceptable state.

B. Inform senior management of the breach.

C. Isolate the impacted systems from the rest of the network.

D. Conduct a risk assessment on the affected application.

Suggested Answer: C

Question 26

Which of the following BEST enables effective information security governance?

A. Security-aware corporate culture

B. Advanced security technologies

C. Periodic vulnerability assessments

D. Established information security metrics

Suggested Answer: A

Question 27

An investigation of a recent security incident determined that the root cause was negligent handling of incident alerts by system administrators. What is the BEST way for the information security manager to address this issue?

A. Provide incident response training to data owners.

B. Provide incident response training to data custodians.

C. Conduct a risk assessment and share the results with senior management.

D. Revise the incident response plan to align with business processes.

Suggested Answer: B

Question 28

Due to changes in an organization’s environment, security controls may no longer be adequate. What is the information security manager’s BEST course of action?

A. Perform a new risk assessment.

B. Review the previous risk assessment and countermeasures.

C. Transfer the new risk to a third party.

D. Evaluate countermeasures to mitigate new risks.

Suggested Answer: A

Question 29

Which of the following is the PRIMARY responsibility of an information security governance committee?

A. Reviewing the information security risk register

B. Approving changes to the information security strategy

C. Discussing upcoming information security projects

D. Reviewing monthly information security metrics

Suggested Answer: B

Question 30

An incident response team has been assembled from a group of experienced individuals. Which type of exercise would be MOST beneficial for the team at the first drill?

A. Tabletop exercise

B. Red team exercise

C. Disaster recovery exercise

D. Black box penetration test

Suggested Answer: A

Question 31

A situation where an organization has unpatched IT systems in violation of the patching policy should be treated as:

A. an increased threat profile.

B. a vulnerability management failure.

C. an increased risk profile.

D. a security control failure.

Suggested Answer: C

Question 32

An information security manager has recently been notified of potential security risks associated with a third-party service provider. What should be done NEXT to address this concern?

A. Escalate to the chief risk officer (CRO).

B. Conduct a vulnerability analysis.

C. Conduct a risk analysis.

D. Determine compensating controls.

Suggested Answer: C

Question 33

Which of the following is the BEST way to reduce the risk associated with a bring your own device (BYOD) program?

A. Implement a mobile device policy and standard.

B. Provide employee training on secure mobile device practices.

C. Implement a mobile device management (MDM) solution.

D. Require employees to install an effective anti-malware app.

Suggested Answer: C

Question 34

Which of the following provides the BEST guidance when establishing a security program?

A. Risk assessment methodology

B. Security audit report

C. Information security budget

D. Information security framework

Suggested Answer: B

Question 35

Which of the following MOST effectively allows for disaster recovery testing without interrupting business operations?

A. Structured walk-through

B. Simulation testing

C. Parallel testing

D. Full interruption testing

Suggested Answer: C

Question 36

Which of the following is the MOST appropriate resource to determine whether or not a particular solution should utilize encryption based on its location and data classification?

A. Guidelines

B. Procedures

C. Standards

D. Policies

Suggested Answer: C

Question 37

An organization has implemented a new security control in response to a recently discovered vulnerability. Several employees have voiced concerns that the control disrupts their ability to work. Which of the following is the information security manager's BEST course of action?

A. Evaluate compensating control options.

B. Educate users about the vulnerability.

C. Accept the vulnerability.

D. Report the control risk to senior management.

Suggested Answer: A

Question 38

An organization is conducting a post-incident review to determine the root cause of an information security incident. Which of the following situations would be MOST harmful to this investigation?

A. Unencrypted logs of the affected systems were saved on magnetic tapes.

B. Antivirus signature update processes failed on the affected systems.

C. Systems logs were cleared by the administrator to free up space on the affected systems.

D. The incident response plan has not been updated during the past year.

Suggested Answer: C

Question 39

Which of the following should be the FIRST step in patch management procedures when receiving an emergency security patch?

A. Validate the authenticity of the patch.

B. Conduct comprehensive testing of the patch.

C. Schedule patching based on the criticality.

D. Install the patch immediately to eliminate the vulnerability.

Suggested Answer: A

Question 40

Which of the following BEST helps to ensure a risk response plan will be developed and executed in a timely manner?

A. Establishing risk metrics

B. Training on risk management procedures

C. Reporting on documented deficiencies

D. Assigning a risk owner

Suggested Answer: D

Question 41

Which of the following is the FIRST step to establishing an effective information security program?

A. Assign accountability

B. Perform a business impact analysis (BIA)

C. Create a business case

D. Conduct a compliance review

Suggested Answer: C

Question 42

Which of the following should be the PRIMARY driver for selecting and implementing appropriate controls to address the risk associated with weak user passwords?

A. The organization’s risk tolerance

B. The organization’s culture

C. The cost of risk mitigation controls

D. Direction from senior management

Suggested Answer: B

Question 43

Which of the following BEST demonstrates return on investment (ROI) for an information security initiative?

A. Risk heat map

B. Business impact analysis (BIA)

C. Business case

D. Information security program roadmap

Suggested Answer: C

Question 44

Which of the following is MOST important to include in monthly information security reports to the board?

A. Root cause analysis of security incidents

B. Threat intelligence

C. Risk assessment results

D. Trend analysis of security metrics

Suggested Answer: C

Question 45

An organization's senior management is encouraging employees to use social media for promotional purposes. Which of the following should be the information security manager's FIRST step to support this strategy?

A. Incorporate social media into the security awareness program.

B. Develop a guideline on the acceptable use of social media.

C. Employ the use of a web content filtering solution.

D. Develop a business case for a data loss prevention (DLP) solution.

Suggested Answer: A

Question 46

A critical vulnerability is found on a server hosting multiple applications owned by different business units. One of the business units finds its hosted application will not function with the patch applied and chooses to accept the risk. Which of the following should be the information security manager's NEXT course of action?

A. Update the risk register

B. Develop a business case for compensating controls

C. Update the information security policy

D. Consult the incident management process

Suggested Answer: B

Question 47

The MAIN reason for continuous monitoring of the security program is to:

A. validate reduction of incidents.

B. confirm benefits are being realized.

C. ensure alignment with industry standards.

D. optimize resource allocation.

Suggested Answer: B

Question 48

Which of the following BEST facilitates the development of a comprehensive information security policy?

A. Alignment with an established information security framework

B. Security key performance indicators (KPIs)

C. A review of recent information security incidents

D. An established internal audit program

Suggested Answer: A

Question 49

What is the MOST important reason to regularly report information security risk to relevant stakeholders?

A. To enable risk-informed decision making

B. To reduce the impact of information security risk

C. To ensure information security controls are effective

D. To achieve compliance with regulatory requirements

Suggested Answer: C

Question 50

Which of the following should be the FIRST step to gain approval for outsourcing to address a security gap?

A. Perform a cost-benefit analysis.

B. Collect additional metrics.

C. Begin due diligence on the outsourcing company.

D. Submit funding request to senior management.

Suggested Answer: A

Free Access Full CISM Practice Exam Free

Looking for additional practice? Click here to access a full set of free CISM practice exam questions and continue building your skills across all exam domains.

Our question sets are updated regularly to ensure they stay aligned with the latest exam objectives—so be sure to visit often!

Good luck with your CISM certification journey!
