CISM Practice Questions Free – 50 Exam-Style Questions to Sharpen Your Skills
Are you preparing for the CISM certification exam? Kickstart your success with our CISM Practice Questions Free – a carefully selected set of 50 real exam-style questions to help you test your knowledge and identify areas for improvement.
Practicing with CISM practice questions free gives you a powerful edge by allowing you to:
- Understand the exam structure and question formats
- Discover your strong and weak areas
- Build the confidence you need for test day success
Below, you will find 50 free CISM practice questions designed to match the real exam in both difficulty and topic coverage. They’re ideal for self-assessment or final review.
An organization uses a security standard that has undergone a major revision by the certifying authority. The old version of the standard will no longer be used for organizations wishing to maintain their certifications. Which of the following should be the FIRST course of action?
A. Modify policies to ensure new requirements are covered.
B. Review the new standard for applicability to the business.
C. Evaluate the cost of maintaining the certification.
D. Communicate the new standard to senior leadership.
Which of the following is the BEST way to obtain support for a new organization-wide information security program?
A. Deliver an information security awareness campaign.
B. Publish an information security RACI chart.
C. Benchmark against similar industry organizations.
D. Establish an information security strategy committee.
A PRIMARY benefit of adopting an information security framework is that it provides:
A. standardized security controls.
B. common exploitability indices.
C. credible emerging threat intelligence.
D. security and vulnerability reporting guidelines.
An organization has decided to outsource IT operations. Which of the following should be the PRIMARY focus of the information security manager?
A. Business continuity contingency planning is provided.
B. Security requirements are included in the vendor contract.
C. External security audit results are reviewed.
D. Service level agreements (SLAs) meet operational standards.
Several months after the installation of a new firewall with intrusion prevention features to block malicious activity, a breach was discovered that came in through the firewall shortly after installation. This breach could have been detected earlier by implementing firewall:
A. web surfing controls
B. packet filtering
C. application awareness
D. log monitoring
Which of the following should an information security manager do FIRST when a mandatory security standard hinders the achievement of an identified business objective?
A. Recommend risk acceptance.
B. Perform a cost-benefit analysis.
C. Escalate to senior management.
D. Revisit the business objective.
When building support for an information security program, which of the following elements is MOST important?
A. Business impact analysis (BIA)
B. Identification of existing vulnerabilities
C. Threat analysis
D. Information risk assessment
During the eradication phase of an incident response, it is MOST important to:
A. identify the root cause
B. restore from the most recent backup
C. notify affected users
D. wipe the affected system
What is the PRIMARY objective of performing a vulnerability assessment following a business system update?
A. Improve the change control process.
B. Update the threat landscape.
C. Determine operational losses.
D. Review the effectiveness of controls.
The PRIMARY purpose for continuous monitoring of security controls is to ensure:
A. alignment with compliance requirements.
B. effectiveness of controls.
C. control gaps are minimized.
D. system availability.
Which of the following is the MOST appropriate resource to determine whether or not a particular solution should utilize encryption based on its location and data classification?
A. Guidelines
B. Procedures
C. Standards
D. Policies
Which of the following processes can be used to remediate identified technical vulnerabilities?
A. Updating the business impact analysis (BIA)
B. Performing penetration testing
C. Enforcing baseline configurations
D. Conducting a risk assessment
Which of the following is the PRIMARY objective of developing an information security program that aligns with the information security strategy?
A. To define the resources required to achieve information security goals
B. To define a bottom-up approach for implementing information security policies
C. To define standards to be implemented
D. To define risk mitigation plans for security technologies
What should be the FIRST step when investigating an employee suspected of inappropriately downloading proprietary information?
A. Check for a signed nondisclosure agreement (NDA).
B. Review system access logs.
C. Conduct a forensic examination of the device.
D. Discuss the concern with the employee.
An information security manager has observed multiple exceptions for a number of different security controls. Which of the following should be the information security manager's FIRST course of action?
A. Prioritize the risk and implement treatment options
B. Report the noncompliance to the board of directors
C. Inform respective risk owners of the impact of exceptions
D. Design mitigating controls for the exceptions
If civil litigation is a goal for an organizational response to a security incident, the PRIMARY step should be to:
A. capture evidence using standard server-backup utilities.
B. document the chain of custody.
C. reboot affected machines in a secure area to search for evidence.
D. contact law enforcement.
How does an organization's information security steering committee facilitate the achievement of information security program objectives?
A. Monitoring information security resources
B. Making decisions on security priorities
C. Enforcing regulatory and policy compliance
D. Evaluating information security metrics
Which of the following should be the PRIMARY basis for determining the value of assets?
A. Cost of replacing the assets
B. Total cost of ownership (TCO)
C. Business cost when assets are not available
D. Original cost of the assets minus depreciation
An organization is going through a digital transformation process, which places the IT organization in an unfamiliar risk landscape. The information security manager has been tasked with leading the IT risk management process. Which of the following should be given the HIGHEST priority?
A. Identification of risk
B. Selection of risk treatment options
C. Analysis of control gaps
D. Design of key risk indicators (KRIs)
When an organization experiences a disruptive event, the business continuity plan (BCP) should be triggered PRIMARILY based on:
A. expected duration of outage.
B. the root cause of the event.
C. type of security incident.
D. management direction.
Which of the following is MOST useful to an information security manager when conducting a post-incident review of an attack?
A. Cost of the attack to the organization
B. Location of the attacker
C. Details from intrusion detection system (IDS) logs
D. Method of operation used by the attacker
Which of the following is the BEST way to prevent insider threats?
A. Implement strict security policies and password controls.
B. Conduct organization-wide security awareness training.
C. Enforce segregation of duties and least privilege access.
D. Implement logging for all access activities.
Following a successful attack, an information security manager should be confident the malware has not continued to spread at the completion of which incident response phase?
A. Recovery
B. Eradication
C. Identification
D. Containment
Which of the following should an information security manager do FIRST when creating an organization's disaster recovery plan (DRP)?
A. Develop response and recovery strategies.
B. Identify the response and recovery teams.
C. Review the communications plan.
D. Conduct a business impact analysis (BIA).
Which of the following is the BEST control to protect customer personal information that is stored in the cloud?
A. Strong encryption methods
B. Appropriate data anonymization
C. Strong physical access controls
D. Timely deletion of digital records
Which of the following is the BEST option to lower the cost to implement application security controls?
A. Include standard application security requirements.
B. Perform security tests in the development environment.
C. Perform a risk analysis after project completion.
D. Integrate security activities within the development process.
When multiple Internet intrusions on a server are detected, the PRIMARY concern of the information security manager should be to ensure:
A. the incident is reported to senior management.
B. the integrity of evidence is preserved.
C. the server is unplugged from power.
D. forensic investigation software is loaded on the server.
An information security team has discovered that users are sharing a login account to an application with sensitive information, in violation of the access policy. Business management indicates that the practice creates operational efficiencies. What is the information security manager’s BEST course of action?
A. Present the risk to senior management.
B. Modify the policy.
C. Create an exception for the deviation.
D. Enforce the policy.
An employee's bring your own device (BYOD) smartphone has been lost. To reduce the risk associated with the loss of corporate sensitive data stored on the phone, the information security manager's BEST course of action should have been to implement:
A. a requirement of prompt notification in the event of loss.
B. multi-factor authentication for the mobile device.
C. a board-approved and communicated mobile policy and standard.
D. a securely configured device enforced by a mobile device management (MDM) solution.
Which of the following is the FIRST step when conducting a post-incident review?
A. Identify mitigating controls.
B. Assess the costs of the incident.
C. Perform root cause analysis.
D. Assign responsibility for corrective actions.
Which of the following should be the PRIMARY basis for an information security strategy?
A. Audit and regulatory requirements
B. Information security policies
C. The organization’s vision and mission
D. Results of a comprehensive gap analysis
Reevaluation of risk is MOST critical when there is:
A. a management request for updated security reports.
B. resistance to the implementation of mitigating controls.
C. a change in the threat landscape.
D. a change in security policy.
Which of the following is MOST important to the successful implementation of an information security program?
A. Key performance indicators (KPIs) are defined.
B. Adequate security resources are allocated to the program.
C. A balanced scorecard is approved by the steering committee.
D. The program is developed using global security standards.
What should be an information security manager's MOST important consideration when reviewing a proposed upgrade to a business unit's production database?
A. Ensuring the application inventory is updated
B. Ensuring residual risk is within appetite
C. Ensuring a cost-benefit analysis is completed
D. Ensuring senior management is aware of associated risk
Which of the following should an organization do FIRST when confronted with the transfer of personal data across borders?
A. Define policies and standards for data processing.
B. Implement applicable privacy principles.
C. Research cyber insurance policies.
D. Assess local or regional regulation.
Of the following, who would provide the MOST relevant input when aligning the information security strategy with organizational goals?
A. Data privacy officer (DPO)
B. Chief information security officer (CISO)
C. Information security steering committee
D. Enterprise risk committee
A risk assessment exercise has identified the threat of a denial of service (DoS) attack. Executive management has decided to take no further action related to this risk. The MOST likely reason for this decision is:
A. the cost of implementing controls exceeds the potential financial losses.
B. the risk assessment has not defined the likelihood of occurrence.
C. executive management is not aware of the impact potential.
D. the reported vulnerability has not been validated.
An organization plans to utilize Software as a Service (SaaS) and is in the process of selecting a vendor. What should the information security manager do FIRST to support this initiative?
A. Review independent security assessment reports for each vendor.
B. Benchmark each vendor’s services with industry best practices.
C. Define information security requirements and processes.
D. Analyze the risks and propose mitigating controls.
A post-incident review identified that user error resulted in a major breach. Which of the following is MOST important to determine during the review?
A. The underlying reason for the user error
B. The time and location that the breach occurred
C. Appropriate disciplinary procedures for user error
D. Evidence of previous incidents caused by the user
Which of the following is the PRIMARY objective of a cyber resilience strategy?
A. Business continuity
B. Employee awareness
C. Executive support
D. Regulatory compliance
Management would like to understand the risk associated with engaging an Infrastructure-as-a-Service (IaaS) provider compared to hosting internally. Which of the following would provide the BEST method of comparing risk scenarios?
A. Reviewing mitigating and compensating controls for each risk scenario
B. Mapping the risk scenarios by likelihood and impact on a chart
C. Performing a risk assessment on the IaaS provider
D. Mapping risk scenarios according to sensitivity of data
Which of the following BEST indicates that an organization has effectively tested its business continuity and disaster recovery plans within the stated recovery time objectives (RTOs)?
A. Internal compliance requirements are being met
B. Regulatory requirements are being met
C. Risk management objectives are being met
D. Business needs are being met
In a business proposal, a potential vendor promotes being certified for international security standards as a measure of its security capability. Before relying on this certification, it is MOST important that the information security manager confirms that the:
A. certification scope is relevant to the service being offered
B. certification will remain current through the life of the contract
C. current international standard was used to assess security processes
D. certification can be extended to cover the client’s business
Which of the following is the MOST important control to implement when senior managers use smartphones to access sensitive company information?
A. Centralized device administration
B. Remote wipe capability
C. Anti-malware on the devices
D. Strong passwords
After a ransomware incident, an organization's systems were restored. Which of the following should be of MOST concern to the information security manager?
A. The service level agreement (SLA) was not met.
B. The recovery time objective (RTO) was not met.
C. The root cause was not identified.
D. Notification to stakeholders was delayed.
Predetermined containment methods to be used in a cybersecurity incident response should be based PRIMARILY on the:
A. capability of incident handlers.
B. type of confirmed incident.
C. predicted incident duration.
D. number of impacted users.
A CISO learns that a third-party service provider did not notify the organization of a data breach that affected the service provider's data center. Which of the following should the CISO do FIRST?
A. Determine the extent of the impact to the organization.
B. Request an independent review of the provider’s data center.
C. Notify affected customers of the data breach.
D. Recommend canceling the outsourcing contract.
Which of the following should be done FIRST when establishing an information security governance framework?
A. Gain an understanding of the business and cultural attributes.
B. Contract a third party to conduct an independent review of the program.
C. Conduct a cost-benefit analysis of the framework.
D. Evaluate information security tools and skills relevant for the environment.
Which of the following would be an information security manager's PRIMARY challenge when deploying a bring your own device (BYOD) mobile program in an enterprise?
A. Configuration management
B. Mobile application control
C. Inconsistent device security
D. End user acceptance
Which of the following has the MOST influence on the information security investment process?
A. Security key performance indicators (KPIs)
B. Organizational risk appetite
C. IT governance framework
D. Information security policy