Boost Your Performance in the ISACA CISM Exam with Realistic Mock Tests

Unlock the power of SPOTO's ISACA CISM exam questions to propel your Certified Information Security Manager (CISM) certification journey forward. Dive into comprehensive exam questions and answers designed to enhance your understanding of risk assessment, governance implementation, and incident response strategies. With SPOTO's test questions and exam preparation materials, you'll gain a competitive edge in tackling data breaches, ransomware attacks, and other evolving security threats. Access valuable study materials and exam resources curated to help you pass successfully. Engage in realistic mock exams to simulate the exam environment and boost your confidence. Prepare with SPOTO and become a Certified Information Security Manager equipped to navigate today's cybersecurity challenges with expertise and confidence.
Question #1
The MOST likely reason to use qualitative security risk assessments instead of quantitative methods is when:
A. an organization provides services instead of hard goods
B. a security program requires independent expression of risks
C. available data is too subjective
D. a mature security program is in place
View answer
Correct Answer: A
Question #2
Which of the following BEST provides message integrity, sender identity authentication and nonrepudiation?
A. Symmetric cryptography
B. Public key infrastructure (PKI)
C. Message hashing
D. Message authentication code
View answer
Correct Answer: B
Question #3
Information security policies should PRIMARILY reflect:
A. compliance requirements
B. industry best practices
C. data security standards
D. senior management intent
View answer
Correct Answer: D
Question #4
Failure to include information security requirements within the build/buy decision would MOST likely result in the need for:
A. compensating controls in the operational environment
B. commercial product compliance with corporate standards
C. more stringent source programming standards
D. security scanning of operational platforms
View answer
Correct Answer: A
Question #5
The advantage of Virtual Private Network (VPN) tunneling for remote users is that it:
A. helps ensure that communications are secure
B. increases security between multi-tier systems
C. allows passwords to be changed less frequently
D. eliminates the need for secondary authentication
View answer
Correct Answer: A
Question #6
Which of the following is the MOST important factor when designing information security architecture?
A. Technical platform interfaces
B. Scalability of the network
C. Development methodologies
D. Stakeholder requirements
View answer
Correct Answer: D
Question #7
Which of the following is the PRIMARY reason social media has become a popular target for attack?
A. The prevalence of strong perimeter
B. The reduced effectiveness of access controls
C. The element of trust created by social media
D. The accessibility of social media from multiple locations
View answer
Correct Answer: D
Question #8
Which of the following is the BEST course of action for the information security manager when residual risk is above the acceptable level of risk?
A. Perform a cost-benefit analysis
B. Recommend additional controls
C. Carry out a risk assessment
D. Defer to business management
View answer
Correct Answer: B
Question #9
Which of the following BEST indicates a successful risk management practice?
A. Overall risk is quantified
B. Inherent risk is eliminated
C. Residual risk is minimized
D. Control risk is tied to business units
View answer
Correct Answer: C
Question #10
Which of the following is MOST likely to be included in an enterprise information security policy?
A. Security monitoring strategy
B. Audit trail review requirements
C. Password composition requirements
D. Consequences of noncompliance
View answer
Correct Answer: D
Question #11
Vulnerability scanning has detected a critical risk in a vital business application. Which of the following should the information security manager do FIRST?
A. Report the business risk to senior management
B. Confirm the risk with the business owner
C. Update the risk register
D. Create an emergency change request
View answer
Correct Answer: B
Question #12
An intrusion detection system should be placed:
A. outside the firewall
B. on the firewall server
C. on a screened subnet
D. on the external router
View answer
Correct Answer: C
Question #13
An organization has announced new initiatives to establish a big data platform and develop mobile apps. What is the FIRST step when defining new human resource requirements?
A. Request additional funding for recruiting and training
B. Analyze the skills necessary to support the new initiatives
C. Benchmark to an industry peer
D. Determine the security technology requirements for the initiatives
View answer
Correct Answer: B
Question #14
The chief information security officer (CISO) should ideally have a direct reporting relationship to the:
A. head of internal audit
B. chief operations officer (COO)
C. chief technology officer (CTO)
D. legal counsel
View answer
Correct Answer: B
Question #15
Management has expressed concern that they are not kept fully informed of key information security risks associated with the organization. Which of the following should be done FIRST to address this concern?
A. Prepare a presentation on information security initiatives for management
B. Provide a report on information security industry trends and benchmarks
C. Determine the desired metrics and develop a reporting schedule
D. Develop an ongoing risk and security awareness training program for management
View answer
Correct Answer: C
Question #16
Which of the following is MOST helpful for aligning security operations with the IT governance framework?
A. Information security policy
B. Security risk assessment
C. Security operations program
D. Business impact analysis (BIA)
View answer
Correct Answer: A
Question #17
An organization's board of directors has learned of recent legislation requiring organizations within the industry to enact specific safeguards to protect confidential customer information. What actions should the board take next?
A. Direct information security on what they need to do
B. Research solutions to determine the proper solutions
C. Require management to report on compliance
D. Nothing; information security does not report to the board
View answer
Correct Answer: C
Question #18
An information security manager mapping a job description to types of data access is MOST likely to adhere to which of the following information security principles?
A. Ethics
B. Proportionality
C. Integration
D. Accountability
View answer
Correct Answer: B
Question #19
Which of the following is the MOST important guideline when using software to scan for security exposures within a corporate network?
A. Never use open source tools
B. Focus only on production servers
C. Follow a linear process for attacks
D. Do not interrupt production processes
View answer
Correct Answer: D
Question #20
When a proposed system change violates an existing security standard, the conflict would be BEST resolved by:
A. calculating the residual risk
B. enforcing the security standard
C. redesigning the system change
D. implementing mitigating controls
View answer
Correct Answer: D
Question #21
Information security policies should:
A. address corporate network vulnerabilities
B. address the process for communicating a violation
C. be straightforward and easy to understand
D. be customized to specific groups and roles
View answer
Correct Answer: C
Question #22
There is a time lag between the time when a security vulnerability is first published, and the time when a patch is delivered. Which of the following should be carried out FIRST to mitigate the risk during this time period?
A. Identify the vulnerable systems and apply compensating controls
B. Minimize the use of vulnerable systems
C. Communicate the vulnerability to system users
D. Update the signatures database of the intrusion detection system (IDS)
View answer
Correct Answer: A
Question #23
A global organization has developed a strategy to share a customer information database between offices in two countries. In this situation, it is MOST important to ensure:
A. data sharing complies with local laws and regulations at both locations
B. data is encrypted in transit and at rest
C. a nondisclosure agreement is signed
D. risk coverage is split between the two locations sharing data
View answer
Correct Answer: A
Question #24
The BEST strategy for risk management is to:
A. achieve a balance between risk and organizational goals
B. reduce risk to an acceptable level
C. ensure that policy development properly considers organizational risks
D. ensure that all unmitigated risks are accepted by management
View answer
Correct Answer: B
Question #25
Which of the following would be the information security manager’s BEST course of action to gain approval for investment in a technical control?
A. Perform a cost-benefit analysis
B. Conduct a risk assessment
C. Calculate the exposure factor
D. Conduct a business impact analysis (BIA)
View answer
Correct Answer: D
Question #26
Security policies should be aligned MOST closely with:
A. industry best practices
B. organizational needs
C. generally accepted standards
D. local laws and regulations
View answer
Correct Answer: B
Question #27
From an information security manager's perspective, what is the immediate benefit of clearly defined roles and responsibilities?
A. Enhanced policy compliance
B. Improved procedure flows
C. Segregation of duties
D. Better accountability
View answer
Correct Answer: D
Question #28
The PRIMARY driver to obtain external resources to execute the information security program is that external resources can:
A. contribute cost-effective expertise not available internally
B. be made responsible for meeting the security program requirements
C. replace the dependence on internal resources
D. deliver more effectively on account of their knowledge
View answer
Correct Answer: A
Question #29
A risk has been formally accepted and documented. Which of the following is the MOST important action for an information security manager?
A. Update risk tolerance levels
B. Notify senior management and the board
C. Monitor the environment for changes
D. Re-evaluate the organization’s risk appetite
View answer
Correct Answer: D
Question #30
Which of the following would help to change an organization's security culture?
A. Develop procedures to enforce the information security policy
B. Obtain strong management support
C. Implement strict technical security controls
D. Periodically audit compliance with the information security policy
View answer
Correct Answer: B
Question #31
Retention of business records should PRIMARILY be based on:
A. business strategy and direction
B. regulatory and legal requirements
C. storage capacity and longevity
D. business ease and value analysis
View answer
Correct Answer: B
Question #32
Information security projects should be prioritized on the basis of:
A. time required for implementation
B. impact on the organization
C. total cost for implementation
D. mix of resources required
View answer
Correct Answer: B
Question #33
Which of the following change management activities would be a clear indicator that normal operational procedures require examination? A high percentage of:
A. similar change requests
B. change request postponements
C. canceled change requests
D. emergency change requests
View answer
Correct Answer: D
Question #34
Which of the following BEST promotes stakeholder accountability in the management of information security risks?
A. Targeted security procedures
B. Establishment of information ownership
C. Establishment of security baselines
D. Regular reviews for noncompliance
View answer
Correct Answer: B
Question #35
An information security manager has been asked to create a strategy to protect the organization’s information from a variety of threat vectors. Which of the following should be done FIRST?
A. Perform a threat modeling exercise
B. Develop a risk profile
C. Design risk management processes
D. Select a governance framework
View answer
Correct Answer: B
Question #36
Which of the following should be the PRIMARY consideration when developing a security governance framework for an enterprise?
A. Understanding of the current business strategy
B. Assessment of the current security architecture
C. Results of a business impact analysis (BIA)
D. Benchmarking against industry best practice
View answer
Correct Answer: A
Question #37
Which of the following would be MOST important to include in a business case to help obtain senior management’s commitment for an information security investment?
A. Results of an independent audit
B. Industry best practices
C. Projected business value
D. Reference to business policies
View answer
Correct Answer: C
Question #38
Which of the following is the MOST important information to include in a strategic plan for information security?
A. Information security staffing requirements
B. Current state and desired future state
C. IT capital investment requirements
D. Information security mission statement
View answer
Correct Answer: B
Question #39
Which of the following should be the PRIMARY basis for determining risk appetite?
A. Organizational objectives
B. Senior management input
C. Industry benchmarks
D. Independent audit results
View answer
Correct Answer: A
Question #40
What would be the PRIMARY reason for an organization to conduct a simulated phishing attack on its employees as part of a social engineering assessment?
A. Measure the effectiveness of security awareness training
B. Identify the need for mitigating security controls
C. Measure the effectiveness of the anti-spam solution
D. Test the effectiveness of the incident response plan
View answer
Correct Answer: A
Question #41
The MOST important reason to maintain key risk indicators (KRIs) is that:
A. threats and vulnerabilities continuously evolve
B. they are needed to verify compliance with laws and regulations
C. they help assess the performance of the security program
D. management uses them to make informed business decisions
View answer
Correct Answer: A
Question #42
The PRIMARY goal of a corporate risk management program is to ensure that an organization's:
A. IT assets in key business functions are protected
B. business risks are addressed by preventive controls
C. stated objectives are achievable
D. IT facilities and systems are always available
View answer
Correct Answer: C
Question #43
An information security manager has been tasked with implementing a security awareness training program. Which of the following will have the MOST influence on the effectiveness of this program?
A. Obtaining buy-in from senior management
B. Tailoring the training to the organization’s environment
C. Obtaining buy-in from end users
D. Basing the training program on industry best practices
View answer
Correct Answer: C
Question #44
Because of its importance to the business, an organization wants to quickly implement a technical solution which deviates from the company's policies. An information security manager should:
A. conduct a risk assessment and allow or disallow based on the outcome
B. recommend a risk assessment and implementation only if the residual risks are accepted
C. recommend against implementation because it violates the company's policies
D. recommend revision of current policy
View answer
Correct Answer: B
Question #45
In a multinational organization, local security regulations should be implemented over global security policy because:
A. business objectives are defined by local business unit managers
B. deploying awareness of local regulations is more practical than of global policy
C. global security policies include unnecessary controls for local businesses
D. requirements of local regulations take precedence
View answer
Correct Answer: D
Question #46
Which of the following is the BEST reason to develop comprehensive information security policies?
A. To comply with external industry and government regulations
B. To support development of effective risk indicators
C. To align the information security program to organizational strategy
D. To gain senior management support for the information security program
View answer
Correct Answer: C
Question #47
Which of the following environments represents the GREATEST risk to organizational security?
A. Locally managed file server
B. Enterprise data warehouse
C. Load-balanced, web server cluster
D. Centrally managed data switch
View answer
Correct Answer: A
Question #48
Senior management has expressed concern that the organization’s intrusion prevention system may repeatedly disrupt business operations. Which of the following BEST indicates that the information security manager has tuned the system to address this concern?
A. Decreasing false positives
B. Decreasing false negatives
C. Increasing false positives
D. Increasing false negatives
View answer
Correct Answer: A
Question #49
The decision as to whether a risk has been reduced to an acceptable level should be determined by:
A. organizational requirements
B. information systems requirements
C. information security requirements
D. international standards
View answer
Correct Answer: A
Question #50
The MAIN reason for deploying a public key infrastructure (PKI) when implementing an information security program is to:
A. ensure the confidentiality of sensitive material
B. provide a high assurance of identity
C. allow deployment of the active directory
D. implement secure sockets layer (SSL) encryption
View answer
Correct Answer: B
Question #51
The PRIMARY goal in developing an information security strategy is to:
A. establish security metrics and performance monitoring
B. educate business process owners regarding their duties
C. ensure that legal and regulatory requirements are met
D. support the business objectives of the organization
View answer
Correct Answer: D
Question #52
Of the following, whose input is of GREATEST importance in the development of an information security strategy?
A. End users
B. Corporate auditors
C. Process owners
D. Security architects
View answer
Correct Answer: D
Question #53
Meeting which of the following security objectives BEST ensures that information is protected against unauthorized modification?
A. Authenticity
B. Availability
C. Confidentiality
D. Integrity
View answer
Correct Answer: D
Question #54
Which of the following is MOST important in developing a security strategy?
A. Creating a positive business security environment
B. Understanding key business objectives
C. Having a reporting line to senior management
D. Allocating sufficient resources to information security
View answer
Correct Answer: B
Question #55
When scoping a risk assessment, assets need to be classified by:
A. likelihood and impact
B. sensitivity and criticality
C. threats and opportunities
D. redundancy and recoverability
View answer
Correct Answer: B
Question #56
Which of the following vulnerabilities presents the GREATEST risk of external hackers gaining access to the corporate network?
A. Internal hosts running unnecessary services
B. Inadequate logging
C. Excessive administrative rights to an internal database
D. Missing patches on a workstation
View answer
Correct Answer: C
Question #57
An organization without any formal information security program that has decided to implement information security best practices should FIRST:
A. invite an external consultant to create the security strategy
B. allocate budget based on best practices
C. benchmark similar organizations
D. define high-level business security requirements
View answer
Correct Answer: D
Question #58
Which of the following is the MOST important factor to ensure information security is meeting the organization’s objectives?
A. Internal audit’s involvement in the security process
B. Implementation of a control self-assessment process
C. Establishment of acceptable risk thresholds
D. Implementation of a security awareness program
View answer
Correct Answer: C
Question #59
A test plan to validate the security controls of a new system should be developed during which phase of the project?
A. Testing
B. Initiation
C. Design
D. Development
View answer
Correct Answer: C
Question #60
Which of the following should be the MOST important consideration when reporting sensitive risk-related information to stakeholders?
A. Ensuring nonrepudiation of communication
B. Consulting with the public relations director
C. Transmitting the internal communication securely
D. Customizing the communication to the audience
View answer
Correct Answer: C
Question #61
Which of the following is the GREATEST benefit of integrating information security program requirements into vendor management?
A. The ability to reduce risk in the supply chain
B. The ability to meet industry compliance requirements
C. The ability to define service level agreements (SLAs)
D. The ability to improve vendor performance
View answer
Correct Answer: A
Question #62
What does a network vulnerability assessment intend to identify?
A. 0-day vulnerabilities
B. Malicious software and spyware
C. Security design flaws
D. Misconfiguration and missing updates
View answer
Correct Answer: D
Question #63
For virtual private network (VPN) access to the corporate network, the information security manager is requiring strong authentication. Which of the following is the strongest method to ensure that logging onto the network is secure?
A. Biometrics
B. Symmetric encryption keys
C. Secure Sockets Layer (SSL)-based authentication
D. Two-factor authentication
View answer
Correct Answer: D
Question #64
Which of the following techniques would be the BEST test of security effectiveness?
A. Performing an external penetration test
B. Reviewing security policies and standards
C. Reviewing security logs
D. Analyzing technical security practices
View answer
Correct Answer: B
Question #65
On which of the following should a firewall be placed?
A. Web server
B. Intrusion detection system (IDS) server
C. Screened subnet
D. Domain boundary
View answer
Correct Answer: D
Question #66
A PRIMARY purpose of creating security policies is to:
A. implement management’s governance strategy
B. establish the way security tasks should be executed
C. communicate management’s security expectations
D. define allowable security boundaries
View answer
Correct Answer: B
Question #67
The recovery time objective (RTO) is reached at which of the following milestones?
A. Disaster declaration
B. Recovery of the backups
C. Restoration of the system
D. Return to business as usual processing
View answer
Correct Answer: C
Question #68
At what stage of the applications development process should the security department initially become involved?
A. When requested
B. At testing
C. At programming
D. At detail requirements
View answer
Correct Answer: D
Question #69
The MOST important objective of monitoring key risk indicators (KRIs) related to information security is to:
A. identify change in security exposures
B. reduce risk management costs
C. meet regulatory compliance requirements
D. minimize the loss from security incidents
View answer
Correct Answer: A
Question #70
Which of the following is the BEST method to ensure compliance with password standards?
A. Implementing password-synchronization software
B. A user-awareness program
C. Automated enforcement of password syntax rules
D. Using password-cracking software
View answer
Correct Answer: C
Question #71
The MOST effective approach to address issues that arise between IT management, business units and security management when implementing a new security strategy is for the information security manager to:
A. escalate issues to an external third party for resolution
B. ensure that senior management provides authority for security to address the issues
C. insist that managers or units not in agreement with the security solution accept the risk
D. refer the issues to senior management along with any security recommendations
View answer
Correct Answer: D
Question #72
After obtaining commitment from senior management, which of the following should be completed NEXT when establishing an information security program?
A. Define security metrics
B. Conduct a risk assessment
C. Perform a gap analysis
D. Procure security tools
View answer
Correct Answer: B
Question #73
Which of the following would be MOST useful when illustrating to senior management the status of a recently implemented information security governance framework?
A. A risk assessment
B. A threat assessment
C. A maturity model
D. Periodic testing results
View answer
Correct Answer: C
Question #74
The PRIMARY reason for defining the information security roles and responsibilities of staff throughout an organization is to:
A. reinforce the need for training
B. increase corporate accountability
C. comply with security policy
D. enforce individual accountability
View answer
Correct Answer: C
Question #75
Which of the following activities would BEST incorporate security into the software development life cycle (SDLC)?
A. Minimize the use of open source software
B. Include security training for the development team
C. Scan operating systems for vulnerabilities
D. Test applications before go-live
View answer
Correct Answer: D
Question #76
What is the PRIMARY role of the information security program?
A. To develop and enforce a set of security policies aligned with the business
B. To educate stakeholders regarding information security requirements
C. To perform periodic risk assessments and business impact analyses (BIAs)
D. To provide guidance in managing organizational security risk
View answer
Correct Answer: A
Question #77
Which of the following BEST ensures that modifications made to in-house developed business applications do not introduce new security exposures?
A. Stress testing
B. Patch management
C. Change management
D. Security baselines
View answer
Correct Answer: C
Question #78
Which of the following is an example of a vulnerability?
A. Natural disasters
B. Defective software
C. Ransomware
D. Unauthorized users
View answer
Correct Answer: B
Question #79
An information security manager is implementing a bring your own device (BYOD) program. Which of the following would BEST ensure that users adhere to the security standards?
A. Monitor user activities on the network
B. Publish the standards on the intranet landing page
C. Establish an acceptable use policy
D. Deploy a device management solution
View answer
Correct Answer: D
Question #80
For risk management purposes, the value of an asset should be based on:
A. original cost
B. net cash flow
C. net present value
D. replacement cost
View answer
Correct Answer: D
Question #81
Which of the following is the MOST effective way to treat a risk such as a natural disaster that has a low probability and a high impact level?
A. Implement countermeasures
B. Eliminate the risk
C. Transfer the risk
D. Accept the risk
View answer
Correct Answer: C
Question #82
Which of the following is the MOST important requirement for setting up an information security infrastructure for a new system?
A. Performing a business impact analysis (BIA)
B. Considering personal information devices as part of the security policy
C. Initiating IT security training and familiarization
D. Basing the information security infrastructure on risk assessment
View answer
Correct Answer: D
Question #83
Which of the following are seldom changed in response to technological changes?
A. Standards
B. Procedures
C. Policies
D. Guidelines
View answer
Correct Answer: C
Question #84
Which of the following would help management determine the resources needed to mitigate a risk to the organization?
A. Risk analysis process
B. Business impact analysis (BIA)
C. Risk management balanced scorecard
D. Risk-based audit program
View answer
Correct Answer: B
Question #85
One way to determine control effectiveness is by determining:
A. whether it is preventive, detective or compensatory
B. the capability of providing notification of failure
C. the test results of intended objectives
D. the evaluation and analysis of reliability
View answer
Correct Answer: C
Question #86
An internal audit has identified major weaknesses over IT processing. Which of the following should an information security manager use to BEST convey a sense of urgency to management?
A. Security metrics reports
B. Risk assessment reports
C. Business impact analysis (BIA)
D. Return on security investment report
View answer
Correct Answer: B
Question #87
A successful information security management program should use which of the following to determine the amount of resources devoted to mitigating exposures?
A. Risk analysis results
B. Audit report findings
C. Penetration test results
D. Amount of IT budget available
View answer
Correct Answer: A
Question #88
Which of the following would BEST ensure that security risk assessment is integrated into the life cycle of major IT projects?
A. Integrating the risk assessment into the internal audit program
B. Applying global security standards to the IT projects
C. Training project managers on risk assessment
D. Having the information security manager participate on the project setting committees
View answer
Correct Answer: B
Question #89
A CIO has asked the organization’s information security manager to provide both one-year and five-year plans for the information security program. What is the PRIMARY purpose for the long-term plan?
A. To create formal requirements to meet projected security needs for the future
B. To create and document a consistent progression of security capabilities
C. To prioritize risks on a longer scale than the one-year plan
D. To facilitate the continuous improvement of the IT organization
View answer
Correct Answer: D
Question #90
Which of the following is the MOST important management signoff for migrating an order processing system from a test environment to a production environment?
A. User
B. Security
C. Operations
D. Database
View answer
Correct Answer: A
Question #91
A newly hired information security manager reviewing an existing security investment plan is MOST likely to be concerned when the plan:
A. is based solely on a review of security threats and vulnerabilities in existing IT systems
B. identifies potential impacts that the implementation may have on business processes
C. focuses on compliance with common international security standards
D. has summarized IT costs for implementation rather than providing detail
View answer
Correct Answer: A
Question #92
What should be an information security manager’s FIRST course of action when an organization is subject to a new regulatory requirement?
A. Perform a gap analysis
B. Complete a control assessment
C. Submit a business case to support compliance
D. Update the risk register
View answer
Correct Answer: A
Question #93
An organization's information security strategy should be based on:
A. managing risk relative to business objectives
B. managing risk to a zero level and minimizing insurance premiums
C. avoiding occurrence of risks so that insurance is not required
D. transferring most risks to insurers and saving on control costs
View answer
Correct Answer: A
Question #94
Reviewing which of the following would BEST ensure that security controls are effective?
A. Risk assessment policies
B. Return on security investment
C. Security metrics
D. User access rights
View answer
Correct Answer: C
Question #95
Deciding the level of protection a particular asset should be given is BEST determined by:
A. a threat assessment
B. a vulnerability assessment
C. a risk analysis
D. the corporate risk appetite
View answer
Correct Answer: C
Question #96
Which of the following is the PRIMARY reason for implementing a risk management program?
A. Allows the organization to eliminate risk
B. Is a necessary part of management's due diligence
C. Satisfies audit and regulatory requirements
D. Assists in increasing the return on investment (ROI)
View answer
Correct Answer: B
Question #97
When developing an information security strategy, the MOST important requirement is that:
A. standards capture the intent of management
B. a schedule is developed to achieve objectives
C. the desired outcome is known
D. critical success factors (CSFs) are developed
View answer
Correct Answer: A
Question #98
During the security review of a legacy business application, it was discovered that sensitive client data is not encrypted in storage, which does not comply with the organization’s information security policy. Which of the following would be the information security manager’s BEST course of action?
A. Implement encryption on client data
B. Report the noncompliance to senior management
C. Analyze compensating controls and assess the associated risk
D. Determine the cost of encryption and discuss with the application owner
View answer
Correct Answer: C
Question #99
When trying to integrate information security across an organization, the MOST important goal for a governing body should be to ensure:
A. the resources used for information security projects are kept to a minimum
B. information security is treated as a business critical issue
C. funding is approved for requested information security projects
D. periodic information security audits are conducted
View answer
Correct Answer: B
Question #100
After a risk has been mitigated, which of the following is the BEST way to help ensure residual risk remains within an organization's established risk tolerance?
A. Introduce new risk scenarios to test program effectiveness
B. Monitor the security environment for changes in risk
C. Conduct programs to promote user risk awareness
D. Perform a business impact analysis (BIA)
View answer
Correct Answer: A
Question #101
Which of the following would BEST mitigate identified vulnerabilities in a timely manner?
A. Continuous vulnerability monitoring tool
B. Categorization of the vulnerabilities based on the system's criticality
C. Monitoring of key risk indicators (KRIs)
D. Action plan with responsibilities and deadlines
View answer
Correct Answer: C
Question #102
The MOST important outcome of information security governance is:
A. business risk avoidance
B. informed decision making
C. alignment with business goals
D. alignment with compliance requirements
View answer
Correct Answer: C
Question #103
Which of the following is the MOST significant advantage of developing a well-defined information security strategy?
A. Support for buy-in from organizational employees
B. Allocation of resources to highest priorities
C. Prevention of deviations from risk tolerance thresholds
D. Increased maturity of incident response processes
View answer
Correct Answer: C
Question #104
Which of the following is an important criterion for developing effective key risk indicators (KRIs) to monitor information security risk?
A. The indicator should possess a high correlation with a specific risk and be measured on a regular basis
B. The indicator should focus on IT and accurately represent risk variances
C. The indicator should align with key performance indicators and measure root causes of process performance issues
D. The indicator should provide a retrospective view of risk impacts and be measured annually
View answer
Correct Answer: A
Question #105
When selecting risk response options to manage risk, an information security manager’s MAIN focus should be on reducing:
A. exposure to meet risk tolerance levels
B. the likelihood of threat
C. financial loss by transferring risk
D. the number of security vulnerabilities
View answer
Correct Answer: A
Question #106
Determining the risk for a particular threat/vulnerability pair before controls are applied can be expressed as:
A. the likelihood of a given threat attempting to exploit a vulnerability
B. a function of the likelihood and impact, should a threat exploit a vulnerability
C. the magnitude of the impact, should a threat exploit a vulnerability
D. a function of the cost and effectiveness of controls over a vulnerability
View answer
Correct Answer: B
Question #107
Senior management commitment and support for information security can BEST be enhanced through:
A. a formal security policy sponsored by the chief executive officer (CEO)
B. regular security awareness training for employees
C. periodic review of alignment with business management goals
D. senior management signoff on the information security strategy
View answer
Correct Answer: C
Question #108
Which of the following is MOST helpful for prioritizing the recovery of IT assets during a disaster?
A. Business impact analysis (BIA)
B. Risk assessment
C. Vulnerability assessment
D. Cost-benefit analysis
View answer
Correct Answer: A
Question #109
Which of the following should be the PRIMARY objective when establishing a new information security program?
A. Executing the security strategy
B. Optimizing resources
C. Facilitating operational security
D. Achieving regulatory compliance
View answer
Correct Answer: A
Question #110
A risk assessment study carried out by an organization noted that there is no segmentation of the local area network (LAN). Network segmentation would reduce the potential impact of which of the following?
A. Denial of service (DoS) attacks
B. Traffic sniffing
C. Virus infections
D. IP address spoofing
View answer
Correct Answer: B
Question #111
A risk mitigation report would include recommendations for:
A. assessment
B. acceptance
C. evaluation
D. quantification
View answer
Correct Answer: B
Question #112
The MOST appropriate role for senior management in supporting information security is the:
A. evaluation of vendors offering security products
B. assessment of risks to the organization
C. approval of policy statements and funding
D. monitoring adherence to regulatory requirements
View answer
Correct Answer: C
Question #113
Which of the following is the MOST effective way to mitigate the risk of confidential data leakage to unauthorized stakeholders?
A. Implement role-based access controls
B. Create a data classification policy
C. Require the use of login credentials and passwords
D. Conduct information security awareness training
View answer
Correct Answer: A
Question #114
An information security manager discovers that the organization’s new information security policy is not being followed across all departments. Which of the following should be of GREATEST concern to the information security manager?
A. Different communication methods may be required for each business unit
B. Business unit management has not emphasized the importance of the new policy
C. The corresponding controls are viewed as prohibitive to business operations
D. The wording of the policy is not tailored to the audience
View answer
Correct Answer: C
Question #115
Which of the following is the MOST important step when establishing guidelines for the use of social networking sites in an organization?
A. Establish disciplinary actions for noncompliance
B. Define acceptable information for posting
C. Identify secure social networking sites
D. Perform a vulnerability assessment
View answer
Correct Answer: D
Question #116
An organization determines that an end-user has clicked on a malicious link. Which of the following would MOST effectively prevent similar situations from recurring?
A. End-user training
B. Virus protection
C. End-user access control
D. Updated security policies
View answer
Correct Answer: A
Question #117
Which of the following is the BEST control to minimize the risk associated with loss of information as a result of ransomware exploiting a zero-day vulnerability?
A. A security operation center
B. A patch management process
C. A public key infrastructure
D. A data recovery process
View answer
Correct Answer: D
Question #118
During which phase of development is it MOST appropriate to begin assessing the risk of a new application system?
A. Feasibility
B. Design
C. Development
D. Testing
View answer
Correct Answer: A
Question #119
The MAIN reason for internal certification of web-based business applications is to ensure:
A. compliance with industry standards
B. changes to the organizational policy framework are identified
C. up-to-date web technology is being used
D. compliance with organizational policies
View answer
Correct Answer: D
Question #120
The IT function has declared that, when putting a new application into production, it is not necessary to update the business impact analysis (BIA) because it does not produce modifications in the business processes. The information security manager should:
A. verify the decision with the business units
B. check the system's risk analysis
C. recommend update after post implementation review
D. request an audit review
View answer
Correct Answer: A
Question #121
Which would be one of the BEST metrics an information security manager can employ to effectively evaluate the results of a security program?
A. Number of controls implemented
B. Percent of control objectives accomplished
C. Percent of compliance with the security policy
D. Reduction in the number of reported security incidents
View answer
Correct Answer: B
Question #122
Which of the following is the MOST important consideration for designing an effective information security governance framework?
A. Defined security metrics
B. Continuous audit cycle
C. Security policy provisions
D. Security controls automation
View answer
Correct Answer: A
Question #123
To determine the selection of controls required to meet business objectives, an information security manager should:
A. prioritize the use of role-based access controls
B. focus on key controls
C. restrict controls to only critical applications
D. focus on automated controls
View answer
Correct Answer: B
Question #124
A risk management program would be expected to:
A. remove all inherent risk
B. maintain residual risk at an acceptable level
C. implement preventive controls for every threat
D. reduce control risk to zero
View answer
Correct Answer: B
Question #125
Which of the following is generally used to ensure that information transmitted over the Internet is authentic and actually transmitted by the named sender?
A. Biometric authentication
B. Embedded steganographic
C. Two-factor authentication
D. Embedded digital signature
View answer
Correct Answer: D
Question #126
Before final acceptance of residual risk, what is the BEST way for an information security manager to address risk factors determined to be lower than acceptable risk levels?
A. Evaluate whether an excessive level of control is being applied
B. Ask senior management to increase the acceptable risk levels
C. Implement more stringent countermeasures
D. Ask senior management to lower the acceptable risk levels
View answer
Correct Answer: A
Question #127
How would an information security manager balance the potentially conflicting requirements of an international organization's security standards and local regulation?
A. Give organization standards preference over local regulations
B. Follow local regulations only
C. Make the organization aware of those standards where local regulations cause conflicts
D. Negotiate a local version of the organization standards
View answer
Correct Answer: D
Question #128
The PRIMARY reason for initiating a policy exception process is when:
A. operations are too busy to comply
B. the risk is justified by the benefit
C. policy compliance would be difficult to enforce
D. users may initially be inconvenienced
View answer
Correct Answer: B
Question #129
A company's mail server allows anonymous file transfer protocol (FTP) access which could be exploited. What process should the information security manager deploy to determine the necessity for remedial action?
A. A penetration test
B. A security baseline review
C. A risk assessment
D. A business impact analysis (BIA)
View answer
Correct Answer: C
Question #130
The recovery point objective (RPO) is required in which of the following?
A. Information security plan
B. Incident response plan
C. Business continuity plan
D. Disaster recovery plan
View answer
Correct Answer: C
Question #131
Which of the following is the BEST way to identify the potential impact of a successful attack on an organization’s mission critical applications?
A. Conduct penetration testing
B. Execute regular vulnerability scans
C. Perform independent code review
D. Perform application vulnerability review
View answer
Correct Answer: A
Question #132
A software vendor has announced a zero-day vulnerability that exposes an organization's critical business systems. Which of the following should be the information security manager's PRIMARY concern?
A. Business tolerance of downtime
B. Adequacy of the incident response plan
C. Availability of resources to implement controls
D. Ability to test patches prior to deployment
View answer
Correct Answer: C
Question #133
Which of the following is the PRIMARY benefit of using agentless endpoint security solutions?
A. Decreased network bandwidth usage
B. Decreased administration
C. Increased resiliency
D. More comprehensive information results
View answer
Correct Answer: B
Question #134
Developing a successful business case for the acquisition of information security software products can BEST be assisted by:
A. assessing the frequency of incidents
B. quantifying the cost of control failures
C. calculating return on investment (ROI) projections
D. comparing spending against similar organizations
View answer
Correct Answer: C
Question #135
Which of the following BEST reduces the likelihood of leakage of private information via email?
A. Email encryption
B. User awareness training
C. Strong user authentication protocols
D. Prohibition on the personal use of email
View answer
Correct Answer: D
Question #136
A message is being sent with a hash. The risk of an attacker changing the message and generating an authentic hash value can be mitigated by:
A. using a secret key in conjunction with the hash algorithm
B. requiring the recipient to use a different hash algorithm
C. using the sender’s public key to encrypt the message
D. generating hash output that is the same size as the original message
View answer
Correct Answer: A
Question #137
Which of the following is MOST relevant for an information security manager to communicate to IT operations?
A. The level of inherent risk
B. Vulnerability assessments
C. Threat assessments
D. The level of exposure
View answer
Correct Answer: B
Question #138
Labeling information according to its security classification:
A. enhances the likelihood of people handling information securely
B. reduces the number and type of countermeasures required
C. reduces the need to identify baseline controls for each classification
D. affects the consequences if information is handled insecurely
View answer
Correct Answer: D
Question #139
In a large organization requesting outsourced services, which of the following contract clauses is MOST important to the information security manager?
A. Compliance with security requirements
B. Frequency of status reporting
C. Nondisclosure clause
D. Intellectual property (IP)
View answer
Correct Answer: A
Question #140
A risk analysis for a new system is being performed. For which of the following is business knowledge MORE important than IT knowledge?
A. Vulnerability analysis
B. Balanced scorecard
C. Cost-benefit analysis
D. Impact analysis
View answer
Correct Answer: B
Question #141
What is the role of the information security manager in finalizing contract negotiations with service providers?
A. To update security standards for the outsourced process
B. To ensure that clauses for periodic audits are included
C. To obtain a security standard certification from the provider
D. To perform a risk analysis on the outsourcing process
View answer
Correct Answer: A
Question #142
Which of the following is MOST important for guiding the development and management of a comprehensive information security program?
A. Adopting information security program management best practices
B. Implementing policies and procedures to address the information security strategy
C. Establishing and maintaining an information security governance framework
D. Aligning the organization's business objectives with IT objectives
View answer
Correct Answer: C
Question #143
When developing incident response procedures involving servers hosting critical applications, which of the following should be the FIRST to be notified?
A. Business management
B. Operations manager
C. Information security manager
D. System users
View answer
Correct Answer: C
Question #144
The PRIMARY purpose of aligning information security with corporate governance objectives is to:
A. build capabilities to improve security processes
B. consistently manage significant areas of risk
C. identify an organization’s tolerance for risk
D. re-align roles and responsibilities
View answer
Correct Answer: A
Question #145
The MAIN purpose of documenting information security guidelines for use within a large, international organization is to:
A. ensure that all business units have the same strategic security goals
B. provide evidence for auditors that security practices are adequate
C. explain the organization's preferred practices for security
D. ensure that all business units implement identical security procedures
View answer
Correct Answer: A
Question #146
Which of the following would be MOST helpful in determining an organization’s current capacity to mitigate risk?
A. Capability maturity model
B. Business impact analysis
C. IT security risk and exposure
D. Vulnerability assessment
View answer
Correct Answer: A
Question #147
What is the BEST technique to determine which security controls to implement with a limited budget?
A. Risk analysis
B. Annualized loss expectancy (ALE) calculations
C. Cost-benefit analysis
D. Impact analysis
View answer
Correct Answer: C
Question #148
An intranet server should generally be placed on the:
A. internal network
B. firewall server
C. external router
D. primary domain controller
View answer
Correct Answer: A
Question #149
Information security policies should be designed PRIMARILY on the basis of:
A. business demands
B. inherent risks
C. international standards
D. business risks
View answer
Correct Answer: D
Question #150
An information security manager’s PRIMARY objective for presenting key risks to the board of directors is to:
A. meet information security compliance requirements
B. ensure appropriate information security governance
C. quantify reputational risks
D. re-evaluate the risk appetite
View answer
Correct Answer: B
Question #151
What is the PRIMARY role of the information security manager in the process of information classification within an organization?
A. Defining and ratifying the classification structure of information assets
B. Deciding the classification levels applied to the organization's information assets
C. Securing information assets in accordance with their classification
D. Checking if information assets have been classified properly
View answer
Correct Answer: A
Question #152
Which of the following is the MOST important driver when developing an effective information security strategy?
A. Information security standards
B. Compliance requirements
C. Benchmarking reports
D. Security audit reports
View answer
Correct Answer: A
Question #153
The effectiveness of virus detection software is MOST dependent on which of the following?
A. Packet filtering
B. Intrusion detection
C. Software upgrades
D. Definition tables
View answer
Correct Answer: D
Question #154
An organization outsources its payroll processing. Which of the following would be the BEST key risk indicator for monitoring the information security of the service provider?
A. Number of security incidents by severity
B. Number of critical security patches
C. Percentage of application up-time
D. Number of manual payroll adjustments
View answer
Correct Answer: A
Question #155
The MOST complete business case for security solutions is one that:
A. includes appropriate justification
B. explains the current risk profile
C. details regulatory requirements
D. identifies incidents and losses
View answer
Correct Answer: A
Question #156
The MOST important success factor to design an effective IT security awareness program is to:
A. customize the content to the target audience
B. ensure senior management is represented
C. ensure that all the staff is trained
D. avoid technical content but give concrete examples
View answer
Correct Answer: A
Question #157
Which of the following is the MOST important risk associated with middleware in a client-server environment?
A. Server patching may be prevented
B. System backups may be incomplete
C. System integrity may be affected
D. End-user sessions may be hijacked
View answer
Correct Answer: C
Question #158
Which of the following is the BEST indication of information security strategy alignment with the business?
A. Number of business objectives directly supported by information security initiatives
B. Percentage of corporate budget allocated to information security initiatives
C. Number of business executives who have attended information security awareness sessions
D. Percentage of information security incidents resolved within defined service level agreements
View answer
Correct Answer: A
Question #159
A risk management program should reduce risk to:
A. zero
B. an acceptable level
C. an acceptable percent of revenue
D. an acceptable probability of occurrence
View answer
Correct Answer: B
Question #160
Which of the following is BEST performed by the security department?
A. Approving standards for accessing the operating system
B. Logging unauthorized access to the operating system
C. Managing user profiles for accessing the operating system
D. Provisioning users to access the operating system
View answer
Correct Answer: B
Question #161
Which of the following is the MOST important action when using a web application that has recognized vulnerabilities?
A. Deploy an application firewall
B. Deploy host-based intrusion detection
C. Install anti-spyware software
D. Monitor application level logs
View answer
Correct Answer: A
Question #162
A third-party service provider is developing a mobile app for an organization's customers. Which of the following issues should be of GREATEST concern to the information security manager?
A. Software escrow is not addressed in the contract
B. The contract has no requirement for secure development practices
C. The mobile app’s programmers are all offshore contractors
D. SLAs after deployment are not clearly defined
View answer
Correct Answer: B
Question #163
The PRIMARY concern of an information security manager documenting a formal data retention policy would be:
A. generally accepted industry best practices
B. business requirements
C. legislative and regulatory requirements
D. storage availability
View answer
Correct Answer: B
Question #164
Which of the following is the BEST method to protect consumer private information for an online public website?
A. Encrypt consumer’s data in transit and at rest
B. Apply a masking policy to the consumer data
C. Use secure encrypted transport layer
D. Apply strong authentication to online accounts
View answer
Correct Answer: A
Question #165
Which of the following would be the FIRST step in establishing an information security program?
A. Develop the security policy
B. Develop security operating procedures
C. Develop the security plan
D. Conduct a security controls study
View answer
Correct Answer: C
Question #166
The value of information assets is BEST determined by:
A. individual business managers
B. business systems analysts
C. information security management
D. industry averages benchmarking
View answer
Correct Answer: A
Question #167
The MOST important factor in planning for the long-term retention of electronically stored business records is to take into account potential changes in:
A. storage capacity and shelf life
B. regulatory and legal requirements
C. business strategy and direction
D. application systems and media
View answer
Correct Answer: D
Question #168
Which of the following BEST ensures that information transmitted over the Internet will remain confidential?
A. Virtual private network (VPN)
B. Firewalls and routers
C. Biometric authentication
D. Two-factor authentication
View answer
Correct Answer: A
Question #169
When an organization and its IT-hosting service provider are establishing a contract with each other, it is MOST important that the contract includes:
A. details of expected security metrics
B. each party’s security responsibilities
C. penalties for noncompliance with security policy
D. recovery time objectives (RTOs)
View answer
Correct Answer: B
Question #170
Which of the following is MOST critical for prioritizing actions in a business continuity plan (BCP)?
A. Business impact analysis (BIA)
B. Risk assessment
C. Asset classification
D. Business process mapping
View answer
Correct Answer: A
Question #171
The MOST effective way to ensure that outsourced service providers comply with the organization's information security policy would be:
A. service level monitoring
B. penetration testing
C. periodically auditing
D. security awareness training
View answer
Correct Answer: C
Question #172
The BEST way to isolate corporate data stored on employee-owned mobile devices would be to implement:
A. a sandbox environment
B. device encryption
C. two-factor authentication
D. a strong password policy
View answer
Correct Answer: A
Question #173
Risk assessment should be conducted on a continuing basis because:
A. controls change on a continuing basis
B. the number of hacking incidents is increasing
C. management should be updated about changes in risk
D. factors that affect information security change
View answer
Correct Answer: A
Question #174
Which of the following BEST determines an information asset's classification?
A. Directives from the data owner
B. Criticality to a business process
C. Cost of producing the information asset
D. Value of the information asset to competitors
View answer
Correct Answer: B
Question #175
In performing a risk assessment on the impact of losing a server, the value of the server should be calculated using the:
A. original cost to acquire
B. cost of the software stored
C. annualized loss expectancy (ALE)
D. cost to obtain a replacement
View answer
Correct Answer: D
Question #176
Which of the following will BEST help to ensure security is addressed when developing a custom application?
A. Conducting security training for the development staff
B. Integrating security requirements into the development process
C. Requiring a security assessment before implementation
D. Integrating a security audit throughout the development process
View answer
Correct Answer: B
Question #177
Which of the following would be MOST helpful to identify security incidents in a timely manner?
A. Implement a ticketing system for the help desk
B. Require security staff to attend training
C. Develop a user awareness program
D. Perform regular penetration testing
View answer
Correct Answer: C
Question #178
Which of the following individuals would be in the BEST position to sponsor the creation of an information security steering group?
A. Information security manager
B. Chief operating officer (COO)
C. Internal auditor
D. Legal counsel
View answer
Correct Answer: B
Question #179
Which of the following is the PRIMARY reason an information security strategy should be deployed across an organization?
A. To ensure that the business complies with security regulations
B. To ensure that management's intent is reflected in security activities
C. To ensure that employees adhere to security standards
D. To ensure that security-related industry best practices are adopted
View answer
Correct Answer: A
Question #180
Which of the following is MOST important for a successful information security program?
A. Adequate training on emerging security technologies
B. Open communication with key process owners
C. Adequate policies, standards and procedures
D. Executive management commitment
View answer
Correct Answer: D
Question #181
Which of the following is MOST effective in preventing security weaknesses in operating systems?
A. Patch management
B. Change management
C. Security baselines
D. Configuration management
View answer
Correct Answer: A
Question #182
An organization is in the process of adopting a hybrid data infrastructure, transferring all non-core applications to cloud service providers and maintaining all core business functions in-house. The information security manager has determined a defense in depth strategy should be used. Which of the following BEST describes this strategy?
A. Multi-factor login requirements for cloud service applications, timeouts, and complex passwords
B. Deployment of nested firewalls within the infrastructure
C. Separate security controls for applications, platforms, programs, and endpoints
D. Strict enforcement of role-based access control (RBAC)
View answer
Correct Answer: C
Question #183
The return on investment of information security can BEST be evaluated through which of the following?
A. Support of business objectives
B. Security metrics
C. Security deliverables
D. Process improvement models
View answer
Correct Answer: A
Question #184
Which of the following would BEST justify spending for a compensating control?
A. Threat analysis
B. Risk analysis
C. Peer benchmarking
D. Vulnerability analysis
View answer
Correct Answer: B
Question #185
Which of the following roles is PRIMARILY responsible for developing an information classification framework based on business needs?
A. Senior management
B. Information security steering committee
C. Information owner
D. Information security manager
View answer
Correct Answer: C
Question #186
A risk analysis should:
A. include a benchmark of similar companies in its scope
B. assume an equal degree of protection for all assets
C. address the potential size and likelihood of loss
D. give more weight to the likelihood vs
View answer
Correct Answer: C
Question #187
Which of the following roles would represent a conflict of interest for an information security manager?
A. Evaluation of third parties requesting connectivity
B. Assessment of the adequacy of disaster recovery plans
C. Final approval of information security policies
D. Monitoring adherence to physical security controls
View answer
Correct Answer: C
Question #188
Which of the following techniques MOST clearly indicates whether specific risk-reduction controls should be implemented?
A. Countermeasure cost-benefit analysis
B. Penetration testing
C. Frequent risk assessment programs
D. Annual loss expectancy (ALE) calculation
View answer
Correct Answer: A
Question #189
Which of the following is MOST important to consider when developing a business continuity plan (BCP)?
A. Disaster recovery plan (DRP)
B. Business impact analysis (BIA)
C. Incident management requirements
D. Business communication plan
View answer
Correct Answer: B
Question #190
Which of the following technologies is utilized to ensure that an individual connecting to a corporate internal network over the Internet is not an intruder masquerading as an authorized user?
A. Intrusion detection system (IDS)
B. IP address packet filtering
C. Two-factor authentication
D. Embedded digital signature
View answer
Correct Answer: C
Question #191
Which of the following are likely to be updated MOST frequently?
A. Procedures for hardening database servers
B. Standards for password length and complexity
C. Policies addressing information security governance
D. Standards for document retention and destruction
View answer
Correct Answer: A
Question #192
Which of the following would BEST enable integration of information security governance into corporate governance?
A. Ensuring appropriate business representation on the information security steering committee
B. Using a balanced scorecard to measure the performance of the information security strategy
C. Implementing IT governance, risk and compliance (IT GRC) dashboards
D. Having the CIO chair the information security steering committee
View answer
Correct Answer: C
Question #193
In information security governance, the PRIMARY role of the board of directors is to ensure:
A. approval of relevant policies and standards
B. communication of security posture to stakeholders
C. compliance with regulations and best practices
D. alignment with the strategic goals of the organization
View answer
Correct Answer: D
Question #194
An information security manager is reviewing the impact of a regulation on the organization’s human resources system. The NEXT course of action should be to:
A. perform a gap analysis of compliance requirements
B. assess the penalties for non-compliance
C. review the organization’s most recent audit report
D. determine the cost of compliance
View answer
Correct Answer: A
Question #195
A legacy application does not comply with new regulatory requirements to encrypt sensitive data at rest, and remediating this issue would require significant investment. What should the information security manager do FIRST?
A. Investigate alternative options to remediate the noncompliance
B. Assess the business impact to the organization
C. Present the noncompliance risk to senior management
D. Determine the cost to remediate the noncompliance
View answer
Correct Answer: B
Question #196
Which of the following is MOST important to understand when developing a meaningful information security strategy?
A. Regulatory environment
B. International security standards
C. Organizational risks
D. Organizational goals
View answer
Correct Answer: D
Question #197
Which of the following is MOST important for an information security manager to consider when identifying information security resource requirements?
A. Information security incidents
B. Information security strategy
C. Current resourcing levels
D. Availability of potential resources
View answer
Correct Answer: B
Question #198
To effectively manage an organization’s information security risk, it is MOST important to:
A. periodically identify and correct new systems vulnerabilities
B. assign risk management responsibility to end users
C. benchmark risk scenarios against peer organizations
D. establish and communicate risk tolerance
View answer
Correct Answer: A
Question #199
Which of the following is the MOST likely to change an organization's culture to one that is more security conscious?
A. Adequate security policies and procedures
B. Periodic compliance reviews
C. Security steering committees
D. Security awareness campaigns
View answer
Correct Answer: D
Question #200
Which of the following is the PRIMARY goal of business continuity management?
A. Establish incident response procedures
B. Assess the impact to business processes
C. Increase survivability of the organization
D. Implement controls to prevent disaster
View answer
Correct Answer: C
Question #201
The cost of implementing a security control should not exceed the:
A. annualized loss expectancy
B. cost of an incident
C. asset value
D. implementation opportunity costs
View answer
Correct Answer: C
Question #202
Security awareness training should be provided to new employees:
A. on an as-needed basis
B. during system user training
C. before they have access to data
D. along with department staff
View answer
Correct Answer: C
Question #203
When implementing effective security governance within the requirements of the company's security strategy, which of the following is the MOST important factor to consider?
A. Preserving the confidentiality of sensitive data
B. Establishing international security standards for data sharing
C. Adhering to corporate privacy standards
D. Establishing system manager responsibility for information security
View answer
Correct Answer: A
Question #204
Which of the following BEST illustrates residual risk within an organization?
A. Risk management framework
B. Risk register
C. Business impact analysis
D. Heat map
View answer
Correct Answer: A
Question #205
Which of the following would be the BEST metric for the IT risk management process?
A. Number of risk management action plans
B. Percentage of critical assets with budgeted remedial
C. Percentage of unresolved risk exposures
D. Number of security incidents identified
View answer
Correct Answer: B
Question #206
The PRIMARY objective of an Internet usage policy is to prevent:
A. access to inappropriate sites
B. downloading malicious code
C. violation of copyright laws
D. disruption of Internet access
View answer
Correct Answer: D
Question #207
Which of the following is the PRIMARY objective of a business impact analysis (BIA)?
A. Analyze vulnerabilities
B. Determine recovery priorities
C. Confirm control effectiveness
D. Define the recovery point objective (RPO)
View answer
Correct Answer: D
Question #208
When developing an incident response plan, the information security manager should:
A. include response scenarios that have been approved previously by business management
B. determine recovery time objectives (RTOs)
C. allow IT to decide which systems can be removed from the infrastructure
D. require IT to invoke the business continuity plan
View answer
Correct Answer: B
Question #209
The use of a business case to obtain funding for an information security investment is MOST effective when the business case:
A. translates information security policies and standards into business requirements
B. relates the investment to the organization’s strategic plan
C. realigns information security objectives to organizational strategy
D. articulates management’s intent and information security directives in clear language
View answer
Correct Answer: B
Question #210
The BEST way to ensure that an external service provider complies with organizational security policies is to:
A. Explicitly include the service provider in the security policies
B. Receive acknowledgment in writing stating the provider has read all policies
C. Cross-reference to policies in the service level agreement
D. Perform periodic reviews of the service provider
View answer
Correct Answer: D
Question #211
An organization has decided to implement additional security controls to treat the risks of a new process. This is an example of:
A. eliminating the risk
B. transferring the risk
C. mitigating the risk
D. accepting the risk
View answer
Correct Answer: C
Question #212
Business units within an organization are resistant to proposed changes to the information security program. Which of the following is the BEST way to address this issue?
A. Implementing additional security awareness training
B. Communicating critical risk assessment results to business unit managers
C. Including business unit representation on the security steering committee
D. Publishing updated information security policies
View answer
Correct Answer: B
Question #213
Which of the following is the BEST way to facilitate the alignment between an organization’s information security program and business objectives?
A. Information security is considered at the feasibility stage of all IT projects
B. The information security governance committee includes representation from key business areas
C. The chief executive officer reviews and approves the information security program
D. The information security program is audited by the internal audit department
View answer
Correct Answer: B
Question #214
What will have the HIGHEST impact on standard information security governance models?
A. Number of employees
B. Distance between physical locations
C. Complexity of organizational structure
D. Organizational budget
View answer
Correct Answer: C
Question #215
Which of the following presents the GREATEST challenge in calculating return on investment (ROI) in the security environment?
A. Number of incidents cannot be predetermined
B. Project cost overruns cannot be anticipated
C. Cost of security tools is difficult to estimate
D. Costs of security incidents cannot be estimated
View answer
Correct Answer: A
Question #216
Which of the following is MOST important to determine before developing information security program metrics?
A. How the data will be collected
B. Who will use the metrics
C. How performance will be reported
D. Who will own the metrics
View answer
Correct Answer: D
Question #217
Which of the following would be the MOST effective to mitigate the risk of data loss in the event of a stolen laptop?
A. Providing end-user awareness training focused on travelling with laptops
B. Deploying end-point data loss prevention software on the laptop
C. Encrypting the hard drive
D. Utilizing a strong password
View answer
Correct Answer: C
Question #218
An organization has a process in place that involves the use of a vendor. A risk assessment was completed during the development of the process. A year after the implementation a monetary decision has been made to use a different vendor. What, if anything, should occur?
A. Nothing, since a risk assessment was completed during development
B. A vulnerability assessment should be conducted
C. A new risk assessment should be performed
D. The new vendor's SAS 70 type II report should be reviewed
View answer
Correct Answer: C
Question #219
Which of the following ensures that newly identified security weaknesses in an operating system are mitigated in a timely fashion?
A. Patch management
B. Change management
C. Security baselines
D. Acquisition management
View answer
Correct Answer: A
Question #220
Exceptions to a security policy should be approved based PRIMARILY on:
A. risk appetite
B. the external threat probability
C. results of a business impact analysis (BIA)
D. the number of security incidents
View answer
Correct Answer: C
Question #221
When configuring a biometric access control system that protects a high-security data center, the system's sensitivity level should be set:
A. to a higher false reject rate (FRR)
B. to a lower crossover error rate
C. to a higher false acceptance rate (FAR)
D. exactly to the crossover error rate
View answer
Correct Answer: A
Question #222
An organization will be outsourcing mission-critical processes. Which of the following is MOST important to verify before signing the service level agreement (SLA)?
A. The provider has implemented the latest technologies
B. The provider’s technical staff are evaluated annually
C. The provider is widely known within the organization’s industry
D. The provider has been audited by a recognized audit firm
View answer
Correct Answer: D
Question #223
Which of the following is the BEST method to defend against social engineering attacks?
A. Periodically perform antivirus scans to identify malware
B. Communicate guidelines to limit information posted to public sites
C. Employ the use of a web-content filtering solution
D. Monitor for unauthorized access attempts and failed logins
View answer
Correct Answer: C
Question #224
Which of the following types of controls would be MOST important to implement when digitizing human resource (HR) records?
A. Access management controls
B. Project management controls
C. Software development controls
D. Change management controls
View answer
Correct Answer: A
Question #225
An organization has acquired a company in a foreign country to gain an advantage in a new market. Which of the following is the FIRST step the information security manager should take?
A. Merge the two existing information security programs
B. Determine which country’s information security regulations will be used
C. Apply the existing information security program to the acquired company
D. Evaluate the information security laws that apply to the acquired company
View answer
Correct Answer: D
Question #226
Which of the following would be MOST helpful to achieve alignment between information security and organization objectives?
A. Key control monitoring
B. A robust security awareness program
C. A security program that enables business activities
D. An effective security architecture
View answer
Correct Answer: C
Question #227
To prevent computers on the corporate network from being used as part of a distributed denial of service attack, the information security manager should use:
A. incoming traffic filtering
B. outgoing traffic filtering
C. IT security policy dissemination
D. rate limiting
View answer
Correct Answer: B
Question #228
Which of the following would be MOST important to include in a bring your own device (BYOD) policy with regard to lost or stolen devices? The need for employees to:
A. initiate the company’s incident reporting process
B. seek advice from the mobile service provider
C. notify local law enforcement
D. request a remote wipe of the device
View answer
Correct Answer: D
Question #229
Obtaining senior management support for establishing a warm site can BEST be accomplished by:
A. establishing a periodic risk assessment
B. promoting regulatory requirements
C. developing a business case
D. developing effective metrics
View answer
Correct Answer: C
Question #230
All risk management activities are PRIMARILY designed to reduce impacts to:
A. a level defined by the security manager
B. an acceptable level based on organizational risk tolerance
C. a minimum level consistent with regulatory requirements
D. the minimum level possible
View answer
Correct Answer: B
Question #231
Which of the following is the PRIMARY reason for performing an analysis of the threat landscape on a regular basis?
A. To determine the basis for proposing an increase in security budgets
B. To determine if existing business continuity plans are adequate
C. To determine if existing vulnerabilities present a risk
D. To determine critical information for executive management
View answer
Correct Answer: C
Question #232
Which of the following is the MOST effective way to identify changes in an information security environment?
A. Continuous monitoring
B. Security baselining
C. Annual risk assessments
D. Business impact analysis
View answer
Correct Answer: A
Question #233
A successful risk management program should lead to:
A. optimization of risk reduction efforts against cost
B. containment of losses to an annual budgeted amount
C. identification and removal of all man-made threats
D. elimination or transference of all organizational risks
View answer
Correct Answer: A
Question #234
Which of the following is the BEST way to address any gaps identified during an outsourced provider selection and contract negotiation process?
A. Make the provider accountable for security and compliance
B. Perform continuous gap assessments
C. Include audit rights in the service level agreement (SLA)
D. Implement compensating controls
View answer
Correct Answer: D
Question #235
Shortly after installation, an intrusion detection system (IDS) reports a violation. Which of the following is the MOST likely?
A. The violation is a false positive
B. A routine IDS log file upload has occurred
C. A routine IDS signature file download has occurred
D. An intrusion has occurred
View answer
Correct Answer: A
Question #236
Senior management commitment and support for information security can BEST be obtained through presentations that:
A. use illustrative examples of successful attacks
B. explain the technical risks to the organization
C. evaluate the organization against best security practices
D. tie security risks to key business objectives
View answer
Correct Answer: D
Question #237
A risk profile supports effective security decisions PRIMARILY because it:
A. defines how to best mitigate future risks
B. identifies priorities for risk reduction
C. enables comparison with industry best practices
D. describes security threats
View answer
Correct Answer: B
Question #238
When the inherent risk of a business activity is lower than the acceptable risk level, the BEST course of action would be to:
A. monitor for business changes
B. review the residual risk level
C. report compliance to management
D. implement controls to mitigate the risk
View answer
Correct Answer: B
Question #239
A business manager has decided not to implement a control based on the risk assessment of a mission-critical business application because of its impact on performance. What is the information security manager's BEST course of action?
A. Instruct the business manager to implement the mitigation control
B. Update the organization's risk profile
C. Recommend possible compensating controls
D. Escalate the issue to senior management for a final decision
View answer
Correct Answer: C
Question #240
The BEST way to ensure that security settings on each platform are in compliance with information security policies and procedures is to:
A. perform penetration testing
B. establish security baselines
C. implement vendor default settings
D. link policies to an independent standard
View answer
Correct Answer: B
Question #241
Before conducting a formal risk assessment of an organization's information resources, an information security manager should FIRST:
A. map the major threats to business objectives
B. review available sources of risk information
C. identify the value of the critical assets
D. determine the financial impact if threats materialize
View answer
Correct Answer: A
Question #242
To achieve effective strategic alignment of security initiatives, it is important that:
A. Steering committee leadership be selected by rotation
B. Inputs be obtained and consensus achieved between the major organizational units
C. The business strategy be updated periodically
D. Procedures and standards be approved by all departmental heads
View answer
Correct Answer: B
Question #243
An information security manager has recently been notified of potential security risks associated with a third-party service provider. What should be done NEXT to address this concern?
A. Conduct a risk analysis
B. Escalate to the chief risk officer
C. Conduct a vulnerability analysis
D. Determine compensating controls
View answer
Correct Answer: A
Question #244
What is the BEST way for a customer to authenticate an e-commerce vendor?
A. Use a secure communications protocol for the connection
B. Verify the vendor’s certificate with a certificate authority
C. Request email verification of the order
D. Encrypt the order using the vendor’s private key
View answer
Correct Answer: B
Question #245
Reviewing security objectives and ensuring the integration of security across business units is PRIMARILY the focus of the:
A. executive management
B. chief information security officer (CISO)
C. board of directors
D. steering committee
View answer
Correct Answer: B
Question #246
Which of the following would be the BEST indicator that an organization is appropriately managing risk?
A. The number of security incident events reported by staff has increased
B. Risk assessment results are within tolerance
C. A penetration test does not identify any high-risk system vulnerabilities
D. The number of events reported from the intrusion detection system has declined
View answer
Correct Answer: B
Question #247
Recovery time objectives (RTOs) are an output of which of the following?
A. Business continuity plan
B. Disaster recovery plan
C. Service level agreement (SLA)
D. Business impact analysis (BIA)
View answer
Correct Answer: B
Question #248
Which of the following tools is MOST appropriate for determining how long a security project will take to implement?
A. Gantt chart
B. Waterfall chart
C. Critical path
D. Rapid Application Development (RAD)
View answer
Correct Answer: C
Question #249
Security governance is MOST associated with which of the following IT infrastructure components?
A. Network
B. Application
C. Platform
D. Process
View answer
Correct Answer: D
Question #250
The impact of losing frame relay network connectivity for 18-24 hours should be calculated using the:
A. hourly billing rate charged by the carrier
B. value of the data transmitted over the network
C. aggregate compensation of all affected business users
D. financial losses incurred by affected business units
View answer
Correct Answer: D
Question #251
A large organization is considering a policy that would allow employees to bring their own smartphones into the organizational environment. The MOST important concern to the information security manager should be the:
A. higher costs in supporting end users
B. impact on network capacity
C. decrease in end user productivity
D. lack of a device management solution
View answer
Correct Answer: D
Question #252
Nonrepudiation can BEST be assured by using:
A. delivery path tracing
B. reverse lookup translation
C. out-of-band channels
D. digital signatures
View answer
Correct Answer: D
Question #253
Which of the following is the BEST method for ensuring that security procedures and guidelines are known and understood?
A. Periodic focus group meetings
B. Periodic compliance reviews
C. Computer-based certification training (CBT)
D. Employee's signed acknowledgement
View answer
Correct Answer: C
Question #254
Which of the following is the MOST effective way to achieve the integration of information security governance into corporate governance?
A. Align information security budget requests to organizational goals
B. Ensure information security efforts support business goals
C. Provide periodic IT balanced scorecards to senior management
D. Ensure information security aligns with IT strategy
View answer
Correct Answer: A
Question #255
Which of the following is the MOST effective method for categorizing system and data criticality during the risk assessment process?
A. Interview senior management
B. Interview data custodians
C. Interview members of the board
D. Interview the asset owners
View answer
Correct Answer: D
Question #256
The risk of mishandling alerts identified by an intrusion detection system (IDS) would be the GREATEST when:
A. standard operating procedures are not formalized
B. the IT infrastructure is diverse
C. IDS sensors are misconfigured
D. operations and monitoring are handled by different teams
View answer
Correct Answer: A
Question #257
Which of the following should be of GREATEST concern to an information security manager when establishing a set of key risk indicators (KRIs)?
A. The impact of security risk on organizational objectives is not well understood
B. Risk tolerance levels have not yet been established
C. Several business functions have been outsourced to third-party vendors
D. The organization has no historical data on previous security events
View answer
Correct Answer: B
Question #258
It is MOST important that information security architecture be aligned with which of the following?
A. Industry best practices
B. Information technology plans
C. Information security best practices
D. Business objectives and goals
View answer
Correct Answer: D
Question #259
Which of the following is the GREATEST risk of single sign-on?
A. It is a single point of failure for an enterprise access control process
B. Password carelessness by one user may render the entire infrastructure vulnerable
C. Integration of single sign-on with the rest of the infrastructure is complicated
D. One administrator maintains the single sign-on solutions without segregation of duty
View answer
Correct Answer: A
Question #260
What is an appropriate frequency for updating operating system (OS) patches on production servers?
A. During scheduled rollouts of new applications
B. According to a fixed security patch management schedule
C. Concurrently with quarterly hardware maintenance
D. Whenever important security patches are released
View answer
Correct Answer: D
Question #261
Which of the following is the BEST approach to reduce unnecessary duplication of compliance activities?
A. Automation of controls
B. Documentation of control procedures
C. Integration of assurance efforts
D. Standardization of compliance requirements
View answer
Correct Answer: D
Question #262
Which of the following should be the PRIMARY goal of an information security manager when designing information security policies?
A. Reducing organizational security risk
B. Improving the protection of information
C. Minimizing the cost of security controls
D. Achieving organizational objectives
View answer
Correct Answer: D
Question #263
Which of the following is the BEST method for determining whether new risks exist in legacy applications?
A. Regularly scheduled risk assessments
B. Automated vulnerability scans
C. Third-party penetration testing
D. Frequent updates to the risk register
View answer
Correct Answer: A
Question #264
The BEST way to report to the board on the effectiveness of the information security program is to present:
A. a dashboard illustrating key performance metrics
B. peer-group industry benchmarks
C. a summary of the most recent audit findings
D. a report of cost savings from process improvements
View answer
Correct Answer: A
Question #265
The FIRST step in establishing a security governance program is to:
A. conduct a risk assessment
B. conduct a workshop for all end users
C. prepare a security budget
D. obtain high-level sponsorship
View answer
Correct Answer: D
Question #266
Which of the following guarantees that data in a file have not changed?
A. Inspecting the modified date of the file
B. Encrypting the file with symmetric encryption
C. Using stringent access control to prevent unauthorized access
D. Creating a hash of the file, then comparing the file hashes
View answer
Correct Answer: D
Question #267
Which of the following is the PRIMARY role of the information security manager in application development? To ensure:
A. enterprise security controls are implemented
B. compliance with industry best practice
C. control procedures address business risk
D. security is integrated into the system development life cycle (SDLC)
View answer
Correct Answer: A
Question #268
Which of the following metrics would provide management with the MOST useful information about the progress of a security awareness program?
A. Increased number of downloads of the organization’s security policy
B. Increased reporting of security incidents
C. Completion rate of user awareness training within each business unit
D. Decreased number of security incidents
View answer
Correct Answer: D
Question #269
What is the PRIMARY objective of assigning classifications to information assets?
A. Identify appropriate levels of protection
B. Identify business owners and information custodians
C. Demonstrate compliance with regulatory requirements
D. Maintain an accurate IT asset inventory
View answer
Correct Answer: A
Question #270
When implementing information security in system development projects, which of the following is the MOST effective approach for an information security manager with limited resources?
A. Embedding a representative in business projects
B. Assigning resources based on the business impact
C. Presenting security requirements during project planning
D. Reviewing security requirements prior to development
View answer
Correct Answer: B
Question #271
Which of the following would be MOST useful to help senior management understand the status of information security compliance?
A. Industry benchmarks
B. Risk assessment results
C. Business impact analysis (BIA) results
D. Key performance indicators (KPIs)
View answer
Correct Answer: D
Question #272
Which of the following is MOST critical for an effective information security governance framework?
A. Board members are committed to the information security program
B. Information security policies are reviewed on a regular basis
C. The information security program is continually monitored
D. The CIO is accountable for the information security program
View answer
Correct Answer: A
Question #273
Which of the following is MOST important when carrying out a forensic examination of a laptop to determine an employee's involvement in a fraud?
A. The employee's network access should be suspended
B. The laptop should not be removed from the company premises
C. An HR representative should be present during the laptop examination
D. The investigation should be conducted on an image of the original disk drive
View answer
Correct Answer: D
Question #274
Which of the following is the BEST indicator that security awareness training has been effective?
A. Employees sign to acknowledge the security policy
B. More incidents are being reported
C. A majority of employees have completed training
D. No incidents have been reported in three months
View answer
Correct Answer: B
Question #275
Which of the following should be of MOST influence to an information security manager when developing IT security policies?
A. Past and current threats
B. IT security framework
C. Compliance with regulations
D. Business strategy
View answer
Correct Answer: D
Question #276
An information security manager has identified and implemented mitigating controls according to industry best practices. Which of the following is the GREATEST risk associated with this approach?
A. The cost of control implementation may be too high
B. The security program may not be aligned with organizational objectives
C. The mitigation measures may not be updated in a timely manner
D. Important security controls may be missed without senior management input
View answer
Correct Answer: B
Question #277
When creating an incident response plan, the PRIMARY benefit of establishing a clear definition of a security incident is that it helps to:
A. communicate the incident response process to stakeholders
B. develop effective escalation and response procedures
C. make tabletop testing more effective
D. adequately staff and train incident response teams
View answer
Correct Answer: B
Question #278
Which of the following is the MAIN reason for performing risk assessment on a continuous basis?
A. Justification of the security budget must be continually made
B. New vulnerabilities are discovered every day
C. The risk environment is constantly changing
D. Management needs to be continually informed about emerging risks
View answer
Correct Answer: C
Question #279
Which of the following would BEST detect malicious damage arising from an internal threat?
A. Access control list
B. Encryption
C. Fraud awareness training
D. Job rotation
View answer
Correct Answer: D
Question #280
Which of the following is MOST important to building an effective information security program?
A. Information security architecture to increase monitoring activities
B. Management support for information security
C. Relevant and timely content included in awareness programs
D. Logical access controls for information systems
View answer
Correct Answer: B
Question #281
The BEST way to ensure that information security policies are followed is to:
A. distribute printed copies to all employees
B. perform periodic reviews for compliance
C. include escalating penalties for noncompliance
D. establish an anonymous hotline to report policy abuses
View answer
Correct Answer: B
Question #282
Who should be responsible for enforcing access rights to application data?
A. Data owners
B. Business process owners
C. The security steering committee
D. Security administrators
View answer
Correct Answer: D
Question #283
Which of the following authentication methods prevents authentication replay?
A. Password hash implementation
B. Challenge/response mechanism
C. Wired Equivalent Privacy (WEP) encryption usage
D. HTTP Basic Authentication
View answer
Correct Answer: B
Question #284
A small organization has a contract with a multinational cloud computing vendor. Which of the following would present the GREATEST concern to an information security manager if omitted from the contract?
A. Authority of the subscriber to approve access to its data
B. Right of the subscriber to conduct onsite audits of the vendor
C. Escrow of software code with conditions for code release
D. Commingling of subscribers’ data on the same physical server
View answer
Correct Answer: D
Question #285
A common concern with poorly written web applications is that they can allow an attacker to:
A. gain control through a buffer overflow
B. conduct a distributed denial of service (DoS) attack
C. abuse a race condition
D. inject structured query language (SQL) statements
View answer
Correct Answer: D
Question #286
Management decisions concerning information security investments will be MOST effective when they are based on:
A. an annual loss expectancy (ALE) determined from the history of security events
B. the formalized acceptance of risk analysis by management
C. the reporting of consistent and periodic assessments of risks
D. a process for identifying and analyzing threats and vulnerabilities
View answer
Correct Answer: C
Question #287
Reevaluation of risk is MOST critical when there is:
A. a change in security policy
B. resistance to the implementation of mitigating controls
C. a change in the threat landscape
D. a management request for updated security reports
View answer
Correct Answer: C
Question #288
A business impact analysis (BIA) is the BEST tool for calculating:
A. total cost of ownership
B. priority of restoration
C. annualized loss expectancy (ALE)
D. residual risk
View answer
Correct Answer: B
Question #289
Which of the following characteristics is MOST important when looking at prospective candidates for the role of chief information security officer (CISO)?
A. Knowledge of information technology platforms, networks and development methodologies
B. Ability to understand and map organizational needs to security technologies
C. Knowledge of the regulatory environment and project management techniques
D. Ability to manage a diverse group of individuals and resources across an organization
View answer
Correct Answer: B
Question #290
After implementing an information security governance framework, which of the following would provide the BEST information to develop an information security project plan?
A. Risk heat map
B. Recent audit results
C. Balanced scorecard
D. Gap analysis
View answer
Correct Answer: C
Question #291
When performing a risk assessment, the MOST important consideration is that:
A. management supports risk mitigation efforts
B. annual loss expectations (ALEs) have been calculated for critical assets
C. assets have been identified and appropriately valued
D. attack motives, means and opportunities be understood
View answer
Correct Answer: C
Question #292
Which of the following is the BEST reason to initiate a reassessment of current risk?
A. Follow-up to an audit report
B. A recent security incident
C. Certification requirements
D. Changes to security personnel
View answer
Correct Answer: B
Question #293
Which of the following has the MOST direct impact on the usability of an organization's asset classification program?
A. The granularity of classifications in the hierarchy
B. The frequency of updates to the organization’s risk register
C. The business objectives of the organization
D. The support of senior management for the classification scheme
View answer
Correct Answer: A
Question #294
Which of the following would BEST protect an organization's confidential data stored on a laptop computer from unauthorized access?
A. Strong authentication by password
B. Encrypted hard drives
C. Multifactor authentication procedures
D. Network-based data backup
View answer
Correct Answer: B
Question #295
Which of the following is the MOST important outcome from vulnerability scanning?
A. Prioritization of risks
B. Information about steps necessary to hack the system
C. Identification of back doors
D. Verification that systems are properly configured
View answer
Correct Answer: D
Question #296
An organization plans to allow employees to use their own devices on the organization’s network. Which of the following is the information security manager’s BEST course of action?
A. Implement automated software
B. Assess associated risk
C. Conduct awareness training
D. Update the security policy
View answer
Correct Answer: B
Question #297
What would be the MOST significant security risks when using wireless local area network (LAN) technology?
A. Man-in-the-middle attack
B. Spoofing of data packets
C. Rogue access point
D. Session hijacking
View answer
Correct Answer: C
Question #298
Secure customer use of an e-commerce application can BEST be accomplished through:
A. data encryption
B. digital signatures
C. strong passwords
D. two-factor authentication
View answer
Correct Answer: A
Question #299
Which of the following BEST describes a buffer overflow?
A. A program contains a hidden and unintended function that presents a security risk
B. A type of covert channel that captures data
C. Malicious code designed to interfere with normal operations
D. A function is carried out with more data than the function can handle
View answer
Correct Answer: D
Question #300
Which of the following presents the GREATEST threat to the security of an enterprise resource planning (ERP) system?
A. User ad hoc reporting is not logged
B. Network traffic is through a single switch
C. Operating system (OS) security patches have not been applied
D. Database security defaults to ERP settings
View answer
Correct Answer: C
Question #301
When integrating information security requirements into software development, which of the following practices should be FIRST in the development lifecycle?
A. Penetration testing
B. Dynamic code analysis
C. Threat modeling
D. Source code review
View answer
Correct Answer: C
Question #302
Which of the following is the MOST important reason why information security objectives should be defined?
A. Tool for measuring effectiveness
B. General understanding of goals
C. Consistency with applicable standards
D. Management sign-off and support initiatives
View answer
Correct Answer: A
Question #303
An organization’s information security strategy for the coming year emphasizes reducing the risk of ransomware. Which of the following would be MOST helpful to support this strategy?
A. Provide relevant training to all staff
B. Create a penetration testing plan
C. Perform a controls gap analysis
D. Strengthen security controls for the IT environment
View answer
Correct Answer: A
Question #304
During the establishment of a service level agreement (SLA) with a cloud service provider, it is MOST important for the information security manager to:
A. update the security policy to reflect the provider's terms of service
B. ensure security requirements are contractually enforceable
C. set up proper communication paths with the provider
D. understand the cloud storage architecture in use to determine security risk
View answer
Correct Answer: B
Question #305
Which of the following will BEST prevent external security attacks?
A. Static IP addressing
B. Network address translation
C. Background checks for temporary employees
D. Securing and analyzing system access logs
View answer
Correct Answer: B
Question #306
An information security manager is preparing a presentation to obtain support for a security initiative. Which of the following would be the BEST way to obtain management’s commitment for the initiative?
A. Include historical data of reported incidents
B. Provide the estimated return on investment
C. Provide an analysis of current risk exposures
D. Include industry benchmarking comparisons
View answer
Correct Answer: C
Question #307
Planning for the implementation of an information security program is MOST effective when it:
A. uses decision trees to prioritize security projects
B. applies gap analysis to current and future business plans
C. uses risk-based analysis for security projects
D. applies technology-driven solutions to identified needs
View answer
Correct Answer: C
Question #308
An information security organization should PRIMARILY:
A. support the business objectives of the company by providing security-related support services
B. be responsible for setting up and documenting the information security responsibilities of the information security team members
C. ensure that the information security policies of the company are in line with global best practices and standards
D. ensure that the information security expectations are conveyed to employees
View answer
Correct Answer: A
Question #309
To ensure that payroll systems continue to operate in the event of a hurricane hitting a data center, what would be the FIRST crucial step an information security manager would take in ensuring business continuity planning?
A. Conducting a qualitative and quantitative risk analysis
B. Assigning value to the assets
C. Weighing the cost of implementing the plan vs
D. Conducting a business impact analysis (BIA)
View answer
Correct Answer: D
Question #310
The organization has decided to outsource the majority of the IT department with a vendor that is hosting servers in a foreign country. Of the following, which is the MOST critical security consideration?
A. Laws and regulations of the country of origin may not be enforceable in the foreign country
B. A security breach notification might get delayed due to the time difference
C. Additional network intrusion detection sensors should be installed, resulting in an additional cost
D. The company could lose physical control over the server and be unable to monitor the physical security posture of the servers
View answer
Correct Answer: A
Question #311
Which two components PRIMARILY must be assessed in an effective risk analysis?
A. Visibility and duration
B. Likelihood and impact
C. Probability and frequency
D. Financial impact and duration
View answer
Correct Answer: B
Question #312
Previously accepted risk should be:
A. re-assessed periodically since the risk can be escalated to an unacceptable level due to revised conditions
B. accepted permanently since management has already spent resources (time and labor) to conclude that the risk level is acceptable
C. avoided next time since risk avoidance provides the best protection to the company
D. removed from the risk log once it is accepted
View answer
Correct Answer: A
Question #313
Which of the following is the BEST way for an information security manager to justify continued investment in the information security program when the organization is facing significant budget cuts?
A. Demonstrate that the program enables business activities
B. Demonstrate an increase in ransomware attacks targeting peer organizations
C. Demonstrate that implemented program controls are effective
D. Demonstrate the readiness of business continuity plans
View answer
Correct Answer: A
Question #314
Which of the following should be done FIRST when establishing a new data protection program that must comply with applicable data privacy regulations?
A. Create an inventory of systems where personal data is stored
B. Encrypt all personal data stored on systems and networks
C. Evaluate privacy technologies required for data protection
D. Update disciplinary processes to address privacy violations
View answer
Correct Answer: C
Question #315
Risk assessment is MOST effective when performed:
A. at the beginning of security program development
B. on a continuous basis
C. while developing the business case for the security program
D. during the business change process
View answer
Correct Answer: B
Question #316
A PRIMARY advantage of involving business management in evaluating and managing information security risks is that they:
A. better understand organizational risks
B. can balance technical and business risks
C. are more objective than security management
D. better understand the security architecture
View answer
Correct Answer: B
Question #317
Information security awareness programs are MOST effective when they are:
A. customized for each target audience
B. sponsored by senior management
C. reinforced by computer-based training
D. conducted at employee orientation
View answer
Correct Answer: A
Question #318
Which of the following is the FIRST step in developing a disaster recovery plan (DRP)?
A. Perform a business impact analysis (BIA)
B. Identify potential third-party service providers
C. Set a recovery time objective (RTO)
D. Set a recovery point objective (RPO)
View answer
Correct Answer: A
Question #319
An organization has recently experienced unauthorized device access to its network. To proactively manage the problem and mitigate this risk, the BEST preventive control would be to:
A. keep an inventory of network and hardware addresses of all systems connected to the network
B. install a stateful inspection firewall to prevent unauthorized network traffic
C. implement network-level authentication and login to regulate access of devices to the network
D. deploy an automated asset inventory discovery tool to identify devices that access the network
View answer
Correct Answer: C
Question #320
What is the BEST policy for securing data on mobile universal serial bus (USB) drives?
A. Authentication
B. Encryption
C. Prohibit employees from copying data to USB devices
D. Limit the use of USB devices
View answer
Correct Answer: B
Question #321
Which of the following would a security manager establish to determine the target for restoration of normal processing?
A. Recovery time objective (RTO)
B. Maximum tolerable outage (MTO)
C. Recovery point objectives (RPOs)
D. Services delivery objectives (SDOs)
View answer
Correct Answer: A
Question #322
Which of the following should be the MOST important consideration when implementing an information security framework?
A. Compliance requirements
B. Audit findings
C. Risk appetite
D. Technical capabilities
View answer
Correct Answer: A
Question #323
Which of the following is MOST critical to review when preparing to outsource a data repository to a cloud-based solution?
A. Disaster recovery plan
B. Identity and access management
C. Vendor’s information security policy
D. A risk assessment
View answer
Correct Answer: C
Question #324
It is important to classify and determine relative sensitivity of assets to ensure that:
A. cost of protection is in proportion to sensitivity
B. highly sensitive assets are protected
C. cost of controls is minimized
D. countermeasures are proportional to risk
View answer
Correct Answer: D
Question #325
An organization wants to enable digital forensics for a business-critical application. Which of the following will BEST help to support this objective?
A. Install biometric access control
B. Develop an incident response plan
C. Define data retention criteria
D. Enable activity logging
View answer
Correct Answer: D
Question #326
Who should drive the risk analysis for an organization?
A. Senior management
B. Security manager
C. Quality manager
D. Legal department
View answer
Correct Answer: B
Question #327
Which of the following would be MOST helpful to the information security manager tasked with enforcing enhanced password standards?
A. Conducting password strength testing
B. Reeducating end users on creating strong complex passwords
C. Implementing a centralized identity management system
D. Implementing technical password controls to include strong complexity
View answer
Correct Answer: C
Question #328
The PRIMARY reason for classifying assets is to:
A. balance asset value and protection measures
B. identify low-value assets with insufficient controls
C. establish clear lines of authority and ownership for the asset
D. inform senior management of the organization's risk posture
View answer
Correct Answer: A
Question #329
Which of the following is the BEST approach for an information security manager to effectively manage third-party risk?
A. Ensure controls are implemented to address changes in risk
B. Ensure senior management has approved the vendor relationship
C. Ensure risk management efforts are commensurate with risk exposure
D. Ensure vendor governance controls are in place
View answer
Correct Answer: D
Question #330
When outsourcing application development to a third party, which of the following is the BEST way to ensure the organization's security requirements are met?
A. Include a right to audit the system development lifecycle in the contract
B. Provide training in secure application coding to the third-party staff
C. Perform independent security testing of the developed applications
D. Require the third-party provider to document its security methodology
View answer
Correct Answer: C
Question #331
The PRIMARY objective of a security steering group is to:
A. ensure information security covers all business functions
B. ensure information security aligns with business goals
C. raise information security awareness across the organization
D. implement all decisions on security management across the organization
View answer
Correct Answer: B
Question #332
When drafting the corporate privacy statement for a public web site, which of the following MUST be included?
A. Access control requirements
B. Limited liability clause
C. Information encryption requirements
D. of information usage
View answer
Correct Answer: C
Question #333
The PRIMARY purpose of implementing information security governance metrics is to:
A. measure alignment with best practices
B. assess operational and program metrics
C. refine control operations
D. guide security towards the desired state
View answer
Correct Answer: D
Question #334
In a business impact analysis, the value of an information system should be based on the overall cost:
A. of recovery
B. to recreate
C. if unavailable
D. of emergency operations
View answer
Correct Answer: C
Question #335
A multinational organization wants to ensure its privacy program appropriately addresses privacy risk throughout its operations. Which of the following would be of MOST concern to senior management?
A. The organization uses a decentralized privacy governance structure
B. Privacy policies are only reviewed annually
C. The organization does not have a dedicated privacy officer
D. The privacy program does not include a formal training component
View answer
Correct Answer: D
Question #336
Which of the following is MOST important for an information security manager to ensure is included in a business case for a new security system?
A. Effectiveness of controls
B. Risk reduction associated with the system
C. Audit-logging capabilities
D. Benchmarking results
View answer
Correct Answer: B
Question #337
Which of the following devices, when placed in a demilitarized zone (DMZ), would be considered a significant exposure?
A. Authentication server
B. Web server
C. Proxy server
D. Intrusion detection server
View answer
Correct Answer: A
Question #338
The PRIMARY benefit of performing an information asset classification is to:
A. link security requirements to business objectives
B. identify controls commensurate to risk
C. define access rights
D. establish ownership
View answer
Correct Answer: B
Question #339
In order to protect a network against unauthorized external connections to corporate systems, the information security manager should BEST implement:
A. a strong authentication
B. IP antispoofing filtering
C. network encryption protocol
D. access lists of trusted devices
View answer
Correct Answer: A
Question #340
Which is MOST important to identify when developing an effective information security strategy?
A. Business assets to be secured
B. Potential savings resulting from security governance
C. Compliance requirements
D. Control gaps that require remediation
View answer
Correct Answer: A
Question #341
Which of the following should an information security manager do FIRST after learning about a new regulation that affects the organization?
A. Evaluate the changes with legal counsel
B. Notify the affected business units
C. Assess the noncompliance risk
D. Inform senior management of the new regulation
View answer
Correct Answer: A
Question #342
A risk assessment should be conducted:
A. once a year for each business process and subprocess
B. every three to six months for critical business processes
C. by external parties to maintain objectivity
D. annually or whenever there is a significant change
View answer
Correct Answer: D
Question #343
Which of the following security characteristics is MOST important to the protection of customer data in an online transaction system?
A. Availability
B. Data segregation
C. Audit monitoring
D. Authentication
View answer
Correct Answer: D
Question #344
An outsource service provider must handle sensitive customer information. Which of the following is MOST important for an information security manager to know?
A. Security in storage and transmission of sensitive data
B. Provider's level of compliance with industry standards
C. Security technologies in place at the facility
D. Results of the latest independent security review
View answer
Correct Answer: A
Question #345
In order to ensure separation of duties, which of the following activities is BEST performed by someone other than the system administrator?
A. Deleting system logs
B. Using system utilities
C. Monitoring system utilization
D. Defining system recovery procedures
View answer
Correct Answer: A
Question #346
Which of the following is MOST important when selecting a third-party security operations center?
A. Indemnity clauses
B. Independent controls assessment
C. Incident response plans
D. Business continuity plans
View answer
Correct Answer: B
Question #347
In order to highlight to management the importance of integrating information security in the business processes, a newly hired information security officer should FIRST:
A. prepare a security budget
B. conduct a risk assessment
C. develop an information security policy
D. obtain benchmarking information
View answer
Correct Answer: B
Question #348
Which of the following devices should be placed within a DMZ?
A. Proxy server
B. Application server
C. Departmental server
D. Data warehouse server
View answer
Correct Answer: B
Question #349
An organization with a maturing incident response program conducts post-incident reviews for all major information security incidents. The PRIMARY goal of these reviews should be to:
A. document and report the root cause of the incidents for senior management
B. identify security program gaps or systemic weaknesses that need correction
C. prepare properly vetted notifications regarding the incidents to external parties
D. identify who should be held accountable for the security incidents
View answer
Correct Answer: A
Question #350
The BEST time to perform a penetration test is after:
A. an attempted penetration has occurred
B. an audit has reported weaknesses in security controls
C. various infrastructure changes are made
D. a high turnover in systems staff
View answer
Correct Answer: C
Question #351
Which of the following should be of MOST concern to an information security manager reviewing an organization’s data classification program?
A. The program allows exceptions to be granted
B. Labeling is not consistent throughout the organization
C. Data retention requirements are not defined
D. The classifications do not follow industry best practices
View answer
Correct Answer: B
Question #352
Which of the following groups would be in the BEST position to perform a risk analysis for a business?
A. External auditors
B. A peer group within a similar business
C. Process owners
D. A specialized management consultant
View answer
Correct Answer: C
Question #353
The data access requirements for an application should be determined by the:
A. legal department
B. compliance officer
C. information security manager
D. business owner
View answer
Correct Answer: D
Question #354
Which of the following would BEST provide stakeholders with information to determine the appropriate response to a disaster?
A. Risk assessment
B. Vulnerability assessment
C. Business impact analysis
D. SWOT analysis
View answer
Correct Answer: C
Question #355
The criticality and sensitivity of information assets is determined on the basis of:
A. threat assessment
B. vulnerability assessment
C. resource dependency assessment
D. impact assessment
View answer
Correct Answer: D
Question #356
The MOST important factor in ensuring the success of an information security program is effective:
A. communication of information security requirements to all users in the organization
B. formulation of policies and procedures for information security
C. alignment with organizational goals and objectives
D. monitoring compliance with information security policies and procedures
View answer
Correct Answer: C
Question #357
Which of the following is the BEST way to increase the visibility of information security within an organization’s culture?
A. Requiring cross-functional information security training
B. Implementing user awareness campaigns for the entire company
C. Publishing an acceptable use policy
D. Establishing security policies based on industry standards
View answer
Correct Answer: A
Question #358
An organization is concerned with the risk of information leakage caused by incorrect use of personally owned smart devices by employees. What is the BEST way for the information security manager to mitigate the associated risk?
A. Require employees to sign a nondisclosure agreement (NDA)
B. Implement a mobile device management (MDM) solution
C. Document a bring-your-own-device (BYOD) policy
View answer
Correct Answer: B
Question #359
Threat and vulnerability assessments are important PRIMARILY because they are:
A. needed to estimate risk
B. the basis for setting control objectives
C. elements of the organization’s security posture
D. used to establish security investments
View answer
Correct Answer: A
Question #360
Which of the following is the MOST relevant metric to include in an information security quarterly report to the executive committee?
A. Security compliant servers trend report
B. Percentage of security compliant servers
C. Number of security patches applied
D. Security patches applied trend report
View answer
Correct Answer: A