DON'T WANT TO MISS A THING?

Certification Exam Passing Tips

Latest exam news and discount info

Curated and up-to-date by our experts

Yes, send me the newsletter

Boost Your ISACA Exam Preparation with CISM Practice Tests

Achieving the Certified Information Security Manager (CISM) certification is crucial in today's landscape of constantly evolving security threats and data breaches. However, preparing for the CISM exam can be a challenging task. That's where SPOTO's CISM exam questions and resources come into play. SPOTO offers a comprehensive collection of CISM exam questions and answers, test questions, mock exams, and study materials tailored to the CISM exam objectives. These exam preparation resources are designed to simulate the real exam environment, providing you with a realistic experience and boosting your confidence. With SPOTO's CISM exam questions, you can identify areas where you need further study and practice, ensuring you have the knowledge and skills necessary to assess risks, implement effective governance, and proactively respond to security incidents. By leveraging these exam resources and practicing with mock exams, you can effectively prepare and increase your chances of passing the CISM certification exam successfully. Data breaches, ransomware attacks and other constantly evolving security threats are top-of-mind for today's IT professionals. With a Certified Information Security Manager® (CISM®) certification, you'll learn how to assess risks, implement effective governance and proactively respond to incidents.
Take other online exams

Question #1
Which of the following is the MOST essential task for a chief information security officer (CISO) to perform?
A. Update platform-level security settings
B. Conduct disaster recovery test exercises
C. Approve access to critical financial systems
D. Develop an information security strategy paper
View answer
Correct Answer: D
Question #2
Who should decide the extent to which an organization will comply with new cybersecurity regulatory requirements?
A. Senior management
B. IT steering committee
C. Legal counsel
D. Information security manager
View answer
Correct Answer: A
Question #3
Which of the following is the information security manager's PRIMARY role in the information assets classification process?
A. Assigning asset ownership
B. Assigning the asset classification level
C. Securing assets in accordance with their classification
D. Developing an asset classification model
View answer
Correct Answer: D
Question #4
If the inherent risk of a business activity is higher than the acceptable risk level, the information security manager should FIRST:
A. implement controls to mitigate the risk to an acceptable level
B. recommend that management avoids the business activity
C. assess the gap between current and acceptable level of risk
D. transfer risk to a third party to avoid cost of impact
View answer
Correct Answer: C
Question #5
Risk scenarios simplify the risk assessment process by:
A. reducing the need for subsequent risk evaluation
B. focusing on important and relevant risk
C. ensuring business risk is mitigated
D. covering the full range of possible risk
View answer
Correct Answer: B
Question #6
A company has purchased a rival organization and is looking to integrate security strategies. Which of the following is the GREATEST issue to consider?
A. The organizations have different risk appetites
B. Differing security technologies
C. Differing security skills within the organizations
D. Confidential information could be leaked
View answer
Correct Answer: A
Question #7
Which of the following is the MOST important consideration in a bring your own device (BYOD) program to protect company data in the event of a loss?
A. The ability to remotely locate devices
B. The ability to centrally manage devices
C. The ability to restrict unapproved applications
D. The ability to classify types of devices
View answer
Correct Answer: B
Question #8
An organization is going through a digital transformation process, which places the IT organization in an unfamiliar risk landscape. The information security manager has been tasked with leading the IT risk management process. Which of the following should be given the HIGHEST priority?
A. Identification of risk
B. Design of key risk indicators (KRIs)
C. Analysis of control gaps
D. Selection of risk treatment options
View answer
Correct Answer: A
Question #9
For a user of commercial software downloaded from the Internet, which of the following is the MOST effective means of ensuring authenticity?
A. Digital signatures
B. Digital certificates
C. Digital code signing
D. Steganography
View answer
Correct Answer: C
Question #10
Which of the following would be the MOST important goal of an information security governance program?
A. Review of internal control mechanisms
B. Effective involvement in business decision making
C. Total elimination of risk factors
D. Ensuring trust in data
View answer
Correct Answer: D
Question #11
The BEST way to encourage good security practices is to:
A. schedule periodic compliance audits
B. discipline those who fail to comply with the security policy
C. recognize appropriate security behavior by individuals
D. publish the information security policy
View answer
Correct Answer: C
Question #12
Following a significant change to the underlying code of an application, it is MOST important for the information security manager to:
A. inform senior management
B. update the risk assessment
C. validate the user acceptance testing (UAT)
D. modify key risk indicators (KRIs)
View answer
Correct Answer: A
Question #13
Which of the following results from the risk assessment process would BEST assist risk management decision making?
A. Control risk
B. Inherent risk
C. Risk exposure
D. Residual risk
View answer
Correct Answer: D
Question #14
When implementing security controls, an information security manager must PRIMARILY focus on:
A. minimizing operational impacts
B. eliminating all vulnerabilities
C. usage by similar organizations
D. certification from a third party
View answer
Correct Answer: A
Question #15
Which of the following is the MOST important item to consider when evaluating products to monitor security across the enterprise?
A. Ease of installation
B. Product documentation
C. Available support
D. System overhead
View answer
Correct Answer: D
Question #16
In order to understand an organization’s security posture, it is MOST important for an organization’s senior leadership to:
A. ensure established security metrics are reported
B. review the number of reported security incidents
C. assess progress of risk mitigation efforts
D. evaluate results of the most recent incident response test
View answer
Correct Answer: A
Question #17
Which of the following types of information would the information security manager expect to have the LOWEST level of security protection in a large, multinational enterprise?
A. Strategic business plan
B. Upcoming financial results
C. Customer personal information
D. Previous financial results
View answer
Correct Answer: D
Question #18
An information security manager has researched several options for handling ongoing security concerns and will be presenting these solutions to business managers. Which of the following will BEST enable business managers to make an informed decision?
A. Business impact analysis (BIA)
B. Cost-benefit analysis
C. Risk analysis
D. Gap analysis
View answer
Correct Answer: A
Question #19
An information security manager has discovered that a business unit is planning on implementing a new application and has not engaged anyone from the information security department. Which of the following is the BEST course of action?
A. Recommend involvement with the change manager
B. Block the application from going into production
C. Discuss the issue with senior leadership
D. Review and update the change management process
View answer
Correct Answer: A
Question #20
Which of the following approaches is BEST for selecting controls to minimize information security risks?
A. Cost-benefit analysis
B. Control-effectiveness
C. Risk assessment
D. Industry best practices
View answer
Correct Answer: C
Question #21
The MAIN reason for an information security manager to monitor industry level changes in the business and IT is to:
A. evaluate the effect of the changes on the levels of residual risk
B. identify changes in the risk environment
C. update information security policies in accordance with the changes
D. change business objectives based on potential impact
View answer
Correct Answer: B
Question #22
A risk management approach to information protection is:
A. managing risks to an acceptable level, commensurate with goals and objectives
B. accepting the security posture provided by commercial security products
C. implementing a training program to educate individuals on information protection and risks
D. managing risk tools to ensure that they assess all information protection vulnerabilities
View answer
Correct Answer: A
Question #23
When performing a quantitative risk analysis, which of the following is MOST important to estimate the potential loss?
A. Evaluate productivity losses
B. Assess the impact of confidential data disclosure
C. Calculate the value of the information or asset
D. Measure the probability of occurrence of each threat
View answer
Correct Answer: C
Question #24
Security risk assessments should cover only information assets that:
A. are classified and labeled
B. are inside the organization
C. support business processes
D. have tangible value
View answer
Correct Answer: A
Question #25
Which of the following devices, when placed in a demilitarized zone (DMZ), would be considered the MOSTsignificant exposure?
A. Proxy server
B. Mail relay server
C. Application server
D. Database server
View answer
Correct Answer: D
Question #26
Which of the following is characteristic of centralized information security management?
A. More expensive to administer
B. Better adherence to policies
C. More aligned with business unit needs
D. Faster turnaround of requests
View answer
Correct Answer: B
Question #27
To gain a clear understanding of the impact that a new regulatory requirement will have on an organization's information security controls, an information security manager should FIRST:
A. onduct a cost-benefit analysis
B. onduct a risk assessment
C. nterview senior management
D. erform a gap analysis
View answer
Correct Answer: D
Question #28
In an organization with effective IT risk management, the PRIMARY reason to establish key risk indicators (KRIs) is to:
A. provide information to remediate risk events
B. demonstrate the alignment of risk management efforts
C. map potential risk to key organizational strategic initiatives
D. identity triggers that exceed risk thresholds
View answer
Correct Answer: C
Question #29
The main mail server of a financial institution has been compromised at the superuser level; the only way to ensure the system is secure would be to:
A. change the root password of the system
B. implement multifactor authentication
C. rebuild the system from the original installation medium
D. disconnect the mail server from the network
View answer
Correct Answer: C
Question #30
Which of the following is MOST appropriate for inclusion in an information security strategy?
A. Business controls designated as key controls
B. Security processes, methods, tools and techniques
C. Firewall rule sets, network defaults and intrusion detection system (IDS) settings
D. Budget estimates to acquire specific security tools
View answer
Correct Answer: B
Question #31
Which of the following metrics would be the MOST useful in measuring how well information security is monitoring violation logs?
A. Penetration attempts investigated
B. Violation log reports produced
C. Violation log entries
D. Frequency of corrective actions taken
View answer
Correct Answer: A
Question #32
Which of the following security activities should be implemented in the change management process to identify key vulnerabilities introduced by changes?
A. Business impact analysis (BIA)
B. Penetration testing
C. Audit and review
D. Threat analysis
View answer
Correct Answer: B
Question #33
Which of the following is the MOST significant security risk in IT asset management?
A. IT assets may be used by staff for private purposes
B. Unregistered IT assets may not be supported
C. Unregistered IT assets may not be included in security documentation
D. Unregistered IT assets may not be configured properly
View answer
Correct Answer: A
Question #34
The PRIMARY purpose for continuous monitoring of security controls is to ensure:
A. system availability
B. control gaps are minimized
C. effectiveness of controls
D. alignment with compliance requirements
View answer
Correct Answer: C
Question #35
Which of the following is MOST effective in protecting against the attack technique known as phishing?
A. Firewall blocking rules
B. Up-to-date signature files
C. Security awareness training
D. Intrusion detection monitoring
View answer
Correct Answer: C
Question #36
Successful social engineering attacks can BEST be prevented through:
A. preemployment screening
B. close monitoring of users' access patterns
C. periodic awareness training
D. efficient termination procedures
View answer
Correct Answer: C
Question #37
Which of the following is responsible for legal and regulatory liability?
A. Chief security officer (CSO)
B. Chief legal counsel (CLC)
C. Board and senior management
D. Information security steering group
View answer
Correct Answer: C
Question #38
An information security manager has been assigned to implement more restrictive preventive controls. By doing so, the net effect will be to PRIMARILY reduce the:
A. threat
B. loss
C. vulnerability
D. probability
View answer
Correct Answer: C
Question #39
Which of the following is MOST helpful in integrating information security governance with corporate governance?
A. Assigning the implementation of information security governance to the steering committee
B. Including information security processes within operational and management processes
C. Providing independent reports of information security efficiency and effectiveness to the board
D. Aligning the information security governance to a globally accepted framework
View answer
Correct Answer: B
Question #40
Which of the following is the BEST way to determine if an organization’s current risk is within the risk appetite?
A. Conducting a business impact analysis (BIA)
B. Implementing key performance indicators (KPIs)
C. Implementing key risk indicators (KRIs)
D. Developing additional mitigating controls
View answer
Correct Answer: C
Question #41
Minimum standards for securing the technical infrastructure should be defined in a security:
A. strategy
B. guidelines
C. model
D. architecture
View answer
Correct Answer: D
Question #42
When a significant security breach occurs, what should be reported FIRST to senior management?
A. A summary of the security logs that illustrates the sequence of events
B. An of the incident and corrective action taken
C. An analysis of the impact of similar attacks at other organizations
D. A business case for implementing stronger logical access controls
View answer
Correct Answer: B
Question #43
Which of the following would be MOST effective in successfully implementing restrictive password policies?
A. Regular password audits
B. Single sign-on system
C. Security awareness program
D. Penalties for noncompliance
View answer
Correct Answer: C
Question #44
Which of the following is the BEST course of action for an information security manager to align security and business goals?
A. Defining key performance indicators (KPIs)
B. Actively engaging with stakeholders
C. Reviewing the business strategy
D. Conducting a business impact analysis (BIA)
View answer
Correct Answer: D
Question #45
An organization with a strict need-to-know information access policy is about to launch a knowledge management intranet.Which of the following is the MOST important activity to ensure compliance with existing security policies?
A. Develop a control procedure to check content before it is published
B. Change organization policy to allow wider use of the new web site
C. Ensure that access to the web site is limited to senior managers and the board
D. Password-protect documents that contain confidential information
View answer
Correct Answer: A
Question #46
A large organization is in the process of developing its information security program that involves working with several complex organizational functions. Which of the following will BEST enable the successful implementation of this program?
A. Security governance
B. Security policy
C. Security metrics
D. Security guidelines
View answer
Correct Answer: A
Question #47
Investments in information security technologies should be based on:
A. vulnerability assessments
B. value analysis
C. business climate
D. audit recommendations
View answer
Correct Answer: B
Question #48
An organization enacted several information security policies to satisfy regulatory requirements. Which of the following situations would MOST likely increase the probability of noncompliance to these requirements?
A. Inadequate buy-in from system owners to support the policies
B. Availability of security policy documents on a public website
C. Lack of training for end users on security policies
D. Lack of an information security governance framework
View answer
Correct Answer: A
Question #49
An organization is adopting a standardized corporate chat messaging technology to help facilitate communication among business units. Which of the following is an ESSENTIAL task associated with this initiative?
A. Increasing security and operational staffing to support the technology
B. Restricting the use of the technology in departments with sensitive information
C. Reviewing existing organizational policies regarding the new technology
D. Enforcing encryption of chat communications
View answer
Correct Answer: C
Question #50
Which of the following is MOST important to the success of an information security program?
A. Security' awareness training
B. Achievable goals and objectives
C. Senior management sponsorship
D. Adequate start-up budget and staffing
View answer
Correct Answer: C
Question #51
A newly hired information security manager discovers that the cleanup of accounts for terminated employees happens only once a year.Which of the following should be the information security manager’s FIRST course of action?
A. Design and document a new process
B. Update the security policy
C. Perform a risk assessment
D. Report the issue to senior management
View answer
Correct Answer: C
Question #52
Which of the following is MOST important for an information security manager to ensure when evaluating change requests?
A. Requests are approved by process owners
B. Requests add value to the business
C. Residual risk is within risk tolerance
D. Contingency plans have been created
View answer
Correct Answer: D
Question #53
Which of the following is the MOST effective solution for preventing internal users from modifying sensitive and classified information?
A. Baseline security standards
B. System access violation logs
C. Role-based access controls
D. Exit routines
View answer
Correct Answer: C
Question #54
Which of the following roles is PRIMARILY responsible for determining the information classification levels for a given information asset?
A. Manager
B. Custodian
C. User
D. Owner
View answer
Correct Answer: D
Question #55
An information security steering group should:
A. provide general oversight and guidance
B. develop information security policies
C. establish information security baselines
D. oversee the daily operations of the security program
View answer
Correct Answer: A
Question #56
Which of the following is the BEST way to demonstrate to senior management that organizational security practices comply with industry standards?
A. Results of an independent assessment
B. Up-to-date policy and procedures documentation
C. A report on the maturity of controls
D. Existence of an industry-accepted framework
View answer
Correct Answer: A
Question #57
In the process of deploying a new e-mail system, an information security manager would like to ensure the confidentiality of messages while in transit. Which of the following is the MOST appropriate method to ensure data confidentiality in a new e-mail system implementation?
A. Encryption
B. Digital certificate
C. Digital signature
D. I lashing algorithm
View answer
Correct Answer: A
Question #58
The effectiveness of an information security governance framework will BEST be enhanced if:
A. IS auditors are empowered to evaluate governance activities
B. risk management is built into operational and strategic activities
C. a culture of legal and regulatory compliance is promoted by management
D. consultants review the information security governance framework
View answer
Correct Answer: D
Question #59
Data owners must provide a safe and secure environment to ensure confidentiality, integrity and availability of the transaction. This is an example of an information security:
A. baseline
B. strategy
C. procedure
D. policy
View answer
Correct Answer: D
Question #60
An organization plans to implement a document collaboration solution to allow employees to share company information. Which of the following is the MOST important control to mitigate the risk associated with the new solution?
A. Assign write access to data owners
B. Allow a minimum number of user access to the solution
C. Have data owners perform regular user access reviews
D. Permit only non-sensitive information on the solution
View answer
Correct Answer: C
Question #61
Which of the following would BEST enhance firewall security?
A. Placing the firewall on a screened subnet
B. Logging of security events
C. Implementing change-control practices
D. Providing dynamic address assignment
View answer
Correct Answer: B
Question #62
When residual risk is minimized:
A. acceptable risk is probable
B. transferred risk is acceptable
C. control risk is reduced
D. risk is transferable
View answer
Correct Answer: A
Question #63
When a newly installed system for synchronizing passwords across multiple systems and platforms abnormally terminates without warning, which of the following should automatically occur FIRST?
A. The firewall should block all inbound traffic during the outage
B. All systems should block new logins until the problem is corrected
C. Access control should fall back to no synchronized mode
D. System logs should record all user activity for later analysis
View answer
Correct Answer: C
Question #64
Risk acceptance is a component of which of the following?
A. Assessment
B. Mitigation
C. Evaluation
D. Monitoring
View answer
Correct Answer: B
Question #65
Who is ultimately responsible for the organization's information?
A. Data custodian
B. Chief information security officer (CISO)
C. Board of directors
D. Chief information officer (CIO)
View answer
Correct Answer: C
Question #66
Which of the following is the FIRST task when determining an organization’s information security profile?
A. Build an asset inventory
B. List administrative privileges
C. Establish security standards
D. Complete a threat assessment
View answer
Correct Answer: C
Question #67
Which of the following is the BEST method to determine whether an information security program meets an organization’s business objectives?
A. Implement performance measures
B. Review against international security standards
C. Perform a business impact analysis (BIA)
D. Conduct an annual enterprise-wide security evaluation
View answer
Correct Answer: A
Question #68
Which of the following risks would BEST be assessed using quantitative risk assessment techniques?
A. Customer data stolen
B. An electrical power outage
C. A web site defaced by hackers
D. Loss of the software development team
View answer
Correct Answer: B
Question #69
Which of the following is MOST important for an information security manager to regularly report to senior management?
A. Results of penetration tests
B. Audit reports
C. Impact of unremediated risks
D. Threat analysis reports
View answer
Correct Answer: C
Question #70
The PRIMARY objective of a risk response strategy should be:
A. threat reduction
B. regulatory compliance
C. senior management buy-in
D. appropriate control selection
View answer
Correct Answer: A
Question #71
The PRIMARY purpose of establishing an information security governance framework should be to:
A. align information security strategy and investments to support organizational activities
B. align corporate governance, activities, and investments to information security goals
C. establish the business case for strategic integration of information security in organizational efforts
D. document and communicate how the information security program functions within the organization
View answer
Correct Answer: A
Question #72
Which of the following controls is MOST effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices?
A. Regular review of access control lists
B. Security guard escort of visitors
C. Visitor registry log at the door
D. A biometric coupled with a PIN
View answer
Correct Answer: A
Question #73
Which of the following is MOST important to consider when developing a disaster recovery plan?
A. Business continuity plan (BCP)
B. Business impact analysis (BIA)
C. Cost-benefit analysis
D. Feasibility assessment
View answer
Correct Answer: B
Question #74
The BEST metric for evaluating the effectiveness of a firewall is the:
A. number of attacks blocked
B. number of packets dropped
C. average throughput rate
D. number of firewall rules
View answer
Correct Answer: A
Question #75
Which of the following BEST facilitates the monitoring of risk across an organization?
A. Penetration testing
B. Key risk indicators (KRIs)
C. Threat assessments
D. Risk appetite trends
View answer
Correct Answer: B
Question #76
Which of the following is the BEST criterion to use when classifying assets?
A. The market value of the assets
B. Annual loss expectancy (ALE)
C. Value of the assets relative to the organization
D. Recovery time objective (RTO)
View answer
Correct Answer: C
Question #77
Which of the following is the MOST effective approach for integrating security into application development?
A. Defining security requirements
B. Performing vulnerability scans
C. Including security in user acceptance testing sign-off
D. Developing security models in parallel
View answer
Correct Answer: A
Question #78
Which of the following would provide senior management with the BEST information to better understand the organization’s information security risk profile?
A. Scenarios that impact business operations
B. Scenarios that disrupt client services
C. Scenarios that impact business goals
D. Scenarios that have a monetary impact
View answer
Correct Answer: C
Question #79
Which of the following is the BEST indication that information security is integrated into corporate governance?
A. New vulnerabilities are reported directly to the security manager
B. Significant incidents are escalated to executive management
C. Security policy documents are reviewed periodically
D. Administrative staff is trained on current information security topics
View answer
Correct Answer: D
Question #80
Primary direction on the impact of compliance with new regulatory requirements that may lead to major application system changes should be obtained from the:
A. corporate internal auditor
B. System developers/analysts
C. key business process owners
D. corporate legal counsel
View answer
Correct Answer: C
Question #81
The BEST reason for an organization to have two discrete firewalls connected directly to the Internet and to the same DMZ would be to:
A. provide in-depth defense
B. separate test and production
C. permit traffic load balancing
D. prevent a denial-of-service attack
View answer
Correct Answer: C
Question #82
Which of the following processes can be used to remediate identified technical vulnerabilities?
A. Running baseline configurations
B. Conducting a risk assessment
C. Performing a business impact analysis (BIA)
D. Running automated scanners
View answer
Correct Answer: B
Question #83
The information security team has determined an additional security solution is needed to enhance the organization's security posture. What should the information security manager do NEXT to move forward with this initiative?
A. Evaluate available products
B. Create a business case
C. Proceed with vendor selection
D. Initiate vendor due-diligence
View answer
Correct Answer: B
Question #84
An organization has to comply with recently published industry regulatory requirements — compliance that potentially has high implementation costs. What should the information security manager do FIRST?
A. Implement a security committee
B. Perform a gap analysis
C. Implement compensating controls
D. Demand immediate compliance
View answer
Correct Answer: B
Question #85
What is the MAIN risk when there is no user management representation on the Information Security Steering Committee?
A. Functional requirements are not adequately considered
B. User training programs may be inadequate
C. Budgets allocated to business units are not appropriate
D. Information security plans are not aligned with business requirements
View answer
Correct Answer: D
Question #86
Which of the following is the MOST effective way to ensure security policies are relevant to organizational business practices?
A. Integrate industry best practices
B. Obtain senior management sign-off
C. Conduct an organization-wide security audit
D. Leverage security steering committee contribution
View answer
Correct Answer: D
Question #87
After completing a full IT risk assessment, who can BEST decide which mitigating controls should be implemented?
A. Senior management
B. Business manager
C. IT audit manager
D. Information security officer (ISO)
View answer
Correct Answer: B
Question #88
A CEO requests access to corporate documents from a mobile device that does not comply with organizational policy. The information security manager should FIRST:
A. evaluate a third-party solution
B. deploy additional security controls
C. evaluate the business risk
D. initiate an exception approval process
View answer
Correct Answer: C
Question #89
It is MOST important for an information security manager to ensure that security risk assessments are performed:
A. consistently throughout the enterprise
B. during a root cause analysis
C. as part of the security business case
D. in response to the threat landscape
View answer
Correct Answer: A
Question #90
The PRIMARY advantage of involving end users in continuity planning is that they:
A. are more objective than information security management
B. can balance the technical and business risks
C. have a better understanding of specific business needs
D. can see the overall impact to the business
View answer
Correct Answer: B
Question #91
Which of the following should be the information security manager’s NEXT step following senior management approval of the information security strategy?
A. Develop a security policy
B. Develop a budget
C. Perform a gap analysis
D. Form a steering committee
View answer
Correct Answer: A
Question #92
Which of the following would be MOST helpful in gaining support for a business case for an information security initiative?
A. Demonstrating organizational alignment
B. Emphasizing threats to the organization
C. Referencing control deficiencies
D. Presenting a solution comparison matrix
View answer
Correct Answer: A
Question #93
Which of the following should be an information security manager's PRIMARY focus during the development of a critical system storing highly confidential data?
A. Ensuring the amount of residual risk is acceptable
B. Reducing the number of vulnerabilities detected
C. Avoiding identified system threats
D. Complying with regulatory requirements
View answer
Correct Answer: D
Question #94
Which of the following situations would MOST inhibit the effective implementation of security governance?
A. The complexity of technology
B. Budgetary constraints
C. Conflicting business priorities
D. High-level sponsorship
View answer
Correct Answer: D
Question #95
Which of the following is the BEST way to integrate information security into corporate governance?
A. Engage external security consultants in security initiatives
B. Conduct comprehensive information security management training for key stakeholders
C. Ensure information security processes are part of the existing management processes
D. Require periodic security risk assessments be performed
View answer
Correct Answer: C
Question #96
Which of the following approaches would MOST likely ensure that risk management is integrated into the business life cycle processes?
A. Conducting periodic risk assessments
B. Integrating security risk into corporate risk management
C. Integrating risk management into the software development life cycle
D. Understanding the risk tolerance of corporate management
View answer
Correct Answer: B
Question #97
Which of the following is the BEST method to ensure the overall effectiveness of a risk management program?
A. User assessments of changes
B. Comparison of the program results with industry standards
C. Assignment of risk within the organization
D. Participation by all members of the organization
View answer
Correct Answer: D
Question #98
Priority should be given to which of the following to ensure effective implementation of information security governance?
A. Consultation
B. Negotiation
C. Facilitation
D. Planning
View answer
Correct Answer: D
Question #99
In assessing the degree to which an organization may be affected by new privacy legislation, information security management should FIRST:
A. develop an operational plan for achieving compliance with the legislation
B. identify systems and processes that contain privacy components
C. restrict the collection of personal information until compliant
D. identify privacy legislation in other countries that may contain similar requirements
View answer
Correct Answer: B
Question #100
Which of the following is the MOST relevant risk factor to an organization when employees use social media?
A. Social media can be accessed from multiple locations
B. Social media offers a platform that can host cyber-attacks
C. Social media can be used to gather intelligence for attacks
D. Social media increases the velocity of risk and the threat capacity
View answer
Correct Answer: C
Question #101
Which of the following is the BEST way for an information security manager to protect against a zero-day attack?
A. Perform a business impact analysis (BIA)
B. Conduct vulnerability scans on a daily basis
C. Configure daily runs of the virus protection software
D. Implement heuristic-based monitoring tools
View answer
Correct Answer: D
Question #102
Management is questioning the need for several items in the information security budget proposal. Which of the following would have been MOST helpful prior to budget submission?
A. Benchmarking information security efforts of industry competitors
B. Obtaining better pricing from information security service vendors
C. Presenting a report of current threats to the organization
D. Educating management on information security best practices
View answer
Correct Answer: C
Question #103
Which of the following is MOST important to consider when prioritizing threats during the risk assessment process?
A. The criticality of threatened systems
B. The severity of exploited vulnerabilities
C. The potential impact on operations
D. The capability of threat actors
View answer
Correct Answer: A
Question #104
Which of the following is MOST important to consider when determining the effectiveness of the information security governance program?
A. Key performance indicators (KPIs)
B. Key risk indicators (KRIs)
C. Maturity models
D. Risk tolerance levels
View answer
Correct Answer: A
Question #105
Which program element should be implemented FIRST in asset classification and control?
A. Risk assessment
B. Classification
C. Valuation
D. Risk mitigation
View answer
Correct Answer: C
Question #106
Nonrepudiation can BEST be ensured by using:
A. strong passwords
B. a digital hash
C. symmetric encryption
D. digital signatures
View answer
Correct Answer: D
Question #107
Which of the following should be the PRIMARY input when defining the desired state of security within an organization?
A. Acceptable risk level
B. Annual loss expectancy
C. External audit results
D. Level of business impact
View answer
Correct Answer: D
Question #108
Which of the following will identify a deviation in the information security management process from generally accepted standards of good practices?
A. Risk assessment
B. Business impact analysis (BIA)
C. Penetration testing
D. Gap analysis
View answer
Correct Answer: D
Question #109
Which of the following is the PRIMARY responsibility of the information security steering committee?
A. Developing security polices aligned with the corporate and IT strategies
B. Reviewing business cases where benefits have not been realized
C. Identifying risks associated with new security initiatives
D. Developing and presenting business cases for security initiatives
View answer
Correct Answer: A
Question #110
An online banking institution is concerned that the breach of customer personal information will have a significant financial impact due to the need to notify and compensate customers whose personal information may have been compromised. The institution determines that residual risk will always be too high and decides to:
A. mitigate the impact by purchasing insurance
B. implement a circuit-level firewall to protect the network
C. increase the resiliency of security measures in place
D. implement a real-time intrusion detection system
View answer
Correct Answer: A
Question #111
After adopting an information security framework, an information security manager is working with senior management to change the organization-wide perception that information security is solely the responsibility of the information security department. To achieve this objective, what should be the information securitymanager's FIRST initiative?
A. Develop an operational plan providing best practices for information security projects
B. Develop an information security awareness campaign with senior management's support
C. Document and publish the responsibilities of the information security department
D. Implement a formal process to conduct periodic compliance reviews
View answer
Correct Answer: B
Question #112
A web-based business application is being migrated from test to production. Which of the following is the MOST important management signoff for this migration?
A. User
B. Network
C. Operations
D. Database
View answer
Correct Answer: A
Question #113
Senior management commitment and support for information security will BEST be attained by an information security manager by emphasizing:
A. organizational risk
B. organization wide metrics
C. security needs
D. the responsibilities of organizational units
View answer
Correct Answer: A
Question #114
An information security manager uses security metrics to measure the:
A. performance of the information security program
B. performance of the security baseline
C. effectiveness of the security risk analysis
D. effectiveness of the incident response team
View answer
Correct Answer: A
Question #115
In a social engineering scenario, which of the following will MOST likely reduce the likelihood of an unauthorized individual gaining access to computing resources?
A. Implementing on-screen masking of passwords
B. Conducting periodic security awareness programs
C. Increasing the frequency of password changes
D. Requiring that passwords be kept strictly confidential
View answer
Correct Answer: B
Question #116
Which of the following would BEST address the risk of data leakage?
A. File backup procedures
B. Database integrity checks
C. Acceptable use policies
D. Incident response procedures
View answer
Correct Answer: C
Question #117
A risk assessment and business impact analysis (BIA) have been completed for a major proposed purchase and new process for an organization. There is disagreement between the information security manager and the business department manager who will own the process regarding the results and the assigned risk. Which of the following would be the BEST approach of the information security manager?
A. Acceptance of the business manager's decision on the risk to the corporation
B. Acceptance of the information security manager's decision on the risk to the corporation
C. Review of the assessment with executive management for final input
D. A new risk assessment and BIA are needed to resolve the disagreement
View answer
Correct Answer: C
Question #118
Which of the following is MOST important to evaluate after completing a risk action plan?
A. Threat profile
B. Inherent risk
C. Residual risk
D. Vulnerability landscape
View answer
Correct Answer: A
Question #119
Quantitative risk analysis is MOST appropriate when assessment data:
A. include customer perceptions
B. contain percentage estimates
C. do not contain specific details
D. contain subjective information
View answer
Correct Answer: B
Question #120
Which of the following will BEST protect against malicious activity by a former employee?
A. Preemployment screening
B. Close monitoring of users
C. Periodic awareness training
D. Effective termination procedures
View answer
Correct Answer: D
Question #121
An information security manager is planning to purchase a mobile device management (MDM) system to manage personal devices used by employees to access corporate email. Which of the following is MOST important to include in the business case?
A. Cost-benefit analysis
B. Identified risks and mitigating controls
C. Industry best practice benchmarking results
D. Information security-related metrics
View answer
Correct Answer: A
Question #122
Which of the following is the PRIMARY advantage of having an established information security governance framework in place when an organization is adopting emerging technologies?
A. An emerging technologies strategy is in place
B. An effective security risk management process is established
C. End user acceptance of emerging technologies is established
D. A cost-benefit analysis process is easier to perform
View answer
Correct Answer: B
Question #123
Which of the following is MOST likely to be included in an enterprise security policy?
A. efinitions of responsibilities
B. etention schedules
C. ystem access specifications
D. rganizational risk
View answer
Correct Answer: A
Question #124
When developing a new application, which of the following is the BEST approach to ensure compliance with security requirements?
A. Provide security training for developers
B. Prepare detailed acceptance criteria
C. Adhere to change management processes
D. Perform a security gap analysis
View answer
Correct Answer: B
Question #125
Which of the following is the BEST way to address risk associated with using an outsourced technology service provider?
A. Review cyber liability insurance
B. Implement a vendor management program
C. Require management approval for vendor selection
D. Perform due diligence on the provider at contract time
View answer
Correct Answer: B
Question #126
Which of the following is the BEST way to align security and business strategies?
A. Include security risk as part of corporate risk management
B. Develop a balanced scorecard for security
C. Establish key performance indicators (KPIs) for business through security processes
D. Integrate information security governance into corporate governance
View answer
Correct Answer: C
Question #127
Which of the following is MOST important for an information security manager to communicate to senior management regarding the security program?
A. Potential risks and exposures
B. Impact analysis results
C. Security architecture changes
D. User roles and responsibilities
View answer
Correct Answer: B
Question #128
Which of the following is the GREATEST benefit of integrating a security information and event management (SIEM) solution with traditional security tools such as IDS, anti-malware, and email screening solutions?
A. The elimination of false positive detections
B. A reduction in operational costs
C. An increase in visibility into patterns of potential threats
D. The consolidation of tools into a single console
View answer
Correct Answer: D
Question #129
Which of the following activities is MOST likely to increase the difficulty of totally eradicating malicious code that is not immediately detected?
A. Applying patches
B. Changing access rules
C. Upgrading hardware
D. Backing up files
View answer
Correct Answer: D
Question #130
An information security manager is reviewing the business case for a security project that is entering the development phase. It is determined that the estimated cost of the controls is now greater than the risk being mitigated.The information security manager’s BEST recommendation would be to:
A. eliminate some of the controls from the project scope
B. discontinue the project to release funds for other efforts
C. pursue the project until the benefits cover the costs
D. slow the pace of the project to spread costs over a longer period
View answer
Correct Answer: A
Question #131
Which of the following is MOST important to the successful promotion of good security management practices?
A. Security metrics
B. Security baselines
C. Management support
D. Periodic training
View answer
Correct Answer: C
Question #132
Which of the following would be the BEST defense against sniffing?
A. Password protect the files
B. Implement a dynamic IP address scheme
C. Encrypt the data being transmitted
D. Set static mandatory access control (MAC) addresses
View answer
Correct Answer: C
Question #133
Which of the following represents the MAJOR focus of privacy regulations?
A. Unrestricted data mining
B. Identity theft
C. Human rights protection
D. Identifiable personal data
View answer
Correct Answer: D
Question #134
Which of the following is a key area of the ISO 27001 framework?
A. Operational risk assessment
B. Financial crime metrics
C. Capacity management
D. Business continuity management
View answer
Correct Answer: D
Question #135
Which of the following is the MOST important element of an information security strategy?
A. Defined objectives
B. Time frames for delivery
C. Adoption of a control framework
D. Complete policies
View answer
Correct Answer: A
Question #136
Which of the following is the MOST important reason to monitor information risk on a continuous basis?
A. The risk profile can change over time
B. The effectiveness of controls can be verified
C. The cost of controls can be minimized
D. Risk assessment errors can be identified
View answer
Correct Answer: A
Question #137
When customer data has been compromised, an organization should contact law enforcement authorities:
A. if the attack comes from an international source
B. when directed by the information security manager
C. if there is potential impact to the organization
D. in accordance with the corporate communication policy
View answer
Correct Answer: D
Question #138
An information security manager is asked to provide evidence that the organization is fulfilling its legal obligation to protect personally identifiable information (PII).Which of the following would be MOST helpful for this purpose?
A. Metrics related to program effectiveness
B. Written policies and standards
C. Privacy awareness training
D. Risk assessments of privacy-related applications
View answer
Correct Answer: A
Question #139
Which of the following is MOST important to have in place to help ensure an organization's cybersecurity program meets the needs of the business?
A. Information security awareness training
B. Information security metrics
C. Risk assessment program
D. Information security governance
View answer
Correct Answer: D
Question #140
In risk assessment, after the identification of threats to organizational assets, the information security manager would:
A. evaluate the controls currently in place
B. implement controls to achieve target risk levels
C. request funding for the security program
D. determine threats to be reported to upper management
View answer
Correct Answer: A
Question #141
A security manager meeting the requirements for the international flow of personal data will need to ensure:
A. a data processing agreement
B. a data protection registration
C. the agreement of the data subjects
D. subject access procedures
View answer
Correct Answer: C
Question #142
Which of the following sites would be MOST appropriate in the case of a very short recovery time objective (RTO)?
A. Warm
B. Redundant
C. Shared
D. Mobile
View answer
Correct Answer: A
Question #143
Which of the following is the MOST important prerequisite for establishing information security management within an organization?
A. Senior management commitment
B. Information security framework
C. Information security organizational structure
D. Information security policy
View answer
Correct Answer: A
Question #144
Which of the following would be MOST useful in developing a series of recovery time objectives (RTOs)?
A. Gap analysis
B. Regression analysis
C. Risk analysis
D. Business impact analysis
View answer
Correct Answer: D
Question #145
Which of the following enables compliance with a nonrepudiation policy requirement for electronic transactions?
A. Digital certificates
B. Digital signatures
C. Encrypted passwords
D. One-time passwords
View answer
Correct Answer: B
Question #146
Which of the following would provide nonrepudiation of electronic transactions?
A. Two-factor authentication
B. Periodic reaccreditations
C. Third-party certificates
D. Receipt acknowledgment
View answer
Correct Answer: C
Question #147
The MOST important reason for conducting periodic risk assessments is because:
A. risk assessments are not always precise
B. security risks are subject to frequent change
C. reviewers can optimize and reduce the cost of controls
D. it demonstrates to senior management that the security function can add value
View answer
Correct Answer: B
Question #148
When performing an information risk analysis, an information security manager should FIRST:
A. establish the ownership of assets
B. evaluate the risks to the assets
C. take an asset inventory
D. categorize the assets
View answer
Correct Answer: C
Question #149
What mechanisms are used to identify deficiencies that would provide attackers with an opportunity to compromise a computer system?
A. Business impact analyses
B. Security gap analyses
C. System performance metrics
D. Incident response processes
View answer
Correct Answer: B
Question #150
An information security program should be sponsored by:
A. infrastructure management
B. the corporate audit department
C. key business process owners
D. information security management
View answer
Correct Answer: C
Question #151
Which of the following areas is MOST susceptible to the introduction of security weaknesses?
A. Database management
B. Tape backup management
C. Configuration management
D. Incident response management
View answer
Correct Answer: C
Question #152
Who can BEST advocate the development of and ensure the success of an information security program?
A. Internal auditor
B. Chief operating officer (COO)
C. Steering committee
D. IT management
View answer
Correct Answer: C
Question #153
In implementing information security governance, the information security manager is PRIMARILY responsible for:
A. developing the security strategy
B. reviewing the security strategy
C. communicating the security strategy
D. approving the security strategy
View answer
Correct Answer: A
Question #154
Access control to a sensitive intranet application by mobile users can BEST be implemented through:
A. data encryption
B. digital signatures
C. strong passwords
D. two-factor authentication
View answer
Correct Answer: D
Question #155
Due to budget constraints, an internal IT application does not include the necessary controls to meet a client service level agreement (SLA).Which of the following is the information security manager’s BEST course of action?
A. Inform the legal department of the deficiency
B. Analyze and report the issue to senior management
C. Require the application owner to implement the controls
D. Assess and present the risks to the application owner
View answer
Correct Answer: D
Question #156
Which of the following is the BEST defense against a brute force attack?
A. Discretionary access control
B. Intruder detection lockout
C. Time-of-day restrictions
D. Mandatory access control
View answer
Correct Answer: C
Question #157
The BEST protocol to ensure confidentiality of transmissions in a business-to-customer (B2C) financial web application is:
A. Secure Sockets Layer (SSL)
B. Secure Shell (SSH)
C. IP Security (IPSec)
D. Secure/Multipurpose Internet Mail Extensions (S/MIME )
View answer
Correct Answer: A
Question #158
Which of the following is the MOST important to keep in mind when assessing the value of information?
A. The potential financial loss
B. The cost of recreating the information
C. The cost of insurance coverage
D. Regulatory requirement
View answer
Correct Answer: A
Question #159
When an organization hires a new information security manager, which of the following goals should this individual pursue FIRST?
A. Develop a security architecture
B. Establish good communication with steering committee members
C. Assemble an experienced staff
D. Benchmark peer organizations
View answer
Correct Answer: B
Question #160
An advantage of antivirus software schemes based on change detection is that they have:
A. a chance of detecting current and future viral strains
B. a more flexible directory of viral signatures
C. to be updated less frequently than activity monitors
D. the highest probability of avoiding false alarms
View answer
Correct Answer: A
Question #161
Which of the following should be PRIMARILY included in a security training program for business process owners?
A. Impact of security risks
B. Application vulnerabilities
C. Application recovery time
D. List of security incidents reported
View answer
Correct Answer: A
Question #162
Which of the following is the BEST approach to identify noncompliance issues with legal, regulatory, and contractual requirements?
A. Risk assessment
B. Business impact analysis (BIA)
C. Vulnerability assessment
D. Gap analysis
View answer
Correct Answer: D
Question #163
During a review to approve a penetration test plan, which of the following should be an information security manager’s PRIMARY concern?
A. Penetration test team’s deviation from scope
B. Unauthorized access to administrative utilities
C. False positive alarms to operations staff
D. Impact on production systems
View answer
Correct Answer: D
Question #164
Which if the following would be the MOST important information to include in a business case for an information security project in a highly regulated industry?
A. Compliance risk assessment
B. Critical audit findings
C. Industry comparison analysis
D. Number of reported security incidents
View answer
Correct Answer: A
Question #165
Which of the following is the BEST metric for evaluating the effectiveness of an intrusion detection mechanism?
A. Number of attacks detected
B. Number of successful attacks
C. Ratio of false positives to false negatives
D. Ratio of successful to unsuccessful attacks
View answer
Correct Answer: C
Question #166
An organization is developing a disaster recovery plan for a data center that hosts multiple applications. The application recovery sequence would BEST be determined through an analysis of:
A. Key performance indicators (KPIs)
B. Recovery time objectives (RTOs)
C. Recovery point objectives (RPOs)
D. The data classification scheme
View answer
Correct Answer: B
Question #167
Which of the following is the FIRST step in developing a business continuity plan (BCP)?
A. Identify the applications with the shortest recovery time objectives (RTOs)
B. Determine the business recovery strategy
C. Identify critical business processes
D. Determine available resources
View answer
Correct Answer: C
Question #168
Which of the following would be the BEST way for a company to reduce the risk of data loss resulting fromemployee-owned devices accessing the corporate email system?
A. Link the bring-your-own-device (BYOD) policy to the existing staff disciplinary policy
B. Require employees to undergo training before permitting access to the corporate email service
C. Require employees to install a reputable mobile anti-virus solution on their personal devices
D. Use a mobile device management (MDM) solution to isolate the local corporate email storage
View answer
Correct Answer: D
Question #169
Security technologies should be selected PRIMARILY on the basis of their:
A. ability to mitigate business risks
B. evaluations in trade publications
C. use of new and emerging technologies
D. benefits in comparison to their costs
View answer
Correct Answer: A
Question #170
Which of the following would BEST help to ensure an organization’s security program is aligned with business objectives?
A. Security policies are reviewed and approved by the chief information officer
B. The security strategy is reviewed and approved by the organization’s executive committee
C. The organization’s board of directors includes a dedicated information security specialist
D. Project managers receive annual information security awareness training
View answer
Correct Answer: B
Question #171
Which of the following is the BEST indicator of a successful external intrusion into computer systems?
A. Unexpected use of protocols within the DMZ
B. Unexpected increase of malformed URLs
C. Decrease in the number of login failures
D. Spikes in the number of login failures
View answer
Correct Answer: A
Question #172
Which of the following should an information security manager establish FIRST to ensure security-related activities are adequately monitored?
A. Internal reporting channels
B. Accountability for security functions
C. Scheduled security assessments
D. Regular reviews of computer system logs
View answer
Correct Answer: A
Question #173
The MOST important function of a risk management program is to:
A. quantify overall risk
B. minimize residual risk
C. eliminate inherent risk
D. maximize the sum of all annualized loss expectancies (ALEs)
View answer
Correct Answer: B
Question #174
When determining an acceptable risk level, which of the following is the MOST important consideration?
A. System criticalities
B. Vulnerability scores
C. Risk matrices
D. Threat profiles
View answer
Correct Answer: A
Question #175
Who would be in the BEST position to determine the recovery point objective (RPO) for business applications?
A. Business continuity coordinator
B. Chief operations officer (COO)
C. Information security manager
D. Internal audit
View answer
Correct Answer: B
Question #176
When building a corporate-wide business continuity plan, it is discovered there are two separate lines of business systems that could be impacted by the same threat. Which of the following is the BEST method to determine the priority of system recovery in the event of a disaster?
A. Evaluating the cost associated with each system’s outage
B. Reviewing the business plans of each department
C. Comparing the recovery point objectives (RPOs)
D. Reviewing each system’s key performance indicators (KPIs)
View answer
Correct Answer: A
Question #177
What is the BEST way to ensure that contract programmers comply with organizational security policies?
A. Explicitly refer to contractors in the security standards
B. Have the contractors acknowledge in writing the security policies
C. Create penalties for noncompliance in the contracting agreement
D. Perform periodic security reviews of the contractors
View answer
Correct Answer: D
Question #178
Which of the following is the BEST way to build a risk-aware culture?
A. eriodically change risk awareness messages
B. nsure that threats are communicated organization-wide in a timely manner
C. eriodically test compliance with security controls and post results
D. stablish incentives and a channel for staff to report risks
View answer
Correct Answer: C
Question #179
An information security manager is developing a new information security strategy.Which of the following functions would serve as the BEST resource to review the strategy and provide guidance for business alignment?
A. Internal audit
B. The steering committee
C. The legal department
D. The board of directors
View answer
Correct Answer: B
Question #180
When developing a tabletop test plan for incident response testing, the PRIMARY purpose of the scenario should be to:
A. give the business a measure of the organization’s overall readiness
B. provide participants with situations to ensure understanding of their roles
C. measure management engagement as part of an incident response team
D. challenge the incident response team to solve the problem under pressure
View answer
Correct Answer: C
Question #181
An information security program should be established PRIMARILY on the basis of:
A. the approved information security strategy
B. the approved risk management approach
C. data security regulatory requirements
D. senior management input
View answer
Correct Answer: A
Question #182
Which of the following steps in conducting a risk assessment should be performed FIRST?
A. Identity business assets
B. Identify business risks
C. Assess vulnerabilities
D. Evaluate key controls
View answer
Correct Answer: A
Question #183
Internal audit has reported a number of information security issues which are not in compliance with regulatory requirements. What should the information security manager do FIRST?
A. Create a security exception
B. Perform a vulnerability assessment
C. Perform a gap analysis to determine needed resources
D. Assess the risk to business operations
View answer
Correct Answer: C
Question #184
Acceptable risk is achieved when:
A. residual risk is minimized
B. transferred risk is minimized
C. control risk is minimized
D. inherent risk is minimized
View answer
Correct Answer: A
Question #185
Which of the following is the BEST way to determine if an information security program aligns with corporate governance?
A. Evaluate funding for security initiatives
B. Survey end users about corporate governance
C. Review information security policies
D. Review the balanced scorecard
View answer
Correct Answer: C
Question #186
When evaluating vendors for sensitive data processing, which of the following should be the FIRST step to ensure the correct level of information security is provided?
A. Include information security clauses in the vendor contract
B. Review third-party reports of potential vendors
C. Include information security criteria as part of vendor selection
D. Develop metrics for vendor performance
View answer
Correct Answer: C
Question #187
Which of the following would BEST ensure the success of information security governance within an organization?
A. Steering committees approve security projects
B. Security policy training provided to all managers
C. Security training available to all employees on the intranet
D. Steering committees enforce compliance with laws and regulations
View answer
Correct Answer: A
Question #188
When identifying legal and regulatory issues affecting information security, which of the following would represent the BEST approach to developing information security policies?
A. Create separate policies to address each regulation
B. Develop policies that meet all mandated requirements
C. Incorporate policy statements provided by regulators
D. Develop a compliance risk assessment
View answer
Correct Answer: B
Question #189
To ensure appropriate control of information processed in IT systems, security safeguards should be basedPRIMARILY on:
A. established guidelines
B. criteria consistent with classification levels
C. efficient technical processing considerations
D. overall IT capacity and operational constraints
View answer
Correct Answer: A
Question #190
An organization has an approved bring your own device (BYOD) program. Which of the following is the MOSTeffective method to enforce application control on personal devices?
A. Establish a mobile device acceptable use policy
B. Implement a mobile device management solution
C. Educate users regarding the use of approved applications
D. Implement a web application firewall
View answer
Correct Answer: B
Question #191
An e-commerce order fulfillment web server should generally be placed on which of the following?
A. Internal network
B. Demilitarized zone (DMZ)
C. Database server
D. Domain controller
View answer
Correct Answer: B
Question #192
What would be an information security manager’s BEST course of action when notified that the implementation of some security controls is being delayed due to budget constraints?
A. Prioritize security controls based on risk
B. Request a budget exception for the security controls
C. Begin the risk acceptance process
D. Suggest less expensive alternative security controls
View answer
Correct Answer: A
Question #193
An information security manager is asked to provide a short presentation on the organization’s current IT risk posture to the board of directors. Which of the following would be MOST effective to include in this presentation?
A. Risk heat map
B. Gap analysis results
C. Threat assessment results
D. Risk register
View answer
Correct Answer: A
Question #194
When performing a qualitative risk analysis, which of the following will BEST produce reliable results?
A. Estimated productivity losses
B. Possible scenarios with threats and impacts
C. Value of information assets
D. Vulnerability assessment
View answer
Correct Answer: B
Question #195
Which of the following is the BEST way for an information security manager to identify compliance with information security policies within an organization?
A. Analyze system logs
B. Conduct security awareness testing
C. Perform vulnerability assessments
D. Conduct periodic audits
View answer
Correct Answer: D
Question #196
When speaking to an organization's human resources department about information security, an information security manager should focus on the need for:
A. an adequate budget for the security program
B. recruitment of technical IT employees
C. periodic risk assessments
D. security awareness training for employees
View answer
Correct Answer: D
Question #197
Which of the following represents a PRIMARY area of interest when conducting a penetration test?
A. Data mining
B. Network mapping
C. Intrusion Detection System (IDS)
D. Customer data
View answer
Correct Answer: B
Question #198
In an organization, information systems security is the responsibility of:
A. all personnel
B. information systems personnel
C. information systems security personnel
D. functional personnel
View answer
Correct Answer: A
Question #199
Which of the following characteristics is MOST important to a bank in a high-value online financial transaction system?
A. Identification
B. Confidentiality
C. Authentication
D. Audit monitoring
View answer
Correct Answer: B
Question #200
An information security manager learns of a new international standard related to information security. Which of the following would be the BEST course of action?
A. Review industry peers’ responses to the new standard
B. Consult with legal counsel on the standard’s applicability to regulations
C. Determine whether the organization can benefit from adopting the new standard
D. Perform a gap analysis between the new standard and existing practices
View answer
Correct Answer: C
Question #201
When messages are encrypted and digitally signed to protect documents transferred between trading partners, the GREATEST concern is that:
A. trading partners can repudiate the transmission of messages
B. hackers can eavesdrop on messages
C. trading partners can repudiate the receipt of messages
D. hackers can introduce forgery messages
View answer
Correct Answer: D
Question #202
Which of the following messages would be MOST effective in obtaining senior management’s commitment to information security management?
A. Effective security eliminates risk to the business
B. Adopt a recognized framework with metrics
C. Security is a business product and not a process
D. Security supports and protects the business
View answer
Correct Answer: A
Question #203
The service level agreement (SLA) for an outsourced IT function does not reflect an adequate level of protection. In this situation an information security manager should:
A. ensure the provider is made liable for losses
B. recommend not renewing the contract upon expiration
C. recommend the immediate termination of the contract
D. determine the current level of security
View answer
Correct Answer: D
Question #204
In assessing risk, it is MOST essential to:
A. provide equal coverage for all asset types
B. use benchmarking data from similar organizations
C. consider both monetary value and likelihood of loss
D. focus primarily on threats and recent business losses
View answer
Correct Answer: C
Question #205
The FIRST step in developing an information security management program is to:
A. identify business risks that affect the organization
B. clarify organizational purpose for creating the program
C. assign responsibility for the program
D. assess adequacy of controls to mitigate business risks
View answer
Correct Answer: B
Question #206
Which of the following is the BEST way for senior leadership to demonstrate commitment for an effective information security strategy?
A. Appointing the top information security role to report to the CEO
B. Communicating organizational risk appetite and tolerance
C. Approving a comprehensive risk management program
D. Allocating adequate resources for information security
View answer
Correct Answer: D
Question #207
A new regulation for safeguarding information processed by a specific type of transaction has come to the attention of an information security officer. The officer should FIRST:
A. meet with stakeholders to decide how to comply
B. analyze key risks in the compliance process
C. assess whether existing controls meet the regulation
D. update the existing security/privacy policy
View answer
Correct Answer: C
Question #208
From an information security perspective, information that no longer supports the main purpose of the business should be:
A. analyzed under the retention policy
B. protected under the information classification policy
C. analyzed under the backup policy
D. protected under the business impact analysis (BIA)
View answer
Correct Answer: A
Question #209
Which of the following requirements would have the lowest level of priority in information security?
A. Technical
B. Regulatory
C. Privacy
D. Business
View answer
Correct Answer: A
Question #210
For which of the following is it MOST important that system administrators be restricted to read-only access?
A. Administrator user profiles
B. System logging options
C. User access log files
D. Administrator log files
View answer
Correct Answer: D
Question #211
The MOST important component of a privacy policy is:
A. notifications
B. warranties
C. liabilities
D. geographic coverage
View answer
Correct Answer: A
Question #212
Which of the following measures would be MOST effective against insider threats to confidential information?
A. Role-based access control
B. Audit trail monitoring
C. Privacy policy
D. Defense-in-depth
View answer
Correct Answer: A
Question #213
Which of the following is a PRIMARY responsibility of an information security steering committee?
A. Reviewing the information security strategy
B. Approving the information security awareness training strategy
C. Analyzing information security policy compliance reviews
D. Approving the purchase of information security technologies
View answer
Correct Answer: A
Question #214
What would be an information security manager’s BEST recommendation upon learning that an existing contract with a third party does not clearly identify requirements for safeguarding the organization’s critical data?
A. Create an addendum to the existing contract
B. Cancel the outsourcing contract
C. Transfer the risk to the provider
D. Initiate an external audit of the provider’s data center
View answer
Correct Answer: A
Question #215
Prior to having a third party perform an attack and penetration test against an organization, the MOST important action is to ensure that:
A. the third party provides a demonstration on a test system
B. goals and objectives are clearly defined
C. the technical staff has been briefed on what to expect
D. special backups of production servers are taken
View answer
Correct Answer: B
Question #216
Which of the following is the PRIMARY advantage of desk checking a business continuity plan (BCP)?
A. Assesses the availability and compatibility a backup hardware
B. Allows for greater participation be management and the IT department
C. Ensures that appropriate follow-up work is performed on noted issues
D. Provides a low-cost method of assessing the BCP’s completeness
View answer
Correct Answer: C
Question #217
Security awareness training is MOST likely to lead to which of the following?
A. Decrease in intrusion incidents
B. Increase in reported incidents
C. Decrease in security policy changes
D. Increase in access rule violations
View answer
Correct Answer: B
Question #218
Effective information security policies should be PRIMARILY developed based on:
A. industry best practices
B. the cost of implementation
C. the organization's risk profile
D. the ease of enforcement
View answer
Correct Answer: C
Question #219
Which of the following is the MOST important reason for an information security review of contracts? To help ensure that:
A. the parties to the agreement can perform
B. confidential data are not included in the agreement
C. appropriate controls are included
D. the right to audit is a requirement
View answer
Correct Answer: C
Question #220
Which of the following is the BEST method or technique to ensure the effective implementation of aninformation security program?
A. Obtain the support of the board of directors
B. Improve the content of the information security awareness program
C. Improve the employees' knowledge of security policies
D. Implement logical access controls to the information systems
View answer
Correct Answer: A
Question #221
Which of the following is the MOST usable deliverable of an information security risk analysis?
A. Business impact analysis (BIA) report
B. List of action items to mitigate risk
C. Assignment of risks to process owners
D. Quantification of organizational risk
View answer
Correct Answer: B
Question #222
When designing an information security quarterly report to management, the MOST important element to be considered should be the:
A. information security metrics
B. knowledge required to analyze each issue
C. linkage to business area objectives
D. baseline against which metrics are evaluated
View answer
Correct Answer: C
Question #223
Which of the following is the MOST effective method for assessing the effectiveness of a security awareness program?
A. Post-incident review
B. Social engineering test
C. Vulnerability scan
D. Tabletop test
View answer
Correct Answer: B
Question #224
A company recently developed a breakthrough technology. Since this technology could give this company a significant competitive edge, which of the following would FIRST govern how this information is to beprotected?
A. Access control policy
B. Data classification policy
C. Encryption standards
D. Acceptable use policy
View answer
Correct Answer: B
Question #225
Which of the following is a PRIMARY responsibility of an information security governance committee?
A. Analyzing information security policy compliance reviews
B. Approving the purchase of information security technologies
C. Reviewing the information security strategy
D. Approving the information security awareness training strategy
View answer
Correct Answer: C
Question #226
Which of the following is MOST effective for securing wireless networks as a point of entry into a corporate network?
A. Boundary router
B. Strong encryption
C. Internet-facing firewall
D. Intrusion detection system (IDS)
View answer
Correct Answer: B
Question #227
A regulatory compliance issue has been identified in a critical business application, but remediating the issue would significantly impact business operations. What information would BEST enable senior management to make an informed decision?
A. Impact analysis and treatment options
B. Costs associated with compensating controls
C. Industry benchmarks and best practices
D. Risk assessment results and recommendations
View answer
Correct Answer: A
Question #228
Which of the following BEST demonstrates that the objectives of an information security governance framework are being met?
A. Risk dashboard
B. Key performance indicators (KPIs)
C. Penetration test results
D. Balanced scorecard
View answer
Correct Answer: D
Question #229
Which of the following is the BEST justification to convince management to invest in an information security program?
A. Cost reduction
B. Compliance with company policies
C. Protection of business assets
D. Increased business value
View answer
Correct Answer: D
Question #230
During the restoration of several servers, a critical process that services external customers was restored late due to a failure, resulting in lost revenue. Which of the following would have BEST help to prevent this occurrence?
A. Validation of senior management’s risk tolerance
B. Updates to the business impact analysis (BIA)
C. More effective disaster recovery plan (DRP) testing
D. Improvements to incident identification methods
View answer
Correct Answer: D
Question #231
When management changes the enterprise business strategy, which of the following processes should be used to evaluate the existing information security controls as well as to select new information securitycontrols?
A. Risk management
B. Change management
C. Access control management
D. Configuration management
View answer
Correct Answer: A
Question #232
The contribution of recovery point objective (RPO) to disaster recovery is to:
A. define backup strategy
B. eliminate single points of failure
C. reduce mean time between failures (MTBF)
D. minimize outage period
View answer
Correct Answer: D
Question #233
Which of the following should be an information security manager's FIRST course of action following a decision to implement a new technology?
A. Determine security controls needed to support the new technology
B. Perform a business impact analysis (BIA) on the new technology
C. Perform a return-on-investment (ROI) analysis for the new technology
D. Determine whether the new technology will comply with regulatory requirements
View answer
Correct Answer: B
Question #234
When management changes the enterprise business strategy, which of the following processes should be used to evaluate the existing information security controls as well as to select new information security controls?
A. ccess control management
B. hange management
C. onfiguration management
D. isk management
View answer
Correct Answer: D
Question #235
Which of the following is the MOST effective way for an organization to ensure its third-party service providers are aware of information security requirements and expectations?
A. Auditing the service delivery of third-party providers
B. Including information security clauses within contracts
C. Providing information security training to third-party personnel
D. Requiring third parties to sign confidentiality agreements
View answer
Correct Answer: B
Question #236
What is the MOST important item to be included in an information security policy?
A. The definition of roles and responsibilities
B. The scope of the security program
C. The key objectives of the security program
D. Reference to procedures and standards of the security program
View answer
Correct Answer: C
Question #237
Following a recent acquisition, an information security manager has been requested to address the outstanding risk reported early in the acquisition process. Which of the following would be the manager’s BEST course of action?
A. Add the outstanding risk to the acquiring organization’s risk registry
B. Re-assess the outstanding risk of the acquired company
C. Re-evaluate the risk treatment plan for the outstanding risk
D. Perform a vulnerability assessment of the acquired company’s infrastructure
View answer
Correct Answer: B
Question #238
The security responsibility of data custodians in an organization will include:
A. assuming overall protection of information assets
B. determining data classification levels
C. implementing security controls in products they install
D. ensuring security measures are consistent with policy
View answer
Correct Answer: D
Question #239
When an organization is setting up a relationship with a third-party IT service provider, which of the following is one of the MOST important topics to include in the contract from a security standpoint?
A. Compliance with international security standards
B. Use of a two-factor authentication system
C. Existence of an alternate hot site in case of business disruption
D. Compliance with the organization's information security requirements
View answer
Correct Answer: D
Question #240
Which of the following defines the minimum security requirements that a specific system must meet?
A. Security policy
B. Security guideline
C. Security procedure
D. Security baseline
View answer
Correct Answer: A
Question #241
Which of the following is the MOST effective way to ensure the process for granting access to new employees is standardized and meets organizational security requirements?
A. Grant authorization to individual systems as required with the approval of information security management
B. Require managers of new hires be responsible for account setup and access during employee orientation
C. Embed the authorization and creation of accounts with HR onboarding procedures
D. Adopt a standard template of access levels for all employees to be enacted upon hiring
View answer
Correct Answer: C
Question #242
Which of the following contributes MOST to the effective implementation of an information security strategy?
A. Reporting of security metrics
B. Regular security awareness training
C. Endorsement by senior management
D. Implementation of security standards
View answer
Correct Answer: C
Question #243
Which of the following should be the FIRST step to ensure an information security program meets the requirements of new regulations?
A. Validate the asset classification schema
B. Integrate compliance into the risk management process
C. Assess organizational security controls
D. Conduct a gap analysis to determine necessary changes
View answer
Correct Answer: B
Question #244
Which of the following will BEST protect confidential data when connecting large wireless networks to an existing wired-network infrastructure?
A. Mandatory access control (MAC) address filtering
B. Strong passwords
C. Virtual private network (VPN)
D. Firewall
View answer
Correct Answer: A
Question #245
Which of the following is the STRONGEST indicator of effective alignment between corporate governance and information security governance?
A. Senior management sponsors information security efforts
B. Senior management requests periodic information security updates
C. Key performance indicators (KPIs) for controls trend positively
D. Information security initiatives meet scope
View answer
Correct Answer: C
Question #246
A global organization processes and stores large volumes of personal data. Which of the following would be the MOST important attribute in creating a data access policy?
A. Availability
B. Integrity
C. Reliability
D. Confidentiality
View answer
Correct Answer: D
Question #247
When developing an information security governance framework, which of the following would be the MAINimpact when lacking senior management involvement?
A. Accountability for risk treatment is not clearly defined
B. Information security responsibilities are not communicated effectively
C. Resource requirements are not adequately considered
D. Information security plans do not support business requirements
View answer
Correct Answer: C
Question #248
An information security manager is assisting in the development of the request for proposal (RFP) for a new outsourced service. This will require the third party to have access to critical business information. The security manager should focus PRIMARILY on defining:
A. security metrics
B. service level agreements (SLAs)
C. risk-reporting methodologies
D. security requirements for the process being outsourced
View answer
Correct Answer: A
Question #249
After assessing and mitigating the risks of a web application, who should decide on the acceptance of residual application risks?
A. Information security officer
B. Chief information officer (CIO)
C. Business owner
D. Chief executive officer (CFO)
View answer
Correct Answer: C
Question #250
Which of the following defines the triggers within a business continuity plan (BCP)?
A. Disaster recovery plan
B. Needs of the organization
C. Gap analysis
D. Information security policy
View answer
Correct Answer: A
Question #251
Which of the following would be MOST relevant to include in a cost-benefit analysis of a two-factor authentication system?
A. Annual loss expectancy (ALE) of incidents
B. Frequency of incidents
C. Total cost of ownership (TCO)
D. Approved budget for the project
View answer
Correct Answer: C
Question #252
Which of the following risks is represented in the risk appetite of an organization?
A. Control
B. Inherent
C. Residual
D. Audit
View answer
Correct Answer: C
Question #253
When the computer incident response team (CIRT) finds clear evidence that a hacker has penetrated the corporate network and modified customer information, an information security manager should FIRST notify:
A. the information security steering committee
B. customers who may be impacted
C. data owners who may be impacted
D. regulatory- agencies overseeing privacy
View answer
Correct Answer: C
Question #254
Which of the following is the PRIMARY goal of a risk management program?
A. Implement preventive controls against threats
B. Manage the business impact of inherent risks
C. Manage compliance with organizational policies
D. Reduce the organization’s risk appetite
View answer
Correct Answer: B
Question #255
A risk management program will be MOST effective when:
A. risk appetite is sustained for a long period
B. risk assessments are repeated periodically
C. risk assessments are conducted by a third party
D. business units are involved in risk assessments
View answer
Correct Answer: D
Question #256
When preparing a risk treatment plan, which of the following is the MOST important consideration when reviewing options for mitigating risk?
A. Cost-benefit analysis
B. User acceptance
C. Business impact analysis (BIA)
D. Control identification
View answer
Correct Answer: A
Question #257
An outsourced vendor handles an organization's business-critical data.Which of the following is the MOST effective way for the client organization to obtain assurance of the vendor's security practices?
A. Verifying security certifications held by the vendor
B. Reviewing the vendor's security audit reports
C. Requiring periodic independent third-party reviews
D. Requiring business continuity plans (BCPs) from the vendor
View answer
Correct Answer: C
Question #258
The valuation of IT assets should be performed by:
A. an IT security manager
B. an independent security consultant
C. the chief financial officer (CFO)
D. the information owner
View answer
Correct Answer: D
Question #259
Which of the following, using public key cryptography, ensures authentication, confidentiality and nonrepudiation of a message?
A. Encrypting first by receiver's private key and second by sender's public key
B. Encrypting first by sender's private key and second by receiver's public key
C. Encrypting first by sender's private key and second decrypting by sender's public key
D. Encrypting first by sender's public key and second by receiver's private key
View answer
Correct Answer: B
Question #260
An internal control audit has revealed a control deficiency related to a legacy system where the compensating controls no longer appear to be effective.Which of the following would BEST help the information security manager determine the security requirements to resolve the control deficiency?
A. Risk assessment
B. Gap analysis
C. Cost-benefit analysis
D. Business case
View answer
Correct Answer: B
Question #261
An organization is already certified to an international security standard. Which mechanism would BEST help to further align the organization with other data security regulatory requirements as per new business needs?
A. Key performance indicators (KPIs)
B. Business impact analysis (BIA)
C. Gap analysis
D. Technical vulnerability assessment
View answer
Correct Answer: C
Question #262
Which of the following is MOST helpful to management in determining whether risks are within an organization’s tolerance level?
A. Audit findings
B. Heat map
C. Penetration test results
D. Maturity level
View answer
Correct Answer: B
Question #263
Which of the following devices should be placed within a demilitarized zone (DMZ)?
A. Network switch
B. Web server
C. Database server
D. File/print server
View answer
Correct Answer: B
Question #264
Which of the following is the PRIMARY prerequisite to implementing data classification within an organization?
A. Defining job roles
B. Performing a risk assessment
C. Identifying data owners
D. Establishing data retention policies
View answer
Correct Answer: C
Question #265
Of the following, the BEST method for ensuring that temporary employees do not receive excessive access rights is:
A. mandatory access controls
B. discretionary access controls
C. lattice-based access controls
D. role-based access controls
View answer
Correct Answer: D
Question #266
Acceptable levels of information security risk should be determined by:
A. legal counsel
B. security management
C. external auditors
D. die steering committee
View answer
Correct Answer: D
Question #267
Which of the following controls would BEST prevent accidental system shutdown from the console or operations area?
A. Redundant power supplies
B. Protective switch covers
C. Shutdown alarms
D. Biometric readers
View answer
Correct Answer: B
Question #268
An IS manager has decided to implement a security system to monitor access to the Internet and prevent access to numerous sites. Immediately upon installation, employees Hood the IT helpdesk with complaints of being unable to perform business functions on Internet sites. This is an example of:
A. conflicting security controls with organizational needs
B. strong protection of information resources
C. implementing appropriate controls to reduce risk
D. proving information security's protective abilities
View answer
Correct Answer: A
Question #269
The PRIMARY objective of security awareness is to:
A. ensure that security policies are understood
B. influence employee behavior
C. ensure legal and regulatory compliance
D. notify of actions for noncompliance
View answer
Correct Answer: B
Question #270
The MOST effective use of a risk register is to:
A. identify risks and assign roles and responsibilities for mitigation
B. identify threats and probabilities
C. facilitate a thorough review of all IT-related risks on a periodic basis
D. record the annualized financial amount of expected losses due to risks
View answer
Correct Answer: C
Question #271
Which of the following trends would be of GREATEST concern when reviewing the performance of an organization’s intrusion detection systems (IDS)?
A. Decrease in false negatives
B. Increase in false positives
C. Decrease in false positives
D. Increase in false negatives
View answer
Correct Answer: D
Question #272
Meeting which of the following security objectives BEST ensures that information is protected against unauthorized disclosure?
A. Authenticity
B. Confidentiality
C. Nonrepudiation
D. Integrity
View answer
Correct Answer: B
Question #273
In the development of an information security strategy, recovery time objectives (RTOs) will serve as indicators of:
A. senior management support
B. open vulnerabilities
C. risk tolerances
D. maturity levels
View answer
Correct Answer: C
Question #274
Which of the following is characteristic of decentralized information security management across a geographically dispersed organization?
A. More uniformity in quality of service
B. Better adherence to policies
C. Better alignment to business unit needs
D. More savings in total operating costs
View answer
Correct Answer: C
Question #275
Which of the following would the BEST demonstrate the added value of an information security program?
A. Security baselines
B. A SWOT analysis
C. A gap analysis
D. A balanced scorecard
View answer
Correct Answer: B
Question #276
A multinational organization has developed a bring your own device (BYOD) policy that requires the installation of mobile device management (MDM) software on personally owned devices. Which of the following poses the GREATEST challenge for implementing the police?
A. Varying employee data privacy rights
B. Translation and communication of policy
C. Differences in mobile OS platforms
D. Differences in corporate cultures
View answer
Correct Answer: C
Question #277
Which of the following is the MOST appropriate position to sponsor the design and implementation of a new security infrastructure in a large global enterprise?
A. Chief security officer (CSO)
B. Chief operating officer (COO)
C. Chief privacy officer (CPO)
D. Chief legal counsel (CLC)
View answer
Correct Answer: B
Question #278
What is the MOST important factor in the successful implementation of an enterprise wide information security program?
A. Realistic budget estimates
B. Security awareness
C. Support of senior management
D. Recalculation of the work factor
View answer
Correct Answer: C
Question #279
Which of the following MUST be established before implementing a data loss prevention (DLP) system?
A. Privacy impact assessment
B. A data backup policy
C. Data classification
D. A data recovery policy
View answer
Correct Answer: C
Question #280
Which of the following is MOST important to consider when defining control objectives?
A. The current level of residual risk
B. The organization’s strategic objectives
C. Control recommendations from a recent audit
D. The organization’s risk appetite
View answer
Correct Answer: B
Question #281
The chief information security officer (CISO) has developed an information security strategy, but is struggling to obtain senior management commitment for funds to implement the strategy.Which of the following is the MOST likely reason?
A. The strategy does not include a cost-benefit analysis
B. The CISO reports to the CIO
C. There was a lack of engagement with the business during development
D. The strategy does not comply with security standards
View answer
Correct Answer: A
Question #282
An operating system (OS) noncritical patch to enhance system security cannot be applied because a critical application is not compatible with the change. Which of the following is the BEST solution?
A. Rewrite the application to conform to the upgraded operating system
B. Compensate for not installing the patch with mitigating controls
C. Alter the patch to allow the application to run in a privileged state
D. Run the application on a test platform; tune production to allow patch and application
View answer
Correct Answer: B
Question #283
When an emergency security patch is received via electronic mail, the patch should FIRST be:
A. loaded onto an isolated test machine
B. decompiled to check for malicious code
C. validated to ensure its authenticity
D. copied onto write-once media to prevent tampering
View answer
Correct Answer: C
Question #284
After assessing risk, the decision to treat the risk should be based PRIMARILY on:
A. availability of financial resources
B. whether the level of risk exceeds risk appetite
C. whether the level of risk exceeds inherent risk
D. the criticality of the risk
View answer
Correct Answer: B
Question #285
An information security manager has been informed of a new vulnerability in an online banking application, and patch to resolve this issue is expected to be released in the next 72 hours. The information security manager’s MOST important course of action should be to:
A. assess the risk and advise senior management
B. identify and implement mitigating controls
C. run the application system in offline mode
D. perform a business impact analysis (BIA)
View answer
Correct Answer: A
Question #286
Based on the information provided, which of the following situations presents the GREATEST information security risk for an organization with multiple, but small, domestic processing locations?
A. Systems operation procedures are not enforced
B. Change management procedures are poor
C. Systems development is outsourced
D. Systems capacity management is not performed
View answer
Correct Answer: B
Question #287
The MOST appropriate individual to determine the level of information security needed for a specific business application is the:
A. system developer
B. information security manager
C. steering committee
D. system data owner
View answer
Correct Answer: D
Question #288
An inexperienced information security manager is relying on its internal audit department to design and implement key security controls. Which of the following is the GREATEST risk?
A. Inadequate implementation of controls
B. Conflict of interest
C. Violation of the audit charter
D. Inadequate audit skills
View answer
Correct Answer: B
Question #289
An information security manager suspects that the organization has suffered a ransomware attack. What should be done FIRST?
A. Notify senior management
B. Alert employees to the attack
C. Confirm the infection
D. Isolate the affected systems
View answer
Correct Answer: C
Question #290
Which of the following is the MOST important consideration when implementing an intrusion detection system (IDS)?
A. Tuning
B. Patching
C. Encryption
D. Packet filtering
View answer
Correct Answer: A
Question #291
Which of the following would BEST help to ensure the alignment between information security and business functions?
A. Developing information security policies
B. Establishing an information security governance committee
C. Establishing a security awareness program
D. Providing funding for information security efforts
View answer
Correct Answer: B
Question #292
While implementing information security governance an organization should FIRST:
A. adopt security standards
B. determine security baselines
C. define the security strategy
D. establish security policies
View answer
Correct Answer: C
Question #293
Which of the following is MOST likely to drive an update to the information security strategy?
A. A recent penetration test has uncovered a control weakness
B. A major business application has been upgraded
C. Management has decided to implement an emerging technology
D. A new chief technology officer has been hired
View answer
Correct Answer: C
Question #294
The PRIMARY reason for establishing a data classification scheme is to identify:
A. data ownership
B. data-retention strategy
C. appropriate controls
D. recovery priorities
View answer
Correct Answer: C
Question #295
Which of the following is MOST helpful to maintain cohesiveness within an organization’s information security resource?
A. Information security architecture
B. Security gap analysis
C. Business impact analysis
D. Information security steering committee
View answer
Correct Answer: A
Question #296
Which of the following will MOST likely reduce the chances of an unauthorized individual gaining access to computing resources by pretending to be an authorized individual needing to have his, her password reset?
A. Performing reviews of password resets
B. Conducting security awareness programs
C. Increasing the frequency of password changes
D. Implementing automatic password syntax checking
View answer
Correct Answer: B
Question #297
Which of the following is the MOST effective data loss control when connecting a personally owned mobile device to the corporate email system?
A. Email must be stored in an encrypted format on the mobile device
B. Email synchronization must be prevented when connected to a public Wi-Fi hotspot
C. A senior manager must approve each connection
D. Users must agree to allow the mobile device to be wiped if it is lost
View answer
Correct Answer: D
Question #298
Which of the following should be included in an annual information security budget that is submitted for management approval?
A. A cost-benefit analysis of budgeted resources
B. All of the resources that are recommended by the business
C. Total cost of ownership (TCO)
D. Baseline comparisons
View answer
Correct Answer: A
Question #299
Which of the following would be MOST important to consider when implementing security settings for a new system?
A. Results from internal and external audits
B. Government regulations and related penalties
C. Business objectives and related IT risk
D. Industry best practices applicable to the business
View answer
Correct Answer: C
Question #300
Security monitoring mechanisms should PRIMARILY:
A. focus on business-critical information
B. assist owners to manage control risks
C. focus on detecting network intrusions
D. record all security violations
View answer
Correct Answer: A
Question #301
Which of the following is MOST important when conducting a forensic investigation?
A. Documenting analysis steps
B. Capturing full system images
C. Maintaining a chain of custody
D. Analyzing system memory
View answer
Correct Answer: C
Question #302
Which of the following tasks should be performed once a disaster recovery plan has been developed?
A. Analyze the business impact
B. Define response team roles
C. Develop the test plan
D. Identify recovery time objectives (RTOs)
View answer
Correct Answer: B
Question #303
When preventative controls to appropriately mitigate risk are not feasible, which of the following is the MOSTimportant action for the information security manager to perform?
A. Assess vulnerabilities
B. Manage the impact
C. Evaluate potential threats
D. Identify unacceptable risk levels
View answer
Correct Answer: D
Question #304
When developing a disaster recovery plan, which of the following would be MOST helpful in prioritizing the order in which systems should be recovered?
A. Performing a business impact analysis (BIA)
B. Measuring the volume of data in each system
C. Reviewing the information security policy
D. Reviewing the business strategy
View answer
Correct Answer: A
Question #305
Successful implementation of information security governance will FIRST require:
A. security awareness training
B. updated security policies
C. a computer incident management team
D. a security architecture
View answer
Correct Answer: B
Question #306
An organization involved in e-commerce activities operating from its home country opened a new office in another country with stringent security laws. In this scenario, the overall security strategy should be based on:
A. risk assessment results
B. international security standards
C. the most stringent requirements
D. the security organization structure
View answer
Correct Answer: D
Question #307
A security risk assessment exercise should be repeated at regular intervals because:
A. business threats are constantly changing
B. omissions in earlier assessments can be addressed
C. repetitive assessments allow various methodologies
D. they help raise awareness on security in the business
View answer
Correct Answer: A
Question #308
Of the following, who should have PRIMARY responsibility for assessing the security risk associated with an outsourced cloud provider contract?
A. Information security manager
B. Compliance manager
C. Chief information officer
D. Service delivery manager
View answer
Correct Answer: D
Question #309
Which of the following is the BEST option for addressing regulations that will adversely affect the allocation of information security program resources?
A. Prioritize compliance efforts based on probability
B. Determine compliance levels of peer organizations
C. Delay implementation of compliance activities
D. Conduct assessments for management decisions
View answer
Correct Answer: D
Question #310
Which of the following is the BEST approach for determining the maturity level of an information security program?
A. Evaluate key performance indicators (KPIs)
B. Engage a third-party review
C. Review internal audit results
D. Perform a self-assessment
View answer
Correct Answer: A
Question #311
In order to highlight to management, the importance of network security, the security manager should FIRST:
A. develop a security architecture
B. install a network intrusion detection system (NIDS) and prepare a list of attacks
C. develop a network security policy
D. conduct a risk assessment
View answer
Correct Answer: D
Question #312
Which of the following BEST enables an information security manager to determine the comprehensiveness of an organization’s information security strategy?
A. Business impact analysis
B. Organizational risk appetite
C. Independent security audit
D. Security risk assessment
View answer
Correct Answer: A
Question #313
The MOST important reason that statistical anomaly-based intrusion detection systems (slat IDSs) are less commonly used than signature-based IDSs, is that stat IDSs:
A. create more overhead than signature-based IDSs
B. cause false positives from minor changes to system variables
C. generate false alarms from varying user or system actions
D. cannot detect new types of attacks
View answer
Correct Answer: C
Question #314
To help ensure that contract personnel do not obtain unauthorized access to sensitive information, an information security manager should PRIMARILY:
A. set their accounts to expire in six months or less
B. avoid granting system administration roles
C. ensure they successfully pass background checks
D. ensure their access is approved by the data owner
View answer
Correct Answer: B
Question #315
When using a newly implemented security information and event management (SIEM) infrastructure, which of the following should be considered FIRST?
A. Retention
B. Tuning
C. Encryption
D. Report distribution
View answer
Correct Answer: D
Question #316
An organization has detected potential risk emerging from noncompliance with new regulations in its industry. Which of the following is the MOST important reason to report this situation to senior management?
A. The risk profile needs to be updated
B. An external review of the risk needs to be conducted
C. Specific monitoring controls need to be implemented
D. A benchmark analysis needs to be performed
View answer
Correct Answer: A
Question #317
Which of the following is the MOST effective way to address an organization's security concerns during contract negotiations with a third party?
A. eview the third-party contract with the organization's legal department
B. ommunicate security policy with the third-party vendor
C. nsure security is involved in the procurement process
D. onduct an information security audit on the third-party vendor
View answer
Correct Answer: B
Question #318
Which of the following is the MOST likely outcome from the implementation of a security governance framework?
A. Increased availability of information systems
B. Compliance with international standards
C. Realized business value from information security initiatives
D. Cost reduction of information security initiatives
View answer
Correct Answer: C
Question #319
What would be an information security manager's BEST recommendation upon learning that an existing contract with a third party does not clearly identify requirements for safeguarding the organization's critical data?
A. ancel the outsourcing contract
B. ransfer the risk to the provider
C. reate an addendum to the existing contract
D. nitiate an external audit of the provider's data center
View answer
Correct Answer: C
Question #320
When contracting with an outsourcer to provide security administration, the MOST important contractual element is the:
A. right-to-terminate clause
B. limitations of liability
C. service level agreement (SLA)
D. financial penalties clause
View answer
Correct Answer: C
Question #321
A company is considering a new automated system that requires implementation of wireless devices for data capture. Even though wireless is not an approved technology, senior management has accepted the risk and approved a Proof-of-Concept (POC) to evaluate the technology and proposed solution. Which of the following is the information security manager's BEST course of action?
A. Sandbox the proposed solution
B. Provide personnel with wireless security training
C. Implement a wireless intrusion detection system (IDS)
D. Develop corporate wireless standards
View answer
Correct Answer: A
Question #322
A mission-critical system has been identified as having an administrative system account with attributes that prevent locking and change of privileges and name. Which would be the BEST approach to prevent successful brute forcing of the account?
A. Prevent the system from being accessed remotely
B. Create a strong random password
C. Ask for a vendor patch
D. Track usage of the account by audit trails
View answer
Correct Answer: B
Question #323
Who in an organization has the responsibility for classifying information?
A. Data custodian
B. Database administrator
C. Information security officer
D. Data owner
View answer
Correct Answer: D
Question #324
An information security manager must understand the relationship between information security and business operations in order to:
A. support organizational objectives
B. determine likely areas of noncompliance
C. assess the possible impacts of compromise
D. understand the threats to the business
View answer
Correct Answer: A
Question #325
An extranet server should be placed:
A. outside the firewall
B. on the firewall server
C. on a screened subnet
D. on the external router
View answer
Correct Answer: C
Question #326
A project manager is developing a developer portal and requests that the security manager assign a public IP address so that it can be accessed by in-house staff and by external consultants outside the organization's local area network (LAN). What should the security manager do FIRST?
A. Understand the business requirements of the developer portal
B. Perform a vulnerability assessment of the developer portal
C. Install an intrusion detection system (IDS)
D. Obtain a signed nondisclosure agreement (NDA) from the external consultants before allowing external access to the server
View answer
Correct Answer: A
Question #327
When developing security processes for handling credit card data on the business unit’s information system, the information security manager should FIRST:
A. review corporate policies regarding credit card information
B. implement the credit card companies’ security requirements
C. ensure that systems handle credit card data are segmented
D. review industry’s best practices for handling secure payments
View answer
Correct Answer: A
Question #328
Which of the following would BEST help an information security manager prioritize remediation activities to meet regulatory requirements?
A. A capability maturity model matrix
B. Annual loss expectancy (ALE) of noncompliance
C. Cost of associated controls
D. Alignment with the IT strategy
View answer
Correct Answer: D
Question #329
Which of the following would generally have the GREATEST negative impact on an organization?
A. Theft of computer software
B. Interruption of utility services
C. Loss of customer confidence
D. Internal fraud resulting in monetary loss
View answer
Correct Answer: C
Question #330
A global financial institution has decided not to take any further action on a denial of service (DoS) risk found by the risk assessment team. The MOST likely reason they made this decision is that:
A. there are sufficient safeguards in place to prevent this risk from happening
B. the needed countermeasure is too complicated to deploy
C. the cost of countermeasure outweighs the value of the asset and potential loss
D. The likelihood of the risk occurring is unknown
View answer
Correct Answer: C
Question #331
The MOST important characteristic of good security policies is that they:
A. state expectations of IT management
B. state only one general security mandate
C. are aligned with organizational goals
D. govern the creation of procedures and guidelines
View answer
Correct Answer: C
Question #332
When application-level security controlled by business process owners is found to be poorly managed, which of the following could BEST improve current practices?
A. Centralizing security management
B. Implementing sanctions for noncompliance
C. Policy enforcement by IT management
D. Periodic compliance reviews
View answer
Correct Answer: A
Question #333
A security awareness program should:
A. present top management's perspective
B. address details on specific exploits
C. address specific groups and roles
D. promote security department procedures
View answer
Correct Answer: C
Question #334
Which of the following should be an information security manager's PRIMARY role when an organization initiates a data classification process?
A. Verify that assets have been appropriately classified
B. Apply security in accordance with specific classification
C. Define the classification structure to be implemented
D. Assign the asset classification level
View answer
Correct Answer: C
Question #335
Which of the following is MOST important to include in monthly information security reports to the broad?
A. Trend analysis of security metrics
B. Threat intelligence
C. Root cause analysis of security incidents
D. Risk assessment results
View answer
Correct Answer: A
Question #336
Information security governance is PRIMARILY driven by:
A. technology constraints
B. regulatory requirements
C. litigation potential
D. business strategy
View answer
Correct Answer: D
Question #337
Which of the following is the MOST practical control that an organization can implement to prevent unauthorized downloading of data to universal serial bus (USB) storage devices?
A. Two-factor authentication
B. Restrict drive usage
C. Strong encryption
D. Disciplinary action
View answer
Correct Answer: B
Question #338
An organization is considering moving one of its critical business applications to a cloud hosting service. The cloud provider may not provide the same level of security for this application as the organization. Which of the following will provide the BEST information to help maintain the security posture?
A. Risk assessment
B. Cloud security strategy
C. Vulnerability assessment
D. Risk governance framework
View answer
Correct Answer: A
Question #339
An information security manager is evaluating the key risk indicators (KRIs) for an organization's information security program. Which of the following would be the information security manager's GREATEST concern?
A. Undefined thresholds to trigger alerts
B. Multiple KRIs for a single control process
C. Use of qualitative measures
D. Lack of formal KRI approval from IT management
View answer
Correct Answer: A
Question #340
Implementing a strong password policy is part of an organization’s information security strategy for the year. A business unit believes the strategy may adversely affect a client’s adoption of a recently developed mobile application and has decided not to implement the policy.Which of the following is the information security manager’s BEST course of action?
A. Analyze the risk and impact of not implementing the policy
B. Develop and implement a password policy for the mobile application
C. Escalate non-implementation of the policy to senior management
D. Benchmark with similar mobile applications to identify gaps
View answer
Correct Answer: C
Question #341
Which of the following should be the MOST important criteria when defining data retention policies?
A. Capacity requirements
B. Audit findings
C. Regulatory requirements
D. Industry best practices
View answer
Correct Answer: C
Question #342
An information security manager is developing a business case for an investment in an information security control. The FIRST step should be to:
A. research vendor pricing to show cost efficiency
B. assess potential impact to the organization
C. demonstrate increased productivity of security staff
D. gain audit buy-in for the security control
View answer
Correct Answer: B
Question #343
Which of the following is the BEST approach for an information security manager when developing new information security policies?
A. Create a stakeholder map
B. Reference an industry standard
C. Establish an information security governance committee
D. Download a policy template
View answer
Correct Answer: C
Question #344
What should be the PRIMARY basis for establishing a recovery time objective (RTO) for a critical business application?
A. Business impact analysis (BIA) results
B. Related business benchmarks
C. Risk assessment results
D. Legal and regulatory requirements
View answer
Correct Answer: A

View Answers after Submission

Please submit your email and WhatsApp to get the answers of questions.

Note: Please make sure your email ID and Whatsapp are valid so that you can get the correct exam results.

Email:
Whatsapp/phone number: