Latest ISACA CISM Exam Questions for Effective Exam Preparation

Unlock the power of SPOTO's ISACA CISM exam questions to propel your Certified Information Security Manager (CISM) certification journey forward. Dive into comprehensive exam questions and answers designed to enhance your understanding of risk assessment, governance implementation, and incident response strategies. With SPOTO's test questions and exam preparation materials, you'll gain a competitive edge in tackling data breaches, ransomware attacks, and other evolving security threats. Access valuable study materials and exam resources curated to help you pass successfully. Engage in realistic mock exams to simulate the exam environment and boost your confidence. Prepare with SPOTO and become a Certified Information Security Manager equipped to navigate today's cybersecurity challenges with expertise and confidence.

Question #1
Effective IT governance is BEST ensured by:
A. utilizing a bottom-up approach
B. management by the IT department
C. referring the matter to the organization's legal department
D. utilizing a top-down approach
Correct Answer: D
Question #2
To BEST improve the alignment of the information security objectives in an organization, the chief information security officer (CISO) should:
A. revise the information security program
B. evaluate a balanced business scorecard
C. conduct regular user awareness sessions
D. perform penetration tests
Correct Answer: B
Question #3
An information security manager learns that users of an application are frequently using emergency elevated access privileges to process transactions. Which of the following should be done FIRST?
A. Request justification from the user’s managers for emergency access
B. Request the application administrator block all emergency access profiles
C. Update the frequency and usage of the emergency access profile in the policy
D. Review the security architecture of the application and recommend changes
Correct Answer: D
Question #4
Which of the following would MOST likely require a business continuity plan to be invoked?
A. An unauthorized visitor discovered in the data center
B. A distributed denial of service attack on an e-mail server
C. An epidemic preventing staff from performing job functions
D. A hacker holding personally identifiable information hostage
Correct Answer: B
Question #5
Which of the following should be determined FIRST when preparing a risk communication plan?
A. Target audience
B. Communication channel
C. Reporting content
D. Reporting frequency
Correct Answer: A
Question #6
An organization plans to leverage popular social network platforms to promote its products and services. Which of the following is the BEST course of action for the information security manager to support this initiative?
A. Develop security controls for the use of social networks
B. Assess the security risk associated with the use of social networks
C. Establish processes to publish content on social networks
D. Conduct vulnerability assessments on social network platforms
Correct Answer: C
Question #7
An IT department plans to migrate an application to the public cloud. Which of the following is the information security manager's MOST important action in support of this initiative?
A. Calculate security implementation costs
B. Evaluate service level agreements (SLAs)
C. Provide cloud security requirements
D. Review cloud provider independent assessment reports
Correct Answer: B
Question #8
Which of the following BEST enables the deployment of consistent security throughout international branches within a multinational organization?
A. Maturity of security processes
B. Remediation of audit findings
C. Decentralization of security governance
D. Establishment of security governance
Correct Answer: D
Question #9
To ensure the information security of outsourced IT services, which of the following is the MOST critical due diligence activity?
A. Review samples of service level reports from the service provider
B. Assess the level of security awareness of the service provider
C. Request that the service provider comply with information security policy
D. Review the security status of the service provider
Correct Answer: C
Question #10
Which of the following is the PRIMARY reason to conduct periodic business impact assessments?
A. Improve the results of last business impact assessment
B. Update recovery objectives based on new risks
C. Decrease the recovery times
D. Meet the needs of the business continuity policy
Correct Answer: B
Question #11
Conflicting objectives are MOST likely to compromise the effectiveness of the information security process when information security management is:
A. reporting to the network infrastructure manager
B. outside of information technology
C. partially staffed by external security consultants
D. combined with the change management function
Correct Answer: D
Question #12
The MAIN advantage of implementing automated password synchronization is that it:
A. reduces overall administrative workload
B. increases security between multi-tier systems
C. allows passwords to be changed less frequently
D. reduces the need for two-factor authentication
Correct Answer: A
Question #13
The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization's security requirements is:
A. messages displayed at every logon
B. periodic security-related e-mail messages
C. an Intranet web site for information security
D. circulating the information security policy
Correct Answer: A
Question #14
An organization’s outsourced firewall was poorly configured and allowed unauthorized access that resulted in downtime of 48 hours. Which of the following should be the information security manager’s NEXT course of action?
A. Reconfigure the firewall in accordance with best practices
B. Obtain supporting evidence that the problem has been corrected
C. Revisit the contract and improve accountability of the service provider
D. Seek damages from the service provider
Correct Answer: B
Question #15
An organization is MOST at risk from a new worm being introduced through the intranet when:
A. desktop virus definition files are not up to date
B. system software does not undergo integrity checks
C. hosts have static IP addresses
D. executable code is run from inside the firewall
Correct Answer: A
Question #16
Management has announced the acquisition of a new company. The information security manager of the parent company is concerned that conflicting access rights may cause critical information to be exposed during the integration of the two companies. To BEST address this concern, the information security manager should:
A. escalate concern for conflicting access rights to management
B. implement consistent access control standards
C. review access rights as the acquisition integration occurs
D. perform a risk assessment of the access rights
Correct Answer: B
Question #17
An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID on the URL used for accessing the account. The vulnerability identified is:
A. broken authentication
B. unvalidated input
C. cross-site scripting
D. structured query language (SQL) injection
Correct Answer: A
Question #18
Which is the BEST way for an organization to monitor security risk?
A. Analyzing key performance indicators (KPIs)
B. Using external risk intelligence services
C. Using a dashboard to assess vulnerabilities
D. Analyzing key risk indicators (KRIs)
Correct Answer: D
Question #19
Senior management has allocated funding to each of the organization’s divisions to address information security vulnerabilities. The funding is based on each division’s technology budget from the previous fiscal year. Which of the following should be of GREATEST concern to the information security manager?
A. Areas of highest risk may not be adequately prioritized for treatment
B. Redundant controls may be implemented across divisions
C. Information security governance could be decentralized by division
D. Return on investment may be inconsistently reported to senior management
Correct Answer: A
Question #20
In the event that a password policy cannot be implemented for a legacy application, which of the following is the BEST course of action?
A. Update the application security policy
B. Implement compensating control
C. Submit a waiver for the legacy application
D. Perform an application security assessment
Correct Answer: B
Question #21
The PRIMARY benefit of integrating information security risk into enterprise risk management is to:
A. ensure timely risk mitigation
B. justify the information security budget
C. obtain senior management’s commitment
D. provide a holistic view of risk
Correct Answer: D
Question #22
Which of the following has the GREATEST impact on efforts to improve an organization’s security posture?
A. Supportive tone at the top management regarding security
B. Well-documented security policies and procedures
C. Regular reporting to senior management
D. Automation of security controls
Correct Answer: A
Question #23
Which of the following will BEST ensure that management takes ownership of the decision making process for information security?
A. Security policies and procedures
B. Annual self-assessment by management
C. Security-steering committees
D. Security awareness campaigns
Correct Answer: C
Question #24
Which of the following should be the PRIMARY expectation of management when an organization introduces an information security governance framework?
A. Optimized information security resources
B. Consistent execution of information security strategy
C. Improved accountability to shareholders
D. Increased influence of security management
Correct Answer: B
Question #25
A message that has been encrypted by the sender's private key and again by the receiver's public key achieves:
A. authentication and authorization
B. confidentiality and integrity
C. confidentiality and nonrepudiation
D. authentication and nonrepudiation
Correct Answer: C
Question #26
Which of the following is the MOST effective way to protect the authenticity of data in transit?
A. Hash value
B. Digital signature
C. Public key
D. Private key
Correct Answer: B
Question #27
Which of the following is MOST helpful in securing funding for a commercial vulnerability assessment tool?
A. Explaining the business value of vulnerability remediation
B. Identifying applicable legal and regulatory requirements
C. Presenting a vulnerability scan report for current business systems
D. Developing security metrics linked to business objectives
Correct Answer: A
Question #28
After undertaking a security assessment of a production system, the information security manager is MOST likely to:
A. inform the system owner of any residual risks and propose measures to reduce them
B. inform the development team of any residual risks, and together formulate risk reduction measures
C. inform the IT manager of the residual risks and propose measures to reduce them
D. establish an overall security program that minimizes the residual risks of that production system
Correct Answer: A
Question #29
Information security policy enforcement is the responsibility of the:
A. security steering committee
B. chief information officer (CIO)
C. chief information security officer (CISO)
D. chief compliance officer (CCO)
Correct Answer: C
Question #30
The PRIMARY reason an organization would require that users sign an acknowledgment of their system access responsibilities is to:
A. maintain an accurate record of users’ access rights
B. serve as evidence of security awareness training
C. maintain compliance with industry best practices
D. assign accountability for transactions made with the user’s ID
Correct Answer: A
Question #31
An organization’s senior management is encouraging employees to use social media for promotional purposes. Which of the following should be the information security manager’s FIRST step to support this strategy?
A. Incorporate social media into the security awareness program
B. Develop a guideline on the acceptable use of social media
C. Develop a business case for a data loss prevention (DLP) solution
D. Employ the use of a web content filtering solution
Correct Answer: B
Question #32
An organization has concerns regarding a potential advanced persistent threat (APT). To ensure that the risk associated with this threat is appropriately managed, what should be the organization's FIRST action?
A. Report to senior management
B. Initiate incident response processes
C. Implement additional controls
D. Conduct an impact analysis
Correct Answer: D
Question #33
Which of the following is the BEST method for management to obtain assurance of compliance with its security policy?
A. Review security incident logs
B. Train staff on their compliance responsibilities
C. Conduct regular independent reviews
D. Question staff concerning their security duties
Correct Answer: C
Question #34
Which of the following devices should be placed within a DMZ?
A. Router
B. Firewall
C. Mail relay
D. Authentication server
Correct Answer: C
Question #35
Which of the following security mechanisms is MOST effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network?
A. Configuration of firewalls
B. Strength of encryption algorithms
C. Authentication within application
D. Safeguards over keys
Correct Answer: D
Question #36
An information security manager at a global organization that is subject to regulation by multiple governmental jurisdictions with differing requirements should:
A. bring all locations into conformity with the aggregate requirements of all governmental jurisdictions
B. establish baseline standards for all locations and add supplemental standards as required
C. bring all locations into conformity with a generally accepted set of industry best practices
D. establish a baseline standard incorporating those requirements that all jurisdictions have in common
Correct Answer: B
Question #37
In addition to cost, what is the BEST criterion for selecting countermeasures following a risk assessment?
A. Effort of implementation
B. Skill requirements for implementation
C. Effectiveness of each option
D. Maintenance requirements
Correct Answer: C
Question #38
Senior management commitment and support will MOST likely be offered when the value of information security governance is presented from a:
A. threat perspective
B. compliance perspective
C. risk perspective
D. policy perspective
Correct Answer: D
Question #39
An organization is considering the adoption of cloud service providers for its expanding global business operations. Which of the following is MOST important for the information security manager to review with regard to data protection?
A. Data privacy policy
B. Security policy and standards
C. Organizational requirements
D. Local laws and regulations
Correct Answer: A
Question #40
For an organization with a large and complex IT infrastructure, which of the following elements of a disaster recovery hot site service will require the closest monitoring?
A. Employee access
B. Audit rights
C. Systems configurations
D. Number of subscribers
Correct Answer: C
Question #41
An information security manager is advised by contacts in law enforcement that there is evidence that his/her company is being targeted by a skilled gang of hackers known to use a variety of techniques, including social engineering and network penetration. The FIRST step that the security manager should take is to:
A. perform a comprehensive assessment of the organization's exposure to the hacker's techniques
B. initiate awareness training to counter social engineering
C. immediately advise senior management of the elevated risk
D. increase monitoring activities to provide early detection of intrusion
Correct Answer: C
Question #42
The likelihood of a successful attack is a function of:
A. incentive and capability of the intruder
B. opportunity and asset value
C. threat and vulnerability levels
D. value and desirability to the intruder
Correct Answer: A
Question #43
Which of the following should be done FIRST when establishing security measures for personal data stored and processed on a human resources management system?
A. Conduct a privacy impact assessment (PIA)
B. Evaluate data encryption technologies
C. Move the system into a separate network
D. Conduct a vulnerability assessment
Correct Answer: A
Question #44
Which of the following metrics is the BEST indicator of an abuse of the change management process that could compromise information security?
A. Small number of change requests
B. Large percentage decrease in monthly change requests
C. Percentage of changes that include post-approval supplemental add-ons
D. High ratio of lines of code changed to total lines of code
Correct Answer: B
Question #45
It is important to develop an information security baseline because it helps to define:
A. critical information resources needing protection
B. a security policy for the entire organization
C. the minimum acceptable security to be implemented
D. required physical and logical access controls
Correct Answer: C
Question #46
Which of the following is the BEST way to ensure that organizational security policies comply with data security regulatory requirements?
A. Obtain annual sign-off from executive management
B. Align the policies to the most stringent global regulations
C. Outsource compliance activities
D. Send the policies to stakeholders for review
Correct Answer: C
Question #47
Which of the following should be the PRIMARY consideration for an information security manager when designing security controls for a newly acquired business application?
A. Known vulnerabilities in the application
B. The IT security architecture framework
C. Cost-benefit analysis of current controls
D. Business processes supported by the application
Correct Answer: C
Question #48
A business previously accepted the risk associated with a zero-day vulnerability. The same vulnerability was recently exploited in a high-profile attack on another organization in the same industry. Which of the following should be the information security manager’s FIRST course of action?
A. Reassess the risk in terms of likelihood and impact
B. Develop best and worst case scenarios
C. Report the breach of the other organization to senior management
D. Evaluate the cost of remediating the vulnerability
Correct Answer: A
Question #49
When creating an information security governance program, which of the following will BEST enable the organization to address regulatory compliance requirements?
A. Guidelines for processes and procedures
B. A security control framework
C. An approved security strategy plan
D. Input from the security steering committee
Correct Answer: A
Question #50
An organization has identified an increased threat of external brute force attacks in its environment. Which of the following is the MOST effective way to mitigate this risk to the organization's critical systems?
A. Increase the sensitivity of intrusion detection systems
B. Implement multi-factor authentication (MFA)
C. Implement a security information and event management system (SIEM)
D. Increase the frequency of log monitoring and analysis
Correct Answer: B
Question #51
Which of the following MOST efficiently ensures the proper installation of a firewall policy that restricts a small group of internal IP addresses from accessing the Internet?
A. A connectivity test from the restricted host
B. A simulated denial of service attack against the firewall
C. A port scan of the firewall from an external source
D. A review of the current firewall configuration
Correct Answer: A
Question #52
During which stage of the software development life cycle (SDLC) should application security controls FIRST be addressed?
A. Software code development
B. Configuration management
C. Application system design
D. Requirements gathering
Correct Answer: D
Question #53
The FIRST step to create an internal culture that focuses on information security is to:
A. implement stronger controls
B. conduct periodic awareness training
C. actively monitor operations
D. gain the endorsement of executive management
Correct Answer: D
Question #54
Which of the following is the BEST method to provide a new user with their initial password for e-mail system access?
A. Interoffice a system-generated complex password with 30 days expiration
B. Give a dummy password over the telephone set for immediate expiration
C. Require no password but force the user to set their own in 10 days
D. Set initial password equal to the user ID with expiration in 30 days
Correct Answer: B
Question #55
What is the BEST way to determine the level of risk associated with information assets processed by an IT application?
A. Evaluate the potential value of information for an attacker
B. Calculate the business value of the information assets
C. Review the cost of acquiring the information assets for the business
D. Research compliance requirements associated with the information
Correct Answer: B
Question #56
Which of the following should be established FIRST when implementing an information security governance framework?
A. Security incident management team
B. Security awareness training program
C. Security architecture
D. Security policies
Correct Answer: D
Question #57
Which of the following is MOST important for an information security manager to verify before conducting full-functional continuity testing?
A. Risk acceptance by the business has been documented
B. Incident response and recovery plans are documented in simple language
C. Teams and individuals responsible for recovery have been identified
D. Copies of recovery and incident response plans are kept offsite
Correct Answer: C
Question #58
The GREATEST benefit resulting from well-documented information security procedures is that they:
A. ensure that security policies are consistently applied
B. ensure that critical processes can be followed by temporary staff
C. facilitate security training of new staff
D. provide a basis for auditing security practices
Correct Answer: A
Question #59
Which of the following processes is the FIRST step in establishing an information security policy?
A. Security controls evaluation
B. Information security audit
C. Review of current global standards
D. Business risk assessment
Correct Answer: D
Question #60
Which of the following mechanisms is the MOST secure way to implement a secure wireless network?
A. Filter media access control (MAC) addresses
B. Use a Wi-Fi Protected Access (WPA2) protocol
C. Use a Wired Equivalent Privacy (WEP) key
D. Web-based authentication
Correct Answer: B
Question #61
The purpose of a corrective control is to:
A. reduce adverse events
B. indicate compromise
C. mitigate impact
D. ensure compliance
Correct Answer: C
Question #62
Senior management asks the information security manager for justification before approving the acquisition of a new intrusion detection system (IDS). The BEST course of action is to provide:
A. documented industry best practices
B. a gap analysis against the new IDS controls
C. a business case
D. a business impact analysis (BIA)
Correct Answer: C
Question #63
Which of the following BEST protects against phishing attacks?
A. Application whitelisting
B. Network encryption
C. Email filtering
D. Security strategy training
Correct Answer: C
Question #64
Which of the following is MOST important to consider when handling digital evidence during the forensics investigation of a cybercrime?
A. Business strategies
B. Industry best practices
C. Global standards
D. Local regulations
Correct Answer: D
Question #65
Which of the following should be the FIRST step in developing an information security plan?
A. Perform a technical vulnerabilities assessment
B. Analyze the current business strategy
C. Perform a business impact analysis
D. Assess the current levels of security awareness
Correct Answer: B
Question #66
Which of the following would be MOST useful in a report to senior management for evaluating changes in the organization’s information security risk position?
A. Risk register
B. Trend analysis
C. Industry benchmarks
D. Management action plan
Correct Answer: A
Question #67
Which of the following provides the GREATEST assurance that information security is addressed in change management?
A. Performing a security audit on changes
B. Providing security training for change advisory board
C. Requiring senior management sign-off on change management
D. Reviewing changes from a security perspective
Correct Answer: D
Question #68
Which of the following is the MOST effective way of ensuring that business units comply with an information security governance framework?
A. Integrating security requirements with processes
B. Performing security assessments and gap analysis
C. Conducting a business impact analysis (BIA)
D. Conducting information security awareness training
Correct Answer: B
Question #69
Which of the following will BEST facilitate the development of appropriate incident response procedures?
A. Conducting scenario testing
B. Performing vulnerability assessments
C. Analyzing key risk indicators (KRIs)
D. Assessing capability maturity
Correct Answer: A
Question #70
Which of the following is the MOST effective method of determining security priorities?
A. Impact analysis
B. Threat assessment
C. Vulnerability assessment
D. Gap analysis
Correct Answer: A
Question #71
In an organization implementing a data classification program, ultimate responsibility for the data on the database server lies with the:
A. information security manager
B. business unit manager
C. database administrator (DBA)
D. information technology manager
Correct Answer: A
Question #72
The PRIMARY reason to classify information assets should be to ensure:
A. proper access control
B. senior management buy-in
C. insurance valuation is appropriate
D. proper ownership is established
Correct Answer: D
Question #73
An organization’s marketing department has requested access to cloud-based collaboration sites for exchanging media files with external marketing companies. As a result, the information security manager has been asked to perform a risk assessment. Which of the following should be the MOST important consideration?
A. The information to be exchanged
B. Methods for transferring the information
C. Reputations of the external marketing companies
D. The security of the third-party cloud provider
Correct Answer: B
Question #74
Which of the following is a step in establishing a security policy?
A. Developing platform-level security baselines
B. Creating a RACI matrix
C. Implementing a process for developing and maintaining the policy
D. Developing configuration parameters for the network
Correct Answer: C
Question #75
When a security standard conflicts with a business objective, the situation should be resolved by:
A. changing the security standard
B. changing the business objective
C. performing a risk analysis
D. authorizing a risk acceptance
Correct Answer: C
Question #76
Which of the following situations must be corrected FIRST to ensure successful information security governance within an organization?
A. The information security department has difficulty filling vacancies
B. The chief information officer (CIO) approves security policy changes
C. The information security oversight committee only meets quarterly
D. The data center manager has final signoff on all security projects
Correct Answer: D
Question #77
The FIRST step in establishing an information security program is to:
A. define policies and standards that mitigate the organization’s risks
B. secure organizational commitment and support
C. assess the organization’s compliance with regulatory requirements
D. determine the level of risk that is acceptable to senior management
Correct Answer: B
Question #78
Which of the following is the PRIMARY reason for executive management to be involved in establishing an enterprise’s security management framework?
A. To determine the desired state of enterprise security
B. To establish the minimum level of controls needed
C. To satisfy auditors’ recommendations for enterprise security
D. To ensure industry best practices for enterprise security are followed
Correct Answer: A
Question #79
What is the BEST method to verify that all security patches applied to servers were properly documented?
A. Trace change control requests to operating system (OS) patch logs
B. Trace OS patch logs to OS vendor's update documentation
C. Trace OS patch logs to change control requests
D. Review change control documentation for key servers
Correct Answer: C
Question #80
A validated patch to address a new vulnerability that may affect a mission-critical server has been released. What should be done immediately?
A. Add mitigating controls
B. Take the server off-line and install the patch
C. Check the server’s security and install the patch
D. Conduct an impact analysis
Correct Answer: D
Question #81
A CEO requires that information security risk management is practiced at the organizational level through a central risk register. Which of the following is the MOST important reason to report a summary of this risk register to the board?
A. To facilitate alignment between risk management and organizational objectives
B. To ensure adequate funding is available for risk management and mitigation
C. To comply with the organization's regulatory and legal requirements
D. To ensure alignment with industry standards and trends
Correct Answer: A
Question #82
From a business perspective, the MOST important function of information security is to support:
A. predictable operations
B. international standards
C. security awareness
D. corporate policy
Correct Answer: D
Question #83
Which of the following risks would BEST be assessed using qualitative risk assessment techniques?
A. Theft of purchased software
B. Power outage lasting 24 hours
C. Permanent decline in customer confidence
D. Temporary loss of e-mail due to a virus attack
Correct Answer: C
Question #84
A regulatory organization sends an email to an information security manager warning of an impending cyber-attack. The information security manager should FIRST:
A. validate the authenticity of the alert
B. determine whether the attack is in progress
C. alert the network operations center
D. reply asking for more details
Correct Answer: A
Question #85
Which of the following should be done FIRST when selecting performance metrics to report on the vendor risk management process?
A. Review the confidentiality requirements
B. Identify the data owner
C. Select the data source
D. Identify the intended audience
View answer
Correct Answer: B
Question #86
Without prior approval, a training department enrolled the company in a free cloud-based collaboration site and invited employees to use it. Which of the following is the BEST response of the information security manager?
A. Conduct a risk assessment and develop an impact analysis
B. Update the risk register and review the information security strategy
C. Report the activity to senior management
D. Allow temporary use of the site and monitor for data leakage
View answer
Correct Answer: C
Question #87
Which of the following could be detected by a network intrusion detection system (IDS)?
A. Undocumented open ports
B. Unauthorized file change
C. Internally generated attacks
D. Emailed virus attachments
View answer
Correct Answer: A
Question #88
Which of the following is BEST to include in a business case when the return on investment (ROI) for an information security initiative is difficult to calculate?
A. Estimated reduction in risk
B. Estimated increase in efficiency
C. Projected costs over time
D. Projected increase in maturity level
View answer
Correct Answer: A
Question #89
Which of the following would provide the BEST justification for a new information security investment?
A. Results of a comprehensive threat analysis
B. Projected reduction in risk
C. Senior management involvement in project prioritization
D. Defined key performance indicators (KPIs)
View answer
Correct Answer: A
Question #90
A risk was identified during a risk assessment. The business process owner has chosen to accept the risk because the cost of remediation is greater than the projected cost of a worst-case scenario. What should be the information security manager's NEXT course of action?
A. Determine a lower-cost approach to remediation
B. Document and schedule a date to revisit the issue
C. Shut down the business application
D. Document and escalate to senior management
View answer
Correct Answer: D
Question #91
When an information security manager is developing a strategic plan for information security, the timeline for the plan should be:
A. aligned with the IT strategic plan
B. based on the current rate of technological change
C. three-to-five years for both hardware and software
D. aligned with the business strategy
View answer
Correct Answer: D
Question #92
Which of the following devices could potentially stop a Structured Query Language (SQL) injection attack?
A. An intrusion prevention system (IPS)
B. An intrusion detection system (IDS)
C. A host-based intrusion detection system (HIDS)
D. A host-based firewall
View answer
Correct Answer: A
Question #93
What should be the PRIMARY objective of conducting interviews with business unit managers when developing an information security strategy?
A. Determine information types
B. Obtain information on departmental goals
C. Identify data and system ownership
D. Classify information assets
View answer
Correct Answer: B
Question #94
An organization is planning to open a new office in another country. Sensitive data will be routinely sent between the two offices. What should be the information security manager’s FIRST course of action?
A. Identify applicable regulatory requirements to establish security policies
B. Update privacy policies to include the other country’s laws and regulations
C. Apply the current corporate security policies to the new office
D. Encrypt the data for transfer to the head office based on security manager approval
View answer
Correct Answer: A
Question #95
What is the BEST course of action when an information security manager finds an external service provider has not implemented adequate controls for safeguarding the organization’s critical data?
A. Assess the impact of the control gap
B. Initiate contract renegotiations
C. Purchase additional insurance
D. Conduct a controls audit of the provider
View answer
Correct Answer: A
Question #96
Ensuring that activities performed by outsourcing providers comply with information security policies can BEST be accomplished through the use of:
A. service level agreements
B. independent audits
C. explicit contract language
D. local regulations
View answer
Correct Answer: B
Question #97
An organization has adopted a practice of regular staff rotation to minimize the risk of fraud and encourage cross training. Which type of authorization policy would BEST address this practice?
A. Multilevel
B. Role-based
C. Discretionary
D. Attribute-based
View answer
Correct Answer: B
Question #98
An information security manager has developed a strategy to address new information security risks resulting from recent changes in the business. Which of the following would be MOST important to include when presenting the strategy to senior management?
A. The costs associated with business process changes
B. Results of benchmarking against industry peers
C. The impact of organizational changes on the security risk profile
D. Security controls needed for risk mitigation
View answer
Correct Answer: C
Question #99
Which of the following BEST describes the scope of risk analysis?
A. Key financial systems
B. Organizational activities
C. Key systems and infrastructure
D. Systems subject to regulatory compliance
View answer
Correct Answer: B
Question #100
Relying on which of the following methods when detecting new threats using IDS should be of MOST concern?
A. Statistical pattern recognition
B. Attack signatures
C. Heuristic analysis
D. Traffic analysis
View answer
Correct Answer: B
Question #101
Which metric is the BEST indicator that an update to an organization’s information security awareness strategy is effective?
A. A decrease in the number of incidents reported by staff
B. A decrease in the number of email viruses detected
C. An increase in the number of email viruses detected
D. An increase in the number of incidents reported by staff
View answer
Correct Answer: A
Question #102
A core business unit relies on an effective legacy system that does not meet the current security standards and threatens the enterprise network. Which of the following is the BEST course of action to address the situation?
A. Document the deficiencies in the risk register
B. Disconnect the legacy system from the rest of the network
C. Require that new systems that can meet the standards be implemented
D. Develop processes to compensate for the deficiencies
View answer
Correct Answer: A
Question #103
A digital signature using a public key infrastructure (PKI) will:
A. not ensure the integrity of a message
B. rely on the extent to which the certificate authority (CA) is trusted
C. require two parties to the message exchange
D. provide a high level of confidentiality
View answer
Correct Answer: B
Question #104
An organization is considering a self-service solution for the deployment of virtualized development servers. Which of the following should be the information security manager’s PRIMARY concern?
A. Ability to maintain server security baseline
B. Ability to remain current with patches
C. Generation of excessive security event logs
D. Segregation of servers from the production environment
View answer
Correct Answer: D
Question #105
Which of the following will MOST effectively minimize the chance of inadvertent disclosure of confidential information?
A. Following the principle of least privilege
B. Restricting the use of removable media
C. Applying data classification rules
D. Enforcing penalties for security policy violations
View answer
Correct Answer: C
Question #106
When developing an information security governance framework, which of the following should be the FIRST activity?
A. Integrate security within the system’s development life-cycle process
B. Align the information security program with the organization’s other risk and control activities
C. Develop policies and procedures to support the framework
D. Develop response measures to detect and ensure the closure of security breaches
View answer
Correct Answer: B
Question #107
Which of the following would BEST ensure that application security standards are in place?
A. Functional testing
B. Performing a code review
C. Publishing software coding standards
D. Penetration testing
View answer
Correct Answer: D
Question #108
Which of the following is the MOST important function of information security?
A. Managing risk to the organization
B. Reducing the financial impact of security breaches
C. Identifying system vulnerabilities
D. Preventing security incidents
View answer
Correct Answer: A
Question #109
The PRIMARY goal of information security governance to an organization is to:
A. align with business processes
B. align with business objectives
C. establish a security strategy
D. manage security costs
View answer
Correct Answer: B
Question #110
When establishing an information security governance framework, it is MOST important for an information security manager to understand:
A. the regulatory environment
B. information security best practices
C. the corporate culture
D. risk management techniques
View answer
Correct Answer: A
Question #111
Which of the following should an information security manager perform FIRST when an organization’s residual risk has increased?
A. Implement security measures to reduce the risk
B. Communicate the information to senior management
C. Transfer the risk to third parties
D. Assess the business impact
View answer
Correct Answer: D
Question #112
An organization recently rolled out a new procurement program that does not include any security requirements. Which of the following should the information security manager do FIRST?
A. Conduct security assessments of vendors based on value of annual spend with each vendor
B. Meet with the head of procurement to discuss aligning security with the organization's operational objectives
C. Ask internal audit to conduct an assessment of the current state of third-party security controls
D. Escalate the procurement program gaps to the compliance department in case of noncompliance issues
View answer
Correct Answer: B
Question #113
Which of the following is a PRIMARY responsibility of the information security governance function?
A. Defining security strategies to support organizational programs
B. Ensuring adequate support for solutions using emerging technologies
C. Fostering a risk-aware culture to strengthen the information security program
D. Advising senior management on optimal levels of risk appetite and tolerance
View answer
Correct Answer: A
Question #114
The effectiveness of the information security process is reduced when an outsourcing organization:
A. is responsible for information security governance activities
B. receives additional revenue when security service levels are met
C. incurs penalties for failure to meet security service-level agreements
D. standardizes on a single access-control software product
View answer
Correct Answer: A
Question #115
Which of the following tools is MOST appropriate to assess whether information security governance objectives are being met?
A. SWOT analysis
B. Waterfall chart
C. Gap analysis
D. Balanced scorecard
View answer
Correct Answer: D
Question #116
Senior management has endorsed a comprehensive information security policy. Which of the following should the organization do NEXT?
A. Promote awareness of the policy among employees
B. Seek policy buy-in from business stakeholders
C. Implement an authentication and authorization system
D. Identify relevant information security frameworks for adoption
View answer
Correct Answer: B
Question #117
The PRIMARY disadvantage of using a cold-site recovery facility is that it is:
A. unavailable for testing during normal business hours
B. only available if not being used by the primary tenant
C. not possible to reserve test dates in advance
D. not cost-effective for testing critical applications at the site
View answer
Correct Answer: A
Question #118
When a departmental system continues to be out of compliance with an information security policy's password strength requirements, the BEST action to undertake is to:
A. submit the issue to the steering committee
B. conduct an impact analysis to quantify the risks
C. isolate the system from the rest of the network
D. request a risk acceptance from senior management
View answer
Correct Answer: B
Question #119
An organization has implemented a bring your own device (BYOD) program. Which of the following is the GREATEST risk to the organization?
A. Lack of nonrepudiation
B. Device incompatibility
C. Device theft
D. Data leakage
View answer
Correct Answer: D
Question #120
Which of the following is MOST important to the successful implementation of an information security governance framework across the organization?
A. Organizational security controls deployed in line with regulations
B. Security management processes aligned with security objectives
C. The existing organizational security culture
D. Security policies that adhere to industry best practices
View answer
Correct Answer: B
Question #121
An information security manager finds that a soon-to-be deployed online application will increase risk beyond acceptable levels, and necessary controls have not been included. Which of the following is the BEST course of action for the information security manager?
A. Present a business case for additional controls to senior management
B. Instruct IT to deploy controls based on urgent business needs
C. Solicit bids for compensating control products
D. Recommend a different application
View answer
Correct Answer: A
Question #122
Which of the following is an indicator of improvement in the ability to identify security risks?
A. Increased number of reported security incidents
B. Decreased number of staff requiring information security training
C. Decreased number of information security risk assessments
D. Increased number of security audit issues resolved
View answer
Correct Answer: D
Question #123
Logging is an example of which type of defense against systems compromise?
A. Containment
B. Detection
C. Reaction
D. Recovery
View answer
Correct Answer: B
Question #124
The MOST important element in achieving executive commitment to an information security governance program is:
A. a defined security framework
B. identified business drivers
C. established security strategies
D. a process improvement model
View answer
Correct Answer: B
Question #125
Which of the following is the MOST appropriate individual to implement and maintain the level of information security needed for a specific business application?
A. System analyst
B. Quality control manager
C. Process owner
D. Information security manager
View answer
Correct Answer: C
Question #126
Which of the following BEST protects against web-based cross-domain attacks?
A. Database hardening
B. Application controls
C. Network addressing scheme
D. Encryption controls
View answer
Correct Answer: B
Question #127
Which of the following is MOST effective in preventing weaknesses from being introduced into existing production systems?
A. Patch management
B. Change management
C. Security baselines
D. Virus detection
View answer
Correct Answer: B
Question #128
What should be an organization’s MAIN concern when evaluating an Infrastructure as a Service (IaaS) cloud computing model for an e-commerce application?
A. Availability of provider’s services
B. Internal audit requirements
C. Where the application resides
D. Application ownership
View answer
Correct Answer: A
Question #129
Which of the following MOST effectively helps an organization to align information security governance with corporate governance?
A. Promoting security as enabler to achieve business objectives
B. Prioritizing security initiatives based on IT strategy
C. Adopting global security standards to achieve business goals
D. Developing security performance metrics
View answer
Correct Answer: A
Question #130
The BEST way to justify the implementation of a single sign-on (SSO) product is to use:
A. return on investment (ROI)
B. a vulnerability assessment
C. annual loss expectancy (ALE)
D. a business case
View answer
Correct Answer: D
Question #131
Risk assessment should be built into which of the following systems development phases to ensure that risks are addressed in a development project?
A. Programming
B. Specification
C. User testing
D. Feasibility
View answer
Correct Answer: D
Question #132
Which of the following would BEST prepare an information security manager for regulatory reviews?
A. Assign an information security administrator as regulatory liaison
B. Perform self-assessments using regulatory guidelines and reports
C. Assess previous regulatory reports with process owners input
D. Ensure all regulatory inquiries are sanctioned by the legal department
View answer
Correct Answer: B
Question #133
An information security manager has completed a risk assessment and has determined the residual risk. Which of the following should be the NEXT step?
A. Conduct an evaluation of controls
B. Determine if the risk is within the risk appetite
C. Implement countermeasures to mitigate risk
D. Classify all identified risks
View answer
Correct Answer: B
Question #134
A border router should be placed on which of the following?
A. Web server
B. IDS server
C. Screened subnet
D. Domain boundary
View answer
Correct Answer: D
Question #135
Which of the following is the MOST important reason for an organization to develop an information security governance program?
A. Establishment of accountability
B. Compliance with audit requirements
C. Monitoring of security incidents
D. Creation of tactical solutions
View answer
Correct Answer: B
Question #136
Which of the following is MOST essential for a risk management program to be effective?
A. Flexible security budget
B. Sound risk baseline
C. New risks detection
D. Accurate risk reporting
View answer
Correct Answer: C
Question #137
Attackers who exploit cross-site scripting vulnerabilities take advantage of:
A. a lack of proper input validation controls
B. weak authentication controls in the web application layer
C. flawed cryptographic secure sockets layer (SSL) implementations and short key lengths
D. implicit web application trust relationships
View answer
Correct Answer: A
Question #138
Which of the following would provide the MOST effective security outcome in an organization’s contract management process?
A. Extending security assessment to include random penetration testing
B. Extending security assessment to cover asset disposal on contract termination
C. Performing vendor security benchmark analyses at the request-for-proposal (RFP) stage
D. Ensuring security requirements are defined at the request-for-proposal (RFP) stage
View answer
Correct Answer: C
Question #139
Which of the following would BEST help to identify vulnerabilities introduced by changes to an organization’s technical infrastructure?
A. An intrusion detection system
B. Established security baselines
C. Penetration testing
D. Log aggregation and correlation
View answer
Correct Answer: C
Question #140
What should the information security manager recommend to support the development of a new web application that will allow retail customers to view inventory and order products?
A. Building an access control matrix
B. Request customers adhere to baseline security standards
C. Access through a virtual private network (VPN)
D. Implementation of secure transmission protocols
View answer
Correct Answer: D
Question #141
What would a security manager PRIMARILY utilize when proposing the implementation of a security solution?
A. Risk assessment report
B. Technical evaluation report
C. Business case
D. Budgetary requirements
View answer
Correct Answer: C
Question #142
A business impact analysis should be periodically executed PRIMARILY to:
A. validate vulnerabilities on environmental changes
B. analyze the importance of assets
C. verify the effectiveness of controls
D. check compliance with regulations
View answer
Correct Answer: A
Question #143
Which of the following is the MOST important prerequisite to performing an information security risk assessment?
A. Classifying assets
B. Determining risk tolerance
C. Reviewing the business impact analysis
D. Assessing threats and vulnerabilities
View answer
Correct Answer: D
Question #144
When supporting a large corporation’s board of directors in the development of governance, which of the following is the PRIMARY function of the information security manager?
A. Gaining commitment of senior management
B. Preparing the security budget
C. Providing advice and guidance
D. Developing a balanced scorecard
View answer
Correct Answer: C
Question #145
Who is responsible for ensuring that information is categorized and that specific protective measures are taken?
A. The security officer
B. Senior management
C. The end user
D. The custodian
View answer
Correct Answer: B
Question #146
Which of the following is the MOST effective way for senior management to support the integration of information security governance into corporate governance?
A. Develop the information security strategy based on the enterprise strategy
B. Appoint a business manager as head of information security
C. Promote organization-wide information security awareness campaigns
D. Establish a steering committee with representation from across the organization
View answer
Correct Answer: A
Question #147
Relationships among security technologies are BEST defined through which of the following?
A. Security metrics
B. Network topology
C. Security architecture
D. Process improvement models
View answer
Correct Answer: C
Question #148
Which of the following is the MOST important requirement for the successful implementation of security governance?
A. Implementing a security balanced scorecard
B. Performing an enterprise-wide risk assessment
C. Mapping to organizational strategies
D. Aligning to an international security framework
View answer
Correct Answer: C
Question #149
As part of an international expansion plan, an organization has acquired a company located in another jurisdiction. Which of the following would be the BEST way to maintain any effective information security program?
A. Ensure information security is included in any change control efforts
B. Merge the two information security programs to establish continuity
C. Determine new factors that could influence the information security strategy
D. Implement the current information security program in the acquired company
View answer
Correct Answer: C
Question #150
An information security manager is recommending an investment in a new security initiative to address recently published threats. Which of the following would be MOST important to include in the business case?
A. Business impact if threats materialize
B. Availability of unused funds in the security budget
C. Threat information from reputable sources
D. Alignment of the new initiative with the approved business strategy
View answer
Correct Answer: A
Question #151
Which of the following is the MOST important consideration when selecting members for an information security steering committee?
A. Cross-functional composition
B. Information security expertise
C. Tenure in the organization
D. Business expertise
View answer
Correct Answer: A
Question #152
When implementing security architecture, an information security manager MUST ensure that security controls:
A. form multiple barriers against threats
B. are transparent
C. are the least expensive
D. are communicated through security policies
View answer
Correct Answer: A
Question #153
Which of the following is the MOST important component of a risk profile?
A. Risk management framework
B. Data classification results
C. Penetration test results
D. Risk assessment methodology
View answer
Correct Answer: A
Question #154
Which of the following is MOST important when establishing a successful information security governance framework?
A. Selecting information security steering committee members
B. Developing an information security strategy
C. Determining balanced scorecard metrics for information security
D. Identifying information security risk scenarios
View answer
Correct Answer: B
Question #155
What is the MOST important reason for conducting security awareness programs throughout an organization?
A. Reducing the human risk
B. Maintaining evidence of training records to ensure compliance
C. Informing business units about the security strategy
D. Training personnel in security incident response
View answer
Correct Answer: A
Question #156
Which of the following would be MOST effective in preventing malware from being launched through an email attachment?
A. Up-to-date security policies
B. Placing the e-mail server on a screened subnet
C. Security awareness training
D. A network intrusion detection system (NIDS)
View answer
Correct Answer: C
Question #157
Which of the following is MOST likely to be discretionary?
A. Policies
B. Procedures
C. Guidelines
D. Standards
View answer
Correct Answer: C
Question #158
After an information security business case has been approved by senior management, it should be:
A. used to design functional requirements for the solution
B. used as the foundation for a risk assessment
C. referenced to build architectural blueprints for the solution
D. reviewed at key intervals to ensure intended outcomes
View answer
Correct Answer: D
Question #159
In a well-controlled environment, which of the following activities is MOST likely to lead to the introduction of weaknesses in security software?
A. Applying patches
B. Changing access rules
C. Upgrading hardware
D. Backing up files
View answer
Correct Answer: B
Question #160
Which of the following is the MOST effective method to prevent a SQL injection in an employee portal?
A. Reconfigure the database schema
B. Enforce referential integrity on the database
C. Conduct code reviews
D. Conduct network penetration testing
View answer
Correct Answer: B
Question #161
Which of the following BEST demonstrates that an organization supports information security governance?
A. Employees attend annual organization-wide security training
B. Information security policies are readily available to employees
C. The incident response plan is documented and tested regularly
D. Information security steering committee meetings are held regularly
View answer
Correct Answer: D
Question #162
In the absence of technical controls, what would be the BEST way to reduce unauthorized text messaging on company-supplied mobile devices?
A. Conduct a business impact analysis (BIA) and provide the report to management
B. Update the corporate mobile usage policy to prohibit texting
C. Stop providing mobile devices until the organization is able to implement controls
D. Include the topic of prohibited texting in security awareness training
View answer
Correct Answer: D
Question #163
An information security manager at a global organization has to ensure that the local information security program will initially ensure compliance with the:
A. corporate data privacy policy
B. data privacy policy where data are collected
C. data privacy policy of the headquarters' country
D. data privacy directive applicable globally
View answer
Correct Answer: B
Question #164
What is the PRIMARY benefit to executive management when audit, risk, and security functions are aligned?
A. Reduced number of assurance reports
B. More effective decision making
C. More timely risk reporting
D. More efficient incident handling
View answer
Correct Answer: B
Question #165
Ongoing tracking of remediation efforts to mitigate identified risks can BEST be accomplished through the use of which of the following?
A. Tree diagrams
B. Venn diagrams
C. Heat charts
D. Bar charts
View answer
Correct Answer: C
Question #166
Which of the following is the MOST appropriate frequency for updating antivirus signature files for antivirus software on production servers?
A. Daily
B. Weekly
C. Concurrently with O/S patch updates
D. During scheduled change control updates
View answer
Correct Answer: A
Question #167
Which of the following will BEST protect an organization from internal security attacks?
A. Static IP addressing
B. Internal address translation
C. Prospective employee background checks
D. Employee awareness certification program
View answer
Correct Answer: C
Question #168
Which of the following are the essential ingredients of a business impact analysis (BIA)?
A. Downtime tolerance, resources and criticality
B. Cost of business outages in a year as a factor of the security budget
C. Business continuity testing methodology being deployed
D. Structure of the crisis management team
View answer
Correct Answer: A
Question #169
At what stage of the applications development process would encryption key management initially be addressed?
A. Requirements development
B. Deployment
C. Systems testing
D. Code reviews
View answer
Correct Answer: A
Question #170
When considering whether to adopt bring your own device (BYOD), it is MOST important for the information security manager to ensure that:
A. business leaders have an understanding of security risks
B. users have read and signed acceptable use agreements
C. security controls are applied to each device when joining the network
D. the applications are tested prior to implementation
View answer
Correct Answer: A
Question #171
The MOST appropriate owner of customer data stored in a central database, used only by an organization's sales department, would be the:
A. sales department
B. database administrator
C. chief information officer (CIO)
D. head of the sales department
View answer
Correct Answer: D
Question #172
Which of the following would be of GREATEST importance to the security manager in determining whether to accept residual risk?
A. Historical cost of the asset
B. Acceptable level of potential business impacts
C. Cost versus benefit of additional mitigating controls
D. Annualized loss expectancy (ALE)
View answer
Correct Answer: C
Question #173
Which of the following is the BEST metric for evaluating the effectiveness of security awareness training? The number of:
A. password resets
B. reported incidents
C. incidents resolved
D. access rule violations
View answer
Correct Answer: B
Question #174
The MOST useful way to describe the objectives in the information security strategy is through:
A. attributes and characteristics of the 'desired state'
B. overall control objectives of the security program
C. mapping the IT systems to key business processes
D. calculation of annual loss expectations
View answer
Correct Answer: A
Question #175
Which of the following is the MOST appropriate use of gap analysis?
A. Evaluating a business impact analysis (BIA)
B. Developing a balanced business scorecard
C. Demonstrating the relationship between controls
D. Measuring current state vs
View answer
Correct Answer: D
Question #176
To implement a security framework, an information security manager must FIRST develop:
A. security standards
B. security procedures
C. a security policy
D. security guidelines
View answer
Correct Answer: D
Question #177
An organization faces severe fines and penalties if not in compliance with local regulatory requirements by an established deadline. Senior management has asked the information security manager to prepare an action plan to achieve compliance. Which of the following would provide the MOST useful information for planning purposes?
A. Results from a gap analysis
B. Results from a business impact analysis
C. Deadlines and penalties for noncompliance
D. An inventory of security controls currently in place
View answer
Correct Answer: D
Question #178
Which of the following is the PRIMARY objective of reporting security metrics to stakeholders?
A. To identify key controls within the organization
B. To provide support for security audit activities
C. To communicate the effectiveness of the security program
D. To demonstrate alignment to the business strategy
View answer
Correct Answer: D
Question #179
Which of the following will BEST enable an effective information asset classification process?
A. Reviewing the recovery time objective (RTO) requirements of the asset
B. Analyzing audit findings
C. Including security requirements in the classification process
D. Assigning ownership
View answer
Correct Answer: C
Question #180
Which of the following attacks is BEST mitigated by utilizing strong passwords?
A. Man-in-the-middle attack
B. Brute force attack
C. Remote buffer overflow
D. Root kit
View answer
Correct Answer: B
Question #181
Which of the following BEST supports the alignment of information security with business functions?
A. Creation of a security steering committee
B. IT management support of security assessments
C. Business management participation in security penetration tests
D. A focus on technology security risk within business processes
View answer
Correct Answer: A
Question #182
For a business operating in a competitive and evolving online market, it is MOST important for a security policy to focus on:
A. defining policies for new technologies
B. enabling adoption of new technologies
C. requiring accreditation for new technologies
D. managing risks of new technologies
View answer
Correct Answer: D
Question #183
Which of the following features is normally missing when using Secure Sockets Layer (SSL) in a web browser?
A. Certificate-based authentication of web client
B. Certificate-based authentication of web server
C. Data confidentiality between client and web server
D. Multiple encryption algorithms
View answer
Correct Answer: A
Question #184
Phishing is BEST mitigated by which of the following?
A. Security monitoring software
B. Encryption
C. Two-factor authentication
D. User awareness
View answer
Correct Answer: D
Question #185
An outcome of effective security governance is:
A. business dependency assessment
B. strategic alignment
C. risk assessment
D. planning
View answer
Correct Answer: B
Question #186
The BEST time to ensure that a corporation acquires secure software products when outsourcing software development is during:
A. corporate security reviews
B. contract performance audits
C. contract negotiation
D. security policy development
View answer
Correct Answer: C
Question #187
When a user employs a client-side digital certificate to authenticate to a web server through Secure Socket Layer (SSL), confidentiality is MOST vulnerable to which of the following?
A. IP spoofing
B. Man-in-the-middle attack
C. Repudiation
D. Trojan
View answer
Correct Answer: D
Question #188
Which of the following is the MOST important consideration when designing information security architecture?
A. Risk management parameters for the organization are defined
B. The information security architecture is aligned with industry standards
C. The level of security supported is based on business decisions
D. The existing threat landscape is monitored
View answer
Correct Answer: C
Question #189
Which of the following BEST enables effective information security governance?
A. Periodic vulnerability assessments
B. Established information security metrics
C. Advanced security technologies
D. Security-aware corporate culture
View answer
Correct Answer: D
Question #190
A new version of an information security regulation is published that requires an organization’s compliance. The information security manager should FIRST:
A. perform an audit based on the new version of the regulation
B. conduct a risk assessment to determine the risk of noncompliance
C. conduct benchmarking against similar organizations
D. perform a gap analysis against the new regulation
View answer
Correct Answer: D
Question #191
Investment in security technology and processes should be based on:
A. clear alignment with the goals and objectives of the organization
B. success cases that have been experienced in previous projects
C. best business practices
D. safeguards that are inherent in existing technology
View answer
Correct Answer: A
Question #192
The PRIMARY reason for assigning classes of sensitivity and criticality to information resources is to provide a basis for:
A. determining the scope for inclusion in an information security program
B. defining the level of access controls
C. justifying costs for information resources
D. determining the overall budget of an information security program
View answer
Correct Answer: B
Question #193
Which of the following BEST contributes to the development of a security governance framework that supports the maturity model concept?
A. Continuous analysis, monitoring and feedback
B. Continuous monitoring of the return on security investment (ROSI)
C. Continuous risk reduction
D. Key risk indicator (KRI) setup to security management processes
View answer
Correct Answer: A
Question #194
An information security manager learns that the root password of an external FTP server may be subject to brute force attacks. Which of the following would be the MOST appropriate way to reduce the likelihood of a successful attack?
A. Block the source IP address of the attacker
B. Lock remote logon after multiple failed attempts
C. Disable access to the externally facing server
D. Install an intrusion detection system (IDS)
View answer
Correct Answer: B
Question #195
Which of the following is the MOST effective mitigation strategy to protect confidential information from insider threats?
A. Performing an entitlement review process
B. Implementing authentication mechanisms
C. Defining segregation of duties
D. Establishing authorization controls
View answer
Correct Answer: D
Question #196
What is the BEST way to ensure that an intruder who successfully penetrates a network will be detected before significant damage is inflicted?
A. Perform periodic penetration testing
B. Establish minimum security baselines
C. Implement vendor default settings
D. Install a honeypot on the network
View answer
Correct Answer: D
Question #197
Which of the following BEST validates that security controls are implemented in a new business process?
A. Assess the process according to information security policy
B. Benchmark the process against industry practices
C. Verify the use of a recognized control framework
D. Review the process for conformance with information security best practices
View answer
Correct Answer: A
Question #198
Within the confidentiality, integrity, and availability (CIA) triad, which of the following activities BEST supports the concept of integrity?
A. Enforcing service level agreements
B. Implementing a data classification schema
C. Ensuring encryption for data in transit
D. Utilizing a formal change management process
View answer
Correct Answer: D
Question #199
Which of the following is the BEST advantage of a centralized information security organizational structure?
A. It allows for a common level of assurance across the enterprise
B. It is easier to manage and control business unit security teams
C. It is more responsive to business unit needs
D. It provides a faster turnaround for security waiver requests
View answer
Correct Answer: B
Question #200
Which of the following is the MOST important information to include in an information security standard?
A. Creation date
B. Author name
C. Initial draft approval date
D. Last review date
View answer
Correct Answer: D
Question #201
Who can BEST approve plans to implement an information security governance framework?
A. Internal auditor
B. Information security management
C. Steering committee
D. Infrastructure management
View answer
Correct Answer: C
Question #202
The information classification scheme should:
A. consider possible impact of a security breach
B. classify personal information in electronic form
C. be performed by the information security manager
D. classify systems according to the data processed
View answer
Correct Answer: A
Question #203
Which of the following is the MOST effective way to communicate information security risk to senior management?
A. Business impact analysis
B. Balanced scorecard
C. Key performance indicators (KPIs)
D. Heat map
View answer
Correct Answer: A
Question #204
Which of the following is MOST useful to include in a report to senior management on a regular basis to demonstrate the effectiveness of the information security program?
A. Key risk indicators (KRIs)
B. Capability maturity models
C. Critical success factors (CSFs)
D. Key performance indicators (KPIs)
View answer
Correct Answer: A
Question #205
An awareness program is implemented to mitigate the risk of infections introduced through the use of social media. Which of the following will BEST determine the effectiveness of the awareness program?
A. A post-awareness program survey
B. A quiz based on the awareness program materials
C. A simulated social engineering attack
D. Employee attendance rate at the awareness program
View answer
Correct Answer: C
Question #206
Which of the following is the MOST effective way for an information security manager to ensure that security is incorporated into an organization’s project development processes?
A. Conduct security reviews during design, testing, and implementation
B. Integrate organization’s security requirements into project management
C. Develop good communications with the project management office
D. Participate in project initiation, approval, and funding
View answer
Correct Answer: A
Question #207
Which of the following is MOST critical to the successful implementation of information security within an organization?
A. The information security manager is responsible for setting information security policy
B. Strong risk management skills exist within the information security group
C. Budget is allocated for information security tools
D. Security is effectively marketed to all managers and employees
View answer
Correct Answer: D
Question #208
Which of the following should be the PRIMARY consideration when selecting a recovery site?
A. Regulatory requirements
B. Recovery time objective
C. Geographical location
D. Recovery point objective
View answer
Correct Answer: B
Question #209
On a company's e-commerce web site, a good legal statement regarding data privacy should include:
A. a statement regarding what the company will do with the information it collects
B. a disclaimer regarding the accuracy of information on its web site
C. technical information regarding how information is protected
D. a statement regarding where the information is being hosted
View answer
Correct Answer: A
Question #210
A good privacy statement should include:
A. notification of liability on accuracy of information
B. notification that information will be encrypted
C. what the company will do with information it collects
D. a description of the information classification process
View answer
Correct Answer: C
Question #211
Which of the following practices completely prevents a man-in-the-middle (MitM) attack between two hosts?
A. Use security tokens for authentication
B. Connect through an IPSec VPN
C. Use https with a server-side certificate
D. Enforce static media access control (MAC) addresses
View answer
Correct Answer: B
Question #212
In a large organization, defining recovery time objectives (RTOs) is PRIMARILY the responsibility of:
A. the IT manager
B. the information security manager
C. the business unit manager
D. senior manager
View answer
Correct Answer: D
Question #213
Application data integrity risk would be MOST directly addressed by a design that includes:
A. access control technologies such as role-based entitlements
B. strict application of an authorized data dictionary
C. application log requirements such as field-level audit trails and user activity logs
D. reconciliation routines such as checksums, hash totals, and record counts
View answer
Correct Answer: D
Question #214
Who is responsible for ensuring that information is classified?
A. Senior management
B. Security manager
C. Data owner
D. Custodian
View answer
Correct Answer: C
Question #215
Which of the following is the BEST way to sustain employee interest in information awareness in an organization?
A. Ensuring a common security awareness program for all staff
B. Relating security awareness programs to security policies
C. Ensuring all staff are involved
D. Using a variety of delivery methods
View answer
Correct Answer: D
Question #216
Temporarily deactivating some monitoring processes, even if supported by an acceptance of operational risk, may not be acceptable to the information security manager if:
A. it implies compliance risks
B. short-term impact cannot be determined
C. it violates industry security practices
D. changes in the roles matrix cannot be detected
View answer
Correct Answer: A
Question #217
The objective of risk management is to reduce risk to the minimum level that is:
A. compliant with security policies
B. practical given industry and regulatory environments
C. achievable from technical and financial perspectives
D. acceptable given the preference of the organization
View answer
Correct Answer: A
Question #218
Knowing which of the following is MOST important when the information security manager is seeking senior management commitment?
A. Security costs
B. Technical vulnerabilities
C. Security technology requirements
D. Implementation tasks
View answer
Correct Answer: C
Question #219
The MOST effective way to incorporate risk management practices into existing production systems is through:
A. policy development
B. change management
C. awareness training
D. regular monitoring
View answer
Correct Answer: B
Question #220
Mitigating technology risks to acceptable levels should be based PRIMARILY upon:
A. business process reengineering
B. business process requirement
C. legal and regulatory requirements
D. information security budget
View answer
Correct Answer: B
Question #221
The BEST way to identify the criticality of systems to the business is through:
A. a threat assessment
B. an asset classification
C. a vulnerability assessment
D. an impact assessment
View answer
Correct Answer: B
Question #222
Risk management is MOST cost-effective:
A. when performed on a continuous basis
B. while developing the business case for the security program
C. at the beginning of security program development
D. when integrated into other corporate assurance functions
View answer
Correct Answer: D
Question #223
When preparing a business case for the implementation of a security information and event management (SIEM) system, which of the following should be a PRIMARY driver in the feasibility study?
A. Cost of software
B. Cost-benefit analysis
C. Implementation timeframe
D. Industry benchmarks
View answer
Correct Answer: B
Question #224
Which of the following is the MOST effective method of preventing deliberate internal security breaches?
A. Screening prospective employees
B. Well-designed firewall system
C. Well-designed intrusion detection system (IDS)
D. Biometric security access control
View answer
Correct Answer: B
Question #225
The systems administrator did not immediately notify the security officer about a malicious attack. An information security manager could prevent this situation by:
A. periodically testing the incident response plans
B. regularly testing the intrusion detection system (IDS)
C. establishing mandatory training of all personnel
D. periodically reviewing incident response procedures
View answer
Correct Answer: A
Question #226
Which of the following is the MOST effective defense against spear phishing attacks?
A. Unified threat management
B. Web filtering
C. Anti-spam solutions
D. User awareness training
View answer
Correct Answer: D
Question #227
Which of the following is the PRIMARY responsibility of an information security manager in an organization that is implementing the use of company-owned mobile devices in its operations?
A. Require remote wipe capabilities for devices
B. Enforce passwords and data encryption on the devices
C. Conduct security awareness training
D. Review and update existing security policies
View answer
Correct Answer: D
Question #228
When personal information is transmitted across networks, there MUST be adequate controls over:
A. change management
B. privacy protection
C. consent to data transfer
D. encryption devices
View answer
Correct Answer: B
Question #229
Which of the following practices is BEST to remove system access for contractors and other temporary users when it is no longer required?
A. Log all account usage and send it to their manager
B. Establish predetermined automatic expiration dates
C. Require managers to e-mail security when the user leaves
D. Ensure each individual has signed a security acknowledgement
View answer
Correct Answer: B
Question #230
During a security assessment, an information security manager finds a number of security patches were not installed on a server hosting a critical business application. The application owner did not approve the patch installation to avoid interrupting the application. Which of the following should be the information security manager's FIRST course of action?
A. Escalate the risk to senior management
B. Communicate the potential impact to the application owner
C. Report the risk to the information security steering committee
D. Determine mitigation options with IT management
View answer
Correct Answer: D
Question #231
An organization with a large number of users finds it necessary to improve access control applications. Which of the following would BEST help to prevent unauthorized user access to networks and applications?
A. Single sign-on
B. Biometric systems
C. Complex user passwords
D. Access control lists
View answer
Correct Answer: D
Question #232
The PRIMARY purpose of vulnerability assessments is to:
A. determine the impact of potential threats
B. test intrusion detection systems (IDS) and response procedures
C. provide clear evidence that the system is sufficiently secure
D. detect deficiencies that could lead to a system compromise
View answer
Correct Answer: D
Question #233
When developing an information security program, what is the MOST useful source of information for determining available resources?
A. Proficiency test
B. Job descriptions
C. Organization chart
D. Skills inventory
View answer
Correct Answer: D
Question #234
For an organization with operations in different parts of the world, the BEST approach for ensuring that security policies do not conflict with local laws and regulations is to:
A. refer to an external global standard to avoid any regional conflict
B. make policies at a sufficiently high level, so they are globally applicable
C. adopt uniform policies
D. establish a hierarchy of global and local policies
View answer
Correct Answer: D
Question #235
Once a suite of security controls has been successfully implemented for an organization's business units, it is MOST important for the information security manager to:
A. ensure the controls are regularly tested for ongoing effectiveness
B. hand over the controls to the relevant business owners
C. prepare to adapt the controls for future system upgrades
D. perform testing to compare control performance against industry levels
View answer
Correct Answer: A
Question #236
The GREATEST benefit of choosing a private cloud over a public cloud would be:
A. server protection
B. collection of data forensics
C. online service availability
D. containment of customer data
View answer
Correct Answer: A
Question #237
The PRIMARY purpose of using risk analysis within a security program is to:
A. justify the security expenditure
B. help businesses prioritize the assets to be protected
C. inform executive management of residual risk value
D. assess exposures and plan remediation
View answer
Correct Answer: D
Question #238
Several significant risks have been identified after a centralized risk register was compiled and prioritized. The information security manager’s most important action is to:
A. provide senior management with risk treatment options
B. design and implement controls to reduce the risk
C. consult external third parties on how to treat the risk
D. ensure that employees are aware of the risk
View answer
Correct Answer: A
Question #239
Which of the following is MOST important to include when developing a business case for information security resources?
A. Senior management input
B. Gap analysis
C. Cost-benefit analysis
D. Risk assessment
View answer
Correct Answer: C
Question #240
Which of the following should be determined while defining risk management strategies?
A. Risk assessment criteria
B. Organizational objectives and risk appetite
C. IT architecture complexity
D. Enterprise disaster recovery plans
View answer
Correct Answer: B
Question #241
Identification and prioritization of business risk enables project managers to:
A. establish implementation milestones
B. reduce the overall amount of slack time
C. address areas with most significance
D. accelerate completion of critical paths
View answer
Correct Answer: C
Question #242
Organization A offers e-commerce services and uses secure transport protocol to protect Internet communication. To confirm communication with Organization A, which of the following would be the BEST for a client to verify?
A. The certificate of the e-commerce server
B. The browser’s indication of SSL use
C. The IP address of the e-commerce server
D. The URL of the e-commerce server
View answer
Correct Answer: A
Question #243
An information security strategy document that includes specific links to an organization's business activities is PRIMARILY an indicator of:
A. performance measurement
B. integration
C. alignment
D. value delivery
View answer
Correct Answer: C
Question #244
Several identified risks have been mitigated to an acceptable level with appropriate controls. Which of the following activities would BEST help to maintain acceptable risk levels?
A. Frequent assessments of inherent risks
B. Periodic reviews of changes to the environment
C. Periodic cost-benefit analyses of the implemented controls
D. Frequent assessments of risk action plans
View answer
Correct Answer: A
Question #245
In a resource-restricted security program, which of the following approaches will provide the BEST use of the limited resources?
A. Cross-training
B. Risk avoidance
C. Risk prioritization
D. Threat management
View answer
Correct Answer: C
Question #246
An information security risk analysis BEST assists an organization in ensuring that:
A. The infrastructure has the appropriate level of access control
B. Cost-effective decisions are made with regard to which assets need protection
C. An appropriate level of funding is applied to security processes
D. The organization implements appropriate security technologies
View answer
Correct Answer: B
Question #247
Authorization can BEST be accomplished by establishing:
A. the ownership of the data
B. what users can do when they are granted system access
C. whether users are who they say they are
D. how users identify themselves to information systems
View answer
Correct Answer: B
Question #248
What should the information security manager do FIRST when end users express that new security controls are too restrictive?
A. Conduct a business impact analysis (BIA)
B. Obtain process owner buy-in to remove the controls
C. Perform a risk assessment on modifying the control environment
D. Perform a cost-benefit analysis on modifying the control environment
View answer
Correct Answer: C
Question #249
Which of the following would be the MOST relevant factor when defining the information classification policy?
A. Quantity of information
B. Available IT infrastructure
C. Benchmarking
D. Requirements of data owners
View answer
Correct Answer: D
Question #250
The MOST effective way to communicate the level of impact of information security risks on organizational objectives is to present:
A. business impact analysis (BIA) results
B. detailed threat analysis results
C. risk treatment options
D. a risk heat map
View answer
Correct Answer: D
Question #251
Which of the following should provide the PRIMARY justification to approve the implementation of a disaster recovery (DR) site on the recommendation of an external audit report?
A. Cost-benefit analysis
B. Recovery time objectives (RTOs)
C. Security controls at the DR site
D. Regulatory requirements
View answer
Correct Answer: A
Question #252
Which of the following is the MOST important item to include when developing web hosting agreements with third-party providers?
A. Termination conditions
B. Liability limits
C. Service levels
D. Privacy restrictions
View answer
Correct Answer: C
Question #253
The MAIN reason why asset classification is important to a successful information security program is because classification determines:
A. the priority and extent of risk mitigation efforts
B. the amount of insurance needed in case of loss
C. the appropriate level of protection to the asset
D. how protection levels compare to peer organizations
View answer
Correct Answer: C
Question #254
An organization wants to integrate information security into its human resource management processes. Which of the following should be the FIRST step?
A. Evaluate the cost of information security integration
B. Assess the business objectives of the processes
C. Identify information security risk associated with the processes
D. Benchmark the processes with best practice to identify gaps
View answer
Correct Answer: B
Question #255
Which of the following steps should be performed FIRST in the risk assessment process?
A. Staff interviews
B. Threat identification
C. Asset identification and valuation
D. Determination of the likelihood of identified risks
View answer
Correct Answer: C
Question #256
Which of the following would BEST enable an organization to effectively monitor the implementation of standardized configurations?
A. Implement a separate change tracking system to record changes to configurations
B. Perform periodic audits to detect non-compliant configurations
C. Develop policies requiring use of the established benchmarks
D. Implement automated scanning against the established benchmarks
View answer
Correct Answer: D
Question #257
Information security managers should use risk assessment techniques to:
A. justify selection of risk mitigation strategies
B. maximize the return on investment (ROI)
C. provide documentation for auditors and regulators
D. quantify risks that would otherwise be subjective
View answer
Correct Answer: A
Question #258
The recovery point objective (RPO) requires which of the following?
A. Disaster declaration
B. Before-image restoration
C. System restoration
D. After-image processing
View answer
Correct Answer: B
Question #259
A security manager is preparing a report to obtain the commitment of executive management to a security program. Inclusion of which of the following would be of MOST value?
A. Examples of genuine incidents at similar organizations
B. Statement of generally accepted best practices
C. Associating realistic threats to corporate objectives
D. Analysis of current technological exposures
View answer
Correct Answer: C
Question #260
Information security should be:
A. focused on eliminating all risks
B. a balance between technical and business requirements
C. driven by regulatory requirements
D. defined by the board of directors
View answer
Correct Answer: B
Question #261
Which of the following would be the BEST option to improve accountability for a system administrator who has security functions?
A. Include security responsibilities in the job description
B. Require the administrator to obtain security certification
C. Train the system administrator on penetration testing and vulnerability assessment
D. Train the system administrator on risk assessment
View answer
Correct Answer: A
Question #262
The decision on whether new risks should fall under periodic or event-driven reporting should be based on which of the following?
A. Mitigating controls
B. Visibility of impact
C. Likelihood of occurrence
D. Incident frequency
View answer
Correct Answer: B
Question #263
Which of the following should be the PRIMARY basis for an information security strategy?
A. The organization’s vision and mission
B. Information security policies
C. Results of a comprehensive gap analysis
D. Audit and regulatory requirements
View answer
Correct Answer: A
Question #264
In addition to business alignment and security ownership, which of the following is MOST critical for information security governance?
A. Auditability of systems
B. Compliance with policies
C. Reporting of security metrics
D. Executive sponsorship
View answer
Correct Answer: A
Question #265
Which of the following is the BEST approach for encouraging business units to assume their roles and responsibilities in an information security program?
A. Perform a risk assessment
B. Conduct an awareness program
C. Conduct a security audit
D. Develop controls and countermeasures
View answer
Correct Answer: B
Question #266
Which of the following is the MOST important reason for performing a risk analysis?
A. Assigning the appropriate level of protection
B. Identifying critical information assets
C. Identifying and eliminating threats
D. Promoting increased security awareness in the organization
View answer
Correct Answer: A
Question #267
Which of the following activities should take place FIRST when a security patch for Internet software is received from a vendor?
A. The patch should be validated using a hash algorithm
B. The patch should be applied to critical systems
C. The patch should be deployed quickly to systems that are vulnerable
D. The patch should be evaluated in a testing environment
View answer
Correct Answer: A
Question #268
Which of the following is the BEST method to securely transfer a message?
A. Password-protected removable media
B. Facsimile transmission in a secured room
C. Using public key infrastructure (PKI) encryption
D. Steganography
View answer
Correct Answer: C
Question #269
Risk management programs are designed to reduce risk to:
A. a level that is too small to be measurable
B. the point at which the benefit exceeds the expense
C. a level that the organization is willing to accept
D. a rate of return that equals the current cost of capital
View answer
Correct Answer: C
Question #270
Which of the following is the MOST important consideration when securing customer credit card data acquired by a point-of-sale (POS) cash register?
A. Authentication
B. Hardening
C. Encryption
D. Nonrepudiation
View answer
Correct Answer: C
Question #271
Which of the following BEST demonstrates alignment between information security governance and corporate governance?
A. Average number of security incidents across business units
B. Security project justifications provided in terms of business value
C. Number of vulnerabilities identified for high-risk information assets
D. Mean time to resolution for enterprise-wide security incidents
View answer
Correct Answer: B
Question #272
Which of the following is the MOST effective type of access control?
A. Centralized
B. Role-based
C. Decentralized
D. Discretionary
View answer
Correct Answer: B
Question #273
Which of the following is the BEST approach to make strategic information security decisions?
A. Establish an information security steering committee
B. Establish periodic senior management meetings
C. Establish regular information security status reporting
D. Establish business unit security working groups
View answer
Correct Answer: D
Question #274
To justify the need to invest in a forensic analysis tool, an information security manager should FIRST:
A. review the functionalities and implementation requirements of the solution
B. review comparison reports of tool implementation in peer companies
C. provide examples of situations where such a tool would be useful
D. substantiate the investment in meeting organizational needs
View answer
Correct Answer: D
Question #275
In a multinational organization, local security regulations should be implemented over global security policy because:
A. deploying awareness of local regulations is more practical than of global policy
B. global security policies include unnecessary controls for local businesses
C. business objectives are defined by local business unit managers
D. requirements of local regulations take precedence
View answer
Correct Answer: D
Question #276
Which of the following would BEST enable an information security manager to identify the risk associated with cloud-based solutions?
A. Assessing the solutions against the organization's security policies
B. Reviewing vendor adherence to service level agreements (SLAs)
C. Reviewing third-party audits of cloud service providers
D. Benchmarking with peer organizations using cloud solutions
View answer
Correct Answer: C
Question #277
Data owners are PRIMARILY responsible for establishing risk mitigation methods to address which of the following areas?
A. Platform security
B. Entitlement changes
C. Intrusion detection
D. Antivirus controls
View answer
Correct Answer: B
Question #278
Which of the following MOST commonly falls within the scope of an information security governance steering committee?
A. Interviewing candidates for information security specialist positions
B. Developing content for security awareness programs
C. Prioritizing information security initiatives
D. Approving access to critical financial systems
View answer
Correct Answer: C
Question #279
The MAIN goal of an information security strategic plan is to:
A. develop a risk assessment plan
B. develop a data protection plan
C. protect information assets and resources
D. establish security governance
View answer
Correct Answer: C
Question #280
The BEST way to establish a recovery time objective (RTO) that balances cost with a realistic recovery time frame is to:
A. perform a business impact analysis (BIA)
B. determine daily downtime cost
C. analyze cost metrics
D. conduct a risk assessment
View answer
Correct Answer: A
Question #281
The MOST basic requirement for an information security governance program is to:
A. be aligned with the corporate business strategy
B. be based on a sound risk management approach
C. provide adequate regulatory compliance
D. provide best practices for security initiatives
View answer
Correct Answer: A
Question #282
Risk identification, analysis, and mitigation activities can BEST be integrated into business life cycle processes by linking them to:
A. compliance testing
B. configuration management
C. continuity planning
D. change management
View answer
Correct Answer: D
Question #283
Which of the following is MOST important to consider when developing a business case to support the investment in an information security program?
A. Senior management support
B. Results of a cost-benefit analysis
C. Results of a risk assessment
D. Impact on the risk profile
View answer
Correct Answer: D
Question #284
Which of the following is the MOST effective solution for preventing individuals external to the organization from modifying sensitive information on a corporate database?
A. Screened subnets
B. Information classification policies and procedures
C. Role-based access controls
D. Intrusion detection system (IDS)
View answer
Correct Answer: A
Question #285
A validated patch to address a new vulnerability that may affect a mission-critical server has been released. What should be done immediately?
A. Add mitigating controls
B. Check the server’s security and install the patch
C. Conduct an impact analysis
D. Take the server off-line and install the patch
View answer
Correct Answer: C
Question #286
Which of the following is the BEST reason to perform a business impact analysis (BIA)?
A. To help determine the current state of risk
B. To budget appropriately for needed controls
C. To satisfy regulatory requirements
D. To analyze the effect on the business
View answer
Correct Answer: A
Question #287
To help users apply appropriate controls related to data privacy regulation, what is MOST important to communicate to the users?
A. Features of data protection products
B. Data storage procedures
C. Results of penetration testing
D. Data classification policy
View answer
Correct Answer: D
Question #288
When an organization is implementing an information security governance program, its board of directors should be responsible for:
A. drafting information security policies
B. reviewing training and awareness programs
C. setting the strategic direction of the program
D. auditing for compliance
View answer
Correct Answer: C
Question #289
Which of the following is the MOST appropriate course of action when the risk occurrence rate is low but the impact is high?
A. Risk transfer
B. Risk acceptance
C. Risk mitigation
D. Risk avoidance
View answer
Correct Answer: A
Question #290
When considering the value of assets, which of the following would give the information security manager the MOST objective basis for measurement of value delivery in information security governance?
A. Number of controls
B. Cost of achieving control objectives
C. Effectiveness of controls
D. Test results of controls
View answer
Correct Answer: B
Question #291
A multinational organization operating in fifteen countries is considering implementing an information security program. Which factor will MOST influence the design of the information security program?
A. Representation by regional business leaders
B. Composition of the board
C. Cultures of the different countries
D. IT security skills
View answer
Correct Answer: C
Question #292
An organization has purchased a security information and event management (SIEM) tool. Which of the following is MOST important to consider before implementation?
A. Controls to be monitored
B. Reporting capabilities
C. The contract with the SIEM vendor
D. Available technical support
View answer
Correct Answer: A
Question #293
Which of the following needs to be established between an IT service provider and its clients to BEST enable adequate continuity of service in preparation for an outage?
A. Data retention policies
B. Server maintenance plans
C. Recovery time objectives
D. Reciprocal site agreement
View answer
Correct Answer: C
Question #294
The BEST way to determine if an anomaly-based intrusion detection system (IDS) is properly installed is to:
A. simulate an attack and review IDS performance
B. use a honeypot to check for unusual activity
C. audit the configuration of the IDS
D. benchmark the IDS against a peer site
View answer
Correct Answer: A
Question #295
Which of the following factors is a PRIMARY driver for information security governance that does not require any further justification?
A. Alignment with industry best practices
B. Business continuity investment
C. Business benefits
D. Regulatory compliance
View answer
Correct Answer: D
Question #296
Which of the following BEST describes an information security manager's role in a multidisciplinary team that will address a new regulatory requirement regarding operational risk?
A. Ensure that all IT risks are identified
B. Evaluate the impact of information security risks
C. Demonstrate that IT mitigating controls are in place
D. Suggest new IT controls to mitigate operational risk
View answer
Correct Answer: B
Question #297
Within a security governance framework, which of the following is the MOST important characteristic of the information security committee? The committee:
A. conducts frequent reviews of the security policy
B. has established relationships with external professionals
C. has a clearly defined charter and meeting protocols
D. includes a mix of members from all levels of management
View answer
Correct Answer: D
Question #298
When developing a protection strategy for outsourcing applications, the information security manager MUST ensure that:
A. escrow agreements are in place
B. the security requirements are included in the service level agreement (SLA)
C. the responsibility for security is transferred in the service level agreement (SLA)
D. nondisclosure clauses are in the contract
View answer
Correct Answer: B
Question #299
What is the MOST important consideration when establishing metrics for reporting to the information security strategy committee?
A. Agreeing on baseline values for the metrics
B. Developing a dashboard for communicating the metrics
C. Providing real-time insight on the security posture of the organization
D. Benchmarking the expected value of the metrics against industry standards
View answer
Correct Answer: A
Question #300
An organization engages a third-party vendor to monitor and support a financial application under scrutiny by regulators. Maintaining strict data integrity and confidentiality for this application is critical to the business. Which of the following controls would MOST effectively manage risk to the organization?
A. Implementing segregation of duties between systems and data
B. Activating access and data logging
C. Disabling vendor access and only re-enabling when access is needed
D. Implementing periodic access reviews of vendor employees
View answer
Correct Answer: B
Question #301
The PRIMARY objective of a risk management program is to:
A. minimize inherent risk
B. eliminate business risk
C. implement effective controls
D. minimize residual risk
View answer
Correct Answer: D
Question #302
After a risk assessment, it is determined that the cost to mitigate the risk is much greater than the benefit to be derived. The information security manager should recommend to business management that the risk be:
A. transferred
B. treated
C. accepted
D. terminated
View answer
Correct Answer: C
Question #303
Which of the following should an information security manager do FIRST when a legacy application is not compliant with a regulatory requirement, but the business unit does not have the budget for remediation?
A. Develop a business case for funding remediation efforts
B. Advise senior management to accept the risk of noncompliance
C. Notify legal and internal audit of the noncompliant legacy application
D. Assess the consequences of noncompliance against the cost of remediation
View answer
Correct Answer: D
Question #304
Key systems necessary for branch operations reside at corporate headquarters. Branch A is negotiating with a third party to provide disaster recovery facilities. Which of the following contract terms would be the MOST significant concern?
A. The hot site for the branch may have to be shared
B. Connectivity is not provided from the hot site to corporate headquarters
C. Penalty clauses for nonperformance are not included in the contract
D. The right to audit the hot site is not provided in the contract
View answer
Correct Answer: B
Question #305
Which of the following would be the MOST important factor to be considered in the loss of mobile equipment with unencrypted data?
A. Disclosure of personal information
B. Sufficient coverage of the insurance policy for accidental losses
C. Intrinsic value of the data stored on the equipment
D. Replacement cost of the equipment
View answer
Correct Answer: C
Question #306
Which of the following is a benefit of information security governance?
A. Reduction of the potential for civil or legal liability
B. Questioning trust in vendor relationships
C. Increasing the risk of decisions based on incomplete management information
D. Direct involvement of senior management in developing control processes
View answer
Correct Answer: A
Question #307
Which of the following is the MOST important step in risk ranking?
A. Impact assessment
B. Mitigation cost
C. Threat assessment
D. Vulnerability analysis
View answer
Correct Answer: A
Question #308
A business unit intends to deploy a new technology in a manner that places it in violation of existing information security standards. What immediate action should an information security manager take?
A. Enforce the existing security standard
B. Change the standard to permit the deployment
C. Perform a risk analysis to quantify the risk
D. Perform research to propose use of a better technology
View answer
Correct Answer: C
Question #309
When making an outsourcing decision, which of the following functions is MOST important to retain within the organization?
A. Security management
B. Incident response
C. Risk assessment
D. Security governance
View answer
Correct Answer: D
Question #310
When selecting metrics to monitor the risks associated with an information security program, it is MOST important for an information security manager to:
A. leverage industry benchmarks
B. consider the organization's business strategy
C. identify the program's risk and compensating controls
D. consider the strategic objectives of the program
View answer
Correct Answer: B
Question #311
Which of the following is MOST effective in preventing the introduction of vulnerabilities that may disrupt the availability of a critical business application?
A. A patch management process
B. Change management controls
C. Logical access controls
D. Version control
View answer
Correct Answer: B
Question #312
When supporting an organization's privacy officer, which of the following is the information security manager's PRIMARY role regarding privacy requirements?
A. Monitoring the transfer of private data
B. Conducting privacy awareness programs
C. Ensuring appropriate controls are in place
D. Determining data classification
View answer
Correct Answer: C
Question #313
An organization’s marketing department wants to use an online collaboration service which is not in compliance with the information security policy. A risk assessment is performed, and risk acceptance is being pursued. Approval of risk acceptance should be provided by:
A. the information security manager
B. business senior management
C. the chief risk officer
D. the compliance officer
View answer
Correct Answer: B
Question #314
Which of the following is the MOST important factor when determining the frequency of information security reassessment?
A. Risk priority
B. Risk metrics
C. Audit findings
D. Mitigating controls
View answer
Correct Answer: B
Question #315
Which of the following is the MOST appropriate board-level activity for information security governance?
A. Establish security and continuity ownership
B. Develop “what-if” scenarios on incidents
C. Establish measures for security baselines
D. Include security in job-performance appraisals
View answer
Correct Answer: A
Question #316
An organization's recent risk assessment has identified many areas of security risk, and senior management has asked for a five-minute overview of the assessment results. Which of the following is the information security manager's BEST option for presenting this information?
A. Risk register
B. Risk heat map
C. Spider diagram
D. Balanced scorecard
View answer
Correct Answer: B
Question #317
Which of the following is the BEST evidence that an organization's information security governance framework is effective?
A. Threats to the organization have diminished
B. The risk register is reviewed annually
C. The framework focuses primarily on technical controls
D. The framework can adapt to organizational changes
View answer
Correct Answer: D
Question #318
To ensure adequate disaster-preparedness among IT infrastructure personnel, it is MOST important to:
A. have the most experienced personnel participate in recovery tests
B. include end-user personnel in each recovery test
C. assign personnel-specific duties in the recovery plan
D. periodically rotate recovery-test participants
View answer
Correct Answer: D
Question #319
After a risk assessment study, a bank with global operations decided to continue doing business in certain regions of the world where identity theft is rampant. The information security manager should encourage the business to:
A. increase its customer awareness efforts in those regions
B. implement monitoring techniques to detect and react to potential fraud
C. outsource credit card processing to a third party
D. make the customer liable for losses if they fail to follow the bank's advice
View answer
Correct Answer: B
Question #320
Which of the following BEST indicates senior management support for an information security program?
A. Detailed information security policies are established and regularly reviewed
B. The information security manager meets regularly with the lines of business
C. Key performance indicators (KPIs) are defined for the information security program
D. Risk assessments are conducted frequently by the information security team
View answer
Correct Answer: C
Question #321
Which of the following is MOST likely to reduce the effectiveness of a signature-based intrusion detection system (IDS)?
A. The activities being monitored deviate from what is considered normal
B. The information regarding monitored activities becomes stale
C. The pattern of normal behavior changes quickly and dramatically
D. The environment is complex
View answer
Correct Answer: B
Question #322
What is the BEST defense against a Structured Query Language (SQL) injection attack?
A. Regularly updated signature files
B. A properly configured firewall
C. An intrusion detection system
D. Strict controls on input fields
View answer
Correct Answer: D
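Question #322's answer is easy to misread as "filter dangerous characters". What "strict controls on input fields" actually buys you is shown below in an added example that is not part of the SPOTO page: the same login check written with string concatenation (the injectable form) and with a parameterised query, plus an allow-list validator on the field itself. The in-memory SQLite database, the users table, the two sample accounts and the injection payload are all constructed for the demonstration.

```python
"""Added example: SQL injection versus input controls (not from the original page).

The database, table, rows and payload below are constructed for illustration.
"""
import re
import sqlite3

# Classic tautology payload; constructed for the demo.
PAYLOAD = "' OR '1'='1"

# Allow-list for the username field: letters, digits, underscore, 1-32 chars.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> int:
    """Insecure pattern: untrusted input is concatenated into the statement.

    Returns the number of matching rows; a value > 0 would pass the login.
    With PAYLOAD in both fields the WHERE clause becomes
    username = '' OR '1'='1' AND password = '' OR '1'='1'
    which is true for every row.
    """
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()[0]


def login_parameterised(conn: sqlite3.Connection, username: str, password: str) -> int:
    """Hardened pattern: the driver binds the values as data.

    Quotes inside the input can never alter the structure of the statement,
    so the payload is compared literally against the column and matches nothing.
    """
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0]


def username_is_valid(username: str) -> bool:
    """Allow-list validation of the field itself.

    This is the second half of 'strict controls on input fields': it sits in
    front of the parameterised query as defence in depth and is the only thing
    that stops the same string reaching a later non-SQL sink (logs, HTML, a
    shell command) where the database driver cannot help.
    """
    return USERNAME_RE.fullmatch(username) is not None


def demo() -> dict:
    """Run the three checks against the constructed database."""
    conn = make_db()
    return {
        "vulnerable_with_payload": login_vulnerable(conn, PAYLOAD, PAYLOAD),
        "hardened_with_payload": login_parameterised(conn, PAYLOAD, PAYLOAD),
        "hardened_valid_user": login_parameterised(conn, "alice", "s3cret"),
        "payload_passes_validation": username_is_valid(PAYLOAD),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable function reports both rows as a match for the payload, the parameterised version reports none while still authenticating a genuine user, and the validator rejects the payload before it reaches any query. Neither a firewall, a signature file nor an IDS (the other three options) changes the statement the database executes; only the binding and the field validation do.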
Question #323
Which of the following is the BEST strategy to implement an effective operational security posture?
A. Threat management
B. Defense in depth
C. Increased security awareness
D. Vulnerability management
View answer
Correct Answer: B
Question #324
An organization has contracted with a third-party e-commerce provider. Which of the following is MOST important for the information security manager to examine during the subsequent compliance review period?
A. Changes to the provider's controls and infrastructure
B. Financial provisions and maintenance expenses
C. Adherence to the service level agreement
D. Right-to-audit provisions in the contract
View answer
Correct Answer: A
Question #325
The MAIN reason for having the Information Security Steering Committee review a new security controls implementation plan is to ensure that:
A. the plan aligns with the organization's business plan
B. departmental budgets are allocated appropriately to pay for the plan
C. regulatory oversight requirements are met
D. the impact of the plan on the business units is reduced
View answer
Correct Answer: A
Question #326
To justify its ongoing security budget, which of the following would be of MOST use to the information security department?
A. Security breach frequency
B. Annualized loss expectancy (ALE)
C. Cost-benefit analysis
D. Peer group comparison
View answer
Correct Answer: C
Question #327
The implementation of a capacity plan would prevent:
A. file system overload arising from distributed denial-of-service attacks
B. system downtime for scheduled security maintenance
C. software failures arising from exploitation of buffer capacity vulnerabilities
D. application failures arising from insufficient hardware resources
View answer
Correct Answer: D
Question #328
To gain a clear understanding of the impact that a new regulatory requirement will have on an organization’s information security controls, an information security manager should FIRST:
A. interview senior management
B. conduct a risk assessment
C. conduct a cost-benefit analysis
D. perform a gap analysis
View answer
Correct Answer: D
Question #329
An organization's information security processes are currently defined as ad hoc. In seeking to improve their performance level, the next step for the organization should be to:
A. ensure that security processes are consistent across the organization
B. enforce baseline security levels across the organization
C. ensure that security processes are fully documented
D. implement monitoring of key performance indicators for security processes
View answer
Correct Answer: A
Question #330
Senior management has decided to accept a significant risk within a security remediation plan. Which of the following is the information security manager's BEST course of action?
A. Remediate the risk and document the rationale
B. Update the risk register with the risk acceptance
C. Communicate the remediation plan to the board of directors
D. Report the risk acceptance to regulatory agencies
View answer
Correct Answer: B