Tuesday, April 19, 2016

CISMP Exam Engine

Powered by: testsnow.net

Questions 1. Evidence from a compromised server has to be acquired for a forensic investigation. What would be the BEST source?
A. A bit-level copy of all hard drive data
B. The last verified backup stored offsite
C. Data from volatile memory
D. Backup servers
-----

Questions 2. In the course of responding to an information security incident, the BEST way to treat evidence for possible legal action is defined by:
A. international standards.
B. local regulations.
C. generally accepted best practices.
D. organizational security policies.
-----

Questions 3. From an information security manager perspective, what is the immediate benefit of clearly defined roles and responsibilities?
A. Enhanced policy compliance
B. Improved procedure flows
C. Segregation of duties
D. Better accountability
-----

Questions 4. Emergency actions are taken at the early stage of a disaster with the purpose of preventing injuries or loss of life and:
A. determining the extent of property damage.
B. preserving environmental conditions.
C. ensuring orderly plan activation.
D. reducing the extent of operational damage.
-----

Questions 5. What is the FIRST action an information security manager should take when a company laptop is reported stolen?
A. Evaluate the impact of the information loss
B. Update the corporate laptop inventory
C. Ensure compliance with reporting procedures
D. Disable the user account immediately
-----

Questions 6. Which of the following actions should take place immediately after a security breach is reported to an information security manager?
A. Confirm the incident
B. Determine impact
C. Notify affected stakeholders
D. Isolate the incident
-----

Questions 7. When designing the technical solution for a disaster recovery site, the PRIMARY factor that should be taken into consideration is the:
A. services delivery objective.
B. recovery time objective (RTO).
C. recovery window.
D. maximum tolerable outage (MTO).
-----

Questions 8. In designing a backup strategy that will be consistent with a disaster recovery strategy, the PRIMARY factor to be taken into account will be the:
A. volume of sensitive data.
B. recovery point objective (RPO).
C. recovery time objective (RTO).
D. interruption window.
-----

Questions 9. An intrusion detection system (IDS) should:
A. run continuously
B. ignore anomalies
C. require a stable, rarely changed environment
D. be located on the network
-----

Questions 10. The PRIORITY action to be taken when a server is infected with a virus is to:
A. isolate the infected server(s) from the network.
B. identify all potential damage caused by the infection.
C. ensure that the virus database files are current.
D. establish security weaknesses in the firewall.
-----

Questions 11. Which of the following provides the BEST confirmation that the business continuity/disaster recovery plan objectives have been achieved?
A. The recovery time objective (RTO) was not exceeded during testing.
B. Objective testing of the business continuity/disaster recovery plan has been carried out consistently.
C. The recovery point objective (RPO) was proved inadequate by disaster recovery plan testing.
D. Information assets have been valued and assigned to owners per the business continuity plan, disaster recovery plan.
-----

Questions 12. An internal audit has identified major weaknesses over IT processing. Which of the following should an information security manager use to BEST convey a sense of urgency to management?
A. Security metrics reports
B. Risk assessment reports
C. Business impact analysis (BIA)
D. Return on security investment report
-----

Questions 13. Which of the following situations would be of MOST concern to a security manager?
A. Audit logs are not enabled on a production server
B. The logon ID for a terminated systems analyst still exists on the system
C. The help desk has received numerous reports of users receiving phishing e-mails
D. A Trojan was found to be installed on a system administrator's laptop
-----

Questions 14. A customer credit card database has been breached by hackers. The FIRST step in dealing with this attack should be to:
A. confirm the incident.
B. notify senior management.
C. start containment.
D. notify law enforcement.
-----

Questions 15. A rootkit was used to capture detailed accounts receivable information. To ensure admissibility of evidence from a legal standpoint, once the incident was identified and the server isolated, the next step should be to:
A. document how the attack occurred.
B. notify law enforcement.
C. take an image copy of the media.
D. close the accounts receivable system.
-----

Questions 16. When collecting evidence for forensic analysis, it is important to:
A. ensure the assignment of qualified personnel.
B. request the IT department do an image copy.
C. disconnect from the network and isolate the affected devices.
D. ensure law enforcement personnel are present before the forensic analysis commences.
-----

Questions 17. What is the BEST method for mitigating against network denial of service (DoS) attacks?
A. Ensure all servers are up-to-date on OS patches
B. Employ packet filtering to drop suspect packets
C. Implement network address translation to make internal addresses nonroutable
D. Implement load balancing for Internet facing devices
-----

Questions 18. To justify the establishment of an incident management team, an information security manager would find which of the following to be the MOST effective?
A. Assessment of business impact of past incidents
B. Need for an independent review of incident causes
C. Need for constant improvement on the security level
D. Possible business benefits from incident impact reduction
-----

Questions 19. A database was compromised by guessing the password for a shared administrative account and confidential customer information was stolen. The information security manager was able to detect this breach by analyzing which of the following?
A. Invalid logon attempts
B. Write access violations
C. Concurrent logons
D. Firewall logs
-----
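Questions 19 turns on which log signal gives away password guessing against a shared account: a burst of invalid logon attempts from one source followed, if a guess lands, by a successful logon from that same source. The block below is an added example written for this page, not part of the exam engine, that runs that detection logic over a constructed authentication log. The log format, host name, user names, addresses and the threshold of five failures inside five minutes are assumptions chosen for illustration; a real deployment would read the platform's own logon-failure events and tune the threshold to its baseline.

```python
"""Added example (not from the exam source): detection logic for password
guessing against a shared administrative account, run over a constructed
authentication log. Log format, hosts, users, addresses and thresholds are
assumptions for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. Six invalid logons for the shared account 'dbadmin'
# from one source, then a successful logon from the same source; 'alice'
# mistypes once and then succeeds, which should not raise an alert.
SAMPLE_LOG = """\
2016-04-19T02:14:01Z db01 auth: FAILED LOGIN user=dbadmin src=10.8.3.44
2016-04-19T02:14:03Z db01 auth: FAILED LOGIN user=dbadmin src=10.8.3.44
2016-04-19T02:14:05Z db01 auth: FAILED LOGIN user=dbadmin src=10.8.3.44
2016-04-19T02:14:09Z db01 auth: FAILED LOGIN user=dbadmin src=10.8.3.44
2016-04-19T02:14:15Z db01 auth: FAILED LOGIN user=dbadmin src=10.8.3.44
2016-04-19T02:14:22Z db01 auth: FAILED LOGIN user=dbadmin src=10.8.3.44
2016-04-19T02:14:40Z db01 auth: LOGIN OK user=dbadmin src=10.8.3.44
2016-04-19T02:15:02Z db01 kernel: eth0 link up
2016-04-19T09:00:12Z db01 auth: LOGIN OK user=alice src=10.1.2.7
2016-04-19T09:01:00Z db01 auth: FAILED LOGIN user=alice src=10.1.2.7
2016-04-19T09:01:07Z db01 auth: LOGIN OK user=alice src=10.1.2.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAILED LOGIN|LOGIN OK) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Turn matching auth lines into event dicts; unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "host": m["host"],
            "user": m["user"],
            "src": m["src"],
            "ok": m["result"] == "LOGIN OK",
        })
    return events


def detect_guessing(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window failure count per (user, source).

    Raises 'password-guessing' when `threshold` failures land inside `window`,
    and the higher-severity 'success-after-failures' when a successful logon
    follows such a burst, because the guess probably worked."""
    failures = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        q = failures[key]
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # drop failures that aged out of the window
        if not ev["ok"]:
            q.append(ev["ts"])
            if len(q) == threshold:  # alert once, when the burst crosses the line
                alerts.append({"type": "password-guessing", "user": ev["user"],
                               "src": ev["src"], "failures": len(q), "at": ev["ts"]})
        else:
            if len(q) >= threshold:
                alerts.append({"type": "success-after-failures", "user": ev["user"],
                               "src": ev["src"], "failures": len(q), "at": ev["ts"]})
            q.clear()  # a successful logon ends the streak
    return alerts


if __name__ == "__main__":
    for alert in detect_guessing(parse(SAMPLE_LOG)):
        print(alert)
```

The second alert type is the one that matters for the scenario in the question: a run of failures that ends in a success is the signature of a guessed password, and keying on (user, source) rather than user alone keeps a shared account's legitimate users from masking the attacker's source address.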

Questions 20. Which of the following is an example of a corrective control?
A. Diverting incoming traffic upon responding to the denial of service (DoS) attack
B. Filtering network traffic before entering an internal network from outside
C. Examining inbound network traffic for viruses
D. Logging inbound network traffic
-----

Questions 21. To determine how a security breach occurred on the corporate network, a security manager looks at the logs of various devices. Which of the following BEST facilitates the correlation and review of these logs?
A. Database server
B. Domain name server (DNS)
C. Time server
D. Proxy server
-----

Questions 22. An organization has been experiencing a number of network-based security attacks that all appear to originate internally. The BEST course of action is to:
A. require the use of strong passwords.
B. assign static IP addresses.
C. implement centralized logging software.
D. install an intrusion detection system (IDS).
-----

Questions 23. A serious vulnerability is reported in the firewall software used by an organization. Which of the following should be the immediate action of the information security manager?
A. Ensure that all OS patches are up-to-date
B. Block inbound traffic until a suitable solution is found
C. Obtain guidance from the firewall manufacturer
D. Commission a penetration test
-----

Questions 24. Reviewing which of the following would BEST ensure that security controls are effective?
A. Risk assessment policies
B. Return on security investment
C. Security metrics
D. User access rights
-----

Questions 25. An organization keeps backup tapes of its servers at a warm site. To ensure that the tapes are properly maintained and usable during a system crash, the MOST appropriate measure the organization should perform is to:
A. use the test equipment in the warm site facility to read the tapes.
B. retrieve the tapes from the warm site and test them.
C. have duplicate equipment available at the warm site.
D. inspect the facility and inventory the tapes on a quarterly basis.
-----

Questions 26. Which of the following processes is critical for deciding prioritization of actions in a business continuity plan?
A. Business impact analysis (BIA)
B. Risk assessment
C. Vulnerability assessment
D. Business process mapping
-----

Questions 27. In addition to backup data, which of the following is the MOST important to store offsite in the event of a disaster?
A. Copies of critical contracts and service level agreements (SLAs)
B. Copies of the business continuity plan
C. Key software escrow agreements for the purchased systems
D. List of emergency numbers of service providers
-----

Questions 28. An organization has learned of a security breach at another company that utilizes similar technology. The FIRST thing the information security manager should do is:
A. assess the likelihood of incidents from the reported cause.
B. discontinue the use of the vulnerable technology.
C. report to senior management that the organization is not affected.
D. remind staff that no similar security breaches have taken place.
-----

Questions 29. Which of the following is the MOST important consideration for an organization interacting with the media during a disaster?
A. Communicating specially drafted messages by an authorized person
B. Refusing to comment until recovery
C. Referring the media to the authorities
D. Reporting the losses and recovery strategy to the media
-----

Questions 30. During the security review of organizational servers it was found that a file server containing confidential human resources (HR) data was accessible to all user IDs. As a FIRST step, the security manager should:
A. copy sample files as evidence.
B. remove access privileges to the folder containing the data.
C. report this situation to the data owner.
D. train the HR team on properly controlling file permissions.
-----

Questions 31. If an organization considers taking legal action on a security incident, the information security manager should focus PRIMARILY on:
A. obtaining evidence as soon as possible.
B. preserving the integrity of the evidence.
C. disconnecting all IT equipment involved.
D. reconstructing the sequence of events.
-----

Questions 32. Which of the following has the highest priority when defining an emergency response plan?
A. Critical data
B. Critical infrastructure
C. Safety of personnel
D. Vital records
-----

Questions 33. The PRIMARY purpose of involving third-party teams for carrying out post event reviews of information security incidents is to:
A. enable independent and objective review of the root cause of the incidents.
B. obtain support for enhancing the expertise of the third-party teams.
C. identify lessons learned for further improving the information security management process.
D. obtain better buy-in for the information security program.
-----

Questions 34. The MOST important objective of a post incident review is to:
A. capture lessons learned to improve the process.
B. develop a process for continuous improvement.
C. develop a business case for the security program budget.
D. identify new incident management tools.
-----

Questions 35. Which of the following is responsible for legal and regulatory liability?
A. Chief security officer (CSO)
B. Chief legal counsel (CLC)
C. Board and senior management
D. Information security steering group
-----

Questions 36. Which of the following is the BEST mechanism to determine the effectiveness of the incident response process?
A. Incident response metrics
B. Periodic auditing of the incident response process
C. Action recording and review
D. Post incident review
-----

Questions 37. The FIRST step in an incident response plan is to:
A. notify the appropriate individuals.
B. contain the effects of the incident to limit damage.
C. develop response strategies for systematic attacks.
D. validate the incident.
-----

Questions 38. An organization has verified that its customer information was recently exposed. Which of the following is the FIRST step a security manager should take in this situation?
A. Inform senior management.
B. Determine the extent of the compromise.
C. Report the incident to the authorities.
D. Communicate with the affected customers.
-----

Questions 39. A possible breach of an organization's IT system is reported by the project manager. What is the FIRST thing the incident response manager should do?
A. Run a port scan on the system
B. Disable the logon ID
C. Investigate the system logs
D. Validate the incident
-----

Questions 40. The PRIMARY consideration when defining recovery time objectives (RTOs) for information assets is:
A. regulatory requirements.
B. business requirements.
C. financial value.
D. IT resource availability.
-----

Questions 41. What task should be performed once a security incident has been verified?
A. Identify the incident.
B. Contain the incident.
C. Determine the root cause of the incident.
D. Perform a vulnerability assessment.
-----

Questions 42. An information security manager believes that a network file server was compromised by a hacker. Which of the following should be the FIRST action taken?
A. Ensure that critical data on the server are backed up.
B. Shut down the compromised server.
C. Initiate the incident response process.
D. Shut down the network.
-----

Questions 43. An unauthorized user gained access to a merchant's database server and customer credit card information. Which of the following would be the FIRST step to preserve and protect evidence of the unauthorized intrusion activities?
A. Shut down and power off the server.
B. Duplicate the hard disk of the server immediately.
C. Isolate the server from the network.
D. Copy the database log file to a protected server.
-----

Questions 44. While implementing information security governance an organization should FIRST:
A. adopt security standards.
B. determine security baselines.
C. define the security strategy.
D. establish security policies.
-----

Questions 45. Which of the following would be a MAJOR consideration for an organization defining its business continuity plan (BCP) or disaster recovery program (DRP)?
A. Setting up a backup site
B. Maintaining redundant systems
C. Aligning with recovery time objectives (RTOs)
D. Data backup frequency
-----

Questions 46. Which of the following would be MOST appropriate for collecting and preserving evidence?
A. Encrypted hard drives
B. Generic audit software
C. Proven forensic processes
D. Log correlation software
-----

Questions 47. Of the following, which is the MOST important aspect of forensic investigations?
A. The independence of the investigator
B. Timely intervention
C. Identifying the perpetrator
D. Chain of custody
-----

Questions 48. In the course of examining a computer system for forensic evidence, data on the suspect media were inadvertently altered. Which of the following should have been the FIRST course of action in the investigative process?
A. Perform a backup of the suspect media to new media.
B. Perform a bit-by-bit image of the original media source onto new media.
C. Make a copy of all files that are relevant to the investigation.
D. Run an error-checking program on all logical drives to ensure that there are no disk errors.
-----

Questions 49. Which of the following recovery strategies has the GREATEST chance of failure?
A. Hot site
B. Redundant site
C. Reciprocal arrangement
D. Cold site
-----

Questions 50. Recovery point objectives (RPOs) can be used to determine which of the following?
A. Maximum tolerable period of data loss
B. Maximum tolerable downtime
C. Baseline for operational resiliency
D. Time to restore backups
-----

Questions 51. The MOST basic requirement for an information security governance program is to:
A. be aligned with the corporate business strategy.
B. be based on a sound risk management approach.
C. provide adequate regulatory compliance.
D. provide best practices for security initiatives.
-----

Questions 52. Which of the following disaster recovery testing techniques is the MOST cost-effective way to determine the effectiveness of the plan?
A. Preparedness tests
B. Paper tests
C. Full operational tests
D. Actual service disruption
-----

Questions 53. When electronically stored information is requested during a fraud investigation, which of the following should be the FIRST priority?
A. Assigning responsibility for acquiring the data
B. Locating the data and preserving the integrity of the data
C. Creating a forensically sound image
D. Issuing a litigation hold to all affected parties
-----

Questions 54. When creating a forensic image of a hard drive, which of the following should be the FIRST step?
A. Identify a recognized forensics software tool to create the image.
B. Establish a chain of custody log.
C. Connect the hard drive to a write blocker.
D. Generate a cryptographic hash of the hard drive contents.
-----
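Questions 1, 15, 48 and 54 all circle the same procedure: take a bit-level image of the media before anything else touches it, prove with a cryptographic hash that the image matches the original and that the original was not altered, and log every step and hand-off so the chain of custody survives a challenge in court. The block below is an added example written for this page, not part of the exam engine, that walks through that procedure on a constructed file standing in for the suspect drive. The function names, the examiner identifier and the log line format are assumptions. A read-only open stands in for the hardware write blocker the question asks about and does not replace it, and the example deliberately covers only non-volatile media: memory contents must be captured separately, before the host is powered down.

```python
"""Added example (not from the exam source): a minimal forensically sound
acquisition in Python. Hash the source media, take a bit-for-bit copy,
hash the copy, re-hash the source, and write every step to a
chain-of-custody log. The 'suspect drive' below is a constructed file."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so large media do not sit in memory


def sha256_of(path):
    """Hash a file opened strictly read-only (a software stand-in for a write blocker)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def custody_entry(log, examiner, action, detail):
    """Append one timestamped, attributable line to the chain-of-custody log."""
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    line = f"{stamp} | {examiner} | {action} | {detail}"
    log.append(line)
    return line


def acquire_image(source, image, examiner, log):
    """Bit-for-bit copy of `source` into `image`, verified by hash before and after."""
    custody_entry(log, examiner, "received", f"source={source}")
    before = sha256_of(source)
    custody_entry(log, examiner, "hash-source", f"sha256={before}")
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
    custody_entry(log, examiner, "imaged", f"image={image}")
    image_hash = sha256_of(image)
    after = sha256_of(source)  # proves the imaging step did not alter the original
    verified = before == image_hash == after
    custody_entry(log, examiner, "verified",
                  f"image_sha256={image_hash} match={verified}")
    return {"source_sha256_before": before, "source_sha256_after": after,
            "image_sha256": image_hash, "verified": verified}


def verify_image(image, expected_sha256):
    """Re-check an image against the hash recorded at acquisition (e.g. after transport)."""
    return sha256_of(image) == expected_sha256


def make_constructed_media(directory):
    """Constructed 3 MiB 'drive' with a recognisable marker string; not real evidence."""
    path = os.path.join(directory, "suspect.raw")
    with open(path, "wb") as f:
        f.write(bytes(range(256)) * (3 * 4096))
        f.write(b"ACCOUNTS_RECEIVABLE_EXPORT")
    return path


def demo():
    """Run the whole workflow in a temp directory; returns (result, custody_log, image_path)."""
    workdir = tempfile.mkdtemp(prefix="forensic-")
    source = make_constructed_media(workdir)
    image = os.path.join(workdir, "suspect.raw.dd")
    log = []
    result = acquire_image(source, image, "examiner-01", log)
    return result, log, image


if __name__ == "__main__":
    result, log, image = demo()
    print("\n".join(log))
    print("image verified:", result["verified"])
```

Analysis then happens on a copy of the verified image, never on the original media, and `verify_image` is rerun whenever the image changes hands so that each custody entry can point at a matching hash. That is the order the questions are testing: image first, hash it, and only then start looking at files.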

Questions 55. Information security policy enforcement is the responsibility of the:
A. security steering committee.
B. chief information officer (CIO).
C. chief information security officer (CISO).
D. chief compliance officer (CCO).
-----

Questions 56. A good privacy statement should include:
A. notification of liability on accuracy of information.
B. notification that information will be encrypted.
C. what the company will do with information it collects.
D. a description of the information classification process.
-----

Questions 57. Which of the following would be MOST effective in successfully implementing restrictive password policies?
A. Regular password audits
B. Single sign-on system
C. Security awareness program
D. Penalties for noncompliance
-----

Questions 58. When designing an information security quarterly report to management, the MOST important element to be considered should be the:
A. information security metrics.
B. knowledge required to analyze each issue.
C. linkage to business area objectives.
D. baseline against which metrics are evaluated.
-----

Questions 59. An information security manager at a global organization has to ensure that the local information security program will initially ensure compliance with the:
A. corporate data privacy policy.
B. data privacy policy where data are collected.
C. data privacy policy of the headquarters' country.
D. data privacy directive applicable globally.
-----

Questions 60. A new regulation for safeguarding information processed by a specific type of transaction has come to the attention of an information security officer. The officer should FIRST:
A. meet with stakeholders to decide how to comply.
B. analyze key risks in the compliance process.
C. assess whether existing controls meet the regulation.
D. update the existing security/privacy policy.
-----

Questions 61. The PRIMARY objective of a security steering group is to:
A. ensure information security covers all business functions.
B. ensure information security aligns with business goals.
C. raise information security awareness across the organization.
D. implement all decisions on security management across the organization.
-----

Questions 62. Data owners must provide a safe and secure environment to ensure confidentiality, integrity and availability of the transaction. This is an example of an information security:
A. baseline.
B. strategy.
C. procedure.
D. policy.
-----

Questions 63. At what stage of the applications development process should the security department initially become involved?
A. When requested
B. At testing
C. At programming
D. At detail requirements
-----

Questions 64. A security manager is preparing a report to obtain the commitment of executive management to a security program. Inclusion of which of the following would be of MOST value?
A. Examples of genuine incidents at similar organizations
B. Statement of generally accepted best practices
C. Associating realistic threats to corporate objectives
D. Analysis of current technological exposures
-----

Questions 65. The PRIMARY concern of an information security manager documenting a formal data retention policy would be:
A. generally accepted industry best practices.
B. business requirements.
C. legislative and regulatory requirements.
D. storage availability.
-----

Questions 66. When personal information is transmitted across networks, there MUST be adequate controls over:
A. change management.
B. privacy protection.
C. consent to data transfer.
D. encryption devices.
-----

Questions 67. An organization's information security processes are currently defined as ad hoc. In seeking to improve their performance level, the next step for the organization should be to:
A. ensure that security processes are consistent across the organization.
B. enforce baseline security levels across the organization.
C. ensure that security processes are fully documented.
D. implement monitoring of key performance indicators for security processes.
-----

Questions 68. Who in an organization has the responsibility for classifying information?
A. Data custodian
B. Database administrator
C. Information security officer
D. Data owner
-----

Questions 69. What is the PRIMARY role of the information security manager in the process of information classification within an organization?
A. Defining and ratifying the classification structure of information assets
B. Deciding the classification levels applied to the organization's information assets
C. Securing information assets in accordance with their classification
D. Checking if information assets have been classified properly
-----

Questions 70. Logging is an example of which type of defense against systems compromise?
A. Containment
B. Detection
C. Reaction
D. Recovery
-----

Questions 71. Which of the following is MOST important in developing a security strategy?
A. Creating a positive business security environment
B. Understanding key business objectives
C. Having a reporting line to senior management
D. Allocating sufficient resources to information security
-----

Questions 72. Who is ultimately responsible for the organization's information?
A. Data custodian
B. Chief information security officer (CISO)
C. Board of directors
D. Chief information officer (CIO)
-----

Questions 73. Which of the following factors is a PRIMARY driver for information security governance that does not require any further justification?
A. Alignment with industry best practices
B. Business continuity investment
C. Business benefits
D. Regulatory compliance
-----

Questions 74. A security manager meeting the requirements for the international flow of personal data will need to ensure:
A. a data processing agreement.
B. a data protection registration.
C. the agreement of the data subjects.
D. subject access procedures.
-----

Questions 75. An information security manager mapping a job description to types of data access is MOST likely to adhere to which of the following information security principles?
A. Ethics
B. Proportionality
C. Integration
D. Accountability
-----

Questions 76. Which of the following is the MOST important prerequisite for establishing information security management within an organization?
A. Senior management commitment
B. Information security framework
C. Information security organizational structure
D. Information security policy
-----

Questions 77. What will have the HIGHEST impact on standard information security governance models?
A. Number of employees
B. Distance between physical locations
C. Complexity of organizational structure
D. Organizational budget
-----

Questions 78. In order to highlight to management the importance of integrating information security in the business processes, a newly hired information security officer should FIRST:
A. prepare a security budget.
B. conduct a risk assessment.
C. develop an information security policy.
D. obtain benchmarking information.
-----

Questions 79. Temporarily deactivating some monitoring processes, even if supported by an acceptance of operational risk, may not be acceptable to the information security manager if:
A. it implies compliance risks.
B. short-term impact cannot be determined.
C. it violates industry security practices.
D. changes in the roles matrix cannot be detected.
-----

Questions 80. An outcome of effective security governance is:
A. business dependency assessment
B. strategic alignment.
C. risk assessment.
D. planning.
-----

Questions 81. How would an information security manager balance the potentially conflicting requirements of an international organization's security standards and local regulation?
A. Give organization standards preference over local regulations
B. Follow local regulations only
C. Make the organization aware of those standards where local regulations cause conflicts
D. Negotiate a local version of the organization standards
-----

Questions 82. Who should drive the risk analysis for an organization?
A. Senior management
B. Security manager
C. Quality manager
D. Legal department
-----

Questions 83. The FIRST step in developing an information security management program is to:
A. identify business risks that affect the organization.
B. clarify organizational purpose for creating the program.
C. assign responsibility for the program.
D. assess adequacy of controls to mitigate business risks.
-----

Questions 84. Which of the following is the MOST important to keep in mind when assessing the value of information?
A. The potential financial loss
B. The cost of recreating the information
C. The cost of insurance coverage
D. Regulatory requirement
-----

Questions 85. What would a security manager PRIMARILY utilize when proposing the implementation of a security solution?
A. Risk assessment report
B. Technical evaluation report
C. Business case
D. Budgetary requirements
-----

Questions 86. To justify its ongoing security budget, which of the following would be of MOST use to the information security department?
A. Security breach frequency
B. Annualized loss expectancy (ALE)
C. Cost-benefit analysis
D. Peer group comparison
-----

Questions 87. Which of the following situations would MOST inhibit the effective implementation of security governance?
A. The complexity of technology
B. Budgetary constraints
C. Conflicting business priorities
D. High-level sponsorship
-----

Questions 88. To achieve effective strategic alignment of security initiatives, it is important that:
A. Steering committee leadership be selected by rotation.
B. Inputs be obtained and consensus achieved between the major organizational units.
C. The business strategy be updated periodically.
D. Procedures and standards be approved by all departmental heads.
-----

Questions 89. What would be the MOST significant security risks when using wireless local area network (LAN) technology?
A. Man-in-the-middle attack
B. Spoofing of data packets
C. Rogue access point
D. Session hijacking
-----

Questions 90. When developing incident response procedures involving servers hosting critical applications, which of the following should be the FIRST to be notified?
A. Business management
B. Operations manager
C. Information security manager
D. System users
-----

Questions 91. In implementing information security governance, the information security manager is PRIMARILY responsible for:
A. developing the security strategy.
B. reviewing the security strategy.
C. communicating the security strategy.
D. approving the security strategy
-----

Questions 92. An information security strategy document that includes specific links to an organization's business activities is PRIMARILY an indicator of:
A. performance measurement.
B. integration.
C. alignment.
D. value delivery.
-----

Questions 93. When an organization is setting up a relationship with a third-party IT service provider, which of the following is one of the MOST important topics to include in the contract from a security standpoint?
A. Compliance with international security standards.
B. Use of a two-factor authentication system.
C. Existence of an alternate hot site in case of business disruption.
D. Compliance with the organization's information security requirements.
-----

Questions 94. To justify the need to invest in a forensic analysis tool, an information security manager should FIRST:
A. review the functionalities and implementation requirements of the solution.
B. review comparison reports of tool implementation in peer companies.
C. provide examples of situations where such a tool would be useful.
D. substantiate the investment in meeting organizational needs.
-----

Questions 95. The MOST useful way to describe the objectives in the information security strategy is through:
A. attributes and characteristics of the "desired state."
B. overall control objectives of the security program.
C. mapping the IT systems to key business processes.
D. calculation of annual loss expectations.
-----

Questions 96. In order to highlight to management the importance of network security, the security manager should FIRST:
A. develop a security architecture.
B. install a network intrusion detection system (NIDS) and prepare a list of attacks.
C. develop a network security policy.
D. conduct a risk assessment.
-----

Questions 97. When developing an information security program, what is the MOST useful source of information for determining available resources?
A. Proficiency test
B. Job descriptions
C. Organization chart
D. Skills inventory
-----

Questions 98. The MOST important characteristic of good security policies is that they:
A. state expectations of IT management.
B. state only one general security mandate.
C. are aligned with organizational goals.
D. govern the creation of procedures and guidelines.
-----

Questions 99. An information security manager must understand the relationship between information security and business operations in order to:
A. support organizational objectives.
B. determine likely areas of noncompliance.
C. assess the possible impacts of compromise.
D. understand the threats to the business.
-----

Questions 100. The MOST effective approach to address issues that arise between IT management, business units and security management when implementing a new security strategy is for the information security manager to:
A. escalate issues to an external third party for resolution.
B. ensure that senior management provides authority for security to address the issues.
C. insist that managers or units not in agreement with the security solution accept the risk.
D. refer the issues to senior management along with any security recommendations.
-----

Questions 101. Which of the following should be the FIRST step in developing an information security plan?
A. Perform a technical vulnerabilities assessment
B. Analyze the current business strategy
C. Perform a business impact analysis
D. Assess the current levels of security awareness
-----

Questions 102. Obtaining senior management support for establishing a warm site can BEST be accomplished by:
A. establishing a periodic risk assessment.
B. promoting regulatory requirements.
C. developing a business case.
D. developing effective metrics.
-----

Questions 103. Which of the following would be the BEST option to improve accountability for a system administrator who has security functions?
A. Include security responsibilities in the job description
B. Require the administrator to obtain security certification
C. Train the system administrator on penetration testing and vulnerability assessment
D. Train the system administrator on risk assessment
-----

Questions 104. Which of the following is the MOST important element of an information security strategy?
A. Defined objectives
B. Time frames for delivery
C. Adoption of a control framework
D. Complete policies
-----

Questions 105. A multinational organization operating in fifteen countries is considering implementing an information security program. Which factor will MOST influence the design of the information security program?
A. Representation by regional business leaders
B. Composition of the board
C. Cultures of the different countries
D. IT security skills
-----

Questions 106. Which of the following is the BEST justification to convince management to invest in an information security program?
A. Cost reduction
B. Compliance with company policies
C. Protection of business assets
D. Increased business value
-----

Questions 107. On a company's e-commerce web site, a good legal statement regarding data privacy should include:
A. a statement regarding what the company will do with the information it collects.
B. a disclaimer regarding the accuracy of information on its web site.
C. technical information regarding how information is protected.
D. a statement regarding where the information is being hosted.
-----

Questions 108. The MOST important factor in ensuring the success of an information security program is effective:
A. communication of information security requirements to all users in the organization.
B. formulation of policies and procedures for information security.
C. alignment with organizational goals and objectives.
D. monitoring compliance with information security policies and procedures.
-----

Questions 109. Which of the following would be MOST helpful to achieve alignment between information security and organization objectives?
A. Key control monitoring
B. A robust security awareness program
C. A security program that enables business activities
D. An effective security architecture
-----

Questions 110. Which of the following BEST contributes to the development of a security governance framework that supports the maturity model concept?
A. Continuous analysis, monitoring and feedback
B. Continuous monitoring of the return on security investment (ROSI)
C. Continuous risk reduction
D. Key risk indicator (KRI) setup to security management processes
-----

Questions 111. Senior management commitment and support for information security can BEST be obtained through presentations that:
A. use illustrative examples of successful attacks.
B. explain the technical risks to the organization.
C. evaluate the organization against best security practices.
D. tie security risks to key business objectives.
-----

Questions 112. The MOST complete business case for security solutions is one that.
A. includes appropriate justification.
B. explains the current risk profile.
C. details regulatory requirements.
D. identifies incidents and losses.
-----

Questions 113. Which of the following is MOST important to understand when developing a meaningful information security strategy?
A. Regulatory environment
B. International security standards
C. Organizational risks
D. Organizational goals
-----

Questions 114. Which of the following is an advantage of a centralized information security organizational structure?
A. It is easier to promote security awareness.
B. It is easier to manage and control.
C. It is more responsive to business unit needs.
D. It provides a faster turnaround for security requests.
-----

Questions 115. Which of the following would help to change an organization's security culture?
A. Develop procedures to enforce the information security policy
B. Obtain strong management support
C. Implement strict technical security controls
D. Periodically audit compliance with the information security policy
-----

Questions 116. The BEST way to justify the implementation of a single sign-on (SSO) product is to use:
A. return on investment (ROI).
B. a vulnerability assessment.
C. annual loss expectancy (ALE).
D. a business case.
-----

Questions 117. The FIRST step in establishing a security governance program is to:
A. conduct a risk assessment.
B. conduct a workshop for all end users.
C. prepare a security budget.
D. obtain high-level sponsorship.
-----

Questions 118. An IS manager has decided to implement a security system to monitor access to the Internet and prevent access to numerous sites. Immediately upon installation, employees flood the IT helpdesk with complaints of being unable to perform business functions on Internet sites. This is an example of:
A. conflicting security controls with organizational needs.
B. strong protection of information resources.
C. implementing appropriate controls to reduce risk.
D. proving information security's protective abilities.
-----

Questions 119. An organization's information security strategy should be based on:
A. managing risk relative to business objectives.
B. managing risk to a zero level and minimizing insurance premiums.
C. avoiding occurrence of risks so that insurance is not required.
D. transferring most risks to insurers and saving on control costs.
-----

Questions 120. Which of the following should be included in an annual information security budget that is submitted for management approval?
A. A cost-benefit analysis of budgeted resources
B. All of the resources that are recommended by the business
C. Total cost of ownership (TCO)
D. Baseline comparisons
-----

Questions 121. Which of the following is a benefit of information security governance?
A. Reduction of the potential for civil or legal liability
B. Questioning trust in vendor relationships
C. Increasing the risk of decisions based on incomplete management information
D. Direct involvement of senior management in developing control processes
-----

Questions 122. Investment in security technology and processes should be based on:
A. clear alignment with the goals and objectives of the organization.
B. success cases that have been experienced in previous projects.
C. best business practices.
D. safeguards that are inherent in existing technology.
-----

Questions 123. The MOST appropriate role for senior management in supporting information security is the:
A. evaluation of vendors offering security products.
B. assessment of risks to the organization.
C. approval of policy statements and funding.
D. monitoring adherence to regulatory requirements.
-----

Questions 124. The data access requirements for an application should be determined by the:
A. legal department.
B. compliance officer.
C. information security manager.
D. business owner.
-----

Questions 125. From an information security perspective, information that no longer supports the main purpose of the business should be:
A. analyzed under the retention policy.
B. protected under the information classification policy.
C. analyzed under the backup policy.
D. protected under the business impact analysis (BIA).
-----

Questions 126. The organization has decided to outsource the majority of the IT department with a vendor that is hosting servers in a foreign country. Of the following, which is the MOST critical security consideration?
A. Laws and regulations of the country of origin may not be enforceable in the foreign country.
B. A security breach notification might get delayed due to the time difference.
C. Additional network intrusion detection sensors should be installed, resulting in an additional cost.
D. The company could lose physical control over the server and be unable to monitor the physical security posture of the servers.
-----

Questions 127. Effective IT governance is BEST ensured by:
A. utilizing a bottom-up approach.
B. management by the IT department.
C. referring the matter to the organization's legal department.
D. utilizing a top-down approach.
-----

Questions 128. The FIRST step to create an internal culture that focuses on information security is to:
A. implement stronger controls.
B. conduct periodic awareness training.
C. actively monitor operations.
D. gain the endorsement of executive management.
-----

Questions 129. Which of the following is the BEST method or technique to ensure the effective implementation of an information security program?
A. Obtain the support of the board of directors.
B. Improve the content of the information security awareness program.
C. Improve the employees' knowledge of security policies.
D. Implement logical access controls to the information systems.
-----

Questions 130. When an organization is implementing an information security governance program, its board of directors should be responsible for:
A. drafting information security policies.
B. reviewing training and awareness programs.
C. setting the strategic direction of the program.
D. auditing for compliance.
-----

Questions 131. A risk assessment and business impact analysis (BIA) have been completed for a major proposed purchase and new process for an organization. There is disagreement between the information security manager and the business department manager who will own the process regarding the results and the assigned risk. Which of the following would be the BEST approach of the information security manager?
A. Acceptance of the business manager's decision on the risk to the corporation
B. Acceptance of the information security manager's decision on the risk to the corporation
C. Review of the assessment with executive management for final input
D. A new risk assessment and BIA are needed to resolve the disagreement
-----

Questions 132. Who is responsible for ensuring that information is categorized and that specific protective measures are taken?
A. The security officer
B. Senior management
C. The end user
D. The custodian
-----

Questions 133. An organization's board of directors has learned of recent legislation requiring organizations within the industry to enact specific safeguards to protect confidential customer information. What actions should the board take next?
A. Direct information security on what they need to do
B. Research solutions to determine the proper solutions
C. Require management to report on compliance
D. Nothing; information security does not report to the board
-----

Questions 134. Information security should be:
A. focused on eliminating all risks.
B. a balance between technical and business requirements.
C. driven by regulatory requirements.
D. defined by the board of directors.
-----

Questions 135. Which of the following would BEST ensure the success of information security governance within an organization?
A. Steering committees approve security projects
B. Security policy training provided to all managers
C. Security training available to all employees on the intranet
D. Steering committees enforce compliance with laws and regulations
-----

Questions 136. What is the MOST important factor in the successful implementation of an enterprise-wide information security program?
A. Realistic budget estimates
B. Security awareness
C. Support of senior management
D. Recalculation of the work factor
-----

Questions 137. What is the MAIN risk when there is no user management representation on the Information Security Steering Committee?
A. Functional requirements are not adequately considered.
B. User training programs may be inadequate.
C. Budgets allocated to business units are not appropriate.
D. Information security plans are not aligned with business requirements.
-----

Questions 138. The MAIN reason for having the Information Security Steering Committee review a new security controls implementation plan is to ensure that:
A. the plan aligns with the organization's business plan.
B. departmental budgets are allocated appropriately to pay for the plan.
C. regulatory oversight requirements are met.
D. the impact of the plan on the business units is reduced.
-----

Questions 139. Which of the following should be determined while defining risk management strategies?
A. Risk assessment criteria
B. Organizational objectives and risk appetite
C. IT architecture complexity
D. Enterprise disaster recovery plans
-----

Questions 140. When implementing effective security governance within the requirements of the company's security strategy, which of the following is the MOST important factor to consider?
A. Preserving the confidentiality of sensitive data
B. Establishing international security standards for data sharing
C. Adhering to corporate privacy standards
D. Establishing system manager responsibility for information security
-----

Questions 141. Which of the following is the BEST reason to perform a business impact analysis (BIA)?
A. To help determine the current state of risk
B. To budget appropriately for needed controls
C. To satisfy regulatory requirements
D. To analyze the effect on the business
-----

Questions 142. A risk mitigation report would include recommendations for:
A. assessment.
B. acceptance.
C. evaluation.
D. quantification.
-----

Questions 143. A risk management program should reduce risk to:
A. zero.
B. an acceptable level.
C. an acceptable percent of revenue.
D. an acceptable probability of occurrence.
-----

Questions 144. The MOST important reason for conducting periodic risk assessments is because:
A. risk assessments are not always precise.
B. security risks are subject to frequent change.
C. reviewers can optimize and reduce the cost of controls.
D. it demonstrates to senior management that the security function can add value.
-----

Questions 145. Which of the following BEST indicates a successful risk management practice?
A. Overall risk is quantified
B. Inherent risk is eliminated
C. Residual risk is minimized
D. Control risk is tied to business units
-----

Questions 146. Information security governance is PRIMARILY driven by:
A. technology constraints.
B. regulatory requirements.
C. litigation potential.
D. business strategy.
-----

Questions 147. Which of the following would generally have the GREATEST negative impact on an organization?
A. Theft of computer software
B. Interruption of utility services
C. Loss of customer confidence
D. Internal fraud resulting in monetary loss
-----

Questions 148. A successful information security management program should use which of the following to determine the amount of resources devoted to mitigating exposures?
A. Risk analysis results
B. Audit report findings
C. Penetration test results
D. Amount of IT budget available
-----

Questions 149. Which of the following will BEST protect an organization from internal security attacks?
A. Static IP addressing
B. Internal address translation
C. Prospective employee background checks
D. Employee awareness certification program
-----

Questions 150. For risk management purposes, the value of an asset should be based on:
A. original cost.
B. net cash flow.
C. net present value.
D. replacement cost.
-----

Questions 151. In a business impact analysis, the value of an information system should be based on the overall cost: 
A. of recovery.
B. to recreate.
C. if unavailable.
D. of emergency operations.
-----

Questions 152. Acceptable risk is achieved when: 
A. residual risk is minimized.
B. transferred risk is minimized.
C. control risk is minimized.
D. inherent risk is minimized.
-----

Questions 153. The value of information assets is BEST determined by: 
A. individual business managers.
B. business systems analysts.
C. information security management.
D. industry averages benchmarking.
-----

Questions 154. During which phase of development is it MOST appropriate to begin assessing the risk of a new application system? 
A. Feasibility
B. Design
C. Development
D. Testing
-----

Questions 155. Which of the following represents the MAJOR focus of privacy regulations? 
A. Unrestricted data mining
B. Identity theft
C. Human rights protection
D. Identifiable personal data
-----

Questions 156. The MOST effective way to incorporate risk management practices into existing production systems is through: 
A. policy development.
B. change management.
C. awareness training.
D. regular monitoring.
-----

Questions 157. Which of the following would be MOST useful in developing a series of recovery time objectives (RTOs)? 
A. Gap analysis
B. Regression analysis
C. Risk analysis
D. Business impact analysis
-----

Questions 158. The recovery time objective (RTO) is reached at which of the following milestones? 
A. Disaster declaration
B. Recovery of the backups
C. Restoration of the system
D. Return to business as usual processing
-----

Questions 159. Which of the following results from the risk assessment process would BEST assist risk management decision making? 
A. Control risk
B. Inherent risk
C. Risk exposure
D. Residual risk
-----

Questions 160. The decision on whether new risks should fall under periodic or event-driven reporting should be based on which of the following? 
A. Mitigating controls
B. Visibility of impact
C. Likelihood of occurrence
D. Incident frequency
-----

Questions 161. Risk acceptance is a component of which of the following? 
A. Assessment
B. Mitigation
C. Evaluation
D. Monitoring
-----

Questions 162. Risk management programs are designed to reduce risk to: 
A. a level that is too small to be measurable.
B. the point at which the benefit exceeds the expense.
C. a level that the organization is willing to accept.
D. a rate of return that equals the current cost of capital.
-----

Questions 163. A risk assessment should be conducted: 
A. once a year for each business process and subprocess.
B. every three to six months for critical business processes.
C. by external parties to maintain objectivity.
D. annually or whenever there is a significant change.
-----

Questions 164. The MOST important function of a risk management program is to: 
A. quantify overall risk.
B. minimize residual risk.
C. eliminate inherent risk.
D. maximize the sum of all annualized loss expectancies (ALEs).
-----

Questions 165. Which of the following risks would BEST be assessed using qualitative risk assessment techniques? 
A. Theft of purchased software
B. Power outage lasting 24 hours
C. Permanent decline in customer confidence
D. Temporary loss of e-mail due to a virus attack
-----

Questions 166. Which of the following will BEST prevent external security attacks? 
A. Static IP addressing
B. Network address translation
C. Background checks for temporary employees
D. Securing and analyzing system access logs
-----

Questions 167. Investments in information security technologies should be based on: 
A. vulnerability assessments.
B. value analysis.
C. business climate.
D. audit recommendations.
-----

Questions 168. In performing a risk assessment on the impact of losing a server, the value of the server should be calculated using the: 
A. original cost to acquire.
B. cost of the software stored.
C. annualized loss expectancy (ALE).
D. cost to obtain a replacement.
-----

Questions 169. A business impact analysis (BIA) is the BEST tool for calculating: 
A. total cost of ownership.
B. priority of restoration.
C. annualized loss expectancy (ALE).
D. residual risk.
-----

Questions 170. When residual risk is minimized: 
A. acceptable risk is probable.
B. transferred risk is acceptable.
C. control risk is reduced.
D. risk is transferable.
-----

Questions 171. Quantitative risk analysis is MOST appropriate when assessment data: 
A. include customer perceptions.
B. contain percentage estimates.
C. do not contain specific details.
D. contain subjective information.
-----

Questions 172. Which of the following is the MOST appropriate use of gap analysis? 
A. Evaluating a business impact analysis (BIA)
B. Developing a balanced business scorecard
C. Demonstrating the relationship between controls
D. Measuring current state vs. desired future state
-----

Questions 173. Identification and prioritization of business risk enables project managers to: 
A. establish implementation milestones.
B. reduce the overall amount of slack time.
C. address areas with most significance.
D. accelerate completion of critical paths.
-----

Questions 174. A risk analysis should: 
A. include a benchmark of similar companies in its scope.
B. assume an equal degree of protection for all assets.
C. address the potential size and likelihood of loss.
D. give more weight to the likelihood vs. the size of the loss.
-----

Questions 175. The recovery point objective (RPO) requires which of the following? 
A. Disaster declaration
B. Before-image restoration
C. System restoration
D. After-image processing
-----

Questions 176. Based on the information provided, which of the following situations presents the GREATEST information security risk for an organization with multiple, but small, domestic processing locations? 
A. Systems operation procedures are not enforced
B. Change management procedures are poor
C. Systems development is outsourced
D. Systems capacity management is not performed
-----

Questions 177. Which of the following BEST describes the scope of risk analysis? 
A. Key financial systems
B. Organizational activities
C. Key systems and infrastructure
D. Systems subject to regulatory compliance
-----

Questions 178. Retention of business records should PRIMARILY be based on: 
A. business strategy and direction.
B. regulatory and legal requirements.
C. storage capacity and longevity.
D. business ease and value analysis.
-----

Questions 179. The decision as to whether a risk has been reduced to an acceptable level should be determined by:
A. organizational requirements.
B. information systems requirements.
C. information security requirements.
D. international standards.
-----

Questions 180. Which of the following is the PRIMARY reason for implementing a risk management program? 
A. Allows the organization to eliminate risk
B. Is a necessary part of management's due diligence
C. Satisfies audit and regulatory requirements
D. Assists in incrementing the return on investment (ROI)
-----

Questions 181. Which of the following groups would be in the BEST position to perform a risk analysis for a business? 
A. External auditors
B. A peer group within a similar business
C. Process owners
D. A specialized management consultant
-----

Questions 182. A successful risk management program should lead to: 
A. optimization of risk reduction efforts against cost.
B. containment of losses to an annual budgeted amount.
C. identification and removal of all man-made threats.
D. elimination or transference of all organizational risks.
-----

Questions 183. Which of the following risks would BEST be assessed using quantitative risk assessment techniques? 
A. Customer data stolen
B. An electrical power outage
C. A web site defaced by hackers
D. Loss of the software development team
-----

Questions 184. The impact of losing frame relay network connectivity for 18-24 hours should be calculated using the: 
A. hourly billing rate charged by the carrier.
B. value of the data transmitted over the network.
C. aggregate compensation of all affected business users.
D. financial losses incurred by affected business units.
-----

Questions 185. Which of the following is the MOST usable deliverable of an information security risk analysis? 
A. Business impact analysis (BIA) report
B. List of action items to mitigate risk
C. Assignment of risks to process owners
D. Quantification of organizational risk
-----

Questions 186. Ongoing tracking of remediation efforts to mitigate identified risks can BEST be accomplished through the use of which of the following? 
A. Tree diagrams
B. Venn diagrams
C. Heat charts
D. Bar charts
-----

Questions 187. Who would be in the BEST position to determine the recovery point objective (RPO) for business applications? 
A. Business continuity coordinator
B. Chief operations officer (COO)
C. Information security manager
D. Internal audit
-----

Questions 188. Which two components PRIMARILY must be assessed in an effective risk analysis? 
A. Visibility and duration
B. Likelihood and impact
C. Probability and frequency
D. Financial impact and duration
-----

Questions 189. Information security managers should use risk assessment techniques to: 
A. justify selection of risk mitigation strategies.
B. maximize the return on investment (ROI).
C. provide documentation for auditors and regulators.
D. quantify risks that would otherwise be subjective.
-----

Questions 190. Which of the following is characteristic of centralized information security management? 
A. More expensive to administer
B. Better adherence to policies
C. More aligned with business unit needs
D. Faster turnaround of requests
-----

Questions 191. In assessing risk, it is MOST essential to: 
A. provide equal coverage for all asset types.
B. use benchmarking data from similar organizations.
C. consider both monetary value and likelihood of loss.
D. focus primarily on threats and recent business losses.
-----

Questions 192. When the computer incident response team (CIRT) finds clear evidence that a hacker has penetrated the corporate network and modified customer information, an information security manager should FIRST notify: 
A. the information security steering committee.
B. customers who may be impacted.
C. data owners who may be impacted.
D. regulatory agencies overseeing privacy.
-----

Questions 193. Data owners are PRIMARILY responsible for establishing risk mitigation methods to address which of the following areas? 
A. Platform security
B. Entitlement changes
C. Intrusion detection
D. Antivirus controls
-----

Questions 194. The PRIMARY goal of a corporate risk management program is to ensure that an organization's: 
A. IT assets in key business functions are protected.
B. business risks are addressed by preventive controls.
C. stated objectives are achievable.
D. IT facilities and systems are always available.
-----

Questions 195. It is important to classify and determine relative sensitivity of assets to ensure that: 
A. cost of protection is in proportion to sensitivity.
B. highly sensitive assets are protected.
C. cost of controls is minimized.
D. countermeasures are proportional to risk.
-----

Questions 196. The service level agreement (SLA) for an outsourced IT function does not reflect an adequate level of protection. In this situation an information security manager should: 
A. ensure the provider is made liable for losses.
B. recommend not renewing the contract upon expiration.
C. recommend the immediate termination of the contract.
D. determine the current level of security.
-----

Questions 197. An information security manager has been assigned to implement more restrictive preventive controls. By doing so, the net effect will be to PRIMARILY reduce the: 
A. threat.
B. loss.
C. vulnerability.
D. probability.
-----

Questions 198. When performing a quantitative risk analysis, which of the following is MOST important to estimate the potential loss? 
A. Evaluate productivity losses
B. Assess the impact of confidential data disclosure
C. Calculate the value of the information or asset
D. Measure the probability of occurrence of each threat
-----

Questions 199. Successful implementation of information security governance will FIRST require: 
A. security awareness training.
B. updated security policies.
C. a computer incident management team.
D. a security architecture.
-----

Questions 200. Before conducting a formal risk assessment of an organization's information resources, an information security manager should FIRST: 
A. map the major threats to business objectives.
B. review available sources of risk information.
C. identify the value of the critical assets.
D. determine the financial impact if threats materialize.
-----

Questions 201. The valuation of IT assets should be performed by:
A. an IT security manager.
B. an independent security consultant.
C. the chief financial officer (CFO).
D. the information owner.
-----

Questions 202. The PRIMARY objective of a risk management program is to:
A. minimize inherent risk.
B. eliminate business risk.
C. implement effective controls.
D. minimize residual risk.
-----

Questions 203. After completing a full IT risk assessment, who can BEST decide which mitigating controls should be implemented?
A. Senior management
B. Business manager
C. IT audit manager
D. Information security officer (ISO)
-----

Questions 204. When performing an information risk analysis, an information security manager should FIRST:
A. establish the ownership of assets.
B. evaluate the risks to the assets.
C. take an asset inventory.
D. categorize the assets.
-----

Questions 205. The PRIMARY benefit of performing an information asset classification is to:
A. link security requirements to business objectives.
B. identify controls commensurate to risk.
C. define access rights.
D. establish ownership.
-----

Questions 206. Which of the following is MOST essential for a risk management program to be effective?
A. Flexible security budget
B. Sound risk baseline
C. New risks detection
D. Accurate risk reporting
-----

Questions 207. Which of the following attacks is BEST mitigated by utilizing strong passwords?
A. Man-in-the-middle attack
B. Brute force attack
C. Remote buffer overflow
D. Root kit
-----

Questions 208. Phishing is BEST mitigated by which of the following?
A. Security monitoring software
B. Encryption
C. Two-factor authentication
D. User awareness
-----

Questions 209. The security responsibility of data custodians in an organization will include:
A. assuming overall protection of information assets.
B. determining data classification levels.
C. implementing security controls in products they install.
D. ensuring security measures are consistent with policy.
-----

Questions 210. A security risk assessment exercise should be repeated at regular intervals because:
A. business threats are constantly changing.
B. omissions in earlier assessments can be addressed.
C. repetitive assessments allow various methodologies.
D. they help raise awareness on security in the business.
-----

Questions 211. Which of the following individuals would be in the BEST position to sponsor the creation of an information security steering group?
A. Information security manager
B. Chief operating officer (COO)
C. Internal auditor
D. Legal counsel
-----

Questions 212. Which of the following steps in conducting a risk assessment should be performed FIRST?
A. Identify business assets
B. Identify business risks
C. Assess vulnerabilities
D. Evaluate key controls
-----

Questions 213. The systems administrator did not immediately notify the security officer about a malicious attack. An information security manager could prevent this situation by:
A. periodically testing the incident response plans.
B. regularly testing the intrusion detection system (IDS).
C. establishing mandatory training of all personnel.
D. periodically reviewing incident response procedures.
-----

Questions 214. Which of the following risks is represented in the risk appetite of an organization?
A. Control
B. Inherent
C. Residual
D. Audit
-----

Questions 215. Which of the following would a security manager establish to determine the target for restoration of normal processing?
A. Recovery time objective (RTO)
B. Maximum tolerable outage (MTO)
C. Recovery point objectives (RPOs)
D. Services delivery objectives (SDOs)
-----

Questions 216. A risk management program would be expected to:
A. remove all inherent risk.
B. maintain residual risk at an acceptable level.
C. implement preventive controls for every threat.
D. reduce control risk to zero.
-----

Questions 217. Risk assessment should be built into which of the following systems development phases to ensure that risks are addressed in a development project?
A. Programming
B. Specification
C. User testing
D. Feasibility
-----

Questions 218. Which of the following would help management determine the resources needed to mitigate a risk to the organization?
A. Risk analysis process
B. Business impact analysis (BIA)
C. Risk management balanced scorecard
D. Risk-based audit program
-----

Questions 219. A global financial institution has decided not to take any further action on a denial of service (DoS) risk found by the risk assessment team. The MOST likely reason they made this decision is that:
A. there are sufficient safeguards in place to prevent this risk from happening.
B. the needed countermeasure is too complicated to deploy.
C. the cost of countermeasure outweighs the value of the asset and potential loss.
D. the likelihood of the risk occurring is unknown.
-----

Questions 220. Which would be one of the BEST metrics an information security manager can employ to effectively evaluate the results of a security program?
A. Number of controls implemented
B. Percent of control objectives accomplished
C. Percent of compliance with the security policy
D. Reduction in the number of reported security incidents
-----

Questions 221. Which of the following types of information would the information security manager expect to have the LOWEST level of security protection in a large, multinational enterprise?
A. Strategic business plan
B. Upcoming financial results
C. Customer personal information
D. Previous financial results
-----

Questions 222. The PRIMARY purpose of using risk analysis within a security program is to:
A. justify the security expenditure.
B. help businesses prioritize the assets to be protected.
C. inform executive management of residual risk value.
D. assess exposures and plan remediation.
-----

Questions 223. The MOST important component of a privacy policy is:
A. notifications.
B. warranties.
C. liabilities.
D. geographic coverage.
-----

Questions 224. Which of the following is the PRIMARY prerequisite to implementing data classification within an organization?
A. Defining job roles
B. Performing a risk assessment
C. Identifying data owners
D. Establishing data retention policies
-----

Questions 225. An online banking institution is concerned that the breach of customer personal information will have a significant financial impact due to the need to notify and compensate customers whose personal information may have been compromised. The institution determines that residual risk will always be too high and decides to:
A. mitigate the impact by purchasing insurance.
B. implement a circuit-level firewall to protect the network.
C. increase the resiliency of security measures in place.
D. implement a real-time intrusion detection system.
-----

Questions 226. What mechanisms are used to identify deficiencies that would provide attackers with an opportunity to compromise a computer system?
A. Business impact analyses
B. Security gap analyses
C. System performance metrics
D. Incident response processes
-----

Questions 227. A common concern with poorly written web applications is that they can allow an attacker to:
A. gain control through a buffer overflow.
B. conduct a distributed denial of service (DoS) attack.
C. abuse a race condition.
D. inject structured query language (SQL) statements.
-----

Questions 228. Which of the following would be of GREATEST importance to the security manager in determining whether to accept residual risk?
A. Historical cost of the asset
B. Acceptable level of potential business impacts
C. Cost versus benefit of additional mitigating controls
D. Annualized loss expectancy (ALE)
-----

Questions 229. A project manager is developing a developer portal and requests that the security manager assign a public IP address so that it can be accessed by in-house staff and by external consultants outside the organization's local area network (LAN). What should the security manager do FIRST?
A. Understand the business requirements of the developer portal
B. Perform a vulnerability assessment of the developer portal
C. Install an intrusion detection system (IDS)
D. Obtain a signed nondisclosure agreement (NDA) from the external consultants before allowing external access to the server
-----

Questions 230. The cost of implementing a security control should not exceed the:
A. annualized loss expectancy.
B. cost of an incident.
C. asset value.
D. implementation opportunity costs.
-----

Questions 231. A mission-critical system has been identified as having an administrative system account with attributes that prevent locking and change of privileges and name. Which would be the BEST approach to prevent successful brute forcing of the account?
A. Prevent the system from being accessed remotely
B. Create a strong random password
C. Ask for a vendor patch
D. Track usage of the account by audit trails
-----

Questions 232. Attackers who exploit cross-site scripting vulnerabilities take advantage of:
A. a lack of proper input validation controls.
B. weak authentication controls in the web application layer.
C. flawed cryptographic secure sockets layer (SSL) implementations and short key lengths.
D. implicit web application trust relationships.
-----

Questions 233. Which of the following would BEST address the risk of data leakage?
A. File backup procedures
B. Database integrity checks
C. Acceptable use policies
D. Incident response procedures
-----

Questions 234. A company recently developed a breakthrough technology. Since this technology could give this company a significant competitive edge, which of the following would FIRST govern how this information is to be protected?
A. Access control policy
B. Data classification policy
C. Encryption standards
D. Acceptable use policy
-----

Questions 235. What is the BEST technique to determine which security controls to implement with a limited budget?
A. Risk analysis
B. Annualized loss expectancy (ALE) calculations
C. Cost-benefit analysis
D. Impact analysis
-----

Questions 236. A company's mail server allows anonymous file transfer protocol (FTP) access which could be exploited. What process should the information security manager deploy to determine the necessity for remedial action?
A. A penetration test
B. A security baseline review
C. A risk assessment
D. A business impact analysis (BIA)
-----

Questions 237. Which of the following measures would be MOST effective against insider threats to confidential information?
A. Role-based access control
B. Audit trail monitoring
C. Privacy policy
D. Defense-in-depth
-----

Questions 238. Because of its importance to the business, an organization wants to quickly implement a technical solution which deviates from the company's policies. An information security manager should:
A. conduct a risk assessment and allow or disallow based on the outcome.
B. recommend a risk assessment and implementation only if the residual risks are accepted.
C. recommend against implementation because it violates the company's policies.
D. recommend revision of current policy.
-----

Questions 239. After a risk assessment study, a bank with global operations decided to continue doing business in certain regions of the world where identity theft is rampant. The information security manager should encourage the business to:
A. increase its customer awareness efforts in those regions.
B. implement monitoring techniques to detect and react to potential fraud.
C. outsource credit card processing to a third party.
D. make the customer liable for losses if they fail to follow the bank's advice.
-----

Questions 240. The criticality and sensitivity of information assets is determined on the basis of:
A. threat assessment.
B. vulnerability assessment.
C. resource dependency assessment.
D. impact assessment.
-----

Questions 241. Which program element should be implemented FIRST in asset classification and control?
A. Risk assessment
B. Classification
C. Valuation
D. Risk mitigation
-----

Questions 242. When performing a risk assessment, the MOST important consideration is that:
A. management supports risk mitigation efforts.
B. annual loss expectations (ALEs) have been calculated for critical assets.
C. assets have been identified and appropriately valued.
D. attack motives, means and opportunities be understood.
-----

Questions 243. The MAIN reason why asset classification is important to a successful information security program is because classification determines:
A. the priority and extent of risk mitigation efforts.
B. the amount of insurance needed in case of loss.
C. the appropriate level of protection to the asset.
D. how protection levels compare to peer organizations.
-----

Questions 244. The BEST strategy for risk management is to:
A. achieve a balance between risk and organizational goals.
B. reduce risk to an acceptable level.
C. ensure that policy development properly considers organizational risks.
D. ensure that all unmitigated risks are accepted by management.
-----

Questions 245. Which of the following would be the MOST important factor to be considered in the loss of mobile equipment with unencrypted data?
A. Disclosure of personal information
B. Sufficient coverage of the insurance policy for accidental losses
C. Intrinsic value of the data stored on the equipment
D. Replacement cost of the equipment
-----

Questions 246. Minimum standards for securing the technical infrastructure should be defined in a security:
A. strategy.
B. guidelines.
C. model.
D. architecture.
-----

Questions 247. An organization has to comply with recently published industry regulatory requirements -- compliance that potentially has high implementation costs. What should the information security manager do FIRST?
A. Implement a security committee.
B. Perform a gap analysis.
C. Implement compensating controls.
D. Demand immediate compliance.
-----

Questions 248. Which of the following would be MOST relevant to include in a cost-benefit analysis of a two-factor authentication system?
A. Annual loss expectancy (ALE) of incidents
B. Frequency of incidents
C. Total cost of ownership (TCO)
D. Approved budget for the project
-----

Questions 249. One way to determine control effectiveness is by determining:
A. whether it is preventive, detective or compensatory.
B. the capability of providing notification of failure.
C. the test results of intended objectives.
D. the evaluation and analysis of reliability.
-----

Questions 250. What does a network vulnerability assessment intend to identify?
A. 0-day vulnerabilities
B. Malicious software and spyware
C. Security design flaws
D. Misconfiguration and missing updates
-----

Questions 251. Who is responsible for ensuring that information is classified?
A. Senior management
B. Security manager
C. Data owner
D. Custodian
-----

Questions 252. After a risk assessment, it is determined that the cost to mitigate the risk is much greater than the benefit to be derived. The information security manager should recommend to business management that the risk be:
A. transferred.
B. treated.
C. accepted.
D. terminated.
-----

Questions 253. When a significant security breach occurs, what should be reported FIRST to senior management?
A. A summary of the security logs that illustrates the sequence of events
B. An explanation of the incident and corrective action taken
C. An analysis of the impact of similar attacks at other organizations
D. A business case for implementing stronger logical access controls
-----

Questions 254. The PRIMARY reason for initiating a policy exception process is when:
A. operations are too busy to comply.
B. the risk is justified by the benefit.
C. policy compliance would be difficult to enforce.
D. users may initially be inconvenienced.
-----

Questions 255. Which of the following is MOST appropriate for inclusion in an information security strategy?
A. Business controls designated as key controls
B. Security processes, methods, tools and techniques
C. Firewall rule sets, network defaults and intrusion detection system (IDS) settings
D. Budget estimates to acquire specific security tools
-----

Questions 256. Which of the following would be the MOST relevant factor when defining the information classification policy?
A. Quantity of information
B. Available IT infrastructure
C. Benchmarking
D. Requirements of data owners
-----

Questions 257. To determine the selection of controls required to meet business objectives, an information security manager should:
A. prioritize the use of role-based access controls.
B. focus on key controls.
C. restrict controls to only critical applications.
D. focus on automated controls.
-----

Questions 258. The MOST appropriate owner of customer data stored in a central database, used only by an organization's sales department, would be the:
A. sales department.
B. database administrator.
C. chief information officer (CIO).
D. head of the sales department.
-----

Questions 259. In assessing the degree to which an organization may be affected by new privacy legislation, information security management should FIRST:
A. develop an operational plan for achieving compliance with the legislation.
B. identify systems and processes that contain privacy components.
C. restrict the collection of personal information until compliant.
D. identify privacy legislation in other countries that may contain similar requirements.
-----

Questions 260. Risk assessment is MOST effective when performed:
A. at the beginning of security program development.
B. on a continuous basis.
C. while developing the business case for the security program.
D. during the business change process.
-----

Questions 261. Which of the following is the MAIN reason for performing risk assessment on a continuous basis?
A. Justification of the security budget must be continually made.
B. New vulnerabilities are discovered every day.
C. The risk environment is constantly changing.
D. Management needs to be continually informed about emerging risks.
-----

Questions 262. There is a time lag between the time when a security vulnerability is first published, and the time when a patch is delivered. Which of the following should be carried out FIRST to mitigate the risk during this time period?
A. Identify the vulnerable systems and apply compensating controls
B. Minimize the use of vulnerable systems
C. Communicate the vulnerability to system users
D. Update the signatures database of the intrusion detection system (IDS)
-----

Questions 263. Which of the following security activities should be implemented in the change management process to identify key vulnerabilities introduced by changes?
A. Business impact analysis (BIA)
B. Penetration testing
C. Audit and review
D. Threat analysis
-----

Questions 264. Which of the following techniques MOST clearly indicates whether specific risk-reduction controls should be implemented?
A. Countermeasure cost-benefit analysis
B. Penetration testing
C. Frequent risk assessment programs
D. Annual loss expectancy (ALE) calculation
-----

Questions 265. An organization has decided to implement additional security controls to treat the risks of a new process. This is an example of:
A. eliminating the risk.
B. transferring the risk.
C. mitigating the risk.
D. accepting the risk.
-----

Questions 266. Which of the following roles is PRIMARILY responsible for determining the information classification levels for a given information asset?
A. Manager
B. Custodian
C. User
D. Owner
-----

Questions 267. The PRIMARY reason for assigning classes of sensitivity and criticality to information resources is to provide a basis for:
A. determining the scope for inclusion in an information security program.
B. defining the level of access controls.
C. justifying costs for information resources.
D. determining the overall budget of an information security program.
-----

Questions 268. An organization is already certified to an international security standard. Which mechanism would BEST help to further align the organization with other data security regulatory requirements as per new business needs?
A. Key performance indicators (KPIs)
B. Business impact analysis (BIA)
C. Gap analysis
D. Technical vulnerability assessment
-----

Questions 269. When performing a qualitative risk analysis, which of the following will BEST produce reliable results?
A. Estimated productivity losses
B. Possible scenarios with threats and impacts
C. Value of information assets
D. Vulnerability assessment
-----

Questions 270. Senior management commitment and support for information security will BEST be attained by an information security manager by emphasizing:
A. organizational risk.
B. organization wide metrics.
C. security needs.
D. the responsibilities of organizational units.
-----

Questions 271. Which of the following is the BEST method to ensure the overall effectiveness of a risk management program?
A. User assessments of changes
B. Comparison of the program results with industry standards
C. Assignment of risk within the organization
D. Participation by all members of the organization
-----

Questions 272. The MOST effective use of a risk register is to:
A. identify risks and assign roles and responsibilities for mitigation.
B. identify threats and probabilities.
C. facilitate a thorough review of all IT-related risks on a periodic basis.
D. record the annualized financial amount of expected losses due to risks.
-----

Questions 273. After obtaining commitment from senior management, which of the following should be completed NEXT when establishing an information security program?
A. Define security metrics
B. Conduct a risk assessment
C. Perform a gap analysis
D. Procure security tools
-----

Questions 274. Which of the following are the essential ingredients of a business impact analysis (BIA)?
A. Downtime tolerance, resources and criticality
B. Cost of business outages in a year as a factor of the security budget
C. Business continuity testing methodology being deployed
D. Structure of the crisis management team
-----

Questions 275. A risk management approach to information protection is:
A. managing risks to an acceptable level, commensurate with goals and objectives.
B. accepting the security posture provided by commercial security products.
C. implementing a training program to educate individuals on information protection and risks.
D. managing risk tools to ensure that they assess all information protection vulnerabilities.
-----

Questions 276. Which of the following is the MOST effective way to treat a risk such as a natural disaster that has a low probability and a high impact level?
A. Implement countermeasures.
B. Eliminate the risk.
C. Transfer the risk.
D. Accept the risk.
-----

Questions 277. To ensure that payroll systems continue to operate in the event of a hurricane hitting a data center, what would be the FIRST crucial step an information security manager would take in ensuring business continuity planning?
A. Conducting a qualitative and quantitative risk analysis.
B. Assigning value to the assets.
C. Weighing the cost of implementing the plan vs. financial loss.
D. Conducting a business impact analysis (BIA).
-----

Questions 278. An information security organization should PRIMARILY:
A. support the business objectives of the company by providing security-related support services.
B. be responsible for setting up and documenting the information security responsibilities of the information security team members.
C. ensure that the information security policies of the company are in line with global best practices and standards.
D. ensure that the information security expectations are conveyed to employees.
-----

Questions 279. When implementing security controls, an information security manager must PRIMARILY focus on:
A. minimizing operational impacts.
B. eliminating all vulnerabilities.
C. usage by similar organizations.
D. certification from a third party.
-----

Questions 280. All risk management activities are PRIMARILY designed to reduce impacts to:
A. a level defined by the security manager.
B. an acceptable level based on organizational risk tolerance.
C. a minimum level consistent with regulatory requirements.
D. the minimum level possible.
-----

Questions 281. Which of the following roles would represent a conflict of interest for an information security manager?
A. Evaluation of third parties requesting connectivity
B. Assessment of the adequacy of disaster recovery plans
C. Final approval of information security policies
D. Monitoring adherence to physical security controls
-----

Questions 282. After assessing and mitigating the risks of a web application, who should decide on the acceptance of residual application risks?
A. Information security officer
B. Chief information officer (CIO)
C. Business owner
D. Chief executive officer (CEO)
-----

Questions 283. The purpose of a corrective control is to:
A. reduce adverse events.
B. indicate compromise.
C. mitigate impact.
D. ensure compliance.
-----

Questions 284. Which of the following is the MOST important requirement for setting up an information security infrastructure for a new system?
A. Performing a business impact analysis (BIA)
B. Considering personal information devices as part of the security policy
C. Initiating IT security training and familiarization
D. Basing the information security infrastructure on risk assessment
-----

Questions 285. Previously accepted risk should be:
A. re-assessed periodically since the risk can be escalated to an unacceptable level due to revised conditions.
B. accepted permanently since management has already spent resources (time and labor) to conclude that the risk level is acceptable.
C. avoided next time since risk avoidance provides the best protection to the company.
D. removed from the risk log once it is accepted.
-----

Questions 286. An information security manager is advised by contacts in law enforcement that there is evidence that his/her company is being targeted by a skilled gang of hackers known to use a variety of techniques, including social engineering and network penetration. The FIRST step that the security manager should take is to:
A. perform a comprehensive assessment of the organization's exposure to the hacker's techniques.
B. initiate awareness training to counter social engineering.
C. immediately advise senior management of the elevated risk.
D. increase monitoring activities to provide early detection of intrusion.
-----

Questions 287. Which of the following steps should be performed FIRST in the risk assessment process?
A. Staff interviews
B. Threat identification
C. Asset identification and valuation
D. Determination of the likelihood of identified risks
-----

Questions 288. Which of the following authentication methods prevents authentication replay?
A. Password hash implementation
B. Challenge/response mechanism
C. Wired Equivalent Privacy (WEP) encryption usage
D. HTTP Basic Authentication
-----

Questions 289. An organization has a process in place that involves the use of a vendor. A risk assessment was completed during the development of the process. A year after the implementation a monetary decision has been made to use a different vendor. What, if anything, should occur?
A. Nothing, since a risk assessment was completed during development.
B. A vulnerability assessment should be conducted.
C. A new risk assessment should be performed.
D. The new vendor's SAS 70 type II report should be reviewed.
-----

Questions 290. Who can BEST advocate the development of and ensure the success of an information security program?
A. Internal auditor
B. Chief operating officer (COO)
C. Steering committee
D. IT management
-----

Questions 291. Which of the following BEST ensures that information transmitted over the Internet will remain confidential?
A. Virtual private network (VPN)
B. Firewalls and routers
C. Biometric authentication
D. Two-factor authentication
-----

Questions 292. Which of the following situations must be corrected FIRST to ensure successful information security governance within an organization?
A. The information security department has difficulty filling vacancies.
B. The chief information officer (CIO) approves security policy changes.
C. The information security oversight committee only meets quarterly.
D. The data center manager has final signoff on all security projects.
-----

Questions 293. The effectiveness of virus detection software is MOST dependent on which of the following?
A. Packet filtering
B. Intrusion detection
C. Software upgrades
D. Definition tables
-----

Questions 294. Which of the following is the MOST effective type of access control?
A. Centralized
B. Role-based
C. Decentralized
D. Discretionary
-----

Questions 295. Which of the following devices should be placed within a DMZ?
A. Router
B. Firewall
C. Mail relay
D. Authentication server
-----

Questions 296. An intrusion detection system should be placed:
A. outside the firewall.
B. on the firewall server.
C. on a screened subnet.
D. on the external router.
-----

Questions 297. The BEST reason for an organization to have two discrete firewalls connected directly to the Internet and to the same DMZ would be to:
A. provide in-depth defense.
B. separate test and production.
C. permit traffic load balancing.
D. prevent a denial-of-service attack.
-----

Questions 298. An extranet server should be placed:
A. outside the firewall.
B. on the firewall server.
C. on a screened subnet.
D. on the external router.
-----

Questions 299. Which of the following is the BEST metric for evaluating the effectiveness of security awareness training? The number of:
A. password resets.
B. reported incidents.
C. incidents resolved.
D. access rule violations.
-----

Questions 300. Security monitoring mechanisms should PRIMARILY:
A. focus on business-critical information.
B. assist owners to manage control risks.
C. focus on detecting network intrusions.
D. record all security violations.
-----

Questions 301. Which of the following is the BEST method for ensuring that security procedures and guidelines are known and understood?
A. Periodic focus group meetings
B. Periodic compliance reviews
C. Computer-based certification training (CBT)
D. Employee's signed acknowledgement
-----

Questions 302. When contracting with an outsourcer to provide security administration, the MOST important contractual element is the:
A. right-to-terminate clause.
B. limitations of liability.
C. service level agreement (SLA).
D. financial penalties clause.
-----

Questions 303. Which of the following is the BEST metric for evaluating the effectiveness of an intrusion detection mechanism?
A. Number of attacks detected
B. Number of successful attacks
C. Ratio of false positives to false negatives
D. Ratio of successful to unsuccessful attacks
-----

Questions 304. Which of the following is MOST effective in preventing weaknesses from being introduced into existing production systems?
A. Patch management
B. Change management
C. Security baselines
D. Virus detection
-----

Questions 305. Which of the following tools is MOST appropriate for determining how long a security project will take to implement?
A. Gantt chart
B. Waterfall chart
C. Critical path
D. Rapid Application Development (RAD)
-----

Questions 306. Which of the following is MOST effective in preventing security weaknesses in operating systems?
A. Patch management
B. Change management
C. Security baselines
D. Configuration management
-----

Questions 307. When a proposed system change violates an existing security standard, the conflict would be BEST resolved by:
A. calculating the residual risk.
B. enforcing the security standard.
C. redesigning the system change.
D. implementing mitigating controls.
-----

Questions 308. Who can BEST approve plans to implement an information security governance framework?
A. Internal auditor
B. Information security management
C. Steering committee
D. Infrastructure management
-----

Questions 309. Which of the following is the MOST effective solution for preventing internal users from modifying sensitive and classified information?
A. Baseline security standards
B. System access violation logs
C. Role-based access controls
D. Exit routines
-----

Questions 310. Which of the following requirements would have the lowest level of priority in information security?
A. Technical
B. Regulatory
C. Privacy
D. Business
-----

Questions 311. Which of the following is generally used to ensure that information transmitted over the Internet is authentic and actually transmitted by the named sender?
A. Biometric authentication
B. Embedded steganographic
C. Two-factor authentication
D. Embedded digital signature
-----

Questions 312. Which of the following is the MOST appropriate frequency for updating antivirus signature files for antivirus software on production servers?
A. Daily
B. Weekly
C. Concurrently with O/S patch updates
D. During scheduled change control updates
-----

Questions 313. Which of the following devices should be placed within a demilitarized zone (DMZ)?
A. Network switch
B. Web server
C. Database server
D. File/print server
-----

Questions 314. On which of the following should a firewall be placed?
A. Web server
B. Intrusion detection system (IDS) server
C. Screened subnet
D. Domain boundary
-----

Questions 315. An intranet server should generally be placed on the:
A. internal network.
B. firewall server.
C. external router.
D. primary domain controller.
-----

Questions 316. Access control to a sensitive intranet application by mobile users can BEST be implemented through:
A. data encryption.
B. digital signatures.
C. strong passwords.
D. two-factor authentication.
-----

Questions 317. When application-level security controlled by business process owners is found to be poorly managed, which of the following could BEST improve current practices?
A. Centralizing security management
B. Implementing sanctions for noncompliance
C. Policy enforcement by IT management
D. Periodic compliance reviews
-----

Questions 318. Security awareness training is MOST likely to lead to which of the following?
A. Decrease in intrusion incidents
B. Increase in reported incidents
C. Decrease in security policy changes
D. Increase in access rule violations
-----

Questions 319. The information classification scheme should:
A. consider possible impact of a security breach.
B. classify personal information in electronic form.
C. be performed by the information security manager.
D. classify systems according to the data processed.
-----

Questions 320. When an organization hires a new information security manager, which of the following goals should this individual pursue FIRST?
A. Develop a security architecture
B. Establish good communication with steering committee members
C. Assemble an experienced staff
D. Benchmark peer organizations
-----

Questions 321. Which of the following is the BEST method to provide a new user with their initial password for e-mail system access?
A. Interoffice a system-generated complex password with 30 days expiration
B. Give a dummy password over the telephone set for immediate expiration
C. Require no password but force the user to set their own in 10 days
D. Set initial password equal to the user ID with expiration in 30 days
-----

Questions 322. An information security program should be sponsored by:
A. infrastructure management.
B. the corporate audit department.
C. key business process owners.
D. information security management.
-----

Questions 323. Which of the following is the MOST important item to include when developing web hosting agreements with third-party providers?
A. Termination conditions
B. Liability limits
C. Service levels
D. Privacy restrictions
-----

Questions 324. The BEST metric for evaluating the effectiveness of a firewall is the:
A. number of attacks blocked.
B. number of packets dropped.
C. average throughput rate.
D. number of firewall rules.
-----

Questions 325. Which of the following ensures that newly identified security weaknesses in an operating system are mitigated in a timely fashion?
A. Patch management
B. Change management
C. Security baselines
D. Acquisition management
-----

Questions 326. The MAIN advantage of implementing automated password synchronization is that it:
A. reduces overall administrative workload.
B. increases security between multi-tier systems.
C. allows passwords to be changed less frequently.
D. reduces the need for two-factor authentication.
-----

Questions 327. Which of the following tools is MOST appropriate to assess whether information security governance objectives are being met?
A. SWOT analysis
B. Waterfall chart
C. Gap analysis
D. Balanced scorecard
-----

Questions 328. Which of the following is MOST effective in preventing the introduction of a code modification that may reduce the security of a critical business application?
A. Patch management
B. Change management
C. Security metrics
D. Version control
-----

Questions 329. An operating system (OS) noncritical patch to enhance system security cannot be applied because a critical application is not compatible with the change. Which of the following is the BEST solution?
A. Rewrite the application to conform to the upgraded operating system
B. Compensate for not installing the patch with mitigating controls
C. Alter the patch to allow the application to run in a privileged state
D. Run the application on a test platform; tune production to allow patch and application
-----

Questions 330. Which of the following is MOST important to the success of an information security program?
A. Security awareness training
B. Achievable goals and objectives
C. Senior management sponsorship
D. Adequate start-up budget and staffing
-----

Questions 331. It is MOST important that information security architecture be aligned with which of the following?
A. Industry best practices
B. Information technology plans
C. Information security best practices
D. Business objectives and goals
-----

Questions 332. Which of the following is MOST important for a successful information security program?
A. Adequate training on emerging security technologies
B. Open communication with key process owners
C. Adequate policies, standards and procedures
D. Executive management commitment
-----

Questions 333. Which of the following is the MOST effective solution for preventing individuals external to the organization from modifying sensitive information on a corporate database?
A. Screened subnets
B. Information classification policies and procedures
C. Role-based access controls
D. Intrusion detection system (IDS)
-----

Questions 334. Which of the following technologies is utilized to ensure that an individual connecting to a corporate internal network over the Internet is not an intruder masquerading as an authorized user?
A. Intrusion detection system (IDS)
B. IP address packet filtering
C. Two-factor authentication
D. Embedded digital signature
-----

Questions 335. What is an appropriate frequency for updating operating system (OS) patches on production servers?
A. During scheduled rollouts of new applications
B. According to a fixed security patch management schedule
C. Concurrently with quarterly hardware maintenance
D. Whenever important security patches are released
-----

Questions 336. Which of the following devices should be placed within a DMZ?
A. Proxy server
B. Application server
C. Departmental server
D. Data warehouse server
-----

Questions 337. A border router should be placed on which of the following?
A. Web server
B. IDS server
C. Screened subnet
D. Domain boundary
-----

Questions 338. An e-commerce order fulfillment web server should generally be placed on which of the following?
A. Internal network
B. Demilitarized zone (DMZ)
C. Database server
D. Domain controller
-----

Questions 339. Which of the following is MOST likely to be discretionary?
A. Policies
B. Procedures
C. Guidelines
D. Standards
-----

Questions 340. Secure customer use of an e-commerce application can BEST be accomplished through:
A. data encryption.
B. digital signatures.
C. strong passwords.
D. two-factor authentication.
-----

Questions 341. What is the BEST defense against a Structured Query Language (SQL) injection attack?
A. Regularly updated signature files
B. A properly configured firewall
C. An intrusion detection system
D. Strict controls on input fields
-----

Questions 342. Which of the following is the MOST important consideration when implementing an intrusion detection system (IDS)?
A. Tuning
B. Patching
C. Encryption
D. Packet filtering
-----

Questions 343. Which of the following is the MOST important consideration when securing customer credit card data acquired by a point-of-sale (POS) cash register?
A. Authentication
B. Hardening
C. Encryption
D. Nonrepudiation
-----

Questions 344. Which of the following practices is BEST to remove system access for contractors and other temporary users when it is no longer required?
A. Log all account usage and send it to their manager
B. Establish predetermined automatic expiration dates
C. Require managers to e-mail security when the user leaves
D. Ensure each individual has signed a security acknowledgement
-----

Questions 345. Primary direction on the impact of compliance with new regulatory requirements that may lead to major application system changes should be obtained from the:
A. corporate internal auditor.
B. system developers/analysts.
C. key business process owners.
D. corporate legal counsel.
-----

Questions 346. Which of the following is the MOST important item to consider when evaluating products to monitor security across the enterprise?
A. Ease of installation
B. Product documentation
C. Available support
D. System overhead
-----

Questions 347. Which of the following is the MOST important guideline when using software to scan for security exposures within a corporate network?
A. Never use open source tools
B. Focus only on production servers
C. Follow a linear process for attacks
D. Do not interrupt production processes
-----

Questions 348. Which of the following BEST ensures that modifications made to in-house developed business applications do not introduce new security exposures?
A. Stress testing
B. Patch management
C. Change management
D. Security baselines
-----

Questions 349. Security technologies should be selected PRIMARILY on the basis of their:
A. ability to mitigate business risks.
B. evaluations in trade publications.
C. use of new and emerging technologies.
D. benefits in comparison to their costs.
-----

Questions 350. The advantage of Virtual Private Network (VPN) tunneling for remote users is that it:
A. helps ensure that communications are secure.
B. increases security between multi-tier systems.
C. allows passwords to be changed less frequently.
D. eliminates the need for secondary authentication.
-----

Questions 351. Which of the following is MOST effective for securing wireless networks as a point of entry into a corporate network?
A. Boundary router
B. Strong encryption
C. Internet-facing firewall
D. Intrusion detection system (IDS)
-----

Questions 352. Which of the following is MOST effective in protecting against the attack technique known as phishing?
A. Firewall blocking rules
B. Up-to-date signature files
C. Security awareness training
D. Intrusion detection monitoring
-----

Questions 353. When a newly installed system for synchronizing passwords across multiple systems and platforms abnormally terminates without warning, which of the following should automatically occur FIRST?
A. The firewall should block all inbound traffic during the outage
B. All systems should block new logins until the problem is corrected
C. Access control should fall back to no synchronized mode
D. System logs should record all user activity for later analysis
-----

Questions 354. Which of the following is the MOST important risk associated with middleware in a client-server environment?
A. Server patching may be prevented
B. System backups may be incomplete
C. System integrity may be affected
D. End-user sessions may be hijacked
-----

Questions 355. An outsource service provider must handle sensitive customer information. Which of the following is MOST important for an information security manager to know?
A. Security in storage and transmission of sensitive data
B. Provider's level of compliance with industry standards
C. Security technologies in place at the facility
D. Results of the latest independent security review
-----

Questions 356. Which of the following security mechanisms is MOST effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network?
A. Configuration of firewalls
B. Strength of encryption algorithms
C. Authentication within application
D. Safeguards over keys
-----

Questions 357. In the process of deploying a new e-mail system, an information security manager would like to ensure the confidentiality of messages while in transit. Which of the following is the MOST appropriate method to ensure data confidentiality in a new e-mail system implementation?
A. Encryption
B. Digital certificate
C. Digital signature
D. Hashing algorithm
-----

Questions 358. The MOST important reason that statistical anomaly-based intrusion detection systems (stat IDSs) are less commonly used than signature-based IDSs is that stat IDSs:
A. create more overhead than signature-based IDSs.
B. cause false positives from minor changes to system variables.
C. generate false alarms from varying user or system actions.
D. cannot detect new types of attacks.
-----

Questions 359. Which of the following are seldom changed in response to technological changes?
A. Standards
B. Procedures
C. Policies
D. Guidelines
-----

Questions 360. An information security manager uses security metrics to measure the:
A. performance of the information security program.
B. performance of the security baseline.
C. effectiveness of the security risk analysis.
D. effectiveness of the incident response team.
-----

Questions 361. The MOST important success factor to design an effective IT security awareness program is to:
A. customize the content to the target audience.
B. ensure senior management is represented.
C. ensure that all the staff is trained.
D. avoid technical content but give concrete examples.
-----

Questions 362. Which of the following practices completely prevents a man-in-the-middle (MitM) attack between two hosts?
A. Use security tokens for authentication
B. Connect through an IPSec VPN
C. Use https with a server-side certificate
D. Enforce static media access control (MAC) addresses
-----

Questions 363. Which of the following features is normally missing when using Secure Sockets Layer (SSL) in a web browser?
A. Certificate-based authentication of web client
B. Certificate-based authentication of web server
C. Data confidentiality between client and web server
D. Multiple encryption algorithms
-----

Questions 364. The BEST protocol to ensure confidentiality of transmissions in a business-to-customer (B2C) financial web application is:
A. Secure Sockets Layer (SSL).
B. Secure Shell (SSH).
C. IP Security (IPSec).
D. Secure/Multipurpose Internet Mail Extensions (S/MIME).
-----

Questions 365. A message that has been encrypted by the sender's private key and again by the receiver's public key achieves:
A. authentication and authorization.
B. confidentiality and integrity.
C. confidentiality and nonrepudiation.
D. authentication and nonrepudiation.
-----

Questions 366. The MOST important factor in planning for the long-term retention of electronically stored business records is to take into account potential changes in:
A. storage capacity and shelf life.
B. regulatory and legal requirements.
C. business strategy and direction.
D. application systems and media.
-----

Questions 367. When a user employs a client-side digital certificate to authenticate to a web server through Secure Sockets Layer (SSL), confidentiality is MOST vulnerable to which of the following?
A. IP spoofing
B. Man-in-the-middle attack
C. Repudiation
D. Trojan
-----

Questions 368. Which of the following is the MOST relevant metric to include in an information security quarterly report to the executive committee?
A. Security compliant servers trend report
B. Percentage of security compliant servers
C. Number of security patches applied
D. Security patches applied trend report
-----

Questions 369. It is important to develop an information security baseline because it helps to define:
A. critical information resources needing protection.
B. a security policy for the entire organization.
C. the minimum acceptable security to be implemented.
D. required physical and logical access controls.
-----

Questions 370. Which of the following BEST provides message integrity, sender identity authentication and nonrepudiation?
A. Symmetric cryptography
B. Public key infrastructure (PKI)
C. Message hashing
D. Message authentication code
-----

Questions 371. Which of the following controls is MOST effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices?
A. Regular review of access control lists
B. Security guard escort of visitors
C. Visitor registry log at the door
D. A biometric coupled with a PIN
-----

Questions 372. To BEST improve the alignment of the information security objectives in an organization, the chief information security officer (CISO) should:
A. revise the information security program.
B. evaluate a balanced business scorecard.
C. conduct regular user awareness sessions.
D. perform penetration tests.
-----

Questions 373. What is the MOST important item to be included in an information security policy?
A. The definition of roles and responsibilities
B. The scope of the security program
C. The key objectives of the security program
D. Reference to procedures and standards of the security program
-----

Questions 374. In an organization, information systems security is the responsibility of:
A. all personnel.
B. information systems personnel.
C. information systems security personnel.
D. functional personnel.
-----

Questions 375. An organization without any formal information security program that has decided to implement information security best practices should FIRST:
A. invite an external consultant to create the security strategy.
B. allocate budget based on best practices.
C. benchmark similar organizations.
D. define high-level business security requirements.
-----

Questions 376. When considering the value of assets, which of the following would give the information security manager the MOST objective basis for measurement of value delivery in information security governance?
A. Number of controls
B. Cost of achieving control objectives
C. Effectiveness of controls
D. Test results of controls
-----

Questions 377. Which of the following is characteristic of decentralized information security management across a geographically dispersed organization?
A. More uniformity in quality of service
B. Better adherence to policies
C. Better alignment to business unit needs
D. More savings in total operating costs
-----

Questions 378. Which of the following would be the BEST metric for the IT risk management process?
A. Number of risk management action plans
B. Percentage of critical assets with budgeted remedial
C. Percentage of unresolved risk exposures
D. Number of security incidents identified
-----

Questions 379. Which of the following is a key area of the ISO 27001 framework?
A. Operational risk assessment
B. Financial crime metrics
C. Capacity management
D. Business continuity management
Answer: D
Explanation:
-----

Questions 380. The MAIN goal of an information security strategic plan is to:
A. develop a risk assessment plan.
B. develop a data protection plan.
C. protect information assets and resources.
D. establish security governance.
-----

Questions 381. Which of the following, using public key cryptography, ensures authentication, confidentiality and nonrepudiation of a message?
A. Encrypting first by receiver's private key and second by sender's public key
B. Encrypting first by sender's private key and second by receiver's public key
C. Encrypting first by sender's private key and second decrypting by sender's public key
D. Encrypting first by sender's public key and second by receiver's private key
-----

Questions 382. The main mail server of a financial institution has been compromised at the superuser level; the only way to ensure the system is secure would be to:
A. change the root password of the system.
B. implement multifactor authentication.
C. rebuild the system from the original installation medium.
D. disconnect the mail server from the network.
-----

Questions 383. The IT function has declared that, when putting a new application into production, it is not necessary to update the business impact analysis (BIA) because it does not produce modifications in the business processes. The information security manager should:
A. verify the decision with the business units.
B. check the system's risk analysis.
C. recommend update after post implementation review.
D. request an audit review.
-----

Questions 384. A risk assessment study carried out by an organization noted that there is no segmentation of the local area network (LAN). Network segmentation would reduce the potential impact of which of the following?
A. Denial of service (DoS) attacks
B. Traffic sniffing
C. Virus infections
D. IP address spoofing
-----

Questions 385. The PRIMARY objective of an Internet usage policy is to prevent:
A. access to inappropriate sites.
B. downloading malicious code.
C. violation of copyright laws.
D. disruption of Internet access.
Answer: D
Explanation:
-----

Questions 386. An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID on the URL used for accessing the account.
The vulnerability identified is:
A. broken authentication.
B. unvalidated input.
C. cross-site scripting.
D. structured query language (SQL) injection.
-----

Questions 387. Which of the following is the MOST appropriate position to sponsor the design and implementation of a new security infrastructure in a large global enterprise?
A. Chief security officer (CSO)
B. Chief operating officer (COO)
C. Chief privacy officer (CPO)
D. Chief legal counsel (CLC)
-----

Questions 388. A test plan to validate the security controls of a new system should be developed during which phase of the project?
A. Testing
B. Initiation
C. Design
D. Development
-----

Questions 389. The MOST effective way to ensure that outsourced service providers comply with the organization's information security policy would be:
A. service level monitoring.
B. penetration testing.
C. periodically auditing.
D. security awareness training.
-----

Questions 390. In order to protect a network against unauthorized external connections to corporate systems, the information security manager should BEST implement:
A. strong authentication.
B. IP antispoofing filtering.
C. network encryption protocol.
D. access lists of trusted devices.
-----

Questions 391. The PRIMARY driver to obtain external resources to execute the information security program is that external resources can:
A. contribute cost-effective expertise not available internally.
B. be made responsible for meeting the security program requirements.
C. replace the dependence on internal resources.
D. deliver more effectively on account of their knowledge.
-----

Questions 392. Priority should be given to which of the following to ensure effective implementation of information security governance?
A. Consultation
B. Negotiation
C. Facilitation
D. Planning
-----

Questions 393. The MAIN reason for deploying a public key infrastructure (PKI) when implementing an information security program is to:
A. ensure the confidentiality of sensitive material.
B. provide a high assurance of identity.
C. allow deployment of the active directory.
D. implement secure sockets layer (SSL) encryption.
-----

Questions 394. Which of the following controls would BEST prevent accidental system shutdown from the console or operations area?
A. Redundant power supplies
B. Protective switch covers
C. Shutdown alarms
D. Biometric readers
-----

Questions 395. Which of the following is the MOST important reason why information security objectives should be defined?
A. Tool for measuring effectiveness
B. General understanding of goals
C. Consistency with applicable standards
D. Management sign-off and support initiatives
-----

Questions 396. What is the BEST policy for securing data on mobile universal serial bus (USB) drives?
A. Authentication
B. Encryption
C. Prohibit employees from copying data to USB devices
D. Limit the use of USB devices
-----

Questions 397. When speaking to an organization's human resources department about information security, an information security manager should focus on the need for:
A. an adequate budget for the security program.
B. recruitment of technical IT employees.
C. periodic risk assessments.
D. security awareness training for employees.
-----

Questions 398. Which of the following would BEST protect an organization's confidential data stored on a laptop computer from unauthorized access?
A. Strong authentication by password
B. Encrypted hard drives
C. Multifactor authentication procedures
D. Network-based data backup
-----

Questions 399. What is the MOST important reason for conducting security awareness programs throughout an organization?
A. Reducing the human risk
B. Maintaining evidence of training records to ensure compliance
C. Informing business units about the security strategy
D. Training personnel in security incident response
-----

Questions 400. Which of the following would be the MOST important goal of an information security governance program?
A. Review of internal control mechanisms
B. Effective involvement in business decision making
C. Total elimination of risk factors
D. Ensuring trust in data
-----

Questions 401. At what stage of the applications development process would encryption key management initially be addressed?
A. Requirements development
B. Deployment
C. Systems testing
D. Code reviews
-----

Questions 402. The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization's security requirements is:
A. messages displayed at every logon.
B. periodic security-related e-mail messages.
C. an Intranet web site for information security.
D. circulating the information security policy.
-----

Questions 403. Which of the following would be the BEST defense against sniffing?
A. Password protect the files
B. Implement a dynamic IP address scheme
C. Encrypt the data being transmitted
D. Set static mandatory access control (MAC) addresses
-----

Questions 404. A digital signature using a public key infrastructure (PKI) will:
A. not ensure the integrity of a message.
B. rely on the extent to which the certificate authority (CA) is trusted.
C. require two parties to the message exchange.
D. provide a high level of confidentiality.
-----

Questions 405. When configuring a biometric access control system that protects a high-security data center, the system's sensitivity level should be set:
A. to a higher false reject rate (FRR).
B. to a lower crossover error rate.
C. to a higher false acceptance rate (FAR).
D. exactly to the crossover error rate.
-----

Questions 406. Which of the following is the BEST method to securely transfer a message?
A. Password-protected removable media
B. Facsimile transmission in a secured room
C. Using public key infrastructure (PKI) encryption
D. Steganography
-----

Questions 407. Which of the following would be the FIRST step in establishing an information security program?
A. Develop the security policy.
B. Develop security operating procedures.
C. Develop the security plan.
D. Conduct a security controls study.
-----

Questions 408. An organization has adopted a practice of regular staff rotation to minimize the risk of fraud and encourage cross-training. Which type of authorization policy would BEST address this practice?
A. Multilevel
B. Role-based
C. Discretionary
D. Attribute-based
-----

Questions 409. Which of the following is the MOST important reason for an information security review of contracts? To help ensure that:
A. the parties to the agreement can perform.
B. confidential data are not included in the agreement.
C. appropriate controls are included.
D. the right to audit is a requirement.
-----

Questions 410. For virtual private network (VPN) access to the corporate network, the information security manager is requiring strong authentication. Which of the following is the strongest method to ensure that logging onto the network is secure?
A. Biometrics
B. Symmetric encryption keys
C. Secure Sockets Layer (SSL)-based authentication
D. Two-factor authentication
-----

Questions 411. Relationships among security technologies are BEST defined through which of the following?
A. Security metrics
B. Network topology
C. Security architecture
D. Process improvement models
-----

Questions 412. Which of the following guarantees that data in a file have not changed?
A. Inspecting the modified date of the file
B. Encrypting the file with symmetric encryption
C. Using stringent access control to prevent unauthorized access
D. Creating a hash of the file, then comparing the file hashes
-----

Questions 413. Which of the following mechanisms is the MOST secure way to implement a secure wireless network?
A. Filter media access control (MAC) addresses
B. Use a Wi-Fi Protected Access (WPA2) protocol
C. Use a Wired Equivalent Privacy (WEP) key
D. Web-based authentication
-----

Questions 414. Which of the following devices could potentially stop a Structured Query Language (SQL) injection attack?
A. An intrusion prevention system (IPS)
B. An intrusion detection system (IDS)
C. A host-based intrusion detection system (HIDS)
D. A host-based firewall
-----

Questions 415. Nonrepudiation can BEST be ensured by using:
A. strong passwords.
B. a digital hash.
C. symmetric encryption.
D. digital signatures.
-----

Questions 416. The BEST way to ensure that security settings on each platform are in compliance with information security policies and procedures is to:
A. perform penetration testing.
B. establish security baselines.
C. implement vendor default settings.
D. link policies to an independent standard.
-----

Questions 417. A web-based business application is being migrated from test to production. Which of the following is the MOST important management signoff for this migration?
A. User
B. Network
C. Operations
D. Database
-----

Questions 418. The BEST way to ensure that information security policies are followed is to:
A. distribute printed copies to all employees.
B. perform periodic reviews for compliance.
C. include escalating penalties for noncompliance.
D. establish an anonymous hotline to report policy abuses.
-----

Questions 419. The MOST appropriate individual to determine the level of information security needed for a specific business application is the:
A. system developer.
B. information security manager.
C. steering committee.
D. system data owner.
-----

Questions 420. A business unit intends to deploy a new technology in a manner that places it in violation of existing information security standards. What immediate action should an information security manager take?
A. Enforce the existing security standard
B. Change the standard to permit the deployment
C. Perform a risk analysis to quantify the risk
D. Perform research to propose use of a better technology
-----

Questions 421. Which of the following will MOST likely reduce the chances of an unauthorized individual gaining access to computing resources by pretending to be an authorized individual needing to have his or her password reset?
A. Performing reviews of password resets
B. Conducting security awareness programs
C. Increasing the frequency of password changes
D. Implementing automatic password syntax checking
-----

Questions 422. Which of the following is the MOST likely to change an organization's culture to one that is more security conscious?
A. Adequate security policies and procedures
B. Periodic compliance reviews
C. Security steering committees
D. Security awareness campaigns
-----

Questions 423. The BEST way to ensure that an external service provider complies with organizational security policies is to:
A. explicitly include the service provider in the security policies.
B. receive acknowledgment in writing stating the provider has read all policies.
C. cross-reference to policies in the service level agreement.
D. perform periodic reviews of the service provider.
-----

Questions 424. When an emergency security patch is received via electronic mail, the patch should FIRST be:
A. loaded onto an isolated test machine.
B. decompiled to check for malicious code.
C. validated to ensure its authenticity.
D. copied onto write-once media to prevent tampering.
-----

Questions 425. In a well-controlled environment, which of the following activities is MOST likely to lead to the introduction of weaknesses in security software?
A. Applying patches
B. Changing access rules
C. Upgrading hardware
D. Backing up files
-----

Questions 426. Which of the following is the BEST indicator that security awareness training has been effective?
A. Employees sign to acknowledge the security policy
B. More incidents are being reported
C. A majority of employees have completed training
D. No incidents have been reported in three months
-----

Questions 427. Which of the following metrics would be the MOST useful in measuring how well information security is monitoring violation logs?
A. Penetration attempts investigated
B. Violation log reports produced
C. Violation log entries
D. Frequency of corrective actions taken
-----

Questions 428. Which of the following change management activities would be a clear indicator that normal operational procedures require examination? A high percentage of:
A. similar change requests.
B. change request postponements.
C. canceled change requests.
D. emergency change requests.
-----

Questions 429. Which of the following is the MOST important management signoff for migrating an order processing system from a test environment to a production environment?
A. User
B. Security
C. Operations
D. Database
-----

Questions 430. Prior to having a third party perform an attack and penetration test against an organization, the MOST important action is to ensure that:
A. the third party provides a demonstration on a test system.
B. goals and objectives are clearly defined.
C. the technical staff has been briefed on what to expect.
D. special backups of production servers are taken.
-----

Questions 431. When a departmental system continues to be out of compliance with an information security policy's password strength requirements, the BEST action to undertake is to:
A. submit the issue to the steering committee.
B. conduct an impact analysis to quantify the risks.
C. isolate the system from the rest of the network.
D. request a risk acceptance from senior management.
-----

Questions 432. Which of the following is MOST important to the successful promotion of good security management practices?
A. Security metrics
B. Security baselines
C. Management support
D. Periodic training
-----

Questions 433. Which of the following environments represents the GREATEST risk to organizational security?
A. Locally managed file server
B. Enterprise data warehouse
C. Load-balanced, web server cluster
D. Centrally managed data switch
-----

Questions 434. Nonrepudiation can BEST be assured by using:
A. delivery path tracing.
B. reverse lookup translation.
C. out-of-band channels.
D. digital signatures.
-----

Questions 435. Acceptable levels of information security risk should be determined by:
A. legal counsel.
B. security management.
C. external auditors.
D. the steering committee.
-----

Questions 436. Of the following, the BEST method for ensuring that temporary employees do not receive excessive access rights is:
A. mandatory access controls.
B. discretionary access controls.
C. lattice-based access controls.
D. role-based access controls.
-----

Questions 437. Which of the following areas is MOST susceptible to the introduction of security weaknesses?
A. Database management
B. Tape backup management
C. Configuration management
D. Incident response management
-----

Questions 438. Security policies should be aligned MOST closely with:
A. industry best practices.
B. organizational needs.
C. generally accepted standards.
D. local laws and regulations.
-----

Questions 439. The BEST way to determine if an anomaly-based intrusion detection system (IDS) is properly installed is to:
A. simulate an attack and review IDS performance.
B. use a honeypot to check for unusual activity.
C. audit the configuration of the IDS.
D. benchmark the IDS against a peer site.
-----

Questions 440. The BEST time to perform a penetration test is after:
A. an attempted penetration has occurred.
B. an audit has reported weaknesses in security controls.
C. various infrastructure changes are made.
D. a high turnover in systems staff.
-----

Questions 441. Successful social engineering attacks can BEST be prevented through:
A. preemployment screening.
B. close monitoring of users' access patterns.
C. periodic awareness training.
D. efficient termination procedures.
-----

Questions 442. What is the BEST way to ensure that an intruder who successfully penetrates a network will be detected before significant damage is inflicted?
A. Perform periodic penetration testing
B. Establish minimum security baselines
C. Implement vendor default settings
D. Install a honeypot on the network
-----

Questions 443. Which of the following presents the GREATEST threat to the security of an enterprise resource planning (ERP) system?
A. User ad hoc reporting is not logged
B. Network traffic is through a single switch
C. Operating system (OS) security patches have not been applied
D. Database security defaults to ERP settings
-----

Questions 444. The PRIMARY goal in developing an information security strategy is to:
A. establish security metrics and performance monitoring.
B. educate business process owners regarding their duties.
C. ensure that legal and regulatory requirements are met.
D. support the business objectives of the organization.
-----

Questions 445. In a social engineering scenario, which of the following will MOST likely reduce the likelihood of an unauthorized individual gaining access to computing resources?
A. Implementing on-screen masking of passwords
B. Conducting periodic security awareness programs
C. Increasing the frequency of password changes
D. Requiring that passwords be kept strictly confidential
-----

Questions 446. Which of the following will BEST ensure that management takes ownership of the decision making process for information security?
A. Security policies and procedures
B. Annual self-assessment by management
C. Security steering committees
D. Security awareness campaigns
-----

Questions 447. Which of the following is the MOST appropriate individual to implement and maintain the level of information security needed for a specific business application?
A. System analyst
B. Quality control manager
C. Process owner
D. Information security manager
-----

Questions 448. What is the BEST way to ensure that contract programmers comply with organizational security policies?
A. Explicitly refer to contractors in the security standards
B. Have the contractors acknowledge in writing the security policies
C. Create penalties for noncompliance in the contracting agreement
D. Perform periodic security reviews of the contractors
-----

Questions 449. Which of the following activities is MOST likely to increase the difficulty of totally eradicating malicious code that is not immediately detected?
A. Applying patches
B. Changing access rules
C. Upgrading hardware
D. Backing up files
-----

Questions 450. Security awareness training should be provided to new employees:
A. on an as-needed basis.
B. during system user training.
C. before they have access to data.
D. along with department staff.
-----

Questions 451. What is the BEST method to verify that all security patches applied to servers were properly documented?
A. Trace change control requests to operating system (OS) patch logs
B. Trace OS patch logs to OS vendor's update documentation
C. Trace OS patch logs to change control requests
D. Review change control documentation for key servers
-----

Questions 452. A security awareness program should:
A. present top management's perspective.
B. address details on specific exploits.
C. address specific groups and roles.
D. promote security department procedures.
-----

Questions 453. Senior management commitment and support for information security can BEST be enhanced through:
A. a formal security policy sponsored by the chief executive officer (CEO).
B. regular security awareness training for employees.
C. periodic review of alignment with business management goals.
D. senior management signoff on the information security strategy.
-----

Questions 454. The PRIMARY objective of security awareness is to:
A. ensure that security policies are understood.
B. influence employee behavior.
C. ensure legal and regulatory compliance.
D. notify of actions for noncompliance.
-----

Questions 455. Which of the following will BEST protect against malicious activity by a former employee?
A. Preemployment screening
B. Close monitoring of users
C. Periodic awareness training
D. Effective termination procedures
-----

Questions 456. Which of the following represents a PRIMARY area of interest when conducting a penetration test?
A. Data mining
B. Network mapping
C. Intrusion Detection System (IDS)
D. Customer data
-----

Questions 457. The return on investment of information security can BEST be evaluated through which of the following?
A. Support of business objectives
B. Security metrics
C. Security deliverables
D. Process improvement models
-----

Questions 458. To help ensure that contract personnel do not obtain unauthorized access to sensitive information, an information security manager should PRIMARILY:
A. set their accounts to expire in six months or less.
B. avoid granting system administration roles.
C. ensure they successfully pass background checks.
D. ensure their access is approved by the data owner.
-----

Questions 459. Information security policies should:
A. address corporate network vulnerabilities.
B. address the process for communicating a violation.
C. be straightforward and easy to understand.
D. be customized to specific groups and roles.
-----

Questions 460. Which of the following is the BEST way to ensure that a corporate network is adequately secured against external attack?
A. Utilize an intrusion detection system.
B. Establish minimum security baselines.
C. Implement vendor recommended settings.
D. Perform periodic penetration testing.
-----

Questions 461. Which of the following presents the GREATEST exposure to internal attack on a network?
A. User passwords are not automatically expired
B. All network traffic goes through a single switch
C. User passwords are encoded but not encrypted
D. All users reside on a single internal subnet
-----

Questions 462. Which of the following provides the linkage to ensure that procedures are correctly aligned with information security policy requirements?
A. Standards
B. Guidelines
C. Security metrics
D. IT governance
-----

Questions 463. Which of the following are the MOST important individuals to include as members of an information security steering committee?
A. Direct reports to the chief information officer
B. IT management and key business process owners
C. Cross-section of end users and IT professionals
D. Internal audit and corporate legal departments
-----

Questions 464. Security audit reviews should PRIMARILY:
A. ensure that controls operate as required.
B. ensure that controls are cost-effective.
C. focus on preventive controls.
D. ensure controls are technologically current.
-----

Questions 465. Which of the following is the MOST appropriate method to protect a password that opens a confidential file?
A. Delivery path tracing
B. Reverse lookup translation
C. Out-of-band channels
D. Digital signatures
-----

Questions 466. What is the MOST effective access control method to prevent users from sharing files with unauthorized users?
A. Mandatory
B. Discretionary
C. Walled garden
D. Role-based
-----

Questions 467. When identifying legal and regulatory issues affecting information security, which of the following would represent the BEST approach to developing information security policies?
A. Create separate policies to address each regulation
B. Develop policies that meet all mandated requirements
C. Incorporate policy statements provided by regulators
D. Develop a compliance risk assessment
-----

Questions 468. Which of the following is an inherent weakness of signature-based intrusion detection systems?
A. A higher number of false positives
B. New attack methods will be missed
C. Long duration probing will be missed
D. Attack profiles can be easily spoofed
-----

Questions 469. Data owners are normally responsible for which of the following?
A. Applying emergency changes to application data
B. Administering security over database records
C. Migrating application code changes to production
D. Determining the level of application security required
-----

Questions 470. Which of the following is the MOST appropriate individual to ensure that new exposures have not been introduced into an existing application during the change management process?
A. System analyst
B. System user
C. Operations manager
D. Data security officer
-----

Questions 471. What is the BEST way to ensure users comply with organizational security requirements for password complexity?
A. Include password construction requirements in the security standards
B. Require each user to acknowledge the password requirements
C. Implement strict penalties for user noncompliance
D. Enable system-enforced password configuration
-----

Questions 472. Which of the following is the MOST appropriate method for deploying operating system (OS) patches to production application servers?
A. Batch patches into frequent server updates
B. Initially load the patches on a test machine
C. Set up servers to automatically download patches
D. Automatically push all patches to the servers
-----

Questions 473. Which of the following would present the GREATEST risk to information security?
A. Virus signature files updates are applied to all servers every day
B. Security access logs are reviewed within five business days
C. Critical patches are applied within 24 hours of their release
D. Security incidents are investigated within five business days
-----

Questions 474. The PRIMARY reason for using metrics to evaluate information security is to:
A. identify security weaknesses.
B. justify budgetary expenditures.
C. enable steady improvement.
D. raise awareness on security issues.
-----

Questions 475. What is the BEST method to confirm that all firewall rules and router configuration settings are adequate?
A. Periodic review of network configuration
B. Review intrusion detection system (IDS) logs for evidence of attacks
C. Periodically perform penetration tests
D. Daily review of server logs for evidence of hacker activity
-----

Questions 476. Which of the following is MOST important for measuring the effectiveness of a security awareness program?
A. Reduced number of security violation reports
B. A quantitative evaluation to ensure user comprehension
C. Increased interest in focus groups on security issues
D. Increased number of security violation reports
-----

Questions 477. Which of the following is the MOST important action to take when engaging third-party consultants to conduct an attack and penetration test?
A. Request a list of the software to be used
B. Provide clear directions to IT staff
C. Monitor intrusion detection system (IDS) and firewall logs closely
D. Establish clear rules of engagement
-----

Questions 478. Which of the following will BEST prevent an employee from using a USB drive to copy files from desktop computers?
A. Restrict the available drive allocation on all PCs
B. Disable universal serial bus (USB) ports on all desktop devices
C. Conduct frequent awareness training with noncompliance penalties
D. Establish strict access controls to sensitive information
-----

Questions 479. Which of the following MOST commonly falls within the scope of an information security governance steering committee?
A. Interviewing candidates for information security specialist positions
B. Developing content for security awareness programs
C. Prioritizing information security initiatives
D. Approving access to critical financial systems
-----

Questions 480. Which of the following is the MOST important area of focus when examining potential security compromise of a new wireless network?
A. Signal strength
B. Number of administrators
C. Bandwidth
D. Encryption strength
-----

Questions 481. Good information security standards should:
A. define precise and unambiguous allowable limits.
B. describe the process for communicating violations.
C. address high-level objectives of the organization.
D. be updated frequently as new software is released.
-----

Questions 482. Good information security procedures should:
A. define the allowable limits of behavior.
B. underline the importance of security governance.
C. describe security baselines for each platform.
D. be updated frequently as new software is released.
-----

Questions 483. What is the MAIN drawback of e-mailing password-protected zip files across the Internet? They:
A. all use weak encryption.
B. are decrypted by the firewall.
C. may be quarantined by mail filters.
D. may be corrupted by the receiving mail server.
-----

Questions 484. A major trading partner with access to the internal network is unwilling or unable to remediate serious information security exposures within its environment. Which of the following is the BEST recommendation?
A. Sign a legal agreement assigning them all liability for any breach
B. Remove all trading partner access until the situation improves
C. Set up firewall rules restricting network traffic from that location
D. Send periodic reminders advising them of their noncompliance
-----

Questions 485. Documented standards/procedures for the use of cryptography across the enterprise should PRIMARILY:
A. define the circumstances where cryptography should be used.
B. define cryptographic algorithms and key lengths.
C. describe handling procedures of cryptographic keys.
D. establish the use of cryptographic solutions.
-----

Questions 486. Which of the following is the MOST immediate consequence of failing to tune a newly installed intrusion detection system (IDS) with the threshold set to a low value?
A. The number of false positives increases
B. The number of false negatives increases
C. Active probing is missed
D. Attack profiles are ignored
-----

Questions 487. What is the MOST appropriate change management procedure for the handling of emergency program changes?
A. Formal documentation does not need to be completed before the change
B. Business management approval must be obtained prior to the change
C. Documentation is completed with approval soon after the change
D. All changes must follow the same process
-----

Questions 488. Who is ultimately responsible for ensuring that information is categorized and that protective measures are taken?
A. Information security officer
B. Security steering committee
C. Data owner
D. Data custodian
-----

Questions 489. The PRIMARY focus of the change control process is to ensure that changes are:
A. authorized.
B. applied.
C. documented.
D. tested.
-----

Questions 490. An information security manager has been asked to develop a change control process. What is the FIRST thing the information security manager should do?
A. Research best practices
B. Meet with stakeholders
C. Establish change control procedures
D. Identify critical systems
-----

Questions 491. Which of the following is the MOST important factor when designing information security architecture?
A. Technical platform interfaces
B. Scalability of the network
C. Development methodologies
D. Stakeholder requirements
-----

Questions 492. A critical device is delivered with a single user and password that is required to be shared for multiple users to access the device. An information security manager has been tasked with ensuring all access to the device is authorized. Which of the following would be the MOST efficient means to accomplish this?
A. Enable access through a separate device that requires adequate authentication
B. Implement manual procedures that require password change after each use
C. Request the vendor to add multiple user IDs
D. Analyze the logs to detect unauthorized access
-----

Questions 493. Which of the following documents would be the BEST reference to determine whether access control mechanisms are appropriate for a critical application?
A. User security procedures
B. Business process flow
C. IT security policy
D. Regulatory requirements
-----

Questions 494. Which of the following is the MOST important process that an information security manager needs to negotiate with an outsource service provider?
A. The right to conduct independent security reviews
B. A legally binding data protection agreement
C. Encryption between the organization and the provider
D. A joint risk assessment of the system
-----

Questions 495. Which resource is the MOST effective in preventing physical access tailgating/piggybacking?
A. Card key door locks
B. Photo identification
C. Awareness training
D. Biometric scanners
-----

Questions 496. In business critical applications, where shared access to elevated privileges by a small group is necessary, the BEST approach to implement adequate segregation of duties is to:
A. ensure access to individual functions can be granted to individual users only.
B. implement role-based access control in the application.
C. enforce manual procedures ensuring separation of conflicting duties.
D. create service accounts that can only be used by authorized team members.
-----

Questions 497. In business-critical applications, user access should be approved by the:
A. information security manager.
B. data owner.
C. data custodian.
D. business management.
-----

Questions 498. In organizations where availability is a primary concern, the MOST critical success factor of the patch management procedure would be the:
A. testing time window prior to deployment.
B. technical skills of the team responsible.
C. certification of validity for deployment.
D. automated deployment to all the servers.
-----

Questions 499. Which of the following characteristics is MOST important when looking at prospective candidates for the role of chief information security officer (CISO)?
A. Knowledge of information technology platforms, networks and development methodologies
B. Ability to understand and map organizational needs to security technologies
C. Knowledge of the regulatory environment and project management techniques
D. Ability to manage a diverse group of individuals and resources across an organization
-----

Questions 500. To ensure that all information security procedures are functional and accurate, they should be designed with the involvement of:
A. end users.
B. legal counsel.
C. operational units.
D. audit management.
-----

Questions 501. An information security manager reviewed the access control lists and observed that privileged access was granted to an entire department. Which of the following should the information security manager do FIRST?
A. Review the procedures for granting access
B. Establish procedures for granting emergency access
C. Meet with data owners to understand business needs
D. Redefine and implement proper access rights
-----

Questions 502. When security policies are strictly enforced, the initial impact is that:
A. they may have to be modified more frequently.
B. they will be less subject to challenge.
C. the total cost of security is increased.
D. the need for compliance reviews is decreased.
-----

Questions 503. A business partner of a factory has remote read-only access to material inventory to forecast future acquisition orders. An information security manager should PRIMARILY ensure that there is:
A. an effective control over connectivity and continuity.
B. a service level agreement (SLA) including code escrow.
C. a business impact analysis (BIA).
D. a third-party certification.
-----

Questions 504. Which of the following should be in place before a black box penetration test begins?
A. IT management approval
B. Proper communication and awareness training
C. A clearly stated definition of scope
D. An incident response plan
-----

Questions 505. What is the MOST important element to include when developing user security awareness material?
A. Information regarding social engineering
B. Detailed security policies
C. Senior management endorsement
D. Easy-to-read and compelling information
-----

Questions 506. What is the MOST important success factor in launching a corporate information security awareness program?
A. Adequate budgetary support
B. Centralized program management
C. Top-down approach
D. Experience of the awareness trainers
-----

Questions 507. Which of the following events generally has the highest information security impact?
A. Opening a new office
B. Merging with another organization
C. Relocating the data center
D. Rewiring the network
-----

Questions 508. The configuration management plan should PRIMARILY be based upon input from:
A. business process owners.
B. the information security manager.
C. the security steering committee.
D. IT senior management.
-----

Questions 509. Which of the following is the MOST effective, positive method to promote security awareness?
A. Competitions and rewards for compliance
B. Lock-out after three incorrect password attempts
C. Strict enforcement of password formats
D. Disciplinary action for noncompliance
-----

Questions 510. An information security program should focus on:
A. best practices also in place at peer companies.
B. solutions codified in international standards.
C. key controls identified in risk assessments.
D. continued process improvement.
-----

Questions 511. Who should determine the appropriate classification of accounting ledger data located on a database server and maintained by a database administrator in the IT department?
A. Database administrator (DBA)
B. Finance department management
C. Information security manager
D. IT department management
-----

Questions 512. Which of the following are likely to be updated MOST frequently?
A. Procedures for hardening database servers
B. Standards for password length and complexity
C. Policies addressing information security governance
D. Standards for document retention and destruction
-----

Questions 513. Which of the following would be the MOST significant security risk in a pharmaceutical institution?
A. Compromised customer information
B. Unavailability of online transactions
C. Theft of security tokens
D. Theft of a Research and Development laptop
-----

Questions 514. Which of the following is the BEST tool to maintain the currency and coverage of an information security program within an organization?
A. The program's governance oversight mechanisms
B. Information security periodicals and manuals
C. The program's security architecture and design
D. Training and certification of the information security team
-----

Questions 515. Which of the following would BEST assist an information security manager in measuring the existing level of development of security processes against their desired state?
A. Security audit reports
B. Balanced scorecard
C. Capability maturity model (CMM)
D. Systems and business security architecture
-----

Questions 516. Who is responsible for raising awareness of the need for adequate funding for risk action plans?
A. Chief information officer (CIO)
B. Chief financial officer (CFO)
C. Information security manager
D. Business unit management
-----

Questions 517. Managing the life cycle of a digital certificate is a role of a(n):
A. system administrator.
B. security administrator.
C. system developer.
D. independent trusted source.
-----

Questions 518. Which of the following would be MOST critical to the successful implementation of a biometric authentication system?
A. Budget allocation
B. Technical skills of staff
C. User acceptance
D. Password requirements
-----

Questions 519. Change management procedures to ensure that disaster recovery/business continuity plans are kept up-to-date can be BEST achieved through which of the following?
A. Reconciliation of the annual systems inventory to the disaster recovery/business continuity plans
B. Periodic audits of the disaster recovery/business continuity plans
C. Comprehensive walk-through testing
D. Inclusion as a required step in the system life cycle process
-----

Questions 520. When a new key business application goes into production, the PRIMARY reason to update relevant business impact analysis (BIA) and business continuity/disaster recovery plans is because:
A. this is a requirement of the security policy.
B. software licenses may expire in the future without warning.
C. the asset inventory must be maintained.
D. service level agreements may not otherwise be met.
-----

Questions 521. Who should be responsible for enforcing access rights to application data?
A. Data owners
B. Business process owners
C. The security steering committee
D. Security administrators
-----

Questions 522. To reduce the possibility of service interruptions, an entity enters into contracts with multiple Internet service providers (ISPs). Which of the following would be the MOST important item to include?
A. Service level agreements (SLAs)
B. Right to audit clause
C. Intrusion detection system (IDS) services
D. Spam filtering services
-----

Questions 523. To mitigate a situation where one of the programmers of an application requires access to production data, the information security manager could BEST recommend to:
A. create a separate account for the programmer as a power user.
B. log all of the programmers' activity for review by supervisor.
C. have the programmer sign a letter accepting full responsibility.
D. perform regular audits of the application.
-----

Questions 524. Before engaging outsourced providers, an information security manager should ensure that the organization's data classification requirements:
A. are compatible with the provider's own classification.
B. are communicated to the provider.
C. exceed those of the outsourcer.
D. are stated in the contract.
-----

Questions 525. What is the GREATEST risk when there is an excessive number of firewall rules?
A. One rule may override another rule in the chain and create a loophole
B. Performance degradation of the whole network
C. The firewall may not support the increasing number of rules due to limitations
D. The firewall may show abnormal behavior and may crash or automatically shut down
-----

Questions 526. Which of the following would be the MOST appropriate physical security solution for the main entrance to a data center?
A. Mantrap
B. Biometric lock
C. Closed-circuit television (CCTV)
D. Security guard
-----

Questions 527. What is the GREATEST advantage of documented guidelines and operating procedures from a security perspective?
A. Provide detailed instructions on how to carry out different types of tasks
B. Ensure consistency of activities to provide a more stable environment
C. Ensure compliance to security standards and regulatory requirements
D. Ensure reusability to meet compliance to quality requirements
-----

Questions 528. What is the BEST way to ensure data protection upon termination of employment?
A. Retrieve identification badge and card keys
B. Retrieve all personal computer equipment
C. Erase all of the employee's folders
D. Ensure all logical access is removed
-----

Questions 529. The MOST important reason for formally documenting security procedures is to ensure:
A. processes are repeatable and sustainable.
B. alignment with business objectives.
C. auditability by regulatory agencies.
D. objective criteria for the application of metrics.
-----

Questions 530. Which of the following is the BEST approach for an organization desiring to protect its intellectual property?
A. Conduct awareness sessions on intellectual property policy
B. Require all employees to sign a nondisclosure agreement
C. Promptly remove all access when an employee leaves the organization
D. Restrict access to a need-to-know basis
-----

Questions 531. The chief information security officer (CISO) should ideally have a direct reporting relationship to the:
A. head of internal audit.
B. chief operations officer (COO).
C. chief technology officer (CTO).
D. legal counsel.
-----

Questions 532. The "separation of duties" principle is violated if which of the following individuals has update rights to the database access control list (ACL)?
A. Data owner
B. Data custodian
C. Systems programmer
D. Security administrator
-----

Questions 533. An account with full administrative privileges over a production file is found to be accessible by a member of the software development team. This account was set up to allow the developer to download nonsensitive production data for software testing purposes. The information security manager should recommend which of the following?
A. Restrict account access to read only
B. Log all usage of this account
C. Suspend the account and activate only when needed
D. Require that a change request be submitted for each download
-----

Questions 534. Which would be the BEST recommendation to protect against phishing attacks?
A. Install an antispam system
B. Publish security guidance for customers
C. Provide security awareness to the organization's staff
D. Install an application-level firewall
-----

Questions 535. Which of the following is the BEST indicator that an effective security control is built into an organization?
A. The monthly service level statistics indicate a minimal impact from security issues.
B. The cost of implementing a security control is less than the value of the assets.
C. The percentage of systems that are compliant with security standards.
D. The audit reports do not reflect any significant findings on security.
-----

Questions 536. What is the BEST way to alleviate security team understaffing while retaining the capability in-house?
A. Hire a contractor that would not be included in the permanent headcount
B. Outsource with a security services provider while retaining the control internally
C. Establish a virtual security team from competent employees across the company
D. Provide cross training to minimize the existing resources gap
-----

Questions 537. An information security manager wishing to establish security baselines would:
A. include appropriate measurements in the system development life cycle.
B. implement the security baselines to establish information security best practices.
C. implement the security baselines to fulfill laws and applicable regulations in different jurisdictions.
D. leverage information security as a competitive advantage.
-----

Questions 538. Requiring all employees and contractors to meet personnel security/suitability requirements commensurate with their position sensitivity level and subject to personnel screening is an example of a security:
A. policy.
B. strategy.
C. guideline.
D. baseline.
-----

Questions 539. An organization's information security manager has been asked to hire a consultant to help assess the maturity level of the organization's information security management. The MOST important element of the request for proposal (RFP) is the:
A. references from other organizations.
B. past experience of the engagement team.
C. sample deliverable.
D. methodology used in the assessment.
-----

Questions 540. Several business units reported problems with their systems after multiple security patches were deployed. The FIRST step in handling this problem would be to:
A. assess the problems and institute rollback procedures, if needed.
B. disconnect the systems from the network until the problems are corrected.
C. immediately uninstall the patches from these systems.
D. immediately contact the vendor regarding the problems that occurred.
-----

Questions 541. When defining a service level agreement (SLA) regarding the level of data confidentiality that is handled by a third-party service provider, the BEST indicator of compliance would be the:
A. access control matrix.
B. encryption strength.
C. authentication mechanism.
D. data repository.
-----

Questions 542. Which of the following is the MOST essential task for a chief information security officer (CISO) to perform?
A. Update platform-level security settings
B. Conduct disaster recovery test exercises
C. Approve access to critical financial systems
D. Develop an information security strategy paper
-----

Questions 543. The PRIMARY reason for involving information security at each stage in the systems development life cycle (SDLC) is to identify the security implications and potential solutions required for:
A. identifying vulnerabilities in the system.
B. sustaining the organization's security posture.
C. the existing systems that will be affected.
D. complying with segregation of duties.
-----

Questions 544. The implementation of continuous monitoring controls is the BEST option where:
A. incidents may have a high impact and frequency.
B. legislation requires strong information security controls.
C. incidents may have a high impact but low frequency.
D. electronic commerce is a primary business driver.
-----

Questions 545. A third party was engaged to develop a business application. Which of the following would an information security manager BEST test for the existence of back doors?
A. System monitoring for traffic on network ports
B. Security code reviews for the entire application
C. Reverse engineering the application binaries
D. Running the application from a high-privileged account on a test system
-----

Questions 546. An information security manager reviewing firewall rules will be MOST concerned if the firewall allows:
A. source routing.
B. broadcast propagation.
C. unregistered ports.
D. nonstandard protocols.
-----

Questions 547. What is the MOST cost-effective means of improving security awareness of staff personnel?
A. Employee monetary incentives
B. User education and training
C. A zero-tolerance security policy
D. Reporting of security infractions
-----

Questions 548. Which of the following is the MOST effective at preventing an unauthorized individual from following an authorized person through a secured entrance (tailgating or piggybacking)?
A. Card-key door locks
B. Photo identification
C. Biometric scanners
D. Awareness training
-----

Questions 549. Data owners will determine what access and authorizations users will have by:
A. delegating authority to data custodian.
B. cloning existing user accounts.
C. determining hierarchical preferences.
D. mapping to business needs.
-----

Questions 550. Which of the following is the MOST likely outcome of a well-designed information security awareness course?
A. Increased reporting of security incidents to the incident response function
B. Decreased reporting of security incidents to the incident response function
C. Decrease in the number of password resets
D. Increase in the number of identified system vulnerabilities
-----

Questions 551. Developing a successful business case for the acquisition of information security software products can BEST be assisted by:
A. assessing the frequency of incidents.
B. quantifying the cost of control failures.
C. calculating return on investment (ROI) projections.
D. comparing spending against similar organizations.
-----

Questions 552. Which item would be the BEST to include in the information security awareness training program for new general staff employees?
A. Review of various security models
B. Discussion of how to construct strong passwords
C. Review of roles that have privileged access
D. Discussion of vulnerability assessment results
-----

Questions 553. A critical component of a continuous improvement program for information security is:
A. measuring processes and providing feedback.
B. developing a service level agreement (SLA) for security.
C. tying corporate security standards to a recognized international standard.
D. ensuring regulatory compliance.
-----

Questions 554. The management staff of an organization that does not have a dedicated security function decides to use its IT manager to perform a security review. The MAIN job requirement in this arrangement is that the IT manager:
A. report risks in other departments.
B. obtain support from other departments.
C. report significant security risks.
D. have knowledge of security standards.
-----

Questions 555. An organization has implemented an enterprise resource planning (ERP) system used by 500 employees from various departments. Which of the following access control approaches is MOST appropriate?
A. Rule-based
B. Mandatory
C. Discretionary
D. Role-based
-----

Questions 556. An organization plans to contract with an outside service provider to host its corporate web site. The MOST important concern for the information security manager is to ensure that:
A. an audit of the service provider uncovers no significant weakness.
B. the contract includes a nondisclosure agreement (NDA) to protect the organization's intellectual property.
C. the contract mandates that the service provider comply with security policies.
D. the third-party service provider conducts regular penetration testing.
-----

Questions 557. Which of the following is the MAIN objective in contracting with an external company to perform penetration testing?
A. To mitigate technical risks
B. To have an independent certification of network security
C. To receive an independent view of security exposures
D. To identify a complete list of vulnerabilities
-----

Questions 558. A new port needs to be opened in a perimeter firewall. Which of the following should be the FIRST step before initiating any changes?
A. Prepare an impact assessment report.
B. Conduct a penetration test.
C. Obtain approval from senior management.
D. Back up the firewall configuration and policy files.
-----

Questions 559. An organization plans to outsource its customer relationship management (CRM) to a third-party service provider. Which of the following should the organization do FIRST?
A. Request that the third-party provider perform background checks on their employees.
B. Perform an internal risk assessment to determine needed controls.
C. Audit the third-party provider to evaluate their security controls.
D. Perform a security assessment to detect security vulnerabilities.
-----

Questions 560. Which of the following would raise security awareness among an organization's employees?
A. Distributing industry statistics about security incidents
B. Monitoring the magnitude of incidents
C. Encouraging employees to behave in a more conscious manner
D. Continually reinforcing the security policy
-----

Questions 561. Which of the following is the MOST appropriate method of ensuring password strength in a large organization?
A. Attempt to reset several passwords to weaker values
B. Install code to capture passwords for periodic audit
C. Sample a subset of users and request their passwords for review
D. Review general security settings on each platform
-----

Questions 562. When an information security manager is developing a strategic plan for information security, the timeline for the plan should be:
A. aligned with the IT strategic plan.
B. based on the current rate of technological change.
C. three-to-five years for both hardware and software.
D. aligned with the business strategy.
-----

Questions 563. What is the MOST cost-effective method of identifying new vendor vulnerabilities?
A. External vulnerability reporting sources
B. Periodic vulnerability assessments performed by consultants
C. Intrusion prevention software
D. Honeypots located in the DMZ
-----

Questions 564. Which of the following is the BEST approach for improving information security management processes?
A. Conduct periodic security audits.
B. Perform periodic penetration testing.
C. Define and monitor security metrics.
D. Survey business units for feedback.
-----

Questions 565. An effective way of protecting applications against Structured Query Language (SQL) injection vulnerability is to:
A. validate and sanitize client-side inputs.
B. harden the database listener component.
C. normalize the database schema to the third normal form.
D. ensure that the security patches are updated on operating systems.
-----
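
The injection the question refers to, shown side by side with the fix. This is an added example, not part of the original question set: it uses an in-memory sqlite3 database with two constructed user rows, and contrasts a query built by string formatting with the same query using bound parameters. Note that input validation performed only on the client side can be bypassed by anyone who talks to the server directly, so the durable control is parameterization (or equivalent escaping) on the server.

```python
"""SQL injection: a query built by string formatting beside its parameterized form.

Added example (sqlite3 in-memory database, sample rows constructed here; not from the page).
"""
import sqlite3


def make_db():
    # Constructed sample data for the demonstration.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: untrusted input becomes part of the SQL text."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Hardened: placeholders send values separately from the SQL text, so a quote
    in the input cannot terminate the string literal or change the query's logic."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    conn = make_db()
    # Classic payload: closes the password literal and appends an always-true clause,
    # turning the WHERE clause into (username='alice' AND password='') OR '1'='1'.
    payload = "' OR '1'='1"
    return {
        "vuln_honest": login_vulnerable(conn, "alice", "correct horse"),
        "vuln_injected": login_vulnerable(conn, "alice", payload),
        "safe_honest": login_safe(conn, "alice", "correct horse"),
        "safe_injected": login_safe(conn, "alice", payload),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%s: %r" % (name, result))
```

The vulnerable version logs the attacker in as the first user in the table without any password; the parameterized version treats the whole payload as a literal password string and rejects it.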

Questions 566. The root cause of a successful cross site request forgery (XSRF) attack against an application is that the vulnerable application:
A. uses multiple redirects for completing a data commit transaction.
B. has implemented cookies as the sole authentication mechanism.
C. has been installed with a non-legitimate license key.
D. is hosted on a server along with other applications.
-----
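
Why a cookie as the sole authentication mechanism is the root cause, shown in code. This is an added example, not from the original question set: plain dicts stand in for a request's cookies and form fields, the session store is an in-memory dict, and the server key is generated at startup (all assumptions of the example). The browser attaches the session cookie to every request to the site, including a request auto-submitted by a hostile page, so the cookie alone proves nothing about who initiated the request.

```python
"""Cross-site request forgery: why a session cookie alone must not authorize a state change.

Added example, not from the page. Simulates two versions of a 'transfer' endpoint;
the session store and server key are constructed here.
"""
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # assumption: per-deployment secret, never sent to clients
SESSIONS = {}                          # session id -> username (in-memory, constructed)


def create_session(username):
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = username
    return sid


def csrf_token(session_id):
    """Synchronizer token bound to the session with a server-side key. The site embeds it
    in its own forms; a third-party page can neither read that form nor compute the token."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_cookie_only(cookies, form):
    """Vulnerable: the only check is the cookie, which the browser attaches to any request
    to this origin, including one auto-submitted from an attacker-controlled page."""
    user = SESSIONS.get(cookies.get("sid"))
    if user is None:
        return "401 not logged in"
    return "200 transferred %s from %s" % (form["amount"], user)


def transfer_with_token(cookies, form):
    """Hardened: additionally require the per-session token in the form body."""
    sid = cookies.get("sid")
    user = SESSIONS.get(sid)
    if user is None:
        return "401 not logged in"
    if not hmac.compare_digest(form.get("csrf", ""), csrf_token(sid)):
        return "403 csrf token missing or invalid"
    return "200 transferred %s from %s" % (form["amount"], user)


def demo():
    sid = create_session("alice")
    cookies = {"sid": sid}                              # sent by the browser automatically
    legit = {"amount": "10", "csrf": csrf_token(sid)}   # form rendered by the site itself
    forged = {"amount": "9999"}                         # form auto-submitted by a hostile page
    return {
        "cookie_only_forged": transfer_cookie_only(cookies, forged),
        "token_forged": transfer_with_token(cookies, forged),
        "token_legit": transfer_with_token(cookies, legit),
    }
```

The forged request succeeds against the cookie-only endpoint and is refused by the token-checking one. In production the token is one layer; SameSite cookie attributes and origin checks add defence in depth.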

Questions 567. Of the following, retention of business records should be PRIMARILY based on:
A. periodic vulnerability assessment.
B. regulatory and legal requirements.
C. device storage capacity and longevity.
D. past litigation.
-----

Questions 568. An organization is entering into an agreement with a new business partner to conduct customer mailings. What is the MOST important action that the information security manager needs to perform?
A. A due diligence security review of the business partner's security controls
B. Ensuring that the business partner has an effective business continuity program
C. Ensuring that the third party is contractually obligated to all relevant security requirements
D. Talking to other clients of the business partner to check references for performance
-----

Questions 569. An organization that outsourced its payroll processing performed an independent assessment of the security controls of the third party, per policy requirements. Which of the following is the MOST useful requirement to include in the contract?
A. Right to audit
B. Nondisclosure agreement
C. Proper firewall implementation
D. Dedicated security manager for monitoring compliance
-----

Questions 570. Which of the following is the MOST critical activity to ensure the ongoing security of outsourced IT services?
A. Provide security awareness training to the third-party provider's employees
B. Conduct regular security reviews of the third-party provider
C. Include security requirements in the service contract
D. Request that the third-party provider comply with the organization's information security policy
-----

Questions 571. Which of the following is the MOST important information to include in a strategic plan for information security?
A. Information security staffing requirements
B. Current state and desired future state
C. IT capital investment requirements
D. Information security mission statement
-----

Questions 572. An organization's operations staff places payment files in a shared network folder and then the disbursement staff picks up the files for payment processing. This manual intervention will be automated some months later, thus cost-efficient controls are sought to protect against file alterations. Which of the following would be the BEST solution?
A. Design a training program for the staff involved to heighten information security awareness
B. Set role-based access permissions on the shared folder
C. The end user develops a PC macro program to compare sender and recipient file contents
D. Shared folder operators sign an agreement to pledge not to commit fraudulent activities
-----

Questions 573. Which of the following BEST ensures that security risks will be reevaluated when modifications in application developments are made?
A. A problem management process
B. Background screening
C. A change control process
D. Business impact analysis (BIA)
-----

Questions 574. Which is the BEST way to measure and prioritize aggregate risk deriving from a chain of linked system vulnerabilities?
A. Vulnerability scans
B. Penetration tests
C. Code reviews
D. Security audits
-----

Questions 575. In which of the following system development life cycle (SDLC) phases are access control and encryption algorithms chosen?
A. Procedural design
B. Architectural design
C. System design specifications
D. Software development
-----

Questions 576. Which of the following is generally considered a fundamental component of an information security program?
A. Role-based access control systems
B. Automated access provisioning
C. Security awareness training
D. Intrusion prevention systems (IPSs)
-----

Questions 577. How would an organization know if its new information security program is accomplishing its goals?
A. Key metrics indicate a reduction in incident impacts.
B. Senior management has approved the program and is supportive of it.
C. Employees are receptive to changes that were implemented.
D. There is an immediate reduction in reported incidents.
-----

Questions 578. Information security projects should be prioritized on the basis of:
A. time required for implementation.
B. impact on the organization.
C. total cost for implementation.
D. mix of resources required.
-----

Questions 579. A benefit of using a full disclosure (white box) approach as compared to a blind (black box) approach to penetration testing is that:
A. it simulates the real-life situation of an external security attack.
B. human intervention is not required for this type of test.
C. less time is spent on reconnaissance and information gathering.
D. critical infrastructure information is not revealed to the tester.
-----

Questions 580. Which of the following is the BEST method to reduce the number of incidents of employees forwarding spam and chain e-mail messages?
A. Acceptable use policy
B. Setting low mailbox limits
C. User awareness training
D. Taking disciplinary action
-----

Questions 581. Which of the following is the BEST approach to mitigate online brute-force attacks on user accounts?
A. Passwords stored in encrypted form
B. User awareness
C. Strong passwords that are changed periodically
D. Implementation of lock-out policies
-----
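
A lock-out policy of the kind the question describes, as an added example that is not part of the original page. Credentials are a constructed in-memory table and the clock is injectable so the lock-out window can be exercised without waiting; the five-attempt threshold and fifteen-minute window are assumptions, not values from the page.

```python
"""Online brute-force mitigation: lock an account after repeated failed logins.

Added example, not from the page. Credentials are a constructed in-memory table and the
clock is injectable so the lock-out window can be exercised without waiting.
"""
import hmac
import time

MAX_FAILURES = 5            # consecutive failures allowed before the lock engages
LOCKOUT_SECONDS = 15 * 60   # assumption: 15-minute lock; tune to the threat model

CREDENTIALS = {"alice": "correct horse battery staple"}  # constructed; real stores hold salted hashes


class FakeClock:
    """Deterministic stand-in for time.time() used by the demonstration."""
    def __init__(self, start=1_700_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class LoginGuard:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = {}       # username -> consecutive failed attempts
        self.locked_until = {}   # username -> epoch time at which the lock expires

    def is_locked(self, user):
        return self.clock() < self.locked_until.get(user, 0.0)

    def attempt(self, user, password):
        """Return 'ok', 'bad_password' or 'locked'."""
        if self.is_locked(user):
            return "locked"          # refuse before touching the password at all
        stored = CREDENTIALS.get(user)
        # compare_digest keeps the comparison time independent of where the strings differ
        if stored is not None and hmac.compare_digest(password, stored):
            self.failures.pop(user, None)   # success resets the counter
            return "ok"
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= MAX_FAILURES:
            self.locked_until[user] = self.clock() + LOCKOUT_SECONDS
            self.failures.pop(user, None)
        return "bad_password"


def demo():
    """Five wrong guesses, then the right password while locked, then after the lock expires."""
    clock = FakeClock()
    guard = LoginGuard(clock)
    outcomes = [guard.attempt("alice", "guess%d" % i) for i in range(MAX_FAILURES)]
    outcomes.append(guard.attempt("alice", "correct horse battery staple"))
    clock.advance(LOCKOUT_SECONDS + 1)
    outcomes.append(guard.attempt("alice", "correct horse battery staple"))
    return outcomes
```

The caveat a practitioner wants: a lock-out is itself a denial-of-service lever against any known username, so pair it with per-source rate limiting, alerting on lock-out bursts and a reset path that does not depend on the locked account.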

Questions 582. Which of the following measures is the MOST effective deterrent against disgruntled staff abusing their privileges?
A. Layered defense strategy
B. System audit log monitoring
C. Signed acceptable use policy
D. High-availability systems
-----

Questions 583. The advantage of sending messages using steganographic techniques, as opposed to utilizing encryption, is that:
A. the existence of messages is unknown.
B. required key sizes are smaller.
C. traffic cannot be sniffed.
D. reliability of the data is higher in transit.
-----
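
The property the question is after, a message whose existence is not apparent, is easiest to see in the least-significant-bit technique. This is an added example, not from the original page: the "image" is a constructed array of pseudo-random sample bytes standing in for 8-bit pixel values, and the 32-bit length prefix is a design choice of this example rather than any standard format.

```python
"""LSB steganography: hide a message in the least significant bits of cover data.

Added example, not from the page. The 'image' is a constructed array of sample bytes
(stand-in for 8-bit pixel values); a real tool would read pixels from a lossless format.
"""
import random


def embed(cover, message):
    """Replace the LSB of successive cover bytes with a length-prefixed message."""
    payload = len(message).to_bytes(4, "big") + message
    bits = [(byte >> i) & 1 for byte in payload for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("cover too small: need %d bytes" % len(bits))
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit   # clear the LSB, then set it to the message bit
    return bytes(stego)


def _read_bits(data, start_bit, count):
    """Assemble `count` LSBs starting at cover index start_bit, most significant first."""
    value = 0
    for i in range(start_bit, start_bit + count):
        value = (value << 1) | (data[i] & 1)
    return value


def extract(stego):
    """Recover the message: 32-bit length, then that many bytes, one bit per cover byte."""
    length = _read_bits(stego, 0, 32)
    if 32 + 8 * length > len(stego):
        raise ValueError("length field does not fit the carrier: no message, or corrupted")
    return bytes(_read_bits(stego, 32 + 8 * k, 8) for k in range(length))


def max_change(cover, stego):
    """Largest per-byte difference the embedding caused (at most 1 for LSB hiding)."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def demo():
    cover = bytes(random.Random(7).randrange(256) for _ in range(4096))  # constructed cover
    secret = b"meet at dawn"
    stego = embed(cover, secret)
    return {"recovered": extract(stego),
            "max_change": max_change(cover, stego),
            "same_size": len(stego) == len(cover)}
```

The carrier keeps its size and no byte moves by more than one unit, which is why the message is not evident to a casual observer. Two caveats: steganography hides existence, not content, so the payload should still be encrypted; and statistical steganalysis or any lossy re-encoding of the carrier will reveal or destroy LSB payloads.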

Questions 584. As an organization grows, exceptions to information security policies that were not originally specified may become necessary at a later date. In order to ensure effective management of business risks, exceptions to such policies should be:
A. considered at the discretion of the information owner.
B. approved by the next higher person in the organizational structure.
C. formally managed within the information security framework.
D. reviewed and approved by the security manager.
-----

Questions 585. There is reason to believe that a recently modified web application has allowed unauthorized access. Which is the BEST way to identify an application backdoor?
A. Black box pen test
B. Security audit
C. Source code review
D. Vulnerability scan
-----

Questions 586. Which of the following is the MOST important information to include in an information security standard?
A. Creation date
B. Author name
C. Initial draft approval date
D. Last review date
-----

Questions 587. Simple Network Management Protocol v2 (SNMP v2) is used frequently to monitor networks. Which of the following vulnerabilities does it always introduce?
A. Remote buffer overflow
B. Cross site scripting
C. Clear text authentication
D. Man-in-the-middle attack
-----
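
What "clear text authentication" means on the wire, as an added example that is not part of the original page: the community string sits as an unencrypted OCTET STRING in the second field of every SNMPv1/v2c message. The block builds a sample SNMPv2c GetRequest for sysDescr.0 with a minimal BER encoder and then parses the header back out the way a sniffer or an IDS rule would; the set of "weak default" strings is an assumption of the example.

```python
"""SNMPv1/v2c: the community string travels in clear text inside every datagram.

Added example (not from the page): builds a sample SNMPv2c GetRequest for sysDescr.0 with
a minimal BER encoder, then parses the header back out the way a sniffer or IDS would.
"""

WEAK_COMMUNITIES = {"public", "private"}  # common vendor defaults; assumption for the check


def tlv(tag, content):
    """BER type-length-value with short-form length (content shorter than 128 bytes)."""
    if len(content) >= 128:
        raise ValueError("long-form lengths not needed for this sample")
    return bytes([tag, len(content)]) + content


def sample_get_request(community, request_id=1):
    """Construct an SNMPv2c GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0)."""
    oid_sysdescr = bytes([0x2B, 6, 1, 2, 1, 1, 1, 0])              # 1.3 -> 0x2B, rest as-is
    varbind = tlv(0x30, tlv(0x06, oid_sysdescr) + tlv(0x05, b""))  # OID + NULL value
    pdu = tlv(0xA0,                                                 # GetRequest-PDU
              tlv(0x02, bytes([request_id])) +                      # request-id
              tlv(0x02, b"\x00") + tlv(0x02, b"\x00") +             # error-status, error-index
              tlv(0x30, varbind))                                   # variable-bindings
    return tlv(0x30, tlv(0x02, b"\x01") +                           # version 1 == SNMPv2c
                     tlv(0x04, community.encode("ascii")) +         # community, unencrypted
                     pdu)


def read_tlv(buf, pos):
    """Decode one BER element at pos; returns (tag, content, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_header(packet):
    """Return version, community string and PDU type from a community-based SNMP message."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    vtag, vbody, pos = read_tlv(msg, 0)
    version = int.from_bytes(vbody, "big")
    if vtag != 0x02 or version not in (0, 1):
        raise ValueError("not SNMPv1/v2c (SNMPv3 uses a different header)")
    ctag, cbody, pos = read_tlv(msg, pos)
    if ctag != 0x04:
        raise ValueError("expected community OCTET STRING")
    ptag, _, _ = read_tlv(msg, pos)
    return {"version": "v1" if version == 0 else "v2c",
            "community": cbody.decode("ascii", "replace"),
            "pdu_type": ptag}


def assess(packet):
    """What a passive observer learns, plus a flag for well-known default strings."""
    info = parse_header(packet)
    info["weak_default"] = info["community"] in WEAK_COMMUNITIES
    return info
```

Anyone who can observe the datagram can replay the community string, which is why the exposure exists regardless of how strong the string is; SNMPv3 with authPriv is the fix, and until then read-only communities, ACLs on the agent and segregation of management traffic limit the damage.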

Questions 588. Which of the following is the FIRST phase in which security should be addressed in the development cycle of a project?
A. Design
B. Implementation
C. Application security testing
D. Feasibility
-----

Questions 589. Which of the following should be determined FIRST when establishing a business continuity program?
A. Cost to rebuild information processing facilities
B. Incremental daily cost of the unavailability of systems
C. Location and cost of offsite recovery facilities
D. Composition and mission of individual recovery teams
-----

Questions 590. A desktop computer that was involved in a computer security incident should be secured as evidence by:
A. disconnecting the computer from all power sources.
B. disabling all local user accounts except for one administrator.
C. encrypting local files and uploading exact copies to a secure server.
D. copying all files using the operating system (OS) to write-once media.
-----

Questions 591. A company has a network of branch offices with local file/print and mail servers; each branch individually contracts a hot site. Which of the following would be the GREATEST weakness in recovery capability?
A. Exclusive use of the hot site is limited to six weeks
B. The hot site may have to be shared with other customers
C. The time of declaration determines site access priority
D. The provider services all major companies in the area
-----

Questions 592. Which of the following actions should be taken when an online trading company discovers a network attack in progress?
A. Shut off all network access points
B. Dump all event logs to removable media
C. Isolate the affected network segment
D. Enable trace logging on all events
-----

Questions 593. The BEST method for detecting and monitoring a hacker's activities without exposing information assets to unnecessary risk is to utilize:
A. firewalls.
B. bastion hosts.
C. decoy files.
D. screened subnets.
-----

Questions 594. Which of the following would BEST prepare an information security manager for regulatory reviews?
A. Assign an information security administrator as regulatory liaison
B. Perform self-assessments using regulatory guidelines and reports
C. Assess previous regulatory reports with process owners' input
D. Ensure all regulatory inquiries are sanctioned by the legal department
-----

Questions 595. The FIRST priority when responding to a major security incident is:
A. documentation.
B. monitoring.
C. restoration.
D. containment.
-----

Questions 596. Which of the following is the MOST important to ensure a successful recovery?
A. Backup media is stored offsite
B. Recovery location is secure and accessible
C. More than one hot site is available
D. Network alternate links are regularly tested
-----

Questions 597. Which of the following is the MOST important element to ensure the success of a disaster recovery test at a vendor-provided hot site?
A. Tests are scheduled on weekends
B. Network IP addresses are predefined
C. Equipment at the hot site is identical
D. Business management actively participates
-----

Questions 598. At the conclusion of a disaster recovery test, which of the following should ALWAYS be performed prior to leaving the vendor's hot site facility?
A. Erase data and software from devices
B. Conduct a meeting to evaluate the test
C. Complete an assessment of the hot site provider
D. Evaluate the results from all test scripts
-----

Questions 599. An incident response policy must contain:
A. updated call trees.
B. escalation criteria.
C. press release templates.
D. critical backup files inventory.
-----

Questions 600. The BEST approach in managing a security incident involving a successful penetration should be to:
A. allow business processes to continue during the response.
B. allow the security team to assess the attack profile.
C. permit the incident to continue to trace the source.
D. examine the incident response process for deficiencies.
-----

Questions 601. A post-incident review should be conducted by an incident management team to determine:
A. relevant electronic evidence.
B. lessons learned.
C. hacker's identity.
D. areas affected.
-----

Questions 602. An organization with multiple data centers has designated one of its own facilities as the recovery site. The MOST important concern is the:
A. communication line capacity between data centers.
B. current processing capacity loads at data centers.
C. differences in logical security at each center.
D. synchronization of system software release versions.
-----

Questions 603. Which of the following is MOST important in determining whether a disaster recovery test is successful?
A. Only business data files from offsite storage are used
B. IT staff fully recovers the processing infrastructure
C. Critical business processes are duplicated
D. All systems are restored within recovery time objectives (RTOs)
-----

Questions 604. Which of the following is MOST important when deciding whether to build an alternate facility or subscribe to a third-party hot site?
A. Cost to build a redundant processing facility and invocation
B. Daily cost of losing critical systems and recovery time objectives (RTOs)
C. Infrastructure complexity and system sensitivity
D. Criticality results from the business impact analysis (BIA)
-----

Questions 605. An information security manager at a global organization that is subject to regulation by multiple governmental jurisdictions with differing requirements should:
A. bring all locations into conformity with the aggregate requirements of all governmental jurisdictions.
B. establish baseline standards for all locations and add supplemental standards as required.
C. bring all locations into conformity with a generally accepted set of industry best practices.
D. establish a baseline standard incorporating those requirements that all jurisdictions have in common.
-----

Questions 606. A new e-mail virus that uses an attachment disguised as a picture file is spreading rapidly over the Internet. Which of the following should be performed FIRST in response to this threat?
A. Quarantine all picture files stored on file servers
B. Block all e-mails containing picture file attachments
C. Quarantine all mail servers connected to the Internet
D. Block incoming Internet mail, but permit outgoing mail
-----

Questions 607. When a large organization discovers that it is the subject of a network probe, which of the following actions should be taken?
A. Reboot the router connecting the DMZ to the firewall
B. Power down all servers located on the DMZ segment
C. Monitor the probe and isolate the affected segment
D. Enable server trace logging on the affected segment
-----

Questions 608. Which of the following terms and conditions represent a significant deficiency if included in a commercial hot site contract?
A. A hot site facility will be shared in multiple disaster declarations
B. All equipment is provided "at time of disaster, not on floor"
C. The facility is subject to a "first-come, first-served" policy
D. Equipment may be substituted with equivalent model
-----

Questions 609. Which of the following should be performed FIRST in the aftermath of a denial-of-service attack?
A. Restore servers from backup media stored offsite
B. Conduct an assessment to determine system status
C. Perform an impact analysis of the outage
D. Isolate the screened subnet
-----

Questions 610. Which of the following is the MOST important element to ensure the successful recovery of a business during a disaster?
A. Detailed technical recovery plans are maintained offsite
B. Network redundancy is maintained through separate providers
C. Hot site equipment needs are recertified on a regular basis
D. Appropriate declaration criteria have been established
-----

Questions 611. The business continuity policy should contain which of the following?
A. Emergency call trees
B. Recovery criteria
C. Business impact assessment (BIA)
D. Critical backups inventory
-----

Questions 612. The PRIMARY purpose of installing an intrusion detection system (IDS) is to identify:
A. weaknesses in network security.
B. patterns of suspicious access.
C. how an attack was launched on the network.
D. potential attacks on the internal network.
-----

Questions 613. When an organization is using an automated tool to manage and house its business continuity plans, which of the following is the PRIMARY concern?
A. Ensuring accessibility should a disaster occur
B. Versioning control as plans are modified
C. Broken hyperlinks to resources stored elsewhere
D. Tracking changes in personnel and plan assets
-----

Questions 614. Which of the following is the BEST way to verify that all critical production servers are utilizing up-to-date virus signature files?
A. Verify the date that signature files were last pushed out
B. Use a recently identified benign virus to test if it is quarantined
C. Research the most recent signature file and compare to the console
D. Check a sample of servers that the signature files are current
-----

Questions 615. Which of the following actions should be taken when an information security manager discovers that a hacker is footprinting the network perimeter?
A. Reboot the border router connected to the firewall
B. Check IDS logs and monitor for any active attacks
C. Update IDS software to the latest available version
D. Enable server trace logging on the DMZ segment
-----

Questions 616. Which of the following are the MOST important criteria when selecting virus protection software?
A. Product market share and annualized cost
B. Ability to interface with intrusion detection system (IDS) software and firewalls
C. Alert notifications and impact assessments for new viruses
D. Ease of maintenance and frequency of updates
-----

Questions 617. Which of the following is the MOST serious exposure of automatically updating virus signature files on every desktop each Friday at 11:00 p.m. (23.00 hrs.)?
A. Most new viruses' signatures are identified over weekends
B. Technical personnel are not available to support the operation
C. Systems are vulnerable to new viruses during the intervening week
D. The update's success or failure is not known until Monday
-----

Questions 618. Which of the following BEST describes an information security manager's role in a multidisciplinary team that will address a new regulatory requirement regarding operational risk?
A. Ensure that all IT risks are identified
B. Evaluate the impact of information security risks
C. Demonstrate that IT mitigating controls are in place
D. Suggest new IT controls to mitigate operational risk
-----

Questions 619. When performing a business impact analysis (BIA), which of the following should calculate the recovery time and cost estimates?
A. Business continuity coordinator
B. Information security manager
C. Business process owners
D. Industry averages benchmarks
-----

Questions 620. Which of the following is MOST closely associated with a business continuity program?
A. Confirming that detailed technical recovery plans exist
B. Periodically testing network redundancy
C. Updating the hot site equipment configuration every quarter
D. Developing recovery time objectives (RTOs) for critical functions
-----

Questions 621. Which of the following application systems should have the shortest recovery time objective (RTO)?
A. Contractor payroll
B. Change management
C. E-commerce web site
D. Fixed asset system
-----

Questions 622. A computer incident response team (CIRT) manual should PRIMARILY contain which of the following documents?
A. Risk assessment results
B. Severity criteria
C. Emergency call tree directory
D. Table of critical backup files
-----

Questions 623. The PRIMARY purpose of performing an internal attack and penetration test as part of an incident response program is to identify:
A. weaknesses in network and server security.
B. ways to improve the incident response process.
C. potential attack vectors on the network perimeter.
D. the optimum response to internal hacker attacks.
-----

Questions 624. Which of the following would represent a violation of the chain of custody when a backup tape has been identified as evidence in a fraud investigation? The tape was:
A. removed into the custody of law enforcement investigators.
B. kept in the tape library pending further analysis.
C. sealed in a signed envelope and locked in a safe under dual control.
D. handed over to authorized independent investigators.
-----

Questions 625. When properly tested, which of the following would MOST effectively support an information security manager in handling a security breach?
A. Business continuity plan
B. Disaster recovery plan
C. Incident response plan
D. Vulnerability management plan
-----

Questions 626. Isolation and containment measures for a compromised computer have been taken and information security management is now investigating. What is the MOST appropriate next step?
A. Run a forensics tool on the machine to gather evidence
B. Reboot the machine to break remote connections
C. Make a copy of the whole system's memory
D. Document current connections and open Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports
-----
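
The thread running through Questions 590, 624 and 626 is that evidence is only useful if it can be shown to be unaltered from the moment of acquisition through every hand-over. The block below is an added example, not part of the original page: it hashes an acquired image (a constructed byte string standing in for a memory dump), then keeps a custody log whose entries are chained by hash so that any edit to the evidence or to an earlier log entry is detected. The log format and field names are this example's own.

```python
"""Evidence integrity and chain of custody: hash the acquisition, then keep a
tamper-evident custody log whose entries are chained by hash.

Added example, not from the page. The 'memory image' is a constructed byte string.
"""
import hashlib
import json


def sha256(data):
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    def __init__(self, evidence_id, evidence_bytes, collector):
        self.evidence_id = evidence_id
        self.evidence_hash = sha256(evidence_bytes)   # recorded at acquisition time
        self.entries = []
        self.append(collector, "acquired", "bit-for-bit copy taken; hash recorded")

    def _hash_entry(self, body):
        return sha256(json.dumps(body, sort_keys=True).encode())

    def append(self, holder, action, note):
        """Each entry commits to the previous one (or to the evidence hash for the first)."""
        prev = self.entries[-1]["entry_hash"] if self.entries else self.evidence_hash
        body = {"seq": len(self.entries), "holder": holder, "action": action,
                "note": note, "prev": prev}
        body["entry_hash"] = self._hash_entry(body)
        self.entries.append(body)

    def verify(self, evidence_bytes):
        """Recompute the evidence hash and every link of the chain; return (ok, reason)."""
        if sha256(evidence_bytes) != self.evidence_hash:
            return False, "evidence bytes differ from acquisition hash"
        prev = self.evidence_hash
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["prev"] != prev or self._hash_entry(body) != entry["entry_hash"]:
                return False, "custody entry %d altered or out of order" % entry["seq"]
            prev = entry["entry_hash"]
        return True, "ok"


def demo():
    image = bytes(range(256)) * 16              # constructed stand-in for a memory dump
    log = CustodyLog("EV-001", image, "analyst A")
    log.append("evidence safe (dual control)", "stored", "sealed envelope, signed")
    log.append("independent investigator", "transferred", "receipt countersigned")
    intact = log.verify(image)
    tampered_evidence = log.verify(image[:-1] + b"\x00")   # one byte changed
    log.entries[1]["holder"] = "someone else"             # a log entry rewritten after the fact
    tampered_log = log.verify(image)
    return {"intact": intact, "tampered_evidence": tampered_evidence, "tampered_log": tampered_log}
```

This is what Question 624's "sealed, signed, dual control" custody looks like in data: the hash taken at acquisition is the anchor, and each transfer is recorded against the previous entry, so a tape that sat in the general library with no such record cannot be shown to be the same tape.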

Questions 627. Why is "slack space" of value to an information security manager as part of an incident investigation?
A. Hidden data may be stored there
B. The slack space contains login information
C. Slack space is encrypted
D. It provides flexible space for the investigation
-----
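
Where slack space comes from and how it is carved, as an added example that is not part of the original page. It builds a constructed mini "volume" of fixed-size allocation units whose free space still holds remnants of an older file, then writes a new, shorter file over the same clusters and reads back what survives between the new file's end and the end of its last cluster. The 512-byte cluster size and the sample records are assumptions of the example.

```python
"""File slack: bytes between a file's end and the end of its last allocated cluster.

Added example (not from the page). Builds a constructed mini 'volume' of fixed-size
clusters whose free space still holds remnants of an older file, then writes a new,
shorter file over it and carves what survives in the slack.
"""
CLUSTER_SIZE = 512  # assumption: 512-byte allocation unit; NTFS/FAT commonly use 4 KiB


def slack_extent(file_size, cluster_size=CLUSTER_SIZE):
    """Return (allocated_bytes, slack_bytes) for a file of the given logical size."""
    clusters = -(-file_size // cluster_size)          # ceiling division
    allocated = clusters * cluster_size
    return allocated, allocated - file_size


def write_file(volume, first_cluster, data, cluster_size=CLUSTER_SIZE):
    """Simulate the file system: only the file's own bytes are written; the remainder
    of the final cluster is left untouched. (Modern systems zero-fill to the end of the
    last sector, so in practice what survives is the unwritten sectors of that cluster.)"""
    start = first_cluster * cluster_size
    volume[start:start + len(data)] = data


def carve_slack(volume, first_cluster, file_size, cluster_size=CLUSTER_SIZE):
    """Return the slack bytes of a file starting at first_cluster with logical size file_size."""
    allocated, _ = slack_extent(file_size, cluster_size)
    start = first_cluster * cluster_size
    return bytes(volume[start + file_size:start + allocated])


def demo():
    volume = bytearray(8 * CLUSTER_SIZE)
    # An earlier, since-deleted file occupied clusters 0-3 (constructed content).
    old = (b"ACCT,AMOUNT,MEMO\n4411,9500,vendor refund\n" * 50)[:4 * CLUSTER_SIZE]
    write_file(volume, 0, old)
    # A new 1000-byte file is later allocated to the same starting cluster.
    new = b"Q" * 1000
    write_file(volume, 0, new)
    allocated, slack_len = slack_extent(len(new))
    slack = carve_slack(volume, 0, len(new))
    return {"allocated": allocated, "slack_len": slack_len, "slack": slack,
            "remnant_in_slack": slack == old[1000:allocated]}
```

A 1000-byte file in 512-byte clusters is allocated 1024 bytes, and the 24 bytes past its logical end are invisible to a normal directory listing or file copy, which is why an investigator images the full media rather than copying files.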

Questions 628. What is the PRIMARY objective of a post-event review in incident response?
A. Adjust budget provisioning
B. Preserve forensic data
C. Improve the response process
D. Ensure the incident is fully documented
-----

Questions 629. Detailed business continuity plans should be based PRIMARILY on:
A. consideration of different alternatives.
B. the solution that is least expensive.
C. strategies that cover all applications.
D. strategies validated by senior management.
-----

Questions 630. A web server in a financial institution that has been compromised using a super-user account has been isolated, and proper forensic processes have been followed. The next step should be to:
A. rebuild the server from the last verified backup.
B. place the web server in quarantine.
C. shut down the server in an organized manner.
D. rebuild the server with original media and relevant patches.
-----
