CISM Topic 3
Question #: 1014
Topic #: 1
Which of the following is MOST helpful in determining the realization of benefits from an information security program?
A. Vulnerability assessments
B. Key risk indicators (KRIs)
C. Business impact analysis (BIA)
D. Key performance indicators (KPIs)
Selected Answer: C
Question #: 265
Topic #: 1
Which of the following would BEST help to ensure an organization’s security program is aligned with business objectives?
A. The organization’s board of directors includes a dedicated information security advisor.
B. The security strategy is reviewed and approved by the organization’s steering committee.
C. Security policies are reviewed and approved by the chief information officer (CIO).
D. Business leaders receive annual information security awareness training.
Selected Answer: B
Question #: 245
Topic #: 1
An external security audit has reported multiple instances of control noncompliance. Which of the following is MOST important for the information security manager to communicate to senior management?
A. The impact of noncompliance on the organization’s risk profile
B. An accountability report to initiate remediation activities
C. Control owner responses based on a root cause analysis
D. A plan for mitigating the risk due to noncompliance
Selected Answer: A
Question #: 195
Topic #: 1
Management has announced the acquisition of a new company. The information security manager of the parent company is concerned that conflicting access rights may cause critical information to be exposed during the integration of the two companies. To BEST address this concern, the information security manager should:
A. escalate concerns for conflicting access rights to management.
B. review access rights as the acquisition integration occurs.
C. implement consistent access control standards.
D. perform a risk assessment of the access rights.
Selected Answer: C
Question #: 191
Topic #: 1
Which of the following would provide the HIGHEST level of confidence in the integrity of data when sent from one party to another?
A. Harden the communication infrastructure.
B. Require files to be digitally signed before they are transmitted.
C. Enforce multi-factor authentication on both ends of the communication.
D. Require data to be transmitted over a secure connection.
Selected Answer: B
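Why a digital signature gives stronger integrity assurance than a secure channel alone: the signature binds the exact bytes to the sender's private key, so any change after signing, and any signature from a different party, fails verification. The following Go program is an added example, not material from the question bank; it uses the standard library's Ed25519 implementation, and the payload string and the single-byte tampering are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignFile produces a signature over the exact content bytes with the
// sender's private key. Ed25519 hashes internally, so the full content is
// passed in rather than a precomputed digest.
func SignFile(priv ed25519.PrivateKey, content []byte) []byte {
	return ed25519.Sign(priv, content)
}

// VerifyFile returns true only if sig was produced over exactly these bytes
// by the holder of the private key that matches pub.
func VerifyFile(pub ed25519.PublicKey, content, sig []byte) bool {
	return ed25519.Verify(pub, content, sig)
}

// DemoSignature signs a constructed payload and then checks three cases:
// the untouched payload, a copy with one byte changed in transit, and the
// untouched payload checked against a different party's public key.
// It returns (originalOK, tamperedOK, wrongSignerOK, err).
func DemoSignature() (bool, bool, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	otherPub, _, err := ed25519.GenerateKey(rand.Reader) // a second, unrelated party
	if err != nil {
		return false, false, false, err
	}

	// Constructed sample message; any file or record works the same way.
	original := []byte("wire-transfer: acct=12345 amount=1000.00")
	sig := SignFile(priv, original)

	// Simulate modification after signing: change one digit of the amount.
	tampered := append([]byte(nil), original...)
	tampered[len(tampered)-4] = '9' // "1000.00" becomes "1009.00"

	return VerifyFile(pub, original, sig),
		VerifyFile(pub, tampered, sig),
		VerifyFile(otherPub, original, sig),
		nil
}

func main() {
	ok, tampered, wrongSigner, err := DemoSignature()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original verifies: %v\n", ok)            // true
	fmt.Printf("tampered verifies: %v\n", tampered)      // false
	fmt.Printf("wrong signer verifies: %v\n", wrongSigner) // false
}
```

A TLS connection (option D) protects the bytes only while they are on the wire; the signature travels with the file, so the recipient can re-run VerifyFile later, after storage or forwarding, and still detect modification.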
Question #: 187
Topic #: 1
Which of the following is an information security manager’s BEST approach when selecting cost-effective controls needed to meet business objectives?
A. Conduct a gap analysis.
B. Focus on preventive controls.
C. Align with industry best practice.
D. Align with the risk appetite.
Selected Answer: D
Question #: 219
Topic #: 1
To address the issue that performance pressures on IT may conflict with information security controls, it is MOST important that:
A. the steering committee provides guidance and dispute resolution.
B. the security policy is changed to accommodate IT performance pressure.
C. IT policies and procedures are better aligned to security policies.
D. noncompliance issues are reported to senior management.
Selected Answer: C
Question #: 785
Topic #: 1
Which of the following is the BEST approach to reduce unnecessary duplication of compliance activities?
A. Integration of assurance efforts
B. Automation of controls
C. Documentation of control procedures
D. Standardization of compliance requirements
Selected Answer: A
Question #: 705
Topic #: 1
When remote access to confidential information is granted to a vendor for analytic purposes, which of the following is the MOST important security consideration?
A. The vendor must be able to amend data
B. The vendor must agree to the organization’s information security policy
C. Data is encrypted in transit and at rest at the vendor site
D. Data is subject to regular access log review
Selected Answer: B
Question #: 259
Topic #: 1
An organization has implemented a new security control in response to a recently discovered vulnerability. Several employees have voiced concerns that the control disrupts their ability to work. Which of the following is the information security manager’s BEST course of action?
A. Evaluate compensating control options.
B. Educate users about the vulnerability.
C. Accept the vulnerability.
D. Report the control risk to senior management.
Selected Answer: A
Question #: 258
Topic #: 1
Which of the following is the BEST way to strengthen the security of corporate data on a personal mobile device?
A. Implementing a strong password policy
B. Using containerized software
C. Mandating use of pre-approved devices
D. Implementing multi-factor authentication
Selected Answer: B
Question #: 257
Topic #: 1
Which of the following BEST enables the detection of advanced persistent threats (APTs)?
A. Vulnerability scanning
B. Security information and event management system (SIEM)
C. Internet gateway filtering
D. Periodic reviews of intrusion prevention system (IPS)
Selected Answer: B
Question #: 256
Topic #: 1
Which of the following processes can be used to remediate identified technical vulnerabilities?
A. Updating the business impact analysis (BIA)
B. Performing penetration testing
C. Enforcing baseline configurations
D. Conducting a risk assessment
Selected Answer: C
Question #: 180
Topic #: 1
When determining an acceptable risk level, which of the following is the MOST important consideration?
A. Vulnerability scores
B. System criticalities
C. Risk matrices
D. Threat profiles
Selected Answer: B
Question #: 163
Topic #: 1
An organization’s outsourced firewall was poorly configured and allowed unauthorized access that resulted in downtime of 48 hours. Which of the following should be the information security manager’s NEXT course of action?
A. Reconfigure the firewall in accordance with best practices.
B. Obtain supporting evidence that the problem has been corrected.
C. Seek damages from the service provider.
D. Revisit the contract and improve accountability of the service provider.
Selected Answer: B
Question #: 312
Topic #: 1
Which of the following provides the BEST evidence that a newly implemented security awareness program has been effective?
A. There have been no reported successful phishing attempts since the training started.
B. Employees from each department have completed the required training.
C. There has been an increase in the number of phishing attempts reported.
D. Senior management supports funding for ongoing awareness training.
Selected Answer: C
Question #: 252
Topic #: 1
Audit trails of changes to source code and object code are BEST tracked through:
A. use of compilers.
B. code review.
C. program library software.
D. job control statements.
Selected Answer: B
Question #: 918
Topic #: 1
Which of the following is MOST important for responding effectively to security breaches?
A. Chain of custody
B. Incident classification
C. Log monitoring
D. Communication plan
Selected Answer: B
Question #: 906
Topic #: 1
In response to recent ransomware threats, an organization deployed a new endpoint detection and response (EDR) solution in its employee laptops. Of the following, who should be accountable for reviewing the solution to verify it has been properly deployed and configured?
A. The security analyst
B. The chief audit executive (CAE)
C. The chief information security officer (CISO)
D. The system administrator
Selected Answer: C
Question #: 159
Topic #: 1
The MAIN purpose of a guideline for use within a large, international organization is to:
A. explain the organization’s preferred practices for security.
B. ensure that all business units have the same strategic security goals.
C. ensure that all business units implement identical security procedures.
D. provide evidence for auditors that security practices are adequate.
Selected Answer: B
Question #: 21
Topic #: 1
Over the last year, an information security manager has performed risk assessments on multiple third-party vendors. Which of the following criteria would be MOST helpful in determining the associated level of risk applied to each vendor?
A. Compliance requirements associated with the regulation
B. Criticality of the service to the organization
C. Corresponding breaches associated with each vendor
D. Compensating controls in place to protect information security
Selected Answer: B
Question #: 12
Topic #: 1
Which of the following is the MOST important consideration in a bring your own device (BYOD) program to protect company data in the event of a loss?
A. The ability to remotely locate devices
B. The ability to centrally manage devices
C. The ability to restrict unapproved applications
D. The ability to classify types of devices
Selected Answer: B
Question #: 330
Topic #: 1
Which of the following is the MOST important consideration when updating procedures for managing security devices?
A. Updates based on changes in risk, technology, and process
B. Review and approval of procedures by management
C. Updates based on the organization’s security framework
D. Notification to management of the procedural changes
Selected Answer: A
Question #: 328
Topic #: 1
Which of the following is MOST effective in reducing the financial impact following a security breach leading to data disclosure?
A. Backup and recovery strategy
B. A business continuity plan (BCP)
C. A data loss prevention (DLP) solution
D. An incident response plan
Selected Answer: D
Question #: 322
Topic #: 1
Which of the following departments should be responsible for classifying customer relationship management (CRM) system data on a database server maintained by IT?
A. Sales
B. Information security
C. Human resources (HR)
D. IT
Selected Answer: A
Question #: 1121
Topic #: 1
Which of the following will have the GREATEST impact on the development of the information classification scheme consisting of various classification levels?
A. Value of the information
B. Data format
C. Owners of the information
D. Organizational structure
Selected Answer: A
Question #: 772
Topic #: 1
Which of the following would BEST ensure that security is integrated during application development?
A. Performing application security testing during acceptance testing
B. Introducing security requirements during the initiation phase
C. Employing global security standards during development processes
D. Providing training on secure development practices to programmers
Selected Answer: B
Question #: 230
Topic #: 1
A new information security manager finds that the organization tends to use short-term solutions to address problems. Resource allocation and spending are not effectively tracked, and there is no assurance that compliance requirements are being met. What should be done FIRST to reverse this bottom-up approach to security?
A. Implement an information security awareness training program.
B. Conduct a threat analysis.
C. Establish an audit committee.
D. Create an information security steering committee.
Selected Answer: D
Question #: 986
Topic #: 1
Which of the following BEST reduces the likelihood of leakage of private information via email?
A. User awareness training
B. Periodic phishing exercises
C. Email signature verification
D. Restricted personal use of company email
Selected Answer: A
Question #: 1042
Topic #: 1
Which of the following control types should be considered FIRST for aligning employee behavior with an organization’s information security objectives?
A. Administrative security controls
B. Access security controls
C. Technical security controls
D. Physical security controls
Selected Answer: A
Question #: 779
Topic #: 1
The MAIN benefit of implementing a data loss prevention (DLP) solution is to:
A. enhance the organization’s antivirus controls.
B. reduce the need for a security awareness program.
C. complement the organization’s detective controls.
D. eliminate the risk of data loss.
Selected Answer: C
Question #: 731
Topic #: 1
Which of the following is a desired outcome of information security governance?
A. Penetration test
B. A maturity model
C. Improved risk management
D. Business agility
Selected Answer: B
Question #: 675
Topic #: 1
Management decisions concerning information security investments will be MOST effective when they are based on:
A. a process for identifying and analyzing threats and vulnerabilities.
B. the formalized acceptance of risk analysis by management.
C. the reporting of consistent and periodic assessments of risks.
D. an annual loss expectancy (ALE) determined from the history of security events.
Selected Answer: C
Question #: 629
Topic #: 1
A high-risk issue is discovered during an information security risk assessment of a legacy application. The business is unwilling to allocate the resources to remediate the issue. Which of the following would be the information security manager’s BEST course of action?
A. Document risk acceptance from the business.
B. Recommend discontinuing the use of the legacy application.
C. Design alternative compensating controls to reduce the risk.
D. Present the worst-case scenario related to the risk.
Selected Answer: D
Question #: 481
Topic #: 1
Which of the following is the BEST indication of a mature information security program?
A. Security spending is below budget.
B. Security incidents are managed properly.
C. Security resources are optimized.
D. Security audit findings are reduced.
Selected Answer: C
Question #: 478
Topic #: 1
Which of the following is MOST important when providing updates during a security incident?
A. Responding immediately to questions from the public
B. Validating the reliability of information prior to dissemination
C. Designating a communications representative
D. Ensuring timely incident information to internal stakeholders
Selected Answer: B
Question #: 452
Topic #: 1
The PRIMARY purpose of a penetration test is to:
A. test network load capability
B. validate firewall and router configuration
C. provide assurance of the security of the network
D. identify vulnerabilities at a particular point in time
Selected Answer: D
Question #: 552
Topic #: 1
An information security manager is recommending an investment in a new security initiative to address recently published threats. Which of the following is MOST important to include in the business case?
A. Alignment with the approved IT strategy
B. Potential impact of threat realization
C. Availability of resources to implement the initiative
D. Peer group threat intelligence report
Selected Answer: B
Question #: 522
Topic #: 1
Key risk indicators (KRIs) are MOST effective when they:
A. are mapped to core strategic initiatives.
B. allow for comparison with industry peers.
C. are redefined on a regular basis.
D. assess progress toward declared goals.
Selected Answer: A
Question #: 789
Topic #: 1
An organization is increasingly using Software as a Service (SaaS) to replace in-house hosting and support of IT applications. Which of the following would be the MOST effective way to help ensure procurement decisions consider information security concerns?
A. Integrate information security risk assessments into the procurement process.
B. Invite IT members into regular procurement team meetings to influence best practice.
C. Enforce the right to audit in procurement contracts with SaaS vendors.
D. Provide regular information security training to the procurement team.
Selected Answer: C
Question #: 453
Topic #: 1
An information security policy was amended recently to support an organization’s new information security strategy. Which of the following should be the information security manager’s NEXT step?
A. Evaluate the alignment with business strategy
B. Update standards and procedures
C. Review technical controls
D. Refresh the security training program
Selected Answer: B
Question #: 217
Topic #: 1
Which of the following is a PRIMARY responsibility of the information security governance function?
A. Administering information security awareness training
B. Advising senior management on optimal levels of risk appetite and tolerance
C. Defining security strategies to support organizational programs
D. Ensuring adequate support for solutions using emerging technologies
Selected Answer: C
Question #: 204
Topic #: 1
Which of the following is the MOST important security feature an information security manager would need for a mobile device management (MDM) program?
A. Ability to inventory devices
B. Ability to remotely wipe devices
C. Ability to locate devices
D. Ability to push updates to devices
Selected Answer: B
Question #: 203
Topic #: 1
Which of the following should an information security manager do FIRST after a new cybersecurity regulation has been introduced?
A. Consult corporate legal counsel.
B. Conduct a cost-benefit analysis.
C. Update the information security policy.
D. Perform a gap analysis.
Selected Answer: A
Question #: 757
Topic #: 1
Which of the following is the PRIMARY reason to monitor key risk indicators (KRIs) related to information security?
A. To alert on unacceptable risk
B. To identify residual risk
C. To reassess risk appetite
D. To benchmark control performance
Selected Answer: A
Question #: 710
Topic #: 1
Which of the following roles is BEST able to influence the security culture within an organization?
A. Chief information security officer (CISO)
B. Chief information officer (CIO)
C. Chief operating officer (COO)
D. Chief executive officer (CEO)
Selected Answer: D
Question #: 383
Topic #: 1
Which of the following is the MOST important consideration when defining security configuration baselines?
A. The baselines address applicable regulatory standards.
B. The baselines are proportionate to risk.
C. The baselines address known system vulnerabilities.
D. The baselines align with lines of business.
Selected Answer: B
Question #: 268
Topic #: 1
An executive’s personal mobile device used for business purposes is reported lost. The information security manager should respond based on:
A. the acceptable use policy.
B. asset management guidelines.
C. the business impact analysis (BIA).
D. incident classification.
Selected Answer: D
Question #: 356
Topic #: 1
Conflicting objectives are MOST likely to compromise the effectiveness of the information security process when information security management is:
A. partially staffed by external security consultants
B. combined with the change management function
C. reporting to the network infrastructure manager
D. outside of information technology
Selected Answer: C
Question #: 160
Topic #: 1
Which of the following is an information security manager’s BEST course of action upon discovering an organization with budget constraints lacks several important security capabilities?
A. Suggest the deployment of open-source security tools to mitigate identified risks.
B. Establish a business case to demonstrate return on investment (ROI) of a security tool.
C. Recommend that the organization avoid the most severe risks.
D. Review the most recent audit report and request funding to address the most serious finding.
Selected Answer: B
Question #: 239
Topic #: 1
Which of the following BEST indicates the effectiveness of the vendor risk management process?
A. Increase in the percentage of vendors certified to a globally recognized security standard
B. Increase in the percentage of vendors with a completed due diligence review
C. Increase in the percentage of vendors conducting mandatory security training
D. Increase in the percentage of vendors that have reported security breaches
Selected Answer: B
Question #: 325
Topic #: 1
Which of the following is MOST important for an information security manager to verify before conducting full-functional continuity testing?
A. Incident response and recovery plans are documented in simple language
B. Copies of recovery and incident response plans are kept offsite
C. Teams and individuals responsible for recovery have been identified
D. Risk acceptance by the business has been documented.
Selected Answer: C
Question #: 323
Topic #: 1
What is the role of the information security manager in finalizing contract negotiations with service providers?
A. To perform a risk analysis on the outsourcing process
B. To obtain a security standard certification from the provider
C. To update security standards for the outsourced process
D. To ensure that clauses for periodic audits are included
Selected Answer: A
Question #: 1059
Topic #: 1
Which of the following is the BEST indicator of the maturity level of a vendor risk management process?
A. Number of vendors rejected because of security review results
B. Percentage of vendors that are regularly reviewed against defined criteria
C. Percentage of vendors that have gone through the vendor onboarding process
D. Average time required to complete the vendor risk management process
Selected Answer: B
Question #: 999
Topic #: 1
Which of the following should be done FIRST when developing an information asset classification policy?
A. Identify accountability for information assets throughout the organization.
B. Establish the criteria that define an asset’s classification level.
C. Identify existing security measures for protecting assets.
D. Obtain executive input to identify high-value assets to be classified.
Selected Answer: A
Question #: 1052
Topic #: 1
Which of the following is the MOST effective control to prevent proliferation of shadow IT?
A. Implement a software allow list.
B. Conduct periodic vulnerability scanning.
C. Install a solution to detect unlicensed software.
D. Conduct software audits.
Selected Answer: A
Question #: 932
Topic #: 1
Senior management has expressed concern that the organization’s intrusion prevention system (IPS) may repeatedly disrupt business operations. Which of the following BEST indicates that the information security manager has tuned the system to address this concern?
A. Decreasing false positives
B. Decreasing false negatives
C. Increasing false negatives
D. Increasing false positives
Selected Answer: A
Question #: 928
Topic #: 1
Which of the following is the GREATEST concern resulting from the lack of severity criteria in incident classification?
A. The service desk will be staffed incorrectly.
B. Timely detection of attacks will be impossible.
C. Statistical reports will be incorrect.
D. Escalation procedures will be ineffective.
Selected Answer: D
Question #: 891
Topic #: 1
An incident response team has established that an application has been breached. Which of the following should be done NEXT?
A. Maintain the affected systems in a forensically acceptable state.
B. Inform senior management of the breach.
C. Isolate the impacted systems from the rest of the network.
D. Conduct a risk assessment on the affected application.
Selected Answer: C
Question #: 889
Topic #: 1
Which of the following has the GREATEST influence on the successful integration of information security within the business?
A. Organizational structure and culture
B. Risk tolerance and organizational objectives
C. Information security personnel
D. The desired state of the organization
Selected Answer: B
Question #: 880
Topic #: 1
Which of the following BEST indicates effective information security governance?
A. Availability of information security policies
B. Regular steering committee meetings
C. Organization-wide attendance at annual security training
D. Regular testing of the security incident response plan
Selected Answer: B
Question #: 878
Topic #: 1
Which of the following BEST minimizes information security risk in deploying applications to the production environment?
A. Conducting penetration testing post implementation
B. Having a well-defined change process
C. Verifying security during the testing process
D. Integrating security controls in each phase of the life cycle
Selected Answer: B
Question #: 873
Topic #: 1
A third-party audit of an organization’s network security has identified several critical risks. Which of the following should the information security manager do NEXT?
A. Assign risk ownership.
B. Identify mitigating controls.
C. Report the findings to senior management.
D. Prioritize the risks.
Selected Answer: C
Question #: 184
Topic #: 1
Which of the following is the MOST effective method of determining security priorities?
A. Vulnerability assessment
B. Gap analysis
C. Threat assessment
D. Impact analysis
Selected Answer: D
Question #: 788
Topic #: 1
Which of the following is MOST important to include in a report to key stakeholders regarding the effectiveness of an information security program?
A. Security incident details
B. Security metrics
C. Security risk exposure
D. Security baselines
Selected Answer: B
Question #: 751
Topic #: 1
Which of the following MUST be defined in order for an information security manager to evaluate the appropriateness of controls currently in place?
A. Security policy
B. Risk management framework
C. Security standards
D. Risk appetite
Selected Answer: D
Question #: 748
Topic #: 1
An information security manager has contracted with a company to design security architecture for an application. Which of the following is accountable for identification associated with this initiative?
A. The project steering committee
B. The information security manager
C. The infrastructure management team
D. The application development team
Selected Answer: A
Question #: 726
Topic #: 1
An information security manager has been notified about a compromised endpoint device. Which of the following is the BEST course of action to prevent further damage?
A. Run a virus scan on the endpoint device
B. Wipe and reset the endpoint device
C. Power off the endpoint device
D. Isolate the endpoint device
Selected Answer: D
Question #: 695
Topic #: 1
Which of the following is the GREATEST benefit of conducting an organization-wide security awareness program?
A. More security incidents are detected
B. Security behavior is improved
C. The security strategy is promoted
D. Fewer security incidents are reported
Selected Answer: C
Question #: 693
Topic #: 1
Which of the following is MOST important to ensuring information stored by an organization is protected appropriately?
A. Defining security asset categorization
B. Assigning information asset ownership
C. Developing a records retention schedule
D. Defining information stewardship roles
Selected Answer: B
Question #: 668
Topic #: 1
Which of the following should be done FIRST when establishing a new data protection program that must comply with applicable data privacy regulations?
A. Encrypt all personal data stored on systems and networks.
B. Evaluate privacy technologies required for data protection.
C. Create an inventory of systems where personal data is stored.
D. Update disciplinary processes to address privacy violations.
Selected Answer: C
Question #: 666
Topic #: 1
The MOST important reason for having an information security manager serve on the change management committee is to:
A. ensure changes are properly documented.
B. advise on change-related risk.
C. identify changes to the information security policy.
D. ensure that changes are tested.
Selected Answer: B
Question #: 662
Topic #: 1
A risk assessment exercise has identified the threat of a denial of service (DoS) attack. Executive management has decided to take no further action related to this risk. The MOST likely reason for this decision is:
A. the cost of implementing controls exceeds the potential financial losses.
B. the risk assessment has not defined the likelihood of occurrence.
C. executive management is not aware of the impact potential.
D. the reported vulnerability has not been validated.
Selected Answer: B
Question #: 661
Topic #: 1
The BEST way to ensure that frequently encountered incidents are reflected in the user security awareness training program is to include:
A. responses to security questionnaires.
B. previous training sessions.
C. examples of help desk requests.
D. results of exit interviews.
Selected Answer: C
Question #: 634
Topic #: 1
Which of the following metrics BEST measures the effectiveness of an organization’s information security program?
A. Return on information security investment
B. Number of information security business cases developed
C. Reduction in information security incidents
D. Increase in risk assessments completed
Selected Answer: C
Question #: 558
Topic #: 1
Which of the following is the PRIMARY objective of a business impact analysis (BIA)?
A. Confirm control effectiveness.
B. Determine recovery priorities.
C. Define the recovery point objective (RPO).
D. Analyze vulnerabilities.
Selected Answer: B
Question #: 557
Topic #: 1
Signature-based anti-malware controls are MOST effective against:
A. poorly configured firewall rules.
B. reused virus code.
C. known threats.
D. zero-day exploits.
Selected Answer: B
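What a signature-based control can and cannot see: it matches bytes (or a whole-file hash) lifted from a sample it has already seen. The Go program below is an added example, not part of the question bank; the "malware" payload, the signature names and the XOR re-encoding are all constructed for illustration. It scans three files against one signature database: the known sample, a file that reuses the sample's code unchanged inside other content, and the same code after a trivial re-encoding that a new variant or a zero-day would present.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Signature is one database entry: a full-file hash of a known sample,
// a byte pattern lifted from it, or both.
type Signature struct {
	Name    string
	Hash    string // hex SHA-256 of a known sample, or "" for pattern-only
	Pattern []byte // byte sequence taken from the known sample, or nil
}

// Scan returns the name of the first signature that matches the file,
// or "" when nothing in the database matches.
func Scan(db []Signature, file []byte) string {
	sum := sha256.Sum256(file)
	fileHash := hex.EncodeToString(sum[:])
	for _, s := range db {
		if s.Hash != "" && s.Hash == fileHash {
			return s.Name
		}
		if len(s.Pattern) > 0 && bytes.Contains(file, s.Pattern) {
			return s.Name
		}
	}
	return ""
}

// xorEncode is the kind of trivial transformation used to produce a variant:
// same code, but none of the original bytes remain for a pattern to hit.
func xorEncode(b []byte, key byte) []byte {
	out := make([]byte, len(b))
	for i, c := range b {
		out[i] = c ^ key
	}
	return out
}

// DemoScan builds a database from one constructed sample and scans the
// sample itself, a file embedding the same code, and an XOR-encoded copy.
// It returns the detection names for (known, reused, encoded).
func DemoScan() (known, reused, encoded string) {
	// Constructed stand-in for a known malicious file (harmless text).
	sample := []byte("\x90\x90\xeb\x1fcmd.exe /c del /q *.bak")
	sum := sha256.Sum256(sample)
	db := []Signature{
		{Name: "Trojan.Constructed.A", Hash: hex.EncodeToString(sum[:])},
		{Name: "Trojan.Constructed.A", Pattern: []byte("cmd.exe /c del /q *.bak")},
	}

	// Reused code: the sample dropped into a larger file, bytes unchanged.
	reusedFile := append([]byte("MZ....padding...."), sample...)
	// Re-encoded variant: identical logic once decoded, different bytes on disk.
	encodedFile := xorEncode(sample, 0x5a)

	return Scan(db, sample), Scan(db, reusedFile), Scan(db, encodedFile)
}

func main() {
	k, r, e := DemoScan()
	fmt.Printf("known sample: %q\n", k)   // "Trojan.Constructed.A"
	fmt.Printf("reused code:  %q\n", r)   // "Trojan.Constructed.A"
	fmt.Printf("encoded copy: %q\n", e)   // "" (missed)
}
```

The hash entry catches only the byte-identical sample; the pattern entry also catches the embedded copy because the signature bytes survive. The encoded copy is missed by both, which is the gap that behavioral and anomaly-based controls are meant to cover.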
Question #: 672
Topic #: 1
An organization plans to leverage popular social network platforms to promote its products and services. Which of the following is the BEST course of action for the information security manager to support this initiative?
A. Conduct vulnerability assessments on social network platforms.
B. Assess the security risk associated with the use of social networks.
C. Establish processes to publish content on social networks.
D. Develop security controls for the use of social networks.
Selected Answer: B
Question #: 537
Topic #: 1
Changes have been proposed to a large organization’s enterprise resource planning (ERP) system that would violate existing security standards. Which of the following should be done FIRST to address this conflict?
A. Perform a cost-benefit analysis
B. Calculate business impact levels.
C. Validate current standards.
D. Implement updated standards.
Selected Answer: B
Question #: 534
Topic #: 1
A desktop computer is being used to perpetrate a fraud, and data on the machine must be secured for evidence. Which of the following should be done FIRST?
A. Encrypt the content of the hard drive using a strong algorithm.
B. Obtain a hash of the desktop computer’s internal hard drive.
C. Copy the data on the computer to an external hard drive.
D. Capture a forensic image of the computer.
Selected Answer: B
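How the acquisition hash and the image fit together in practice: a forensic imager reads the evidence source once, writes a bit-for-bit copy, and hashes the same bytes in that pass; the resulting digest is then used to prove that the image (and any later working copy) is unchanged. The Go program below is an added example and not part of the question bank; the in-memory "drive" contents are constructed, and the byte flip that stands in for a modified image is likewise made up.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
)

// AcquireImage reads the evidence source sequentially, producing a bit-for-bit
// copy and hashing the bytes in the same pass. It returns the image and the
// hex SHA-256 of exactly what was read.
func AcquireImage(src io.Reader) ([]byte, string, error) {
	h := sha256.New()
	var image bytes.Buffer
	// TeeReader sends every byte that reaches the image into the hash as well.
	if _, err := io.Copy(&image, io.TeeReader(src, h)); err != nil {
		return nil, "", err
	}
	return image.Bytes(), hex.EncodeToString(h.Sum(nil)), nil
}

// HashImage recomputes the digest of an image at rest.
func HashImage(image []byte) string {
	sum := sha256.Sum256(image)
	return hex.EncodeToString(sum[:])
}

// VerifyImage reports whether the image still matches the acquisition hash.
func VerifyImage(image []byte, acquisitionHash string) bool {
	return HashImage(image) == acquisitionHash
}

// constructedDrive stands in for the suspect workstation's disk: eight
// 512-byte sectors, the first carrying a sample file record. Made up for
// this example.
func constructedDrive() []byte {
	sector := make([]byte, 512)
	copy(sector, "ledger.xlsx modified by user jdoe")
	var d bytes.Buffer
	for i := 0; i < 8; i++ {
		d.Write(sector)
	}
	return d.Bytes()
}

// DemoAcquisition images the constructed drive, verifies the image against
// the acquisition hash, then verifies a copy with one byte altered.
// It returns (imageIntact, alteredCopyIntact, err).
func DemoAcquisition() (bool, bool, error) {
	drive := constructedDrive()
	image, acqHash, err := AcquireImage(bytes.NewReader(drive))
	if err != nil {
		return false, false, err
	}

	// Working copy that was modified after acquisition (e.g. examined without
	// a write blocker): a single byte differs.
	altered := append([]byte(nil), image...)
	altered[1024] ^= 0x01

	return VerifyImage(image, acqHash), VerifyImage(altered, acqHash), nil
}

func main() {
	intact, alteredOK, err := DemoAcquisition()
	if err != nil {
		panic(err)
	}
	fmt.Printf("image matches acquisition hash: %v\n", intact)  // true
	fmt.Printf("altered copy matches:           %v\n", alteredOK) // false
}
```

Hashing the source and imaging it are one operation here; the hash recorded at acquisition is the value that goes into the chain-of-custody record, and every later copy is checked against it with VerifyImage before analysis.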
Question #: 524
Topic #: 1
Which of the following should be the GREATEST consideration when determining the recovery time objective (RTO) for an in-house critical application, database, or server?
A. Direction from senior management
B. Results of recovery testing
C. Determination of recovery point objective (RPO)
D. Impact of service interruption
Selected Answer: D
Question #: 518
Topic #: 1
Which of the following is the BEST reason to consolidate security operations teams across a global organization?
A. Compliance with regulatory requirements
B. Enhanced visibility of threats
C. Detection of fraud
D. Cost reduction
Selected Answer: B
Question #: 505
Topic #: 1
When building support for an information security program, which of the following elements is MOST important?
A. Business impact analysis (BIA)
B. Identification of existing vulnerabilities
C. Threat analysis
D. Information risk assessment
Selected Answer: A
Question #: 503
Topic #: 1
Which of the following should be done FIRST to ensure a new critical cloud application can be supported by internal personnel?
A. Establish a capability maturity model.
B. Develop a training plan.
C. Conduct a risk assessment.
D. Perform a skills gap analysis.
Selected Answer: D
Question #: 523
Topic #: 1
An organization’s intrusion prevention system (IPS) detected and blocked an unusually large number of external intrusion attempts within a 24-hour period. Which of the following should be the information security manager’s FIRST course of action?
A. Perform security assessments on Internet-facing systems.
B. Identify the source and nature of the attempts.
C. Review the server and firewall audit logs.
D. Report the issue to senior management.
Selected Answer: B
Question #: 778
Topic #: 1
A PRIMARY purpose of creating security policies is to:
A. implement management’s security governance strategy.
B. establish the way security tasks should be executed.
C. communicate management’s security expectations.
D. define allowable security boundaries.
Selected Answer: C
Question #: 492
Topic #: 1
Which of the following should be the PRIMARY basis for determining information security objectives?
A. Business strategy
B. Regulatory requirements
C. Information security strategy
D. Data classification
Selected Answer: C
Question #: 440
Topic #: 1
Which of the following recovery approaches generally has the LOWEST periodic cost?
A. Shared contingency center
B. Reciprocal agreement
C. Redundant site
D. Cold site
Selected Answer: D
Question #: 479
Topic #: 1
Which of the following BEST demonstrates the added value of an information security program?
A. Security baselines
B. A gap analysis
C. A SWOT analysis
D. A balanced scorecard
Selected Answer: D
Question #: 438
Topic #: 1
A critical vulnerability is found on a server hosting multiple applications owned by different business units. One of the business units finds its hosted application will not function with the patch applied and chooses to accept the risk. Which of the following should be the information security manager's NEXT course of action?
A. Update the risk register
B. Develop a business case for compensating controls
C. Update the information security policy
D. Consult the incident management process
Selected Answer: A
Question #: 431
Topic #: 1
Who is accountable for ensuring proper controls are in place to address the confidentiality and availability of an information system?
A. Information owner
B. Business manager
C. Senior management
D. Information security manager
Selected Answer: D
Question #: 430
Topic #: 1
An information security manager has observed multiple exceptions for a number of different security controls. Which of the following should be the information security manager’s FIRST course of action?
A. Prioritize the risk and implement treatment options
B. Report the noncompliance to the board of directors
C. Inform respective risk owners of the impact of exceptions
D. Design mitigating controls for the exceptions
Selected Answer: C
Question #: 1030
Topic #: 1
A data discovery project uncovers an unclassified process document. Of the following, who is BEST suited to determine the classification?
A. Creator of the document
B. Data custodian
C. Information security manager
D. Security policy author
Selected Answer: A
Question #: 1021
Topic #: 1
Which of the following is the PRIMARY benefit of an information security awareness training program?
A. Evaluating organizational security culture
B. Enforcing security policy
C. Influencing human behavior
D. Defining risk accountability
Selected Answer: C
Question #: 1010
Topic #: 1
Which of the following is MOST important to include in an information security policy?
A. Maturity levels
B. Baselines
C. Best practices
D. Management objectives
Selected Answer: D
Question #: 1003
Topic #: 1
Which of the following presents the GREATEST challenge for protecting Internet of Things (IoT) devices?
A. IoT vendor reputation
B. IoT architecture diversity
C. IoT-specific training
D. IoT device policies
Selected Answer: B
Question #: 113
Topic #: 1
A critical server for a hospital has been encrypted by ransomware. The hospital is unable to function effectively without this server. Which of the following would MOST effectively allow the hospital to avoid paying the ransom?
A. A continual server replication process
B. Employee training on ransomware
C. A properly tested offline backup system
D. A properly configured firewall
Selected Answer: C
Question #: 1106
Topic #: 1
Which of the following should be updated FIRST when aligning the incident response plan with the corporate strategy?
A. Security procedures
B. Disaster recovery plan (DRP)
C. Incident notification plan
D. Risk response scenarios
Selected Answer: D
Question #: 1102
Topic #: 1
Which of the following is the BEST indication that an organization has integrated information security governance with corporate governance?
A. Impact is measured according to business loss when assessing IT risk.
B. Service levels for security vendors are defined according to business needs.
C. Security policies are reviewed whenever business objectives are changed.
D. Security performance metrics are measured against business objectives.
Selected Answer: C
Question #: 384
Topic #: 1
An anomaly-based intrusion detection system (IDS) operates by gathering data on:
A. normal network behavior and using it as a baseline for measuring abnormal activity.
B. abnormal network behavior and using it as a baseline for measuring normal activity.
C. abnormal network behavior and issuing instructions to the firewall to drop rogue connections.
D. attack pattern signatures from historical data.
Selected Answer: A
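The two detection questions above (Q523, where the first step is to identify the source and nature of a burst of blocked attempts, and Q384, where an anomaly-based IDS baselines normal behaviour and measures deviation from it) are easier to reason about with a concrete, if small, implementation. The following is an added example, not code from the question bank or from any IDS/IPS product. It parses a constructed firewall-style log (the line format, the addresses and the ports are all assumptions for illustration), builds a per-minute baseline from a training window, flags minutes that exceed the baseline by more than k standard deviations, and then summarises the flagged traffic by source address, action and destination port so an analyst can see who is doing what.

```python
"""Anomaly-based detection over constructed firewall/IPS log lines (added example).

Steps:
  1. parse()            - turn raw log lines into events (format is an assumption)
  2. per_minute_counts()- count events per minute
  3. build_baseline()   - mean/std of counts over a window of known-normal minutes
  4. flag_anomalies()   - minutes whose count exceeds mean + k*std
  5. summarize_sources()- for flagged minutes, group by source -> (action, port)
"""
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Assumed log format: "YYYY-MM-DD HH:MM:SS ACTION src:port -> dst:port"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d):\d\d "
    r"(?P<action>ALLOW|DROP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

# Ten minutes of known-normal traffic used as the training window, then one burst.
NORMAL_MINUTES = ["2024-05-01 09:%02d" % i for i in range(10)]
ATTACK_MINUTE = "2024-05-01 09:10"


def constructed_log():
    """Constructed sample input: light normal traffic, then a port sweep that the IPS drops."""
    lines = []
    for i, minute in enumerate(NORMAL_MINUTES):
        for j in range(3 + (i % 3)):  # 3..5 allowed connections per minute
            lines.append(f"{minute}:{j:02d} ALLOW 198.51.100.{10 + j}:5{j}000 -> 192.0.2.10:443")
    for j in range(40):  # one external host hitting several services, all dropped
        port = [22, 3389, 445, 23][j % 4]
        lines.append(f"{ATTACK_MINUTE}:{j % 60:02d} DROP 203.0.113.7:4{j:04d} -> 192.0.2.10:{port}")
    return lines


def parse(lines):
    """Return a list of dicts for lines matching LOG_RE; silently skip anything else."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def per_minute_counts(events):
    """Count events per minute (timestamp truncated to HH:MM)."""
    return Counter(e["ts"] for e in events)


def build_baseline(counts, training_minutes):
    """Mean and population std-dev of per-minute counts over the training window."""
    values = [counts.get(m, 0) for m in training_minutes]
    return mean(values), pstdev(values)


def flag_anomalies(counts, baseline, k=3.0):
    """Minutes whose count exceeds mean + k*std. Std is floored at 1.0 so a very
    quiet baseline does not flag every small fluctuation."""
    mu, sigma = baseline
    threshold = mu + k * max(sigma, 1.0)
    return {m: c for m, c in counts.items() if c > threshold}


def summarize_sources(events, minutes):
    """For the flagged minutes, map source IP -> Counter of (action, dest port).
    This is the 'source and nature' view the analyst needs before escalating."""
    by_src = defaultdict(Counter)
    for e in events:
        if e["ts"] in minutes:
            by_src[e["src"]][(e["action"], e["dport"])] += 1
    return by_src


def analyze(lines, training_minutes=NORMAL_MINUTES, k=3.0):
    """Run the full pipeline and return (baseline, anomalies, source summary)."""
    events = parse(lines)
    counts = per_minute_counts(events)
    baseline = build_baseline(counts, training_minutes)
    anomalies = flag_anomalies(counts, baseline, k)
    return baseline, anomalies, summarize_sources(events, anomalies)


if __name__ == "__main__":
    baseline, anomalies, sources = analyze(constructed_log())
    print("baseline mean=%.2f std=%.2f" % baseline)
    for minute, n in sorted(anomalies.items()):
        print(f"anomalous minute {minute}: {n} events")
    for src, detail in sources.items():
        print(src, dict(detail))
```

With the constructed input the ten training minutes carry 3 to 5 events each (mean 3.9), so the threshold lands just under 7 and only the 40-event minute is flagged; the summary then shows a single external address, every attempt dropped, spread across four service ports, which is the shape of a reconnaissance sweep rather than an exploit against one service. In a real deployment the training window would be far longer and seasonal (day-of-week, hour-of-day) rather than a flat ten minutes.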
Question #: 382
Topic #: 1
A multinational organization is required to follow governmental regulations with different security requirements at each of its operating locations. The chief information security officer (CISO) should be MOST concerned with:
A. developing a security program that meets global and regional requirements.
B. ensuring effective communication with local regulatory bodies.
C. monitoring compliance with defined security policies and standards.
D. using industry best practice to meet local legal regulatory requirements.
Selected Answer: A
Question #: 854
Topic #: 1
Which of the following is MOST effective in preventing the introduction of vulnerabilities that may disrupt the availability of a critical business application?
A. A patch management process
B. Change management controls
C. Version control
D. Logical access controls
Selected Answer: B
Question #: 849
Topic #: 1
Which of the following is MOST helpful for fostering an effective information security culture?
A. Obtaining support from key organizational influencers
B. Implementing comprehensive technical security controls
C. Conducting regular information security awareness training
D. Developing procedures to enforce the information security policy
Selected Answer: A
Question #: 841
Topic #: 1
When performing a business impact analysis (BIA), who should be responsible for determining the initial recovery time objective (RTO)?
A. Information security manager
B. External consultant
C. Business continuity coordinator
D. Information owner
Selected Answer: D
Question #: 838
Topic #: 1
To support effective risk decision making, which of the following is MOST important to have in place?
A. An audit committee consisting of mid-level management
B. Risk reporting procedures
C. Well-defined and approved controls
D. Established risk domains
Selected Answer: C
Question #: 834
Topic #: 1
When deciding to move to a cloud-based model, the FIRST consideration should be:
A. data classification.
B. physical location of the data.
C. storage in a shared environment.
D. availability of the data.
Selected Answer: B
Question #: 318
Topic #: 1
An online trading company discovers that a network attack has penetrated the firewall. What should be the information security manager’s FIRST response?
A. Evaluate the impact to the business.
B. Examine firewall logs to identify the attacker.
C. Notify the regulatory agency of the incident.
D. Implement mitigating controls.
Selected Answer: D
Question #: 314
Topic #: 1
From an information security perspective, legal issues associated with a transborder flow of technology-related items are MOST often related to:
A. website transactions and taxation.
B. encryption tools and personal data.
C. lack of competition and free trade.
D. software patches and corporate data.
Selected Answer: B
Question #: 313
Topic #: 1
An organization is considering the deployment of encryption software and systems organization-wide. The MOST important consideration should be whether:
A. a classification policy has been developed to incorporate the need for encryption
B. the business strategy includes exceptions to the encryption standard
C. data can be recovered if the encryption keys are misplaced
D. the implementation supports the business strategy
Selected Answer: D
Question #: 62
Topic #: 1
When developing an escalation process for an incident response plan, the information security manager should PRIMARILY consider the:
A. affected stakeholders.
B. incident response team.
C. availability of technical resources.
D. media coverage.
Selected Answer: A
Question #: 824
Topic #: 1
The information security manager has been notified of a new vulnerability that affects key data processing systems within the organization. Which of the following should be done FIRST?
A. Re-evaluate the risk.
B. Ask the business owner for the new remediation plan.
C. Inform senior management.
D. Implement compensating controls.
Selected Answer: A
Question #: 310
Topic #: 1
An information security manager has identified that security risks are not being treated in a timely manner. Which of the following is the BEST way to address this situation?
A. Assign a risk owner to each risk.
B. Create mitigating controls to manage the risks.
C. Provide regular updates about the current state of the risks.
D. Re-perform risk analysis at regular intervals.
Selected Answer: A
Question #: 266
Topic #: 1
When defining and communicating roles and responsibilities between an organization and cloud service provider, which of the following situations would present the GREATEST risk to the organization’s ability to ensure information risk is managed appropriately?
A. The service agreement uses a custom-developed RACI instead of an industry standard RACI to document responsibilities
B. The organization believes the provider accepted responsibility for issues affecting security that the provider did not accept
C. The organization and provider identified multiple information security responsibilities that neither party was planning to provide
D. The service agreement results in unnecessary duplication of effort because shared responsibilities have not been clearly defined
Selected Answer: B
Question #: 238
Topic #: 1
It is MOST important for an information security manager to ensure that security risk assessments are performed:
A. during a root cause analysis.
B. as part of the security business case.
C. consistently throughout the enterprise.
D. in response to the threat landscape.
Selected Answer: C
Question #: 236
Topic #: 1
Which of the following will MOST effectively minimize the chance of inadvertent disclosure of confidential information?
A. Applying data classification rules
B. Following the principle of least privilege
C. Restricting the use of removable media
D. Enforcing penalties for security policy violations
Selected Answer: B
Question #: 233
Topic #: 1
When establishing escalation processes for an organization’s computer security incident response team, the organization’s procedures should:
A. require events to be escalated whenever possible to ensure that management is kept informed.
B. provide unrestricted communication channels to executive leadership to ensure direct access.
C. specify step-by-step escalation paths to ensure an appropriate chain of command.
D. recommend the same communication path for events to ensure consistency of communication.
Selected Answer: C
Question #: 229
Topic #: 1
Which of the following is MOST appropriate to communicate to senior management regarding information risk?
A. Risk profile changes
B. Vulnerability scanning progress
C. Defined risk appetite
D. Emerging security technologies
Selected Answer: A
Question #: 281
Topic #: 1
The PRIMARY goal of the eradication phase in an incident response process is to:
A. provide effective triage and containment of the incident.
B. remove the threat and restore affected systems.
C. maintain a strict chain of custody.
D. obtain forensic evidence from the affected system.
Selected Answer: B
Question #: 747
Topic #: 1
Which of the following is the BEST way to reduce the risk associated with a bring your own device (BYOD) program?
A. Implement a mobile device policy and standard.
B. Provide employee training on secure mobile device practices.
C. Implement a mobile device management (MDM) solution.
D. Require employees to install an effective anti-malware app.
Selected Answer: C
Question #: 739
Topic #: 1
An information security manager has been made aware of a new data protection regulation that will soon go into effect. Which of the following is the BEST way to manage the risk of noncompliance?
A. Perform a gap analysis.
B. Consult with senior management on the best course of action.
C. Implement a program of work to comply with the new legislation.
D. Understand the cost of noncompliance.
Selected Answer: A
Question #: 728
Topic #: 1
A user reports a stolen personal mobile device that stores sensitive corporate data. Which of the following will BEST minimize the risk of data exposure?
A. Wipe the device remotely
B. Remove user’s access to corporate data
C. Prevent the user from using personal mobile devices
D. Report the incident to the police
Selected Answer: B
Question #: 684
Topic #: 1
What should be the information security manager’s FIRST step when updating an information security program?
A. Review costs and benchmark them against industry norms.
B. Interview business unit managers and key stakeholders.
C. Identify program components that do not align with business objectives.
D. Re-evaluate the organization’s business expectations and objectives.
Selected Answer: B
Question #: 234
Topic #: 1
Which of the following is the MOST beneficial outcome of testing an incident response plan?
A. The response includes escalation to senior management.
B. Test plan results are documented.
C. Incident response time is improved.
D. The plan is enhanced to reflect the findings of the test.
Selected Answer: D
Question #: 716
Topic #: 1
Which of the following is the MOST critical factor for information security program success?
A. A comprehensive risk assessment program for information security
B. The information security manager’s knowledge of the business
C. Ongoing audits and addressing open items
D. Security staff with appropriate training and adequate resources
Selected Answer: B
Question #: 832
Topic #: 1
Which of the following should an information security manager do FIRST when noncompliance with security standards is identified?
A. Validate the noncompliance
B. Include the noncompliance in the risk register
C. Report the noncompliance to senior management
D. Implement compensating controls to mitigate the noncompliance
Selected Answer: A
Question #: 703
Topic #: 1
Measuring which of the following is the MOST accurate way to determine the alignment of an information security strategy with organizational goals?
A. Number of blocked intrusion attempts
B. Number of business cases reviewed by senior management
C. Trends in the number of identified threats to the business
D. Percentage of controls integrated into business processes
Selected Answer: D
Question #: 698
Topic #: 1
Which of the following BEST supports the incident management process for attacks on an organization’s supply chain?
A. Requiring security awareness training for vendor staff
B. Including service level agreements (SLAs) in vendor contracts
C. Performing integration testing with vendor systems
D. Establishing communication paths with vendors
Selected Answer: D
Question #: 625
Topic #: 1
The PRIMARY purpose for continuous monitoring of security controls is to ensure:
A. alignment with compliance requirements.
B. effectiveness of controls.
C. control gaps are minimized.
D. system availability.
Selected Answer: D
Question #: 565
Topic #: 1
Which of the following is MOST important to consider when developing a business case to support the investment in an information security program?
A. Senior management support
B. Results of a risk assessment
C. Results of a cost-benefit analysis
D. Impact on the risk profile
Selected Answer: C
Question #: 665
Topic #: 1
Which of the following will result in the MOST accurate controls assessment?
A. Mature change management processes
B. Unannounced testing
C. Well-defined security policies
D. Senior management support
Selected Answer: B
Question #: 663
Topic #: 1
Which of the following is the BEST indication of an effective information security awareness training program?
A. An increase in the identification rate during phishing simulations
B. An increase in the speed of incident resolution
C. An increase in positive user feedback
D. An increase in the frequency of phishing tests
Selected Answer: A
Question #: 658
Topic #: 1
Which of the following should be the PRIMARY consideration when developing an incident response plan?
A. Previously reported incidents
B. Management support
C. Compliance with regulations
D. The definition of an incident
Selected Answer: D
Question #: 540
Topic #: 1
Which of the following is the MOST important function of an information security steering committee?
A. Assigning data classifications to organizational assets
B. Defining security standards for logical access controls
C. Developing organizational risk assessment processes
D. Obtaining multiple perspectives from the business
Selected Answer: D
Question #: 627
Topic #: 1
Which of the following messages would be MOST effective in obtaining senior management’s commitment to information security management?
A. Security is a business product and not a process.
B. Effective security eliminates risk to the business.
C. Adopt a recognized framework with metrics.
D. Security supports and protects the business.
Selected Answer: D
Question #: 429
Topic #: 1
Which of the following should be an information security manager’s FIRST course of action when developing an incident management and response plan?
A. Reassess management’s risk appetite
B. Conduct a gap analysis
C. Update the current risk register
D. Revise the business continuity plan (BCP)
Selected Answer: A
Question #: 603
Topic #: 1
A penetration test of a new system has identified a number of critical vulnerabilities, jeopardizing the go-live date. The information security manager is asked by the system owner to approve an exception to allow the system to be implemented without fixing the vulnerabilities. Which of the following is the MOST appropriate course of action?
A. Implement a log monitoring process.
B. Perform a risk assessment.
C. Develop a set of compensating controls.
D. Approve and document the exception.
Selected Answer: B
Question #: 5
Topic #: 1
Which of the following is the BEST way to build a risk-aware culture?
A. Periodically change risk awareness messages.
B. Ensure that threats are communicated organization-wide in a timely manner.
C. Periodically test compliance with security controls and post results.
D. Establish incentives and a channel for staff to report risks.
Selected Answer: D
Question #: 119
Topic #: 1
During a security assessment, an information security manager finds a number of security patches were not installed on a server hosting a critical business application. The application owner did not approve the patch installation to avoid interrupting the application. Which of the following should be the information security manager’s FIRST course of action?
A. Report the risk to the information security steering committee.
B. Determine mitigation options with IT management.
C. Communicate the potential impact to the application owner.
D. Escalate the risk to senior management.
Selected Answer: C
Question #: 583
Topic #: 1
Which of the following is the GREATEST risk of centralized information security administration within a multinational organization?
A. Slower turnaround
B. Less uniformity
C. Less objectivity
D. Violation of local law
Selected Answer: D
Question #: 581
Topic #: 1
Which of the following provides the BEST guidance when establishing a security program?
A. Risk assessment methodology
B. Security audit report
C. Information security budget
D. Information security framework
Selected Answer: D
Question #: 568
Topic #: 1
Which of the following is the MOST important input to the development of an effective information security strategy?
A. Well-defined security policies and procedures
B. Current and desired state of security
C. Business processes and requirements
D. Risk and business impact assessments
Selected Answer: C
Question #: 564
Topic #: 1
Which of the following security initiatives should be the FIRST step in helping an organization maintain compliance with privacy regulations?
A. Implementing a data classification framework
B. Implementing security information and event management (SIEM)
C. Installing a data loss prevention (DLP) solution
D. Developing security awareness training
Selected Answer: A