CISM Topic 4
Question #: 550
Topic #: 1
Which of the following provides the MOST comprehensive information related to an organization’s current risk profile?
A. Gap analysis results
B. Risk register
C. Heat map
D. Risk assessment results
Selected Answer: B
Question #: 543
Topic #: 1
Which of the following is an information security manager’s BEST course of action when a potential business breach is discovered in a critical business system?
A. Update the incident response plan.
B. Inform affected stakeholders.
C. Inform IT management.
D. Implement mitigating actions immediately.
Selected Answer: B
Question #: 35
Topic #: 1
The chief information security officer (CISO) has developed an information security strategy, but is struggling to obtain senior management commitment for funds to implement the strategy. Which of the following is the MOST likely reason?
A. The strategy does not include a cost-benefit analysis.
B. There was a lack of engagement with the business during development.
C. The strategy does not comply with security standards.
D. The CISO reports to the CIO.
Selected Answer: B
Question #: 530
Topic #: 1
Which of the following is MOST likely to trigger an update and revision of information security policies?
A. Engagement with a new service provider
B. Replacement of the information security manager
C. Attainment of business process maturity
D. Changes in the organization’s risk appetite
Selected Answer: A
Question #: 137
Topic #: 1
An information security manager was informed that a planned penetration test could potentially disrupt some services. Which of the following should be the FIRST course of action?
A. Estimate the impact and inform the business owner.
B. Accept the risk and document it in the risk register.
C. Ensure the service owner is available during the penetration test.
D. Reschedule the activity during an approved maintenance window.
Selected Answer: A
Question #: 140
Topic #: 1
The use of a business case to obtain funding for an information security investment is MOST effective when the business case:
A. relates the investment to the organization’s strategic plan.
B. realigns information security objectives to organizational strategy.
C. articulates management’s intent and information security directives in clear language.
D. translates information security policies and standards into business requirements.
Selected Answer: A
Question #: 131
Topic #: 1
Which of the following is MOST important to do after a security incident has been verified?
A. Notify the appropriate law enforcement authorities of the incident.
B. Follow the escalation process to inform key stakeholders.
C. Prevent the incident from creating further damage to the organization.
D. Contact forensic investigators to determine the root cause.
Selected Answer: C
Question #: 52
Topic #: 1
Which of the following provides the MOST essential input for the development of an information security strategy?
A. Results of an information security gap analysis
B. Measurement of security performance against IT goals
C. Results of a technology risk assessment
D. Availability of capable information security resources
Selected Answer: A
Question #: 69
Topic #: 1
For an organization that provides web-based services, which of the following security events would MOST likely initiate an incident response plan and be escalated to management?
A. Anti-malware alerts on several employees’ workstations
B. Several port scans of the web server
C. Multiple failed login attempts on an employee’s workstation
D. Suspicious network traffic originating from the demilitarized zone (DMZ)
Selected Answer: D
Question #: 19
Topic #: 1
When evaluating vendors for sensitive data processing, which of the following should be the FIRST step to ensure the correct level of information security is provided?
A. Develop metrics for vendor performance.
B. Include information security criteria as part of vendor selection.
C. Review third-party reports of potential vendors.
D. Include information security clauses in the vendor contract.
Selected Answer: B
Question #: 116
Topic #: 1
What is the PRIMARY objective of performing a vulnerability assessment following a business system update?
A. Improve the change control process.
B. Update the threat landscape.
C. Determine operational losses.
D. Review the effectiveness of controls.
Selected Answer: D
Question #: 109
Topic #: 1
A recent audit found that an organization’s new user accounts are not set up uniformly. Which of the following is MOST important for the information security manager to review?
A. Security policies
B. Automated controls
C. Guidelines
D. Standards
Selected Answer: D
Question #: 413
Topic #: 1
Which of the following documents should contain the INITIAL prioritization of recovery of services?
A. Threat assessment
B. IT risk analysis
C. Business impact analysis (BIA)
D. Business process map
Selected Answer: D
Question #: 208
Topic #: 1
Which of the following is the MOST effective way to protect the authenticity of data in transit?
A. Digital signature
B. Hash value
C. Private key
D. Public key
Selected Answer: B
Question #: 405
Topic #: 1
Implementing the principle of least privilege PRIMARILY requires the identification of:
A. job duties.
B. primary risk factors.
C. authentication controls.
D. data owners.
Selected Answer: A
Question #: 386
Topic #: 1
A newly appointed information security manager of a retailer with multiple stores discovers an HVAC (heating, ventilation, and air conditioning) vendor has remote access to the stores to enable real-time monitoring and equipment diagnostics. Which of the following should be the information security manager’s FIRST course of action?
A. Disconnect the real-time access.
B. Conduct a penetration test of the vendor.
C. Review the vendor contract.
D. Review the vendor’s technical security controls.
Selected Answer: D
Question #: 349
Topic #: 1
Which of the following is the MOST effective approach to ensure IT processes are performed in compliance with the information security policies?
A. Ensuring that key controls are embedded in the processes
B. Providing information security policy training to the process owners
C. Allocating sufficient resources
D. Identifying risks in the processes and managing those risks
Selected Answer: D
Question #: 528
Topic #: 1
When developing security processes for handling credit card data on the business unit’s information system, the information security manager should FIRST:
A. ensure that systems that handle credit card data are segmented.
B. review industry best practices for handling secure payments.
C. ensure alignment with industry encryption standards.
D. review corporate policies regarding credit card information.
Selected Answer: D
Question #: 510
Topic #: 1
An information security team must obtain approval from the information security steering committee to implement a key control. Which of the following is the MOST important input to assist the committee in making this decision?
A. IT strategy
B. Security architecture
C. Risk assessment
D. Business case
Selected Answer: D
Question #: 905
Topic #: 1
Which of the following is the BEST way to monitor for advanced persistent threats (APT) in an organization?
A. Browse the Internet to learn of potential events.
B. Search for threat signatures in the environment.
C. Search for anomalies in the environment.
D. Network with peers in the industry to share information.
Selected Answer: D
Question #: 464
Topic #: 1
Which of the following is a PRIMARY function of an incident response team?
A. To provide a single point of contact for critical incidents
B. To provide a risk assessment for zero-day vulnerabilities
C. To provide a business impact analysis (BIA)
D. To provide effective incident mitigation
Selected Answer: D
Question #: 455
Topic #: 1
Which of the following is the BEST course of action when confidential information is inadvertently disseminated outside the organization?
A. Change the encryption keys
B. Declare an incident
C. Review compliance requirements
D. Communicate the exposure
Selected Answer: D
Question #: 434
Topic #: 1
An organization’s HR department requires that employee account privileges be removed from all corporate IT systems within three days of termination to comply with a government regulation. However, the systems all have different user directories, and it currently takes up to four weeks to remove the privileges. Which of the following would BEST enable regulatory compliance?
A. Identity and access management (IAM) system
B. Privileged access management (PAM) system
C. Multi-factor authentication (MFA) system
D. Governance, risk, and compliance (GRC) system
Selected Answer: A
Question #: 389
Topic #: 1
To help ensure that an information security training program is MOST effective, its contents should be:
A. aligned to business processes.
B. based on employees’ roles.
C. based on recent incidents.
D. focused on information security policy.
Selected Answer: A
Question #: 1036
Topic #: 1
Which of the following should be done FIRST when developing an information security strategy that is aligned with organizational goals?
A. Establish a security risk framework with key risk indicators (KRIs).
B. Determine information security’s impact on the achievement of organizational goals.
C. Assess information security risk associated with the organizational goals.
D. Select information security projects related to the organizational goals.
Selected Answer: C
Question #: 1025
Topic #: 1
A security incident has been reported within an organization. When should an information security manager contact the information owner?
A. After the potential incident has been logged
B. After the incident has been contained
C. After the incident has been confirmed
D. After the incident has been mitigated
Selected Answer: C
Question #: 1023
Topic #: 1
A new type of ransomware has infected an organization’s network. Which of the following would have BEST enabled the organization to detect this situation?
A. Periodic information security training for end users
B. Use of integrated patch deployment tools
C. Regular review of the threat landscape
D. Monitoring of anomalies in system behavior
Selected Answer: D
Question #: 1017
Topic #: 1
Of the following, who would provide the MOST relevant input when aligning the information security strategy with organizational goals?
A. Data privacy officer (DPO)
B. Chief information security officer (CISO)
C. Information security steering committee
D. Enterprise risk committee
Selected Answer: C
Question #: 973
Topic #: 1
Which of the following BEST indicates that information security governance and corporate governance are integrated?
A. The information security team is aware of business goals.
B. A cost-benefit analysis is conducted on all information security initiatives.
C. The board is regularly informed of information security key performance indicators (KPIs).
D. The information security steering committee is composed of business leaders.
Selected Answer: D
Question #: 965
Topic #: 1
Which of the following should an information security manager do FIRST after identifying suspicious activity on a PC that is not in the organization’s IT asset inventory?
A. Isolate the PC from the network.
B. Perform a vulnerability scan.
C. Determine why the PC is not included in the inventory.
D. Reinforce information security training.
Selected Answer: A
Question #: 711
Topic #: 1
Which of the following BEST indicates the effectiveness of a recent information security awareness campaign delivered across the organization?
A. Increase in the frequency of security incident escalations
B. Reduction in the impact of security incidents
C. Decrease in the number of security incidents
D. Increase in the number of reported security incidents
Selected Answer: D
Question #: 132
Topic #: 1
Which of the following should be the PRIMARY driver for selecting and implementing appropriate controls to address the risk associated with weak user passwords?
A. The organization’s risk tolerance
B. The organization’s culture
C. The cost of risk mitigation controls
D. Direction from senior management
Selected Answer: B
Question #: 736
Topic #: 1
Which of the following BEST facilitates an information security manager’s efforts to obtain senior management commitment for an information security program?
A. Presenting evidence of inherent risk
B. Reporting the security maturity level
C. Presenting compliance requirements
D. Communicating the residual risk
Selected Answer: A
Question #: 352
Topic #: 1
Which of the following backup methods requires the MOST time to restore data for an application?
A. Disk mirroring
B. Differential
C. Incremental
D. Full backup
Selected Answer: C
Question #: 290
Topic #: 1
Which of the following is the PRIMARY objective of defining a severity hierarchy for security incidents?
A. To streamline the risk analysis process
B. To facilitate the classification of an organization’s IT assets
C. To prioritize available incident response resources
D. To facilitate root cause analysis of incidents
Selected Answer: C
Question #: 249
Topic #: 1
A corporate information security program is BEST positioned for success when:
A. staff is receptive to the program.
B. senior management supports the program.
C. security is thoroughly assessed in the program.
D. the program aligns with industry best practice.
Selected Answer: B
Question #: 248
Topic #: 1
Which of the following has the MOST direct impact on the usability of an organization’s asset classification policy?
A. The granularity of classifications in the hierarchy
B. The support of IT management for the classification scheme
C. The frequency of updates to the organization’s risk register
D. The business objectives of the organization
Selected Answer: A
Question #: 32
Topic #: 1
Which of the following is the BEST way for an organization to determine the maturity level of its information security program?
A. Review the results of information security awareness testing.
B. Validate the effectiveness of implemented security controls.
C. Benchmark the information security policy against industry standards.
D. Track the trending of information security incidents.
Selected Answer: C
Question #: 740
Topic #: 1
An information security manager learns of a new standard related to an emerging technology the organization wants to implement. Which of the following should the information security manager recommend be done FIRST?
A. Perform a risk assessment on the new technology.
B. Obtain legal counsel’s opinion on the standard’s applicability to regulations.
C. Determine whether the organization can benefit from adopting the new standard.
D. Review industry specialists’ analyses of the new standard.
Selected Answer: C
Question #: 856
Topic #: 1
Which type of plan is PRIMARILY intended to reduce the potential impact of security events that may occur?
A. Incident response plan
B. Business continuity plan (BCP)
C. Security awareness plan
D. Disaster recovery plan (DRP)
Selected Answer: B
Question #: 851
Topic #: 1
Which of the following is the PRIMARY objective of integrating information security governance into corporate governance?
A. To align security goals with the information security program
B. To ensure the business supports information security goals
C. To adequately safeguard the business in achieving its mission
D. To obtain management commitment for sustaining the security program
Selected Answer: C
Question #: 847
Topic #: 1
Which of the following is the PRIMARY role of an information security manager in a software development project?
A. To identify software security weaknesses
B. To identify noncompliance in the early design stage
C. To assess and approve the security application architecture
D. To enhance awareness for secure software design
Selected Answer: C
Question #: 835
Topic #: 1
Which of the following is the PRIMARY objective of incident triage?
A. Containment of threats
B. Coordination of communications
C. Categorization of events
D. Mitigation of vulnerabilities
Selected Answer: C
Question #: 825
Topic #: 1
Which of the following is the BEST way to assess the risk associated with using a Software as a Service (SaaS) vendor?
A. Require vendors to complete information security questionnaires.
B. Request customer references from the vendor.
C. Verify that information security requirements are included in the contract.
D. Review the results of the vendor’s independent control reports.
Selected Answer: D
Question #: 818
Topic #: 1
The MOST appropriate time to conduct a disaster recovery test would be after:
A. the security risk profile has been reviewed.
B. major business processes have been redesigned.
C. the business continuity plan (BCP) has been updated.
D. noncompliance incidents have been filed.
Selected Answer: C
Question #: 801
Topic #: 1
Reevaluation of risk is MOST critical when there is:
A. a management request for updated security reports.
B. resistance to the implementation of mitigating controls.
C. a change in the threat landscape.
D. a change in security policy.
Selected Answer: C
Question #: 745
Topic #: 1
Which of the following is the MOST important reason to implement information security governance?
A. To align the security strategy with the organization’s strategy
B. To monitor the performance of information security resources
C. To monitor the achievement of business goals and objectives
D. To provide adequate resources to achieve business goals
Selected Answer: A
Question #: 826
Topic #: 1
Security administration efforts will be greatly reduced following the deployment of which of the following techniques?
A. Access control lists
B. Distributed access control
C. Discretionary access control
D. Role-based access control
Selected Answer: D
Question #: 796
Topic #: 1
Which of the following has the GREATEST positive impact on the ability to execute a disaster recovery plan (DRP)?
A. Updating the plan periodically
B. Conducting a walk-through of the plan
C. Storing the plan at an offsite location
D. Communicating the plan to all stakeholders
Selected Answer: B
Question #: 915
Topic #: 1
Which of the following is an example of a deterrent control?
A. Segregation of responsibilities
B. A warning banner
C. An intrusion detection system (IDS)
D. Periodic data restoration
Selected Answer: B
Question #: 692
Topic #: 1
Which of the following is the BEST approach for governing noncompliance with security requirements?
A. Require users to acknowledge the acceptable use policy
B. Base mandatory review and exception approvals on residual risk
C. Require the steering committee to review exception requests
D. Base mandatory review and exception approvals on inherent risk
Selected Answer: C
Question #: 689
Topic #: 1
Which of the following sources is MOST useful when planning a business-aligned information security program?
A. Business impact analysis (BIA)
B. Information security policy
C. Security risk register
D. Enterprise architecture (EA)
Selected Answer: A
Question #: 664
Topic #: 1
Penetration testing is MOST appropriate when a:
A. new system is about to go live.
B. security incident has occurred.
C. security policy is being developed.
D. new system is being designed.
Selected Answer: D
Question #: 1013
Topic #: 1
During a post-incident review, it was determined that a known vulnerability was exploited in order to gain access to a system. The vulnerability was patched as part of the remediation on the offending system. Which of the following should be done NEXT?
A. Scan to determine whether the vulnerability is present on other systems.
B. Review the vulnerability management process.
C. Install patches on all existing systems.
D. Report the root cause of the vulnerability to senior management.
Selected Answer: A
Question #: 920
Topic #: 1
Which of the following should be performed FIRST in response to a new information security regulation?
A. Industry benchmarking
B. Independent audit
C. Risk assessment
D. Gap analysis
Selected Answer: D
Question #: 660
Topic #: 1
A post-incident review identified that user error resulted in a major breach. Which of the following is MOST important to determine during the review?
A. The underlying reason for the user error
B. The time and location that the breach occurred
C. Appropriate disciplinary procedures for user error
D. Evidence of previous incidents caused by the user
Selected Answer: A
Question #: 657
Topic #: 1
Which of the following is MOST helpful for protecting an enterprise from advanced persistent threats (APTs)?
A. Updated security policies
B. Regular antivirus updates
C. Defined security standards
D. Threat intelligence
Selected Answer: D
Question #: 650
Topic #: 1
The BEST way to identify the risk associated with a social engineering attack is to:
A. monitor the intrusion detection system (IDS).
B. review single sign-on (SSO) authentication logs.
C. perform a business risk assessment of the email filtering system.
D. test user knowledge of information security practices.
Selected Answer: D
Question #: 511
Topic #: 1
What should a global information security manager do FIRST when informed that a new regulation with significant impact will go into effect soon?
A. Perform a vulnerability assessment.
B. Perform a business impact analysis (BIA).
C. Perform a privacy impact assessment.
D. Perform a gap analysis.
Selected Answer: D
Question #: 461
Topic #: 1
Which of the following would be the GREATEST threat posed by a distributed denial of service (DDoS) attack on a public-facing web server?
A. Execution of unauthorized commands
B. Unauthorized access to resources
C. Defacement of website content
D. Prevention of authorized access
Selected Answer: D
Question #: 424
Topic #: 1
When evaluating the risk from external hackers, the maximum exposure time would be the difference between:
A. log refresh and restoration.
B. identification and resolution.
C. detection and response.
D. compromise and containment.
Selected Answer: C
Question #: 997
Topic #: 1
A finance department director has decided to outsource the organization’s budget application and has identified potential providers. Which of the following actions should be initiated FIRST by the information security manager?
A. Determine the required security controls for the new solution.
B. Obtain audit reports on the service providers’ hosting environment.
C. Review the disaster recovery plans (DRPs) of the providers.
D. Align the roles of the organization’s and the service providers’ staffs.
Selected Answer: A
Question #: 967
Topic #: 1
An organization has multiple data repositories across different departments. The information security manager has been tasked with creating an enterprise strategy for protecting data. Which of the following information security initiatives should be the HIGHEST priority for the organization?
A. Data loss prevention (DLP)
B. Data retention strategy
C. Data encryption standards
D. Data masking
Selected Answer: A
Question #: 392
Topic #: 1
Relationships between critical systems are BEST understood by:
A. performing a business impact analysis (BIA).
B. developing a system classification scheme.
C. evaluating key performance indicators (KPIs).
D. evaluating the recovery time objectives (RTOs).
Selected Answer: A
Question #: 370
Topic #: 1
When implementing a security policy for an organization handling personally identifiable information (PII), the MOST important objective should be:
A. strong encryption.
B. regulatory compliance.
C. security awareness training.
D. data availability.
Selected Answer: B
Question #: 367
Topic #: 1
Which of the following presents the GREATEST risk associated with the use of an automated security information and event management (SIEM) system?
A. Low number of false negatives
B. High number of false negatives
C. Low number of false positives
D. High number of false positives
Selected Answer: B
Question #: 359
Topic #: 1
Which of the following should include contact information for representatives of equipment and software vendors?
A. Business continuity plan (BCP)
B. Service level agreements (SLAs)
C. Information security program charter
D. Business impact analysis (BIA)
Selected Answer: A
Question #: 712
Topic #: 1
Which of the following is the BEST evidence of alignment between corporate and information security governance?
A. Security key performance indicators (KPIs)
B. Senior management sponsorship
C. Regular security policy reviews
D. Project resource optimization
Selected Answer: B
Question #: 702
Topic #: 1
Which of the following is the BEST method to protect against emerging advanced persistent threat (APT) actors?
A. Providing ongoing training to the incident response team
B. Updating information security awareness materials
C. Implementing a honeypot environment
D. Implementing proactive systems monitoring
Selected Answer: D
Question #: 337
Topic #: 1
Which of the following should be the PRIMARY basis for an information security strategy?
A. Audit and regulatory requirements
B. Information security policies
C. The organization’s vision and mission
D. Results of a comprehensive gap analysis
Selected Answer: C
Question #: 317
Topic #: 1
An information security manager finds a legacy application has no defined data owner. Of the following, who would be MOST helpful in identifying the appropriate data owner?
A. The individual responsible for providing support for the application
B. The individual who manages the process supported by the application
C. The individual who manages users of the application
D. The individual who has the most privileges within the application
Selected Answer: B
Question #: 315
Topic #: 1
Recovery time objectives (RTOs) are BEST determined by:
A. database administrators (DBAs).
B. business managers.
C. executive management.
D. business continuity officers.
Selected Answer: B
Question #: 308
Topic #: 1
Which of the following should an information security manager do FIRST to address complaints that a newly implemented security control has slowed business operations?
A. Conduct user awareness training.
B. Remove the control and identify alternatives.
C. Discuss the issue with senior management for direction.
D. Validate whether the control is operating as intended.
Selected Answer: C
Question #: 309
Topic #: 1
An information security manager is preparing incident response plans for an organization that processes personal and financial information. Which of the following is the MOST important consideration?
A. Aligning with an established industry framework
B. Determining budgetary constraints
C. Identifying regulatory requirements
D. Aligning with enterprise architecture (EA)
Selected Answer: C
Question #: 307
Topic #: 1
Which of the following would be of GREATEST assistance in determining whether to accept residual risk of a critical security system?
A. Maximum tolerable outage (MTO)
B. Recovery time objective (RTO)
C. Available annual budget
D. Cost-benefit analysis of mitigating controls
Selected Answer: D
Question #: 216
Topic #: 1
In addition to executive sponsorship and business alignment, which of the following is MOST critical for information security governance?
A. Ownership of security
B. Auditability of systems
C. Allocation of training resources
D. Compliance with policies
Selected Answer: A
Question #: 206
Topic #: 1
Management has expressed concerns to the information security manager that shadow IT may be a risk to the organization. What is the FIRST step the information security manager should take?
A. Block the end user’s ability to use shadow IT
B. Update the security policy to address shadow IT
C. Determine the value of shadow IT projects
D. Determine the extent of shadow IT usage
Selected Answer: D
Question #: 1024
Topic #: 1
Which of the following should an information security manager do FIRST upon notification of a potential security risk associated with a third-party service provider?
A. Determine risk treatment options.
B. Conduct a vulnerability analysis.
C. Escalate to the third-party provider.
D. Conduct a risk analysis.
Selected Answer: C
Question #: 681
Topic #: 1
An organization’s marketing department wants to use an online collaboration service, which is not in compliance with the information security policy. A risk assessment is performed, and risk acceptance is being pursued. Approval of risk acceptance should be provided by:
A. business senior management.
B. the compliance officer.
C. the information security manager.
D. the chief risk officer (CRO).
Selected Answer: C
Question #: 649
Topic #: 1
Which of the following should be done FIRST when developing an information security program?
A. Establish security policies.
B. Define the security strategy.
C. Approve security standards.
D. Set security baselines.
Selected Answer: A
Question #: 169
Topic #: 1
Senior management wants to provide mobile devices to its sales force. Which of the following should the information security manager do FIRST to support this objective?
A. Develop an acceptable use policy
B. Conduct a vulnerability assessment on the devices
C. Assess risks introduced by the technology
D. Research mobile device management (MDM) solutions
Selected Answer: C
Question #: 142
Topic #: 1
Which of the following is the PRIMARY responsibility of an information security steering committee?
A. Setting up password expiration procedures
B. Drafting security policies
C. Prioritizing security initiatives
D. Reviewing firewall rules
Selected Answer: C
Question #: 134
Topic #: 1
The business advantage of implementing authentication tokens is that they:
A. provide nonrepudiation.
B. reduce overall cost.
C. reduce administrative workload.
D. improve access security.
Selected Answer: C
Question #: 133
Topic #: 1
Which of the following is MOST important to consider when determining the effectiveness of the information security governance program?
A. Key performance indicators (KPIs)
B. Maturity models
C. Risk tolerance levels
D. Key risk indicators (KRIs)
Selected Answer: A
Question #: 121
Topic #: 1
An organization has experienced multiple instances of privileged users misusing their access. Which of the following processes would be MOST helpful in identifying such violations?
A. Policy exception review
B. Review of access controls
C. Security assessment
D. Log review
Selected Answer: D
Question #: 82
Topic #: 1
The MOST important reason to use a centralized mechanism to identify information security incidents is to:
A. comply with corporate policies.
B. detect threats across environments.
C. prevent unauthorized changes to networks.
D. detect potential fraud.
Selected Answer: B
Question #: 74
Topic #: 1
An organization finds unauthorized software has been installed on a number of workstations. The software was found to contain a Trojan, which had been uploading data to an unknown external party. Which of the following would have BEST prevented the installation of the unauthorized software?
A. Banning executable file downloads at the Internet firewall
B. Implementing an intrusion detection system (IDS)
C. Implementing application blacklisting
D. Removing local administrator rights
Selected Answer: D
Question #: 51
Topic #: 1
Which of the following is the MOST important reason for an organization to develop an information security governance program?
A. Establishment of accountability
B. Compliance with audit requirements
C. Creation of tactical solutions
D. Monitoring of security incidents
Selected Answer: A
Question #: 50
Topic #: 1
Which of the following would be MOST useful to help senior management understand the status of information security compliance?
A. Key performance indicators (KPIs)
B. Risk assessment results
C. Industry benchmarks
D. Business impact analysis (BIA) results
Selected Answer: A
Question #: 49
Topic #: 1
Which of the following is the PRIMARY responsibility of an information security manager in an organization that is implementing the use of company-owned mobile devices in its operations?
A. Review and update existing security policies.
B. Enforce passwords and data encryption on the devices.
C. Conduct security awareness training.
D. Require remote wipe capabilities for devices.
Selected Answer: A
Question #: 22
Topic #: 1
Which of the following is the MOST important security consideration when developing an incident response strategy with a cloud provider?
A. Security audit reports
B. Recovery time objective (RTO)
C. Technological capabilities
D. Escalation processes
Selected Answer: D
Question #: 10
Topic #: 1
Which of the following is the MOST effective way to address an organization’s security concerns during contract negotiations with a third party?
A. Review the third-party contract with the organization’s legal department.
B. Communicate security policy with the third-party vendor.
C. Ensure security is involved in the procurement process.
D. Conduct an information security audit on the third-party vendor.
Selected Answer: C
Question #: 176
Topic #: 1
An information security manager notes that security incidents are not being appropriately escalated by the help desk after tickets are logged. Which of the following is the BEST automated control to resolve this issue?
A. Integrating automated service level agreement (SLA) reporting into the help desk ticketing system
B. Changing the default setting for all security incidents to the highest priority
C. Integrating incident response workflow into the help desk ticketing system
D. Implementing automated vulnerability scanning in the help desk workflow
Selected Answer: C
Question #: 4
Topic #: 1
When management changes the enterprise business strategy, which of the following processes should be used to evaluate the existing information security controls as well as to select new information security controls?
A. Access control management
B. Change management
C. Configuration management
D. Risk management
Selected Answer: D
Question #: 983
Topic #: 1
Which of the following is the BEST way to maintain ongoing senior management support for the implementation of a security monitoring tool?
A. Demonstrate return on investment (ROI).
B. Update security plans.
C. Present security monitoring reports.
D. Communicate risk reduction.
Selected Answer: A
Question #: 968
Topic #: 1
Which of the following is ESSENTIAL to ensuring effective incident response?
A. Business continuity plan (BCP)
B. Cost-benefit analysis
C. Classification scheme
D. Senior management support
Selected Answer: C
Question #: 919
Topic #: 1
Which of the following is the BEST method for assisting with incident containment in an Infrastructure as a Service (IaaS) cloud environment?
A. Disabling unnecessary services
B. Implementing privileged identity management
C. Establishing automated detection
D. Implementing network segmentation
Selected Answer: D
Question #: 892
Topic #: 1
A daily monitoring report reveals that an IT employee made a change to a firewall rule outside of the change control process. The information security manager’s FIRST step in addressing the issue should be to:
A. perform an analysis of the change.
B. report the event to senior management.
C. require that the change be reversed.
D. review the change management process.
Selected Answer: A
Question #: 23
Topic #: 1
Executive leadership has decided to engage a consulting firm to develop and implement a comprehensive security framework for the organization to allow senior management to remain focused on business priorities. Which of the following poses the GREATEST challenge to the successful implementation of the new security governance framework?
A. Executive leadership becomes involved in decisions about information security governance.
B. Executive leadership views information security governance primarily as a concern of the information security management team.
C. Information security staff has little or no experience with the practice of information security governance.
D. Information security management does not fully accept the responsibility for information security governance.
Selected Answer: B
Question #: 81
Topic #: 1
Which of the following is the MOST effective way for an organization to ensure its third-party service providers are aware of information security requirements and expectations?
A. Including information security clauses within contracts
B. Auditing the service delivery of third-party providers
C. Providing information security training to third-party personnel
D. Requiring third parties to sign confidentiality agreements
Selected Answer: A
Question #: 770
Topic #: 1
Following a successful attack, an information security manager should be confident the malware has not continued to spread at the completion of which incident response phase?
A. Recovery
B. Eradication
C. Identification
D. Containment
Selected Answer: D
Question #: 724
Topic #: 1
The MOST important attribute of a security control is that it is:
A. auditable.
B. measurable.
C. scalable.
D. reliable.
Selected Answer: D
Question #: 37
Topic #: 1
What is the PRIMARY purpose of an unannounced disaster recovery exercise?
A. To provide metrics to senior management
B. To evaluate how personnel react to the situation
C. To assess service level agreements (SLAs)
D. To estimate the recovery time objective (RTO)
Selected Answer: B
Question #: 385
Topic #: 1
Which of the following factors would have the MOST significant impact on an organization’s information security governance model?
A. Corporate culture
B. Outsourced processes
C. Number of employees
D. Security budget
Selected Answer: B
Question #: 1040
Topic #: 1
An organization learns that a service provider experienced a breach last month and did not notify the organization. Which of the following should be the information security manager’s FIRST course of action?
A. Terminate the provider contract.
B. Conduct a business impact analysis (BIA).
C. Inform senior management.
D. Review the provider contract.
Selected Answer: D
Question #: 1031
Topic #: 1
Which of the following is MOST important to include in a post-incident report?
A. Forensic analysis results
B. List of potentially compromised assets
C. Root cause analysis
D. Service level agreements (SLAs)
Selected Answer: C
Question #: 1029
Topic #: 1
Which of the following is a viable containment strategy for a distributed denial of service (DDoS) attack?
A. Block IP addresses used by the attacker.
B. Disable firewall ports exploited by the attacker.
C. Power off affected servers.
D. Redirect the attacker’s traffic.
Selected Answer: D
Question #: 1006
Topic #: 1
After a risk has been identified, analyzed, and evaluated, which of the following should be done NEXT?
A. Monitor the risk.
B. Prioritize the risk for treatment.
C. Identify the risk owner.
D. Identify controls for risk mitigation.
Selected Answer: B
Question #: 995
Topic #: 1
When selecting metrics to monitor the effectiveness of an information security program, it is MOST important for an information security manager to:
A. identify the program’s risk and compensating controls.
B. consider the organization’s business strategy.
C. consider the strategic objectives of the program.
D. leverage industry benchmarks.
Selected Answer: C
Question #: 990
Topic #: 1
When responding to a security incident, information security management and the affected business unit management cannot agree whether to escalate the incident to senior management. Which of the following would MOST effectively prevent this situation from recurring?
A. Develop additional communication channels.
B. Obtain senior management buy-in for incident response processes.
C. Periodically test the incident response plan.
D. Create a clear definition of incident classifications.
Selected Answer: B
Question #: 989
Topic #: 1
Which of the following is the BEST defense-in-depth implementation for protecting high value assets or for handling environments that have trust concerns?
A. Continuous monitoring
B. Compartmentalization
C. Multi-factor authentication
D. Overlapping redundancy
Selected Answer: B
Question #: 987
Topic #: 1
Which of the following BEST determines the data retention strategy and subsequent policy for an organization?
A. Business impact analysis (BIA)
B. Risk appetite
C. Business requirements
D. Supplier requirements
Selected Answer: C
Question #: 980
Topic #: 1
Which of the following would be the GREATEST concern with the implementation of key risk indicators (KRIs)?
A. Inability to measure KRIs
B. Poorly defined risk appetite
C. Overly specific KRI definitions
D. Complex organizational structure
Selected Answer: B
Question #: 978
Topic #: 1
The MAIN reason for continuous monitoring of the security program is to:
A. validate reduction of incidents.
B. confirm benefits are being realized.
C. ensure alignment with industry standards.
D. optimize resource allocation.
Selected Answer: D
Question #: 972
Topic #: 1
Which of the following is MOST effective in monitoring an organization’s existing risk?
A. Vulnerability assessment results
B. Security information and event management (SIEM) systems
C. Periodic updates to risk register
D. Risk management dashboards
Selected Answer: D
Question #: 943
Topic #: 1
Which of the following is the BEST way to monitor the effectiveness of security controls?
A. Review application and system audit logs.
B. Conduct regular threat assessments.
C. Establish and report security metrics.
D. Benchmark security controls against similar organizations.
Selected Answer: C
Question #: 939
Topic #: 1
Which of the following is MOST effective in gaining support for the information security strategy from senior management?
A. Cost-benefit analysis results
B. Third-party security audit results
C. Business impact analysis (BIA) results
D. A major breach at a competitor
Selected Answer: A
Question #: 931
Topic #: 1
Which of the following is the MOST important success factor for maintaining an organizational security-aware culture?
A. Senior management sign-off on security projects and resources
B. Regular security training and simulation exercises
C. Regular organization-wide reporting on the risk profile
D. Employee security policy acknowledgment
Selected Answer: B
Question #: 927
Topic #: 1
A penetration test against an organization’s external web application shows several vulnerabilities. Which of the following presents the GREATEST concern?
A. Vulnerabilities were caused by insufficient user acceptance testing (UAT).
B. Exploit code for one of the vulnerabilities is publicly available.
C. A rules of engagement form was not signed prior to the penetration test.
D. Vulnerabilities were not found by internal tests.
Selected Answer: B
Question #: 921
Topic #: 1
To ensure the information security of outsourced IT services, which of the following is the MOST critical due diligence activity?
A. Assess the level of security awareness of the service provider.
B. Review a recent independent audit report of the service provider.
C. Review samples of service level reports from the service provider.
D. Request the service provider comply with information security policy.
Selected Answer: B
Question #: 898
Topic #: 1
The PRIMARY purpose of implementing information security governance metrics is to:
A. measure alignment with best practices.
B. refine control operations.
C. assess operational and program metrics.
D. guide security towards the desired state.
Selected Answer: D
Question #: 897
Topic #: 1
Which of the following is the BEST way to protect against unauthorized access to an encrypted file sent via email?
A. Validating the recipient’s identity
B. Using a digital signature in the email
C. Utilizing a separate distribution channel for the password
D. Ensuring a policy exists for encrypting files in transit
Selected Answer: C
Question #: 883
Topic #: 1
Which of the following should be triggered FIRST when unknown malware has infected an organization’s critical system?
A. Disaster recovery plan (DRP)
B. Vulnerability management plan
C. Incident response plan
D. Business continuity plan (BCP)
Selected Answer: C
Question #: 877
Topic #: 1
Of the following, who is accountable for data loss in the event of an information security incident at a third-party provider?
A. The information security manager
B. The service provider that hosts the data
C. The incident response team
D. The business data owner
Selected Answer: D
Question #: 869
Topic #: 1
The contribution of recovery point objective (RPO) to disaster recovery is to:
A. eliminate single points of failure.
B. reduce mean time between failures (MTBF).
C. define backup strategy.
D. minimize outage periods.
Selected Answer: C
Question #: 867
Topic #: 1
The GREATEST challenge when attempting data recovery of a specific file during forensic analysis is when:
A. high-level disk formatting has been performed.
B. all files in the directory have been deleted.
C. the partition table on the disk has been deleted.
D. the file has been overwritten.
Selected Answer: D
Question #: 866
Topic #: 1
Which of the following is MOST critical to ensure that information security incidents are managed properly?
A. Conducting an incident capability maturity assessment
B. Testing the incident response plan
C. Establishing an incident management performance matrix
D. Assembling the incident response team
Selected Answer: B
Question #: 297
Topic #: 1
Which of the following would provide the MOST useful information when prioritizing controls to be added to a system?
A. The risk register
B. Balanced scorecard
C. Compliance requirements
D. Baseline to industry standards
Selected Answer: A
Question #: 295
Topic #: 1
An organization has established a bring your own device (BYOD) program. Which of the following is the MOST important security consideration when allowing employees to use personal devices for corporate applications remotely?
A. Mandatory controls for maintaining security policy
B. Mobile operating systems support
C. Security awareness training
D. Secure application development
Selected Answer: A
Question #: 291
Topic #: 1
For an enterprise implementing a bring your own device (BYOD) program, which of the following would provide the BEST security of corporate data residing on unsecured mobile devices?
A. Device certification process
B. Acceptable use policy
C. Containerization solution
D. Data loss prevention (DLP)
Selected Answer: C
Question #: 280
Topic #: 1
Which of the following MOST effectively allows for disaster recovery testing without interrupting business operations?
A. Structured walk-through
B. Simulation testing
C. Parallel testing
D. Full interruption testing
Selected Answer: C
Question #: 278
Topic #: 1
Which of the following would BEST help to ensure compliance with an organization’s information security requirements by an IT service provider?
A. Requiring an external security audit of the IT service provider
B. Defining the business recovery plan with the IT service provider
C. Defining information security requirements with internal IT
D. Requiring regular reporting from the IT service provider
Selected Answer: A
Question #: 861
Topic #: 1
Which of the following is the BEST approach for addressing noncompliance with security standards?
A. Maintain a security exceptions process.
B. Apply additional logging and monitoring to affected assets.
C. Discontinue affected activities until security requirements can be met.
D. Develop new security standards.
Selected Answer: A
Question #: 274
Topic #: 1
Which of the following is the BEST way to evaluate the impact of threat events on an organization’s IT operations?
A. Risk assessment
B. Penetration testing
C. Scenario analysis
D. Controls review
Selected Answer: C
Question #: 269
Topic #: 1
What is the BEST approach for the information security manager to reduce the impact on a security program due to turnover within the security staff?
A. Recruit certified staff
B. Revise the information security program
C. Document security procedures
D. Ensure everyone is trained in their roles
Selected Answer: C
Question #: 254
Topic #: 1
Which of the following will protect the confidentiality of data transmitted over the Internet?
A. Message digests
B. Encrypting file system
C. Network address translation
D. IPsec protocol
Selected Answer: D
Question #: 840
Topic #: 1
What should be an information security manager’s MOST important consideration when developing a multi-year plan?
A. Ensuring contingency plans are in place for potential information security risks
B. Ensuring alignment with the plans of other business units
C. Demonstrating projected budget increases year after year
D. Allowing the information security program to expand its capabilities
Selected Answer: B
Question #: 836
Topic #: 1
Who is accountable for ensuring risk mitigation is effective?
A. Application owner
B. Business owner
C. Risk owner
D. Control owner
Selected Answer: C
Question #: 830
Topic #: 1
Which of the following would BEST help to ensure appropriate security controls are built into software?
A. Integrating security throughout the development process
B. Performing security testing prior to deployment
C. Providing standards for implementation during development activities
D. Providing security training to the software development team
Selected Answer: A
Question #: 231
Topic #: 1
An information security manager has been tasked with developing materials to update the board, regulatory agencies, and the media about a security incident.
Which of the following should the information security manager do FIRST?
A. Invoke the organization’s incident response plan.
B. Set up communication channels for the target audience.
C. Create a comprehensive singular communication.
D. Determine the needs and requirements of each audience.
Selected Answer: D
Question #: 220
Topic #: 1
Information security awareness programs are MOST effective when they are:
A. sponsored by senior management.
B. reinforced by computer-based training.
C. customized for each target audience.
D. conducted at employee orientation.
Selected Answer: A
Question #: 218
Topic #: 1
Which of the following is MOST important to the successful implementation of an information security program?
A. Key performance indicators (KPIs) are defined.
B. Adequate security resources are allocated to the program.
C. A balanced scorecard is approved by the steering committee.
D. The program is developed using global security standards.
Selected Answer: B
Question #: 214
Topic #: 1
Which of the following provides the BEST assurance that a contracted third-party provider meets an organization’s security requirements?
A. Continuous monitoring
B. Due diligence questionnaires
C. Right-to-audit clause in the contract
D. Performance metrics
Selected Answer: C
Question #: 211
Topic #: 1
Following a risk assessment, new countermeasures have been approved by management. Which of the following should be performed NEXT?
A. Schedule the target end date for implementation activities.
B. Develop an implementation strategy.
C. Budget the total cost of implementation activities.
D. Calculate the cost for each countermeasure.
Selected Answer: B
Question #: 811
Topic #: 1
Which of the following is the BEST way to achieve compliance with new global regulations related to the protection of personal information?
A. Review contracts and statements of work (SOWs) with vendors.
B. Determine current and desired state of controls.
C. Execute a risk treatment plan.
D. Implement data regionalization controls.
Selected Answer: B
Question #: 808
Topic #: 1
To confirm that a third-party provider complies with an organization’s information security requirements, it is MOST important to ensure:
A. contract clauses comply with the organization’s information security policy.
B. security metrics are included in the service level agreement (SLA).
C. the information security policy of the third-party service provider is reviewed.
D. right to audit is included in the service level agreement (SLA).
Selected Answer: D
Question #: 806
Topic #: 1
Which of the following would be the MOST effective way to present quarterly reports to the board on the status of the information security program?
A. Detailed analysis of security program KPIs
B. An information security risk register
C. An information security dashboard
D. A capability and maturity assessment
Selected Answer: C
Question #: 800
Topic #: 1
Which of the following BEST indicates that information assets are classified accurately?
A. An accurate and complete information asset catalog
B. Appropriate assignment of information asset owners
C. Appropriate prioritization of information risk treatment
D. Increased compliance with information security policy
Selected Answer: A