1. When performing a business impact analysis (BIA), who should be responsible for determining the initial recovery time objective (RTO)?
  A. Information owners
  B. Information security manager
  C. External consultant
  D. Business continuity coordinator

2. Which of the following would be an information security manager's PRIMARY challenge when deploying a bring your own device (BYOD) mobile program in an enterprise?
  A. Mobile application control
  B. End user acceptance
  C. Configuration management
  D. Inconsistent device security

3. To improve the efficiency of the development of a new software application, security requirements should be defined:
  A. after functional requirements.
  B. based on available security assessment tools.
  C. based on code review.
  D. concurrently with other requirements.

4. Which of the following is the MOST likely reason for a vulnerability scanner to return incomplete results?
  A. Zero-day vulnerability signatures have not been ingested.
  B. Unauthenticated vulnerability scans are being performed.
  C. Host names have not been fully enumerated.
  D. Scan results are not ingested into a security information and event management (SIEM) tool.

5. An information security manager learns that a risk owner has approved exceptions to replace key controls with weaker compensating controls to improve process efficiency. Which of the following should be the GREATEST concern?
  A. Noncompliance with industry best practices may result.
  B. Security audits may report more high-risk findings.
  C. Risk levels may be elevated beyond acceptable limits.
  D. The compensating controls may not be cost efficient.

6. Which of the following is the MOST important consideration when updating procedures for managing security devices?
  A. Review and approval of procedures by management
  B. Notification to management of the procedural changes
  C. Updates based on changes in risk, technology, and process
  D. Updates based on the organization's security framework

7. Which of the following is the PRIMARY benefit of training service desk staff to recognize incidents?
  A. Incident classification times can be improved.
  B. Risk response options can be identified quickly.
  C. Incident response plan can be activated in a timely manner.
  D. Incident metrics can be communicated.

8. Which of the following is the PRIMARY benefit of an information security awareness training program?
  A. Evaluating organizational security culture
  B. Influencing human behavior
  C. Enforcing security policy
  D. Defining risk accountability

9. Which of the following is BEST to include in a business case when the return on investment (ROI) for an information security initiative is difficult to calculate?
  A. Estimated increase in efficiency
  B. Estimated reduction in risk
  C. Projected increase in maturity level
  D. Projected costs over time

10. Which of the following BEST enables an organization to maintain an appropriate security control environment?
  A. Alignment to an industry security framework
  B. Budgetary support for security
  C. Monitoring of the threat landscape
  D. Periodic employee security training

11. A post-incident review identified that user error resulted in a major breach. Which of the following is MOST important to determine during the review?
  A. Evidence of previous incidents caused by the user
  B. The time and location that the breach occurred
  C. The underlying reason for the user error
  D. Appropriate disciplinary procedures for user error

12. An organization wants to migrate a proprietary application to be hosted by a third-party cloud hosting provider using a Platform as a Service (PaaS) model. Prior to selecting the cloud provider, what is MOST important for the organization to ensure?
  A. The cloud provider adheres to applicable regulations.
  B. The cloud provider's service level agreement (SLA) includes availability requirements.
  C. The cloud provider can meet recovery point objectives (RPOs).
  D. The hosting contract has a termination clause.

13.
A small organization with limited budget hires a new information security manager who finds the same IT staff member is assigned the responsibility of system administrator, security administrator, database administrator (DBA), and application administrator. What is the manager's BEST course of action?
  A. Automate user provisioning activities.
  B. Maintain strict control over user provisioning activities.
  C. Formally document IT administrator activities.
  D. Implement monitoring of IT administrator activities.

14. Which of the following is the BEST approach when creating a security policy for a global organization subject to varying laws and regulations?
  A. Incorporate policy statements derived from third-party standards and benchmarks.
  B. Require that all locations comply with a generally accepted set of industry
  C. Adhere to a unique corporate privacy and security standard.
  D. Establish baseline standards for all locations and add supplemental standards as required.

15. Management decisions concerning information security investments will be MOST effective when they are based on:
  A. the formalized acceptance of risk analysis by management.
  B. an annual loss expectancy (ALE) determined from the history of security events.
  C. the reporting of consistent and periodic assessments of risks.
  D. a process for identifying and analyzing threats and vulnerabilities.

16. A startup company deployed several new applications with vulnerabilities into production because security reviews were not conducted. What will BEST help to ensure effective application risk management going forward?
  A. Integrate information security into existing change management.
  B. Create a new governance council for application security.
  C. Supplement existing development teams with security engineers.
  D. Conduct automated scans on applications before deployment.

17. Which of the following BEST helps to ensure a risk response plan will be developed and executed in a timely manner?
  A. Training on risk management procedures
  B. Reporting on documented deficiencies
  C. Assigning a risk owner
  D. Establishing risk metrics

18. Which of the following is the BEST method for determining whether a firewall has been configured to provide a comprehensive perimeter defense?
  A. A port scan of the firewall from an internal source
  B. A simulated denial of service (DoS) attack against the firewall
  C. A validation of the current firewall rule set
  D. A ping test from an external source

19. Which of the following is MOST relevant for an information security manager to communicate to the board of directors?
  A. The level of exposure
  B. The level of inherent risk
  C. Threat assessments
  D. Vulnerability assessments

20. An incident response team recently encountered an unfamiliar type of cyber event. Though the team was able to resolve the issue, it took a significant amount of time to identify. What is the BEST way to help ensure similar incidents are identified more quickly in the future?
  A. Perform a threat analysis.
  B. Perform a post-incident review.
  C. Establish performance metrics for the team.
  D. Implement a SIEM solution.

21. Which of the following BEST facilitates recovery of data lost as a result of a cybersecurity incident?
  A. Encrypted data drives
  B. Removable storage media
  C. Disaster recovery plan (DRP)
  D. Offsite data backups

22. An information security manager learns that IT personnel are not adhering to the information security policy because it creates process inefficiencies. What should the information security manager do FIRST?
  A. Determine the risk related to noncompliance with the policy.
  B. Conduct user awareness training within the IT function.
  C. Request that internal audit conduct a review of the policy development process.
  D. Propose that IT update information security policies and procedures.

23. Which of the following is a PRIMARY function of an incident response team?
  A. To provide a single point of contact for critical incidents
  B. To provide a business impact analysis (BIA)
  C. To provide effective incident mitigation
  D. To provide a risk assessment for zero-day vulnerabilities

24. Which of the following is the PRIMARY reason for an information security manager to periodically review existing controls?
  A. To address end-user control complaints
  B. To prioritize security initiatives
  C. To avoid redundant controls
  D. To align with emerging risk

25. Which of the following has the MOST influence on the inherent risk of an information asset?
  A. Return on investment (ROI)
  B. Risk tolerance
  C. Business criticality
  D. Net present value (NPV)

26. An organization is implementing an information security governance framework. To communicate the program's effectiveness to stakeholders, it is MOST important to establish:
  A. metrics for each milestone.
  B. automated reporting to stakeholders.
  C. a monitoring process for the security policy.
  D. a control self-assessment (CSA) process.

27. Which of the following is the BEST way to assess the risk associated with using a Software as a Service (SaaS) vendor?
  A. Request customer references from the vendor.
  B. Verify that information security requirements are included in the contract.
  C. Require vendors to complete information security questionnaires.
  D. Review the results of the vendor's independent control reports.

28. Which of the following is the MOST effective defense against malicious insiders compromising confidential information?
  A. Prompt termination procedures
  B. Regular audits of access controls
  C. Strong background checks when hiring staff
  D. Role-based access control (RBAC)

29. When establishing classifications of security incidents for the development of an incident response plan, which of the following provides the MOST valuable input?
  A. The business continuity plan (BCP)
  B. Business impact analysis (BIA) results
  C. Vulnerability assessment results
  D. Recommendations from senior management

30.
Which of the following metrics would provide an accurate measure of an information security program's performance?
  A. A collection of quantitative indicators that are compared against industry benchmarks
  B. A single numeric score derived from various measures assigned to the security program
  C. A collection of qualitative indicators that accurately measure security exceptions
  D. A combination of qualitative and quantitative trends that enable decision making

31. The MOST effective tools for responding to new and advanced attacks are those that detect attacks based on:
  A. behavior analysis.
  B. penetration testing.
  C. data packet analysis.
  D. signature analysis.

32. An organization's marketing department wants to use an online collaboration service, which is not in compliance with the information security policy. A risk assessment is performed, and risk acceptance is being pursued. Approval of risk acceptance should be provided by:
  A. the chief risk officer (CRO).
  B. the compliance officer.
  C. business senior management.
  D. the information security manager.

33. An information security manager has been made aware of a new data protection regulation that will soon go into effect. Which of the following is the BEST way to manage the risk of noncompliance?
  A. Implement a program of work to comply with the new legislation.
  B. Understand the cost of noncompliance.
  C. Perform a gap analysis.
  D. Consult with senior management on the best course of action.

34. Which of the following is the PRIMARY purpose of an acceptable use policy?
  A. To provide steps for carrying out security-related procedures
  B. To protect the organization from misuse of information assets
  C. To provide minimum security baselines for information assets
  D. To facilitate enforcement of security process workflows

35. The PRIMARY reason to properly classify information assets is to determine:
  A. the business impact if assets are compromised.
  B. user access levels based on the need to know.
  C. the appropriate protection based on sensitivity.
  D. appropriate encryption strength using a risk-based approach.

36. Which of the following presents the GREATEST challenge to a security operations center's analysis of potential security breaches?
  A. The patch management system does not deploy patches in a timely manner.
  B. IT system clocks are not synchronized with the centralized logging server.
  C. Operating systems are no longer supported by the vendor.
  D. An organization has a decentralized data center that uses cloud services.

37. During the initiation phase of the system development life cycle (SDLC) for a software project, information security activities should address:
  A. security objectives.
  B. benchmarking security metrics.
  C. cost-benefit analyses.
  D. baseline security controls.

38. Which of the following is PRIMARILY determined by asset classification?
  A. Level of protection required for assets
  B. Priority for asset replacement
  C. Insurance coverage required for assets
  D. Replacement cost of assets

39. The PRIMARY objective of performing a post-incident review is to:
  A. identify the root cause.
  B. identify vulnerabilities.
  C. re-evaluate the impact of incidents.
  D. identify control improvements.

40. Once a suite of security controls has been successfully implemented for an organization's business units, it is MOST important for the information security manager to:
  A. perform testing to compare control performance against industry levels.
  B. ensure the controls are regularly tested for ongoing effectiveness.
  C. hand over the controls to the relevant business owners.
  D. prepare to adapt the controls for future system upgrades.

41. Which of the following is the MOST effective way to increase security awareness in an organization?
  A. Include information security requirements in job descriptions.
  B. Require signed acknowledgment of information security policies.
  C. Implement regularly scheduled information security audits.
  D. Conduct periodic simulated phishing exercises.

42.
Which of the following is the MOST important reason to ensure information security is aligned with the organization's strategy?
  A. To optimize security risk management
  B. To identify the organization's risk tolerance
  C. To improve security processes
  D. To align security roles and responsibilities

43. Which of the following components of an information security risk assessment is MOST valuable to senior management?
  A. Threat profile
  B. Return on investment (ROI)
  C. Mitigation actions
  D. Residual risk

44. During the implementation of a new system, which of the following processes proactively minimizes the likelihood of disruption, unauthorized alterations, and errors?
  A. Version management
  B. Change management
  C. Password management
  D. Configuration management

45. Which of the following is MOST important to include in a report to key stakeholders regarding the effectiveness of an information security program?
  A. Security metrics
  B. Security incident details
  C. Security risk exposure
  D. Security baselines

46. Which of the following is the BEST approach to reduce unnecessary duplication of compliance activities?
  A. Standardization of compliance requirements
  B. Documentation of control procedures
  C. Automation of controls
  D. Integration of assurance efforts

47. A department has reported that a security control is no longer effective. Which of the following is the information security manager's BEST course of action?
  A. Check for defense in depth.
  B. Assess the control state.
  C. Replace the control.
  D. Report the failure to management.

48. Which type of backup BEST enables an organization to recover data after a ransomware attack?
  A. Incremental backup
  B. Online backup
  C. Differential backup
  D. Offline backup

49. Which of the following BEST minimizes information security risk in deploying applications to the production environment?
  A. Verifying security during the testing process
  B. Integrating security controls in each phase of the life cycle
  C. Conducting penetration testing post implementation
  D. Having a well-defined change process

50.
Which of the following should include contact information for representatives of equipment and software vendors?
  A. Information security program charter
  B. Service level agreements (SLAs)
  C. Business impact analysis (BIA)
  D. Business continuity plan (BCP)

51. Which of the following should be done FIRST to prioritize response to incidents?
  A. Escalation
  B. Containment
  C. Analysis
  D. Triage

52. Which of the following is the MOST important consideration when defining control objectives?
  A. Threat environment
  B. Budget allocation
  C. Risk appetite
  D. Senior management support

53. Recovery time objectives (RTOs) are an output of which of the following?
  A. Disaster recovery plan (DRP)
  B. Service level agreement (SLA)
  C. Business continuity plan (BCP)
  D. Business impact analysis (BIA)

54. Which of the following is a PRIMARY benefit of managed security solutions?
  A. Wider range of capabilities
  B. Lower cost of operations
  C. Easier implementation across an organization
  D. Greater ability to focus on core business operations

55. A business impact analysis (BIA) BEST enables an organization to establish:
  A. annualized loss expectancy (ALE).
  B. total cost of ownership (TCO).
  C. restoration priorities.
  D. recovery methods.

56. The BEST way to report to the board on the effectiveness of the information security program is to present:
  A. a dashboard illustrating key performance metrics.
  B. peer-group industry benchmarks.
  C. a report of cost savings from process improvements.
  D. a summary of the most recent audit findings.

57. Which of the following is MOST important to maintain integration among the incident response plan, business continuity plan (BCP), and disaster recovery plan (DRP)?
  A. Recovery time objectives (RTOs)
  B. Escalation procedures
  C. Asset classification
  D. Chain of custody

58. Which of the following would be the GREATEST threat posed by a distributed denial of service (DDoS) attack on a public-facing web server?
  A. Unauthorized access to resources
  B. Execution of unauthorized commands
  C. Prevention of authorized access
  D. Defacement of website content

59.
Which of the following is the GREATEST benefit of performing a tabletop exercise of the business continuity plan (BCP)?
  A. It allows for greater participation and planning from the business side.
  B. It identifies appropriate follow-up work to address shortcomings in the plan.
  C. It helps in assessing the availability of compatible backup hardware.
  D. It provides a low-cost method of assessing the BCP's completeness.

60. Which of the following should be updated FIRST to account for new regulatory requirements that impact current information security controls?
  A. Information security policy
  B. Business impact analysis (BIA)
  C. Risk register
  D. Control matrix

61. The PRIMARY purpose of conducting a business impact analysis (BIA) is to determine the:
  A. recovery time objective (RTO).
  B. scope of the incident response plan.
  C. scope of the business continuity program.
  D. resources needed for business recovery.

62. Which of the following is the PRIMARY reason for executive management to be involved in establishing an enterprise's security management framework?
  A. To satisfy auditors' recommendations for enterprise security
  B. To ensure industry best practices for enterprise security are followed
  C. To establish the minimum level of controls needed
  D. To determine the desired state of enterprise security

63. Which of the following is MOST important to include in an information security policy?
  A. Management objectives
  B. Baselines
  C. Maturity levels
  D. Best practices

64. Which of the following provides an information security manager with the MOST accurate indication of the organization's ability to respond to a cyber attack?
  A. Walk-through of the incident response plan
  B. Simulated phishing exercise
  C. Red team exercise
  D. Black box penetration test

65. Which of the following is the PRIMARY objective of a cyber resilience strategy?
  A. Business continuity
  B. Regulatory compliance
  C. Employee awareness
  D. Executive support

66.
An employee clicked on a link in a phishing email, triggering a ransomware attack. Which of the following should be the information security manager's FIRST course of action?
  A. Notify internal legal counsel.
  B. Isolate the impacted endpoints.
  C. Wipe the affected system.
  D. Notify senior management.

67. An organization successfully responded to an information security incident. However, the information security manager learned that some of the steps specified in the incident management procedures were not taken by the response team. What should be the information security manager's FIRST step?
  A. Review the incident management procedures.
  B. Interview the incident response team.
  C. Remove the steps from the incident management procedures.
  D. Provide additional training to the incident response team.

68. Which of the following should be the PRIMARY focus of a lessons learned exercise following a successful response to a cybersecurity incident?
  A. How incident management processes were executed
  B. When business operations were restored after the incident
  C. Identifying attack vectors utilized in the incident
  D. Establishing the root cause of the incident

69. Which of the following is the PRIMARY objective of information asset classification?
  A. Risk management
  B. Vulnerability reduction
  C. Compliance management
  D. Threat minimization

70. An employee who is a remote user has copied financial data from the corporate server to a laptop using virtual private network (VPN) connectivity. Which of the following is the MOST important factor to determine if it should be classified as a data leakage incident?
  A. Review of the audit logs
  B. Ownership of the data
  C. Valid use case
  D. Employee's job role

71. Which of the following BEST ensures timely and reliable access to services?
  A. Nonrepudiation
  B. Availability
  C. Authenticity
  D. Recovery time objective (RTO)

72. Which of the following will have the GREATEST influence on the successful adoption of an information security governance program?
  A. Control effectiveness
  B. Security policies
  C. Security management processes
  D. Organizational culture

73. An organization is performing due diligence when selecting a third party. Which of the following is MOST helpful to reduce the risk of unauthorized sharing of information during this process?
  A. Establishing mutual non-disclosure agreements (NDAs)
  B. Obtaining industry references
  C. Requiring third-party privacy policies
  D. Using secure communication channels

74. Which of the following is the PRIMARY reason to involve stakeholders from various business units when developing an information security policy?
  A. To gain acceptance of the policy across the organization
  B. To decrease the workload of the IT department
  C. To reduce the overall cost of policy development
  D. To share responsibility for addressing security breaches

75. Which of the following is the BEST justification for making a revision to a password policy?
  A. Industry best practice
  B. Vendor recommendation
  C. A risk assessment
  D. Audit recommendation

76. An organization that conducts business globally is planning to utilize a third-party service provider to process payroll information. Which of the following issues poses the GREATEST risk to the organization?
  A. The third party's service level agreement (SLA) does not include guarantees of uptime.
  B. The third-party contract does not include an indemnity clause for compensation in the event of a breach.
  C. The third party does not have an independent assessment of controls available for review.
  D. The third party has not provided evidence of compliance with local regulations where data is generated.

77. Which of the following should be the MOST important consideration when reviewing an information security strategy?
  A. Recent security incidents
  B. Internal audit findings
  C. New business initiatives
  D. Industry security standards

78. Determining the risk for a particular threat/vulnerability pair before controls are applied can be expressed as:
  A. a function of the cost and effectiveness of controls over a vulnerability.
  B. the magnitude of the impact, should a threat exploit a vulnerability.
  C. a function of the likelihood and impact, should a threat exploit a vulnerability.
  D. the likelihood of a given threat attempting to exploit a vulnerability.

79. For which of the following is it MOST important that system administrators be restricted to read-only access?
  A. System logging options
  B. Administrator user profiles
  C. Administrator log files
  D. User access log files

80. Which of the following BEST helps to ensure a third-party backup site continues to meet the organization's information security standards?
  A. Disaster recovery plan (DRP)
  B. Business continuity plan (BCP)
  C. Memorandum of understanding (MoU)
  D. Service level agreement (SLA)

81. Which of the following roles has the PRIMARY responsibility to ensure the operating effectiveness of IT controls?
  A. IT compliance leader
  B. Risk owner
  C. Information security manager
  D. Control tester

82. Which of the following provides the BEST input to determine the level of protection needed for an IT system?
  A. Asset classification
  B. Vulnerability assessment
  C. Threat analysis
  D. Internal audit findings

83. Which of the following is ESSENTIAL to ensuring effective incident response?
  A. Business continuity plan (BCP)
  B. Senior management support
  C. Cost-benefit analysis
  D. Classification scheme

84. Which of the following is the BEST way for an organization to ensure that incident response teams are properly prepared?
  A. Documenting multiple scenarios for the organization and response steps
  B. Providing training from third-party forensics firms
  C. Obtaining industry certifications for the response team
  D. Conducting tabletop exercises appropriate for the organization

85. Which of the following is the MOST important consideration when developing key performance indicators (KPIs) for the information security program?
  A. Alignment with risk appetite
  B. Alignment with financial reporting
  C. Alignment with industry frameworks
  D. Alignment with business initiatives

86.
Which of the following is MOST important to include in security incident escalation procedures?
  A. Recovery procedures
  B. Key objectives of the security program
  C. Notification criteria
  D. Containment procedures

87. An information security team has started work to mitigate findings from a recent penetration test. Which of the following presents the GREATEST risk to the organization?
  A. Not all findings from the penetration test report were fixed.
  B. Some findings were reclassified to low risk after evaluation.
  C. The penetration testing report did not contain any high-risk findings.

88. Which of the following is MOST important to the effectiveness of an information security steering committee?
  A. The committee has strong regulatory knowledge.
  B. The committee has cross-organizational representation.
  C. The committee is comprised of representatives from senior management.
  D. The committee uses a risk management framework.

89. Which of the following is the BEST way to prevent insider threats?
  A. Implement strict security policies and password controls.
  B. Conduct organization-wide security awareness training.
  C. Implement logging for all access activities.
  D. Enforce separation of duties and least privilege access.

90. Which of the following is the BEST reason to implement an information security architecture?
  A. Facilitate consistent implementation of security requirements.
  B. Fast-track the deployment of information security components.
  C. Assess the cost-effectiveness of the integration.
  D. Serve as a post-deployment information security road map.

91. An organization plans to implement a new e-commerce operation in a highly regulated market. Which of the following is MOST important to consider when updating the risk management strategy?
  A. Strategy of industry peers
  B. Compliance requirements
  C. Business culture
  D. Outsourcing needs

92. Which of the following is the PRIMARY benefit of implementing an information security governance framework?
  A. The framework is able to confirm the validity of business goals and strategies.
  B. The framework provides a roadmap to maximize revenue through the secure use of technology.
  C. The framework defines managerial responsibilities for risk impacts to business goals.
  D. The framework provides direction to meet business goals while balancing risks and controls.

93. Which of the following should be the FIRST step to gain approval for outsourcing to address a security gap?
  A. Collect additional metrics.
  B. Perform a cost-benefit analysis.
  C. Submit funding request to senior management.
  D. Begin due diligence on the outsourcing company.

94. An organization's disaster recovery plan (DRP) is documented and kept at a disaster recovery site. Which of the following is the BEST way to ensure the plan can be carried out in an emergency?
  A. Require disaster recovery documentation be stored with all key decision makers.
  B. Provide annual disaster recovery training to appropriate staff.
  C. Store disaster recovery documentation in a public cloud.
  D. Maintain an outsourced contact center in another country.

95. Which of the following is the PRIMARY benefit of implementing a vulnerability assessment process?
  A. Proactive risk management is facilitated.
  B. Security metrics are enhanced.
  C. Compliance status is improved.
  D. Threat management is enhanced.

96. Who is BEST suited to determine how the information in a database should be classified?
  A. Database analyst
  B. Data owner
  C. Database administrator (DBA)
  D. Information security analyst

97. Which of the following BEST facilitates effective strategic alignment of security initiatives?
  A. Procedures and standards are approved by department heads.
  B. Organizational units contribute to and agree on priorities.
  C. The business strategy is periodically updated.
  D. Periodic security audits are conducted by a third party.

98. Which of the following change management procedures is MOST likely to cause concern to the information security manager?
  A. A manual rather than an automated process is used to compare program versions.
  B. Users are not notified of scheduled system changes.
  C. The development manager migrates programs into production.
  D. Fallback processes are tested the weekend before changes are made.

99. When selecting metrics to monitor the effectiveness of an information security program, it is MOST important for an information security manager to:
  A. leverage industry benchmarks.
  B. identify the program's risk and compensating controls.
  C. consider the organization's business strategy.
  D. consider the strategic objectives of the program.

100. Which of the following should be updated FIRST when aligning the incident response plan with the corporate strategy?
  A. Risk response scenarios
  B. Security procedures
  C. Incident notification plan
  D. Disaster recovery plan (DRP)

101. Reverse lookups can be used to prevent successful:
  A. session hijacking.
  B. phishing attacks.
  C. Internet protocol (IP) spoofing.
  D. denial of service (DoS) attacks.

102. Which type of policy BEST helps to ensure that all employees, contractors, and third-party users receive formal communication regarding an organization's security program?
  A. Information security training policy
  B. Management review policy
  C. Security incident management policy
  D. Business continuity management policy

103. While classifying information assets, an information security manager notices that several production databases do not have owners assigned to them. What is the BEST way to address this situation?
  A. Review the databases for sensitive content.
  B. Prepare a report of the databases for senior management.
  C. Assign responsibility to the database administrator (DBA).
  D. Assign the highest classification level to those databases.

104. Management has announced the acquisition of a new company. The information security manager of the parent company is concerned that conflicting access rights may cause critical information to be exposed during the integration of the two companies. To BEST address this concern, the information security manager should:
  A. implement consistent access control standards.
  B. review access rights as the acquisition integration occurs.
  C. escalate concerns for conflicting access rights to management.
  D. perform a risk assessment of the access rights.

105. Which of the following should be an information security manager's FIRST course of action when one of the organization's critical third-party providers experiences a data breach?
  A. Inform the public relations officer.
  B. Monitor the third party's response.
  C. Inform customers of the breach.
  D. Invoke the incident response plan.

106. Which of the following is the MOST important issue in a penetration test?
  A. Performing the test without the benefit of any insider knowledge
  B. Obtaining permission from audit
  C. Having a defined goal as well as success and failure criteria
  D. Having an independent group perform the test

107. The PRIMARY objective of timely declaration of a disaster is to:
  A. assess and correct disaster recovery process deficiencies.
  B. ensure engagement of business management in the recovery process.
  C. protect critical physical assets from further loss.
  D. ensure the continuity of the organization's essential services.

108. An organization's information security manager is performing a post-incident review of a security incident in which the following events occurred:
  * A bad actor broke into a business-critical FTP server by brute forcing an administrative password.
  * The third-party service provider hosting the server sent an automated alert message to the help desk, but it was ignored.
  * The bad actor could not access the administrator console, but was exposed to encrypted data transferred to the server.
  * After three hours, the bad actor deleted the FTP directory, causing incoming FTP attempts by legitimate customers to fail.
  Which of the following could have been prevented by conducting regular incident response testing?
  A. Ignored alert messages
  B. The server being compromised
  C. The brute force attack
  D. Stolen data

109.
Which of the following MUST be established to maintain an effective information security governance framework?
  A. Security controls automation
  B. Security policy provisions
  C. Defined security metrics
  D. Change management processes
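The scenario in question 108 (an administrative FTP password brute forced, an automated alert that nobody acted on, then deletion of the FTP directory three hours later) is the one concrete incident on this page. The following is an added example, not part of the original question bank, of the detection logic that would have produced the alert the help desk ignored: it tracks failed logins per source address and account in a sliding window, flags a successful login that follows a burst of failures, and then flags any destructive operation by that brute-forced session together with the dwell time. The log lines are constructed for the example and only loosely modelled on vsftpd's log format; the threshold, window, function names and the set of "destructive" operations are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not a capture from the incident in question 108).
# Format loosely follows vsftpd: "<date> [pid N] [user] OK|FAIL OP: Client "ip"[, "arg"...]".
SAMPLE_LOG = """\
Mon Mar  4 02:09:58 2024 [pid 3090] [alice] FAIL LOGIN: Client "198.51.100.23"
Mon Mar  4 02:10:01 2024 [pid 3101] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 02:10:05 2024 [pid 3102] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 02:10:09 2024 [pid 3103] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 02:10:12 2024 [pid 3091] [alice] OK LOGIN: Client "198.51.100.23"
Mon Mar  4 02:10:13 2024 [pid 3104] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 02:10:17 2024 [pid 3105] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 02:10:21 2024 [pid 3106] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 02:10:25 2024 [pid 3107] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 02:10:31 2024 [pid 3108] [admin] OK LOGIN: Client "203.0.113.7"
Mon Mar  4 02:11:02 2024 [pid 3091] [alice] OK UPLOAD: Client "198.51.100.23", "/srv/ftp/incoming/report.csv", 10240 bytes
Mon Mar  4 05:12:44 2024 [pid 3108] [admin] OK RMDIR: Client "203.0.113.7", "/srv/ftp/incoming"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<status>OK|FAIL) (?P<op>[A-Z]+): Client "(?P<ip>[^"]+)"'
    r'(?:, "(?P<arg>[^"]*)")?'
)

# Operations that change or remove data; treated as high-severity after a suspicious login (assumption).
DESTRUCTIVE_OPS = {"DELETE", "RMDIR", "RENAME"}


def parse_line(raw):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(raw)
    if not m:
        return None
    ev = m.groupdict()
    # Collapse the padded day field ("Mar  4") so strptime sees a single space.
    ev["ts"] = datetime.strptime(" ".join(ev["ts"].split()), "%a %b %d %H:%M:%S %Y")
    return ev


def detect(log_text, threshold=5, window=timedelta(minutes=5)):
    """Scan log lines in order and return alerts for brute-force activity.

    threshold failures from one (ip, user) inside `window` raise a brute_force_attempt
    alert; a successful login while the window still holds at least `threshold`
    failures raises brute_force_success; any destructive op by that (ip, user)
    afterwards raises destructive_action_after_compromise with the dwell time.
    """
    failures = defaultdict(deque)   # (ip, user) -> timestamps of recent FAIL LOGIN
    compromised = {}                # (ip, user) -> time of the suspicious OK LOGIN
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        key = (ev["ip"], ev["user"])
        if ev["op"] == "LOGIN":
            q = failures[key]
            while q and ev["ts"] - q[0] > window:   # expire failures outside the window
                q.popleft()
            if ev["status"] == "FAIL":
                q.append(ev["ts"])
                if len(q) == threshold:             # fire once per burst, not on every failure
                    alerts.append({"kind": "brute_force_attempt", "ip": ev["ip"],
                                   "user": ev["user"], "ts": ev["ts"], "failures": len(q)})
            else:
                if len(q) >= threshold:
                    compromised[key] = ev["ts"]
                    alerts.append({"kind": "brute_force_success", "ip": ev["ip"],
                                   "user": ev["user"], "ts": ev["ts"], "failures": len(q)})
                q.clear()                           # a success ends the burst either way
        elif ev["status"] == "OK" and ev["op"] in DESTRUCTIVE_OPS and key in compromised:
            alerts.append({"kind": "destructive_action_after_compromise", "ip": ev["ip"],
                           "user": ev["user"], "ts": ev["ts"], "op": ev["op"],
                           "target": ev["arg"], "dwell": ev["ts"] - compromised[key]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

On the constructed sample the detector raises three alerts: the burst of failed logins against `admin`, the successful login that follows it, and the `RMDIR` of `/srv/ftp/incoming` about three hours later, which is the point at which customers in the scenario started failing. The legitimate user who mistyped a password once is not flagged. Whether an alert like the second one reaches a person who acts on it within those three hours is exactly what incident response testing is meant to verify.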