Isaca CISM

Isaca
CISM
Certified Information
Security Manager
Version: 25.2
Web: www.dumpscollection.com [ Total Questions: 1136]
Email: support@dumpscollection.com
IMPORTANT NOTICE
Feedback
We have developed quality product and state-of-art service to ensure our customers interest. If you have any
suggestions, please feel free to contact us at feedback@dumpscollection.com
Support
If you have any questions about our product, please provide the following items:
exam code
screenshot of the question
login id/email
please contact us at support@dumpscollection.com and our technical experts will provide support within 24 hours.
Copyright
The product of each order has its own encryption code, so you should use it independently. Any unauthorized
changes will inflict legal punishment. We reserve the right of final explanation for this statement.
Dumps Q&A Isaca - CISM
Exam Topic Breakdown

Exam Topic Number of Questions
Topic 1 : Exam Pool A 67
Topic 2 : Exam Pool B 90
Topic 3 : Exam pool C 98
Topic 4 : Exam Pool D 81
Topic 5 : Exam Pool E 9
Topic 6 : Exam Pool F 239
Topic 7 : Exam Pool G 144
Topic 8 : Exam Pool H 408
TOTAL 1136
Success Guaranteed, 100% Valid 1 of 368

Topic 1, Exam Pool A

Question #:1 - (Exam Topic 1)
Which of the following would provide the MOST useful input when creating an information security program?
A. Business case
B. Information security budget
C. Key risk indicators (KRls)
D. Information security strategy
Answer: D
An organization's security policy is to disable access to USB storage devices on laptops and desktops. Which
of the following is the STRONGEST justification foi granting an exception to the policy?
A. Access is restricted to read-only.
B. USB storage devices are enabled based on user roles
C. Users accept the risk of noncompliance.
D. The benefit is greater than the potential risk
Answer: A
The PRIMARY purpose of asset valuation for the management of information security is to:
A. prioritize risk management activities.
B. provide a basis for asset classification.
C. determine the value of each asset
D. eliminate the least significant assets.
Answer: A

The PRIMARY reason an organization would require that users sign an acknowledgment of their system
access responsibilities is to:
A. assign accountability for transactions made with the user's ID.
B. maintain compliance with industry best practices.
C. serve as evidence of security awareness training.
D. maintain an accurate record of users access rights
Answer: A
Which of the following control type is the FIRST consideration for aligning employee behavior with an
organization’s information security objectives?
A. Physical security control
B. Directive security
C. Technical security controls
D. Logical access control
Answer: D
Which of the following is the MOST important consideration when determining the approach for gaining
organization-wide acceptance of an information security plan?
A. Mature security policy
B. Information security roles and responsibilities
C. Organizational information security awareness
D. Organizational culture
Answer: D

A business unit uses e-commerce with a strong password policy. Many customers complain that they cannot
remember their password because they are too long and complex. The business unit states it is imperative to
improve the customer experience. The information security manager should FIRST.
A. Change the password policy to improve the customer experience
B. Reach alternative secure of identify verification
C. Recommended implementing two-factor authentication.
D. Evaluate the impact of the customer’s experience on business revenue.
Answer: C
Over the last year, an information security manager has performed risk assessments on multiple third-party
vendors. Which of the following criteria would be MOST helpful in determining the associated level of risk
applied to each vendor?
A. Criticality of the service to the organization
B. Compliance requirements associated with the regulation
C. Compensating controls in place to protect information security
D. Corresponding breaches associated with each vendor
Answer: A
Which of the following is the MOST effective way to detect social engineering attacks?
A. Implement real-time monitoring of security-related events.
B. Encourage staff to report any suspicious activities.
C. Implement an acceptable use policy.
D. Provide incident management training to all start.
Answer: B

Within a security governance framework, which of the following is the MOST important characteristic of the
information security committee? The committee:
A. has a clearly defined charier and meeting protocols.
B. includes a mix of members from all levels of management.
C. conducts frequent reviews of the security policy.
D. has established relationships with external professionals.
Answer: B
When using a newly implemented security information and event management (SIEM) infrastructure, which
of the following should be considered FIRST?
A. Encryption
B. Retention
C. Report distribution
D. Tuning
Answer: D
Which of the following is the MOST important requirement for the successful implementation of security
governance?
A. Mapping to organizational
B. Implementing a security balanced scorecard
C. Performance an enterprise-wide risk assessment
D. Aligning to an international security framework
Answer: A
Which of the following provides the BEST input to maintain an effective asset classification program?

A. Business impact analysis (BIA)
B. Annual toss expectancy
C. Vulnerability assessment
D. Risk heat map
Answer: A
Which of the following would be MOST effective when justifying the cost of adding security controls to an
existing web application?
A. Vulnerability assessment results
B. Application security policy
C. A business case
D. Internal audit reports
Answer: C
To ensure appropriate control of information processed in IT systems, security safeguards should be based
PRIMARILY on:
A. criteria consistent with classification levels
B. efficient technical processing considerations,
C. overall IT capacity and operational constraints,
D. established guidelines
Answer: A
Which of the following will BEST protect an organization against spear phishing?
A. Antivirus software

B. Acceptable use policy
C. Email content filtering
D. End-user training
Answer: D
The PRIMARY purpose of vulnerability assessments is to:
A. provide clear evidence that the system is sufficiently secure.
B. test intrusion detection systems (IDS) and response procedures
C. detect deficiencies that could lead to a system compromise.
D. determine the impact of potential threats,
Answer: C
Which of the following would present the GREATEST need to revise information security poll'
A. Implementation of a new firewall
B. An increase in reported incidents
C. A merger with a competing company
D. Changes in standards and procedures
Answer: C
Which of the following BEST reduces the likelihood of leakage of private information via email?
A. User awareness training
B. Email encryption
C. Strong user authentication protocols
D.

D. Prohibition on the personal use of email
Answer: B
A threat intelligence report indicates there has been a significant rise in the number of attacks targeting the
industry. What should the information security manager do NEXT?
A. Discuss the risk with senior management.
B. Conduct penetration testing to identity vulnerabilities.
C. Allocate additional resources to monitor perimeter security systems,
D. Update the organization’s security awareness campaign.
Answer: A
Which of the following would BEST justify spending for a compensating control?
A. Risk analysis
B. Vulnerability analysis
C. Threats analysis
D. Peer benchmarking
Answer: C
The GREATEST benefit of choosing a private cloud over a public cloud would be:
A. containment of customer data
B. collection of data forensic
C. online service availability.
D. server protection.
Answer: A

Which of the following activities BEST enables executive management to ensure value delivery within an
information security program?
A. Requiring employees to undergo information security awareness training
B. Assigning an information security manager to a senior management position
C. Approving an industry-recognized information security framework
D. Reviewing business cases for information security initiatives
Answer: D
Which of the following should be PRIMARILY included in a security training program for business process
owners?
A. Application recovery time
B. Impact of security risks
C. Application vulnerabilities
D. List of security incidents reported
Answer: B
Which of the following processes would BEST help to ensure that information security risks will be evaluated
when implementing a new payroll system?
A. Change management
B. Problem management
C. Configuration management
D. Incident management
Answer: A

A third-party contract signed by a business unit manager failed to specify information security requirements
Which of the following is the BEST way for an information security manager to prevent this situation from
reoccurring?
A. Inform business unit management of the information security requirements.
B. Provide information security training to the business units
C. Integrate information security into the procurement process
D. Involve the information security team in contract negotiations
Answer: C
During which phase of an incident response process should corrective actions to the response procedure be
considered and implemented?
A. Review
B. Identification
C. Eradication
D. Containment
Answer: A
Which of the following is the MOST useful metric for determining how well firewall logs are being
monitored?
A. The number of port scanning attempts
B. The number of log entries reviewed
C. The number of investigated alerts
D. The number of dropped malformed packets
Answer: C

Which of the following is the BEST way to improve the timely reporting of information security incidents?
A. Perform periodic simulations with the incident response team.
B. Regularly reassess and update the incident response plan.
C. Integrate an intrusion detection system (IDS) in the DMZ
D. Incorporate security procedures in help desk processes
Answer: B
Which of the following is the BEST way to demonstrate to senior management that organizational security
practices comply with industry standards?
A. Existence of an industry-accepted framework
B. Up-to-date policy and procedures documentation
C. A report on the maturity of controls
D. Results of an independent assessment
Answer: D
Which of the following is an information security manager's BEST course of action to address a significant
materialized risk that was not prevented by organizational controls?
A. Update the business impact analysis (BIA)
B. Update the risk register.
C. Perform root cause analysis.
D. Invoke the incident response plan.
Answer: D

As part of an international expansion plan, an organization has acquired a company located in another
jurisdiction. Which of the following would be the BEST way to maintain an effective information security
program?
A. Determine new factors that could influence the information security strategy.
B. Implement the current information security program in the acquired company.
C. Merge the two information security programs to establish continuity.
D. Ensure information security s included in any change control efforts
Answer: A
A company has purchased a rival organization and is looking to integrate security strategies. Which of the
following is the GREATEST issue to consider?
A. The organizations have different risk appetites
B. Differing security skills within the organizations
C. Confidential information could be leaked
D. Differing security technologies
Answer: D
Which of the following BEST enables an effective escalation process within an incident response program?
A. Dedicated funding for incident management
B. Adequate incident response staffing
C. Monitored program metrics
D. Defined incident thresholds
Answer: D
A policy has been established requiting users to install mobile device management (MDM) software on their
personal devices Which of the following would BEST mitigate the risk created by noncompliance with this

policy?
A. Disabling remote access from the mobile device
B. Requiring users to sign off on terms and conditions
C. Issuing company-configured mobile devices
D. Issuing warnings and documenting noncompliance
Answer: A
Which of the following MOST effectively prevents internal users from modifying sensitive data?
A. Network segmentation
B. Role-based access controls
C. Multi-factor authentication -
D. Acceptable use policies
Answer: B
An information security manager s PRIMARY objective for presenting key risks to the board of directors is to:
A. re-evaluate the risk appetite
B. quantify reputational risks
C. meet information security compliance requirements.
D. ensure appropriate information security governance,
Answer: D
When the inherent risk of a business activity is lower than the acceptable risk level, the BEST course of action
would be to:
A. implement controls to mitigate the risk.
B.

B. monitor for business changes.
C. review the residual risk level
D. report compliance to management
Answer: B
Which of the following is an information security manager’s BEST course of action when informed of
decision to reduce funding for the information security program?
A. Remove overlapping security controls
B. Prioritize security projects based on risk.
C. Design key risk indicators (KRIs)
D. Create a business case appeal decision.
Answer: B
Which of the following is the MOST effective data loss control when connecting a personally owned mobile
device to the corporate email system?
A. Users must agree to allow the mobile device to be wiped if it is lost
B. Email must be stored in an encrypted format on the mobile device
C. A senior manager must approve each new connection
D. Email synchronization must be prevented when connected to a public Wi-Fi hotspot.
Answer: A
Which of the following is the PRIMARY reason social media has become a popular target for attack?
A. The reduced effectiveness of access controls
B. The accessibility of social media from multiple locations
C. The prevalence of strong perimeter protection
D.

D. The element of trust created by social media
Answer: D
An emergency change was made to an IT system as a result of a failure. Which of the following should be of
GREATEST concern to the organizations information security manager?
A. The change did not include a proper assessment of risk.
B. Documentation of the change was made after implementation.
C. The operations team implemented the change without regression testing,
D. The information security manager did not review the change prior to implementation.
Answer: A
Which of the following is MOST important to the successful development of an information security strategy?
A. An implemented development life cycle process
B. A well-implemented governance framework
C. Current state and desired objectives
D. Approved policies and standards
Answer: C
To gain a clear understanding of the impact that a new regulatory will have on an organization’s security
control, an information manager should FIRST.
A. Conduct a risk assessment
B. Interview senior management
C. Perform a gap analysis
D. Conduct a cost-benefit analysis

Answer: C
Which of the following would be of GREATEST concern to an information security manager when evaluating
a cloud service provider (CSP)?
A. Security controls offered by the provider are inadequate
B. Service level agreements (SLAs) art not well defined.
C. Data retention policies may be violated.
D. There is no right to audit the security of the provider
Answer: B
A new program has been implemented to standardize security configurations across a multinational
organization Following implementation, the configuration standards should:
A. remain unchanged to avoid variations across the organization
B. be updated to address emerging threats and vulnerabilities.
C. be changed for different subsets of the systems to minimize impact,
D. not deviate from industry best practice baselines.
Answer: B
Which of the following is the BEST resource for evaluating the strengths and weaknesses of an incident
response plan?
A. Recovery time objectives (RTOs)
B. Mission, goals and objectives
C. Incident response maturity assessment
D. Documentation from preparedness tests

Answer: D
The MOST important factors in determining the scope and timing for testing a business continuity plan are:
A. the experience level of personnel and the function location.
B. prior testing results and the degree of detail of the business continuity plan
C. the importance of the function to be tested and the cost of testing,
D. manual processing capabilities and the test location
Answer: C
After implementing an information security governance framework, which of the following would provide the
BEST information to develop an information security project plan?
A. Risk heat map
B. Recent audit results
C. Balanced scorecard
D. Gap analysis
Answer: C
Which of the following would BEST assist an information security manager in gaining strategic support from
executive management?
A. Risk analysis specific to the organization
B. Research on trends in global information security breaches
C. Rating of the organization s security, based on international standards
D. Annual report of security incidents within the organization
Answer: C

Which of the following would contribute MOST to employees' understanding of data handling
responsibilities?
A. Demonstrating support by senior management of the security program
B. Implementing a tailored security awareness training program
C. Requiring staff acknowledgement of security policies
D. Labeling documents according to appropriate security classification
Answer: B
An access rights review revealed that some former employees' access is still active. Once the access is
revoked, which of the following is the BEST course of action to help prevent recurrence?
A. Implement a periodic recertification program.
B. Initiate an access control policy review.
C. Validate HR offboarding processes.
D. Conduct a root cause analysis.
Answer: A
A contract bid is digitally signed and electronically mailed The PRIMARY advantage to using a digital
signature is that
A. any alteration of the bid will invalidate the signature.
B. the signature can be authenticated even if no encryption is used,
C. the bid cannot be forged even if the keys are compromised.
D. the bid and the signature can be copied from one document to another
Answer: B

An information security manager is concerned that executive management does not su the following is the
BEST way to address this situation?
A. Revise the information security strategy to meet executive management expectations.
B. Escalate noncompliance concerns to the internal audit manager
C. Report the risk and status of the information security program to the board.
D. Demonstrate alignment of the information security function with business needs.
Answer: D
Which of the following is the MOST effective approach for integrating security into application development?
A. Including security in user acceptance testing sign-off
B. Performing vulnerability scans
C. Defining security requirements
D. Developing security models in parallel
Answer: C
An information security manager is concerned that executive management does not support information
security initiatives. Which of the following is the BEST way to address this situation?
A. Revise the information security strategy to meet executive management's expectations.
B. Escalate noncompliance concerns to the internal audit manager
C. Report the risk and status of the information security program to the board.
D. Demonstrate alignment of the information security function with business needs.
Answer: D
What should be information security manager’s FIRST course of action when it is discovered a staff member

has been posting corporate information on social media sites?
A. Asses the classification of the data posted.
B. Implement controls to block the social media sites.
C. Refer the staff member to the information security policy
D. Notify senior management
Answer: A
Which of the following is the BEST method to defend against social engineering attacks?
A. Monitor for unauthorized access attempts and failed logins.
B. Employ the use of a web-content filtering solution.
C. Communicate guideline to limit information posted to public sites
D. Periodically perform antivirus scans to identify malware
Answer: C
Which of the following external entities would provide the BEST guideance to an organization facing
advanced attacks?
A. Recognised threat intelligence communities
B. Open-source reconnaissance
C. Disaster recovery consultants widely endorsed in industry forums
D. Incident response experts from highly regarded peer organizations
Answer: A
Which of the following is the BEST way to prevent employees from making unauthorized comments to the
media about security incidents in progress?
A. Establish standard media responses for employees to control the message

B. Communicate potential disciplinary actions for noncompliance.
C. Include communication policies In regular information security training
D. training Implement controls to prevent discussion with media during an Incident.
Answer: C
An organization has implemented an enhanced password policy for business applications which requires
significantly more business resource to support clients. The BEST approach to obtain the support of business
management would be to:
A. Present an analysis of the cost and benefit of the changes
B. Elaborate on the positive impact to information security
C. Present industry benchmarking results to business units
D. Discuss the risk and impact of security incidents if not implemented
Answer: A
Which of the following is the PRIMARY reason to invoke continuity and recovery plans?
A. To achieve service delivery objectives
B. To coordinate with senior management
C. To enforce service level agreements (SLAs)
D. To protect corporate networks
Answer: A
Which of the following is the PRIMARY objective of a business impact analysis (BIA):
A. Define the recovery point objective (RPO).
B. Determine recovery priorities.
C.

C. Confirm control effectiveness.
D. Analyze vulnerabilities
Answer: A
Explanation
QUESRTION NO: 138
Which of the following should be define* I FIRST when creating an organization's information security
strategy?
A. Budget
B. Policies and processes
C. Objectives
D. Organizational structures
Answer: C
QUESRTION NO: 139
Meeting which of the following security objectives BEST ensures that information is protected against
unauthorized modification?
A. Availability
B. Integrity
C. Confidentiality
D. Authenticity
Answer: B
QUESRTION NO: 140
Which of the following is the BEST way for an information security manager to promote the integration of
information security considerations into key business processes?
A. Provide information security awareness training.
B. Conduct a business impact analysis (BIA).
C. Facilitate the creation of an information security steering group
D. Conduct information security briefings for executives

Answer: C
QUESRTION NO: 141
Senior management learns of several web application security incidents and wants to know the exposure risk
to the organization. What is the information security manager's BEST course of action?
A. Perform a vulnerability assessment.
B. Review audit logs from IT systems.
C. Activate the incident response plan
D. Assess IT system configurations
Answer: A
QUESRTION NO: 142
A message is being sent with a hash. The risk of an attacker changing the message and generating an authentic
hash value c*n be mitigated by:
A. generating hash output that is the same size as the original message,
B. requiring the recipient to use a different hash algorithm,
C. using the senders public key to encrypt the message.
D. using a secret key m conjunction with the hash algorithm.
Answer: D
QUESRTION NO: 1 44
Which of the following sites would be MOST appropriate in the case of a very short recovery time objective
(RTO)?
A. Redundant
B. Shared
C. Warm
D. Mobile
Answer: A
QUESRTION NO: 145
Which of the following is the BEST indication that a recently adopted information security framework is a
good fit for an organization?

A. The framework includes industry-recognized information security best practices.
B. The number of security incidents has significantly declined
C. The business has obtained framework certification.
D. Objectives in the framework correlate directly to business practices
Answer: D
QUESRTION NO: 46
Which of the following is the BEST indication that a recently adopted information security framework is a
good fit for an organization?
A. The framework includes industry-recognized information security best practices.
B. The number of security incidents has significantly declined
C. The business has obtained framework certification.
D. Objectives in the framework correlate directly to business practices
Answer: D
QUESRTION NO: 147
Which of the following is MOST likely to result from a properly conducted post-incident review?
A. Breach information is provided to the organization's key stakeholders and users.
B. The cause of the incident is discovered and remediated.
C. Forensic evidence is reviewed and provided to law enforcement
D. The incident response team discovers inefficiencies in the recovery process.
Answer: D
QUESRTION NO: 148
Labeling information according to its security classification:
A. affects the consequences if information is handled insecurely,
B. induces the number and type of counter measures required
C. enhances the likelihood of people handling information securely,
D. reduces the need to identify baseline controls for each classification.

Answer: B
QUESRTION NO: 149
Which of the following is MOST likely to result from a properly conducted post-incident review?
A. Breach information is provided to the organization's key stakeholders and us«rs.
B. The cause of the incident is discovered and remediated.
C. Forensic evidence is reviewed and provided to law enforcement
D. The incident response team discovers inefficiencies m the recovery process.
Answer: D
QUESRTION NO: 150
Which of the following would provide senior management with the BEST overview of the performance of
information security risk treatment options?
A. Before-and-after heat maps
B. Analysis of recent incident
C. Detailed risk analysis of the treatments
D. individual risk assessments
Answer: A
The PRIMARY benefit of integrating information security activities into change management processes is to:
A. provide greater accountability for security-related changes In the business
B. protect the organization from unauthorized changes.
C. protect the business from collusion and compliance threats.
D. ensure required controls are Included in changes.
Answer: B
Which of the following processes is the FIRST step in establishing an information security policy?

A. Review of current global standards
B. Business risk assessment
C. Security controls evaluation
D. Information security audit
Answer: B
When information security management is receiving an increased number of false positive incident reports,
which of the following is MOST important to review?
A. The security awareness programs
B. Firewall logs
C. The risk management processes
D. Post-incident analysis results
Answer: D
Which of the following is a PRIMARY security responsibility of an information owner?
A. Testing information classification controls
B. Determining the controls associated with information classification
C. Maintaining the integrity of data in the information system
D. Deciding what level of classification the information requires
Answer: D

Topic 2, Exam Pool B

Which of the following is the MOST effective way to identify changes in an information security
environment?
A. Continuous monitoring
B. Security baselining
C. Annual risk assessments
D. Business impact analysts
Answer: B
An organization is in the process of adopting a hybrid data infrastructure, transferring all non-core applications
to cloud service providers and maintaining all core business functions in-house. The information security
manager has determined a defense in depth strategy should be used. Which of the following BEST describes
this strategy?
A. Deployment of nested firewalls within the infrastructure
B. Separate security controls for applications, platforms programs and endpoints
C. Multi-factor login requirements for cloud service applications timeouts, and complex passwords
D. Strict enforcement of role-based access control (RBAC)
Answer: B
Which of the following is MOST likely to drive an update to the information security strategy?
A. A recent penetration test has uncovered a control weakness.
B. A major business application has been upgraded.
C. Management has decided to implement an emerging technology.
D. A new chief technology officer has been hired

Answer: C
What would be an information security manager's BEST course of action when notified that the
implementation of some security controls is being delayed due to budget constraints?
A. Prioritize security controls based on risk.
B. Request a budget exception for the security controls
C. Begin the risk acceptance process
D. Suggest less expensive alternative security controls.
Answer: A
What should be an organization'«. MAIN concern when evaluating an Infrastructure as a Service (laaS) cloud
computing model for an e-commerce application?
A. Internal audit requirements
B. Availability of providers services
C. Where the application resides
D. Application ownership
Answer: B
An organization will be outsourcing mission-critical processes. Which of the following is MOST important to
verify before signing the service level agreement (SLA)?
A. The provider has implemented the latest technologies.
B. The providers technical staff are evaluated annually.
C. The provider is widely known within the organization’s industry.
D. The provider has been audited by a recognized audit firm.

Answer: D
Which of the following is the MOST effective way to detect security incidents?
A. Analyze penetration test results.
B. Analyze recent security risk assessments.
C. Analyze vulnerability assessments.
D. Analyze security anomalies.
Answer: A
The MAIN reason for internal certification of web-based business applications is to ensure:
A. compliance with industry standards-
B. changes to the organizational policy framework are identified,
C. up-to-date web technology is being used.
D. compliance with organizational policies.
Answer: D
Senior management has approved employees working off-site by using a virtual private network (VPN)
connection. It is MOST important for the information security manager to periodically:
A. perform a cost-benefit analysis.
B. perform a risk assessment.
C. review firewall configuration.
D. review the security policy.
Answer: B

For a user of commercial software downloaded from the Internet, which of the following is the MOST
effective means of ensuring authenticity?
A. Digital signatures
B. Digital certificates
C. Digital code signing
D. Steganography
Answer: C
Which of the following would be MOST important to consider when implementing security settings for a new
system?
A. Results from internal and external audits
B. Government regulations and related penalties
C. Business objectives and related IT risk
D. Industry best practices applicable to the business
Answer: C
In an organization with effective IT risk management, the PRIMARY reason to establish key risk indicators
(KRIs) is to:
A. provide information to remediate risk events.
B. demonstrate the alignment of risk management efforts.
C. map potential risk to key organizational strategic initiatives.
D. identify triggers that exceed risk thresholds
Answer: D

A global organization is developing an incident response team (IRT). The organization wants to keep
headquarters informed of aP incidents and wants to be able to present a unified response to widely dispersed
events. Which of the following IRT models BEST supports these objectives?
A. Holistic IRT
B. Central IRT
C. Coordinating IRT
D. Distributed IRT
Answer: B
The PRIMARY benefit of integrating information security risk into enterprise risk management is to:
A. ensure timely risk mitigation.
B. justify the information security budget
C. obtain senior management’s commitment.
D. provide a holistic view of risk
Answer: D
Knowing which of the following is MOST important when the information security manager is seeking senior
management commitment?
A. Security costs
B. Technical vulnerabilities
C. Security technology requirements
D. Implementation tasks
Answer: D

An information security manager determines the organizations critical systems may be vulnerable to a new
zero-day attack. The FIRST course of action is to:
A. analyze the probability of compromise
B. re-assess the firewall configuration
C. advise management of risk and remediation cost
D. survey peer organizations to see how they have addressed the issue.
Answer: A
Which of the following is the BKT approach for an information security manager when developing new
information security policies?
A. Create a stakeholder nap
B. Reference an industry standard.
C. Establish an information security governance committee
D. Download a policy template
Answer: C
An organization has recently experienced unauthorized device access to its network. To proactively manage
the problem and mitigate this risk, the BEST preventive control would be to:
A. keep an inventory of network and hardware addresses of all systems connected to the network
B. implement network-level authentication and login to regulate access of devices to the network
C. deploy an automated asset inventory discovery tool to identify devices that access the network
D. install a stateful inspection firewall to prevent unauthorized network traffic
Answer: C

Business units within an organization are resistant to proposed changes to the information security program.
Which of the following is the BEST way to address this issue?
A. Communicating critical risk assessment results to business unit managers
B. Including business unit representation on the security steering committee
C. Publishing updated information security policies
D. Implementing additional security awareness training
Answer: B
Which of the following is the MOST important outcome from vulnerability scanning?
A. Prioritization of risks
B. Information about steps necessary to hack the system
C. Identification of back doors
D. Verification that systems are property configured
Answer: C
Which of the following is the MOST important consideration when establishing an information security
governance framework?
A. Security steering committee meetings are held at least monthly
B. Executive management support is obtained
C. Members of the security steering committee are trained in information security.
D. Business unit management acceptance is obtained
Answer: B
Which of the following is MOST critical to review when preparing to outsource a data repository to a

cloud-based solution?
A. Disaster recovery plan
B. Identity and access management
C. Vendor’s information security policy
D. A risk assessment
Answer: D
Which of the following contributes MOST to the effective implementation of an information security strategy?
A. Reporting of security metrics
B. Regular security awareness training
C. Endorsement by senior management
D. Implementation of security standards
Answer: C
What is the MOST important consideration when establishing metrics for reporting to the information security
strategy committee?
A. Agreeing on baseline values for the metrics
B. Developing a dashboard for communicating the metrics
C. Providing real-time insight on the security posture of the organization
D. Benchmarking the expected value of the metrics against industry standards
Answer: C
When developing an incident response plan, which of the following is the MOST -effective way to ensure
incidents common to the organization are handled properly?
A.

A. Adopting industry standard response procedures
B. Rehearsing response scenarios
C. Conducting awareness training
D. Creating and distributing a personnel call tree
Answer: A
A new regulation has been announced that requires mandatory reporting of security incidents that affect
personal client information. Which of the following should be the information security manager's FIRST
course of action?
A. Inform senior management of the new regulation.
B. Review the current security policy.
C. Update the security incident management process
D. Determine impact to me business
Answer: D
The decision to escalate an incident should be based PRIMARILY on:
A. organizational hierarchy.
B. prioritization by the information security manager
C. predefined policies and procedures
D. response team experience.
Answer: C
An information security manager is reviewing the impact of a regulation on the organization’s human
resources system. The NEXT course of action should be to:
A. perform a gap analysis of compliance requirements

B. assess the penalties for noncompliance.
C. review the organization s most recent audit report
D. determine the cost of compliance
Answer: A
Which of the following should be done FIRST when selecting performance metrics to report on the vendor
risk management process?
A. Review the confidentiality requirements.
B. Identify the data owner.
C. Select the data source
D. Identify the intended audience.
Answer: A
The MOST likely cause of a security information event monitoring (SIEM) solution failing to identify a
serious incident is that the system:
A. has not been updated with the latest patches
B. is hosted by a cloud service provider
C. has performance issues
D. is not collecting logs from relevant devices.
Answer: D
Which of the following provides the MOST relevant evidence of incident response maturity?
A. Red team testing results
B. Average incident closure time

C. Independent audit assessment
D. Tabletop exercise results
Answer: A
It is suspected that key emails have been viewed by unauthorized parties. The email administrator conducted
an investigation but it has not returned any information relating to the incident, and leaks are continuing.
Which of the following is the BEST recommended course of action to senior management?
A. Commence security training for staff at the organization.
B. Rebuild the email application
C. Arrange for an independent review.
D. Restrict the distribution of confidential emails.
Answer: C
Which of the following is the MOST important step in risk ranking?
A. Threat assessment
B. Mitigation cost
C. Vulnerability analysis
D. Impact assessment
Answer: D
Which of the following is the MOST effective defense against spear phishing attacks?
A. Unified threat management
B. Web filtering
C. Anti-spam solution

D. User awareness training
Answer: D
A newly hired information security manager discovers that the cleanup of accounts for terminated employees
happens only once a year. Which of the following should be the information security manager's FIRST course
of action?
A. Design and document a new process
B. Update the security policy
C. Perform a risk assessment
D. Report the issue to senior management
Answer: D
Which of the following is the BEST way to increase the visibility of information security within an
organization's culture?
A. Requiring cross-functional information security training
B. Implementing user awareness campaigns for the entire company
C. Publishing an acceptable use policy
D. Establishing security policies based on industry standards
Answer: B
A third-party service provider has proposed a data loss prevention (DLP) solution. Which of the following
MUST be in place for this solution to be relevant to the organization?
A. Senior management support
B. An adequate data testing environment
C. A business case
D.

D. A data classification schema
Answer: C
An information security manager suspects that the organization has suffered a ransomware attack. What
should be done FIRST
A. Notify senior management
B. Alert employees to the attack.
C. Confirm the infection.
D. Isolate the affected systems.
Answer: D
Which of the following is the BEST way for an information security manager to identify compliance with
information security policies within an organization?
A. Conduct security awareness testing
B. Perform vulnerability assessments
C. Analyze system logs
D. Conduct per iodic audits.
Answer: D
Which of the following would be MOST effective in ensuring that information security is appropriately
addressed in new systems?
A. Information security staff perform compliance reviews before production begins
B. Information security staff take responsibility for the design of system security
C. Internal audit signs off on security prior to implementation
D. Business requirements must include security objectives.

Answer: D
Implementing a strong password policy is part of an organization s information security strategy for the year.
A business unit believes the strategy may adversely affect a client's adoption of a recently developed mobile
application and has decided not to implement the policy. Which of the following is the information security
manager s BEST course of action?
A. Analyze the risk and impact of not implementing the policy.
B. Develop and implement a password policy for d mobile application
C. Escalate non-implementation of the policy to senior management
D. Benchmark with similar mobile applications to identify gaps
Answer: A
Which of the following helps to ensure that the appropriate resources are applied in a timely manner after an
incident has occurred?
A. Define incident response teams.
B. Initiate an incident management log
C. Classify the incident
D. Broadcast an emergency message
Answer: C
For a business operating in a competitive and evolving online market, it is MOST important for a security
policy to focus on:
A. defining policies for new technologies.
B. enabling adoption of new Technologies.
C. requiring accreditation for new technologies.
D. managing risks of new technologies

Answer: B
Which of the following is the PRIMARY responsibility of the information security steering committee?
A. Developing security policies aligned with the corporate and IT strategies
B. Reviewing business cases where benefits have not been realized
C. Identifying risks associated with new security initiatives
D. Developing and presenting business cases for security initiatives
Answer: A
An information security manager learns users of an application are frequently using emergency elevated
access privileges to process transactions Which of the following should be done FIRST?
A. Request justification from the users managers for emergence access
B. Request the application administrator block all emergency access profiles.
C. Update the frequency and usage of the emergency access profile in the policy
D. Review the security architecture of the application and recommend changes
Answer: A
Which of the following BEST indicates senior management support for an information security program?
A. Detailed information security policies are established and regularly reviewed.
B. The information security manager meets regularly with the lines of business.
C. Key performance indicators (KPIs) are defined for the information security program.
D. Risk assessments are conducted frequently by the information security team.
Answer: A

Which of the following is two MOST important step when establishing guidelines for the use of social
networking sites in an organization?
A. Establish disciplinary actions for noncompliance
B. Define acceptable information for posting.
C. Identify secure social networking sites
D. Perform a vulnerability assessment
Answer: B
Which of the following should an information security manager establish FIRST to ensure security-related
activities are adequately monitored?
A. Regular reviews of computer system logs
B. Internal reporting channels
C. Accountability for security functions
D. Scheduled security assessments
Answer: B
What is the MAIN reason for an organization to develop an incident response plan?
Identify training requirements for the incident response team.
Priorities treatment based on incident critically.
What is the MAIN reason for an organization to develop an incident response plan?
A. Identity training requirements for the incident response team.
B. Prioritize treatment based on incident criticality.
C. Trigger immediate recovery procedures.
D. Provide a process for notifying stakeholders of trie incident.

Answer: C
An organization is MOST at risk from a new worm being introduced through the intranet when:
A. desktop virus definition files are not up to date
B. system software does not undergo integrity checks.
C. hosts have static IP addresses.
D. executable code is run from inside the firewall
Answer: B
When developing a disaster recovery plan, which of the following would be MOST helpful in prioritizing the
order in which systems should be recovered?
A. Reviewing the business strategy
B. Reviewing the information security policy
C. Performing a business impact analysis (BIA)
D. Measuring the volume of data in each system
Answer: C
Which of the following is the- PRIMARY objective of an incident communication plan?
A. To convey information about the incident to those affected by it
B. To prevent reputation damage to the organization
C. To prevent unannounced visits from the media during crisis
D. To fulfill regulatory requirements for incident response
Answer: A

Before final acceptance of residual risk, what is the BEST way for an information security manager to address
risk factors determined to be lower than acceptable risk levels?
A. Implement more stringent countermeasures.
B. Evaluate whether an excessive level of control is being applied.
C. Ask senior management to increase the acceptable risk levels
D. Ask senior management to lower the acceptable risk levels
Answer: B
During an emergency security incident, which of the following would MOST likely predict the worst-case
scenario?
A. Cost-benefit analysis report
B. Business impact analysis (B1A) report
C. Risk assessment report
D. Vulnerability assessment report
Answer: D
The success of a computer forensic investigation depends on the concept of:
A. chain of evidence.
B. chain of attack.
C. forensic chain
D. evidence of attack.
Answer: A

Which of the following is the MOST important driver when developing an effective information security
strategy?
A. Information security standards
B. Compliance requirements
C. Security audit reports
D. Benchmarking reports
Answer: B
Senior management commitment and support will MOST likely be offered when the value of information
security governance is presented from a:
A. threat perspective.
B. compliance perspective
C. risk perspective.
D. policy perspective.
Answer: C
Which of the following would be MOST important to include in a business case to help obtain senior
management's commitment for an information security investment?
A. Results of an independent audit
B. Industry best practices
C. Projected business value
D. Reference to business policies
Answer: C

Which of the following will BEST help to ensure security is addressed when developing a custom application?
A. Conducting security training for the development staff
B. Integrating security requirements into the development process
C. Requiring a security assessment before implementation
D. Integrating a security audit throughout the development process
Answer: B
Which of the following BEST demonstrates that an organization supports information security governance?
A. Employees attend annual organization-wide security training.
B. Information security policies are readily available to employees.
C. The incident response plan is documented and tested regularly.
D. Information security steering committee meetings are held regularly.
Answer: D
Which of the following would BEST enable an organization to effectively monitor the implementation of
standardized configurations?
A. Implement a separate change tracking system to record changes to configurations.
B. Perform periodic audits to detect non-com pliant configurations.
C. Develop policies requiring use of the established benchmarks.
D. Implement automated scanning against the established benchmarks.
Answer: D
Relying on which of the following methods when detecting new threats using IDS should be of MOST
concern?

A. Statistical pattern recognition
B. Attack signatures
C. Heuristic analysis
D. Traffic analysis
Answer: A
When developing a classification method for incidents, the categories MUST be:
A. quantitatively defined.
B. regularly reviewed.
C. specific to situations.
D. assigned to incident handlers.
Answer: A
Before final acceptance of residual risk, what is the BEST way for an information security manager to address
risk factors determined to be lower than acceptable risk levels?
A. Implement more stringent countermeasures.
B. Evaluate whether an excessive level of control is being applied.
C. Ask senior management to increase the acceptable risk levels
D. Ask senior management to lower the acceptable risk levels.
Answer: B
Which of the following activities should take place FIRST when a security patch for Internet software is
received from a vendor?
A. The patch should be applied to critical systems.
B.

B. The patch should be validated using a hash algorithm.
C. The patch should be evaluated in a testing environment.
D. The patch should be deployed quickly to systems that are vulnerable.
Answer: C
The BEST time to ensure that a corporation acquires secure software products when outsourcing software
development is during:
A. contract negotiation.
B. contract performance audits
C. security policy development
D. corporate security reviews.
Answer: A
Which of the following is MOST critical for prioritizing actions in a business continuity plan (BCP)?
A. Risk assessment
B. Business impact analysis (BIA)
C. Asset classification
D. Business process mapping
Answer: B
After an information security business case has been approved by senior management, it should be:
A. used to design functional requirements for the solution
B. used as the foundation for a risk assessment
C. referenced to build architectural blueprints for the solution

D. reviewed at key intervals to ensure intended outcomes.
Answer: A
Which of the following metrics is MOST useful to demonstrate the effectiveness of an incident response plan?
A. Average time to resolve an incident
B. Total number of reported incidents
C. Total number of incident responses
D. Average time to respond to an incident
Answer: A
Which of the following is the BEST reason to reassess risk following an incident?
A. To capture lessons learned
B. To update changes in the threat environment
C. To update roles and responsibilities
D. To accurately document risk to the organization
Answer: B
Which of the following is the BEST approach for encouraging business units to assume their roles and
responsibilities in an information security program?
A. Perform a risk assessment
B. Conduct an awareness program
C. Conduct a security audit.
D. Develop controls and countermeasures

Answer: C
Which of the following is MOST important when selecting a third-party security operations center?
A. Indemnity clauses
B. Independent controls assessment
C. Incident response plans
D. Business continuity plans
Answer: B
Which of the following should be the PRIMARY expectation of management when an organization introduces
an information security governance framework?
A. Optimized information security resources
B. Consistent execution of information security strategy
C. Improved accountability to shareholders
D. Increased influence of security management
Answer: C
Which of the following is the MOST effective method for assessing the effectiveness of a security awareness
program?
A. Post-incident review
B. Social engineering test
C. Vulnerability scan
D. Tabletop test
Answer: B

Which of the following is the MOST important reason for performing vulnerability assessments periodically?
A. The current threat levels are being assessed.
B. Technology risks must be mitigated.
C. The environment changes constantly.
D. Management requires regular reports.
Answer: C
A multinational organization wants to ensure its privacy program appropriately addresses privacy risk
throughout its operations. Which of the following would be of MOST concern to senior management?
A. The organization uses a decentralized privacy governance structure
B. Privacy policies ire only reviewed annually
C. The organization doe* not have a dedicated privacy officer
D. The privacy program does not include a formal warning component
Answer: A
What is the MOST important factor for determining prioritization of incident response?
A. Service level agreements (SLAs) pertaining to the impacted systems
B. The potential impact to the business
C. The time to restore the impacted systems
D. The availability of specialized technical staff
Answer: B

An organization's information security strategy for the coming year emphasizes reducing the risk of
ransomware. Which of the following would be MOST helpful to support this strategy?
A. Provide relevant training to all staff.
B. Create a penetration testing plan
C. Perform a controls gap analysis.
D. Strengthen security controls for the IT environment.
Answer: C
Which of the following should be the information security manager's NEXT step following senior
management approval of the information security strategy?
A. Develop a security pokey.
B. Develop a budget
C. Perform a gap analysis.
D. Form a steering committee
Answer: D
Due lo budget constraints, an internal IT application does not include the necessary controls to meet a client
service level agreement (SLA). Which of the following is the information security manager's BEST course of
action?
A. Inform the legal department of the deficiency
B. Analyze and report the issue to server management
C. Require the application owner to implement the controls.
D. Assess and present the risks to the application owner
Answer: B

Which of the following would provide nonrepudiation of electronic transactions?
A. Two-factor authentication
B. Periodic reaccredinations
C. Third-party certificates
D. Receipt acknowledgment
Answer: D
Following a successful and well-publicized hacking incident, an organization alias plans to improve
application security. Which of the following is a security project risk?
A. Critical evidence may be lost.
B. The reputation of the organization may be damaged
C. A trapdoor may have been installed m the application.
D. Resources may not be available to support the implementation.
Answer: D
After a server has been attacked, which of the following is the BEST course of action?
A. Review vulnerability assessment
B. Conduct a security audit
C. Initiate modem response
D. Isolate the system.
Answer: C
Which is MOST important to enable a timely response to a security breach?
A.

A. Knowledge sharing and collaboration
B. Security event logging
C. Roles and responsibilities
D. Forensic analysis
Answer: C
Which of the following is a MAIN security challenge when conducting a post-incident review related to bring
your own device (BYOD) in a mature, diverse organization?
A. Lack of mobile forensics expertise
B. Ability to obtain possession of devices
C. Diversity of operating systems
D. Ability to access devices remotely
Answer: B
Which of the following is MOST important to enable after completing action plan?
A. Threat profile
B. Inherent risk
C. Residual risk
D. Vulnerability landscape
Answer: C
When developing a new application, which of the following is the BEST approach to ensure compliance with
security requirements?
A. Provide security training for developers.

B. Prepare detailed acceptance criteria
C. Adhere to change management processes.
D. Perform a security gap analysis.
Answer: A
An organization s senior management is encouraging employees to use social media for promotional purposes.
Which of t following should be the information security manager's FIRST step to support this strategy?
A. Develop a guideline on the acceptable use of social media
B. Incorporate social media into the security awareness program.
C. Develop a business case for a data toss prevention (DLP) solution.
D. Employ the use of a web content filtering solution.
Answer: A
When preparing a business case for the implementation of a security information and event management
(SIEM) system, which of the following should be a PRIMARY driver in the feasibility study?
A. Cost of software
B. Cost-benefit analysis
C. Implementation timeframe
D. Industry benchmarks
Answer: B
Executive management is considering outsourcing all IT operations. Which of the following functions should
remain internal?
A. Data encryption

B. Data ownership
C. Data custodian
D. Data monitoring
Answer: B

Topic 3, Exam pool C
A business unit has requested IT to implement simple authentication using IDs and passwords. The
information security policy requires using multi-factor authentication. The information security manager
should FIRST:
A. implement two-factor authentication.
B. escalate the request to senior management
C. perform a risk assessment
D. assess alignment with business objectives.
Answer: C
Which of the following is the BEST method to protect against emerging advanced persistent threat (APT)
actors?
A. Providing ongoing training to the incident response team
B. Implementing proactive systems monitoring
C. Implementing a honeypot environment
D. Updating information security awareness materials
Answer: D
The BEST way to improve the effectiveness of responding to and communicating security incidents is to
ensure:
A. senior management is notified at the onset of incident response.
B. the IT budget includes funding for SIEM tools to log incidents.
C. the incident response plan is regularly tested.

D. additional staff are trained and available to assist with incident response.
Answer: C
Which of the following is the GREATEST risk associated with the head of information security reporting to
the chief information officer (CIO)?
A. Duplicate roles and responsibilities
B. Insufficient authority to perform duties effectively
C. Inadequate IT security controls to protect FT assets
D. Conflict of interest while running IT operations
Answer: D
The MOST effective control to detect fraud inside an organization's network is to:
A. segregate duties
B. apply two-factor authentication
C. review access logs.
D. implement C (IDS).
Answer: C
Which of the following is the MOST effective way to ensure the development of an application system will
align with organizational security standards?
A. Risk assessment is performed in the early stages of the project
B. The system s business case includes required security controls.
C. Organizational security standards are integrated with business objectives.
D. Vendor application security recommendations have been implemented.

Answer: B
What is the GREATEST benefit of classifying assets based on sensitivity?
A. The organization can allocate appropriate levels of protection.
B. Data is available to appropriately assign asset ownership.
C. The organization is in compliance with regulatory guidelines.
D. Staff can create more realistic risk scenarios.
Answer: A
In an organization that has undergone an expansion through an acquisition, which of the following would
BEST secure the enterprise network?
A. Business or rote-based segmentation
B. Log analysis of system access
C. Using security groups
D. Encryption of data traversing networks
Answer: C
An information security manager determines there are a significant number of exceptions to a newly released
industry-required security standard. Which of the following should be done NEXT?
A. Assess the consequences of noncompliance,
B. Revise the organization s security policy
C. Conduct an information security audit
D. Document risk acceptances.
Answer: D

Which of the following is MOST helpful in integrating information security governance with corporate
governance?
A. Including information security processes within operational and management processes
B. Aligning the information security governance to a globally accepted framework
C. Providing independent reports of information security efficiency and effectiveness to the board
D. Assigning the implementation of information security governance to the steering committee
Answer: A
In an organization with a rapidly changing environment, business management has accepted an information
security risk. It is MOS important for the information security manager to ensure:
A. compliance with the risk acceptance framework
B. the acceptance is aligned with business strategy.
C. the rationale for acceptance is periodically reviewed
D. change activities are documented
Answer: B
To integrate security into system development life cycle (SDLC) processes, an organization MUST ensure that
security:
A. roles and responsibilities have been defined.
B. is a prerequisite for completion of major phases.
C. performance metrics have been met
D. is represented on the configuration control board.
Answer: B

To prevent computers on the corporate network from being used as part of a distributed denial of service
(DDoS) attack, the information security manager should use:
A. rate limiting.
B. incoming traffic filtering.
C. outgoing traffic filtering.
D. IT security policy dissemination.
Answer: B
Which of the following measures BEST indicates an improvement in the information security program to
stakeholders?
A. A downward trend in reported security incidents
B. An increase in awareness training quiz pass rates
C. A decrease in click rates during phishing simulations
D. A reduction in reported viruses
Answer: C
Which of the following should be an information security manager's MOST important consideration when
determining if an information asset has been classified appropriate.
A. Value to the business
B. Security policy requirements
C. Ownership of information
D. Level of protection
Answer: A

Which of the following BEST contributes to the successful management of security incidents?
A. Current technologies
B. Tested controls
C. Established procedures
D. Established policies
Answer: C
An information security manager has identified numerous violations of security policy which prohibits text
messaging from personal devices to conduct official business following is the MOST effective way to reduce
the number of violations?
A. Report violations to senior management.
B. Provide awareness training to end users.
C. Require management approval for policy exceptions.
D. Implement a mobile device management (MDM) solution.
Answer: B
Which of the following should an information security manager do FIRST when developing a communication
plan to support incident management?
A. Assess the security risks associated with communication.
B. Determine who will execute the communication plan.
C. Draft incident communication templates.
D. Identify internal and external parties.
Answer: D
Which of the following BEST facilitates the development of a comprehensive information security policy?

A. Key performance indicators (KPIs)
B. References to known industry standards
C. An established internal audit program
D. An adequately funded information security budget
Answer: D
A potential security breach has been reported to an organization s help desk. Which of the following would be
the PRIMARY role of the help desk in the incident response process?
A. Documentation
B. Troubleshooting
C. Escalation
D. Declaration of an incident
Answer: D
Which of the following would provide the MOST helpful information when developing a prioritized list of IT
assets to protect in the event of an incident?
A. The classification of the information processed by the IT asset
B. The service level agreement (SLA) for the IT asset
C. The owner of the IT asset
D. The replacement cost of the IT asset
Answer: A
The PRIMARY advantage of a network intrusion detection system (IDS) is that it can:
A. detect network vulnerabilities
B.

B. simulate denial-of-service attacks.
C. block undesirable network traffic
D. identify an attack on the network.
Answer: D
Which of the following would BEST mitigate identified vulnerabilities in a timely manner?
A. Monitoring of key risk indicators (KRls)
B. Categorization of the vulnerabilities based on system's criticality
C. Continuous vulnerability monitoring tool
D. Action plan with responsibilities and deadlines
Answer: D
Which of the following is the PRIMARY driver of information security compliance?
A. Industry standards
B. Regulatory requirements
C. Risk appetite
D. Threat environment
Answer: D
What is the BEST way for an information security manager to maintain continuous insight into the
effectiveness of the organization's information security program?
A. Establish information security metrics.
B. Develop timely information security risk reporting.
C.

C. Conduct quarterly penetration testing.
D. Solicit feedback from end users
Answer: B
An organization involved in e-commerce activities operating from its home country opened a new office in
another country wit! stringent security laws. In this scenario, the overall security strategy should be based on:
A. international security standards.
B. risk assessment results.
C. the most stringent requirements.
D. the security organization structure
Answer: C
Which of the following is the MOST important incident management consideration for an organization
subscribing to a cloud service?
A. Decision on the classification of cloud-hosted data
B. Implementation of a SIEM in the organization
C. An agreement on the definition of a security incident
D. Expertise of personnel providing incident response
Answer: A
Which of the following would be the BEST course of action to address a privileged user's unauthorized
modifications to a security application?
A. Enforce the security configuration and require the change to be reverted.
B. Report the risk associated with the policy breach.
C. Implement compensating controls to address the risk.

D. Update the applicable security configuration to accommodate the modification
Answer: C
Which of the following is the GREATEST benefit of information asset classification to an organization?
A. It demonstrates the value of information assets for financial reporting.
B. It helps to optimize the investment in protecting information assets.
C. It helps to minimize the cost of regulatory compliance efforts
D. It measures qualitative value of the information.
Answer: B
An information security manager has identified multiple areas of compliance risk that could subject the
organization to significant penalties regarding the handling of personal data. Which of the following is the
manager s BEST course of action?
A. Immediately update the information security policy to address protection of personal data
B. Implement information masking controls to hide personal data
C. Prioritize the risk and present it to senior management.
D. Seek human resources advice to make appropriate changes to the information security policy.
Answer: C
Which of the following provides the BEST justification for an information security investment when creating
a business case
A. The investment can be managed using the organisation's established system development life cycle.
B. Key risk indicators (KRIs) are available to measure the effectiveness and efficiency of the investment
C. The annualized loss expectancy (ALE) is greater than the annual cost of the investment.
D.

D. The investment reduces the protected asset s inherent risk below the asset s residual risk
Answer: C
An organization planning to contract with a cloud service provider is concerned about the risk of account
hijacking at login. What is MOST important for the organization in its security requirements to address this
concern?
A. Create unique login credentials for each user.
B. Utilize encryption for account logins.
C. Utilize multi-factor authentication
D. Rotate account passwords regularly.
Answer: C
Which of the following is the MOST important reason to develop an organizational threat profile?
A. To support business cases for information security investments
B. To support risk treatment decisions
C. To develop threat briefings for senior management
D. To implement a proactive approach for threat management
Answer: B
An information security manager is planning to purchase a mobile device management (MDM) system to
manage personal devices used by employees to access corpor Which of the following is MOST important to
include in the business case?
A. Information security-related metrics
C. Industry best practice benchmarking results

D. Identified risks and mitigating controls
Answer: B
A new privacy regulation is due to take effect in a region where an organization does business. Which of the
following would be MOST helpful in understanding what .. needs to do to maintain compliance?
A. Internal audit review
B. Vulnerability assessment
C. Gap analysis
D. Legal department review
Answer: C
An information security manager has been informed of a new vulnerability in an online banking application,
and a patch to resolve this issue is expected to be released in the next 72 hours. The information security
manager s MOST important course of action is to:
A. identify and implement mitigating controls.
B. run the application system m offline mode.
C. perform a business impact analysis (BIA).
D. assess the risk and advise senior management
Answer: C
When an organization and its IT-hosting service provider are establishing a contract with each other, it is
MOST important that the
contract includes:
A. recovery time objectives (RTOs).
B.

B. details of expected security metrics
C. penalties for noncompliance with security policy
D. each party s security responsibilities.
Answer: A
Authorization can BEST be accomplished by establishing:
A. whether users are who they say they are
B. who users can do when they are granted system access.
C. how users identify themselves to information systems.
D. the ownership of the data
Answer: B
Internal audit has reported a number of information security issues which are not in compliance with
regulatory requirements. What should the information security manager do FIRST?
A. Create a security exception
B. Perform a vulnerability assessment
C. Assess the risk to business operations
D. Perform a gap analysis to determine needed resources.
Answer: D
Which of the following is the MOST important consideration when developing an incident management
program?
A. IT architecture
B. Impact assessment

C. Risk assessment
D. Escalation procedures
Answer: D
The MOST effective way to continuously monitor an organization's cybersecurity posture is to evaluate its
A. key performance indicators (KPIs).
B. compliance with industry regulations.
C. timeliness m responding to attacks.
D. level of support from senior management.
Answer: D
What is a potential issue when emails are encrypted and digitally signed?
A. The receiver can repudiate the receipt of the emails.
B. Hackers can eavesdrop on emails.
C. Hackers can introduce forged messaging within emails.
D. The sender can repudiate the contents of the emails.
Answer: A
Which of the following would BEST detect malicious damage arising from an internal threat?
A. Fraud awareness training
B. Job rotation
C. Access control list
D. Encryption

Answer: B
After a risk has been mitigated, which of the following is the BEST way to help ensure residual risk remains
within an organization's established risk tolerance?
A. Conduct programs to promote user risk awareness
B. Monitor the security environment for changes in risk.
C. Introduce new risk scenarios to test program effectiveness.
D. Perform a business impact analysis (BIA).
Answer: B
When introducing security measures into a software development life cycle, which of the following should be
the FIRST step?
A. Create a threat model.
B. Conduct static code analysis.
C. Perform benchmarking.
D. Institute a peer review
Answer: C
Which of the following is the MOST important element of an effective external information security
communication plan?
A. Regulatory compliance
B. Communications director approval
C. Senior management approval
D. Public relations involvement
Answer: A

Which of the following is the MOST effective way to communicate information security risk to senior
management?
B. Heat map
D. Business impact analysis (BIA)
Answer: B
Which of the following should be the MOST important criteria when defining data retention policies?
A. Regulatory requirements
B. Industry best practices
C. Audit findings
D. Capacity requirements
Answer: A
Which of the following is the MOST important element of a response plan for IT security incidents?
A. Requirements for investigative evidence
B. Appropriate team members
C. Test plans for containment and recovery procedures
D. Guidelines for preserving digital evidence
Answer: A

The BEST way to identify the criticality of systems to the business is through:
A. a vulnerability assessment.
B. a threat assessment.
C. an impact assessment.
D. an asset classification.
Answer: C
Which of the following is MOST critical for the successful implementation of an information security
strategy?
A. Established information security policies
B. Sizeable funding for the information security program
C. Compliance with regulations
D. Ongoing commitment from senior management
Answer: D
Which of the following should be the PRIMARY consideration when creating a business continuity plan
(BCP)?
A. Alternative processing facilities
B. Meeting recovery time objectives (RTOs)
C. Disaster recovery testing
D. Data backup strategies
Answer: B

An IT department has given a vendor remote access to the internal network for troubleshooting network
performance problems. After discovering the remote activity during a firewall log review, which of the
following is the FIRST course of action for an information security manager?
A. Determine the level of access granted
B. Review the related service level agreement (SLA).
C. Revoke the access.
D. Declare a security incident.
Answer: A
Which of the following should an incident response team do NEXT after validating an event is an incident?
A. Contain the incident.
B. Identify the toot cause.
C. Invoke the response plan.
D. Escalate to management
Answer: A
When reporting to senior management on an information security vulnerability that could lead to a potential
breach, what information is MOST likely to facilitate the decision-making process?
A. Cost to remediate
B. Risk treatment options
C. Business impact
D. Regulatory requirements
Answer: C
Following a risk assessment new countermeasures have been approved by management. Which of the

following should be performed NEXT?
A. Schedule the target end date for implementation activities.
B. Develop an implementation strategy
C. Calculate the residual risk for each countermeasure
D. Budget the total cost of implementation activities.
Answer: C
Which of the following is an information security manager's MOST important consideration during the
investigative process of analyzing the hard drive of 3 compromises..
A. Maintaining chain of custody
B. Notifying the relevant stakeholders
C. Identifying the relevant strain of malware
D. Determining the classification of stored data
Answer: D
With limited resources in the information security department which of the following is the BEST approach
for managing security risk?
A. Implement technical solutions to automate security management activities.
B. Hire additional information security staff.
C. Engage a third-party company to provide security support.
D. Prioritize security activities and report to management
Answer: D
A financial institution's privacy department has requested the implementation of multi-factor authentication to

comply with regulations for providing services over the Internet. Which of the following authentication
schemes would BEST meet this compliance requirement?
A. Username and password
B. Thumbprint and facial recognition
C. Four-digit PIN and secret question
D. Passphrase and token key
Answer: D
A system administrator failed to report a security incident where the critical application server was not
available to the business users. Which of the following is the BEST way to prevent a reoccurrence?
A. Communicate disciplinary procedures.
B. Document the incident response plan
C. Define communication processes
D. Conduct incident response plan testing.
Answer: D
Following a recent acquisition, an information security manager has been requested to address the outstanding
risk reported early in the acquisition process. Which of the following is the manager s BEST course of action?
A. Perform a vulnerability assessment of the acquired company s infrastructure.
B. Add the outstanding risk to the acquiring organization's risk registry
C. Re-assess the outstanding risk of the acquired company.
D. Re-evaluate the risk treatment plan for the outstanding risk.
Answer: C

Which of the following would BEST ensure that application security standards are in place?
A. Penetration testing
B. Performing a code review
C. Functional testing
D. Publishing software coding standards
Answer: B
Which of the following should be the FIRST course of action when it becomes apparent that the recovery time
objective (RTO) will not be met during incident response
A. Escalate the emergency status rating.
B. Request additional financial recovery resources.
C. Notify the risk management team.
D Modify the RTO as needed
Answer: C
The PRIMARY disadvantage of using a cold-site recovery facility is that it is:
A. not cost-effective for testing critical applications at the site
B. not possible to reserve test dates m advance
C. only available if not being used by the primary tenant,
D. unavailable for testing during normal business hours.
Answer: A
Which of the following is MOST important to include in an information security strategy?
A. Information security organizational structures and responsibilities

B. Current and future desired state of information security
C. Information security program needs
D. Cost reduction techniques for information security investments
Answer: B
Organization XYZ. a lucrative, Internet-only business, recently suffered a power outage that lasted 2 hours.
The organization s data center was unavailable in the interim. In order to mitigate risk in the MOST
cost-efficient manner, the organization should:
A. create an FT hot site with immediate fail-over capability.
B. install an uninterruptible power supply (UPS) and generator.
C. plan to operate at a reduced capacity from the primary place of business.
D. set up a duplicate business center in a geographically separate area.
Answer: B
Which of the following is the MOST important reason for performing a risk analysis?
A. Assigning the appropriate level of protection
B. Promoting increased security awareness in the organization
C. Identifying critical information assets
D. Identifying and eliminating threats
Answer: A
During the due diligence phase of an acquisition, the MOST important course of action for an information
security manager is to:
A. perform a gap analysis.
B.

B. review the state of security awareness.
C. perform a risk assessment
D. review information security policies
Answer: A
The selection of security controls is PRIMARILY linked to:
A. business impact assessment
B. regulatory requirements
C. best practices of similar organizations.
D. risk appetite of the organization.
Answer: A
Which of the following would BEST help to ensure an organization s security program is aligned with
business objectives?
A. Project managers receive annual information security awareness training.
B. The organization's board of directors includes a dedicated information security specialist
C. Security policies are reviewed and approved by the chief information officer.
D. The security strategy it reviewed and approved by the organization s executive committee.
Answer: D
Which of the following would be an information security manager's BEST course of action upon learning a
third-party cloud provider is not meeting information security with regard to data encryption?
A. Report the risk to relevant stakeholders.
B. Recommend compensating controls to mitigate the risk.
C.

C. Provide a date of remediation to the cloud provider.
D. Discontinue engagement with the cloud provider.
Answer: A
To address the issue that performance pressures on IT may conflict with information security controls, it is
MOST important that:
A. senior management provides guidance and dispute resolution.
B. noncompliance issues are reported to senior management.
C. information security management understands business performance issues.
D. the security policy is changed to accommodate IT performance pressure.
Answer: A
An organization's operations have been significantly impacted by a cyber attack resulting in data loss. Once
the attack has been contained, what should the security team.
A. Perform a root cause analysis.
B. Conduct a lessons learned exercise.
C. Implement compensating controls.
D. Update the incident response plan.
Answer: A
Which of the following is the PRIMARY objective of the incident management process?
A. To reduce the likelihood that security incidents will occur
B. To reduce the impact of security incidents on the business
C. To improve security incident response capabilities
D. To validate the organization's risk tolerance

Answer: B
Which of the following is the PRIMARY objective of implementing an information security strategy?
A. To demonstrate compliance with legal requirements
B. To align with industry best practices
C. To maintain adherence to information security policies
D. To manage risk to an acceptable level
Answer: D
There are concerns that security events are not reported to management in a timely manner. To address this
situation which of the following is MOST important to review?
A. Key risk indicators (KRls)
B. The security event log
C. Control ownership
D. The incident response plan
Answer: D
The MOST important reason that security risk assessments should be conducted frequently throughout an
organization is because:
A. threats to the organization may change.
B. compliance with legal and regulatory standards should be reassessed.
C. control effectiveness may weaken.
D. controls should be regularly tested.
Answer: A

To gain a clear+ understanding of the impact that a new regulatory requirement will have on an organization s
information security controls, an information security manager should FIRST:
A. interview senior management
B. conduct a cost-benefit analysis.
C. conduct a risk assessment
D. perform a gap analysis.
Answer: D
Which of the following is the MOST useful input for an information security manager when refreshing the
organizations security strategy?
A. Results of a vulnerability scan
B. Results of a security pokey review
C. Results of a security risk assessment
D. Results of a red team exercise
Answer: C
Which of the following is the BEST way to facilitate the alignment between an organization's information
security program and business objectives?
A. The information security program is audited by the internal audit department
B. The chief executive officer reviews and approves the information security program.
C. The information security governance committee includes representation from key business areas.
D. Information security is considered at the feasibility stage of all I Perform a business impact analysisT
projects
Answer: C

Human resources is evaluating potential Software as a Service (SaaS) cloud services, Which of the following
should the information security manager do FIRST to support..
A. Conduct a security audit on the cloud service providers.
B. Review the cloud service providers" controls reports.
C. Perform a cost-benefit analysis of using cloud services.
D. Perform a risk assessment of adopting cloud services.
Answer: D
Which of the following would BEST enable management to be aware of an electronic breach to an externally
hosted database?
A. Implement a dedicated firewall configured to block suspicious activity.
B. Obligate the vendor to report suspicious activity and database breaches.
C. Implement tog monitoring of the database environment for suspicious activity.
D. Review independent audit reports of the vendors data center environment.
Answer: B
A review of a number of recent XT system rollouts identified a failure to incorporate security within planning,
development and implementation. Which of the following is the MOST effective way to prevent a recurrence
for future systems?
A. Implement security assessments throughout the systems development life cycle.
B. Conduct regular security audits during system implementation stages.
C. Require penetration tests before production implementation.
D. Train and test system developers m secure coding practices.
Answer: A

Which of the following BEST indicates that an information security strategy is aligned to the business
strategy?
A. An effective information security steering committee
B. An adequately funded security budget
C. A fully staffed security operations center (SOC)
D. Effective information security controls organization-wide
Answer: A
Which of the following is the BEST evidence that proper security monitoring controls are in place?
A. The intrusion detection system (IDS) generates potential alerts.
B. Mature escalation procedures are in place for incidents
C. Staff regularly report suspicious activity.
D. Incidents are contained before they cause damage
Answer: D
Reviewing security objectives and ensuring the integration of security across business units is PRIMARILY
the focus of the:
A. executive management
B. chief information security officer (CISO).
C. steering committee.
D. board of directors.
Answer: C

Which of the following provides the BEST evidence that a recently established information security program
is effective?
A. The number of reported incidents has increased
B. Senior management has reported fewer junk emails
C. Regular IT balanced scorecards are communicated
D. The number of tickets associated with IT incidents have stayed consistent
Answer: C
Which of the following would present the GREATEST challenge to integrating information security
governance into corporate governance?
A. key security processes are outsourced.
B. Information security best practices ant not well understood.
C. The information security function is decentralized.
D. The security organizational structure is loosely defined
Answer: A
Which of the following BEST measures the effectiveness of an organization's information security strategy?
A. Comparison of residual risk to risk appetite
B. Comparison of mitigated risk to accepted risk
C. Comparison of current security budget to previous year's budget
D. Comparison of threats to vulnerabilities
Answer: A

Which of the following is the MOST effective way for senior management to support the integration of
information security governance into corporate governance?
A. Establish a storing committee with representation from across the organization.
B. Appoint a business manager as head of information security
C. Promote organization-wide information security awareness campaigns.
D. Develop the information security strategy based on the enterprise strategy
Answer: A
Which of the following is MOST helpful to review to gain an understanding of the effectiveness of an
organization s information security program?
A. External Audit results
C. Key risk indicators (KRls)
D. Balanced scorecard
Answer: C
Which of the following is the MOST important consideration of the information security manager to ensure
effective security monitoring of outsourced operations?
A. Performing security audits on the outsourcing vendor s IT environment
B. Reflecting monitoring requirements m the contractual indemnity agreement
C. including security requirements and right to audit within the contract
D. Monitoring security incidents and periodic security reports from the outsourcing vendor
Answer: C

Which of the following should be used to attain sustainable and continuous information security process
improvement?
A. Annual audit
B. Plan, Do. Check. Act Process Model
D. System development life cycle (SDLC) process
Answer: B
The PRIMARY goal of a security infrastructure design is the:
A. elimination of risk exposures.
B. protection of corporate assets
C. reduction of security incidents.
D. optimization of IT resources
Answer: B
Which of the following would BEST fulfill a board of directors' request for a concise
A. Business impact analysis
B. Risk heat map
D. Risk register
Answer: D
After assessing risk, the decision to treat the risk should be based PRIMARILY on:
A.

A. whether the level of risk exceeds risk appetite.
B. the criticality of the risk.
C. whether the level of risk exceeds inherent risk.
D. availability of financial resources.
Answer: A
Which of the following is MOST important to consider when developing a security awareness program in an
organization?
A. Industry benchmarks
B. Targeted monthly deliverables
C. Target audience demographics
D. Established key risk indicators (KRIs)
Answer: C
Which of the following should be the PRIMARY factor in prioritizing responses to a security incident?
A. Cost of mitigation
B. Inherent cost of assets
C. Asset classification
D. Incident location
Answer: C

Topic 4, Exam Pool D

Which of the following is the PRIMARY benefit to an organization using an automated event monitoring
solution?
A. Improved network protection
B. Enhanced forensic analysis
C. Reduced need for manual analysis
D. Improved response time to incidents
Answer: D
Which of the following is MOST useful to include in a report to senior management on a regular basis to
demonstrate the effectiveness of the information security program?
A. Key risk indicators (KRIs)
B. Capability maturity models
C. Key performance indicators (KPls)
D. Critical success factors (CSFs)
Answer: C
Which of the following is MOST important to consider when developing a disaster recovery plan?
A. Business continuity plan (BCP)
C. Cost-benefit analysis
D. Feasibility assessment
Answer: B

An organization us& a particular encryption protocol for externally facing web pages and key financial
services. A security firm publicizes a critical security flaw in the encryp manager do FIRST?
A. Isolate potentially vulnerable systems.
B. Perform a risk assessment.
C. Activate the incident response team.
D. Remediate the vulnerability.
Answer: A
Which of the following tools BEST demonstrates the effectiveness of the information security program?
A. Key risk indicators (KRls)
B. A security balanced scorecard
C. Risk heat map
D. Management satisfaction surveys
Answer: A
In which of the following situations is it MOST important to escalate an incident response to senior
management?
A. The owner of the affected business function is not available.
B. The time-related service levels for response are below risk threshold levels.
C. The impact of the incident exceeds the organization's risk tolerance.
D. The incident impacts a business-critical system.
Answer: C

An organization implemented a mandatory information security awareness training program a year ago. What
is the BEST way to determine its effectiveness?
A. Analyze findings from previous audit reports
B. Analyze results from training completion reports.
C. Analyze responses from an employee survey on training satisfaction
D. Analyze results of a social engineering test
Answer: D
Which of the following is MOST important when selecting an information security metric?
A. Aligning the metric to the IT strategy
B. Defining the metric in quantitative terms
C. Ensuring the metric is repeatable
D. Defining the metric in qualitative terms
Answer: B
Which of the following is MOST important for an information security manager to consider when developing
a new information security policy?
A. Organizational goals and objectives
B. Alignment with industry standards
C. Organizational culture and complexity
D. Information security budget allocation
Answer: A
Which of the following is the PRIMARY benefit of using a tabletop method to conduct an incident response
exercise?
A. Potential impact to business operations is minimized.

B. The impact of IT systems on business operations is quantified.
C. The readiness of applications for testing is ensured.
D. Visibility into personnel effectiveness is increased.
Answer: D
Which of the following is the FlRST step to promoting acceptable behavior with regard to information security
throughout an organization?
A. Automate controls that enforce acceptable use.
B. Incorporate information security standards into performance evaluations.
C. Require signed acknowledgment of acceptable use policies.
D. Conduct targeted acceptable use training for management and staff.
Answer: A
Which of the following is the MOST relevant source of information for determining the available internal
human resources for executing the information security program?
A. Roles and responsibilities matrix
B. Job descriptions
C. Skills inventory
D. RACl chart
Answer: C
Which of the following would BEST help to ensure compliance with an organizations information security
requirements by an IT service provider?
A. Defining information security requirements with internal IT
B. Requiring an external security audit of the IT service provider

C. Defining the business recovery plan with the IT service provider
D. Requiring regular reporting from the IT service provider
Answer: D
An audit reveals that some of an organizations software is end-of-life and the vendor will no longer provide
support or security patches. Which of the following is the BEST way for the information security manager to
address this situation?
A. Segment the affected system on the network.
B. Research alternative software solutions.
C. Assess the risk and impact to the business.
D. Research compensating security controls.
Answer: C
The BEST way to establish a recovery time objective (RTO) that balances cost with a realistic recovery time
frame is to:
A. conduct a risk assessment
B. determine daily downtime cost.
C. perform a business impact analysis (BlA).
D. analyze cost metrics
Answer: B
Which of the following is an example of a change to the external threat landscape?
A. New legislation has been enacted in a region where the organization does business.
B. Organizational security standards have been modified.
C. Infrastructure changes to the organization have been implemented.
D.

D. A commonly used encryption algorithm has been compromised.
Answer: A
Which of the following should the information security manager do FIRST after a security incident has been
reported?
A. Identify the scope and size of the affected environment.
B. Identify the possible source of attack.
C. Determine the degree of loss resulting from the incident.
D. Retrieve the information needed to confirm the incident.
Answer: A
A recent audit has identified that security controls required by the organization's policies have not been
implemented for a particular application. What should the information security manager do NEXT to address
this issue?
A. Discuss the issue with data owners to determine the reason for the exception.
B. Discuss the issue with data custodians to determine the reason for the exception.
C. Report the issue to senior management and request funding to fix the issue
D. Deny access to the application until the issue is resolved.
Answer: A
Which of the following is the FIRST task when determining an organization's information security profile?
A. Build an asset inventory.
B. Establish security standards.
C. Complete a threat assessment
D. List administrative privileges.

Answer: A
Which of the following is the PRIMARY product of a business impact analysis (BIA)?
A. Well-defined incident escalation procedures
B. A heat map of business risk scenarios
C. Prioritization of vulnerabilities for remediation
D. Prioritization of assets for business recovery
Answer: D
An organization s HR department would like to outsource its employee management system to a cloud-hosted
solution due to features and cost savings offered. Management has identified this solution as a business need
and wants to move forward. What should be the PRIMARY role of information security in this effort?
A. Ensure a security audit is performed of the service provider.
B. Ensure the service provider has the appropriate certifications.
C. Explain security issues associated with the solution to management.
D. Determine how to securely implement the solution.
Answer: C
Which of the following is the MOST effective way to ensure security policies are relevant to organizational
business practices?
A. Obtain senior management sign-off.
B. Integrate industry best practices.
C. Leverage security steering committee contribution.
D. Conduct an organization-wide security audit.
Answer: C

A cloud service provider is unable to provide an independent assessment of controls. Which of the following is
the BEST way to obtain assurance that the provider can adequately protect the organization's information?
A. Review the providers serf-assessment
B. Check references supplied by the provider's other customers
C. Review the provider s information security policy.
D. Invoke the right to audit per the contract
Answer: D
Which of the following should an information security manager do FIRST when an organization plans to
migrate all internally hosted applications to the cloud?
A. Assess the risk associated with the cloud services.
B. Create an information security action plan.
C. Determine information security requirements for the cloud.
D. Develop key risk indicators (KRIs).
Answer: A
What is the BEST way to manage access to data and applications for large user bases?
A. Mandatory access control
B. Access control lists
C. Discretionary access control
D. Role-based access control
Answer: D

A recent phishing attack investigation showed that several employees had used their work email addresses to
create personal accounts on a shopping site that had been breached. What is the BEST way to prevent this
A. Update the incident response plan to address this situation.
B. Send periodic fake phishing emails to employees and track responses.
C. Conduct information security awareness training for employees.
D. Block personal shopping sites using proxy filtering.
Answer: C
An organization is the victim of a targeted attack, and is unaware of the compromise until a security analyst
notices an additional user account on the firewall. The implementation of which of the following would have
detected the incident?
A. Security information event management (SIEM)
B. Web-application firewall (WAF)
C. Data leakage prevention (OLP)
D. Network access control (NAC)
Answer: C
An organization establishes an internal document collaboration site. To ensure data confidentiality of each
project group, it is MOST important to:
A. periodically recertify access rights
B. conduct a vulnerability assessment
C. enforce document life cycle management.
D. prohibit remote access to the site.
Answer: A

Which of the following is the MOST important consideration when designing information security
architecture?
A. Risk management parameters for the organization are defined.
B. The information security architecture is aligned with industry standards.
C. The level of security supported is based on business decisions.
D. The existing threat landscape is monitored.
Answer: C
Which of the following is PRIMARILY influenced by a business impact analysis (BIA)?
A. IT strategy
B. Security strategy
C. Risk mitigation strategy
D. Recovery strategy
Answer: C
Which of the following is the BEST approach for determining the maturity level of an information security
program?
A. Engage a third-party review.
B. Review internal audit results.
C. Evaluate key performance indicators (KPls).
D. Perform a self-assessment.
Answer: A
Which of the following is the BEST way to provide management with meaningful information regarding the
performance of the information security program against strategic objectives?

A. Develop an information security heat map.
B. Issue periodic reports to demonstrate compliance with security standards.
C. Publish the information security strategy across the organization.
D. Establish a balanced scorecard dashboard.
Answer: D
During an annual security review of an organizations servers, it was found that the customer service team's file
server, which contains sensitive customer data, is accessible to all user IDs in the organization. Which of the
following should the information security manager do FIRST?
A. Report The situation to the data owner.
B. Train the customer service team on properly controlling file permissions.
C. Isolate the server from the network.
D. Remove access privileges to the folder containing the data.
Answer: A
Which of the following is MOST helpful to management in determining whether risks are within an
organization's tolerance level?
A. Audit findings
B. Maturity level
C. Heat map
D. Penetration test results
Answer: C
An information security manager reads a media report of a new type of malware attack. Who should be
notified FIRST"
A. Security operations team

B. Application owners
C. Data owners
D. Communications department
Answer: A
Which of the following is MOST important to the successful implementation of an information security
governance framework across the organization?
A. Security management processes aligned with security objectives
B. The existing organizational security culture
C. Organizational security controls deployed in line with regulations
D. Security policies that adhere to industry best practices
Answer: B
When developing an information security governance framework, which of the following should be the FIRST
activity?
A. Align the information security program with the organization's other risk and control activities.
B. Develop policies and procedures to support the framework.
C. Develop response measures to detect and ensure the closure of security breaches.
D. Integrate security within the system's devetoojtam life cycle process.
Answer: A
Which of the following practices BEST supports the achievement of information security program objectives
in the IT function?
A. Review and approval of IT projects by the information security manager
B. IT management sign-off on information security policies

C. Continuous security auditing of IT service processes
D. Participation of IT stakeholders in the security program steering committee
Answer: D
It is MOST important tot an information security manager to ensure that security risk assessments are
performed:
A. In response to the threat landscape,
B. during a root cause analysis
C. consistently throughout the enterprise.
D. as part of the security business case
Answer: C
Which of the following is the MOST effective way to ensure the information security risk associated with
third-party services is addressed?
A. Perform a risk assessment on the services.
B. Conduct a security test of the services prior to implementation.
C. Include appropriate security requirements in the contract.
D. Provide security awareness training to third-party employees.
Answer: A
A business unit has updated its long-term business plan to include a strategy of upgrading information
management system to increase productivity. To support this initiative, with the information security strategy?
A. the information security framework
B. The business strategy
C.

C. The IT strategy
D. It risk assessment results
Answer: D
Which of the following is the PRIMARY purpose of conducting a business impact analysis (BIA)?
A. Identifying critical business processes
B. Identifying key business risks
C. Identifying risk mitigation options
D. Identifying the threat environment
Answer: A
When preparing a disaster recovery plan, which of the following would BEST help in prioritizing the
restoration of business systems?
A. Recovery time objective (RTO)
B. Annual loss expectancy (ALE)
C. Service level agreement (SLA)
D. System utilization requirements
Answer: A
Which of the following is the MOST important requirement for the successful implementation of security
governance?
A. Implementing a security balanced scorecard
B. Aligning to an international security framework
C. Performing an enterprise-wide risk assessment
D. Mapping to organizational strategies

Answer: D
Information classification is a fundamental step in determining:
A. the type of metrics that should be captured
B. whether risk analysis objectives are met.
C. the security strategy that should be used
D. who has ownership of information.
Answer: C
Which of the following is the BEST evidence that information security governance works as a business
enabler?
A. Business initiatives are within risk tolerance.
B. Security key performance indicators (KPIs) are included in management briefings.
C. Business initiatives are prioritized over security initiatives.
D. Security initiatives have positive return on investment (ROI).
Answer: A
What should an information security manager do NEXT when management does not accept control
recommendations resulting from a risk assessment?
A. Remove the recommendations.
B. Document the decision.
C. Perform a reassessment.
D. Implement the recommendations.
Answer: B

Several significant risks have been identified after a centralized risk register was compiled and prioritized. The
information security manager's MOST important action is to:
A. provide senior management with risk treatment options.
B. design and implement controls to reduce the risk.
C. consult external third parties on how to treat the risk
D. ensure that employees are aware of the risk.
Answer: A
An organization has experienced a ransomware attack. Which of the following is the BEST course of action to
prevent further attacks?
A. Implement application blacklisting.
B. Refuse to pay the ransom.
C. Update the security policy.
D. Implement application whitelisting.
Answer: B
Which of the following is the PRIMARY role of a data custodian?
A. Classifying information
B. Securing information
C. Validating information
D. Processing information
Answer: B
As the security program matures, which of the following reports presented to senior management provides the

MOST insight on the importance of the security program7
A. The status of approved security projects against budget
B. The causes and impacts of security-related incidents
C. The contribution of security investments to business growth
D. The maturity of the security program
Answer: C
Which of the following is the BEST indication of an effective information security program?
A. Key risk indicators (KRIs) are established.
B. Risk is treated to an acceptable level.
C. Policies are approved by senior management.
D. Policies and standards are developed.
Answer: D
Which of the following is the GREATEST benefit of a comprehensive set of security program metrics?
A. Validation of risk assessment results
B. Evaluation of the security strategy
C. Data to support risk assessments
D. Visibility to security compliance
Answer: B
What should be an information security manager's FIRST step when developing a business case for a new
intrusion detection system (IDS) solution?
A. Define the issues to be addressed.

B. Conduct a feasibility study.
C. Calculate the total cost of ownership (TCO).
D. Perform a cost-benefit analysis.
Answer: B
Which of the following BEST supports the risk assessment process to determine criticality of an asset?
A. Threat assessment
C. Business impact analysis (BIA)
D. Residual risk analysis
Answer: C
In the absence of technical controls, what would be the BEST way to reduce unauthorized text messaging on
company-supplied mobile devices?
A. Update the corporate mobile usage policy to prohibit texting.
B. Conduct a business impact analysis (BIA) and provide the report to management
C. Include the topic of prohibited texting in security awareness training.
D. Stop providing mobile devices until the organization is able to implement controls.
Answer: A
Which of the following is the PRIMARY purpose of red team testing?
A. To establish a baseline incident response program
B. To assess the vulnerability of employees to social engineering
C. To confirm the risk profile of the organization
D.

D. To determine the organization s preparedness for an attack
Answer: D
What should the information security manager do FIRST when end users express that new security controls
are too restrictive?
A. Perform a cost-benefit analysis on modifying the control environment
B. Conduct a business impact analysis (BIA).
C. Obtain process owner buy-in to remove the controls.
D. Perform a risk assessment on modifying the control environment.
Answer: D
An investigation of a recent security incident determined that the root cause was negligent handling of incident
alerts by system administrators. What is the BEST way for the information security manager to address this
issue?
A. Provide incident response training to data custodians.
B. Revise the incident response plan to align with business processes.
C. Conduct a risk assessment and share the results with senior management.
D. Provide incident response training to data owners.
Answer: C
Which of the following is the BEST way to rigorously test a disaster recovery plan for a mission-critical
system without disrupting business operations?
A. Simulation testing
B. Checklist review
C. Structured walk-through
D.

D. Parallel testing
Answer: A
A business unit has updated its long-term business plan to include a strategy of upgrading information
management systems to increase productivity. To support this initiative, what should be the PRIMARY basis
for updating the corresponding. information security strategy?
A. The information security framework
B. The business strategy
C. The IT strategy
D. IT risk assessment results
Answer: D
A new mobile application is unable to adhere to the organization's authentication policy. Which of the
following would be the information security manager's BEST course of activity----
A. Modify the policy to accommodate the application capabilities.
B. Accept the risk and document the exception.
C. Determine alternative controls.
D. Investigate alternative mobile applications.
Answer: C
The PRIMARY purpose of a risk assessment is to enable business leaders to:
A. make informed decisions.
B. define key risk indicators (KRIs).
C. manage information security expenditures.
D. align information security to business objectives.
Answer: A

Which of the following is the MOST important outcome of monitoring and reporting on information security
processes?
A. Ensuring information security operations support control objectives
B. Ensuring information security operations are reviewed for effectiveness
C. Ensiling information security operations follow approved procedures
D. Ensuring information security operations meet service level agreements (SLA)
Answer: A
Which of the following is the BEST way to prevent segregation of duties violations?
A. Review access logs for violations.
B. Enable data encryption with strong keys.
C. Implement role-based access.
D. Implement an identity management system.
Answer: C
Which of the following is the GREATEST security threat when an organization allows remote access through
a virtual private network (VPN)?
A. Client logins are subject to replay attack.
B. VPN traffic could be sniffed and captured.
C. Compromised VPN clients could impact the network.
D. Attackers could compromise the VPN gateway.
Answer: C

Which of the following is the MOST important part of an incident response plan?
A. Recovery time objective (RTO)
C. Recovery point objective (RPO)
D. Mean time to report (MTR)
Answer: A
An information security manager has identified the organization is not in compliance with new legislation that
will soon be in effect. Which of the following is MOST important to consider when determining additional
controls to be implemented?
A. The information security strategy
B. The information security policy
C. The organization's risk appetite
D. The organization's cost of noncompliance
Answer: D
Which of the ager to regularly report to senior management?
A. Results of penetration tests
B. Impact of untreated risks
C. Threat analysis reports
D. Audit reports
Answer: C
Which of the following is the BEST way for an information security manager to justify continued investment

in the information security program when the organization is facing significant budget cuts?
A. Demonstrate that implemented program controls are effective.
B. Demonstrate that the program enables business activities.
C. Demonstrate an increase in ransomware attacks targeting peer organizations.
D. Demonstrate the readiness of business continuity plans.
Answer: B
Which of the following incident response team (IRT) models is ideal for an organization that is regionally
managed'
A. Coordinating IRT
B. Distributed IRT
C. Geographical IRT
D. Central IRT
Answer: B
Which of the following would provide nonrepudiation of electronic transactions?
A. Two-factor authentication
B. Receipt acknowledgment
C. Third-party certificates
D. Periodic reaccreditations
Answer: B
Which of the following is MOST important when establishing effective information security metrics?
A. Receiving senior management approval
B.

B. Mapping each metric to a specific control
C. Understanding the business objectives
D. Mapping each metric to information security objectives
Answer: C
Which of the following is an example of a deterrent control?
A. Segregation of responsibilities
B. Periodic data restoration
C. An intrusion detection system (IDS)
D. a warning banner
Answer: A
Which of the following provides the BEST preparation for handling the breach of a corporate web site?
A. Incident response testing
B. Review of cyber liability insurance coverage
C. Documented data recovery procedures
D. Web server penetration testing
Answer: A
Which of the following is the MOST important characteristic of an effective security policy?
A. The policy has been validated by business owners.
B. The policy includes actionable procedures.
C. The policy provides broad organizational direction.
D. The policy is aligned to industry best practice.

Answer: C
What should be the PRIMARY objective of conducting interviews with business unit managers when
developing an information security strategy?
A. Determine information types.
B. Obtain information on departmental goals.
C. Identify data and system ownership.
D. Classify information assets.
Answer: B
Which of the following is MOST important for an information security manager to include in a report to senior
management following a post-incident review?
A. Lessons learned
B. Snapshot of system logs
C. The incident response plan
D. Detailed metrics
Answer: A
The GREATEST benefit of using a maturity model when providing security reports to management is that it
presents the:
A. assessed level of security risk at a particular point m time.
B. current and target security state for the business.
C. security program priorities to achieve an accepted risk level.
D. level of compliance with internal policy.
Answer: B

Which of the following is an information security manager's BEST course of action upon identification of a
shadow IT application being used by a business unit?
A. Perform a vendor due diligence review.
B. Notify senior management of the application.
C. Determine the nature of information within the application.
D. Report the application to the IT department.
Answer: C
Which of the following BEST indicates that information security will be considered when new IT technologies
are implemented across an organization?
A. Employees receive information security awareness training.
B. The information security manager is on the IT architecture review board.
C. IT employee job descriptions include information security roles and responsibilities.
D. The information security function reports to the chief information officer.
Answer: B

Topic 5, Exam Pool E

Which of the following would be the MOST important information to include in a business case for an
information security project in a highly regulated industry?
A. Critical audit findings
B. Number of reported security incidents
C. Compliance risk assessment
D. Industry comparison analysis
Answer: C
The integration of information security risk management processes within corporate risk management
processes will MOST likely result in:
A. senior management approval of the information security budgets.
B. improved efficiencies of security operations.
C. information security controls that reduce enterprise risk.
D. more effective security risk management processes.
Answer: B
An organization plans to leverage popular social network platforms to promote its products and services.
Which of the following is the BEST course of action for the information security manager to support this
initiative?
A. Conduct vulnerability assessments on social network platforms
B. Develop security controls for the use of social networks
C. Assess the security risk associated with the use of social networks
D. Establish processes to publish content on social networks

Answer: B
Which of the following is the MOST important outcome of a well-implemented awareness program?
A. Help desk response time to resolve incidents is improved.
B. The number of successful social engineering attacks is reduced.
C. The board is held accountable for risk management.
D. The number of reported security incidents steadily decreases.
Answer: B
Which of the following is the MOST effective approach to communicate general information security
responsibilities across an organization?
A. Require staff to sign confidentiality agreements.
B. Provide regular security awareness training.
C. Develop a RAO matrix for the organization.
D. Specify information security responsibilities in job descriptions.
Answer: D
An organization enacted several information security policies to satisfy regulatory requirements. Which of the
following situations would MOST likely increase the probability of noncompliance to these requirements?
A. Lack of training for end users on security policies
B. Inadequate buy-in from system owners to support the policies
C. Availability of security policy documents on a public website
D. Lack of an information security governance framework
Answer: B

Which of the following is MOST important for an information security manager to ensure is included in a
business case for a new security system?
A. Risk reduction associated with the system
B. Benchmarking results
C. Effectiveness of controls
D. Audit-logging capabilities
Answer: A
An information security manager has observed multiple exceptions for a number of different security controls.
Which of the following should be the information security manager's FIRST course of action?
A. Report the noncompliance to the board of directors.
B. Prioritize the risk and implement treatment options.
C. Inform respective risk owners of the impact of exceptions.
D. Design mitigating controls for the exceptions.
Answer: B
Which of the following is the MOST important component of a risk profile?
A. Data classification results
B. Risk management framework
C. Risk assessment methodology
D. Penetration test results
Answer: C


Topic 6, Exam Pool F
A legacy application does not comply with new regulatory requirements to encrypt sensitive data at rest, and
remediating this issue would require significant investment. What should the information security manager do
FIRST?
A. Present the noncompliance risk to senior management.
B. Assess the business impact to the organization.
C. Determine the cost to remediate the noncompliance.
D. Investigate alternative options to remediate the noncompliance.
Answer: D
Which of the following would BEST enhance firewall security?
A. Placing the firewall on a screened subnet
B. Logging of security events
C. Implementing change-control practices
D. Providing dynamic address assignment
Answer: A
When an operating system is being hardened, it is MOST important for an information security manager to
ensure that
A. system logs are activated.
B. default passwords are changed.
C. anonymous access is removed.
D.

D. file access is restricted
Answer: B
Which of the following BEST enables effective closure of noncompliance issues?
A. Capturing issues in a risk register
B. Executing an approved mitigation plan
C. Insuring against the risk
D. Performing control self-assessments (CSAs)
Answer: B
Which of the following is the PRIMARY benefit of using agentless endpoint security solutions?
A. More comprehensive information results
B. Decreased administration
C. Increased resiliency
D. Decreased network bandwidth usage
Answer: B
Which of the following provides the MOST comprehensive understanding of an organization's information
security posture?
A. The organization's security incident trends
B. Risk management metrics
C. Results of vulnerability assessments
D. External audit findings
Answer: A

Which of the following metrics is the BEST measure of the effectiveness of an information security program?
A. Reduction in the number of threats to an organization
B. Reduction In the cost of risk remediation for an organization
C. Reduction in the amount of risk exposure man organ nation
D. Reduction In the number of vulnerabilities in an organization
Answer: B
The MOST important reason for an information security manager to be involved in the change management
process is to ensure that:
A. potential vulnerabilities are identified.
B. risks have been evaluated.
C. security controls are updated regularly.
D. security controls drive technology changes.
Answer: D
When management changes the enterprise business strategy, which of the following processes should be used
to evaluate the existing information security controls as well as to select new information security controls?
A. Change management
B. Access control management
C. Configuration management
D. Risk management
Answer: C

Which of the following is MOST critical for prioritizing actions in a business continuity plan (BCP)?
A. Asset classification
B. Risk assessment
C. Business process mapping
D. Business impact analysis (BlA)
Answer: D
An organization that has outsourced its incident management capabilities just discovered a significant privacy
breach by an unknown attacker. Which of the following is the MOST important action of the information
security manager?
A. Alert the appropriate law enforcement authorities.
B. Notify the outsourcer of the privacy breach.
C. Refer to the organization's response plan.
D. Follow the outsourcers response plan.
Answer: B
Which of the following is the BEST evidence that an organization's information security governance
framework is effective?
A. The framework can adapt to organizational changes.
B. The risk register is reviewed annually.
C. Threats to the organization have diminished.
D. The framework focuses primarily on technical controls.
Answer: A
Information security governance is PRIMARILY driven by which of the following?

A. Technology constraints
C. Litigation potential
D. Business strategy
Answer: D
A security incident has resulted in a failure of the enterprise resource planning (ERP) system. While the
incident is handled by the incident response team, the help desk is overrun by queries from department
managers on the state of the ERP system. What is the MOST likely reason for this situation?
A. Lack of knowledgeable help desk staff
B. An inadequate communication plan
C. Lack of organization-wide security awareness
D. An inadequate business impact analysis (BlA)
Answer: B
The PRIMARY objective for using threat modeling in web application development should be to:
A. determine if penetration testing is necessary.
B. build security into the design.
C. develop application development standards.
D. review application source code.
Answer: B
Which of the following will BEST provide an organization with ongoing assurance of the information security
services provided by a cloud provider?
A. Evaluating the provider s security incident response plan
B. Ensuring the provider's roles and responsibilities are established

C. Requiring periodic self-assessments by the provider
D. Continuous monitoring of An information security risk profile
Answer: D
When designing an incident response plan to be agreed upon with a cloud computing vendor, including which
of the following will BEST help to ensure the effectiveness of the plan?
A. Responsibility and accountability assignments
B. Requirements for onsite recovery testing
C. An audit and compliance program
D. A training program for the vendor staff
Answer: A
Who should decide the extent to which an organization will comply with new cybersecurity regulatory
requirements?
A. Information security manager
B. Legal counsel
C. Senior management
D. IT steering committee
Answer: C
An organization's information security manager will find it MOST difficult to perform a post-incident review
of a data leakage event when it is related to:
A. outsourced service providers
B. public cloud services
C. corporate mobile devices,
D. private cloud services.

Answer: B
Senior management has just accepted the risk of noncompliance with a new regulation. What should the
information security manager do NEXT?
A. Assess the impact of the regulation.
B. Reassess the organization's risk tolerance.
C. Update details within the risk register
D. Report the decision to the compliance officer.
Answer: A
Establishing which of the following is the BEST way of ensuring that the emergence of new risk is promptly
identified?
A. Regular risk repotting
B. Risk monitoring processes
C. Change control procedures
D. Incident monitoring activities
Answer: B
An organization's information security manager has learned that similar organizations have become
increasingly susceptible to spear phishing attacks. What is the BEST way to address this concern?
A. Create a new security policy that staff must read and sign.
B. Include tips to identify threats in awareness training.
C. Conduct a business impact analysis (BIA) of the threat.
D. Update data loss prevention (DLP) rules for email.
Answer: B

Which of the following is the MOST effective control to reduce the impact of ransomware attacks?
A. Antivirus software
B. Intrusion detection system (IDS)
C. Backup strategy
D. Security awareness training
Answer: C
Which of the following is the BEST mechanism to prevent data loss in the event personal computing
equipment is stolen or lost?
A. Data encryption
B. Data leakage prevention (DLP)
C. Personal firewall
D. Remote access to device
Answer: A
An organization is considering moving one its critical business application to a cloud hosting service. The
cloud provider may not provider the same level of security for its application as the organization. Which of the
following will provide the BEST information to help maintain the security posture?
A. Risk assessment
C. Risk governance framework
D. Cloud security strategy
Answer: A
Which of the following outsourced services has the GREATEST need for security monitoring?

A. Application development
B. Enterprise infrastructure
C. Web site hosting
D. Virtual private network (VPN) services
Answer: B
Which of the following is MOST critical for responding effectively to security breaches?
A. Counterattack techniques
B. Root cause analysis
C. Management communication
D. Evidence gathering
Answer: B
Which of the following is BEST performed by the security department?
A. Approving standards for accessing the operating system
B. Provisioning users to access the operating system
C. Logging unauthorized access to the operating system
D. Managing user profiles for accessing the operating system
Answer: A
An external security audit has reported multiple instances of control noncompliance. Which of the following is
MOST important for the information security manager to communicate to senior managements.
A. Control owner responses based on a root cause analysis
B. An accountability risk to initiate remediation activities
C.

C. A plan for mitigating the risk due to noncompliance
D. The impact of noncompliance on the organization's risk profile
Answer: D
Which of the following is the MOST effective method for categorizing system and data criticality during the
risk assessment process?
A. Interview the asset owners.
B. Interview senior management.
C. Interview data custodians.
D. Interview members of the board.
Answer: A
Which of the following is the MOST important prerequisite to performing an information security risk
assessment?
A. Classifying assets
B. Reviewing the business impact analysis (BIA)
C. Assessing threats and vulnerabilities
D. Determining risk tolerance
Answer: A
Which is the MOST important driver for effectively communicating the progress of a new information
security program's implementation to key stakeholders?
A. facilitating stakeholder undemanding of program-related technology concepts
B. Designing universal key performance indicators (KPIs) for the program
C. Understanding stakeholder needs that influence program objectives
D.

D. Documenting risk that could impact achievement of program objectives
Answer: C
Explanation
32:35
An organization is developing a disaster recover/ plan for a data center that hosts multiple applications. The
application recovery sequence would BEST be determined through an analysis of:
A. Recovery point objectives (RPOs)
B. The data classification scheme.
C. Recovery time objectives (RTOs)
D. Key performance indicators (KPIs)
Answer: C
The MOST important reason that security risk assesements should be conducted frequently through an
organization is because:
A. Threats to the organization may change
B. Compliance with legal and regulatory should be reassessed.
C. Controls should be regularly tested.
D. Control effectiveness may weaken.
Answer: A
Which of the following is the PRIMARY reason for performing an analysis of the threat landscape on a
regular basis?
A. To determine if existing business continuity plans are adequate
B. To determine the basis for proposing an increase in security budgets
C. To determine if existing vulnerabilities present a risk

D. To determine critical information for executive management
Answer: C
In an organization implementing a data classification program, ultimate responsibility for the data on the
database server lies with the:
A. database administrator
B. information technology manager.
C. business unit manager
D. information security manager.
Answer: C
The PRIMARY objective of a risk response strategy should be:
A. regulatory compliance.
B. senior management buy-in.
C. appropriate control selection.
D. threat reduction.
Answer: B
When supporting an organization's privacy officer, which of the following is the information security
managers PRIMARY role regarding privacy requirements?
A. Conducting privacy awareness programs
B. Ensuring appropriate controls are in place
C. Monitoring the transfer of private data
D. Determining data classification

Answer: B
When supporting a large corporation's board of directors in the development of governance, which of the
following is the PRIMARY function of the information security manager?
A. Gaining commitment of senior management
B. Preparing the security budget
C. Providing advice and guidance
D. Developing a balanced scorecard
Answer: A
Which of the following is MOST likely to reduce the effectiveness of a signature-based intrusion detection
system (IDS)?
A. The environment is complex.
B. The activities being monitored deviate from what is considered normal.
C. The information regarding monitored activities becomes stale.
D. The pattern of normal behavior changes quickly and dramatically.
Answer: D
Which of the following is the PRIMARY advantage of having an established information security governance
framework in place when an organization is adopting emerging technologies?
A. A cost-benefit analysis process would be easier to perform.
B. An emerging technologies strategy would be in place.
C. End-user acceptance of emerging technologies has been established.
D. An effective security risk management process is established.
Answer: D

Management decisions concerning information security investments will be MOST effective when they are
based on:
A. an annual loss expectancy (ALE) determined from the history of security events.
B. the reporting of consistent and periodic assessments of risks.
C. a process for identifying and analyzing threats and vulnerabilities
D. the formalized acceptance of risk analysis by management.
Answer: D
Which of the following is an example of a vulnerability?
A. Defective software
B. Natural disasters
C. Unauthorized users
D. Ransomware
Answer: A
Which of the following is a PRIMARY objective of incident classification?
A. Increasing response efficiency
B. Enabling incident reporting
C. Complying with regulatory requirements
D. Reducing escalations to management
Answer: A
In a risk assessment after the identification of threats to organizational assets, the information security

manager would:
A. determine threats to be reported to upper management.
B. implement controls to achieve target risk levels.
C. request funding for the security program.
D. evaluate the controls currently in place.
Answer: D
Which of the following is the responsibility of a data owner?
A. Maintaining the integrity of the database
B. Investigating and resolving suspicious database activity
C. Classifying the data in accordance with security policy
D. Testing to determine whether the data can be recovered successfully
Answer: C
Which of the following processes would BEST aid an information security manager in resolving systemic
security issues?
A. Business impact anal/sis (BIA)
B. Security reviews
C. Reinforced security controls
D. Root cause analysis
Answer: D
Which of the following is the MOST effective way of ensuring that business units comply with an information
security governance framework?

A. Conducting a business impact analysis (BIA)
B. Conducting information security awareness training
C. Integrating security requirements with processes
D. Performing security assessments and gap analyses
Answer: B
Which of the following enables compliance with a nonrepudiation policy requirement for electronic
transactions?
A. Digital signatures
B. One-time passwords
C. Encrypted passwords
D. Digital certificates
Answer: A
An organization s senior management wants to allow employees to access an internal application using their
personal mobile devices. Which of the following should be the information security managers FIRST course
of action?
A. Develop a personal device policy
B. Conduct security testing
C. Require device encryption
D. Assess the security risk
Answer: D
When responding to an incident, which of the following is required to ensure evidence remains legally
admissible in court?

A. Certified forensics examiners
B. A documented incident response plan
C. Law enforcement oversight
D. Chain of custody
Answer: D
A risk analysis for a new system is being performed. For which of the following is business knowledge MORE
important than IT knowledge?
A. Vulnerability analysis
B. Balanced scorecard
D. Impact analysis
Answer: D
An organization wants to ensure its confidential data is isolated in a multi-tenanted environment at a

well-known cloud service provider. Which of the following is the BEST way to ensure the data is adequately
protected?
A. Ensure an audit of the provider is conducted to identify control gaps.
B. Review the provider's information security policies and procedures.
C. Obtain documentation of the encryption management practices.
D. Verify the provider follows a cloud service framework standard.
Answer: B
A risk profile supports effective security decisions PRIMARILY because it:
A. identifies priorities for risk reduction.

B. describes security threats.
C. enables comparison with industry best practices.
D. defines how to best mitigate future risks.
Answer: A
An information security manager is asked to provide evidence that the organization is fulfilling its legal
obligation to protect personal identifiable information (Pll). Which of the f<
A. Metrics related to program effectiveness
B. Written policies and standards
C. Privacy awareness training
D. Risk assessments of privacy-related applications
Answer: A
Which of the following will BEST facilitate the understanding of information security responsibilities by users
across the organization?
A. Conducting security awareness training with performance incentives
B. Communicating security responsibilities as an acceptable usage policy
C. Warning users that disciplinary action will be taken for violations
D. Incorporating information security into the organization's code of conduct
Answer: A
Which of the following security characteristics is MOST important to the protection of customer data in an
online transaction system?
A. Data segregation
B. Audit monitoring

C. Availability
D. Authentication
Answer: D
A hacking group has posted an organization's employee data on social media. What should the information
security manager do FIRST?
A. Initiate the incident response process.
B. Inform the impacted employees.
C. Notify law enforcement.
D. Review system audit logs.
Answer: D
Application data integrity risk would be MOST directly addressed by a design that includes:
A. reconciliation routines such as checksums, hash totals, and record counts
B. strict application of an authorized data dictionary.
C. access control technologies such as role-based entitlements.
D. application log requirements such as field-level audit trails and user activity logs.
Answer: C
Explanation
QUESRTION NO: 143
Which of the following metrics BEST evaluates the completeness of disaster-recovery preparations?
A. Ratio of successful to unsuccessful tests
B. Number of published application-recovery plans
C. Ratio of recovery-plan documents to total applications
D. Ratio of tested applications to total applications

Answer: A
Which of the following is MOST relevant for an information security manager to communicate to the board of
directors?
A. Vulnerability assessments
B. The level of inherent risk
C. Threat assessments
D. The level of exposure
Answer: B
The risk of mishandling alerts identified by an intrusion detection system (lDS) would be the GREATEST
when:
A. operations and monitoring are handled by different teams.
B. The IT infrastructure is diverse.
C. IDS sensors are misconfigured.
D. standard operating procedures are not formalized.
Answer: D
Adding security requirements late in the software development life cycle (SDLC) would MOST likely result
in:
A. clearer understanding of requirements.
B. operational efficiency.
C. compensating controls.
D. cost savings.
Answer: C

Which of the following would BEST help to ensure an organization's information security strategy is aligned
with business objectives?
A. Requesting senior management to periodically review security incidents
B. Establishing a change control process for continued updating of security policies
C. Implementing an automated solution for monitoring information security processes
D. Establishing metrics to measure the effectiveness of the information security program
Answer: A
Which of the following would be MOST helpful to reduce the amount of time needed by an incident response
team to determine appropriate actions?
A. Rehearsing incident response procedures rote, and responsibilities
B. Providing annual awareness training regarding incident response for team members
C. Validating the incident response plan against industry best practices
D. Defining modern seventy levels during a business impact analysis (BIA)
Answer: A
When determining an acceptable risk level, which of the following is the MOST important consideration?
A. Risk matrices
B. Vulnerability scores
C. System criticality
D. Threat profile
Answer: D
Which of the following is the MOST beneficial outcome of testing an incident response plan?

A. Incident response time is improved.
B. The plan is enhanced to reflect the findings of the test
C. The response includes escalation to senior management
D. Test plan results are documented.
Answer: A
Which of the following should be the PRIMARY consideration when developing a security governance
framework for an enterprise?
A. Benchmarking against industry best practice
B. Assessment of the current security architecture
C. Results of a business impact analysis (BIA)
D. Understanding of the current business strategy
Answer: D
Which of the following should be the FIRST step to ensure system updates are applied in a timely manner?
A. Run a patch management scan to discover which patches are missing from each machine.
B. Create a regression test plan to ensure business operation is not interrupted.
C. Cross-reference all missing patches to establish the date each patch was introduced.
D. Establish a risk-based assessment process for prioritizing patch implementation.
Answer: D
An information security manager is preparing an incident response plan. Which of the following is the MOST
important consideration when responding to an incident involving sensitive customer data?
A. The ability to recover from the incident in a timely manner
B.

B. The assignment of a forensics team
C. The ability to obtain incident information in a timely manner
D. Following defined post-incident review procedures
Answer: B
Penetration testing is MOST appropriate when a:
A. new system is being designed.
B. security incident has occurred.
C. security policy is being developed
D. new system is about to go live.
Answer: C
A new organization has been hit with a ransomware attack that is critically impacting its business operations.
The organization does not yet have a proper incident response plan, but it does have a backup procedure for
restoration of data. Which of the following should be the FIRST course of action?
A. Isolate the affected system.
B. Contact the legal department.
C. Recommend that management pay the ransom.
D. Establish an incident response plan.
Answer: D
The MOST likely reason to use qualitative security risk assessments instead of quantitative methods is when:
A. a security program requires independent expression of risks.
B. an organization provides services instead of hard goods.
C.

C. available data is too subjective.
D. a mature security program is in place.
Answer: C
An information security manager is preparing a presentation to obtain support for a security initative. Which of
the following is the BEST way to obtain management's commitment for the initiative?
A. Provide the estimated return on investment (ROI)
B. Provide an analysis of current risk exposures.
C. Include historical data of reported incidents.
D. include industry benchmarking comparisons.
Answer: A
A large organization is considering a policy that would allow employees to briog their own smartphones into
the organizational environment. The MOST important concern to the information security manager should be
the:
A. decrease in end user productivity.
B. impact on network capacity.
C. lack of a device management solution.
D. higher costs in supporting end users.
Answer: C
An information security manager is implementing controls to protect the organization's data. The FIRST step
in this process should be to:
A. classify the data.
B. implement access controls.
C. monitor access to the data.
D. encrypt the data.

Answer: A
Which of the following is the PRIMARY purpose for establishing a bring your own device (BYOD) policy
that only permits application downloads from designated online markets.
A. Enhance IT application support for users.
B. Protect against malware-based attacks.
C. Conserve storage for approved applications.
D. Allow IT to monitor application usage.
Answer: B
What should be an information security manager's FIRST course of action upon learning of a security threat
that has occurred in the industry for the first time?
A. Revise the organization's incident response plan.
B. Update the relevant information security policy.
C. Examine responses of victims that have been exposed to similar threats.
D. Perform a control gap analysis of the organization's environment
Answer: D
An information security manager has implemented an ongoing security awareness training program. Employee
participation has been decreasing over the year, while the number of malware and phishing incidents from
email has been increasing. What is the information security manager's BEST course of action?
A. Include regular phishing campaigns after each training session.
B. Make the training program mandatory and enforce sanctions for noncompliance.
C. Perform a risk assessment and share results with employees.
D. Report the findings to senior management with recommendations.

Answer: B
What should an information security team do FIRST when notified by the help desk that an employee's
computer has been infected with ma I ware?
A. Isolate the computer from the network.
B. Take a forensic copy of the hard drive.
C. Use anti-malware software to clean the infected computer.
D. Restore the files from a secure backup.
Answer: A
Following a malicious security incident, an organization has decided to prosecute those responsible. Which of
the following will BEST facilitate the forensic investigation?
A. Identifying the affected environment
B. Performing a backup of affected systems
C. Determining the degree of loss
D. Maintaining chain of custody
Answer: D
Which of the following should be reviewed to obtain a structured overview of relevant information about an
information security investment?
A. Security balanced scorecard
B. Information security strategy
C. Business case
D. Quantitative risk analysis report
Answer: C

Failure to include information security requirements within the build/buy decision would MOST likely result
in the need for:
A. commercial product compliance with corporate standards.
B. more stringent source programming standards.
C. compensating controls in the operational environment.
D. security scanning of operational platforms
Answer: C
The BEST way to determine the current state of information security with regard to defined security objectives
is by performing a:
A. cost-benefit analysis.
B. business impact analysis (BIA).
C. gap analysis.
D. risk assessment.
Answer: C
Which of the following MUST be established before implementing a data loss prevention (DLP) system?
A. A data backup policy
B. A data recovery policy
C. Data classification
D. Privacy impact assessment
Answer: C
Which of the following metrics would BEST determine the effectiveness of an application security testing

program?
A. Number of detected security defects per thousand lines of code
B. Average time to release code into production
C. Average time to fix each discovered security defect
D. Number of security defects discovered in development versus production
Answer: D
When evaluating vendors for sensitive data processing, which of the following should be the FIRST step to
ensure the correct level of information security is provided?
A. Include information security clauses in the vendor contract.
B. Develop metrics for vendor performance.
C. Include information security criteria as part of vendor selection.
D. Review third-party reports of potential vendors.
Answer: D
When developing security standards, which of the following would be MOST appropriate to include?
A. Acceptable use of IT assets
B. Accountability for licenses
C. Inventory management
D. Operating system requirements
Answer: D
A business unit manager wants to adopt an emerging technology that may affect the organization. Which of
the following would be the information security manager's BEST course of action?
A. Review vendor documentation.

B. Perform a threat analysis.
C. Perform a business impact analysis (BIA).
D. Review the business case.
Answer: D
Which of the following is the BEST way to determine if an organization's current risk level is within the risk
appetite?
A. Implementing key risk indicators (KRIs)
B. Conducting a business impact analysis (BIA)
C. Implementing key performance indicators (KPIs)
D. Developing additional mitigating controls
Answer: A
An internal audit has found that critical patches were not implemented within the timeline established by
policy without a valid reason. Which of the following is the BEST course of action to address the audit
findings?
A. Evaluate patch management training.
B. Monitor and notify IT staff of critical patches
C. Perform regular audits on the implementation of critical patches.
D. Assess the patch management process
Answer: D
Risk reporting requirements should be PRIMARILY based on:
A. policies approved by information security.
B. the criticality of assets.

C. criteria approved by management,
D. events defined by information security.
Answer: C
Which of the following should be the FIRST step to ensure an information security program meets the
requirements of new regulations?
A. Conduct a gap analysis to determine necessary changes.
B. Validate the asset classification schema.
C. Integrate compliance into the risk management process.
D. Assess organizational security controls.
Answer: A
An organization is considering whether to allow employees to use personal computing devices for business
purposes To BEST facilitate senior management's decision, the information security manager should:
A. conduct a risk assessment.
B. develop a business case.
C. map the strategy to business objectives.
D, perform a cost-benefit analysis.
Answer: B
Ensuring that activities performed by outsourcing providers comply with information security policies can
BEST be accomplished through the use of:
A. contractual obligations.
B. Independent audits
C. service level agreements (SLAs).
D. industry standard alignment.

Answer: B
Which of the following needs to be established between an IT service provider and its clients to BEST enable
adequate continuity of service in preparation for an outage?
A. Reciprocal site agreement
B. Server maintenance plans
C. Recovery time objectives (RTOs)
D. Data retention policies
Answer: C
What should be the PRIMARY basis for establishing a recovery time objective (RTO) for a critical business
application?
A. Risk assessment results
B. Business impact analysis (BIA) results
C. Related business benchmarks
D. Legal and regulatory requirements
Answer: B
The PRIMARY purpose of aligning information security with corporate governance objectives is to:
A. identity an organization s tolerance for risk
B. re-align roles and responsibilities.
C. build capabilities to improve security processes
D. consistently manage significant areas of risk.
Answer: D

Which of the following is the BEST way to identify the potential impact of a successful attack on an
organization's mission critical applications?
A. Conduct penetration testing
B. Execute regular vulnerability scans.
C. Perform an application vulnerability review,
D. Perform an independent code review.
Answer: A
An information security manager has been tasked with developing materials to update the board, regulatory
agencies, and the media about a security incident. Which of the following should the information security
manager do FIRST?
A. Invoke the organization's incident response plan.
B. Determine the needs and requirements of each audience.
C. Create a comprehensive singular communication.
D. Set up communication channels for the target audience.
Answer: D
An information security manager has been alerted to a possible incident involving a breach at one of the
organization's vendors. Which of the following should be done FIRST?
A. Perform incident eradication.
B. Engage the incident response team.
C. Perform incident recovery.
D. Discontinue the relationship with the vendor.
Answer: B

Which of the following should be the PRIMARY consideration when selecting a recovery site?
A. Recovery time objective
B. Recovery point objective
C. Geographical location
D. Regulatory requirements
Answer: A
What is the PRIMARY benefit to executive management when audit risk, and security functions are aligned?
A. More effective decision making
B. More timely risk reporting
C. Reduced number of assurance reports
D. More efficient incident handling
Answer: A
Which of the following BEST describes an intrusion detection system (IDS) that learns the system behaviors
prior to detecting potential intrusions?
A. Host-based IDS
B. Anomaly-based IDS
C. Network-based IDS
D. Application-based IDS
Answer: B
In an organization where IT is critical to its business strategy and where there is a high level of operational
dependence on IT, senior management commitment to security is BEST demonstrated by the:
A. segregation of duties policy
B. existence of an IT steering committee.
C.

C. size of the IT security function,
D. reporting The of the chief information security officer (CISO)
Answer: B
Calculation of the recovery time objective (RTO) is necessary to determine the:
A. annual loss expectancy (ALE)
B. priority of restoration.
C. time required to restore files.
D. point of synchronization
Answer: B
Which of the following should be done FIRST when handling multiple confirmed incidents raised at the same
time?
A. Categorize incidents by the value of the affected asset.
B. Update the business impact assessment.
C. Activate the business continuity plan (BCP).
D. Inform senior management.
Answer: A
From a business perspective the MOST important function of information security is to support:
A. predictable operations.
B. international standards
C. security awareness
D. corporate policy

Answer: A
When preventative controls to appropriately mitigate risk are not feasible, which of the following is the MOST
important action for the information security manager to perform?
A. Manage the impact.
B. Assess vulnerabilities.
C. Evaluate potential threats.
D. Identify unacceptable risk levels.
Answer: D
An organization has concerns regarding a potential advanced persistent threat (APT). To ensure that the risk
associated with this threat is appropriately managed, what should be the organization 5 FIRST action?
A. Report to senior management.
B. Conduct an impact analysis.
C. Initiate incident response processes.
D. Implement additional controls.
Answer: D
Which of the following is the PRIMARY purpose of data classification?
A. To select encryption technology
B. To determine access rights to data
C. To ensure integrity of data
D. To provide a basis for protecting data
Answer: D

Which of the following is MOST important for an information security manager to consider when identifying
information security resource requirements?
A. Information security strategy
B. Current resourcing levels
C. Availability of potential resources
D. Information security incidents
Answer: B
Which type of test is MOST effective in communicating the roles of end users to support timely identification
and response to information security incidents?
A. Simulation
B. Walk-through
C. Parallel
D. Complete failover
Answer: A
An information security manager terms that the root password of an external FTP server may be subject to
brute force attacks. Which of the following would be the MOST appropriate way to reduce the likelihood of a
successful attack?.
A. Lock remote logon after multiple failed attempts.
B. Install an intrusion detection system (IDS).
C. Disable access to the externally facing server.
D. Block the source IP address of the attacker.
Answer: A

Which of the following is the KEY outcome of conducting a post-incident review?
A. Risk appetite is validated.
B. Root cause is validated.
C. Compliance requirements are met.
D. Chain of custody is maintained.
Answer: B
An IT department plans to migrate an application to the public cloud. Which of the following is the
information security manager's MOST important action in support of this initiative?
A. Calculate security implementation costs.
B. Evaluate service level agreements (SLAs).
C. Provide cloud security requirements.
D. Review cloud provider independent assessment reports.
Answer: B
Which of the following BEST demonstrates effective information security management within an
organization?
A. Excessive risk exposure in one department can be absorbed by other departments.
B. Employees support decisions made by information security management.
C. Information security governance is incorporated into organizational governance.
D. Control ownership is assigned to parties who can accept losses related to control failure.
Answer: C
Which of the following is the GREATEST risk of single sign-on?
A. Integration of single sign-on with the rest of the infrastructure is complicated
B.

B. It is a single point of failure for an enterprise access control process.
C. Password carelessness by one user may render the entire infrastructure vulnerable
D. One administrator maintains the single sign-on solutions without segregation of duty.
Answer: B
Which of the following is the BEST way to demonstrate to senior management that organizational security
practices comply with industry standards?
A. Existence of an industry-accepted framework
B. Up-to-date policy and procedures documentation
C. A report on the maturity of controls
D. Results of an independent assessment
Answer: D
Which of the following is the- BEST method to determine whether an information security program meets an
organization s business objectives?
A. Implement performance measures.
B. Perform a business impact analysis (BIA)
C. Review against international security standards.
D. Conduct an annual enterprise-wide security evaluation.
Answer: A
When establishing the trigger levels for an organization's key risk indicators (KRIs), the thresholds should be
based PRIMARILY on the organization's:
A. risk register.
B. risk appetite.
C. risk response capability.

D. current threat level.
Answer: B
Which of the following is the BEST way to ensure information security metrics are meaningful?
A. Requiring information security metrics to be approved by senior management
B. Aligning information security metrics with business drivers
C. Correlating information security metrics to industry best practices
D. Using a dashboard to present the information security metrics
Answer: B
Which of the following should be of GREATEST concern to a newly hired information security manager
regarding security compliance?
A. Lack of security audits
B. Lack of standard operating procedures
C. Lack of risk assessments
D. Lack of executive support
Answer: D
Which of the following is the MOST important factor when determining the frequency of information security
risk reassessment?
A. Risk priority
B. Risk metrics
C. Mitigating controls
D. Audit findings

Answer: A
Web application firewalls are needed in addition to other intrusion prevention and detection technology
PRIMARILY because:
A. web services require unique forensic evidence
B. they prevent modification of application source code
C. they recognize web application protocols.
D. web services are prone to attacks.
Answer: D
Cold sites for disaster recovery events are MOST helpful in situations in which a company:
A. is located in close proximity to the cold she.
B. does not require any telecommunications connectivity.
C. has a limited budget for coverage.
D. uses highly specialized equipment that must be custom manufactured.
Answer: C
Which of the following would provide senior management with the BEST information to better understand the
organization's information security risk profile?
A. Scenarios that impact business goals
B. Scenarios that have a monetary impact
C. Scenarios that disrupt client services
D. Scenarios that impact business operations
Answer: A

The FIRST step in establishing an information security program is to:
A. define polices and standards that mitigate the organization's risks.
B. secure organizational commitment and support
C. assess the organization s compliance with regulatory requirements
D. determine the level of risk that is acceptable to some management
Answer: B
Which of the following BIST validates that security controls are implemented in a new business process?
A. Assess the process according to information security policy
B. Benchmark the process against industry practices
C. Verify the use of a recognized control framework
D. Review the process for conformance with information security best practices
Answer: A
Which of the following should be of GREATEST concern to an information security manager when
establishing a set of key risk indicators (KRIs)?
A. The organization has no historical data on previous security events
B. Risk tolerance levels have not yet been established
C. Several business functions have been outsourced to third-party vendors.
D. The impact of security risk on organizational objectives is not well understood
Answer: B
When creating an information security governance program, which of the following will BEST enable the
organization to address regulatory compliance requirements?

A. A security control framework
B. Input from the security steering committee
C. Guidelines for processes and procedures
D. An approved security strategy plan
Answer: B
Which of the following defines the minimum security requirements that a specific system must meet?
A. Security baseline
B. Security procedure
C. Security policy
D. Security guideline
Answer: A
Deciding the level of protection a particular asset should be given is BEST determined by:
A. a risk analysis.
B. a threat assessment.
C. a vulnerability assessment
D. corporate risk appetite.
Answer: D
Using which of the following metrics will BEST help to determine the resiliency of IT infrastructure security
controls?
A. Frequency of updates to system software
B. Percentage of outstanding high-risk audit issues
C.

C. Number of successful disaster recovery tests
D. Number of incidents resulting in disruptions
Answer: C
An information security manager has discovered a potential security breach in a server that supports a critical
business process. Which of the following should be the information security manager's FIRST course of
action?
A. Notify the business process owner.
B. Shut down the server in an organized manner.
C. Inform senior management of the incident.
D. Validate that there has been an incident
Answer: D
An organization has implemented a new customer relationship management (CRM) system. Who should be
responsible for enforcing authorized and controlled access to the CRM data?
A. Internal II audit
B. The data custodian
C. The data owner
D. The information security manager
Answer: C
The PRIMARY role of an information security steering group is to ensure that:
A. security procedures and practices are in line with formal policies.
B. there is compliance with software-copyright legislation.
C. there is compliance with security standards.

D. security policies address business issues.
Answer: D
An information security manager has been asked to identify potential threats to the organization's information.
Which of the following should be done FIRST'
A. Develop a risk profile.
B. Engage a third-parry consultant
C. Select a governance framework.
D. Review cyber insurance coverage.
Answer: A
When preparing a strategy for protection from SQL injection attacks, it is MOST important for the information
security manager to involve:
A. the security operations center.
B. business owners.
C. application developers.
D. senior management.
Answer: C
An information security steering group should:
A. establish information security baselines.
B. oversee the daily operations of the security program.
C. develop information security policies.
D. provide general oversight and guidance.
Answer: D

Which of the following is the BEST way for an organization that outsources many business processes to gain
assurance that services provided are adequately secured?
A. Perform regular audits on the service providers' applicable controls.
B. Provide information security awareness training to service provider staff.
C. Conduct regular vulnerability assessments on the service providers' IT systems.
D. Review the service providers' information security policies and procedures.
Answer: A
Which of the following BEST enables a more efficient incident reporting process?
A. Training executive management for communication with external entities
B. Educating the incident response team on escalation procedures
C. Educating IT teams on compliance requirements
D. Training end users to identify abnormal events
Answer: D
Explanation
QUESRTION NO: 136
Which of the following is MOST likely to be included in an enterprise information security policy?
A. Password composition requirements
B. Consequences of noncompliance
C. Audit trail review requirements
D. Security monitoring strategy
Answer: B
A new mobile application is unable to adhere to the organization's authentication policy. Which of the

following would be the information security manager's BEST course of action?
A. Provide the estimated return on investment (ROI).
B. Provide an analysis of current risk exposures.
C. Include industry benchmarking comparisons.
D. Include historical data of reported incidents.
Answer: A
Which of the following is BEST determined by using technical metrics?
A. How well the security strategy is aligned with organizational objectives
B. How well security risk is being managed
C. Whether security resources are adequately allocated
D. Whether controls are operating effectively.
Answer: A
Which of the following should be the PRIMARY consideration for an information security manager when
designing security center for a newly acquired business application?
A. The IT security architecture framework
B. Known vulnerabilities in the application
C. Business processes supported by the application
D. Cost-benefit analysis of current controls
Answer: B
Which of the following would BEST support a business case to implement a data leakage prevention (DLP)
solution?
A. An unusual upward trend in outbound email volume

B. Industry benchmark of DLP investments
C. A risk assessment on the threat of data leakage
D. Lack of visibility into previous data leakage incidents
Answer: C
When establishing classifications of security incidents for the development of an incident response plan, which
of the following provides the MOST valuable input?
A. Business impact analysis (BIA) results
B. Recommendations from senior management
C. The business continuity plan (BCP)
D. Vulnerability assessment results
Answer: B
When drafting the corporate privacy statement for a public web site, which of the following MUST be
included?
A. Limited liability clause
B. Explanation of information usage
C. Information encryption requirements
D. Access control requirements
Answer: C
Which of the following is the STRONGEST indicator of effective alignment between corporate governance
and information security governance?
A. Information security initiatives meet scope, schedule, and budget.
B. Senior management sponsors information security efforts.
C.

C. Key performance indicators (KPIs) for controls trend positively.
D. Senior management requests periodic information security updates.
Answer: B
Which of the following is MOST important for an information security manager to communicate to senior
management regarding the security program?
A. User roles and responsibilities
B. Potential risks and exposures
C. Security architecture changes
D. Impact analysis results
Answer: B
Key systems necessary for branch operations reside at corporate headquarters. Branch A is negotiating with a
third party to provide disaster recovery facilities. Which of the following contract terms would be the MOST
significant concern?
A. Penalty clauses for nonperformance are not included in the contract
B. The right to audit the hot site Is not provided In the contract.
C. The hot site for the branch may have to be shared.
D. Connectivity Is not provided from the hot site to corporate headquarters.
Answer: A
Which of the following is the BEST advantage of a centralized information security organizational structure?
A. It is easier to manage and control business unit security teams.
B. It provides a faster turnaround for security waiver requests.
C. It is more responsive to business unit needs.

D. It allows for a common level of assurance across The enterprise.
Answer: D
Business applications should be selected for disaster recovery testing on the basis of:
A. recovery time objectives (RTOs).
B. the number of failure points that are being tested.
C. the results of contingency desktop checks.
D. criticality to the enterprise.
Answer: D
Which of the following approaches is BEST for selecting controls to minimize information security risks?
A. Control-effectiveness evaluation
B. Risk assessment
D. Industry best practices
Answer: C
Which of the following provides the BEST opportunity to evaluate the capabilities of incident response team
members?
A. Black box penetration test
B. Breach simulation exercise
C. Disaster recovery exercise
D. Tabletop test
Answer: A

Which of the following is MOST important to consider when handling digital evidence during the forensics
investigation of a cybercrime?
A. Industry best practices
B. Local regulations
C. Global standards
D. Business strategies
Answer: B
Which of the following sites is MOST appropriate in the case of a very short recovery time objective (RTO)?
A. Redundant
B. Mobile
C. Warm
D. Shared
Answer: A
When customer data has been compromised, an organization should contact law enforcement authorities:
A. if there is potential impact to the organization.
B. in accordance with the corporate communication policy.
C. if the attack comes from an international source.
D. when directed by the information security manager.
Answer: B
Which of the following is the KST way to align security and business strategies?

A. Include security risk as part of corporate risk management,
B. Integrate information security governance into corporate governance
C. Establish key performance indicators (KPls) for business through security processes.
D. Develop a balanced scorecard for security
Answer: D
Which of the following is the BEST approach to identify noncompliance issues with legal, regulatory, and
contractual requirements?
A. Risk assessment
B. Gap analysis
D. Business impact analysis (B1A)
Answer: B
An information security manager is implementing a bring your own device (BYOD) program. Which of the
following would BEST ensure that users adhere to the security standards?
A. Establish an acceptable use policy.
B. Monitor user activities on the network.
C. Publish the standards on the intranet landing page.
D. Deploy a device management solution.
Answer: A
Which of the following is the MOST effective method to help ensure information security incidents are
reported?
A. Integrating information security language in corporate compliance rules

B. Providing information security awareness training to employees
C. Implementing an incident management system
D. Integrating information security language in conditions of employment
Answer: B
When multiple Internet intrusions on a server are detected, the PRIMARY concern of the information security
manager should be to ensure that the:
A. forensic investigation software is loaded on the server.
B. server is unplugged from power.
C. integrity of evidence is preserved.
D. server is backed up to the network.
Answer: D
To implement a security framework, an information security manager must FIRST develop:
A. a security policy
B. security guidelines
C. security procedures
D. security standards.
Answer: A
An organization is leveraging tablets to replace desktop computers shared by shift-based staff. These tables
contain critical business data and are inherently at increased risk of theft. Which of the following will BEST
help to mitigate this risk?
A. Conduct a mobile device risk assessment.
B. Create an acceptable use policy.
C.

C. Deploy mobile device management (MDM).
D. Implement remote wipe capability.
Answer: D
Which of the following is the BEST reason to initiate a reassessment of current risk?
A. Certification requirements
B. Follow-jp to an audit report
C. A recent security incident
D. Changes to security personnel
Answer: C
An organization was forced to pay a ransom to regain access to a critical database that had been encrypted in a
ransomware attack. What would have BEST prevented The need to make this ransom payment?
A. Storing backups on a segregated network.
B. Training employees on ransomware
C. Verifying the firewall is configured properly
D. Ensuring all changes are approved
Answer: A
An information security manager is developing evidence preservation procedures for an incident response
plan. Which of the following would be the BEST source of guidance for requirements associated with the
procedures?
A. Legal counsel
B. Executive management
C. Data owners

D. IT management
Answer: A
During a new user provisioning process, who should have PRIMARY responsibility for determining
appropriate access levels?
A. IT service manager
B. System owner
C. Security staff
D. Human resources manager
Answer: B
An information security manager is asked to provide a short presentation on the organization's current IT risk
posture to the board of directors. Which of the following would be MOST effective To include in this
presentation?
A. Risk heat map
B. Risk register
C. Threat assessment results
D. Gap analysis results
Answer: D
An organization with a maturing incident response program conducts post-incident reviews for all major
information security incidents. The PRIMARY goal of these reviews should be to:
A. prepare properly vetted notifications regarding the incidents to external parties
B. identify who should be held accountable for the security incidents.
C. document and report the root cause of the incidents for senior management
D. identify security program gaps or systemic weaknesses that need correction.

Answer: D
Which of the following is the BEST criterion to use when classifying assets?
A. Annual loss expectancy (ALE)
B. Recovery time objective (RTO)
C. The market value of the assets
D. Value of the assets relative to the organization
Answer: D
Which of the following is the MOST important outcome of senior management's analysis of information
security metrics?
A. The alignment of the information security budget to corporate funding
B. The integration of information security with corporate governance
C. The establishment of a risk acceptance process
D. The alignment of security and IT objectives
Answer: B
An employee is found to be using an external cloud storage service to share corporate information with a
third-party consultant, which is against company policy. Which of the following should be the information
security manager s FIRST course of action?
A. Determine the classification level of the information
B. Seek business justification from the employee
C. Block access to the cloud storage service.
D. Inform higher management of a security breach
Answer: D

Which of the following is the GREATEST risk to consider when a rival organization purchases a business unit
within an organization?
A. Access and permissions to the corporate network from the business unit will remain after the sale.
B. The business unit's confidential information will be transferred to the rival organization during the
separation.
C. Senior business management will not understand technical risks.
D. Loss of corporate knowledge.
Answer: A
Which of the following BEST describes a buffer overflow?
A. A program contains a hidden and unintended function that presents a security risk.
B. Malicious code designed to interfere with normal operations.
C. A function is carried out with more data than the function can handle.
D. A type of covert channel that captures data.
Answer: B
Which of the following is the MOST significant benefit of effective change management?
A. Information security management is Involved with the change advisory board.
B. Release management is considered in the process.
C. Security implications are considered as a standard practice.
D. All provisioned modifications are approved by information security.
Answer: C
Which of the following is the MOST critical security risk to consider for a start-up company in an emerging

field?
A. Loss of Intellectual property
B. A lack of security policies and procedures
C. New entries into the emerging marketplace
D. Disclosure of financial statements
Answer: A
An organization has a policy in which all criminal activity is prosecuted. What is MOST important for the
information security manager to ensure when an employee is suspected of using a company computer to
commit fraud?
A. The forensics process is immediately initiated.
B. The employee's log Ales are backed up.
C. The Incident response plan is initiated.
D. Senior management is informed of the situation.
Answer: A
In addition to business alignment and security ownership, which of the following is MOST critical for
information security governance?
A. Auditability of systems
B. Compliance with policies
C. Reporting of security metrics
D. Executive sponsorship
Answer: D
Without prior approval, a training department enrolled the company in a free cloud-based collaboration site

and invited employees to use it. Which of the following is the BEST response of the information security
manager?
A. Conduct a risk assessment and develop an impact analysis.
B. Report the activity to senior management.
C. Update the risk register and review the information security strategy.
D. Allow temporary use of the site and monitor for data leakage.
Answer: C
Planning for the implementation of an information security program is MOST effective when it:
A. uses decision trees to prioritize security projects
B. applies gap analysts to current and future business plans
C. applies techno logy-driven solutions to Identified needs.
D. uses risk-based analysis for security projects.
Answer: C
Which of the following is MOST important to have in place to help secure ongoing funding for the
information security program?
A. Information security risk register
B. Threat assessment repot
C. Information security strategy
D. Security balanced scorecard
Answer: D
Which of the following would be MOST helpful in gaining support for a business case for an information
security initiative?
A.

A. Presenting a solution comparison matrix
B. Emphasizing threats to the organization
C. Demonstrating organizational alignment
D. Referencing control deficiencies
Answer: C
For proper escalation of events, it is MOST important for the information security manager to ensure:
A. the incident team is adequately staffed.
B. incident severity levels are defined.
C. the incident response plan is approved.
D. incident documentation templates are created.
Answer: B
To ensure adequate disaster-preparedness among IT infrastructure personnel, it is MOST important to:
A. have the most experienced personnel participate in recovery tests.
B. periodically rotate recovery-test participants.
C. include end-user personnel in each recovery test.
D. assign personnel-specific duties in the recovery plan.
Answer: B
Which of the following is the MOST effective way to achieve the integration of information security
governance into corporate governance?
A. Ensure information security aligns with IT strategy.
B. Ensure information security efforts support business goals

C. Align information security budget requests to organizational goals.
D. Provide periodic IT balanced scorecards to senior management.
Answer: B
Which of the following is the MOST important factor to consider when establishing a severity hierarchy for
information security incidents?
A. Regulatory compliance
B. Management support
C. Business impact
D. Residual risk
Answer: C
A business unit uses e-commerce with a strong password policy. Many customers complain that they cannot
remember their password because they are too long and complex. The business unit states it is imperative to
improve the customer experience. The information security manager should FIRST.
A. Change the password policy to improve the customer experience
B. Reach alternative secure of identify verification
C. Recommended implementing two-factor authentication.
D. Evaluate the impact of the customer’s experience on business revenue.
Answer: C
When information security management is receiving an increased number of false positive incident reports,
which of the following is MOST important to review?
A. The security awareness programs
B. firewall logs
C. The risk management processes

D. Post-incident analysis results
Answer: D
Several significant risks have been identified after a centralized risk register was compiled and prioritized. The
information security manager s MOST important action is to:
A. provide senior management with risk treatment options.
B. design and implement controls to reduce the risk.
C. consult external third parties on how to treat the risk.
D. ensure that employees are aware of the risk.
Answer: A
A team developing an interface to a key financial system has identified a security flaw in one of the libraries.
Remediating the flaw would require major system redesign. What should the information security manager do
NEXT?
A. Hire a consultant to design proper remediation controls.
B. Instruct the development team to remediate the flaw.
C. Confirm the impact with the business owner.
D. Conduct a comprehensive source code review.
Answer: C
Which of the following circumstances would MOST likely require a review and update to an organization's
information security incident response plan?
A. A new business application has been implemented.
B. A new business strategy has been developed.
C. The organizational structure has changed.
D. A high-risk vulnerability has been detected.

Answer: B
In information security governance, the PRIMARY role of the board of directors is to ensure:
A. alignment with the strategic goals of the organization
B. compliance with regulations and best practices
C. approval of relevant policies and standards.
D. communication of security posture to stakeholders.
Answer: A
Which of the following is the BEST type of access control for an organization with employees who move
between departments?
A. Mandatory
B. Discretionary
C. Role-based
D. Identity
Answer: B
Which of the following provides the GREATEST assurance that an organization allocates appropriate
resources to respond to information security events?
A. Information security policies and standards
B. Threat analysis and intelligence reports
C. Incident classification procedures
D. An approved IT staffing plan
Answer: C

When defining responsibilities with a cloud computing vendor, which of the following should be regarded as a
shared responsibility between user and provider?
A. Data ownership
B. Application logging
C. Incident response
D. Access log review
Answer: C
Which of the following is MOST important for an information security manager to regularly report to senior
management?
A. Results of penetration tests
B. Audit reports
C. Impact of unremediated risks
D. Threat analysis reports
Answer: D
A CEO requests access to corporate documents from a mobile device that does not comply with organizational
policy. The information security manager should FIRST:
A. evaluate the business risk.
B. deploy additional security controls.
C. evaluate a third-party solution.
D. initiate an exception approval process.
Answer: A

Which of the following BEST demonstrates the maturity of an information security monitoring program?
A. The information security program was introduced with a thorough business case.
B. Risk scenarios are regularly entered into a risk register.
C. Senior management regularly reviews security standards.
D. Information security key risk indicators (KRls) are tied to business operations.
Answer: D
The PRIMARY purpose of implementing information security governance metrics is to:
A. measure alignment with best practices.
B. guide security towards the desired state.
C. refine control operations.
D. asses operational and program metrics
Answer: D
Of the following, who should have PRIMARY responsibility for assessing the security risk associated with an
outsourced cloud provider contract?
A. Compliance manager
B. Service delivery manager
C. Information security manager
D. Chief information officer
Answer: D
A newly hired information security manager for a small organization has been tasked with improving data
security. The BEST way to understand the organizations security postuie would be to:
A.

A. engage a third party to perform a security assessment.
B. perform a gap analysis based on Industry best practices.
C. review previous vulnerabilities.
D. identify and classify business processes.
Answer: D
What should be an information security manager's PRIMARY objective in the event of a security incident?
A. Identify the source of the breach and how it was perpetrated.
B. Identify lapses in operational control effectiveness.
C. Contain the threat and restore operations in a timely manner.
D. Ensure that normal operations are not disrupted.
Answer: C
A risk assessment report shows that phishing attacks are an emerging threat for an organization that supports
online financial services. Which of the following is the information security manager's BEST course of action?
A. Conduct corporate awareness training.
B. Implement spam protection.
C. Transfer risk with insurance coverage.
D. Update antivirus software
Answer: A
An organization's IT department is undertaking a large virtualization project to reduce its physical server
footprint. Which of the following should be the HIGHEST priority of the information security manager?
A. Selecting the virtualization software
B.

B. Determining how incidents will be managed
C. Being involved at the design stage of the project
D. Ensuring the project has appropriate security funding
Answer: C
Which of the following is the BEST approach when using sensitive customer data during the testing phase of a
systems development project?
A. Establish the test environment on a separate network.
B. Monitor the test environment for data loss.
C. Implement equivalent controls to those on the source system
D. Sanitize customer data.
Answer: D
The PRIMARY reason for implementing scenario-based training for incident response is to:
A. assess the timeliness of the incident team response and remediation.
B. help incident response team members understand their assigned roles.
C. ensure staff knows where to report in the event evacuation is required.
D. verify threats and vulnerabilities faced by the incident response team.
Answer: B
The MOST important outcome of information security governance is:
A. business risk avoidance
B. informed decision making.
C. alignment with business goals.
D. alignment with compliance requirements.

Answer: C
Who is MOST important to include when establishing the response process for a significant security breach
that would impact the IT infrastructure and cause customer data toss?
A. An independent auditor for identification of control deficiencies
B. A penetration tester to validate the attack
C. A forensics expert for evidence management
D. A damage assessment expert for calculating losses
Answer: C
The value of information assets relative to the organization is BEST determined by:
A. a risk assessment.
B. an impact analysis.
C. a threat assessment.
D. an asset classification.
Answer: A
What is the PRIMARY role of the information security program?
A. To develop and enforce a set of security policies aligned with the business
B. To provide guidance in managing organizational security risk
C. To perform periodic risk assessments and business impact analyses (BIAs)
D. To educate stakeholders regarding information security requirements
Answer: C

Information security governance is PRIMARILY a:
A. regulatory issue.
B. people issue.
C. business issue.
D. process issue.
Answer: C
Which of the following is the MOST important action when using a web application that has recognized
vulnerabilities?
A. Deploy host-based intrusion detection.
B. Monitor application level logs.
C. Install anti-spyware software.
D. Deploy an application firewall.
Answer: A
Which of the following is MOST important for an information security manager to highlight when presenting
the organization s security posture to an executive audience?
A. Performance metrics specific to business urn! security awareness training
B. Published sophisticated security threats targeting the Industry
C. The number of emails blocked by the data loss prevention (DLP) system
D. Security risks that may inhibit business objectives
Answer: D
Which of the following has the PRIMARY responsibility of ensuring an organizations information security

strategy supports business goals?
A. Chief information security officer (CISO)
B. Information security steering committee
C. Audit committee
D. Chief executive officer (CEO)
Answer: B
Within the confidentiality, integrity, and availability (CIA) triad, which of the following activities BEST
supports the concept of integrity?
A. Utilizing a formal change management process
B. Enforcing service level agreements (SLAs)
C. Implementing a data classification schema
D. Ensuring encryption for data in transit
Answer: A
An information security manager that is utilizing a public cloud is performing a root cause investigation of an
incident that took place in that environment. Which of the following should be the security manager’s MAIN
concern?
A. Limited access to information
B. Shared infrastructure with other subscribers
C. Transaction records split into multiple cloud locations
D. Lack of security log filtering
Answer: D
Explanation
QUESRTION NO: 137
An organization's marketing department has requested access to cloud-based collaboration sites for
exchanging media files with external marketing companies. As a result, the information security manager has
been asked to perform a risk assessment. Which of the following should be the MOST important
consideration?
A. Methods for transferring the information

B. The security of the third-party cloud provider
C. Reputations of the external marketing companies
D. The information to be exchanged
Answer: D
Which of the following statements indicates that a previously failing security program is becoming successful?
A. Management's attention and budget are now focused on risk reduction.
B. More employees and stakeholders are attending security awareness programs.
C. The number of threats has been reduced.
D. The number of vulnerability false positives is decreasing.
Answer: A
After logging in to a web application, additional authentication is required at various application points. Which
of the following is the PRIMARY reason for such an approach?
A. To ensure access rights meet classification requirements
B. To support strong two-factor authentication protocols
C. To meet single sign-on authentication standards
D. To implement a challenge response test
Answer: D
Which of the following will identify a deviation in the information security management process from
generally accepted standards of good practices?
A. Gap analysis
B. Penetration resting
C.

C. Risk assessment
D. Business
E. impact analysis (BIA)
Answer: A
Which of the following is the BEST way to sustain employee interest in information security awareness in an
organization?
A. Ensuring a common security awareness program for all staff
B. Relating security awareness programs to security policies
C. Ensuring all staff are involved
D. Using a variety of delivery methods
Answer: D
Mitigating technology risks to acceptable levels should be based PRIMARILY upon:
A. information security budget.
B. legal and regulatory requirements.
C. business process reengineering.
D. business process requirements.
Answer: C
An organization is concerned with the risk of information leakage caused by incorrect use of personally owned
smart devices by employees. What is the BEST way for the information security manager to mitigate the
associated risk?
A. Require employees to sign a nondisclosure agreement
B. Implement a mobile device management solution.
C. implement a multi-factor authentication solution.
D. Document a bong-your-own-device (BYOD) policy.

Answer: B
Which of the following would provide the MOST comprehensive view of the effectiveness of the information
security function within an organization?
A. An incident reporting system
B. Examples of compliance with security processes
C. A balanced scorecard
D. An interview with senior managers
Answer: A
Which of the following is the BEST way to ensure the effectiveness of a role-based access scheme?
A. Implement a self-service password system.
B. Review the number of unauthorized access attempts.
C. Implement centralized event logging.
D. Review the number of exceptions granted.
Answer: D
Which of the following should be an information security manager's FIRST course of action if notified by a
third party that the organization's client data is being sold online?
A. Validate whether the information is accurate.
B. Report the incident to senior management
C. Shut down the applications that contain the client data.
D. Determine how the client data was compromised.
Answer: A

Which of the following should be done FIRST when implementing policies to address an upcoming new data
privacy regulation?
A. Understand which types of personal data are covered by the new regulation.
B. Prohibit further collection of personal data until the regulation is implemented.
C. Segregate systems processing personal data from other systems on the network-
D. Understand what technologies are required for personal data protection.
Answer: A
During the restoration of several servers, a critical process that services external customers was restored late
due to a failure, resulting in lost revenue. Which of the following would have BEST helped to prevent this
occurrence?
A. Improvements to incident identification methods
B. Updates to the business impact analysis (BIA)
C. More effective disaster recovery plan (DRP) testing
D. Validation of senior management's risk tolerance
Answer: B
An organization's recent risk assessment has identified many areas of security risk, and senior management has
asked for a five-minute overview of The assessment results. Which of the following is the information security
manager's BEST option for presenting this information?
A. Risk register
B. Spider diagram
C. Risk heat map
D. BalarKed scorecard
Answer: C
Which of the following is the MOST challenging aspect of securing Internet of Things (loT) devices?
A.

A. Training staff on loT architecture
B. Managing the diversity of loT architecture
C. Evaluating the reputations of loT vendors
D. Updating policies to include loT devices
Answer: B
The BEST way to minimize errors in the response to an incident is to:
A. analyze the situation during the incident.
B. reference system administration manuals.
C. implement vendor recommendations.
D. follow standard operating procedures.
Answer: D
The effectiveness of security awareness programs in fostering positive security cultures is MOST dependent
upon employee:
A. awareness of regulatory requirements.
B. understanding of the penalties for noncompliance.
C. ability to carry out security-related procedures.
D. ownership of security responsibilities.
Answer: D
Which of the following is the MOST effective way to ensure the process for granting access to new employees
is standardized and meets organizational security requirements?
A. Adopt a standard template of access levels for all employees to be enacted upon hiring.
B. Embed the authorization and creation of accounts with HR onboarding procedures.
C.

C. Require managers of new hires be responsible for account setup and access during employee orientation.
D. Grant authorization to individual systems as required with the approval of information security
management.
Answer: B
Which of the following metrics provides the BEST indication of the effectiveness of a security awareness
campaign?
A. User approval rating of security awareness classes
B. The number of reported security events
C. Quiz scores for users who took security awareness classes
D. Percentage of users who have taken the courses
Answer: B
Which of the following provides the BEST means of ensuring business units outside of IT have their
information security concerns addressed?
A. Inclusion of business unit management In the Information security steering committee
B. A comprehensive list of business processes performed by each business unit
C. Involvement of senior management in information security policy development
D. Targeted user security awareness programs for business units outside of IT
Answer: A
Which of the following will BEST enable an effective information asset classification process?
A. Including security requirements in the classification process
B. Analyzing audit findings
C. Assigning ownership
D. Reviewing the recovery time objective (RTO) requirements of the asset

Answer: A
The frequency of conducting business impact analysis (BIA) should PRIMARILY be based on:
A. changes in regulatory requirements.
B. the number of security incidents.
C. business continuity plan (BCP) testing.
D. changes in business processes.
Answer: D
The BEST defense against phishing attempts within an organization is:
A. an intrusion detection system (IDS).
B. an intrusion protection system (IPS).
C. strengthening of firewall rules.
D. filtering of e-mail.
Answer: D
Which of the following metrics is the BEST indicator of an abuse of the change management process that
could compromise information security?
A. Percentage of changes that include post-approval supplemental add-ons
B. Large percentage decrease in monthly change requests
C. High ratio of lines of code changed to total lines of code
D. Small number of change requests
Answer: A

Topic 7, Exam Pool G

Which of the following is the MOST effective way to mitigate the risk of data loss in the event of a stolen
laptop?
A. Deploying end-point data loss prevention software on the laptop
B. Providing end-user awareness training focused on traveling with laptops
C. Encrypting the hard drive
D. Utilizing a strong password
Answer: C
The MOST important reason for an information security manager to be involved in a new software purchase
initiative is to:
A. ensure the appropriate controls are considered.
B. ensure there is software escrow in place.
C. choose the software with the most control options.
D. provide input for user requirements.
Answer: A
An information security manager learns that a departmental system is out of compliance with the information
security policy's authentication requirements. Which of the following should be the information security
manager's FIRST course of action?
A. Isolate the noncompliant system from the rest of the network.
B. Conduct an impact analysis to quantify the associated risk
C. Request risk acceptance from senior management.
D. Submit the issue to the steering committee for escalation.
Answer: B

Which of the following is the MOST effective method to prevent a SQL injection in an employee portal?
A. Conduct code reviews.
B. Enforce referential integrity on the database.
C. Reconfigure the database schema.
D. Conduct network penetration testing.
Answer: A
In which of the following ways can an information security manager BEST ensure that security controls are
adequate for supporting business goals and objectives?
A. Enforcing strict disciplinary procedures in case of noncompliance
B. Using the risk management process
C. Reviewing results of the annual company external audit
D. Adopting internationally accepted controls
Answer: B
Which of the following is the FIRST step required to achieve effective performance measurement?
A. Select and place sensors.
B. Define meaningful metrics.
C. Validate and calibrate metrics.
D. Implement control objectives.
Answer: B

When implementing a new risk assessment methodology, which of the following is the MOST important
requirement?
A. Risk assessments must be reviewed annually.
B. Risk assessments must be conducted by certified staff.
C. The methodology used must be consistent across the organization.
D. The methodology must be approved by the chief executive officer.
Answer: C
Which of the following should be an information security managers FIRST course of action following a
decision to implement a new technology?
A. Determine security controls needed to support the new technology.
B. Perform a business impact analysis (BIA) on the new technology.
C. Determine whether the new technology will comply with regulatory requirements.
D. Perform a return-on-investment (R01) analysis for the new technology.
Answer: A
Which of the following is the MOST important reason for logging firewall activity?
A. Auditing purposes
B. Incident investigation
C. Firewall tuning
D. Intrusion detection
Answer: A
When facilitating the alignment of corporate governance and information security governance, which of the
following is the MOST important role of an organizations security steering committee?
A.

A. Obtaining support for the integration from business owners
B. Evaluating and reporting the degree of integration
C. Obtaining approval for the information security budget
D. Defining metrics to demonstrate alignment
Answer: D
The PRIMARY reason for classifying assets is to:
A. balance asset value and protection measures.
B. inform senior management of the organization's risk posture.
C. identify low-value assets with insufficient controls.
D. establish clear lines of authority and ownership for the asset
Answer: A
Risk management is MOST cost-effective;
A. when performed on a continuous basis.
B. at the beginning of security program development
C. while developing the business case for the security program
D. when integrated into other corporate assurance functions.
Answer: D
The use of a business case to obtain funding for an information security investment is MOST effective when
the business case:
A. realigns information security objectives to organizational strategy,
B. articulates management s intent and information security directives in clear language.
C.

C. relates the investment to the organization's strategic plan.
D. translates information security policies and standards into business requirements.
Answer: A
Which of the following is the MOST important reason to document information security incidents that are
reported across the organization?
A. Prevent incident recurrence.
B. Identify unmitigated risk.
C. Support business investments in security
D. Evaluate the security posture of the organization.
Answer: C
What should the information security manager recommend to support the development of a new web
application that will allow retail customers to view inventory and order products?
A. Building an access control matrix
B. Implementation of secure transmission protocols
C. Access through a virtual private network (VPN)
D. Request customers adhere to baseline security standards
Answer: B
The PRIMARY goal of a post-incident review should be to
A. determine why the incident occurred
B. determine how to improve the incident handling process
C. establish the cost of the incident to the business.
D. identify policy changes to prevent a recurrence

Answer: D
Which of the following will BEST ensure that risk is evaluated on system level changes?
A. Senior management must sign-off on changes.
B. Security should be integrated in the change control process.
C. System development staff receives regular security training.
D. Implement a centralized change management system.
Answer: B
When trying to integrate information security across an organization, the MOST important goal for a
governing body should be to ensure:
A. funding is approved for requested information security projects.
B. the resources used for information security projects are kept to a minimum.
C. periodic information security audits are conducted.
D. information security is treated as a business critical issue.
Answer: D
Which of the following BEST helps to identify vulnerabilities introduced by changes to an organization's
technical infrastructure?
A. Log aggregation and correlation
B. Established security baselines
C. An intrusion detection system (IDS)
D. Penetration testing
Answer: A

Management is questioning the need for several items in the information security budget proposal. Which of
the following would have been MOST helpful prior to budget submission?
A. Benchmarking information security efforts of industry competitors
B. Obtaining better pricing from information security service vendors
C. Presenting a report of current threats to the organization
D. Educating management on information security best practices
Answer: C
Which of the following is the PRIMARY reason to avoid alerting certain users of an upcoming penetration
test?
A. To aid in the success of the penetration
B. To reduce the scope and duration of the test
C. To prevent exploitation by malicious parties
D. To evaluate detection and response capabilities
Answer: D
Which of the following is the BEST approach for an information security manager to effectively manage
third-party risk?
A. Ensure vendor governance controls are in place.
B. Ensure senior management has approved the vendor relationship.
C. Ensure controls are implemented to address changes in risk.
D. Ensure risk management efforts are commensurate with risk exposure.
Answer: B
The MOST effective way to communicate the level of impact of information security risks on organizational
objectives is to present:
A. detailed threat analysis results.
B.

B. business impact analysis (BIA) results.
C. risk treatment options.
D. a risk heat map.
Answer: D
Which of the following BEST determines an information asset's classification?
A. Directives from the data owner
B. Value of the information asset to competitors
C. Cost of producing the information asset
D. Criticality to a business process
Answer: A
For an organization with a large and complex IT infrastructure, which of the following elements of a disaster
recovery hot site service will require the closest monitoring?
A. Number of subscribers
B. Audit tights
C. Systems configurations
D. Employee access
Answer: C
An organization recently rolled out a new procurement program that does not include any security
requirements. Which of the following should the information security manager do FIRST?
A. Escalate the procurement program gaps to the compliance department in case of noncompliance issues.
B. Ask internal audit to conduct an assessment of the current state of third-party security controls.
C. Conduct security assessments of vendors based on value of annual spend with each vendor.

D. Meet with the head of procurement to discuss aligning security with the organization's operational
objectives.
Answer: D
Senior management has decided to accept a significant risk within a security remediation plan. Which of the
following is the information security manager's BEST course of action?
A. Report the risk acceptance to regulatory agencies.
B. Communicate the remediation plan to the board of directors.
C. Update the risk register with the risk acceptance.
D. Remediate the risk and document the rationale.
Answer: C
An internal security audit has reported several control weaknesses. The information security manager's BEST
course of action should be to:
A. present the report to the steering committee.
B. determine the effect on the risk profile.
C. remediate the vulnerabilities.
D. assign accountability for the findings.
Answer: B
In a large organization, which of the following is the BEST source for identifying ownership of a PC?
A. Asset management register
B. Domain name server (DNS) records
C. Identity management system
D. User ID register

Answer: A
Which of the following is the BEST control to minimize the risk associated with loss of information as a result
of ransomware exploiting a zero-day vulnerability?
A. A public key infrastructure
B. A data recovery process
C. A patch management process
D. A security operation center
Answer: B
Which of the following is the MOST important consideration for designing an effective information security
A. Security controls automation
B. Defined security metrics
C. Continuous audit cycle
D. Security policy provisions
Answer: B
Which of the following is the PRIMARY goal of an incident response team during a security incident?
A. Shut down the affected systems to limit the business impact.
B. Minimize disruption to business-critical operations.
C. Ensure the attackers are detected and stopped.
D. Maintain a documented chain of evidence.
Answer: B

A third-party service provider is developing a mobile app for an organization's customers. Which of the
following issues should be of GREATEST concern to the information security management.
A. Software escrow is not addressed in the contract
B. The contract has no requirement for secure development practices
C. The mobile app s programmers are all offshore contractors.
D. SLAs after deployment are not clearly defined.
Answer: A
Which of the following threats is prevented by using token-based authentication?
A. Denial of service attack over the network
B. Password sniffing attack on the network
C. Man-in-the-middle attack on the client
D. Session eavesdropping attack on the network
Answer: B
Which of the following is the PRIMARY objective of reporting security metrics to stakeholders?
A. To demonstrate alignment to the business strategy
B. To provide support for security audit activities
C. To identify key controls within the organization
D. To communicate the effectiveness of the security program
Answer: D
BEST way to isolate corporate data stored on employee-owned mobile devices would be to implement:
A. a sandbox environment
B.

B. device encryption,
C. two-factor authentication
D. a strong password policy
Answer: A
Which of the following is the BEST reason to separate short-term from long-term plans within an information
security roadmap?
A. To update the roadmap according to current risks
B. To allocate resources for initiatives
C. To allow for reactive initiatives
D. To facilitate business plan reporting to management
Answer: C
The BEST way to obtain funding from senior management for a security awareness program is to:
A. demonstrate that the program will adequately reduce risk
B. produce an impact analysis report of potential breaches.
C. meet regulatory requirements.
D. produce a report of organizational risks.
Answer: A
Ensuring that an organization can conduct security reviews within third-party facilities is PRIMARILY
enabled by:
A. contractual agreements.
B. service level agreements (SLAs).
C.

C. acceptance of the organization s security policies.
D. audit guidelines.
Answer: A
Which of the following is the BEST indication that an information security control is no longer relevant?
A. Users regularly bypass or ignore the control
B. The control does not support a specific business function.
C. IT management does not support the control.
D. Following the control costs the business more than not following it.
Answer: D
Which of the following provides the BEST evidence that the information security program is aligned to the
business strategy?
A. Information security initiatives are directly correlated to business processes.
B. The information security team is able to provide key performance indicators (KPIs) to senior
management.
C. Business senior management supports the information security policies.
D. The information security program manages risk within the business1* risk tolerance.
Answer: C
The PRIMARY focus of a training curriculum for members of an incident response team should be:
A. technology training.
B. external corporate communication
C. security awareness
D. specific role training,

Answer: D
Which of the following stakeholders would provide the BEST guidance in aligning the information security
strategy with organizational goals?
A. Board of directors
B. Chief information officer (CIO)
C. Chief information security officer (CISO)
D. information security steering committee
Answer: D
When selecting risk response options to manage risk, an information security manager's MAIN focus should
be on reducing:
A. exposure to meet risk tolerance levels.
B. the number of security vulnerabilities.
C. the likelihood of threat.
D. financial loss by transferring risk.
Answer: A
Which of the following is a PRIMARY responsibility of an information security steering committee?
A. Developing an Information security architecture
B. Updating the information security threat profile
C. Approving business cases for information security initiatives
D. Drafting information security policies in line with business objectives
Answer: C

The MAIN purpose of documenting information security guidelines for use within a large, international
organization is to:
A. explain the organization's preferred practices for security.
B. ensure that all business units have the same strategic security goals.
C. provide evidence for auditors that security practices are adequate.
D. ensure that all business units implement identical security procedures.
Answer: B
Which of the following is the MOST important function of information security?
A. Managing risk to the organization
B. Identifying system vulnerabilities
C. Preventing security incidents
D. Reducing the financial impact of security breaches
Answer: A
Which of the following is the MOST important outcome of testing incident response plans?
A. Areas requiring investment are identified.
B. Staff is educated about current threats.
C. An action plan is available for senior management.
D. Internal procedures are improved.
Answer: D
An organization has detected potential risk emerging from noncompliance with new regulations in its industry.

Which of the following is the MOST important reason to report this situation to senior management?
A. The risk profile needs to be updated
B. An external review of the risk nods to be conducted
C. Specific monitoring controls need to be implemented
D. A benchmark analysis needs to be performed.
Answer: A
Which of the following is MOST important to consider when prioritizing threats during the risk assessment
process?
A. The potential impact on operations
B. The criticality of threatened systems
C. The capability of threat actors
D. The severity of exploited vulnerabilities
Answer: B
An inexperienced information security manager is relying on its internal audit department to design and
implement key security controls. Which of the following is the GREATEST risk?
A. Conflict of interest
B. Inadequate audit skills
C. Violation of the audit charter
D. Inadequate implementation of controls
Answer: A
Which of the following is the BEST method to ensure that data owners take responsibility for implementing
information security processes?
A.

A. Increase security awareness training
B. Include security tasks into employee job descriptions
C. Include membership on project teams
D. Provide job rotation into the security organization.
Answer: A
Which of the following is the PRIMARY reason an information security strategy should be deployed across an
organization?
A. To ensure that security-related industry best practices are adopted
B. To ensure that employees adhere to security standards
C. To ensure that the business complies with security regulations
D. To ensure that management's intent is reflected in security activities
Answer: D
In a resource-restricted security program, which of the following approaches will provide the BEST use of the
limited resources?
A. Cross-training
B. Risk avoidance
C. Risk prioritization
D. Threat management
Answer: C
A PRIMARY advantage of involving business management in evaluating and managing information security
risks is that they:
A. better understand organizational risks.
B.

B. are more objective than security management,
C. better understand the security architecture.
D. can balance technical and business risks.
Answer: A
Which of the following BEST promotes stakeholder accountability in the management of information security
risks?
A. Establishment of information ownership
B. Establishment of security baselines
C. Regular reviews for noncompliance
D. Targeted security procedures
Answer: A
Which of the following is the BIST course of action for the information security manager when residual risk is
above the acceptable level of risk?
A. Defer to business management.
B. Carry out a risk assessment
C. Perform a cost-benefit analysis.
D. Recommend additional controls.
Answer: D
The head of a department affected by a recent security incident expressed concern about not being aware of
the actions taken to resolve the incident. Which of the following is the BEST way to address this issue?
A. Require management approval of the incident response plan.
B. Ensure better identification of incidents in the incident response plan.

C. Discuss the definition of roles in the incident response plan.
D. Disseminate the incident response plan throughout the organization.
Answer: D
Which of the following would be an information security manager's PRIMARY challenge when deploying a
bring your own device (BYOD) mobile program in an enterprise?
A. End user acceptance
B. Disparate device security
C. Mobile application control
D. Configuration management
Answer: C
In addition to cost what is the BEST criteria for selecting countermeasures following a risk assessment?
A. Maintenance requirements
B. Effectiveness of each option
C. Skill requirements for implementation
D. Effort of implementation
Answer: B
Which of the following is MOST important to building an effective information security program?
A. logical access controls for information systems
B. Information security architecture to increase monitoring activities
C. Relevant and timely content included in awareness programs

D. Management support for information security
Answer: D
Which of the following is an indicator of improvement in the ability to identify security risks?
A. Increased number of reported security incidents
B. Decreased number of staff requiring information security training
C. Increased number of security audit issues resolved
D. Decreased number of information security risk assessments
Answer: A
Which of the following is MOST helpful when justifying the funding required for a compensating control?
A. Business impact analysis (B1A)
B. Risk analysis
C. Business case
D. Threat assessment
Answer: C
Which of the following BEST demonstrates alignment between information security governance and corporate
governance?
A. Average number of security incidents across business units
B. Number of vulnerabilities identified for high-risk information assets
C. Security project justifications provided in terms of business value
D. Mean time to resolution for enterprise-wide security incidents
Answer: C

The MAIN consideration when designing an incident escalation plan should be ensuring that:
A. requirements cover forensic analysis.
B. information assets are classified.
C. appropriate stakeholders are involved,
D. high-impact risks have been identified.
Answer: C
An executive's personal mobile device used for business purposes is reported lost. The information security
manager should respond based on:
A. the business impact analysis (BIA).
B. incident classification.
C. asset management guidelines.
D. mobile device configuration.
Answer: D
Which of the following is the MOST important criterion for complete closure of a security incident?
A. Documenting and reporting to senior management
B. Level of potential impact
C. Root cause analysis and lessons learned
D. Identification of affected resources
Answer: C

When recommending a preventive control against cross-site scripting in web applications, an information
security manager is MOST likely to suggest:
A. consolidating multiple sites into a single portal.
B. coding standards and code review.
C. using https in place of http.
D. hardening of the web server s operating system.
Answer: B
Which of the following MOST effectively helps an organization to align information security governance with
corporate governance?
A. Promoting security as enabler 10 achieve business objectives
B. Prioritizing security initiatives based on IT strategy
C. Developing security performance metrics
D. Adopting global security standards to achieve business goals
Answer: A
Which of the following is the PRIMARY goal of a risk management program?
A. Manage compliance with organizational polices.
B. Implement preventive controls against threats
C. Reduce the organization s risk appetite
D. Manage the business impact of inherent risks.
Answer: D
An information security manager is developing a new information security strategy. Which of the following
functions would serve as the BEST resource to review the strategy and provide guidance for business
alignment?

A. The board of directors
B. Internal audit
C. The steering committee
D. The legal department
Answer: C
An organization with a strict need-to-know information access policy is about to launch a knowledge
management intranet. Which of the following is the MOST important activity to ensure compliance with
existing security policies?
A. Develop a control procedure to check content before it is published.
B. Change organization policy to allow wider use of the new web site.
C. Password-protect documents that contain confidential information.
D. Ensure that access to the web site is limited to senior managers and the board.
Answer: A
To ensure IT equipment meets organizational security standards, the MOST efficient approach is to:
A. assess security during equipment deployment.
B. ensure compliance during user acceptance testing.
C. develop an approved equipment list.
D. assess the risks of all new equipment.
Answer: A
Which of the following defines the triggers within a business continuity plan (BCP)?
A. Needs of the organization

B. Gap analysis
C. Disaster recovery plan
D. Information security policy
Answer: D
Which of the following should be an information security manager's PRIMARY focus during the development
of a critical system storing highly confidential data?
A. Complying with regulatory requirement
B. Ensuring the amount of residual risk is acceptable
C. Avoiding identified system threats
D. Reducing the number of vulnerabilities detected
Answer: A
When creating an incident response plan, the PRIMARY benefit of establishing a clear definition of a security
incident is that it helps to:
A. communicate the incident response process to stakeholders
B. make tabletop testing more effective.
C. develop effective escalation and response procedures.
D. adequately staff and train incident response teams.
Answer: D
What should be the information security manager s MOST important consideration when planning a disaster
recovery test?
A. Organization-wide involvement
B. Documented escalation processes

C. Impact to production systems
D. Stakeholder notification procedures
Answer: C
The PRIMARY purpose of a security information and event management (SIEM) system is to:
A. provide status of incidents
B. resolve incidents
C. track ongoing incidents
D. identify potential incidents.
Answer: D
Which of the following would BEST help an information security manager prioritize remediation activities to
meet regulatory requirements?
A. Alignment with the IT strategy
B. Annual toss expectancy (ALE) of noncompliance
C. Cost of associated controls
D. A capability maturity model matrix
Answer: B
Exceptions to a security policy should be approved based PRIMARILY on:
A. risk appetite.
B. the external threat probability.
C. results of a business impact analysis (BIA).
D. the number of security incidents.

Answer: C
When implementing security architecture, an information security manager MUST ensure that security
controls:
A. are the least expensive.
B. are transparent.
C. are communicated through security policies.
D. form multiple barriers against threats.
Answer: D
Which of the following metrics would be considered an accurate measure of an information security program's
performance?
A. The number of key risk indicators (KRIs) identified, monitored, and acted upon
B. A collection of qualitative indicators that accurately measure security exceptions
C. A combination of qualitative and quantitative trends that enable decision making
D. A single numeric score derived from various measures assigned to the security program
Answer: A
Which of the following is MOST important when prioritizing an information security incident?
A. Organizational risk tolerance
B. Cost to contain and remediate the incident
C. Criticality of affected resources
D. Short-term impact to shareholder value
Answer: C

Which of the following techniques is MOST useful when an incident response team needs to respond to
external attacks on multiple corporate network devices?
A. Endpoint baseline configuration analysis
B. Security event correlation analysis
C. Vulnerability assessment of network devices
D. Penetration testing of network devices
Answer: B
Which of the following has the GREATEST impact on efforts to improve an organization's security posture?
A. Well-documented security policies and procedures
B. Automation of security controls
C. Supportive tone at the top regarding security
D. Regular reporting 10 senior management
Answer: D
An information security manager is evaluating the key risk indicators (KRls) for an organization s information
security program. Which of the following would be the information security manager s GREATEST concern?
A. Use of qualitative measures
B. Multiple KRls for a single control process
C. Undefined thresholds to trigger alerts
D. Lack of formal KRI approval from IT management
Answer: C
Reviewing which of the following would provide the GREATEST Input to the asset classification process?
A.

A. Sensitivity of the data
B. Compliance requirements
C. Replacement cost of the asset
D. Risk assessment
Answer: A
Which of the following is MOST helpful for protecting an enterprise from advanced persistent threats (APTs)?
A. Defined security standards
B. Threat intelligence
C. Regular antivirus updates
D. Updated security policies
Answer: C
When developing a protection strategy for outsourcing applications, the information se<urity manager MUST
ensure that:
A. the security requirements are included in the service level agreement (SLA).
B. escrow agreements are in place.
C. the responsibility for security is transferred in the service level agreement (SLA).
D. nondisclosure clauses are in the contract.
Answer: A
To minimize security exposure introduced by changes to the IT environment, which of the following is MOST
important to implement as part of change management?
A. Performing post-change reviews before closing change tickets
B. Requiring approval by senior management
C. Performing a business impact analysis (B1A) prior to implementation
D.

D. Conducting a security risk assessment prior to go-live
Answer: D
Which of the following is the MOST effective way to mitigate the risk of confidential data leakage to
unauthorized stakeholders?
A. Create a data classification policy.
B. Conduct information security awareness training.
C. Require the use of login credentials and passwords.
D. Implement role-based access controls.
Answer: B
An organization is planning to open a new office in another country. Sensitive data will be routinely sent
between the two offices. What should be the information security manager s FIRST course of action?
A. Apply the current corporate security policies to the new office.
B. Encrypt the data for transfer to the head office based on security manager approval
C. Update privacy policies to include the other country's laws and regulations.
D. Identify applicable regulatory requirements to establish security policies
Answer: C
When considering whether to adopt a new information security framework, an organization's information
security manager should FIRST:
A. perform a financial viability study.
B. compare the framework with the current business strategy.
C. perform a technical feasibility analysis.
D. analyze the framework's legal implications and business impact.
Answer: B

When conducting a post-incident review, the GREATEST benefit of collecting mean time to resolution
(MTTR) data is the ability to:
A. verify compliance with the service level agreement (SLA).
B. reduce the costs of future preventive controls.
C. provide metrics for reporting to senior management
D. learn of potential areas of improvement.
Answer: A
An information security manager discovers that the organization's new information security policy is not being
followed across all departments. Which of the following should be of GREATEST concern to the information
security manager?
A. Business unit management has not emphasized the importance of the new policy.
B. Different communication methods may be required for each business unit
C. The corresponding controls are viewed as prohibitive to business operations.
D. The wording of the policy Is not tailored to the audience
Answer: A
Which of the following is MOST relevant for an information security manager to communicate to business
units?
A. Risk ownership
B. Vulnerability assessments
D. Threat assessments
Answer: C
An organization is about to purchase a rival organization. The PRIMARY reason for performing information

security due diligence prior to making the purchase is to:
A. determine the security exposures.
B. evaluate the security policy and standards.
C. ensure compliance with international standards.
D. assess the ability to integrate the security department operations.
Answer: B
Which of the following is MOST likely to increase end user security awareness in an organization?
A. A dedicated channel for reporting suspicious emails
B. Security objectives included in job descriptions
C. Simulated phishing attacks
D. Red team penetration testing
Answer: C
After undertaking a security assessment of a production system, the information security manager is MOST
likely to:
A. inform the system owner of any residual risks and propose measures to reduce them.
B. establish an overall security program that minimizes the residual risks of that production system
C. inform the IT manager of the residual risks and propose measures to reduce them.
D. inform the development team of any residual risks and together formulate risk reduction measures.
Answer: A
Which of the following is the MOST important influence to the continued success of an organization's
information security strategy?
A. Information systems

B. Security processes
C. Organizational culture
D. Policy development
Answer: C
Which of the following is the MOST important factor to ensure information security is meeting the
organization's objectives?
A. Implementation of a control self-assessment (CSA) process
B. Establishment of acceptable risk thresholds
C. Internal audit's involvement in the security process
D. Implementation of a security awareness program
Answer: B
Which of the following BEST ensures timely and reliable access to services?
A. Nonrepudiation
B. Recovery lime objective (RTO)
C. Availability
D. Authenticity
Answer: B
What should be an information security manager's FIRST course of action when an organization is subject to a
new regulatory requirement?
A. Submit a business case to support compliance.
B. Perform a gap analysis,
C. Complete a control assessment.

D. Update the risk register.
Answer: B
Which of the following is the BEST strategy to implement an effective operational security posture?
A. Defense in depth
B. Threat management
C. Vulnerability management
D. Increased security awareness
Answer: D
Which of the following is the PRIMARY reason to conduct periodic business impact assessments?
A. Update recovery objectives based on new risks.
B. Decrease the recovery times.
C. Improve the results of last business impact assessment (BIA).
D. Meet the needs of the business continuity policy.
Answer: A
Which of the following should be an information security manager's PRIMARY role when an organization
initiates a data classification process?
A. Assign the asset classification level.
B. Apply security in accordance with specific classification.
C. Verify that assets have been appropriately classified.
D. Define the classification structure to be implemented.
Answer: D

An organization has established information security policies, but the information security the MOST likely
reason for this situation?
A. The information security policies are not communicated across the organization.
B. The information security policies lack alignment with corporate goals.
C. The information security program is not adequately funded.
D. The organization is operating in a highly regulated industry.
Answer: B
An organization has determined that one of its web servers has been compromised. Which of the following
actions should be taken to preserve the evidence of the intrusion for forensic analysis and potential litigation?
A. Run analysis tools to detect the source of the intrusion.
B. Reboot the server in a secure area to search for digital evidence.
C. Unplug the server from the power.
D. Restrict physical and logical access to the server.
Answer: D
An information security manager has been made aware that some employees are discussing confidential
corporate business on social media sites. Which of the following is the BEST response to this situation?
A. Block workplace access to social media sites and monitor employee usage.
B. Scan social media sites for company-related information.
C. Train employees how to set up privacy rules on social media sites.
D. Communicate social media usage requirements and monitor compliance.
Answer: D

Which of the following should an information security manager do FIRST after learning about a new
regulation that affects the organization?
A. Assess the noncompliance risk.
B. Notify the affected business units.
C. Evaluate the changes with legal counsel.
D. Inform senior management of the new regulation.
Answer: C
The MOST important reason to maintain key risk indicators (KRIs) is that:
A. threats and vulnerabilities continuously evolve.
B. they help assess the performance of the security program.
C. they are needed to verify compliance with laws and regulations
D. management uses them to make informed business decisions.
Answer: A
What should an information security manager do FIRST when a service provider that stores the organization's
confidential customer data experiences a breach in its data center?
A. Determine the impact of the breach.
B. Engage an audit of the provider's data center.
C. Apply remediation actions to counteract the breach.
D. Recommend canceling the outsourcing contract.
Answer: A

After adopting an information security framework, an information security manager is working with senior
management to change the organization-wide perception that information security is solely the responsibility
of the information security department. To achieve this objective, what should be the information security
manager's FIRST initiative?
A. Develop an information security awareness campaign with senior managements support.
B. Implement a formal process to conduct periodic compliance reviews.
C. Develop an operational plan providing best practices for information security projects.
D. Document and publish the responsibilities of the information security department
Answer: A
Executive leadership has decided to engage a consulting firm to develop and implement a comprehensive
security framework for the organization to allow senior management to remain focused on business priorities.
Which of the following poses the GREATEST challenge to the successful implementation of the new security
A. Executive leadership becomes involved in decisions about information security governance
B. Information security staff has little or no experience with the practice of information security
governance.
C. Executive leadership views information security governance primarily as a concern of the information
security management team.
D. Information Security management does not fully accept the responsibility for information security
governance.
Answer: C
Inadvertent disclosure of internal business information on social media is BEST minimized by which of the
following?
A. Implementing data loss prevention (DLP) solutions
B. Developing social media guidelines
C. Educating users on social media risks
D. Limiting access to social media sites
Answer: B

Which of the following would BEST demonstrate the maturity level of an organization's security incident
response program?
A. An increase in the number of reported incidents
B. Ongoing review and evaluation of the incident response team
C. A decrease in the number of reported incidents
D. A documented and live-tested incident response process
Answer: D
Which of the following is the MOST reliable source of information about emerging information security
threats and vulnerabilities?
A. A social media group of hackers
B. Industry bloggers
C. Vulnerability scanning alerts
D. Threat intelligence groups
Answer: D
Which of the following is the BEST reason to develop comprehensive information security policies?
A. To align the information security program to organizational strategy
B. To comply with external industry and government regulations
C. To support development of effective risk indicators
D. To gain senior management support for the information security program
Answer: A

What is the PRIMARY purpose of communicating business impact to an incident response team?
A. To facilitate resource allocation tor preventive measures
B. To enable effective prioritization of incidents
C. To provide information for communication of incidents
D. To provide monetary values for post-incident review
Answer: D
Which of the following is MOST helpful for prioritizing the recovery of IT assets during a disaster?
A. Vulnerability assessment
C. Cost- benefit analysis
D. Risk assessment
Answer: B
When integrating information security requirements into software development, which of the following
practices should be FIRST in the development lifecycle?
A. Penetration testing
B. Source code review
C. Dynamic code analysis
D. Threat modeling
Answer: D
A security team is conducting its annual disaster recovery test. Post-restoration testing shows the system
response time is significantly slower due to insufficient bandwidth for Internet connectivity at the recovery
center. Which of the following is the security manager's BEST course of action?
A. Reduce the number of applications marked as critical.
B.

B. Halt the test until the network bandwidth is increased.
C. Document the deficiency for review by business leadership.
D. Pursue risk acceptance for the slower response time
Answer: C
Which of the following would BEST protect against web-based cross-domain attacks?
A. Network addressing scheme
B. Encryption controls
C. Application controls
D. Database hardening
Answer: C
Which of the following is MOST important for effective communication during incident response?
A. Establishing a mean time to resolve (MTTR) metric
B. Maintaining a relationship with media and law enforcement
C. Maintaining an updated contact list
D. Establishing a recovery time objective (RTO)
Answer: C
When aligning an organization's information security program with other risk and control activities, it is
MOST important to:
A. ensure adequate financial resources are available,.
B. have information security management report to the chief risk officer.
C. integrate security within the system development life cycle.
D.

D. develop an information security governance framework.
Answer: D
Which of the following is the BEST way to prevent recurrence of a security incident?
A. An appropriate investigation into the root cause with corrective measures applied
B. Review and update security policy on a regular basis
C. An expanded and more effective monitoring and detection process for incidents
D. Management support and approval of the incident response plan
Answer: A
Vulnerability scanning has detected a critical risk in a vital business application. Which of the following
should the information security manager do FIRST?
A. Report the business risk to senior management.
B. Confirm the risk with the business owner.
C. Create an emergency change request
D. Update the risk register.
Answer: B
An organization has an approved bring your own device (BYOD) program. Which of the following is the
MOST effective method to enforce application control on personal devices?
A. Implement a mobile device management solution.
B. Implement a web application firewall.
C. Educate users regarding the use of approved applications.
D. Establish a mobile device acceptable use policy

Answer: A
Which of the following is BEST to include in a business case when the return on investment (RIO) for an
information security initiative is difficult to calculate?
A. Projected increase in maturity level
B. Estimated increase in efficiency
C. Projected costs over time
D. Estimated reduction in risk
Answer: B
Which of the following would be MOST effective in preventing malware from being launched through an
email attachment?
A. Up-to-date security policies
B. Security awareness training
C. A network intrusion detection system (NlDS)
D. Placing the e-mail server on a screened subnet
Answer: B
Which of the following is MOST important when establishing a successful information security governance
framework?
A. Developing an Information security strategy
B. Identifying information security risk scenarios
C. Selecting information security steering committee members
D. Determining balanced scorecard metrics for information security
Answer: A

Which of the following should be communicated FIRST to senior management once an information security
incident has been contained?
A. Whether the recovery time objective was met
B. The initial business impact of the incident
C. Details on containment activities
D. A summary of key lessons learned from the incident
Answer: B
Which of the following presents the GREATEST information security concern when deploying an identity and
access management solution?
A. Supporting legacy applications
B. Complying with the human resource policy
C. Supporting multiple user repositories
D. Gaining end user acceptance
Answer: A
When granting a vendor remote access to a system, which of the following is the MOST important
consideration?
A. Password hashing
B. Session monitoring
C. Multi- factor authentication
D. Hard drive encryption
Answer: B

When developing a new system, detailed information security functionality should FIRST be addressed:
A. during the system design phase.
B. as part of prototyping.
C. as part of application development.
D. when system requirements are defined.
Answer: D
Which of the following devices, when placed in a demilitarized zone (DMZ). would be considered a
significant exposure?
A. Authentication server
B. Web server
C. Proxy server
D. Intrusion detection server
Answer: A
Which of the following is MOST critical for an effective information security governance framework?
A. The CIO is accountable for the information security program.
B. The information security program is continually monitored.
C. Board members are committed to the information security program
D. Information security policies are reviewed on a regular basis.
Answer: C
After a security incident has been contained, which of the following should be done FIRST?
A. Notify local authorities.

B. Perform a complete wipe of the affected system.
C. Conduct forensic analysis.
D. Restore the affected system from backup.
Answer: B
The BEST way to encourage good security practices is to:
A. recognize appropriate security behavior by individuals
B. publish the information security policy.
C. schedule periodic compliance audits.
D. discipline those who fail to comply with the security policy.
Answer: A
Which of the following is the BEST way to address any gaps identified during an outsourced provider
selection and contract negotiation process?
A. Make the provider accountable for security and compliance.
B. Implement compensating controls.
C. Perform continuous gap assessments.
D. Include audit rights in the service level agreement (SLA).
Answer: A
Which of the following functions is MOST critical when initiating the removal of system access for terminated
employees?
A. Help desk
B.

B. Information security
C. Human resources
D. Legal
Answer: B
Which of the following should be the FIRST step of incident response procedures?
A. Evaluate the cause of the control failure.
B. Perform a risk assessment to determine the business impact.
C. Identify if there is a need for additional technical assistance.
D. Classify the event depending on seventy and type.
Answer: B
Which of the following would be the MOST effective incident response team structure for an organization
with a large headquarters and worldwide branch offices?
A. Coordinated
B. Decentralized
C. Outsourced
D. Centralized
Answer: D
Which of the following metrics would provide management with the MOST useful information about the
effectiveness of a security awareness program?
A. Decreased number of phishing attacks
B. Decreased number of security incidents
C.

C. Increased number of reported security incidents
D. Increased number of downloads of the organization's security policy
Answer: C

Topic 8, Exam Pool H
Which of the following is the MOST important consideration to provide meaningful information security
reporting to senior management?
A. Mapping to business initiatives
B. Benchmarking against industry peers
C. Communicating risk in financial terms
D. Compliance with industry best practice
Answer: C
Which of the following is MOST helpful in determining the prioritization of available incident response
resources?
A. Adequate funding allocation
B. Security metrics based on previous incidents
C. Training of the incident response team
D. Defined incident escalation processes
Answer: D
Which of the following would be the GREATEST threat posed by a distributed denial of service (DDoS)
attack on a publicly facing …..
A. Prevention of authorized access
B. Execution of unauthorized commands
C. Defacement of website content
D. Unauthorized access to resources

Answer: C
Which of the following is the MOST important security consideration when planning to use a cloud service
provider in a different country?
A. Ability to enforce contractual obligations
B. Ability to meet service level agreements (SLAs)
C. Ability to logically separate client data
D. Ability to meet business resiliency requirements
Answer: C
Which of the following factors is MOST likely to increase the chances of a successful social engineering
attack?
A. Technical skills
B. Potential financial gain
C. Knowledge of internal procedures
D. Weak authentication for remote access
Answer: C
Which of the following approaches would MOST likely ensure that risk management is integrated into the
business life cycle processes?
A. Understanding the risk tolerance of corporate management
B. Integrating security risk into corporate risk management
C. Conducting periodic risk assessments
D. Integrating risk management into the software development life cycle
Answer: B

The responsibility for approving access to data according to the organization's data classification policy
belongs to the:
A. data owner
B. system administrator.
C. data end user
D. information security manager
Answer: A
What is the role of the information security manager in finalizing contract negotiations with service providers?
A. To obtain a security standard certification from the provider
B. To perform a risk analysis on the outsourcing process
C. To ensure that clauses for periodic audits are included
D. To update security standards for the outsourced process
Answer: B
Which of the following is the BEST way to monitor for advanced persistent threats (APT) in an organization?
A. Search for threat signatures in the environment.
B. Network with peers in the industry to share information
C. Search for anomalies in the environment.
D. Browse the Internet to learn of potential events.
Answer: B
An organization is considering the purchase of a competitor. To determine the competitor's security posture,
the BEST course of action for the organization's information security manager would be to:

A. assess the key technical controls of the competitor.
B. assess the security policy of the competitor.
C. conduct a penetration test of the competitor,
D. perform a security gap analysis on the competitor.
Answer: B
Which of the following is the MOST effective way to facilitate the implementation of IT security program
objectives?
A. Establishing a steering committee with executive and business involvement
B. Developing a suite of policy, standards, and procedure documents
C. Designing a compulsory IT security training program for all employees
D. Creating a help desk and change management platform
Answer: B
When an organization lacks internal expertise to conduct highly technical forensics investigations, what is the
BEST way to ensure effective and timely investigations following an information security incident?
A. Provide forensics training to the information security team.
B. Purchase forensic standard operating procedures.
C. Ensure the incident response policy allows hiring a forensics firm.
D. Retain a forensics firm prior to experiencing an incident.
Answer: B
Which of the following is MOST important for an information security manager to present to senior
management on a regular basis?
A.

A. Details of reported vulnerabilities
B. Changes to the organization's threat environment
C. False positives found on the intrusion prevention system
D. Security controls in place to prevent the threats
Answer: B
Which of the following is the BEST way to measure the effectiveness of a newly implemented social
engineering training program?
A. Track the trending of reported security incidents
B. Administer quizzes upon completion of training.
C. Track the trending of malware infections.
D. Test end user response to simulated scenarios
Answer: D
A global organization has developed a strategy to share a customer information database between offices in
two countries. In this situation, it is MOST important to ensure:
A. data is encrypted in transit and at rest
B. data sharing complies with local laws and regulations at both locations.
C. a nondisclosure agreement is signed.
D. risk coverage is split between the two locations sharing data.
Answer: B
Which of the following is the PRIMARY purpose for defining key performance indicators (KPIs) for a
security program?
A. To ensure controls meet regulatory requirements
B. To compare security program effectiveness to best practice

C. To evaluate the performance of security staff
D. To measure the effectiveness of the security program
Answer: D
An organization has contracted with an outsourcing company to address a security gap. Which of the
following is the BEST way to determine if the security gap has been addressed?
A. Vulnerability scan
B. Service level agreement (SLA)
C. Security risk assessment
D. Security audit
Answer: D
Which of the following is the GREATEST security concern when an organization allows the use of social
networks?
A. Network performance degradation
B. Browser vulnerability exploitation
C. Decreased user productivity
D. Inadvertent data disclosure
Answer: D
Which of the following is the MAIN concern when securing emerging technologies?
A. Compatibility with legacy systems
B. Unknown vulnerabilities
C. Applying the corporate hardening standards
D.

D. Integrating with existing access controls
Answer: D
The PRIMARY responsibility to communicate with legal authorities regarding unauthorized disclosure of
customer information should be defined in the:
A. Incident response plan
B. disaster recovery plan (DRP).
C. risk mitigation plan
D. information security policy.
Answer: A
What information is MOST helpful in demonstrating to senior management how information security
governance aligns with business objectives?
A. Metrics of key information security deliverables
B. A list of monitored threats, risks and exposures
C. Drafts of proposed policy changes
D. Updates on information security projects in development
Answer: A
Which of the following will BEST facilitate the development of appropriate incident response procedures?
A. Performing vulnerability assessments
B. Assessing capability maturity
C. Conducting scenario testing
D. Analyzing key risk indicators (KRIs)
Answer: D

An online payment provider's computer security incident response team has confirmed that a customer credit
card database was breached. Which of the following would be MOST important to include in a report to senior
management?
A. A summary of the security togs illustrating the sequence of events
B. A business case for implementing stronger logical access controls
C. An explanation of the potential business impact
D. An analysis of similar attacks and recommended remediation
Answer: C
When creating a bring your own device (BYOD) program, it is MOST important to:
A. ensure the organization's ownership of data and management of the device.
B. establish metrics to evaluate the effectiveness of the program.
C. develop remote wipe capabilities and procedures.
D. balance the costs between private versus business usage and define the method to track usage.
Answer: A
An internal control audit has revealed a control deficiency related to a legacy system where the compensating
controls no longer appear to be effective. Which of the following would BEST help the information security
manager determine the security requirements to resolve the control deficiency?
A. Risk assessment
B. Gap analysis
D. Business case
Answer: B
While auditing a data center's IT architecture, an information security manager discovers that required

encryption for data communications has not been implemented. Which of the following should be done
NEXT?
A. Evaluate compensating and mitigating controls.
B. Document and report the findings.
C. Perform a cost benefit analysis.
D. Perform a business impact analysis (BIA).
Answer: A
The BEST way 10 establish a security baseline is by documenting
A. a standard of acceptable settings
B. a framework of operational standards
C. the desired range of security settings
D. the organization's preferred security level.
Answer: D
Which of the following is the PRIMARY responsibility of an information security manager in an organization
that is implementing the use of company-owned mobile devices in its operations?
A. Require remote wipe capabilities for devices.
B. Enforce passwords and data encryption on the devices.
C. Review and update existing security policies.
D. Conduct security awareness training.
Answer: B
Which of the following roles should be separated?
A. Help desk and security administration
B.

B. Firewall management and security operations
C. Systems analysis and application programming
D. Data security and database administration
Answer: D
An IT department is having difficulty controlling the installation and use of unauthorized software that is in
breach of organizational policy. Which of the following is the MOST effective solution?
A. Restrict local desktop administration rights.
B. Install a software monitoring tool on the network.
C. Train users on the acceptable use policies.
D. Conduct random workstation audits.
Answer: A
An information security manager wants to implement a security Information and event management (SIEM)
system that will aggregate log data from all systems that control perimeter access. Which of the following
would BEST support the business case for this initiative to senior management?
A. Metrics related to the number of systems to be consolidated
B. Independent evidence of SIEM system's ability to reduce risk
C. Alignment with industry best practices
D. Industry examples of threats detected using a SIEM system
Answer: D
When building a corporate-wide business continuity plan {BCP), it is discovered there are two separate lines
of business systems that could be impacted by the same threat. Which of the following is the BEST method to
determine the priority of system recovery in the event of a disaster?
A. Evaluating the cost associated with each system's outage
B.

B. Comparing the recovery point objectives (RPOs)
C. Reviewing the business plans of each department
D. Reviewing each system's key performance indicators (KPIs)
Answer: B
What is the BEST approach for the information security manager to reduce the impact on a security program
due to turnover within the security staff?
A. Recruit certified staff.
B. Revise the information security program.
C. Ensure everyone is trained in their roles.
D. Document security procedures.
Answer: D
During which stage of the software development life cycle (SDLC) should application security controls FIRST
be addressed?
A. Application system design
B. Configuration management
C. Requirements gathering
D. Software code development
Answer: A
Which of the following is a PRIMARY responsibility of a data owner?
A. Conducting data privacy impact assessments
B. Approving access to information
C. Performing user access audits

D. Processing entitlement changes
Answer: B
A business impact analysis (BIA) should be periodically executed PRIMARILY to:
A. analyze the importance of assets.
B. check compliance with regulations.
C. verify the effectiveness of controls
D. validate vulnerabilities on environmental changes.
Answer: C
An organization has announced company-wide budget cuts due to poor financial performance, impacting
delivery of the information security program. What should the information security manager do FIRST?
A. Prioritize projects within the information security program.
B. Reduce the scope of existing security Initiatives to lower the total cost.
C. Reduce the number of Information security projects to adhere to the new budget.
D. Inform senior management of the increased risk associated with lack of funding.
Answer: A
The BEST way to establish a security baseline is by documenting:
A. a standard of acceptable settings
B. a framework of operational standards
C. the desired range of security settings
D. the organization's preferred security level.
Answer: A

Which of the following provides a sound basis for effective security change management?
A. Configuration management
B. Password management
C. Incident management
D. Version management
Answer: A
An information security manager recently received funding for a vulnerability scanning tool to replace manual
assessment techniques and needs to justify the expense of the tool going forward. Which of the following
metrics would BEST indicate the tool is effective?
A. An increase in the severity of detected vulnerabilities
B. An increase in the number of detected vulnerabilities
C. A decrease in the lime needed to detect vulnerabilities
D. A decrease in staff needed to detect vulnerabilities
Answer: C
An organization has announced new initiatives to establish a big data platform and develop mobile apps. What
is the FIRST step when defining new human resource requirements?
A. Determine the security technology requirements for the initiatives
B. Analyze the skills necessary to support the new initiatives.
C. Request additional funding for recruiting and training
D. Benchmark to an industry peer
Answer: B
Which of the following presents the GREATEST concern to the information security manager when using

account locking features on an online application? It can increase vulnerability to.
A. social engineering.
B. phishing.
C. brute force attacks.
D. denial of service.
Answer: D
Which is the BEST way for an organization to monitor security risk?
A. Analyzing key performance indicators (KPIs)
B. Using a dashboard to assess vulnerabilities
C. Using external risk intelligence services
D. Analyzing key risk indicators (KRIs)
Answer: D
An information security manager has discovered an external break-in to the corporate network Which of the
following actions should be taken FIRST?
A. Switch on trace logging
B. Shut down the network
C. Copy event logs to a different server
D. isolate the affected portion of the network
Answer: D
Which of the following is MOST critical to the successful implementation of information security within an
organization?
A.

A. Strong risk management skills exist within the information security group.
B. The information security manager is responsible for setting information security policy.
C. Budget is allocated for information security tools
D. Information Security is effectively marketed to all managers and employees,
Answer: D
Which of the following is the MOST appropriate board-level activity for information security governance?
A. Include security in job performance appraisals
B. Develop 'what-if’ scenarios on incidents
C. Establish measures for security baselines.
D. Establish security and continuity ownership
Answer: D
Which of the following is the NEXT course of action for an incident response team if an Incident cannot be
investigated in the allocated time?
A. Discontinue the investigation.
B. Activate the business continuity plan (BCP).
C. Request an exception to the service level agreement (SLA).
D. Escalate to senior management for resolution.
Answer: D
Which of the following recovery approaches generally has the LOWEST periodic cost?
A. Redundant site
B. Reciprocal agreement
C. Shared contingency center

D. Cold site
Answer: D
Senior management is concerned a security solution may not adequately protect its multiple global data centers
following recent industry breaches. What should be done NEXT?
A. Conduct a business impact analysis (BIA).
B. Perform a gap analysis.
C. Require an internal audit review.
D. Perform a risk assessment.
Answer: D
Which of the following is MOST important when allowing employees to work at home using personally
owned devices?
A. Approving personally owned devices
B. Enforcing an end-point security policy
C. Assessing vulnerabilities of home wireless connections
D. Reviewing OS on personal devices
Answer: B
Which of the following would provide the HIGHEST level of confidence in the integrity of data when sent
from one party to another?
A. Require files to be digitally signed before they are transmitted.
B. Harden the communication infrastructure.
C. Require data to be transmitted over a secure connection.
D. Enforce multi-factor authentication (MFA) on both ends of the communication.

Answer: A
Which of the following is MOST effective in preventing the introduction of vulnerabilities that may disrupt
the availability of a critical business application?
A. Change management controls
B. A patch management process
C. Version control
D. Logical access controls
Answer: B
Which of the following will provide the MOST accurate test results for a disaster recovery plan (DRP)?
A. Full interruption test
B. Structured walk-through
C. Parallel test
D. Simulation test
Answer: A
An information security manager wants to justify the Investment required to integrate information security into
business processes. What should be the FIRST course of action?
A. Prepare a security budget including necessary changes.
B. Conduct a risk assessment
C. Develop an information security policy
D. Benchmark against peer organizations.
Answer: B

A core business unit relies on an effective legacy system that does not meet the current security standards and
threatens that enterprise network. Which of the following is the BEST course of action to address the
situation?
A. Require that new systems that can meet the standards be implemented.
B. Document the deficiencies in the risk register.
C. Develop processes to compensate for the deficiencies.
D. Disconnect the legacy system from the rest of the network.
Answer: C
Which of the following is MOST important when developing a security strategy?
A. Management direction on security
B. A well-defined security organization
C. Sufficient resource allocation by management
D. A risk-aware security culture
Answer: A
Which of the following is MOST helpful in identifying external and internal factors that could influence the
organization's future information security posture?
A. SWOT analysis
B. Penetration testing
C. Current risk tolerance
D. IT balanced scorecard
Answer: A
A multinational organization has developed a bring your own device (BYOD) policy that requires the

installation of mobile device management (MDM) software on personally owned devices. Which of the
following poses the GREATEST challenge for implementing the policy?
A. Differences in mobile OS platforms
B. Varying employee data privacy rights
C. Differences in corporate cultures
D. Translation and communication of policy
Answer: B
Which of the following poses the GREATEST risk to the operational effectiveness of an incident response
team?
A. The lack of automated communication channels
B. The lack of forensic investigation skills
C. The lack of delegated authority
D. The lack of a security information and event management (SIEM) system
Answer: C
An organization has decided to migrate a customer facing on-premise application to a cloud provider. Which
of the following would be MOST helpful when assessing the proposed data backup requirements prior to the
migration?
A. Vendor controls report analysis
B. Control assessment
C. Risk assessment
Answer: D
The criticality of an information asset is derived from its:

A. replacement cost
B. threat level
C. business value
D. frequency of use.
Answer: C
Which of the following is the PRIMARY purpose of establishing an information security governance
framework?
A. To proactively address security objectives
B. To enhance business continuity planning
C. To reduce security audit issues
D. To minimize security risks
Answer: A
Which of the following is the MOST effective approach to ensure IT processes are performed in compliance
with the information security policies?
A. Ensuring that key controls are embedded in the processes
B. Providing information security policy training to the process owners
C. Allocating sufficient resources
D. Identifying risks in the processes and managing those risks
Answer: D
The MOST effective way to determine the resources required by internal Incident response teams is to
A. determine the scope and charter of incident response
B.

B. request guidance (rom incident management consultants.
C. benchmark against other incident management programs
D. test response capabilities with event scenarios.
Answer: D
Which of the following would be MOST helpful to an information security manager tasked with enforcing
enhanced password standards?
A. Implementing technical password controls to include strong complexity
B. Conducting password strength testing
C. Reeducating end users on creating strong, complex passwords
D. Implementing a centralized identity management system
Answer: A
Which of the following is MOST important for the alignment of an information security program with the
information security strategy?
A. Input from senior management
B. Adoption of an industry recognized framework
C. Benchmarking against industry peers
D. Identification of business-specific risk factors
Answer: A
Which is MOST important when aligning security priorities with business unit strategies?
A. Risk mitigation plans
B. Stakeholder feedback
C. Gap analysis

Answer: B
An internal security audit has reported that authentication controls are not operating effectively. Which of the
following is MOST important to c management?
A. The impact of the control weakness on the risk profile of the organization
B. The results of a business impact analysis (BIA)
C. A business case for implementing stronger authentication controls
D. An analysis of the impact of this type of control weakness on other organizations
Answer: A
Which of the following provides the MOST essential input for the development of an information security
strategy?
A. Availability of capable information security resources
B. Measurement of security performance against IT goals
C. Results of a technology risk assessment
D. Results of an information security gap analysis
Answer: D
An information security manager is reviewing the organization's incident response policy affected by a
proposed public cloud integration. Which of the following will be the MOST difficult to resolve with the cloud
service provider?
A. Obtaining physical hardware for forensic analysis
B. Regular testing of incident response plan
C. Defining incidents and notification criteria
D. Accessing information security event data

Answer: A
Senior management is concerned several security incidents were not reported in a timely manner. Which of the
following should the information security manager do FIRST to address this situation?
A. Request a review from internal audit.
B. Perform a root cause analysis of the issue.
C. Assess the communication skills of the Incident response Team.
D. Update reporting requirements in the incident response plan.
Answer: B
An organization's security was compromised by outside attackers. The organization believed that the incident
was resolved. After a few days, the IT staff is still noticing unusual network traffic. Which of the following is
the BEST course of action to address this situation?
A. Identify potential incident impact.
B. Assess the level of the residual risk.
C. Initiate the incident response process.
D. Implement additional incident response monitoring tools.
Answer: C
A new version of an information security regulation is published that requires an organization's compliance.
The information security manager should FIRST
A. perform an audit based on the new version of the regulation
B. conduct a risk assessment to determine the risk of noncompliance.
C. conduct benchmarking against similar organizations.
D. perform a gap analysis against the new regulation.
Answer: D

Which of the following is the MOST effective preventive control?
A. Review of audit logs
B. Segregation of duties
C. Warning banners on login screens
D. Restoration of a system from backup
Answer: B
What is the BEST way for a customer to authenticate an e-commerce vendor?
A. Use a secure communications protocol for the connection.
B. Verify the vendor's certificate with a certificate authority.
C. Request email verification of the order
D. Encrypt the order using the vendor s private key
Answer: B
Which of the following is MOST important when carrying out a forensic examination of a laptop to determine
an employee s involvement in a fraud?
A. The investigation should be conducted on an image of the original disk drive.
B. The laptop should not be removed from the company premises.
C. The employee's network access should be suspended.
D. An HR representative should be present during the laptop examination.
Answer: A
An organization manages payroll and accounting systems for multiple client companies Which of the
following contract terms would indicate a potential weakness for a disaster recovery hot site?
A.

A. Servers will be provided at time of disaster (not on floor).
B. Work-area size Is limited but can be augmented with nearby office space
C. Timestamp of declaration will determine priority of access to facility
D. Exclusive use of hot site is limited to six weeks (following declaration)
Answer: A
Which of the following would BEST enable an effective response to a network-based attack?
A. Deploying counterattacks on the source network
B. Maintaining an incident playbook
C. Enabling network time protocol synchronization
D. Notifying the network service provider of incidents
Answer: B
Which of the following activities would BEST incorporate security into the software development life cycle
{SOLO7
A. Test applications before go-live
B. Minimize the use of open source software
C. Include security training for the development team
D. Scan operating systems for vulnerabilities
Answer: C
If the inherent risk of a business activity is higher than the acceptable risk level, the information security
manager should FIRST
A. transfer risk to a third party to avoid cost of impact
B. recommend that management avoids the business activity

C. implement controls to mitigate the risk to an acceptable level
D. assess the gap between current and acceptable level of risk
Answer: C
The MOST important reason to use a centralized mechanism to identify information security incidents is to:
A. prevent unauthorized changes to networks
B. detect threats across environments
C. detect potential fraud.
D. comply with corporate policies
Answer: B
An organization has purchased a security Information and event management (SIEM) tool. Which of the
following is MOST important lo consider before implementation?
A. Controls to be monitored
B. Reporting capabilities
C. The contract with the SIEM vendor
D. Available technical support
Answer: A
The MAIN reason for an information security manager to monitor industry level changes in the business and
IT is to:
A. evaluate the effect of the changes on the levels of residual risk.
B. identify changes in the risk environment
C. update information security policies in accordance with the changes
D.

D. change business objectives based on potential impact
Answer: B
Conducting a cost-benefit analysis for a security investment is important because it
A. supports asset classification.
B. quantifies return on security investment
C. supports justification for expenditure.
D. quantifies residual risk
Answer: A
What would be an information security manager's BEST recommendation upon learning that an existing
contract with a third party does not clearly identify requirements for safeguarding the organization's critical
data?
A. Transfer the risk to the provider.
B. Cancel the outsourcing contract.
C. Initiate an external audit of the provider's data center.
D. Create an addendum to the existing contract.
Answer: D
Which of the following would be MOST important to include in a bring your own device (BYOD) policy with
regard to lost or stolen devices? The need for employees to:
A. seek advice from the mobile service provider
B. initiate the company's incident reporting process
C. notify local law enforcement.
D. request a remote wipe of the device

Answer: B
What should be an information security manager's NEXT activity following the remediation of a security
incident?
A. Update the incident testing timeline
B. Review system logs.
C. Review lessons learned.
D. Update post-incident training.
Answer: C
An organization rolled out information security awareness training and wants to perform an end-ot-year
assessment to determine the program's success. Which of the following would be the BEST indicator of the
program's effectiveness?
A. An increase in the number of security incidents throughout the organization
B. An increase in the number of employees completing training in a timely manner
C. An increase in the number of security-related inquiries to the help desk
D. An increase in the number of positive comments in trainee feedback surveys
Answer: C
Which of the following is the BEST reason for delaying the application of a critical security patch?
A. Conflicts with software development life cycle
B. Resource limitations
C. Lack of vulnerability management
D. Technology interdependences

Answer: D
An information security manager has developed a strategy to address new information security risks resulting
from recent change the business. Which of the following would be MOST important to include when
presenting the strategy to senior management?
A. The costs associated with business process changes
B. The impact of organizational changes on the security risk profile
C. Results of benchmarking against industry peers
D. Security controls needed for risk mitigation
Answer: B
Which of the following would BEST enable effective decision-making?
A. Annualized loss estimates determined from past security events
B. Formalized acceptance of risk analysis by business management
C. A universally applied list of generic threats, impacts, and vulnerabilities
D. A consistent process to analyze new and historical information risk
Answer: D
From an Information security perspective, legal issues associated with a transborder flow of
technology-related items are MOST often related to
A. website transactions and taxation.
B. lack of competition and free trade
C. software patches and corporate data
D. encryption tools and personal data
Answer: A

Utilizing external resources for highly technical information security tasks allows an information security
manager to:
A. outsource responsibility,
B. leverage limited resources,
C. transfer business risk,
D. distribute technology risk
Answer: D
When preparing a risk treatment plan, which of the following is the MOST important consideration when
reviewing options for mitigating risk?
A. Cost-benefit analysis
B. User acceptance
C. Control identification
Answer: A
The MOST important reason to maintain metrics for incident response activities is to
A. support continual process improvement.
B. analyze security incident bends
C. ensure that evidence collection and preservation are standardized
D. prevent incidents from reoccurring.
Answer: A
Which of the following is MOST important for an information security manager to verify when selecting a
third-party forensics provider?
A. Existence of the provider's Incident response plan
B. Results of the provider's business continuity tests
C.

C. Existence of a right-to-audit clause
D. Technical capabilities of the provider
Answer: C
Which of the following models provides a client organization with the MOST administrative control over a
cloud-hosted environment?
A. Software as a Service (SaaS)
B. Infrastructure as a Service (laaS)
C. Platform as a Service (PaaS)
D. Storage as a Service (SaaS)
Answer: B
System logs and audit logs for sensitive systems should be stored
A. on a shared Internal server
B. on a dedicated encrypted storage server,
C. In an encrypted folder on each server.
D. on a cold site server.
Answer: B
In order to understand an organization's security posture, it is MOST important for an organizations senior
leadership to:
A. review the number of reported security Incidents,
B. evaluate results of the most recent incident response test
C. ensure established security metrics are reported.
D. assess progress of risk mitigation efforts.

Answer: B
Which of the following BEST protects against phishing attacks?
A. Email filtering
B. Security strategy training
C. Application whitelisting
D. Network encryption
Answer: A
An information security manager has identified and implemented mitigating controls according to industry
best practices. Which of the following is the GREATEST risk associated with this approach?
A. The security program may not be aligned with organizational objectives.
B. Important security controls may be missed without senior management input.
C. The mitigation measures may not be updated in a timely manner.
D. The cost of control implementation may be too high.
Answer: A
Which of the following is the MOST effective approach of delivering security incident response training?
A. Provide on-the-job training and mentoring for the incident response team.
B. Engage external consultants to present real-world examples within the industry.
C. Include incident response training within new staff orientation.
D. Perform role-playing exercises to simulate real-world incident response scenarios.
Answer: A

Which of the following is the BEST method for management to obtain assurance of compliance with its
security policy?
A. Question staff concerning their security duties.
B. Conduct regular independent reviews.
C. Train staff on their compliance responsibilities.
D. Review security incident logs.
Answer: B
Senior management is alarmed by recent media reports of severe security incidents at competing organizations
Which of the following would provide the BEST assurance that the organization's current security measures
are performing adequately?
A. Review the intrusion prevention system (IPS) logs
B. Require third-party penetration testing
C. Review the intrusion detection system (IDS) logs
D. Require internal penetration testing
Answer: B
In the development of an information security strategy, recovery time objectives (RTOs) will serve as
indicators of:
A. senior management support.
B. risk tolerances.
C. maturity levels.
D. open vulnerabilities.
Answer: B
An information security manager is reviewing the business case for a security project that is entering the

development phase It is determined that the estimates cost of the controls is now greater than the risk being
mitigated. What is the information security manager's BEST recommendation?
A. Slow the pace of the project to spread costs over a longer period.
B. Discontinue the project to release funds for other efforts
C. Eliminate some of the controls from the project scope.
D. Pursue the project until the benefits cover the costs.
Answer: C
Senior management has endorsed a comprehensive information security policy. Which of the following should
the organization do NEXT?
A. Promote awareness of the policy among employees.
B. Implement an authentication and authorization system.
C. Identify relevant information security frameworks for adoption.
D. Seek policy buy-in from business stakeholders.
Answer: A
When creating security baselines, it is MOST important to:
A. demonstrate adherence to compliance criteria
B. establish consistent enterprise-wide controls
C. identify critical systems storing sensitive data
D. establish maximum security requirements.
Answer: A
Which of the following provides the GREATEST assurance that information security is addressed in change
management?
A. Performing a security audit on changes

B. Requiring senior management sign-off on change management
C. Reviewing changes from a security perspective
D. Providing security training for change advisory board
Answer: C
Which of the following would be MOST helpful in gaming support for a business case for an Information
security initiative9
A. Referencing control deficiencies
B. Demonstrating organizational alignment
C. Emphasizing threats to the organization
D. Presenting a solution comparison matrix
Answer: B
Recovery time objectives (RTOs) are an output of which of the following?
A. Business continuity plan
B. Disaster recovery plan
C. Service level agreement (SLA)
D. Business impact assessment (BIA)
Answer: B
An organization has decided to store production data in a cloud environment. What should be the FIRST
consideration?
A. Data isolation
B. Data classification
C.

C. Data transfer
D. Data backup
Answer: B
When a critical incident cannot be contained in a timely manner and the affected system needs to be taken
offline, which of the following stakeholders MUST receive priority communication?
A. System end-users
B. System administrator
C. Business process owner
D. Senior management
Answer: C
An organization is considering moving to a cloud service provider for the storage of sensitive data. Which of
the following should be considered FIRST?
A. Requirements for data encryption
B. Results of the cloud provider's control report
C. A destruction-of-data clause in the contract
D. Right to terminate clauses in the contract
Answer: B
Communicating which of the following would be MOST helpful to gain senior management support for risk
treatment options?
A. industry benchmarks
B. Threat analysis
C. Root cause analysis
D.

D. Quantitative loss
Answer: C
For computer forensics evidence to be admissible in a court of law, the evidence MUST:
A. meet standards of relevance
B. be identifiable and reproducible
C. have integrity and accountability
D. be stored in the original media.
Answer: C
A data-hosting organization's data center houses servers, applications, and data for a large number of
geographically dispersed customers. Which of the following strategies is the BEST approach for developing a
physical access control policy for the organization?
A. Design single sign-on or federated access.
B. Develop access control requirements for each system and application.
C. Review customers' security policies.
D. Conduct a risk assessment 10 determine security risks and mitigating controls.
Answer: B
Which aspect of an incident response plan will MOST effectively help to limit reputational damage when
multiple media services are seeking a response following a major security breach?
A. The plan has been approved by executive management.
B. The plan establishes clear lines of responsibility.
C. The plan complies with regulatory requirements.
D. The plan has been reviewed by the media relations team.

Answer: C
Which of the following would BEST enable integration of information security governance into corporate
governance?
A. Ensuring appropriate business representation on the information security steering committee
B. Having the CIO chair the information security steering committee
C. Using a balanced scorecard to measure the performance of the information security strategy
D. Implementing IT governance, risk and compliance (IT GRC) dashboards
Answer: C
Which of the following should be the PRIMARY input when defining the desired state of security within an
organization?
A. Acceptable risk level
B. Annual loss expectancy
C. External audit results
D. Level of business impact
Answer: D
Which of the following has the MOST influence on an organization's adoption of information security
policies?
A. Enforcement of penalties for noncompliance
B. A comprehensive security awareness program
C. Demonstrated senior management commitment
D. Established key performance indicators (KPIs)
Answer: C

A business unit is preparing the business case for acquiring an e-commerce solution Which of Ihe following
should be provided by the information security manager?
A. A cost-benefit analysis of the solution to be acquired
B. An analysis of the solution's security requirements
C. Information security staff training requirements to support the solution
D. A return on investment (ROI) assessment of the solution to be acquired
Answer: B
When two different controls are available to mitigate a risk, an information security manager's
recommendation should be based on the results of a:
A. control evaluation
B. cost-benefit analysis
C. countermeasure analysis
D. threat analysis.
Answer: B
Which of the following provides the BEST indication that the information security program is in alignment
with enterprise requirements?
A. Security strategy objectives are defined in business terms.
B. An IT governance committee is m place.
C. The security strategy is benchmarked with similar organizations
D. The information security manager reports to the chief executive officer.
Answer: A
Which of the following is the MOST relevant risk factor to an organization when employees use social media?
A. Social media can be used to gather intelligence for attacks.

B. Social media increases the velocity of risk and the threat capacity.
C. Social media offers a platform that can host cyber-attacks.
D. Social media can be accessed from multiple locations.
Answer: A
Which of the following should be of MOST influence to an information security manager when developing IT
security policies?
A. Put and current threats
B. Compliance with regulations
C. IT security framework
D. Business strategy
Answer: B
Which of the following is the PRIMARY responsibility of the information security manager when an
organization implements the use of personally-owned devices on the corporate network?
A. Requiring remote wipe capabilities
B. Conducting security awareness training
C. Enforcing defined policy and procedures
D. Encrypting the data on mobile devices
Answer: C
The authorization to transfer the handling of an internal security incident to a third-party support provider is
PRIMARILY defined by the:
A. information security manager
B. escalation procedures

C. disaster recovery plan (DRP)
D. chain of custody.
Answer: B
Information security policies should be designed PRIMARILY on the basis of:
A. international standards.
B. inherent risks.
C. business risks.
D. business demands.
Answer: C
Which of the following is MOST helpful in protecting against hacking attempts on the production network?
A. Intrusion prevention systems
B. Security information and event management (SIEM) tools
C. Network penetration testing
D. Decentralized honeypot networks
Answer: D
An organization has remediated a security flaw in a system Which of the following should be done NEXT?
A. Allocate budget for penetration testing
B. Assess the residual risk
C. Update the system's documentation
D. Share lessons learned with the organization
Answer: D

What should an information security manager do FIRST when made aware of a new regulation which may
require the redesign of existing information security processes?
A. Develop a future state roadmap.
B. Perform a cost-benefit analysis.
C. Perform a gap analysis.
D. Develop a business case.
Answer: C
Which of the following security controls should be integrated FIRST into procurement processes to improve
the security of the services provided by suppliers'?
A. Performing risk assessments to identify security concerns
B. Conducting penetration testing to identify security vulnerabilities
C. Performing regular security audits to determine control deficiencies
D. Creating service contract templates to include security provisions
Answer: D
Which of the following is the MOST effective way for an organization to ensure its third-party service
providers are aware of information security requirements and expectations?
A. Inducting information security clauses within contracts
B. Auditing the service delivery of third-party providers
C. Requiring third parties to sign confidentiality agreements
D. Providing information security training to third-party personnel
Answer: A
What is the BEST reason to keep information security policies separate from procedures?
A.

A. To ensure policies receive the appropriate approvals
B. To ensure that individual documents do not contain conflicting information
C. To keep policy documents from becoming too large
D. To keep policies from having to be changed too frequently
Answer: D
An incident was detected where customer records were altered without authorization. The GREATEST
concern for forensic analysis would be that the log data:
A. has been disclosed.
B. could be temporarily available.
C. may not be time-synchronized.
D. may be modified.
Answer: D
Which of the following is the BEST source of information to help determine whether a third party's
connections to the organization's internal network are aligned with internal control requirements?
A. Security architectural diagrams
B. Service level agreements (SLAs)
C. Contractual requirements
D. Data classification standards
Answer: C
In a multinational organization, local security regulations should be implemented over global security policy
because:
A. deploying awareness of local regulations is more practical than of global policy.
B. global security policies include unnecessary controls for local businesses

C. requirements of local regulations take precedence
D. business objectives are defined by local business unit managers.
Answer: C
Which of the following BEST demonstrates the performance of the information security program to Key
stakeholders?
A. Disaster recovery testing results
B. Risk heat map
C. Security risk register
D. Security dashboard
Answer: D
Which of the following is the MOST important security consideration when using Infrastructure as a Service
(laaS)?
A. Compliance with internal standards
B. Segmentation among tenants
C. Backup and recovery strategy
D. User access management
Answer: B
An organization is the victim of an attack generating multiple incident reports. Which of the following will
BEST enable incident handling and contain exposure?
A. The ability to effectively escalate incidents
B. The ability to acquire the appropriate resources
C. The ability to sort and classify events
D.

D. The ability to isolate and secure the affected systems
Answer: D
An organization plans to implement a document collaboration solution to allow employees to share company
information. Which of the following is the MOST important control to mitigate the risk associated with the
new solution?
A. Assign write access to data owners.
B. Allow a minimum number of users access to the solution.
C. Have data owners perform regular user access reviews.
D. Permit only non-sensitive information on the solution.
Answer: C
Which of the following is the MOST important reason for performing a cost-benefit analysis when
implementing a security control?
A. To ensure that the mitigation effort does not exceed the asset value
B. To present a realistic information security budget
C. To ensure that benefits are aligned with business strategies
D. To justify information security program activities
Answer: A
When scoping a risk assessment, assets need lo be classified by
A. redundancy and recoverability
B. sensitivity and criticality.
C. threats and opportunities
D. likelihood and impact.
Answer: B

An organization has detected sensitive data leakage caused by an employee of a third-party contractor. What is
the BEST course of action to address this issue?
A. Activate the organization's incident response plan.
B. Limit access to the third-party contractor
C. Include security requirements in outsourcing contracts
D. Terminate the agreement with the third-party contractor
Answer: A
Which of the following is the MOST important criterion when deciding whether to accept residual risk?
A. Annual loss expectancy (ALE)
B. Cost of replacing the asset
C. Annual rate of occurrence (ARO)
D. Cost of additional mitigation
Answer: B
For an organization that provides web-based services, which of the following security events would MOST
likely initiate an incident response plan and be escalated to management?
A. Several port scans of the web server
B. Multiple failed login attempts on an employee's workstation
C. Suspicious network traffic originating from the demilitarized zone (DMZ)
D. Anti-malware alerts on several employees' workstations
Answer: D

An application system stores customer confidential data and encryption is not practical. The BEST measure to
protect against data disclosure is:
A. nondisclosure agreements (NDA).
B. single sign-on.
C. multi-factor access controls.
D. regular review of access logs.
Answer: D
In a large organization requesting outsourced services, which of the following contract clauses is MOST
important to the information security manager?
A. Compliance with security requirements
B. Frequency of status reporting
C. Nondisclosure clause
D. Intellectual property
Answer: A
Which of the following is MOST helpful to an information security manager when determining service level
requirements for an outsourced application?
A. Data classification
B. Information security policy
C. Business functionality
D. Application capabilities
Answer: C
Which of the following is MOST effective in reducing the financial impact following a security breach leading

to data disclosure9
A. An incident response plan
B. Backup and recovery strategy
C. A data loss prevention (DLP) solution
D. A business continuity plan (BCP)
Answer: B
Which of the following would MOST effectively help to restrict sensitive data from being transmitted outside
the organization?
A. Intrusion detection system (IDS)
B. Data forensics
C. Data loss prevention (DLP)
D. Security information and event management (SIEM)
Answer: C
An information security manager has been asked to integrate security into the software development life cycle
(SDLC) after requirements have already been gathered. In this situation during which phase would integration
be MOST effectrve?
A. Quality assurance analysis
B. Code review
C. Penetration testing
D. User acceptance testing
Answer: A
When reporting on the effectiveness of the information security program, which of the following is the BEST
way lo demonstrate improvement m security performance?
A. Report the results of a security control self-assessment (CSA).

B. Benchmark security metrics against industry standard
C. Provide a summary of security project return on investments (ROls) for the past year.
D. Present a penetration testing report conducted by a third party
Answer: D
An organization is adopting a standardized corporate chat messaging technology to help facilitate

communication among business units. Which of the following is an ESSENTIAL task associated with this
initiative?
A. Increasing security and operational staffing to support the technology
B. Restricting the use of the technology in departments with sensitive information
C. Enforcing encryption of chat communications
D. Reviewing existing organizational policies regarding the new technology
Answer: D
Which of the following should be done FIRST when establishing security measures for personal data stored
and processed on a human resources….system?
A. Evaluate data encryption technologies.
B. Conduct a vulnerability assessment.
C. Move the system into a separate network.
D. Conduct a privacy impact assessment (PIA).
Answer: D
Threat and vulnerability assessments are important PRIMARILY because they are:
A. used to establish security investments.
B. needed to estimate risk.
C. the basis for setting control objectives.
D.

D. elements of the organization's security posture.
Answer: C
Which of the following should be the PRIMARY goal of an Information security manager when designing
Information security policies?
A. Improving the protection of information
B. Minimizing the cost of security controls
C. Achieving organizational objectives
D. Reducing organizational security risk
Answer: D
Which of the following is the BEST way for an Information security manager to gain wider acceptance for an
information security policy that is perceived as restrictive?
A. Remove the restrictive requirements from the policy.
B. Communicate the policy across the organization using various media.
C. Establish sanctions for failure to follow the policy
D. Review the policy with the information security steering committee.
Answer: D
Which of the following is the MOST significant security risk in IT asset management?
A. Unregistered IT assets may riot be included in security documentation.
B. Unregistered IT assets may not be configured properly.
C. IT assets may be used by staff for private purposes.
D. Unregistered IT assets may not be supported.
Answer: B

Which of the following is the BEST course of action for an information security manager to align security and
business goals?
A. Actively engaging with stakeholders
B. Defining key performance indicators (KPIs)
C. Reviewing the business strategy
D. Conducting a business impact analysis (6IAJ
Answer: C
Which of the following should be the FIRST step when creating an organization's bring your own device
(BYOD) program?
A. identify data to be stored on the device
B. Develop an acceptable use policy.
C. Develop employee training.
D. Pretest approved devices
Answer: B
Which of the following is an important criterion for developing effective key risk indicators (KRIs) to monitor
information security risk?
A. The indicator should align with key performance indicators (KPIs) and measure root causes of process
performance issues.
B. The indicator should possess a high correlation with a specific risk and be measured on a regular basis
C. The indicator should focus on IT and accurately represent risk variances.
D. The indicator should provide a retrospective view of risk impacts and be measured annually.
Answer: A

An organization establishes an internal document collaboration site. To ensure data confidently of each project
group, it is MOST important to:
A. Prohibit remote access to the site
B. Periodically recertify access rights.
C. Conduct vulnerability assessment
D. Enforce document life cycle management
Answer: B
Which of the following trends BEST indicates that the maturity level of an information security program is
improving?
A. A decrease in residual risk
B. An increase in control self-assessments (CSAs) performed
C. A decrease in the number of security incidents
D. An increase in overall security funding
Answer: C
What should an information security manager do FIRST after a number of security gaps have been identified
that need to be resolved?
A. Develop and implement incident response strategies.
B. Consolidate overlapping controls.
D. Prioritize responses based on likelihood and impact.
Answer: D
Due to recent cyber-attacks on industry peers, an organization has decided to create a separate Internal

network to reduce the risk of similar attacks. Which of the following should the Information security manager
do FIRST?
A. Update security policies and procedures.
B. Evaluate the impact on the business functions.
C. Update the risk register to include the network separation
D. Identify resources required for implementation.
Answer: B
Which of the following is MOST important to the successful implementation of an information security
program?
A. Understanding current and emerging technologies
B. Establishing key performance indicators (KPIs)
C. Obtaining stakeholder input
D. Conducting periodic risk assessments
Answer: C
Which of the following BEST supports the alignment of information security with business functions?
A. A focus on technology security risk within business processes
B. IT management support of security assessments
C. Business management participation in security penetration tests
D. Creation of a security steering committee
Answer: C
Which of the following should an information security manager do FIRST upon learning that a data loss
prevention (DLP) scanner has identified payment card information (PCI) stored in cleartext within accounting
file shares?
A.

A. Assess the level of noncompliance.
B. Report the issue to senior management.
C. Initiate the incident response process.
D. Perform an organization-wide risk assessment.
Answer: A
Which of the following is the FIRST step when assessing risk?
A. Identifying vulnerabilities
B. Identifying assets
C. Analyzing existing threats
D. Analyzing existing controls
Answer: B
What should be the PRIMARY basis for defining the appropriate level of access control to information assets?
A. Business needs
B. Management requests
C. Audit findings
D. Compensating controls
Answer: A
Which of the following metrics is the MOST appropriate for measuring how well information security is
performing in dealing with outside attacks?
A. Number of incident detected.
B. Number of emergencies declared
C. Elapsed time to resolve incidents

D. Elapsed time to declare emergencies.
Answer: C
Which of the following would BEST demonstrate the status of an organization's information security program
to the board of directors?
A. The information security operations matrix
B. Changes to information security risks
C. Results of a recent external audit
D. Information security program metrics
Answer: C
Which of the following is MOST important to consider when determining the effectiveness of the Information
security governance program?
B. Risk tolerance levels
C. Maturity models
D. Key risk indicators (KRIs)
Answer: A
Which of the following metrics would BEST monitor how well information security requirements are
incorporated into the change management process?
A. Information security related changes
B. Unauthorized changes in the environment
C. Information security incidents caused due to unauthorized changes
D. Denied changes due to insufficient security details

Answer: C
A core business function has created a significant risk. Budget constraints do not allow for effective
remediation. Who should be accountable for selecting the appropriate risk treatment?
A. Business process owner
B. Security officer
C. Audit team
D. Senior management
Answer: A
Which of the following will MOST effectively minimize the chance of inadvertent disclosure of confidential
information?
A. Restricting the use of removable media
B. Applying data classification rules
C. Following the principle of least privilege
D. Enforcing penalties for security policy violations
Answer: C
Which of the following activities should be performed by someone other than the system administrator to
ensure a secure audit trail?
A. Maintaining logs of privileged users
B. Managing user provisioning and access control
C. Reviewing system utilization logs
D. Reviewing data backups and restoration
Answer: A

Which of the following is the BEST way to determine if an information security program aligns with corporate
governance?
A. Evaluate funding for security initiatives.
B. Review the balanced scorecard.
C. Survey end users about corporate governance.
D. Review information security policies.
Answer: B
The FIRST step in a risk assessment for a business application is to:
A. identify the threats to the application
B. identify the vulnerabilities of the application
C. rank the threats to the application
D. identify the assets used by the application.
Answer: D
Which of the following should be an information security manager's PRIMARY consideration when
developing an incident response plan?
A. The organization's risk tolerance and appetite
B. The organization's external communications plan
C. Skills and competencies of the help desk
D. Incident response plan testing methods and frequency
Answer: D
An awareness program is implemented to mitigate the risk of infections introduced through the use of social
media Which of the following will BEST determine the effectiveness of the awareness program''

A. Employee attendance rate at the awareness program
B. A simulated social engineering attack
C. A post-awareness program survey
D. A quiz based on the awareness program materials
Answer: B
What should be the FIRST step when developing an asset management program?
A. Create a configuration management database
B. Encrypt assets containing sensitive data.
C. Classify assets according to risk.
D. Create an asset inventory.
Answer: D
Which of the following is MOST important in the development of metrics for the effectiveness of information
security?
A. Using clearly defined objectives
B. Using quantitative measurement
C. Using qualitative risk assessment results
D. Using standard reporting tools
Answer: A
Which of the following is the MOST reliable way to ensure network security incidents are Identified as soon
as possible'
A. Tram help desk staff to identify and prioritize security incidents
B. Conduct workshops and training sessions with end users.

C. Install stateful inspection firewalls
D. Collect and correlate IT Infrastructure event logs
Answer: D
Who within an organization is accountable for ensuring incident notification and escalation processes are in
place?
A. Data owner
B. Senior management
C. Information security manager
D. Security operations center management
Answer: B
Which of the following BEST indicates the value a purchased information security solution brings to an
organization?
A. Cost savings the solution brings to the information security department
B. Degree to which the solution matures the information security program
C. Costs and benefits of the solution calculated over time
D. Alignment to security threats and risks
Answer: D
When outsourcing sensitive data to a cloud service provider, which of the following should be the information
security manager's MOST important.....
A. Data stored at the cloud service provider is not co-hosted.
B. The cloud service provider contract includes right to audit.
C. Access authorization includes biometric security verification.
D.

D. Roles and responsibilities have been defined for the service provider.
Answer: B
Which of the following is MOST important lo track for determining the effectiveness of an information
security program?
A. Return on investment (ROl)
B. Key performance indicators (KPls)
C. Service level agreements (SLAs)
D. Key risk indicators (KRIs)
Answer: B
Which of the following would be MOST useful in a report to senior management for evaluating changes in the
organization's information security risk position?
A. Trend analysis
B. Industry benchmarks
C. Management action plan
D. Risk register
Answer: A
Which of the following is MOST important for the effectiveness of an incident response function?
A. Automated modem tracking and reporting tools
B. Enterprise security management system and forensic tools
C. Training of all users on when and how to report
D. Establishing prior contacts with law enforcement
Answer: C

Which of the following service offerings in a typical Infrastructure as a Service (IaaS) model will BEST
enable a cloud service provider to assist customers when recovering from a security incident?
A. Availability of current infrastructure documentation
B. Capability to take a snapshot of virtual machines
C. Availability of web application firewall logs
D. Capability of online virtual machine analysis
Answer: D
A newly appointed Information security manager finds mere is minimal interaction between departments in
identifying ...risk due to the organization's current decentralized structure What is the managers BEST course
of action?
A. Modify the current practices within the governance framework.
B. identify appropriate risk management training for relevant staff in the departments
C. Propose the creation of a consolidated organizational risk register to track risk
D. Recommend consolidating all risk management activities under a central authority.
Answer: D
The BEST way to ensure information security efforts and initiatives continue to support corporate strategy is
by:
A. including the CIO in the information security steering committee.
B. conducting benchmarking with industry best practices.
C. including information security metrics in the organizational metrics.
D. performing periodic internal audits of the information security program
Answer: C

Which of the following is MOST likely to occur following a security awareness campaign''
A. An increase in the number of viruses detected in incoming email
B. An increase in reported social engineering attempts
C. A decrease in number of account lockouts
D. A decrease in user-reported false positive incidents
Answer: D
Which of the following is the MOST important delivery outcome of information security governance?
A. Strategic alignment
B. Data classification
D. Asset protection
Answer: A
Several identified risks have been mitigated to an acceptable level with appropriate controls Which of the
following activities would BEST help to maintain acceptable risk levels?
A. Frequent assessments of inherent risks
B. Periodic reviews of changes to the environment
C. Periodic cost-benefit analyses of the implemented controls
D. Frequent assessments of risks action plans
Answer: B
Senior management has allocated funding to each of the organization s divisions to address information
security vulnerabilities The funding is based on each division's technology budget from the previous fiscal
year. Which of the following should be of GREATEST concern to the information security manager?
A. Redundant controls may be implemented across divisions.

B. Information security governance could be decentralized by division.
C. Areas of highest risk may not be adequately prioritized for treatment.
D. Return on investment may be inconsistently reported to senior management
Answer: C
The MOST important objective of security awareness training for business staff is to:
A. modify behavior
B. understand intrusion methods
C. reduce negative audit findings
D. increase compliance.
Answer: A
An organization is considering a self-service solution for the deployment of virtualized development servers.
Which of the following should be information security manager's PRIMARY concern?
A. Ability to maintain server security baseline
B. Generation of excessive security event logs
C. Segregation of servers from the production environment
D. Ability to remain current with patches
Answer: A
An online trading company discovers that a network attack has penetrated the firewall What should be the
information security manager's FIRST response?
A. Implement mitigating controls
B. Examine firewall logs to identity the attacker
C. Notify the regulatory agency of the incident
D.

D. Evaluate the impact to the business.
Answer: B
Which of the following is the MOST effective way for an information security manager to protect the
organization from misuse of social media?
A. Deliver regular social media awareness training to all employees.
B. Hire a social media manager to control content delivered via social media.
C. Restrict the use of social media on corporate networks and devices
D. Scan social media platforms for company references
Answer: D
The use of digital signatures ensures that a message:
A. sender obtains acknowledgment of delivery
B. remains available during transmission
C. is not intercepted during transmission
D. is not altered during transmission.
Answer: D
Web-server security can BEST be enhanced by:
A. removing unnecessary services
B. enabling logging of all events
C. disabling automatic directory listing
D. implementing host-based intrusion detection.
Answer: A

Which of the following is the BEST indicator to demonstrate whether information security investments are
optimally supporting organizational objecti.....
A. Percentage of security-related initiatives completed within budget
B. Percentage of current security resource utilization
C. Ratio of security costs to the value of assets
D. Ratio of security incidents from known risk versus unidentified risk
Answer: C
Senior management wants to provide mobile devices to its sales force. Which of the following should the
Information security manager do FIRST to support this objective?
A. Research mobile device management (MDM) solutions.
B. Assess risks introduced by the technology
C. Conduct a vulnerability assessment on the devices.
D. Develop an acceptable use policy.
Answer: B
For an organization with operations in different parts of the world, the BEST approach for ensuring that
security policies do not conflict with local laws and regulations is to:
A. refer to an external global standard to avoid any regional conflict
B. adopt uniform policies.
C. make policies at a sufficiently high level, so they are globally applicable.
D. establish a hierarchy of global and local policies.
Answer: D

Which of the following is the PRIMARY reason to include message templates for communications with
external parties in an incident response plan?
A. To ensure that messages to external parties are complete and accurate
B. To communicate efficiently and consistently
C. To eliminate reliance on a communications specialist
D. To automate communication with external parties without delay
Answer: B
Which of the following is the information security manager's PRIMARY role in the information assets
classification process?
A. Developing an asset classification model
B. Assigning the asset classification level
C. Securing assets in accordance with their classification
D. Assigning asset ownership
Answer: C
An information security manager learns of a new international standard related to information security. Which
of the following would be the BEST course of action?
A. Review industry peers responses to the new standard.
B. Consult with legal counsel on the standard's applicability to regulations
C. Determine whether the organization can benefit from adopting the new standard.
D. Perform a gap analysis between the new standard and existing practices.
Answer: D
The MAIN objective of identifying and evaluating risk at each software development life cycle (SDLC) stage
is to reduce the:

A. acceptance test time
B. development time
C. number of software security controls
D. mitigation costs.
Answer: D
Which of the following would provide the BEST justification for a new information security investment?
A. Defined key performance indicators (KPls)
B. Senior management involvement in project prioritization
C. Projected reduction in risk
D. Results of a comprehensive threat analysis
Answer: C
Which of the following is the MOST important reason for an organization to develop an information security
governance program?
A. Compliance with audit requirements
B. Creation of tactical solutions
C. Establishment of accountability
D. Monitoring of security incidents
Answer: C
Which of the following is the MOST effective way to help ensure information security programs are aligned
with business objectives?
A. Implement information security awareness campaigns for business units.

B. Include business unit representation in the information security steering committee.
C. Develop information security policies based on laws and regulations.
D. Establish and monitor information security performance metrics for the business.
Answer: B
Which of the following BEST demonstrates the effectiveness of the vulnerability management process?
A. Average time from patch release to catch installation
B. Performance of periodic internal vulnerability scans
C. Resource allocation for remediating vulnerabilities
D. Results of third-party penetration testing
Answer: A
Which of the following is the MOST effective way to incorporate risk management practices into a new
business process?
A. Conduct quality assurance reviews.
B. Review threat assessments.
C. Update company policies.
D. Enforce change management.
Answer: D
Which of the following is the BEST way to ensure that organizational security policies comply with data
security regulatory requirements?
A. Obtain annual sign-off from executive management.
B. Outsource compliance activities
C. Align the policies to the most stringent global regulations.

D. Send the policies to stakeholders for review
Answer: D
A data leakage prevention (DLP) solution has identified that several employees are sending confidential
company data to their personal email addresses in violation of company policy. The information security
manager should FIRST.
A. contact the employees involved to retake security awareness training
B. limit access to the Internet for employees involved.
C. initiate an investigation to determine the full extent of noncompliance
D. notify senior management that employees are reaching policy.
Answer: C
Which of the following is the BEST way to integrate information security into corporate governance?
A. Engage external security consultants in security initiatives.
B. Conduct comprehensive information security management training for key stakeholders.
C. Ensure information security processes are part of the existing management processes.
D. Require periodic security risk assessments be performed.
Answer: C
An incident response team has determined there is a need to isolate a system that is communicating with a
known malicious host on the Internet, following stakeholders should be contacted FIRST?
A. The business owner
B. Key customers
C. System administrator
D. Executive management
Answer: A

Information security awareness programs are MOST effective when they are:
A. customized for each target audience
B. sponsored by senior management
C. reinforced by computer-based training
D. conducted at employee orientation.
Answer: A
Noncompliance issues were identified through audit. Which of the following is the BEST approach for the
information security manager to ensure that issues are resolved in a timely manner?
A. Develop a solution independently
B. Collaborate with the business process owner to implement mitigation controls.
C. Escalate the noncompliance issues to senior management
D. Perform a risk assessment.
Answer: B
A risk assessment has been conducted following a data owner's decision to outsource an application to a cloud
provider Which of the following should be the information security manager's NEXT course of action?
A. Conduct an application vulnerability scan
B. Review the contract with the cloud provider
C. Inform senior management
D. Conduct a security assessment on the cloud provider.
Answer: D
A payroll application system accepts individual user sign-on IDs and then connects to its database using a

single application ID. The GREATEST weakness under this system architecture is that:
A. the database becomes unavailable if the password of The application ID expires.
B. an incident involving unauthorized access to data cannot be tied to a specific user
C. users can gam direct access to the application ID and circumvent data controls,
D. when multiple sessions with the same application ID collide, the database locks up
Answer: B
Which of the following BEST enables an information security manager to communicate the capability of
security program functions?
A. Security maturity assessments
B. Security architecture diagrams
C. Vulnerability scan results
D. Key risk indicators (KRls)
Answer: A
An organization wants to implement an emerging technology to support operations. What should the
information security manager do FIRST when .............. recommendation?
A. Review key risk indicators (KRIs).
B. Review existing security policies.
C. Develop a business case.
D. Assess the potential security impact.
Answer: D
Which of the following is the GREATEST benefit of a centralized approach to coordinating information
security?
A. Business user buy-in
B.

B. Optimal use of security resources
C. Reduction in the number of policies
D. Integration with business functions
Answer: B
During a post-incident review, the sequence and correlation of actions must be analyzed PRIMARILY based
on:
A. a consolidated event timeline
B. interviews with personnel.
C. logs from systems involved.
D. documents created during the incident.
Answer: C
Which of the following is MOST important to present to stakeholders to help obtain support for implementing
a new information
A. A statement of generally accepted good practices
B. An overview of competitors' information security strategies
C. The potential impact of current threats
D. An assessment of current technological exposures
Answer: C
The MOST important objective of monitoring key risk indicators (KRIs) related to information security is to:
A. minimize loss from security incidents.
B. identify change in security exposures.
C. reduce risk management costs
D.

D. meet regulatory compliance requirements.
Answer: B
Which of the following is the BEST way for an information security manager to justify ongoing annual
maintenance fees associated with an intrusion prevention system (IPS)*?
A. Provide yearly competitive pricing to illustrate the value of the IPS.
B. Establish and present appropriate metrics that track performance
C. Perform industry research annually and document the overall ranking of the IPS
D. Perform a penetration test to demonstrate the ability to protect
Answer: B
Which of the following is the BEST method to obtain senior management buy-in for an information security
investment?
A. Demonstrating the reduction in risk
B. Providing benchmark results from alternate vendors
C. Communicating the end-of-life support plan from vendor
D. Including sign-off from key stakeholders
Answer: A
Which of the following is the MAIN objective of classifying a security incident as soon as it is discovered?
A. Preserving relevant evidence
B. Engaging appropriate resources
C. Enabling appropriate incident investigation
D. Downgrading the impact of the incident
Answer: B

Which of the following is the BEST method to protect against data exposure when a mobile device is stolen?
A. Password protection
B. Insurance
C. Encryption
D. Remote wipe capability
Answer: C
An information security manager wants to document requirements detailing the minimum security controls
required for user workstations. Which of the following resources would be MOST appropriate for this
purpose?
A. Procedures
B. Guidelines
C. Standards
D. Policies
Answer: D
Which of the following presents the MOST significant challenge when classifying IT assets?
A. Disagreement between asset owners and custodians
B. Complex asset classification scheme
C. Vulnerabilities in information assets
D. Information assets without owners
Answer: D
Which is MOST important when contracting an external party to perform a penetration test?

A. Define the project scope
B. Increase the frequency of log reviews.
C. Provide network documentation.
D. Obtain approval from IT management.
Answer: D
Which of the following is the MOST important reason to consider the role of the IT service desk when
developing incident handling procedures?
A. The service desk provides a source for the identification of security incidents.
B. Service desk personnel have information on how to resolve common systems issues
C. The service desk provides information to prioritize systems recovery based on user demand
D. Untrained service desk personnel may be a cause of security incidents.
Answer: A
After a recent malware Incident an organization's IT steering committee has asked the information security
manager for a presentation on the status of the information security program. Which of the following is MOST
important to address in the presentation?
A. Measures taken to prevent the risk of a data breach
B. Disaster recovery and continuity program plans
C. Remediation schedule for patch management
D. Antivirus program and incident response plans
Answer: D
An organization is automating data protection by implementing a data loss prevention (DLP) solution. Which
of the following should the Information security manager do FIRST?
A. Perform a cost-benefit analysis.
B.

B. Define the threshold for reporting data loss
C. Define a data classification schema
D. Evaluate potential DLP solutions.
Answer: C
Which of the following methods BEST ensures that a comprehensive approach is used to direct information
security activities?
A. Establishing a steering committee
B. Molding periodic meetings with business owners
C. Creating communication channels
D. Promoting security training
Answer: A
For an organization that encourages sales activities using mobile devices, which of the following should be the
MOST important security requirement?
A. User operation logging
B. Remote wipe capabilities
C. Password logic enhancement
D. Periodic device monitoring
Answer: B
When making an outsourcing decision, which of the following functions is MOST important to retain within
the organization?
A. Security management
B. Incident response
C.

C. Risk assessment
D. Security governance
Answer: D
The PRIMARY reason for using information security metrics is to:
A. achieve senior management commitment.
B. adhere to legal and regulatory requirements
C. monitor the effectiveness of controls
D. ensure alignment with corporate requirements.
Answer: C
Which of the following is the GREATEST benefit of integrating information security program requirements
into vendor management?
A. The ability to reduce risk in the supply chain
B. The ability to meet industry compliance requirements
C. The ability to define service level agreements (SLAs)
D. The ability to improve vendor performance
Answer: A
Which of the following BEST enables new third-party suppliers to support an organization's information
security objectives?
A. Mandating a right-to-audit clause in supplier contracts
B. Requiring approval of new suppliers by the information security manager
C. Conducting security awareness training courses for third parties
D. Addressing security risk in the supplier sourcing process

Answer: D
Which of the following is MOST important to consider when developing a business continuity plan (BCP)?
A. Disaster recovery plan (DRP)
B. Business communication plan
C. Incident management requirements
Answer: D
Which of the following should provide the PRIMARY basis for formulating an information security strategy?
A. The regulatory environment
B. The information security framework
C. The business strategy
D. The IT strategy
Answer: C
A risk was identified during a risk assessment. The business process owner has chosen to accept the risk
because the cost of remediation is greater than the projected cost of a worst-case scenario. What should be the
information security manager's NEXT course of action?
A. Document and schedule a date to revisit the issue.
B. Document and escalate to senior management.
C. Shut down the business application.
D. Determine a lower-cost approach to remediation.
Answer: A

Which of the following is an organization's BEST approach for media communications when experiencing a
disaster?
A. Hold a press conference and advise the media to refer to legal authorities.
B. Defer public comment until partial recovery has been achieved.
C. Report high-level details of the losses and recovery strategy to the media.
D. Authorize a qualified representative to convey specially drafted messages.
Answer: D
An organization has identified an increased threat of external brute force attacks in its environment. Which of
the following is the MOST effective way to mitigate this risk to the organization's critical systems?
A. Increase the frequency of log monitoring and analysis.
B. Increase the sensitivity of intrusion detection systems.
C. Implement a security information and event management system (SIEM).
D. Implement multi-factor authentication (MFA).
Answer: C
Which of the following is MOST useful to an information security manager when conducting a post-incident
review of an attack?
A. Method of operation used by the attacker
B. Cost of the attack to the organization
C. Location of the attacker
D. Details from intrusion detection system (IDS) logs
Answer: D
Which of the following is a PRIMARY responsibility of an information security governance committee?
A.

A. Approving the purchase of information security technologies
B. Approving the information security awareness training strategy
C. Reviewing the information security strategy
D. Analyzing information security policy compliance reviews
Answer: C
Presenting which of the following to senior management will be MOST helpful in securing ongoing support
for the information security strategy?
A. Historical security incidents
B. Current vulnerability metrics
C. Return on security investment
D. Completed business impact analyses (BIAs)
Answer: C
Which of the following is the MOST important consideration m a bring your own device (BYOD) program to
protect company data in the event of a loss?
A. The ability to restrict unapproved applications
B. The ability to classify types of devices
C. The ability to remotely locate devices
D. The ability to centrally manage devices
Answer: D
An organizations ability to prevent a security incident In a Software as a Service (SaaS) cloud-com puling
environment is MOST dependent on the:
A. ability to implement a web application firewall.
B. ability to monitor and analyze system logs

C. configuration and sensitivity of an intrusion detection system (IDS)
D. granularity with which access rights can be configured
Answer: D
Which of the following BEST supports information security management in the event of organizational
changes in security personnel?
A. Developing an awareness program for staff
B. Ensuring current documentation of security processes
C. Formalizing a security strategy and program
D. Establishing processes within the security operations team
Answer: D
Which of the following is a benefit of using key risk indicators (KRIs)?
A. Reduction in the annual loss expectancy (ALE)
B. Determination of the residual risk value
C. Ability to analyze risk trends
D. Support for the incident response process
Answer: C
The PRIMARY reason to classify information assets should be to ensure
A. proper ownership is established
B. proper access control
C. senior management buy-in
D. Insurance valuation is appropriate.

Answer: B
An information security manager has determined that the mean time to prioritize information security
incidents has increased to an unacceptable level. Which of the following processes would BEST enable the
information security manager to address this concern?
A. Forensic analysis
B. Incident response
C. Incident classification
D. Vulnerability assessment
Answer: C
Following a highly sensitive data breach at a large company, all servers and workstations were patched. The
information security manager s NEXT step should be to:
A. inform senior management of changes in risk metrics.
B. perform an assessment to measure the current state
C. deliver security awareness training.
D. ensure baseline back-ups are performed.
Answer: B
Shortly after installation, an intrusion detection system (IDS) reports a violation. Which of the following is the
MOST likely explanation?
A. The violation is a false positive.
B. A routine IDS log file upload has occurred,
C. An intrusion has occurred-
D. A routine IDS signature file download has occurred.
Answer: A

Which of the following is MOST effective in the strategic alignment of security initiatives?
A. A security steering committee is set up within the IT deployment.
B. Key information security policy are updated on a regular basis
C. Policies are created with input from business unit managers.
D. Business leaders participate in information security decision making
Answer: C
Which of the following should be the MOST important consideration when implementing an information
security framework?
A. Compliance requirements
B. Audit findings
C. Risk appetite
D. Technical capabilities
Answer: A
An organization has decided to implement a security information and event management (SIEM) system. It is
MOST important for the organization to consider:
A. threat assessments.
B. data ownership.
C. industry best practices.
D. log sources.
Answer: D
Which of the following should be the PRIMARY basis for a severity hierarchy for information security

incident classification?
A. Root cause analysis results
B. Adverse effects on the business
C. Availability of resources
Answer: A
When is the BEST time to identify the potential regulatory risk a new service provider presents to the
organization?
A. During contract negotiations
B. During business case analysis
C. During due diligence
D. During integration planning
Answer: B
Which of the following is the BEST way for an information security manager to protect against a zero-day
attack?
A. Configure daily runs of the virus protection software.
B. Conduct vulnerability scans on a daily basis.
C. Perform a business impact analysis (BIA).
D. Implement heuristic-based monitoring tools
Answer: D
Which of the following is the MOST important security consideration when developing an incident response
strategy with a cloud provider?
A.

A. Technological capabilities
B. Escalation processes
C. Security audit reports
D. Recovery time objective (RTO)
Answer: D
The PRIMARY goal of conducting a business impact analysis (BIA) as part of an overall continuity planning
process is to:
A. document the disaster recovery process.
B. obtain the support of executive management.
C. map the business process to supporting IT and other corporate resources.
D. identify critical processes and the degree of reliance on support services.
Answer: B
Segregation of duties is a security control PRIMARILY used to:
A. limit malicious behavior.
B. decentralize operations.
C. establish dual check.
D. establish hierarchy.
Answer: A
Which of the following is the MOST appropriate party to approve an information security strategy?
A. Information security management committee
B. Chief information officer
C. Chief information security officer

D. Executive leadership team
Answer: D
Which of the following is MOST helpful to developing a comprehensive Information security strategy?
A. Performing a business impact analysts (BIA).
B. Conducting a risk assessment
C. Adopting an industry framework
D. Gathering business objectives
Answer: D
Which of the following is an information security manager's BEST course of action upon learning of new
cybersecurity regulatory requirements that apply to the organization?
A. Escalate the issue to senior management.
B. Implement the new requirements immediately.
C. Treat the new requirements as an operational issue.
D. Perform a gap analysis of the new requirements.
Answer: D
Which of the following would be the BEST way for a company to reduce the risk of data loss resulting from
employee-owned devices accessing the corporate email system?
A. Link the bring-your-own-device (BYOD) policy to the existing staff disciplinary policy.
B. Require employees to undergo training before permitting access to the corporate email service
C. Require employees to install a reputable mobile anti-virus solution on their personal devices.
D. Use a mobile device management (MDM) solution to isolate the local corporate email storage.
Answer: D

Which of the following is the GREATEST benefit of information asset classification?
A. Supporting segregation of duties
B. Defining resource ownership
C. Helping to determine the recovery point objective (RPO)
D. Providing a basis for implementing a need-to-know policy
Answer: B
The PRIMARY purpose of a periodic threat and risk assessment report to senior management is to
communicate the:
A. probability of future incidents.
B. status of the security posture.
C. risk acceptance criteria
D. cost-benefit of security controls,
Answer: B
A significant gap in an organization's breach containment process has been identified. Which of the following
is MOST important for the information security manager to consider updating?
A. Incident test plan
B. Business continuity plan (BCP)
C. Crisis management plan
D. Incident response plan
Answer: D
Which of the following should provide the PRIMARY justification to approve the implementation of a disaster
recovery (DR) site on the recommendation of an external audit report?

A. Recovery time objectives (RTOs)
D. Security controls at the DR site
Answer: B
Which of the following should be the PRIMARY objective when developing an information security strategy?
A. To reduce potential business exposure
B. To establish security metrics and performance monitoring
C. To delegate regulatory compliance activities
D. To educate business owners regarding security responsibilities
Answer: A
Which of the following is the MOST important reason to have documented security procedures and
guidelines?
A. To facilitate collection of security metrics
B. To meet regulatory compliance requirements
C. To allocate security responsibilities to staff
D. To enable standard security practices
Answer: D
An information security manager has been made aware that implementing a control would have an adverse
impact to the business. The business manager has suggested accepting the risk. The BEST course of action by
the information security manager would be to:
A. document the risk exception
B.

B. review existing technical controls.
C. recommend compensating controls
D. continue implementing the control.
Answer: C
An organization is considering moving lo a cloud service provider for the storage of sensitive data Which of
the following .... consideration FIRST?
A. Results of the cloud provider's control report
B. A destruction-of-data clause m the contract
C. Right to terminate clauses In the contract
D. Requirements for data encryption
Answer: D
A new key business application has gone to production. What is the Most important reason to classify and
determine the sensitivity of the data used by this application?
A. To determine retention requirements
B. To update the business impact analysis (BIA)
C. To ensure countermeasures are proportional to risk
D. To minimize the cost of controls.
Answer: C
Which of the following would BEST ensure that security risk assessment is integrated into the life cycle of
major IT projects?
A. Having the Information security manager participate on the project steering committees
B. Applying global security standards to the IT projects
C. Integrating the risk assessment into the internal audit program

D. Training project managers on risk assessment
Answer: B
An organization plans to acquire and implement a new web-based solution to enhance service functionality.
Which of the following is the BEST way to ensure that information handled by the solution is secure?
A. Integrate the organization's security requirements into the contract.
B. Adopt secure coding practices during the solution's development.
C. Conduct a security audit before implementing the solution in production.
D. Embed security requirements throughout the life cycle of the solution.
Answer: D
An organization's information security manager is performing a post-incident review of a security incident in

which the following events occurred:
• A bad actor broke into a business-critical FTP server by brute forcing an administrative password
• The third-party service provider hosting the server sent an automated alert message to the help desk, but was
ignored
• The bad actor could not access the administrator console, but was exposed to encrypted data transferred to
the server
• After three (3) hours, the bad actor deleted the FTP directory causing incoming FTP attempts by legitimate
customers to fail
Which of the following poses the GREATEST risk to the organization related to This event?
A. Downtime of the service
B. Potential access to the administrator console
C. Disclosure of stolen data
D. Removal of data
Answer: A

What is the MOST effective way to ensure information security incidents will be managed effectively and in a
timely manner?
A. Establish and measure key performance indicators (KPIs)
B. Test incident response procedures regularly.
C. Communicate incident response procedures to staff.
D. Obtain senior management commitment
Answer: B
Which of the following is necessary to determine what would constitute a disaster for an organization?
A. Threat probability analysis
B. Backup strategy analysis
C. Recovery strategy analysis
D. Risk analysis
Answer: D
Which of the following is MOST important to help ensure an intrusion prevention system (IPS) can view all
traffic in a demilitarized zone (DMZ)?
A. All Internal traffic is routed to the IPS.
B. Connected devices can contact the IPS.
C. The IPS is placed outside of the firewall.
D. Traffic is decrypted before processing by the IPS.
Answer: D
The MOST important reason to have a well-documented and tested incident response plan in place is to:
A.

A. outline external communications
B. promote a coordinated effort
C. facilitate the escalation process
D. standardize the chain of custody procedure.
Answer: B
Which of the following defines the MOST comprehensive set of security requirements for a newly developed
information system?
A. Baseline controls
B. Risk assessment results
C. Audit findings
D. Key risk indicators (KRls)
Answer: B
The BEST way to avoid session hijacking is to use:
A. strong password controls.
B. a reverse lookup.
C. a secure protocol.
D. a firewall
Answer: C
An organization wants to enable digital forensics for a business-critical application. Which of the following
will BEST help to support this objective?
A. Enable activity logging.
B. Define data retention criteria.

C. Install biometric access control.
D. Develop an incident response plan.
Answer: A
A business previously accepted the risk associated with a zero-day vulnerability The same vulnerability was
recently exploited in a high-profile attack on another organization m the same Industry Which of the following
should be the information security manager's FIRST course of action?
A. Reassess the risk in terms of likelihood and impact
B. Develop best and worst case scenarios
C. Report the breach of the other organization to senior management
D. Evaluate the cost of remediating the vulnerability
Answer: A
Which of the following is the GREATEST risk associated with the installation of an intrusion prevention
system (IPS)?
A. Staff may not be able to access the Internet.
B. Critical business processes may be blocked.
C. Data links can no longer be encrypted end-to-end.
D. IPS logfiles may become too large to process.
Answer: B
What should an information security manager do FIRST upon learning that the third-party provider
responsible for a mission-critical process is subcontracting critical functions to other providers?
A. Adjust the insurance policy coverage.
B. Engage an external audit of the third party.
C. Request a formal explanation from the third party.

D. Review the provider's contract
Answer: D
Following a significant change to the underlying code of an application, it is MOST important for the
information security manager to:
A. modify key risk indicators (KRIs).
B. validate the user acceptance testing (UAT).
C. inform senior management.
D. update the risk assessment.
Answer: D
A validated patch to address a new vulnerability that may affect a mission-critical server has been released.
What should be done immediately?
A. Conduct an impact analysis.
B. Check the server s security and install the patch.
C. Add mitigating controls.
D. Take the server off-line and install the patch.
Answer: A
Which of the following is the MOST important consideration when deciding whether to continue outsourcing
to a managed security service provider?
A. The business need for the function
B. The ability to meet deliverables
C. The vendor's reputation m the industry
D. The cost of the services

Answer: B
An information security program should be established PRIMARILY on the basis of:
A. the approved information security strategy.
B. the approved risk management approach.
C. data security regulatory requirements.
D. senior management input
Answer: A
Which of the following should be the MOST important consideration when reporting sensitive risk-related
information to stakeholders?
A. Customizing the communication to the audience
B. Ensuring nonrepudiation of communication
C. Transmitting the internal communication securely
D. Consulting with the public relations director
Answer: A
What should be the PRIMARY basis for prioritizing incident containment?
A. The business value of affected assets
B. Input from senior management
C. The recovery cost of affected assets
Answer: A

An attacker was able to gain access to an organizations perimeter firewall and made changes to allow wider
external access and to steal data. Which of the following would have BEST provided timely identification of
this incident?
A. Implementing a data loss prevention (DLP) suite
B. Conducting regular system administrator awareness training
C. Deploying an intrusion prevention system (IPS)
D. Deploying a security information and event management system (SIEM)
Answer: D
What is the MOST important role of an organization's data custodian in support of the information security
function?
A. Assessing data security risks to the organization
B. Applying approved security policies
C. Evaluating data security technology vendors
D. Approving access rights to departmental data
Answer: B
Which of the following should be done FIRST when considering a new security initiative?
A. Conduct a benchmarking exercise.
B. Conduct a feasibility study.
D. Develop a business case.
Answer: C
When designing security controls, it is MOST important to:

A. evaluate the costs associated with the controls.
B. apply controls to confidential information.
C. apply a risk-based approach.
D. focus on preventive controls.
Answer: A
Management has expressed concerns to the information security manager that shadow IT may be a risk to the
organization. What is the FIRST step the information security manager should take?
A. Update the security policy to address shadow IT.
B. Block the end user's ability to use shadow IT
C. Determine the extent of shadow IT usage.
D. Determine the value of shadow IT projects.
Answer: A
Which of the following should an information security manager do FIRST when a recent internal audit reveals
a security risk is more severe than previously assessed?
A. Escalate the finding to the business owner and obtain a remediation plan.
B. Update the risk register and notify the CISC
C. Validate the finding is legitimate and not a false positive.
D. Review the remainder of the internal audit report.
Answer: A
Which of the following provides the BEST indication of strategic alignment between an organization's
information security program and business objectives?
A. Security audit reports

B. A balanced scorecard
C. Key risk indicators (KRIs)
D. A business impact analysis (BIA)
Answer: B
When establishing an information security strategy, which of the following activities Is MOST helpful in
Identifying critical areas to be protected?
A. Adopting an information security framework
B. Establishing a baseline of network operations
C. Conducting a risk assessment
D. Performing vulnerability scans
Answer: C
Which of the following should be an information security manager s MOST important consideration when
conducting a physical security review of a potential outsourced data center?
A. Environmental factors of the surrounding location
B. Availability of network circuit connections
C. Distance of the data center from the corporate office
D. Proximity to law enforcement
Answer: A
The BEST way to report to the board on the effectiveness of the Information security program is to present:
A. a report of cost savings from process improvements
B. poor-group Industry benchmark.
C. a dashboard illustrating key performance metrics.
D.

D. a summary of the most recent audit findings.
Answer: A
Which of the following provides the GREATEST assurance that existing controls meet compliance
requirements?
A. Performing independent tests
B. Evaluating metrics
C. Performing a risk assessment
D. Reviewing policies
Answer: B
The effectiveness of an information security governance framework will BEST be enhanced if:
A. a culture of legal and regulatory compliance is promoted by management.
B. IS auditors are empowered to evaluate governance activities,
C. consultants review the information security governance framework
D. risk management is built into operational and strategic activities.
Answer: A
When training an incident response team, the advantage of using tabletop exercises is that they:
A. enable the team to develop effective response interactions.
B. ensure that the team can respond to any incident
C. provide the team with practical experience in responding to incidents.
D. remove the need to involve senior managers in the response process.
Answer: B

Which of the following BEST enables effective information security governance9
A. Established information security metrics
B. Security-aware corporate culture
C. Advanced security technologies
D. Periodic vulnerability assessments
Answer: B
What is the BEST way to determine the level of risk associated with information assets processed by an IT
application?
A. Evaluate the potential value of information for an attacker.
B. Review the cost of acquiring the information assets for the business.
C. Calculate the business value of the information assets.
D. Research compliance requirements associated with the information.
Answer: C
Which of the following is MOST important to include in contracts with key third-party providers?
A. Right-to-audit clauses
B. Financial penalties for breaches
C. Right-to-terminate clauses
D. Provisions to protect sensitive data
Answer: A

Which of the following BEST demonstrates that the objectives of an information security governance
framework are being met?
A. Penetration test results
B. Balanced scorecard
C. Risk dashboard
D. Key performance indicators (KPIs)
Answer: D
When monitoring the security of a web-based application, which of the following is MOST frequently
reviewed?
A. Access logs
B. Threat metrics
C. Audit reports
D. Access lists
Answer: A
Conflicting objectives are MOST likely to compromise the effectiveness of the information security process
when information security management is:
A. reporting to the network infrastructure manager.
B. outside of information technology
C. combined with the change management function.
D. partially staffed by external security consultants
Answer: B
Which of the following is the BEST indication that an organization is able to comply with information security
requirements?
A.

A. Internal audit has not identified significant information security findings
B. Maturity assessments have been performed for key business processes.
C. Senior management has approved the information security strategy.
D. Information security is included in business processes
Answer: D
During the establishment of a service level agreement (SLA) with a cloud service provider, it is MOST
important for the information security manager to:
A. understand the cloud storage architecture in use to determine security risk.
B. ensure security requirements are contractually enforceable.
C. update the security policy to reflect the provider's terms of service.
D. set up proper communication paths with the provider.
Answer: B
Which of the following factors are the MAIN reasons why large networks are vulnerable?
A. Connectivity and complexity
B. Inadequate training and user errors
C. Network operating systems and protocols
D. Hacking and malicious software
Answer: A
Which of the following should be of MOST concern to an information security manager reviewing an
organization's data classification program*?
A. The classifications do not follow Industry best practices.
B. Data retention requirements are not defined.
C.

C. The program allows exceptions to be granted.
D. Labeling is not consistent throughout the organization
Answer: D
Which of the following is a PRIMARY goal of an information security program?
A. To provide metrics to support management's assertion that information security is
an organizational objective
B. To provide the highest level of protection available to an organization's
information assets
C. To provide assurance that information security controls protect assets in
accordance with the risk
D. To provide guidance to users, managers, and IT on organizational goals and
objectives to protect data
Answer: C
What is the BEST course of action when an Information security manager finds an external service provider
has not implemented adequate controls for safeguarding the organization's critical data?
A. Initiate contract renegotiations.
B. Assess the impact of the control gap.
C. Conduct a controls audit of the provider.
D. Purchase additional insurance.
Answer: B
Which of the following should be the GREATEST concern when considering launching a counterattack in
response to a network attack?
A.

A. Incident impact escalation
B. Digital evidence contamination
C. Denial of service attacks on the external source
D. Legal ramifications
Answer: D
When scoping a risk assessment, assets need to be classified by:
A. sensitivity and criticality.
B. threats and opportunities
C. likelihood and impact
D. redundancy and recoverability.
Answer: B
The GREATEST advantage of defining multiple types of system administrator accounts with different
privileges is that it helps to ensure:
A. compliance with the acceptable use policy
B. adequate control of system administration responsibilities
C. load balancing of system administration processing activities
D. increased productivity of system administrators.
Answer: B
Which of the following will BEST ensure that possible security incidents are correctly distinguished from
typical help desk requests?
A. Reviewing the help desk log
B. Periodic training of help desk personnel
C.

C. Updating the help desk manual
D. Establishing a security incident hotline
Answer: B
The chief information security officer (ClSO) has developed an information security strategy, but is struggling
to obtain senior management commitment for funds to implement the strategy Which of the following is the
MOST likely reason?
A. The C1SO reports to the CIO.
B. The strategy does not comply with security standards
C. There was a lack of engagement with the business during development.
D. The strategy does not include a cost-benefit analysis
Answer: C
The Information security manager and senior management of a global financial institution have been notified
of a potential breach to its database containing a large volume of sensitive information Which of the following
should be done FIRST?
A. Assess the possible impact
B. Isolate the breached database.
C. Notify law enforcement
D. Implement mitigating controls.
Answer: A
Which of the following is the GREATEST benefit of integrating a security information and event management
(SIEM) solution with traditional security tools such as IDS, anti-malware. and email screening solutions?
A. The elimination of false positive detections
B. A reduction in operational costs
C. An increase in visibility into patterns of potential threats

D. The consolidation of tools into a single console
Answer: C
Which of the following is the MOST important consideration when updating procedures for managing security
devices?
A. Updates based on the organization's security framework
B. Updates based on changes in risk, technology, and process
C. Review and approval of procedures by management
D. Notification to management of the procedural changes
Answer: A
Which of the following is MOST effective against system intrusions?
A. Continuous monitoring
B. Two-factor authentication
C. Layered protection
D. Penetration testing
Answer: C
A regulatory organization sends an email to an information security manager warning of an Impending cyber
attack. What should the information security manager do FIRST?
A. Determine whether the attack is in progress.
B. Validate the authenticity of the alert.
C. Reply asking for more details.
D. Alert the network operations center
Answer: B

An outsourced vendor handles an organization's business-critical data. Which of the following is the MOST
effective way for the client organization to obtain assurance of the vendor's security practices?
A. Verifying security certifications held by the vendor
B. Reviewing the vendor's security audit reports
C. Requiring business continuity plans (BCPs) from the vendor
D. Requiring periodic independent third-party reviews
Answer: B
A risk has been formally accepted and documented. Which of the following is the MOST important action for
an information security manager?
A. Update risk tolerance levels.
B. Notify senior management and the board.
C. Monitor the environment for changes
D. Re-evaluate the organization's risk appetite
Answer: C
Which of the following is the MOST likely outcome from the implementation of a security governance
framework?
A. Increased availability of information systems
B. Compliance with international standards
C. Cost reduction of information security initiatives
D. Realized business value from information security initiatives
Answer: D

Which of the following is MOST appropriate to include in an information security policy?
A. Statements of management's intent to support the goals of information security
B. A set of information security controls to maintain regulatory compliance
C. A definition of minimum level of security that each system must meet
D. The strategy for achieving security program outcomes desired by management
Answer: A
When considering whether to adopt bring your own device (BYOD). it is MOST important for the information
security manager to ensure that
A. security controls are applied to each device when joining the network.
B. the applications are tested prior to implementation
C. users have read and signed acceptable use agreements.
D. business leaders have an understanding of security risks
Answer: A
Which of the following is the STRONGEST indication that senior management commitment to information
security is lacking within an organization?
A. Inconsistent enforcement of information security policies
B. A high level of information security risk acceptance
C. A reduction in information security investment
D. The information security manager reports to the chief risk officer
Answer: A
An information security manager is concerned about the risk of fire at its data processing center To address
this concern, an automatic fire suppression system has been installed Which of the following risk treatments
has been applied?
A.

A. Acceptance
B. Transfer
C. Mitigation
D. Avoidance
Answer: C
Which of the following is MOST important to consider when developing a business case to support the
investment In an information security program?
A. Senior management support
B. Results of a cost-benefit analysis
C. Results of a risk assessment
D. Impact on the risk profile
Answer: A
Which of the following is the MOST important reason to identify and classify the sensitivity of assets?
A. To determine the scope of the information security program
B. To allocate the information security program budget
C. To assign appropriate controls
D. To reduce the cost of protective controls
Answer: C
Which of the following is MOST helpful for aligning security operations with the IT governance framework?
A. Information security policy
B. Security risk assessment
C. Business impact analysis (B1A)

D. Security operations program
Answer: B
An organization has outsourced many application development activities to a third party that uses contract
programmers extensively. Which of the following would provide the BEST assurance that the third party's
contract programmers comply with the organization's security policies?
A. Conduct periodic vulnerability scans of the application.
B. Require annual signed agreements of adherence to security policies
C. Perform periodic security assessments of the contractors' activities.
D. Include penalties for noncompliance in the contracting agreement.
Answer: A
Who should be responsible for determining the classification of data within a database used in conjunction
with an enterprise application?
A. Data owner
B. Information security manager
C. Database architect
D. Database administrator
Answer: A
Which of the following is the MOST effective way for an Information security manager to ensure that security
is incorporated into an organization's project development processes?
A. Participate in project initiation, approval, and funding.
B. Develop good communications with the project management office
C. Integrate organization's security requirements into project management.
D.

D. Conduct security reviews during design, testing and implementation
Answer: C
Which of the following should be the PRIMARY basis for determining risk appetite?
A. Independent audit results
B. Organizational objectives
C. Industry benchmarks
D. Senior management input
Answer: D
What should be an information security manager's BEST course of action if funding for a security-related
initiative is denied by a steering committee?
A. Discuss the initiative with senior management.
B. Look for other ways to fund the initiative.
C. Provide information from industry benchmarks
D. Document the accepted risk
Answer: D
Which of the following would provide the BEST evidence to senior management that security control
performance has improved?
A. Demonstrated return on security investment
B. Reduction in inherent risk
C. Results of an emerging threat analysis
D. Review of security metrics trends
Answer: C

Which of the following is the BEST way to ensure that Incidents are Identified and reported?
A. Develop and communicate a comprehensive incident response plan.
B. Publish a punitive action policy for failure to report Incidents.
C. Implement an ongoing incident response training program for employees.
D. Implement an automated monitoring program to detect incidents.
Answer: C
In a large organization, defining recovery time objectives (RTOs) is PRIMARILY the responsibility of;
A. the information security manager.
B. the IT manager
C. senior management
D. the business unit manager.
Answer: D
Which of the following would provide the BEST input to a business case for a technical solution to address
potential system vulnerabilities?
A. Penetration test results
C. Risk assessment
D. Vulnerability scan results
Answer: B

When developing an information security strategy, the MOST important requirement is that:
A. a schedule is developed to achieve objectives.
B. critical success factors (CSFs) are developed.
C. standards capture the intent of management.
D. the desired outcome is known.
Answer: D
Which of the following is MOST important to consider when defining control objectives?
A. The current level of residual risk
B. The organization's risk appetite
C. Control recommendations from a recent audit
D. The organization's strategic objectives
Answer: A
Which of the following is the BEST evidence of an effectively designed key risk indicator (KRI)?
A. The KRI is quantitative
B. The KRI measures inherent risk.
C. The KRI predicts threats
D. The KRI incorporates risk appetite
Answer: B
Which of the following is the BEST way to reduce the risk of a ransomware attack?
A. Perform a network vulnerability assessment.
B. Authenticate inbound email and enable strong content filtering
C.

C. Perform regular backups and validate the restoration process
D. Confirm backups are not connected to the network.
Answer: C
Which of the following should cause the GREATEST concern for an information security manager reviewing
the effectiveness of an intrusion prevention system (IDS)?
A. Decrease in false positives
B. Increase in false negatives
C. Decrease in malicious packets
D. Increase in crossover error rate
Answer: B
During which process is regression testing MOST commonly used?
A. System modification
B. Program development
C. Unit testing
D. Stress testing
Answer: A
An information security manager has researched several options for handling ongoing security concerns and
will be presenting these solutions to business managers. Which of the following with BEST enable business
managers to make an informed decision?
A. Business impact analysis (BIA)
C. Risk analysis
D. Gap analysis

Answer: A
Which of the following elements of risk is MOST difficult to quantify?
A. Countermeasures
B. Asset values
C. Threats
D. vulnerabilities
Answer: C
Which of the following is the BEST option for addressing regulations that will adversely affect the allocation
of information security program resources?
A. Prioritize compliance efforts based on probability.
B. Determine compliance levels of peer organizations.
C. Conduct assessments for management decisions.
D. Delay implementation of compliance activities.
Answer: C
Which of the following is the PRIMARY benefit of implementing a maturity model for information security
management?
A. Information security strategy will be in line with industry best practice
B. Information security management costs will be optimized.
C. Gaps between current and desirable levels will be addressed.
D. Staff awareness of information security compliance will be promoted.
Answer: C

Which of the following is the MOST effective mitigation strategy to protect confident information from inside
threats?
A. Defining segregation of duties
B. Performing an entitlement review process
C. Establishing authorization controls
D. Implementing authentication mechanisms
Answer: B
While conducting a test of a business continuity plan (BCP). which of the following is the MOST important
consideration?
A. The test involves IT members in the test process
B. The test simulates actual prime-time processing conditions.
C. The test addresses the critical components
D. The test is scheduled to reduce operational impact
Answer: B
Which of the following is the FIRST step when defining and prioritizing security controls to be implemented
under an information security program?
A. Review the applicable regulations tn place and their impact to each business function
B. Understand the company's risk appetite and its alignment with the information security strategy
C. Interview function owners across the company to determine the best plan of action.
D. Review recent information security incidents to determine organizational focus areas and priorities
Answer: A

A hash algorithm is used to:
A. encrypt sensitive data files
B. verify the integrity of data files
C. verify the validity of the data in an email message
D. provide data confidentiality.
Answer: B
Which of the following would MOST likely require a business continuity plan to be invoked?
A. An unauthorized visitor discovered in the data center
B. A distributed denial of service attack on an email server
C. An epidemic preventing staff from performing job functions
D. A hacker holding personally identifiable information hostage
Answer: C
Which of the following is MOST critical when creating an incident response plan?
A. Aligning with the risk assessment process
B. Documenting incident notification and escalation processes
C. identifying what constitutes an incident
D. identifying vulnerable data assets
Answer: B
An information security manager finds that corporate information has been stored on a public cloud storage
site for business collaboration purposes. Which of the following should be the manager's FIRST action?
A. Update service level agreements (SLAs).
B.

B. Assign a data classification label.
C. Implement a data encryption strategy.
D. Determine the risk to the data.
Answer: D
Information security can BEST be enforced by making security:
A. a business process owner activity.
B. an integral component of corporate policies.
C. a part of each employee's Job objectives.
D. a flexible system of procedures and guidelines.
Answer: C
Which of the following is the MOST effective method of preventing deliberate internal security breaches?
A. Well-designed firewall system
B. Biometric security access control
C. Screening prospective employees
D. Well-designed intrusion detection system (IDS)
Answer: C
A risk management program will be MOST effective when:
A. business units are involved in risk assessments,
B. risk assessments are conducted by a third party.
C. risk appetite is sustained for a long period risk
D. assessments are repeated periodically

Answer: A
The BEST way for an information security manager to understand the critically of an online application is to
perform a
A. threat assessment
B. business process analysis
C. business impact analysis (BlA)
D. vulnerability assessment
Answer: C
Risk identification, analysis, and mitigation activities can BCST be integrated into business life cycle
processes by linking them to:
A. continuity planning
B. compliance testing
C. configuration management.
D. change management
Answer: D
During a review to approve a penetration test plan, which of the following should be an information security
manager’s PRIMARY concern?
A. Penetration test team’s deviation from scope
B. Unauthorized access to administrative utilities
C. False positive alarms to operations staff
D. Impact on production systems
Answer: D

Which of the following provides the BEST evidence that a control is being applied effectively?
A. Key risk indicators (KUIs)
B. Key performance indicators (KPIs)
D. Number of incidents reported
Answer: B
When developing an incident response plan, the information security manager should:
A. allow IT to decide which systems can be removed from the infrastructure.
B. require IT to invoke the business continuity plan (BCP).
C. include response scenarios that have been approved previously by business management.
D. determine recovery time objectives (RTOs).
Answer: C
An Information security risk analysis BEST assists an organization in ensuring that;
A. cost-effective decisions are made with regard to which assets need protection
B. the infrastructure has the appropriate level of access control
C. an appropriate level of funding is applied to security processes
D. the organization implements appropriate security technologies
Answer: A
An organization has remediated a security flaw in a system. Which of the following should be done NEXT?

A. Update the system's documentation
B. Allocate budget for penetration testing
C. Share lessons learned with the organization
D. Assess the residual risk.
Answer: A
An organization recently implemented a data loss prevention (DLP) system. A senior business executive has
complained that the system seriously impedes departmental effectiveness. What is the information security
manager's BEST course of action?
A. Request risk acceptance.
B. Review alternative controls.
C. Perform a risk assessment.
D. Change the DLP system.
Answer: B
An organization plans to process marketing data using a Software as a Service (SaaS) application via the
Internet To mitigate the associated risk, what is the information security manager's MOST important course of
action?
A. Include service level agreements (SLAs) in the contract
B. Evaluate the application functionality
C. Include right to audit in the contract
D. Conduct a vendor security assessment
Answer: C
The PRIMARY objective of periodically testing an incident response plan should be to:
A. improve internal processes and procedures,
B. harden the technical infrastructure.
C.

C. improve employee awareness of the incident response process,
D. highlight the importance of incident response and recovery.
Answer: D
An organization is developing a disaster recovery plan (DRP) for a data center that hosts multiple applications
The application recovery sequence would BEST be determined through an analysis of:
A. key performance indicators (KPls).
B. recovery time objectives (RTOs)
C. the data classification scheme.
D. recovery point objectives (RPOs)
Answer: B
What should an Information security manager do FIRST to ensure an organization's security policies remain
relevant for a cloud adoption?
A. Conduct a gap analysis
B. Include policy updates in the change control process.
C. Notify senior management of potential exposure.
D. Implement a cloud security policy.
Answer: A
An organization is planning to create a website that will collect site-visitor details from around the world and
use them as marketing lists for operations in several countries. Which of the following should be of MOST
concern to the information security manager?
A. Legislation regarding marketing in foreign countries
B. Privacy laws in each of the countries using the details for marketing
C. Using cryptography for transborder data flow
D.

D. Wording of the website's policy statement on how the details will be used
Answer: B
Which of the following is the BEST indicator that an organization is appropriately managing risk?
A. The number of events reported from the intrusion detection system (IDS) has declined.
B. Risk assessment results are within tolerance
C. A penetration test does not identify any high-risk system vulnerabilities
D. The number of security incident events reported by staff has increased
Answer: B
An information security manager has been tasked with implementing a security awareness training program
Which of this ..... have the MOST influence on the effectiveness of this program?
A. Basing the training program on industry best practices
B. Obtaining buy-in from end users
C. Tailoring the training to the organization's environment
D. Obtaining buy-in from senior management
Answer: C
Which of the following BEST supports effective information security governance"*
A. A steering committee is established
B. A baseline risk assessment is performed.
C. Compliance with regulations is demonstrated.
D. The information security manager develops the strategy
Answer: A

To meet operational business needs. IT staff bypassed the change process and applied an unauthorized update
to a critical business system Which of the following is the information security manager's BEST course of
action?
A. Assess the security risks introduced by the change.
B. Consult with supervisors of IT staff regarding disciplinary action
C. Update the system configuration item to reflect the change
D. Instruct IT staff to revert the unauthorized update
Answer: A
Which of the following is MOST relevant for an information security manager to communicate to IT
operations?
A. Vulnerability assessments
B. The level of exposure
C. The level of inherent risk
D. Threat assessments
Answer: A
Which of the following messages would be MOST effective in obtaining senior management's commitment to
information security management?
A. Security supports and protects the business.
B. Adopt a recognized framework with metrics.
C. Security is a business product and not a process.
D. Effective security eliminates risk to the business.
Answer: C

When developing an escalation process for an incident response plan, the information security manager should
PRIMARILY consider the:
A. affected stakeholders
B. media coverage
C. incident response team
D. availability of technical resources.
Answer: A
Which activity is MOST important when identifying the appropriate security controls for a new business
application?
A. Interviewing senior management
B. Conducting a risk assessment
C. Assigning data classification to assets
D. Performing a business impact analysts (BIA)
Answer: B
To integrate security into system development fie cycle (SDLC) processes, an organization MUST ensure that
security.
A. Roles and responsibly have been defined
B. Is a prerequisite for complete of major phases
C. Is a represented on the configuration control board.
D. Performance metrics have been met.
Answer: B
When a security weakness is detected at facilities provided by an IT service provider, which of the following

tasks must the information security manager perform FIRST?
A. Advise the service provider of countermeasures.
B. Assess compliance with the service provider's security policy.
C. Reiterate the relevant security policy and standards
D. Confirm the service providers contractual obligations.
Answer: D
The PRIMARY advantage of challenge-response authentication over password authentication is that:
A. it is less expensive to implement.
B. there is no requirement for end-to-end encryption.
C. user accounts are less likely to be compromised.
D. credentials sent across the network are encrypted.
Answer: C
Which of the following is MOST important for an information security manager to ensure when evaluating
change requests?
A. Residual risk is within risk tolerance.
B. Requests are approved by process owners.
C. Contingency plans have been created.
D. Requests add value to the business.
Answer: A
Which of the following is the BEST way to define responsibility for information security throughout an
organization?
A. Policies
B.

B. Standards
C. Guidelines
D. Training
Answer: A
A corporate web site has become compromised as a result of a malicious attack. Which of the following
should the information security manager do FIRST?
A. Contain the incident.
B. Perform a root cause analysis.
C. Restore the system from backup.
D. Escalate the incident to senior management.
Answer: A
Which of the following will BEST enable the identification of appropriate controls to prevent repeated
occurrences of similar types of information………..
A. Review existing preventive controls for security weaknesses.
B. Perform a root cause analysis of the security incidents.
C. Review lessons learned with key stakeholders.
D. Perform a business impact analysis (BIA) of the security incidents.
Answer: B
Risk scenarios simplify the risk assessment process by:
A. reducing the need for subsequent risk evaluation.
B. covering the full range of possible risk.
C. ensuring business risk is mitigated.

D. focusing on important and relevant risk.
Answer: C
The PRIMARY reason for defining the information security roles and responsibilities of staff throughout an
organization is to:
A. reinforce the need for training.
B. comply with security policy.
C. increase corporate accountability
D. enforce individual accountability.
Answer: D

About dumpscollection.com
dumpscollection.com was founded in 2007. We provide latest & high quality IT / Business Certification Training
Exam Questions, Study Guides, Practice Tests.
We help you pass any IT / Business Certification Exams with 100% Pass Guaranteed or Full Refund. Especially
Cisco, CompTIA, Citrix, EMC, HP, Oracle, VMware, Juniper, Check Point, LPI, Nortel, EXIN and so on.
View list of all certification exams: All vendors
We prepare state-of-the art practice tests for certification exams. You can reach us at any of the email addresses listed
below.
Sales: sales@dumpscollection.com
Feedback: feedback@dumpscollection.com
Support: support@dumpscollection.com
Skype ID: crack4sure@gmail.com
Any problems about IT certification or our products, You can write us back and we will get back to you within 24
hours.
15% Discount Coupon Code:

DC15disc

Isaca CISM

Uploaded by

Copyright:

Available Formats

You might also like

Isaca CISM

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Isaca CISM

Uploaded by

Copyright:

Available Formats

Isaca

Web: www.dumpscollection.com [ Total Questions: 1136]

Exam Topic Breakdown

Success Guaranteed, 100% Valid 1 of 368

Topic 1, Exam Pool A

B. Information security budget

C. Key risk indicators (KRls)

D. Information security strategy

Question #:2 - (Exam Topic 1)

A. Access is restricted to read-only.

B. USB storage devices are enabled based on user roles

C. Users accept the risk of noncompliance.

D. The benefit is greater than the potential risk

Question #:3 - (Exam Topic 1)

A. prioritize risk management activities.

B. provide a basis for asset classification.

C. determine the value of each asset

D. eliminate the least significant assets.

Success Guaranteed, 100% Valid 2 of 368

Question #:4 - (Exam Topic 1)

A. assign accountability for transactions made with the user's ID.

B. maintain compliance with industry best practices.

C. serve as evidence of security awareness training.

D. maintain an accurate record of users access rights

Question #:5 - (Exam Topic 1)

A. Physical security control

C. Technical security controls

D. Logical access control

Question #:6 - (Exam Topic 1)

A. Mature security policy

B. Information security roles and responsibilities

C. Organizational information security awareness

Question #:7 - (Exam Topic 1)

Success Guaranteed, 100% Valid 3 of 368

A. Change the password policy to improve the customer experience

B. Reach alternative secure of identify verification

C. Recommended implementing two-factor authentication.

D. Evaluate the impact of the customer’s experience on business revenue.

Question #:8 - (Exam Topic 1)

A. Criticality of the service to the organization

B. Compliance requirements associated with the regulation

C. Compensating controls in place to protect information security

D. Corresponding breaches associated with each vendor

Question #:9 - (Exam Topic 1)

A. Implement real-time monitoring of security-related events.

B. Encourage staff to report any suspicious activities.

C. Implement an acceptable use policy.

D. Provide incident management training to all start.

Question #:10 - (Exam Topic 1)

Success Guaranteed, 100% Valid 4 of 368

A. has a clearly defined charier and meeting protocols.

B. includes a mix of members from all levels of management.

C. conducts frequent reviews of the security policy.

D. has established relationships with external professionals.

Question #:11 - (Exam Topic 1)

Question #:12 - (Exam Topic 1)

B. Implementing a security balanced scorecard