712-50 Exam Questions - Online Test


NEW QUESTION 1
When an organization claims it is secure because it is PCI-DSS certified, what is a good first question to ask towards assessing the effectiveness of their security program?

  • A. How many credit card records are stored?
  • B. How many servers do you have?
  • C. What is the scope of the certification?
  • D. What is the value of the assets at risk?

Answer: C

NEW QUESTION 2
In which of the following cases, would an organization be more prone to risk acceptance vs. risk mitigation?

  • A. The organization uses an exclusively quantitative process to measure risk
  • B. The organization uses an exclusively qualitative process to measure risk
  • C. The organization’s risk tolerance is high
  • D. The organization’s risk tolerance is low

Answer: C

NEW QUESTION 3
Which of the following is the MOST important component of any change management process?

  • A. Scheduling
  • B. Back-out procedures
  • C. Outage planning
  • D. Management approval

Answer: D

NEW QUESTION 4
When selecting a security solution with recurring maintenance costs after the first year (choose the BEST answer):

  • A. The CISO should cut other essential programs to ensure the new solution’s continued use
  • B. Communicate future operating costs to the CIO/CFO and seek commitment from them to ensure the new solution’s continued use
  • C. Defer selection until the market improves and cash flow is positive
  • D. Implement the solution and ask for the increased operating cost budget when it is time

Answer: B

NEW QUESTION 5
A Security Operations Centre (SOC) manager is informed that a database containing highly sensitive corporate strategy information is under attack. Information has been stolen and the database server was disconnected. Who must be informed of this incident?

  • A. Internal audit
  • B. The data owner
  • C. All executive staff
  • D. Government regulators

Answer: B

NEW QUESTION 6
A global retail organization is looking to implement a consistent Disaster Recovery and Business Continuity Process across all of its business units. Which of the following standards and guidelines can BEST address this organization’s need?

  • A. International Organization for Standardization 22301 (ISO 22301)
  • B. Information Technology Infrastructure Library (ITIL)
  • C. Payment Card Industry Data Security Standard (PCI-DSS)
  • D. International Organization for Standardization 27005 (ISO 27005)

Answer: A

NEW QUESTION 7
According to ISO 27001, of the steps for establishing an Information Security Governance program listed below, which comes first?

  • A. Identify threats, risks, impacts and vulnerabilities
  • B. Decide how to manage risk
  • C. Define the budget of the Information Security Management System
  • D. Define Information Security Policy

Answer: D

NEW QUESTION 8
A CISO implements smart cards for credential management, and as a result has reduced costs associated with help desk operations supporting password resets. This demonstrates which of the following principles?

  • A. Security alignment to business goals
  • B. Regulatory compliance effectiveness
  • C. Increased security program presence
  • D. Proper organizational policy enforcement

Answer: A

NEW QUESTION 9
What is the BEST reason for having a formal request for proposal process?

  • A. Creates a timeline for purchasing and budgeting
  • B. Allows small companies to compete with larger companies
  • C. Clearly identifies risks and benefits before funding is spent
  • D. Informs suppliers a company is going to make a purchase

Answer: C

NEW QUESTION 10
An organization licenses and uses personal information for business operations, and a server containing that information has been compromised. What kind of law would require notifying the owner or licensee of this incident?

  • A. Data breach disclosure
  • B. Consumer right disclosure
  • C. Security incident disclosure
  • D. Special circumstance disclosure

Answer: A

NEW QUESTION 11
In an effort to save your company money, which of the following methods of training results in the lowest cost for the organization?

  • A. Distance learning/Web seminars
  • B. Formal Class
  • C. One-on-one training
  • D. Self-study (non-computerized)

Answer: D

NEW QUESTION 12
Scenario: An organization has made a decision to address Information Security formally and consistently by adopting established best practices and industry standards. The organization is a small retail merchant but it is expected to grow to a global customer base of many millions of customers in just a few years.
Which of the following frameworks and standards will BEST fit the organization as a baseline for their security program?

  • A. NIST and Privacy Regulations
  • B. ISO 27000 and Payment Card Industry Data Security Standard (PCI-DSS)
  • C. NIST and data breach notification laws
  • D. ISO 27000 and Human resources best practices

Answer: B

NEW QUESTION 13
Which of the following is considered the foundation for the Enterprise Information Security Architecture (EISA)?

  • A. Security regulations
  • B. Asset classification
  • C. Information security policy
  • D. Data classification

Answer: C

NEW QUESTION 14
SCENARIO: A Chief Information Security Officer (CISO) recently had a third party conduct an audit of the security program. Internal policies and international standards were used as audit baselines. The audit report was presented to the CISO and a variety of high, medium and low rated gaps were identified.
After determining the audit findings are accurate, which of the following is the MOST logical next activity?

  • A. Begin initial gap remediation analyses
  • B. Review the security organization’s charter
  • C. Validate gaps with the Information Technology team
  • D. Create a briefing of the findings for executive management

Answer: A

NEW QUESTION 15
Quantitative Risk Assessments have the following advantages over qualitative risk assessments:

  • A. They are objective and can express risk / cost in real numbers
  • B. They are subjective and can be completed more quickly
  • C. They are objective and express risk / cost in approximates
  • D. They are subjective and can express risk /cost in real numbers

Answer: A

NEW QUESTION 16
Which of the following represents the best method of ensuring business unit alignment with security program requirements?

  • A. Provide clear communication of security requirements throughout the organization
  • B. Demonstrate executive support with written mandates for security policy adherence
  • C. Create collaborative risk management approaches within the organization
  • D. Perform increased audits of security processes and procedures

Answer: C

NEW QUESTION 17
Scenario: Your organization employs single sign-on (user name and password only) as a convenience to your employees to access organizational systems and data. Permission to individual systems and databases is vetted and approved through supervisors and data owners to ensure that only approved personnel can use particular applications or retrieve information. All employees have access to their own human resource information, including the ability to change their bank routing and account information and other personal details through the Employee Self-Service application. All employees have access to the organizational VPN.
Recently, members of your organization have been targeted through a number of sophisticated phishing attempts and have compromised their system credentials. What action can you take to prevent the misuse of compromised credentials to change bank account information from outside your organization while still allowing employees to manage their bank information?

  • A. Turn off VPN access for users originating from outside the country
  • B. Enable monitoring on the VPN for suspicious activity
  • C. Force a change of all passwords
  • D. Block access to the Employee Self-Service application via VPN

Answer: D

NEW QUESTION 18
What is the BEST way to achieve on-going compliance monitoring in an organization?

  • A. Only check compliance right before the auditors are scheduled to arrive onsite
  • B. Outsource compliance to a 3rd party vendor and let them manage the program
  • C. Have Compliance and Information Security partner to correct issues as they arise
  • D. Have Compliance direct Information Security to fix issues after the auditors report

Answer: C
