712-50 Exam Questions - Online Test



Free demo questions for EC-Council 712-50 Exam Dumps Below:

NEW QUESTION 1
An example of professional unethical behavior is:

  • A. Gaining access to an affiliated employee’s work email account as part of an officially sanctioned internal investigation
  • B. Sharing copyrighted material with other members of a professional organization where all members have legitimate access to the material
  • C. Copying documents from an employer’s server which you assert that you have an intellectual property claim to possess, but the company disputes
  • D. Storing client lists and other sensitive corporate internal documents on a removable thumb drive

Answer: C

NEW QUESTION 2
Which of the following is of MOST importance when security leaders of an organization are required to align security to influence the culture of an organization?

  • A. Possesses a strong technical background
  • B. Understands all regulations affecting the organization
  • C. Understands the business goals of the organization
  • D. Possesses a strong auditing background

Answer: C

NEW QUESTION 3
The risk found after a control has been fully implemented is called:

  • A. Residual Risk
  • B. Total Risk
  • C. Post implementation risk
  • D. Transferred risk

Answer: A

NEW QUESTION 4
Which of the following best describes the purpose of the International Organization for Standardization (ISO) 27002 standard?

  • A. To give information security management recommendations to those who are responsible for initiating, implementing, or maintaining security in their organization.
  • B. To provide a common basis for developing organizational security standards
  • C. To provide effective security management practice and to provide confidence in inter-organizational dealings
  • D. To establish guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization

Answer: D

NEW QUESTION 5
Which of the following statements about Encapsulating Security Payload (ESP) is true?

  • A. It is an IPSec protocol.
  • B. It is a text-based communication protocol.
  • C. It uses TCP port 22 as the default port and operates at the application layer.
  • D. It uses UDP port 22

Answer: A
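The point behind the answer is that ESP is carried directly inside IP (IANA protocol number 50, RFC 4303), so it has no TCP or UDP port and is a binary, not text-based, format. The following added example, which is not from the original page or from EC-Council, builds a constructed IPv4 packet carrying an ESP header, parses the SPI and sequence number out of it, and applies the sliding anti-replay window that an ESP receiver keeps on those sequence numbers. The function and class names (`build_ipv4_esp_packet`, `parse_esp`, `AntiReplayWindow`) and the 10.0.0.x addresses are assumptions made for the demo; the payload bytes stand in for ciphertext and are not a real encrypted datagram.

```python
"""Added example (not part of the original page): ESP lives at the IP layer.

A constructed IPv4 packet is built with protocol number 50 (ESP), its ESP
header is parsed, and a RFC 4303-style sliding anti-replay window is applied
to the sequence numbers. Nothing here is decrypted: the ESP trailer (pad
length, next header) and ICV sit inside the protected part of the packet.
"""
import struct

ESP_PROTOCOL_NUMBER = 50  # IANA IP protocol number for ESP (RFC 4303)


def build_ipv4_esp_packet(spi, seq, payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Return a minimal IPv4 packet (no options) whose next protocol is ESP.

    Constructed demo data: the header checksum is left at zero and `payload`
    stands in for the encrypted portion of the ESP packet.
    """
    esp = struct.pack("!II", spi, seq) + payload          # SPI, sequence number
    total_len = 20 + len(esp)
    ver_ihl = (4 << 4) | 5                                 # IPv4, 5 x 32-bit words
    ip_hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, 0, 0,
                         64, ESP_PROTOCOL_NUMBER, 0, src, dst)
    return ip_hdr + esp


def parse_esp(packet):
    """Return (spi, seq, protected_bytes) if the IPv4 packet carries ESP, else None."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl = packet[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if packet[9] != ESP_PROTOCOL_NUMBER:                   # byte 9 is the protocol field
        return None                                        # TCP, UDP, AH, ... but not ESP
    esp = packet[ihl:]
    if len(esp) < 8:
        raise ValueError("truncated ESP header")
    spi, seq = struct.unpack("!II", esp[:8])
    return spi, seq, esp[8:]


class AntiReplayWindow:
    """Sliding-window replay check on ESP sequence numbers (RFC 4303 section 3.4.3).

    Bit i of `bitmap` is set when sequence number (highest - i) has been accepted.
    """

    def __init__(self, size=64):
        self.size = size
        self.highest = 0
        self.bitmap = 0

    def check_and_update(self, seq):
        """Accept `seq` and record it, or reject it as a replay or as too old."""
        if seq == 0:                                       # first valid ESP sequence number is 1
            return False
        if seq > self.highest:                             # advance the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:                              # fell off the left edge of the window
            return False
        if self.bitmap & (1 << diff):                      # already seen: replay
            return False
        self.bitmap |= 1 << diff                           # late but new: accept once
        return True


if __name__ == "__main__":
    pkt = build_ipv4_esp_packet(spi=0x1234, seq=7, payload=b"ciphertext")
    print(parse_esp(pkt))
    window = AntiReplayWindow()
    print([window.check_and_update(s) for s in (5, 3, 3, 7, 5)])
```

A receiver that honours the window accepts 5, 3 and 7 but rejects the second 3 and the second 5; that sequence number, not any port, is what distinguishes one ESP packet from the next on the same SPI.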

NEW QUESTION 6
Scenario: Your company has many encrypted telecommunications links for its worldwide operations. Physically distributing symmetric keys to all locations has proven to be administratively burdensome, but symmetric keys are preferred to other alternatives.
Symmetric encryption in general is preferable to asymmetric encryption when:

  • A. The number of unique communication links is large
  • B. The volume of data being transmitted is small
  • C. The speed of the encryption / deciphering process is essential
  • D. The distance to the end node is farthest away

Answer: C

NEW QUESTION 7
As the CISO for your company you are accountable for the protection of information resources commensurate with:

  • A. Customer demand
  • B. Cost and time to replace
  • C. Insurability tables
  • D. Risk of exposure

Answer: D

NEW QUESTION 8
File Integrity Monitoring (FIM) is considered a

  • A. Network-based security preventive control
  • B. Software segmentation control
  • C. Security detective control
  • D. User segmentation control

Answer: C
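FIM is detective because it can only report that a file's content, size or permissions differ from a previously recorded baseline; it does not stop the write. The added example below, which is not from the original page or from any FIM product, is a minimal monitor of that kind: it records SHA-256 digests, sizes and permission bits for every regular file under a directory, then diffs a later snapshot against the baseline. The function names (`baseline`, `compare`, `run_demo`), the file names and the temporary directory scenario are assumptions constructed for the demo.

```python
"""Added example (not part of the original page): a minimal file-integrity monitor.

It takes a baseline of a directory tree (SHA-256, size, permission bits per
regular file) and later reports additions, removals and modifications. It
reports after the fact and blocks nothing, which is why FIM is a detective
control rather than a preventive one.
"""
import hashlib
import os
import shutil
import tempfile


def _digest(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def baseline(root):
    """Map relative path -> (sha256, size, mode bits) for regular files under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):          # follow nothing; symlinks are not content
                continue
            st = os.stat(full)
            rel = os.path.relpath(full, root)
            snap[rel] = (_digest(full), st.st_size, st.st_mode & 0o7777)
    return snap


def compare(old, new):
    """Return what changed between two snapshots; a permission change counts as modified."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def run_demo():
    """Constructed scenario in a temporary directory: baseline, tamper, compare."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    try:
        os.makedirs(os.path.join(root, "bin"))
        seed = {
            "app.conf": b"debug=false\n",
            "old.log": b"entry\n",
            "run.sh": b"#!/bin/sh\necho hello\n",
            os.path.join("bin", "tool"): b"\x7fELF constructed placeholder",
        }
        for rel, data in seed.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        before = baseline(root)

        # Changes a FIM should catch: edit, delete, add, chmod.
        with open(os.path.join(root, "app.conf"), "wb") as f:
            f.write(b"debug=true\n")
        os.remove(os.path.join(root, "old.log"))
        with open(os.path.join(root, "new.sh"), "wb") as f:
            f.write(b"#!/bin/sh\necho added\n")
        os.chmod(os.path.join(root, "run.sh"), 0o755)   # content unchanged, mode changed

        return compare(before, baseline(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(run_demo())
```

The untouched `bin/tool` appears in no list, while `run.sh` is flagged even though its bytes did not change, because the baseline records permission bits alongside the digest. Note that the monitor reports only when it is run; in production the same logic is scheduled or driven by file-system events, and a tampered file has already been tampered with by the time the report appears.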

NEW QUESTION 9
How often should an environment be monitored for cyber threats, risks, and exposures?

  • A. Weekly
  • B. Monthly
  • C. Quarterly
  • D. Daily

Answer: D

NEW QUESTION 10
SCENARIO: A CISO has several two-factor authentication systems under review and selects the one that is most sufficient and least costly. The implementation project planning is completed and the teams are ready to implement the solution. The CISO then discovers that the product is not as scalable as originally thought and will not fit the organization’s needs.
The CISO discovers the scalability issue will only impact a small number of network segments. What is the next logical step to ensure the proper application of risk management methodology within the two-factor implementation project?

  • A. Create new use cases for operational use of the solution
  • B. Determine if sufficient mitigating controls can be applied
  • C. Decide to accept the risk on behalf of the impacted business units
  • D. Report the deficiency to the audit team and create process exceptions

Answer: B

NEW QUESTION 11
Knowing the potential financial loss an organization is willing to suffer if a system fails is a determination of which of the following?

  • A. Cost benefit
  • B. Risk appetite
  • C. Business continuity
  • D. Likelihood of impact

Answer: B

NEW QUESTION 12
IT control objectives are useful to IT auditors as they provide the basis for understanding the:

  • A. Desired results or purpose of implementing specific control procedures.
  • B. The audit control checklist.
  • C. Techniques for securing information.
  • D. Security policy

Answer: A

NEW QUESTION 13
Which of the following international standards can be BEST used to define a Risk Management process in an organization?

  • A. National Institute of Standards and Technology 800-50 (NIST 800-50)
  • B. International Organization for Standardization – 27005 (ISO 27005)
  • C. Payment Card Industry Data Security Standard (PCI DSS)
  • D. International Organization for Standardization – 27004 (ISO 27004)

Answer: B

NEW QUESTION 14
Scenario: You are the newly hired Chief Information Security Officer for a company that has not previously had a senior level security practitioner. The company lacks a defined security policy and framework for their Information Security Program. Your new boss, the Chief Financial Officer, has asked you to draft an outline of a security policy and recommend an industry/sector neutral information security control framework for implementation.
Which of the following industry / sector neutral information security control frameworks should you recommend for implementation?

  • A. National Institute of Standards and Technology (NIST) Special Publication 800-53
  • B. Payment Card Industry Data Security Standard (PCI DSS)
  • C. International Organization for Standardization – ISO 27001/2
  • D. British Standard 7799 (BS7799)

Answer: C

NEW QUESTION 15
Which of the following provides an audit framework?

  • A. Control Objectives for IT (COBIT)
  • B. Payment Card Industry-Data Security Standard (PCI-DSS)
  • C. International Organization for Standardization (ISO) 27002
  • D. National Institute of Standards and Technology (NIST) SP 800-30

Answer: A

NEW QUESTION 16
Creating a secondary authentication process for network access would be an example of?

  • A. Nonlinearities in physical security performance metrics
  • B. Defense in depth
  • C. System hardening and patching requirements
  • D. Anti-virus for mobile devices

Answer: B (a second, independent authentication step adds another layer of control, which is what defense in depth means; it is not a physical-security metric)

NEW QUESTION 17
The total cost of security controls should:

  • A. Be equal to the value of the information resource being protected
  • B. Be greater than the value of the information resource being protected
  • C. Be less than the value of the information resource being protected
  • D. Should not matter, as long as the information resource is protected

Answer: C

NEW QUESTION 18
Which of the following is the MAIN security concern for public cloud computing?

  • A. Unable to control physical access to the servers
  • B. Unable to track log on activity
  • C. Unable to run anti-virus scans
  • D. Unable to patch systems as needed

Answer: A
