712-50 Exam Questions - Online Test



Online 712-50 free questions and answers of New Version:

NEW QUESTION 1
Which of the following Intellectual Property components is focused on maintaining brand recognition?

  • A. Trademark
  • B. Patent
  • C. Research Logs
  • D. Copyright

Answer: A

NEW QUESTION 2
Acceptable levels of information security risk tolerance in an organization should be determined by?

  • A. Corporate legal counsel
  • B. CISO with reference to the company goals
  • C. CEO and board of directors
  • D. Corporate compliance committee

Answer: C

NEW QUESTION 3
Scenario: Your organization employs single sign-on (user name and password only) as a convenience to your employees to access organizational systems and data. Permission to individual systems and databases is vetted and approved through supervisors and data owners to ensure that only approved personnel can use particular applications or retrieve information. All employees have access to their own human resource information, including the ability to change their bank routing and account information and other personal details through the Employee Self-Service application. All employees have access to the organizational VPN.
Once supervisors and data owners have approved requests, information system administrators will implement

  • A. Technical control(s)
  • B. Management control(s)
  • C. Policy control(s)
  • D. Operational control(s)

Answer: A

NEW QUESTION 4
Risk appetite is typically determined by which of the following organizational functions?

  • A. Security
  • B. Business units
  • C. Board of Directors
  • D. Audit and compliance

Answer: B

NEW QUESTION 5
After a risk assessment is performed, a particular risk is considered to have the potential of costing the organization 1.2 Million USD. This is an example of

  • A. Risk Tolerance
  • B. Qualitative risk analysis
  • C. Risk Appetite
  • D. Quantitative risk analysis

Answer: D

NEW QUESTION 6
When considering using a vendor to help support your security devices remotely, what is the BEST choice for allowing access?

  • A. Vendor uses their own laptop and logs in with the same admin credentials your security team uses
  • B. Vendor uses a company-supplied laptop and logs in using two-factor authentication with the same admin credentials your security team uses
  • C. Vendor uses a company-supplied laptop and logs in using two-factor authentication with their own unique credentials
  • D. Vendor uses their own laptop and logs in using two-factor authentication with their own unique credentials

Answer: C

NEW QUESTION 7
You have a system with 2 identified risks. You determine the probability of one risk occurring is higher than the

  • A. Controlled mitigation effort
  • B. Risk impact comparison
  • C. Relative likelihood of event
  • D. Comparative threat analysis

Answer: C

NEW QUESTION 8
When dealing with Security Incident Response procedures, which of the following steps comes FIRST when reacting to an incident?

  • A. Escalation
  • B. Recovery
  • C. Eradication
  • D. Containment

Answer: D

NEW QUESTION 9
Which of the following functions MUST your Information Security Governance program include for formal organizational reporting?

  • A. Audit and Legal
  • B. Budget and Compliance
  • C. Human Resources and Budget
  • D. Legal and Human Resources

Answer: A

NEW QUESTION 10
Which of the following methodologies references the recommended industry standard that information security project managers should follow?

  • A. The Security Systems Development Life Cycle
  • B. The Security Project And Management Methodology
  • C. Project Management System Methodology
  • D. Project Management Body of Knowledge

Answer: D

NEW QUESTION 11
SCENARIO: A Chief Information Security Officer (CISO) recently had a third party conduct an audit of the security program. Internal policies and international standards were used as audit baselines. The audit report was presented to the CISO and a variety of high, medium and low rated gaps were identified.
The CISO has validated audit findings, determined if compensating controls exist, and started initial remediation planning. Which of the following is the MOST logical next step?

  • A. Validate the effectiveness of current controls
  • B. Create detailed remediation funding and staffing plans
  • C. Report the audit findings and remediation status to business stakeholders
  • D. Review security procedures to determine if they need to be modified according to findings

Answer: C

NEW QUESTION 12
Who in the organization determines access to information?

  • A. Legal department
  • B. Compliance officer
  • C. Data Owner
  • D. Information security officer

Answer: C

NEW QUESTION 13
What two methods are used to assess risk impact?

  • A. Cost and annual rate of expectance
  • B. Subjective and Objective
  • C. Qualitative and percent of loss realized
  • D. Quantitative and qualitative

Answer: D

NEW QUESTION 14
Scenario: Your company has many encrypted telecommunications links for their world-wide operations. Physically distributing symmetric keys to all locations has proven to be administratively burdensome, but symmetric keys are preferred to other alternatives.
How can you reduce the administrative burden of distributing symmetric keys for your employer?

  • A. Use asymmetric encryption for the automated distribution of the symmetric key
  • B. Use a self-generated key on both ends to eliminate the need for distribution
  • C. Use certificate authority to distribute private keys
  • D. Symmetrically encrypt the key and then use asymmetric encryption to unencrypt it

Answer: A

NEW QUESTION 15
You have just been hired as the new CISO and are being briefed on all the Information Security projects that your section has ongoing. You discover that most projects are behind schedule and over budget.
Using the best business practices for project management, you determine that the project correctly aligns with the company goals. What needs to be verified FIRST?

  • A. Scope of the project
  • B. Training of the personnel on the project
  • C. Timeline of the project milestones
  • D. Vendor for the project

Answer: A

NEW QUESTION 16
With respect to the audit management process, management response serves what function?

  • A. Placing underperforming units on notice for failing to meet standards
  • B. Determining whether or not resources will be allocated to remediate a finding
  • C. Adding controls to ensure that proper oversight is achieved by management
  • D. Revealing the “root cause” of the process failure and mitigating for all internal and external units

Answer: B

NEW QUESTION 17
Which of the following is the MAIN reason to follow a formal risk management process in an organization that hosts and uses privately identifiable information (PII) as part of their business models and processes?

  • A. Need to comply with breach disclosure laws
  • B. Need to transfer the risk associated with hosting PII data
  • C. Need to better understand the risk associated with using PII data
  • D. Fiduciary responsibility to safeguard credit card information

Answer: C

NEW QUESTION 18
The mean time to patch, number of virus outbreaks prevented, and number of vulnerabilities mitigated are examples of what type of performance metrics?

  • A. Risk metrics
  • B. Management metrics
  • C. Operational metrics
  • D. Compliance metrics

Answer: C

Explanation: Topic 3, Management – Projects and Operations (Projects, Technology & Operations)
