712-50 Exam Questions - Online Test



EC-Council 712-50 Free Dumps Questions Online, Read and Test Now.

NEW QUESTION 1
Which of the following has the GREATEST impact on the implementation of an information security governance model?

  • A. Organizational budget
  • B. Distance between physical locations
  • C. Number of employees
  • D. Complexity of organizational structure

Answer: D

NEW QUESTION 2
What is the term describing the act of inspecting all real-time Internet traffic (i.e., packets) traversing a major Internet backbone without introducing any apparent latency?

  • A. Traffic Analysis
  • B. Deep-packet inspection
  • C. Packet sampling
  • D. Heuristic analysis

Answer: B

NEW QUESTION 3
When dealing with risk, the information security practitioner may choose to:

  • A. assign
  • B. transfer
  • C. acknowledge
  • D. defer

Answer: C

NEW QUESTION 4
A recent audit has identified a few control exceptions and is recommending the implementation of technology and processes to address the finding. Which of the following is the MOST likely reason for the organization to reject the implementation of the recommended technology and processes?

  • A. The auditors have not followed proper auditing processes
  • B. The CIO of the organization disagrees with the finding
  • C. The risk tolerance of the organization permits this risk
  • D. The organization has purchased cyber insurance

Answer: C

NEW QUESTION 5
Which International Organization for Standardization (ISO) standard below BEST describes the performance of risk management and includes a five-stage risk management methodology?

  • A. ISO 27001
  • B. ISO 27002
  • C. ISO 27004
  • D. ISO 27005

Answer: D

NEW QUESTION 6
Which of the following is a benefit of a risk-based approach to audit planning?

  • A. Resources are allocated to the areas of the highest concern
  • B. Scheduling may be performed months in advance
  • C. Budgets are more likely to be met by the IT audit staff
  • D. Staff will be exposed to a variety of technologies

Answer: A

NEW QUESTION 7
Your incident response plan should include which of the following?

  • A. Procedures for litigation
  • B. Procedures for reclamation
  • C. Procedures for classification
  • D. Procedures for charge-back

Answer: C

NEW QUESTION 8
Creating a secondary authentication process for network access would be an example of?

  • A. An administrator with too much time on their hands
  • B. Putting undue time commitment on the system administrator
  • C. Supporting the concept of layered security
  • D. Network segmentation

Answer: C

NEW QUESTION 9
The effectiveness of an audit is measured by?

  • A. The number of actionable items in the recommendations
  • B. How it exposes the risk tolerance of the company
  • C. How the recommendations directly support the goals of the company
  • D. The number of security controls the company has in use

Answer: C

NEW QUESTION 10
Your company has limited resources to spend on security initiatives. The Chief Financial Officer asks you to prioritize the protection of information resources based on their value to the company. It is essential that you be able to communicate in language that your fellow executives will understand. You should:

  • A. Create timelines for mitigation
  • B. Develop a cost-benefit analysis
  • C. Calculate annual loss expectancy
  • D. Create a detailed technical executive summary

Answer: B

NEW QUESTION 11
Which of the following represents the BEST method of ensuring security program alignment to business needs?

  • A. Create a comprehensive security awareness program and provide success metrics to business units
  • B. Create security consortiums, such as strategic security planning groups, that include business unit participation
  • C. Ensure security implementations include business unit testing and functional validation prior to production rollout
  • D. Ensure the organization has strong executive-level security representation through clear sponsorship or the creation of a CISO role

Answer: B

NEW QUESTION 12
Which of the following is considered a project versus a managed process?

  • A. monitoring external and internal environment during incident response
  • B. ongoing risk assessments of routine operations
  • C. continuous vulnerability assessment and vulnerability repair
  • D. installation of a new firewall system

Answer: D

NEW QUESTION 13
Scenario: Your program is developed around minimizing risk to information by focusing on people, technology, and operations.
You have decided to deal with risk to information from people first. How can you minimize risk to your most sensitive information before granting access?

  • A. Conduct background checks on individuals before hiring them
  • B. Develop an Information Security Awareness program
  • C. Monitor employee browsing and surfing habits
  • D. Set your firewall permissions aggressively and monitor logs regularly

Answer: A

NEW QUESTION 14
The ultimate goal of an IT security project is:

  • A. Increase stock value
  • B. Complete security
  • C. Support business requirements
  • D. Implement information security policies

Answer: C

NEW QUESTION 15
Which of the following is considered one of the most frequent failures in project management?

  • A. Overly restrictive management
  • B. Excessive personnel on project
  • C. Failure to meet project deadlines
  • D. Insufficient resources

Answer: C

NEW QUESTION 16
Scenario: An organization has recently appointed a CISO. This is a new role in the organization, and it signals the increasing need to address security consistently at the enterprise level. This new CISO, while confident with skills and experience, is constantly on the defensive and is unable to advance the IT security-centric agenda.
From an Information Security Leadership perspective, which of the following is a MAJOR concern about the CISO’s approach to security?

  • A. Lack of risk management process
  • B. Lack of sponsorship from executive management
  • C. IT security-centric agenda
  • D. Compliance-centric agenda

Answer: C

NEW QUESTION 17
Scenario: You are the CISO and have just completed your first risk assessment for your organization. You find many risks with no security controls, and some risks with inadequate controls. You assign work to your staff to create or adjust existing security controls to ensure they are adequate for risk mitigation needs.
You have identified potential solutions for all of your risks that do not have security controls. What is the NEXT step?

  • A. Get approval from the board of directors
  • B. Screen potential vendor solutions
  • C. Verify that the cost of mitigation is less than the risk
  • D. Create risk metrics for all unmitigated risks

Answer: C

NEW QUESTION 18
Annual Loss Expectancy is derived from the function of which two factors?

  • A. Annual Rate of Occurrence and Asset Value
  • B. Single Loss Expectancy and Exposure Factor
  • C. Safeguard Value and Annual Rate of Occurrence
  • D. Annual Rate of Occurrence and Single Loss Expectancy

Answer: D
