How to Get CISM Certified?

1. Wh e n d eveloping s e curity processes for handling credit card data on the business unit ’ s information system, the information s e curity manager should FIRS T :

2. W h at is the MAIN r e ason f o r an o rganization to develop an incident response pla n ? A. T rigger immediate rec o very proced u res.

B. Identify training r e qui r emen t s for t h e incident response te a m. C. Prioritize treatment ba s ed on incid e nt criticalit y .

D. Provide a process for noti f ying stak e holders of the inciden t .

3. The M AIN consideration when d esigning an i ncident escalation plan should be ens u ring that: A. appropria t e stakeholders are involved

B. informati o n assets are class i fied

C. requirem e nts c o ver forensic analysis D. high-imp a ct risks have been id e ntified

4. Which of the following groups wou l d be in the BEST pos i tion to perform a risk analysis for a business?

5. An org a nization is e n tering into an agreem e nt with a new b usiness partner to cond u ct customer mailings.

What is the MOST important action t h at the information security manager n eeds to perf o rm? A. A due diligence security review of the business partner's se c urity controls

B. E n s uring that the business partner has an e f f e ctive business continuity p r ogram

C. Ensuring that the third party is contractually obligated to all relevant security requireme n ts D. T alking to other clients of the business partner to check references for performance

6. The impact of losing frame relay n etwork connectivity for 1 8-24 ho u rs should be cal c ulated using the: A. hourly billing rate charged by the carrie r .

B. v alue of t h e data transmitted over t he network.

C. aggr e gate compensation of a ll a f f e cted business users. D. financial l osses i n curred by a f fect e d business units.

7. Which of the following is MO S T important to the success of an informati o n security program? A. S e c urity' awa r eness training

B. Achievable goals and objectives

C. Senior managem e nt sponsorship

D. Adequate start-up bu d get and sta f fing

8. Which of the following practic e s is BEST to remove system a ccess for contractors and other temporary users when it is no longer re quire d ?

9. A new system has b een developed that does not comply w ith p assword-aging r ules. This noncompliance can BEST be id e ntified through:

10. Which of the following is t he BEST defense aga i nst a brute f o rce attack? A. Discretionary access control

B. Intruder detection lockout

C. T ime-of- d ay restrictions

D. Mandato r y access control

11. Risk assessment shou l d be cond u cted on a c o ntinuing bas i s b ecause: A. controls chan g e on a continuing bas is

B. the number of hacking incidents is increasing

C. manage m ent should be updated ab out changes in risk

D. factors t h at a f fect info r mation security change

12. Which of the following is the MOST important driver when d e veloping an e f fective inf o rmation security strategy?

13. Which of the following device s , when placed in a demilitarized zone (D M Z), wou l d be considered a significant exposure?

14. Which of the following would be MOST helpful when justifying the funding requ i red for a compensating control?

15. Which of the following is t he BEST approach w h en using sen s itive customer data dur in g the testing phase of a systems de v elopment proj e ct?

16. An org a nization ’ s m a rketing depa r tment wants to use an onl i ne collabor a tion servi c e which is not in compliance with the information s e curity poli c y . A r i sk a sse s s m e nt is performed, and risk acceptance is being p u rsu e d. Approval o f risk acceptance shou l d be provid e d b y:

17. Which of the following measu r es would be MOST e f fective a g a inst insider threats to confidential information?

18. Which of the following is the PRIMA R Y role of a data cust o dian? A. V alidating information

B. Processi n g information C. Classifyi n g information D. Securing information

19. What is the BEST course of acti o n when an information security mana g er finds an external service provider has not implemented ade q ua t e controls for safeguardi n g the organi z ation ’ s critic a l data?

20. Followi n g a significa n t change to the un d erlying code of an application, it is MOST i m portant for the information security manager to:

21. Access control to a s ensitive intranet application by mobi l e users can BEST be implemented through: A. data encryption.

B. digital si g natures. C. strong passwords.

D. two-factor authentication.

22. Wh e n security policies are strictly enforced, the initial impact is that: A. they may have to be modified more frequ e ntl y .

B. they will b e less subject to challenge. C. the total c ost of s e curi t y i s increased.

D. the need for compliance reviews is decreased.

23. The PRIMA R Y focus of the change control process is to ensure that changes are: A. authorized.

B. applied.

C. documented. D. tested.

24. W h en i mplementing a new risk a ssessment methodol o g y , which of the following is the MOST

important r e quirem e nt?

25. Which of the following is the M O ST important element to e n sure the succe s s of a disaster recovery test at a ve n dor - provided hot site?

26. A core b usiness unit relies on an e f fective legacy system that does not meet the current security standards a n d threatens the enter p rise network.

Which of the following is the BEST course of acti o n to address the situation? A. Document the deficiencies in the risk registe r .

B. Disconnect the lega c y system from the rest of t h e network.

C. Require t hat new systems that can meet the s t andards be imp l emented. D. Develop p rocesses to compen s ate for the deficiencies.

27. The G R E A TEST benefit of choosing a private cloud over a public cloud would be: A. server pr o tection.

B. collection of data fore ns ics. C. online servi c e availabilit y .

D. containment of customer data.

28. Information security manag e rs should use risk assessment t e chniques to: A. justify selection of risk mitigation strategies.

B. maximize the return on investment (ROD.

C. provide documentation f o r auditors and regu l at o rs. D. quantify risks that would otherwise be subjectiv e .

29. Data owners are normally responsible for which of the foll o wing? A. Applying emergency changes to ap p lication data

B. Administering security over databa s e records

C. Migrating application code chan g es to production

D. Determining the level of application security required

30. Which of the following devices could potentially stop a Structured Q u ery Lang u age ( S QL) injection attack?

31. Which of the following situat i ons would MOST i n hibit the e f f e c tive implementa t ion of security govern a nce?

32. Which of the following vulnerabilities presents t h e GRE A TE S T risk of e xt e rnal hackers gaining access to the corporate network?

33. In a well-controlled environment, which of the following a c tivities is MO S T like l y to lead to the introduction of weaknesses in security software?

34. Which of the following is gene r ally used to ensure that in f ormation transmitted o v er t he Internet is authentic and actually tr a nsmitted by the named s e nde r ?

35. R evie w ing which of the follow i ng would p r ovide the GRE A TE S T input to the asset classification process?

36. Which of the following would be MOST e f f e c t iv e in succ e ss f ully implem e nting restrictive password policies?

37. Which of the following is the BEST way to determine if an information security progr a m aligns with corporate gov ernance?

38. Within a security governance framework, which of the fol l o w ing is the MOST important characteristic of the information security committe e ? The committee:

39. When performing a quantitati v e risk analysis, which of the following is MOST important to es t i m ate the potential loss?

40. The PRIMA R Y benefit of performing an infor m ation asset cla s sif i cation i s to: A. link s e curity requirem e n t s to busin e ss objectives.

B. identify c o ntrols co m mensurate to risk. C. define access rights.

D. establish own e rship.

41. Which of the following is the BEST app r oach to mitigate online brute-for c e attacks on user accounts? A. P a sswords stored in encrypted form

B. User awareness

C. Strong passwords that are chang e d periodically

D. Implementation of lo ck -out policies

42. In implementing infor m ation security governance, the information security manager is PRIMARI L Y

responsible for:

43. Which of the following are the essential ingredients of a b usiness impact analysis (B 1 A)? A. Downtime tolerance, r esources and criticality

B. Cost of business outages in a year as a factor of the secur i ty bud g et

C. Business continuity t e sting method o logy being d eployed

D. Structure of the crisis management team

44. During an incident, which of t he following ent i ties would MOST likely b e conta c ted directly by an org a nization ' s incident r e s ponse team without management a pp ro v al?

45. Which of the following is the MOST important consideration i n a bring yo u r own device (BYOD)

pro g ram to protect company data in t h e event of a loss? A. The ability to remotely l ocate devices

B. The ability to centrally manage devices

C. The ability to restrict u n approved applications D. The ability to cl a ss i fy types of devices

46. Which of the following wou l d BEST just i fy spending for a c o mpensating control? A. Threat analysis

B. Risk analysis

C. Peer benchmarking D. V ulnerability analysis

47. Which of the following is the MOST e f fective w a y to communicate information security risk to senior managem e nt?

48. Which of the following is MO S T likely to be inc l uded in an enterprise information security poli c y? A. S e c urity monitoring strategy

B. Audit trail review re q ui r ements

C. Password composition requirem e nts D. Consequ e nces of noncompliance

49. Wh e n e stablishing an informati o n security govern a nce framework, it i s MOST important for an information security manager to und ers tand:

50. An org a nization has implemented an en h anced password policy for business applications which requi r es significantly mo r e business unit resource to support clients. The BEST approa c h to obtain the support of b us iness unit mana g ement would be to:

51. Which of the following is MO S T important to consider when developi n g a business case to support the investm e nt in an infor m ation security program?

52. Which of the following would be MOST useful i n a report to senior management for evaluating changes in the or g anization ’ s information security r isk positi o n?

53. Which of the following is the BEST method for ensuring that security procedu r es and g uidelines are known and u nderstoo d ?

54. Wh e n a pplication-level security c o ntrolled by business process owners is found to be poorly managed, which of the f o llowing could BEST improve current pra c tices?

55. Which of the following is a benefit of information security governance? A. Reduction of the potential f o r c i vil or legal liability

B. Questioning trust in v e ndor re l atio ns hips

C. Increasing the risk of deci s ions based on incomplete manage m ent info r mation D. Direct involvement of senior man a gement in d e veloping co n tr o l processes

56. Which of the following is the MAIN objective in contracting with an extern a l company to perform penet r ation testing?

57. The PRIMA R Y objective of security awareness is to: A. ensure that securi t y p olicies are understood.

B. influence emp l oyee b e havio r .

C. ensure legal and r e gu l atory compliance D. notify of a ctions for noncompliance.

58. Relation s hips among security t ec h nologies are BEST defin e d through wh ich of the followin g ? A. S e c urity metrics

B. Network topology

C. Security architecture

D. Process im p rovement models

59. A newly hired inform a tion security manag e r reviewing an ex i sting security inve s tment plan is MOST

likely to be concern e d w h en the plan:

60. Which of the following is the MOST usable deliverable of an information security ri s k a nalysis? A. B u s iness impact analysis (BIA) report

B. Li s t of act i on ite m s to mitigate risk

C. Assignm e nt of ri s ks to process owners D. Quantification of organ i zational risk

61. Which of the following actions s hould be tak e n wh e n an o nline tradi n g c ompany discovers a network attack in progress?

62. Which of the following is MOST helpful to management in determining wheth e r risks are within an org a nization ’ s tolerance level?

63. Senior management commitment a n d support for information sec u rity can BEST be obtained through presentatio n s that:

64. What is the BEST defense against a Structured Query Language (SQ L ) injection attack? A. Regularly updat e d signature files

B. A properly configured firewall C. An intrusion detection system D. Stri c t controls on input fields

65. Which of the following provides the linkage to ensure that procedures are correctly aligned with information security policy requirem e nts?

66. Which of the following is MO S T likely to reduce the e f fect i v e ness of a si g nature - bas e d intrusion detection system (IDS)?

67. Which of the following is MOST d i f f icult to achieve in a p u blic cloud-computing enviro n ment? A. Cost red u ction

B. P a y per use

C. On-dem a nd provisioning

D. Ability to a udit

68. Which of the following is the GRE A TEST benefit of integrating a security information a nd event managem e nt (SIEM) solution with traditional security tools such as IDs, anti-m a lware, and email screening solutions?

69. In a business impact analysis, the value of an information system should be based on the overall cost:

70. An ex e cutive's personal mobile device used for business pur p oses is report e d lost. The information security manager shou l d respond bas e d on:

71. The likelihood of a successf u l attack is a function of: A. i n centive and capability of t h e intruder

B. opportunity and asset value

C. threat and vu l nerability levels

D. value and desirability to the intruder

72. Which of the following should be the PRIMA R Y input when de f ining the desired state of security within an or g anization?

73. An o rg anization experienc e d a breach w hich was succ e ssful l y contained a n d re m ediated. Based o n industry regulations, the b reach needs to be communicated externall y .

What should the information security manag e r do NEXT?

74. W h at is the PRIMA R Y goal o f an incident management p ro gra m ? A. Mini m ize i mpact to the organization.

B. Contain the incident. C. Identify root cause.

D. Communicate to external entities.

75. An info r mation security manager i s assisting in the develo p ment of the r equest for p r oposal (RF P ) for a new outs o urced service. This will require the thi r d party to have access to critical business information. The security manag e r should focus P R IMARI L Y on defining:

76. T o ensu r e app r opria t e control of information p rocessed in I T systems, security s a feguards should be based PRIMARI L Y on:

77. A busin e ss case for investme n t in an information security m anagem e nt infrastructu r e MUST include: A. evidence that the proposed infrastructure is certified.

B. specifics on the sec u rity applicatio n s needed.











C. data management methods current l y in use.

D. impact of noncomplia nc e with applicable standards.

78. Which of the following is t he BEST approach to identify noncompliance issues wi t h legal, regulator y , and contractual requ i re m ents?

79. Which of the following is the BEST way to sustain employee interest in information a w are n ess in a n org a nization?

80. During the initiation phase of the system deve l opment life cycle (SDLC) for a software project, information security ac t ivities should address:

81. In order t o highlight to management, the importance of integrating inform a tion sec u rity in the business processes, a newly hired information security o f fic e r should F I RS T :

82. What is the MOST important c onsideration w h e n establishing metrics for reporting to t he information security strategy committee?

83. Which of the following techn i ques MOST clearly indicates whether specific risk-reduction controls should be implemente d ?

84. Which of the following function is the MOST cr i tical when initiating the removal of system access for terminated e mployees?

85. After undertaking a security assessment of a p r oduction sy s tem, the information security manager i s

MOST l i k ely to:

86. A risk has been formally accepted and do c um e nted.

Which of the following is the MOST i m portant action for an inf o rmation security manage r ? A. Update risk tolerance levels.

B. Notify senior manage m ent and the b oard. C. Monitor the environment for changes.

D. Re-evalu a te the organ i zation ’ s risk appetite.

87. Which of the following would be the information security m a nag e r ’ s BEST course of a ction to gain











app r oval for investment in a technical control? A. Perform a cost-benefit analysis.

B. Conduct a risk assessment.

C. Calculate the exposure facto r .

D. Conduct a business i m pact analysis (BIA).

88. Which of the following i s the MOST important information to include in a st r ategic plan for informati o n security?

89. How w ou l d an information security manag e r ba l ance the poten t ially conflicting requir e ments of an internatio n al org a nization ' s s e curity st a nda r ds and local regu l at i on?

90. An info r mation security m anager has recently been n otified of potential security r isks associated with a third-p a rty service provide r .

What should be do n e NEXT to address this conce r n? A. Conduct a risk analysis

B. E scalate t o the chief r i sk o f f i cer

C. Conduct a vulnerability analysis

D. Determine compen s ating controls

91. Which of the following is the BEST method to ensure that d ata owners take responsibility for implementing information security processes?

92. What wo u ld a security manag e r PRIMARI L Y utilize when pr o posing the implementation of a security solution?

93. An account with full a dministrative privileges over a pro d uction file is found to be accessible by a member of the software development team. Th i s a ccount was s et u p to allow the devel o per to down l oad nonsensitive pro d uction data for soft w are testing purposes. The information security manager shou l d recommend which of the following?

94. Which of the following would BEST help to identify vulnerabil i ties introduced by changes to an org a nization ’ s technical infrastructure?

95. The chi e f information secur i ty o f ficer (CISO) h a s developed an informati o n security st r ateg y , but is struggling to obtain senior management commitment for funds to implement the strateg y .

Which of the following is t he MOST likely reason?

96. The M AIN reason for an inf o r m ation security manager to mo n itor ind u stry le v el ch a nges in the business and IT is t o :

97. The PRIMA R Y purpose of aligning information security with c orporate g overnance o bjectives is to: A. build capabilities to im p rove security processes.

B. consistently manage significant areas of risk. C. identify an organizatio n ’ s tolerance for risk.

D. re-align roles and responsibilities.

98. Which of the following BEST descr i bes the sco p e of risk analys i s? A. K e y financial systems

B. Organizational activiti e s

C. Key syst e ms and infrastructure

D. S y s tems s ubject to r e gulatory compliance

99. An org a nization shares cust o mer information ac ross its globally dispersed branches.

Which of the following sh o uld be the GRE A TEST concern to information security manag e ment? A. Cross-cultural di f ferences between branches

B. Conflicting data pro t e c tion regulati o ns C. Insecure wide area networks ( W A N s) D. Decentralization of inf o rmation security

100. The ad v antage of V irtual Priv a te Network (VPN) tunneli n g f o r remote users is that it : A. helps ensure that communications are secure.

B. increases security be t w een multi-tier systems.

C. allows passwords to b e changed l e ss frequentl y . D. eliminates the need for secondary authentication.

101. Which of the following is t he BEST approach for an informa t ion security manag e r w h en developi n g new informa t ion security policies?

102. The M O ST important reason for formally documenting security proced u res is to ensure: A. processes are rep e at a ble and sustainable.

B. alignment with business objectives. C. auditability by regulatory agencies.

D. objective c riteria for t h e application of metrics.

103. The imp l ementation o f a c apacity plan wou l d p revent:

104. An inf o rmation security manager learns users of an application are fre q uently using emerg e ncy elevated access privileges to process transactions.

Which of the following s h o uld be do n e FIRST?

105. An info r mation security manager r eviewing fir e wall rules w i ll be MOST concern e d if the firewall allows:

106. Which of the following are the MOST important individuals t o include as members of an informati o n security s te e ring commit t ee?

107. When conducting a post-incident revie w , the GRE A TEST benefit of collecting mean time to resolution (MTTR) da t a is the ability t o :

108. Which of the following is t he PRIMA R Y purpose of conducti n g a business impact a n alysis (BIA)? A. Identifying risk mitigati o n options

B. Identifying critical busi n ess processes

C. Identifying key business risks

D. Identifying the threat environment

109. T o dete r mine the selection o f co n trols required to meet bu s iness objectives, an information security manag e r should:

110. A global financial inst i tution has decided not to take any further action on a denial of service (DoS)

risk found by the risk assessment te a m. The MOST like l y reason they made this de c ision is that: A. there are su f f i c ient s a f eguards in place to p revent this ri s k f r om happ e ni n g.

B. the needed counterm e asure is too complicated to deplo y .

C. the cost o f countermeasure outweighs the value of the asset and potential loss. D. The likeli h ood of the risk occurring is unknown.

111. An info r mation security manager i s asked to provide evide nc e that the o r ganization is fulfilling its legal obligat i on to protect pe r sonally identifiable information (PII).

Which of the following w o uld be MOST helpful for this purpose? A. Metr i cs related to p rog r am e f fectiv e ness

B. W ritten policies and standa r ds

C. Priva c y a wareness training

D. Risk ass e ssments of p rivacy-related applicatio n s

112. Which of the following should be the information security m a nag e r ’ s NEXT step following senior management approval of the infor m ation security st r ategy?

113. The valuation of IT a ssets should be performed by: A. an IT security manag e r .

B. an indep e ndent secu r ity consultant. C. the chief financial o f fic e r (CFO).

D. the information own e r .

114. Which of the following metrics i s MOST u s eful to demonstrate the e f f e ctiveness of an incident response pl a n?

115. Which of the following BEST supports the risk assessme n t process to determine critically of an asset?

116. In which of the follow i ng ways can an informati o n security manager BEST ensure that security controls are ade q uate for s upporting b usiness goals and objectives?

117. Which of the following secur i ty m e c hanisms i s MOST e f fect i v e in protecting classified data that have been e ncrypted to prevent disclo s ure a nd transmission outside t he or g anization's networ k ?

118. Which of the following is the MOST e f fective w a y to identi f y chan g es in an information security environmen t ?

119. The cost of implementing a s e curity control should not exceed the: A. annualized loss expectanc y .

B. cost o f an incident. C. asset value.

D. implementation oppor t unity costs.

120. Prior to having a thi r d party perf o rm an attack and p enetrat i on test agai ns t an organization, the MOST

important action is to ensure that:

121. Which of the following is the M O ST e f fect i ve way to ensure information security policies are followed?

122. One wa y to determine control e f fectiveness is by determining: A. whether it is preventiv e , detective or compensator y .

B. the capab i lity of provid i ng notification of failure. C. the test results o f inte n ded objectives.

D. the evaluation and analysis of reli a bilit y .

123. Which of the following metri c s would provide management wi t h the MOST useful information about the prog r ess of a security awa r eness prog r am?

124. Which of the following would be MOST helpful i n determining an org a nization ’ s current capacity to mitigate risk?

125. Information security policy enforcement is the responsibili t y of the: A. security steering committee.

B. chief information o f fic e r (CIO).

C. chief info r mation security o f f i c er (CISO). D. chief compliance o f fic e r (CCO).

126. Wh e n a new key business application goes into production, t he PRIMA R Y reason to update re l evant business im p act analysis ( BIA) and business contin u ity/disaster r ecovery plans is because:

127. The PRIMA R Y driver to obtain external reso u rces to execute the information security pro g ram is t h at external res o urces can:

128. E f fective IT governance is BEST e nsured by: A. utilizing a bottom-up a ppr o ach.

B. management by the IT dep a rtment.

C. referring the matter to the organiza t ion's legal d e partment. D. utilizing a top-down approach.

129. An info r mation security manager i s reviewing the business c ase for a s e curity project that is entering the development phase. It i s determined that the estimated cost of the controls is now g r eater than t h e risk being mitigated.

The information security manag e r ’ s BEST recommendation would be to: A. eliminate some of the con t rols from the project scope.

B. discontinue the project to r elease funds for other e f forts. C. pursue the project until the benefits cover the c o sts.

D. slow the pace of the proje c t to spread costs ov e r a longer p e riod.

130. Mitigating techno l ogy risks to acc e ptable levels should be b a sed PRIMA R I L Y upon: A. business process ree n gineer i ng.

B. business process req u irement.

C. legal and regulat o ry requirem e nts. D. information security budget.

131. Which of the following metrics would be the MOST useful in measuring h ow well info r mation security is monitoring violation logs?

132. Which of the following would MO ST e f f e c t i vely ensure that information security is implemented in a new system?

133. Which of the following is the MOST important consideration for designing an e f fective information security govern a nce framework?

134. An inf o rmation security manager discovers that newly hired privileged users are not taking necessary st eps to protect cri t ical info r mation at their workstati o ns.

Which of the following is the BEST w a y to address this situation?

135. The MOST appr o priate role f o r seni o r managem e nt in supporting informati o n security is the: A. evaluation of vendors o f fering security products.

B. assessment of risks to the organiza t ion.

C. approval of policy statements and funding.

D. monitoring adh e rence to regulatory requi r ements.

136. The ad v antage of sending messages using stega n og r aph i c techniques, as opposed to utilizing encryption, is that:

137. The se l ection of s e c urity controls is PRIMARI L Y linked to: A. best practices of similar organizatio n s

B. risk appetite of the organization

C. regulatory requirem e nts

D. business impact assessment

138. An information security m anager s uspects th a t the organiza t ion has su f fered a ran s omware att a ck. What should be do n e FIRST?

139. Which is the BEST w ay to mea s ure and pri o ritize aggre g ate risk deriving from a chain of linked system vulnerabilities?

140. Senior management has alloca t ed funding to each of the organization ’ s divisions to add r ess











information security vuln e ra b ilities. T h e funding is based on each division ’ s te c hnology budget from the previous fiscal yea r .

Which of the following sh o uld be of GRE A TEST co n cern to the in f ormation security mana g er? A. Areas of h ighest risk may not be adequately pri o ritized for tr e atment

B. Redund an t controls may be i m plemented across divisions

C. Information security governan c e could be dece n tralized by d i vision

D. Return on invest m ent may be inc o nsis t ently reported to se n ior manage m ent

141. Which of the following is the MOST important consideration when d esign i ng informati o n security architecture?

142. W h at is the PRIMA R Y purpose of an unan n o u nced disaster re c overy exercise? A. T o evaluate how personnel react to the situation

B. T o provide metrics to senior man ag ement

C. T o estimate the recov e ry t i me object i ve ( R T O) D. T o a s sess service level agreem e nts (SLAs)

143. Risk assessment is MOST e f fective when per f ormed: A. at the beginning of security progr a m development.

B. on a con t inuous basis.

C. while developing the b usiness case for the secu r ity program. D. during the business change p rocess.

144. R elying on which of the f o llowing methods when detecting new thr e ats using IDS s h ould be of

MOST concern?

145. Which of the following would be the MOST appropriate physical security solution for the main entrance to a data center"?

146. During a security assessment, an information security manager finds a number of security patches were n ot installed on a server hosting a criti c al business app l ication. The app l ica t ion own e r did not app r ove the patch install a tion to avoid interrupting t he appli c ati o n.

Which of the following sh o uld be the information security manage r ’ s FIRST c o urse of acti o n? A. E scalate t he risk to s e nior management.

B. Communicate the potential impact to the appli c ation own e r .

C. Report the risk to the i nforma t ion security steering committ e e. D. Determine mitigation options with IT manage m ent.

147. An org a nization has decided to implement a d ditional securi t y controls t o treat t he risks of a new process.

This is an example of: A. eliminati n g the risk. B. transferring the risk. C. mitigating the risk. D. accepting the risk.

148. An or g anization ’ s marketing de p artment has req u ested acce s s to cloud-based coll a boration sites for exchanging media files with external marketing companies. As a result, the inf o rmati o n security manag e r has been asked to perform a risks ass e ssment.

Which of the following sh o uld be the MOST important consideration? A. The info r mation to be exchanged

B. Methods for transferri n g the information

C. Reputations of the external marketing companies D. The security of the t h i r d-p a rty cloud provider

149. Which of the following would be MOST e f f e c t i ve in ensuring that information security is appropriat e ly add r essed in new systems?

150. A we b - b ased busin e ss applica t i o n is being migrated from te s t to production. Which of the following is the MOST important ma n agement signo f f for th i s migration? A. User

B. Network

C. Operatio n s D. Database

151. At the conclusion of a disa s ter recovery t e st, which of t h e following sh o uld A L W A YS be perform e d prior to leaving the vend o r's hot site facility?

152. Which of the following would BEST ass i st an information security manag e r in measuring the existi n g level of development of security processes again s t their desir e d state?

153. The re c overy point objective (RPO) is requir e d in which of the followin g ? A. Informati o n security plan

B. I n cident response plan C. Business continuity pl a n D. Disaster r ecovery plan

154. A post- i ncident review shou l d be conducted by an incident management team to determine: A. relevant electronic evi d ence.

B. le s sons l e arned. C. hacker's identit y . D. areas a f fected.

155. Ensuri n g that activities perf o rm e d by outsourcing provide r s comply with information security policies can BEST be accomplis h ed through the use of:

156. Which of the following controls i s MOST e f fect i ve in provi d ing reaso n ab l e assurance of physical access com p liance to an unman n ed server room controlled wi t h b i ometric devices?

157. Which of the following activit i es i s MOST likely to increa s e the di f ficulty o f totally eradicating malicious code that is not immediately detected?

158. The M OST important factors in determining t he scope and timing for testing a bu s iness continuity plan are:

159. Which of the following will B E ST e nable an e f fect i v e information asset cl a ss i fication process? A. Reviewing the recovery time ob j ective ( R T O) re q uirements of the asset

B. Analyzing audit findings

C. Including security requiremen t s in the class i fication process

D. Assigning own e rship

160. Which of the following is the MOST important area of focus when exam i ning po t enti a l security compromise of a new wi r eless network?

161. At what s tage of the applicat i ons development p r ocess should the security dep a rtment initially bec o me involved?

162. An org a nization with a ma t uring i n cident response prog r am c onducts p o s t-incident reviews for all major information security in c idents. The PRIMA R Y goal of t h ese reviews should be to:

163. Senior management commitment and support will MOST likely b e o f fered when the value of information security governance is presented from a:

164. Which of the following will protect the con f identiality of data transmitted o v er the Internet? A. Message digests

B. Network address translation

C. Encrypti n g file s y s tem D. I P sec pro t ocol

165. The PRIMA R Y benefit of i n tegra t ing informati o n security ri s k into enterprise r i sk ma n agement is to: A. ensure timely risk mitigation.

B. justify the information security budget.

C. obtain senior mana ge ment ’ s commitment. D. provide a holistic view of risk.

166. Which of the following is the MOST important factor to ens u re information secu r ity is meeting the org a nization ’ s objectives?

167. Which of the following shou l d be done FIRST when establish i ng security measures for personal d a ta stored and p rocessed on a human re s ources man a gement system?

168. Which of the following is MO S T e f fective in protecting aga ins t the attack t echnique known as phishing?

169. The re c overy time o bjective ( R T O) is reached at which of t h e following milestones? A. Disa s ter declaration

B. Recovery of the back u ps

C. Restoration of the system

D. Return to business as usual processing

170. A rec e nt audit has identified that security co n trols by t h e organization ’ s policies have not been implemented for a particular application.

What should the information s e curity manag e r do NEXT to address this i s s u e?

171. Priority should be gi v en to which of the following to ensure e f fective implemen t ation o f information security govern a nce?

172. Planni n g for the implementation of an informati o n security program is MOST e f fective when it: A. uses dec i s ion trees to pr i oritize security projects

B. applies gap analysis to current and future busin e ss plans

C. uses risk - based anal y s is for security projects

D. applies technology-dr i ven solutions to identified needs

173. Before conducting a formal risk assessment of an or g anization's information resourc e s, an information security manager should FIRS T :

174. Which i s MOST im p ortant when contracting an external p a rty to perform a penetration test? A. Provide n etwork documentation

B. Obtain approval from IT manage m ent

C. Define the project scope

D. Increase the frequ e ncy of log reviews

175. Which of the following is the MOST important reason for performing vulnerability ass e ssments periodically?

176. The MAIN advantage of imple m enting automated password sy n c h ronization is that it: A. reduces o verall admi n istrative workload.

B. increases security be t w een multi-tier systems.

C. allows passwords to b e changed l e ss frequentl y . D. reduces the ne e d for two-factor au t hentication.

177. The PRIMA R Y reason for initiati n g a policy exception proce s s is when: A. operatio n s are too busy to compl y .

B. the risk is justified by t h e benefit.

C. policy c o mpliance would be di f ficu l t to enforce. D. users m a y initia l l y b e in c onvenien c ed.

178. Ensuri n g that activities perf o rm e d by outsourcing provide r s comply with information security policies can BEST be accomplis h ed through the use of:

179. Which of the following is the M O ST important reason for performing a cost-benefit analysis when implementing a security control?

180. Which of the following is the M O ST important factor when d etermining t he frequ e ncy of information security rea s sessment?

181. The systems administrator did not immediately notify the s e curity o f ficer about a malicious attack. An information security manager cou l d prevent this s i tuation by:

182. The MOST important factor in planning for the long-term re t ention of electronically stored b usiness records is to take into account potenti a l changes in:

183. Who in an organization has t he responsibility for classifying information? A. Data custodian

B. Database administrator

C. Information security o f f icer

D. Data ow n er

184. Which of the following is the BEST approach for improving information security mana g ement processes?

185. Which of the following BEST p repares a computer incident response team for a variety of information security scenarios?

186. Which of the following should be done FIRST when selecting perform a nce metrics to report on t he vendor risk managem e nt process?

187. W h en designing an incident response plan to be agr e ed upon with a cloud computing vendo r , including wh ic h of the fol l owing will BEST help to ensure the e f fectiveness o f the plan?

188. An information security manager at a global or g anization that is subject to regulation b y multiple government a l jurisdictions with di f fering requi r em e nts should:

189. Which of the following is the MOST important outcome from vulnerability scanning? A. Prioritization of risks

B. Informati o n about steps ne c essary to hack the system

C. Identification of back d oors

D. V erificati o n that s yst e ms are pro p erly configured

190. Which of the following is the BEST tool to maintain the curr e ncy and covera g e of an information security program within an org a nization?

191. When a security standard con f licts with a business objectiv e , the situation should be r e solved by: A. changing t he sec u rity standa r d.

B. changing t he business objective. C. performi n g a risk analysis.

D. authorizing a risk a cc e ptance.

192. Retention of business r ecords should PRIMARI L Y be based on: A. business strategy and direction.

B. regulatory and legal r e quirem e nts. C. storage capacity and longevit y .

D. business ease and value analysis.

193. An intr u sion detection system should be pla c ed: A. outside the firewall.

B. on the fir e wall serve r . C. on a scr e ened sub n et. D. on the external r o ute r .

194. Which of the following would be MOST cr i tical to the succ e s sful implem e ntation of a biometric











authentication system? A. Budget allocation

B. T echnical skills of sta f f

C. User acc e ptance

D. Password requirem e nts

195. Which of the following is the PRIMA R Y responsibility of an information security manager in an org a nization that is implement i ng the use of co m p any-ow n ed mob i le devices in its operations?

196. Over t h e last yea r , an infor m ation security m a nag e r has p e rformed risk assessments on multiple third-p a rty v e ndors.

Which of the following criteria w ould b e MOST helpful in deter m ining the associated level of risk appli e d to each vendo r ?

197. Which of the following BEST r educes the likeli h ood of leakage of private information via email? A. Email encryption

B. User awareness training

C. Strong user authen t ic a tion protocols

D. Prohibition on the per s onal use of email

198. Which of the following is t he BEST approach to reduce unne c essary duplication of c o mpliance activ i ties?

199. The MAIN goal of an information security strategic plan is to: A. develop a risk assessment plan.

B. develop a data protection plan.

C. protect information assets and resources. D. establish security govern a nce.

200. The FI R ST step in e stablishing an information security pro g ram is to: A. define policies and st a nda r ds t hat mitigate the org a nization ’ s ri s k s

B. secure organizational c ommitment and supp o rt.

C. assess the org a nization ’ s complia n c e with regulatory requir e ments. D. determine the level of r isk that is acceptable to senior man ag e m en t.

201. Which of the following is the MOST important consideration when selecting members for an information security steering committ e e?

202. Which of the following would present the GRE A TEST r i s k to information security? A. V irus signature files updates a re a p plied to all s e rvers ev e ry d ay

B. S e c urity a cce s s logs a r e re v iewed w ithin five business days C. Critical patches are applied within 24 hours of their relea s e D. Security incidents are investigated within five business days

203. What wo u ld be the MOST significant security risks when using wireless local area net w ork (LAN)

technology?

204. The MAIN reason for continuous monitoring of a security strategy is to: A. optimize r esource all o cation.

B. confirm benefits are being realize d .

C. evaluate the impleme n tation of the strateg y . D. allocate f u nds for i n formation security

205. After an information security busi n ess case has been ap p ro v ed by senior manageme n t, it should be: A. used to d esign functional r equ i re m ents for the solution.

B. used as t h e foundation for a risk a s sessment.

C. referenc e d to build architectural blueprints for the solution. D. reviewed at key intervals to ensure intended ou t comes.

206. D u ring which phase of an incident respon s e process should c orrective a c tions to the response proced u re b e considered and implemented?

207. Which of the following is the MOST appropriate method of e n suring password strength in a large org a nization?

208. Which of the following is MO S T useful to inc l ude in a rep o rt to senior management on a regular basis to demonstrate the e f fect i v eness of the information security program?

209. Foll o wing a successful and well - publicized h a cking incide n t, an organization has plans to improve application securit y .

Which of the following is a security project risk? A. Critical evidence may be lost.

B. The reputation of the organization may be damaged. C. A trapdoor may have b een installed in the application.

D. Resources may not be available to support the implementation.

210. When developing an information security strateg y , the M O ST important requirem e nt is that: A. standards capture the intent of management.

B. a schedule is developed to achieve objectives. C. the desired outc o me is known.

D. crit i cal s u cce s s f a ctors (CSFs) are develop e d.

211. W h en aligning an o rganization's information security program with ot h er risk and control activities, it is MO S T im p ortant to:

212. Which of the following has t he GRE A TEST influence on an o r g a nization's information security strategy?

213. Which of the following roles is PRIMARI L Y responsible for determining t he informati o n classific a tion levels for a g iven information asset?

214. Which of the following techniques would be the BEST test o f security e f fectiveness? A. Performi n g an ext e rnal penetration t est

B. Reviewing security policies and st a nda r ds

C. Reviewi n g security logs

D. Analyzing technical se c urity practic e s

215. Obtaining senior management s upport for establishing a warm site can BEST be accomplished by: A. establishing a peri o dic risk assessment.

B. promoting regulatory r equire m ents. C. developi n g a business case.

D. developi n g e f fective metrics.

216. The e f fectiveness of virus detection software is MOST depend e nt on which of the f o llowing? A. P a cket fil t ering

B. Intru s ion detection C. Software upg r ades D. Definition tables

217. Which of the following should be PRIMARI L Y i n cluded in a security training pr o gram for business process owners?

218. An e f fective way of prote c ting ap p lications against Structured Query La n gua g e (SQL) injection vulnerability is to:

219. Which of the following is the MOST important process that a n information security m a nag e r needs to negotiate wi t h an outsou r ce service provider?

220. Which of the following wou l d BEST enable an organization to e f fectively monitor the implementation of standardized configura t ions?

221. The PRIMA R Y purpose of vulnerability assessments is to: A. determine the impact o f potential threats.

B. t e st i n trus i on detection sys t ems (IDS) and response procedu r es. C. provide clear evidence that the system is su f fici e ntly secure.

D. detect deficiencies that could lead to a s y s tem c ompromise.

222. Minimum standards for securing the technical infrastructure should be d efined in a security: A. strateg y .

B. guidelines. C. model.

D. architect u re.

223. Which of the following is the PRIMA R Y reason for implementing a risk mana g ement p rog r am? A. Allows the organization to eliminate risk

B. Is a necessary part of management's due diligence

C. Satisfies audit and r eg ulatory requi r ements

D. Ass i s t s in incrementing the return o n investment (ROD

224. Which of the following enables compliance with a nonrepudiation policy requirement for electronic transactions?

225. The BEST protocol to ensure confidentiality of transmissio n s in a business-to-customer (B2C)

financial web application is:

226. Which of the following is MO S T critical for prioritizing a c tions in a business continuity plan (BCP)? A. B u s iness impact analysis (BIA)

B. Ri s k a s s e ssment

C. Asset cl a s sif i cation

D. Business process mapping

227. Which of the following is the MOST important reason for an information security r evi e w of contracts? T o help ensure that:

228. Which of the following is the MOST important factor in an o rganization ’ s selection of a key risk indicator (KRI)?

229. W h at information is MOST he l pful in demonstrating to senior manage m ent how info r mation security govern a nce aligns with business objectives?

230. An org a nization is considering m o ving one of its critical business applications to a cl o ud hosting service. The cloud provi d er may not provide the same level of security for this application as the org a nization.

Which of the following will pro v ide the BEST information to he l p maintain the security posture? A. Ri s k a s s e ssment

B. Cloud security strategy

C. V ulnerability a ssessm e nt

D. Risk governance fra m ework

231. The e f fectiveness of an infor m ati o n security governance fr a mework will BEST be e n hanced if: A. IS auditors are empo w ered to e val u ate govern anc e activiti e s

B. risk management is built into operational and strategic act i vit i es

C. a culture of legal and r egulatory compliance is p romoted by managem e nt D. consultants review the infor m ation security governance fram e work

232. Which of the following is t he M O ST important component of information security governance? A. Approved Information security strategy

B. Documented informati o n security policies

C. Compre h ensive information security awareness program

D. Appro p riate information security metrics

233. Which of the following needs to be established between an I T service provider and its clients to the

BEST enable adequate continuity of service in preparation for an outag e ? A. Data retention policies

B. Server m a intenance p l ans C. Recovery time objectives D. Reciprocal site agree m ent

234. Which of the following is MO S T i mportant when selecting a third-p a rty security operations center? A. Indemnity clauses

B. Indepen d ent controls assessment

C. Incident r esponse plans D. Business continuity pl a ns

235. An inte r nal review of a web - ba s ed application system finds the ability to g ain access to all employee s ' accounts by changing the employee ' s ID on the U R L used for accessing the account. The vulnerability identified is:

236. A critical device is delive r ed with a s ingle user and p asswo r d that is req u ired to be s h ared for mult i ple users to access the de v ice. An information security manager h as been tasked with ens u ring all access to the device is authorized.

Which of the following w o uld be the MOST e f f icient means to ac c omplish this?

237. Which of the following is the BEST approach for determining the maturity l e v el of an information security program?

238. The MOST basic requ i rement for an information security govern a nce pr o gram is to: A. be aligned with the co r porate busi n ess strateg y .

B. be based on a sound r i sk manage m ent appr o ac h . C. provide adeq u ate re g ulatory compliance.











D. provide best pract i c es for security- initiatives.

239. What is the BEST w a y to all e viate security team understa f f i ng while retaining the capability in-house? A. Hire a contractor that w ou l d not be included in the perma n ent headcount

B. Outsource with a security se r vices p rovider while retaining the control internally C. Establish a virtual security team from competent employees across the company D. Provide c r oss training to mi n imize the existing r esources gap

240. Which of the following would the BEST demonstrate the added value of an information security pro g ram?

241. Which of the following is t he PRIMA R Y reason to conduct p eriodic business impact a ssessments? A. I mprove t he results of last business impact a ss e ssment

B. Update recovery objectives based on new risks

C. Decrease the recovery times

D. Meet the needs of the business co n tinuity policy

242. Wh e n supp o rting an org a nization ’ s privacy o f fice r , which of the following is the information security manag e r ’ s PRIMA R Y role regard i ng p r imacy requirements?

243. Which of the following will B E ST p r event an employee from u sing a USB drive to copy files from desktop computers?

244. The P RIMA R Y benefit of integr at ing information security a ctivities into change ma n agement processes is to:

245. Successful implementation of information security governance will FIRST require: A. security awar e ness training.

B. updated security policies.

C. a computer incident management team. D. a securi t y architecture.

Answer: B

Explanation:

Updat e d security policies are re q uir e d to align management ob je ctives with security procedu r es; managem e nt objectives t r anslate into policy; policy translates i n to procedu res . Sec u rity procedures will necessitate specialized teams such as the computer incident re s ponse and m ana g ement g roup as well as specializ e d tools such as the security m e c hanisms that comprise the security architecture. Security awareness will promote the poli c ies, p r ocedures and appropria t e use of the security mechanisms.





1 1.Which of the following i ndividuals would be in the BEST position to sponsor the creation of an information security steering gr o up?

246. T o ensu r e IT equipment mee t s organizational security stand a rds, the M O ST e f ficient a pproach is t o : A. assess s e curity during equipm e nt deployment.

B. ensure c o mpliance du r ing user acceptance testing. C. asse s s the risks of a ll new e q uip m ent.

D. develop a n app r o v ed e quipment list.

247. Foll o wing a highly sensitive data brea c h at a large compa n y , all servers and w o rkstations were patched. The information secur i ty manag e r ’ s NEXT step should be to:

248. Which of the following is the PRIMA R Y reason social media has become a popular target for attack? A. The prevalence of str o ng perimet e r .

B. The reduced e f fectiveness of access controls. C. The element of trust c r eated by so c ial media.

D. The acc e ssibility of s o cial media f r om multiple locations.

249. Within the confidentialit y , integrit y , and availabil i ty (C I A) triad, which of the following act i vities B ES T

supports the concept of i n tegrity?

250. Which of the following is MO S T important for an information security m a nager to regularly report to senior man a gement?

251. Which of the following ter m s and conditions r epresent a significant deficiency if i n c luded in a commercial hot site contract?

252. Which of the following would be the BEST met r ic for the IT risk manage m ent process? A. Number of risk management action plans

B. Percentage of critical a ssets with budgeted re me dial

C. Percentage of unre s olved risk exp o sures D. Number o f security i n cidents identified

253. An info r mation security manager has researc h ed several options for handling o n go i ng security concerns and will be presenting these solutions to business m a n ag e rs.

Which of the following will BEST enable business managers to make an informed decision? A. B u s iness impact analysis

B. Cost-benefit analysis

C. Risk analysis D. Gap analysis

254. Which of the following would BEST help to ensure the align m ent between information security and business functions?

255. What is the BEST technique to d etermine whi c h security c on t rols to implement with a limited bud g et? A. Risk analysis

B. Annualized loss expectancy (ALE) calculations

C. Cost-be n efit analysis D. Impact analysis

256. A busin e ss unit uses an e-c o mm e rce application with a st r ong passwo r d polic y . Many c u s tomers complain that they cannot remember their passwo r ds because they are too long a n d complex. The business unit stat e s it is imperative to improve the customer experience.

The information secur i ty manag e r should FIRS T :

257. Which of the following outsourced services has the GRE A TEST need for security monitoring? A. Enterprise infrastructu r e

B. Applicati o n developm e nt

C. V irtual private network (VPN) serv i c es











D. W eb site hosting

258. Wh e n a user employs a client- s ide digital certificate to authenticate to a web server thro u gh Secure

Socket Layer (SSL), confidentiali t y is MOST vulnerable to which of the foll o wing? A. IP spoofing

B. Man-in-the-middle att a ck

C. Repudiat i on D. T rojan

259. The M OST likely c a use of a s ecurity information event m o nitoring (SIEM) s olution failing to identify a serious incident is that t h e s y stem:

260. An or g anization h a s determined that one of its web servers has been compromised.

Which of the following actions should be taken to preserve the evidence of t h e intrusion for forensic analysis and potential litigation?

261. An org a nization pla n s to con t ract with an ou t side service provider to host its corpora t e web site. The

MOST important concern for the information security manager i s to ensure that: A. an audit of the serv i c e provider un c overs no si g nificant we a kness.

B. the contract i n c ludes a nond i sclosure agr e ement (NDA) to protect the organization's intellectual pro p ert y .

C. the contract should mandate that the ser v ice provider will c o mply with security policies. D. the third- p arty service pro v ider co n ducts regular penetration t esting.

262. Which of the following should be an information security m anag e r ’ s MOST important consideration when con duc ting a physical secur i ty r eview of a potential outs o urced data center?

263. Which of the following MOST e f f ectively prevents internal users from modifying sensitive data? A. Network segmentation

B. Acceptable use policies

C. Role-bas e d access co n trols D. Multi-factor authentic a tion

264. Which of the following are the MOST important criteria when selecting virus protection software?

265. The dec ision to e scalate an incident should be based P R IM A RI L Y on: A. organizational hie r arc h y .

B. prioritization by the information security manag e r . C. predefin e d policies and proced u res.

D. response team experi e nce.

266. Which of the following is MO S T important to consider when developi n g a disaster recovery plan? A. B u s iness continuity pl a n (BCP)

B. B u s iness impact analysis (BIA) C. Cost-be n efit analysis

D. Feasibility assessment

267. Which of the following is the MOST e f fective so l ution for preventing indivi d uals external to the org a nization from modifying sen s itive information o n a corpora t e database?

268. A digital signature using a public key in f rastructure (PKI) will: A. not ensure the integrity of a mess a ge.

B. rely on the extent to w hich the cert i ficate authority (CA) i s tr u s ted. C. require t w o parties to the message exchange.

D. provide a high level of confidentialit y .

269. Wh e n contracting with an outsou r cer to provide security ad m inistration, the MOST important contractual element is the:

270. Which of the following is the PRIMA R Y purpose of establis h ing an info r mation security governance framework?

271. Which of the following is MO S T closely a ss o ciated with a business co n tinuity progr a m? A. Confirming that detailed technical r ecovery plans ex i st

B. Periodically testing network red u n d ancy

C. Updating the hot site e quip m ent configuration ev ery quarter

D. Developi n g recovery time obje c tiv e s ( R T Os) for critical fun c tions

272. A comp a ny's mail server allows anonymous file transfer pro t ocol (FTP) access which could be exploited.

What process should the informa t ion security manager d e ploy to determine the necessity for remedial action?

273. W h en outsourcing information security administration, it i s MO S T im p ortant for an organization to include:

274. A risk assessment and business impact analysis (BIA) have been com p leted for a major pr o pos e d purchase a n d new p r ocess for an or g anization. There is disagreement bet w een the info r mation security manager and the business department manager who will own the p r ocess reg a rding t h e results and the assigned risk.

Which of the following would be the BEST approach of the information security manage r ? A. Acceptance of the business manager's decision on the risk to the corporation

B. Acceptance of the information security manage r' s decision on the risk to the corporation

C. Review of the assessment wi t h executive ma n agement for final input

D. A new risk assessment and BIA are nee d ed to r es olve the dis a gr e ement

275. A benefit of using a full dis c losure (white box) appr o ach a s compar e d to a blind (black box) appr o ach to penetrati o n testing is that:

276. Which of the following is the GRE A TEST benefit of integrating information security program requi r ements into vendor managem e nt?

277. Which of the following chara c terist i cs is MOST i mportant to a bank in a high-v a lue on l ine financial transaction system?

278. An inf o rmation security manager has determi n ed that the m ean time to p rioritize information security incidents has increased to an unacceptable level.

Which of the following process e s would BEST enable the informa t ion security manager t o add r ess this concern?

279. Which of the following is the BEST approach to make strate g ic informati o n se c urity decisions? A. Establish an informati o n s e curity steering committee.

B. Establish periodic senior mana g ement meetings.

C. Establish regul a r info r mation security stat u s reporting. D. Establish business unit security working groups.

280. Which of the following would BEST mitigate id e ntified vuln e rabilities in a timely manner? A. Continuous vulnerability monitoring tool

B. Categorization of the vulnerabilities based on system ’ s cr i t ic a lity

C. Monitoring of key risk i ndicators (KRIs)

D. Action pl a n with responsibilities a n d deadlines

281. An org a nization without any formal information security program that has decided to implement information security be s t practices should FIRS T :

282. Which of the following change management procedures is MOST likely to cause concern to the information security manager?

283. What w o uld be an information security manag e r ’ s BEST recom m endati o n upon le a rn i ng that an existing contract with a t h ird party do e s not c learly identify requi r ements for safegu a rding t he org a nization ’ s critical dat a ?

284. Which of the following is the PRIMA R Y reason for executive management to be invo lv ed in establishing an enterprise ’ s security management framework?

285. An info r mation security program should focus on: A. best practices also i n place at peer companies.











B. solutions codified in internatio n al stand a rds. C. key controls identified in risk a ssessments. D. continued process im p rovement.

286. Which of the following is the FI R ST step to p erform before outsourcing critical information processing to a third party?

287. On g oing tracking of r emediation e f forts to miti g ate identified risks can BEST be acc o mplished throu g h the use of which of the following?

288. Which of the following types o f inf o rmation wou l d the information security m anager expect to have the LOWEST level of s e curity pr o tection in a larg e , multinatio n al enterpris e ?

289. Which of the following is MO S T important for measuring the e f fectiveness of a s e c urity awar e ness pro g ram?

290. Security awa r eness training is MOST likely to lead to which of the follow i ng? A. Decrease in intrusion incidents

B. I n crease in reported incidents

C. Decrease in se c urity policy chang e s D. Increase i n access rule violations

291. Which of the following would be MOST e f f e c t i ve in the stra t egic alignment of s e c urity initiativ e s? A. A security steering committee is set up within the IT department.

B. K e y information security policies a r e updated o n a regular b asi s .

C. Business lead e rs participate in information security decision making. D. Policies are created w i th input from business unit managers.

292. Which of the following would be MOST helpful to the inform a tion security manag e r tasked with enforcing e n hanced password stand ar ds?

293. Which of the following provides the MOST co m prehensive understand i ng of an organ i zation ’ s information security post u re?

294. The r e is reason to believe t hat a r e c ently modified web appl i cation has allowed un a ut h orized access. Which is the BEST way to identify an a pplication backdoor?

295. What is the MOST important f a ctor in the successful i mplem e ntation of an enter p rise wide information security prog r am?

296. Which of t he following would BEST prepare an information se c urity manager for re g ulatory reviews? A. Assign an information security administrator as r egulatory liaison

B. Perform self-assessments u s ing regulatory gu id elines and r e ports

C. Ass e ss p r evious regu l atory reports with process owners inp u t

D. Ensure all regulatory i n qu i ries are sanctioned by the legal department

297. Which of the following is the PRIMA R Y prerequisite to implementing data classificati o n within an org a nization?

298. Implem e nting a strong password policy is part of an organi z ation ’ s information security strategy for the yea r . A business unit believ e s the strategy may adversely a f fect a client ’ s adop t ion of a recently developed mobile applica t ion and has dec i ded not to implement the polic y .

Which of the following is the inf o rmati o n security mana g e r ’ s B E ST course of action? A. Analyze t h e risk and impact of not implementing the polic y .

B. Develop and impleme n t a passwo r d policy for t h e mobile ap p lication. C. Escalate non-imple m entation of the policy to se n ior manage me nt.

D. Benchmark with similar mobile applications to i d entify gaps.

299. For an org a nization that is experiencing outa g es due to malicious c ode, which of the following is the

BEST index of the e f fect i v eness of c o untermeasures? A. Number of virus infections detected

B. Amount of infection-related do w ntime

C. A verage recovery time per incident

D. Number o f downtime- r elated help d esk calls

300. What is the GRE A TEST risk w hen there is an excessive n u mber of firewall rules? A. One rule may override another r u l e in the chain and create a loopho l e

B. Performance degrada t i on of the whole network

C. The firewall may not support the increasing number of rules due to limit a tions

D. The firewall may show abnormal b e havior and m ay crash or au t omatically shut down