
QUESTION 1

In order to enhance security for certain departments or users in an organization, the Microsoft domain offers PCI DSS Lock Down Policy. This method enables security settings to be increased for some computers or users and allows security gaps to close.
True
False

10 points   
QUESTION 2
In order to enhance the training experience and emphasize the core security goals and mission, it is recommended that the executives _______________________.
issue a written welcome letter to new employees
remove themselves from the process because it doesn’t concern them
schedule multiple training sessions with new employees for face-to-face interaction
video record a message from one of the leaders in a senior role to share with new employees
10 points   
QUESTION 3
Microsoft domains offer _______________ in order to enhance security for certain departments or users in an organization. This method allows security gaps to close and security settings to be increased for some computers or users.
group policy
change management policies
configuration management policies
Simple Network Management Protocol (SNMP)
10 points   
QUESTION 4
A(n) ______________________ is a centrally located device that is capable and permitted to extend and connect to distributed services.
malware tool
inventory assessment
agentless central management tool
distributed infrastructure
10 points   
QUESTION 5
Though organizational challenges to security policy implementation vary depending on the culture and industry, the main hurdle has to do with a lack of sufficient budget to support implementation.
True
False

10 points   
QUESTION 6
Which of the following scenarios illustrates an ideal time to implement security policies in order to gain the maximum level of organizational commitment?
The policies should be implemented following a new product launch.
The policies should be implemented at the same time the new customer service policies are introduced.
The policies should be implemented to coincide with audit findings in order to minimize security risks.
The policies should be implemented at the same time of a new product launch.
10 points   
QUESTION 7
In information security, the individual responsible for setting goals for implementing security policies is the _________________.
chief information security officer
supervisor
human resources manager
executive manager
10 points   
QUESTION 8
The information security organization performs a significant role in the implementation of solutions that mitigate risk and control solutions. Because the security organization institutes the procedures and policies to be executed, they occupy the role of ____________________.
front-line manager
executive management
general counsel
subject matter expert (SME)
10 points   
QUESTION 9
The type and frequency of security awareness training is contingent on the type of user. For instance, all users might be required to attend refresher training courses on an annual basis, whereas a vendor should be required to attend outside training only as outlined in the vendor-company contract.
True
False

10 points   
QUESTION 10
Because some security work is heavily reliant on human judgment, not all controls are subjected to automation. However, manual controls are not appropriate to use with respect to background checks, log reviews, attestations, and access rights reviews.
True
False
QUESTION 1
Which of the following committees is responsible for the review of concepts, testing phases, and designs of new initiatives as well as determining when a project can enter the production phase?
the external connection committee
the architecture review committee
the operational risk committee
the project committee
10 points   
QUESTION 2
It is standard practice for organizations to use imaging techniques to establish baselines. Images can include all the desired configuration and security settings for a system, applications, system settings, and the full operating system.
True
False

10 points   
QUESTION 3
The scope of security awareness training must be customized based on the type of user assigned to each role in an organization. For instance, it is important that ________________ receives training in basic security requirements, regulatory and legal requirements, detailed policy review, and reporting suspicious activity.
middle management
senior management
the end users
the IT custodians
10 points   
QUESTION 4
There are a number of automated tools created by Microsoft that can be used to verify compliance. One such tool is the ____________________, which is a free download that locates system vulnerabilities by sending queries. This tool can scan multiple systems in a network and maintain a history of reports for all prior scans.
System Center Configuration Manager (SCCM)
Systems Management Server (SMS)
Microsoft Baseline Security Analyzer (MBSA)
Nessus
10 points   
QUESTION 5
Depending on staffing availability, the complexity of implementation, backlog, and how many approvals are needed, manual access requests can take weeks or days. Thus, automation can make the process far more efficient and minimize the time required. Which of the following is not one of the areas in which the time required can be reduced through automation?
Appropriate request—automated controls can verify request completion and that no policy requirements have been violated.
Employee verifications—automated controls can be put in place to verify information on an employee’s background.
Implementation—automated controls can implement a change upon its approval.
Approval workflow—automated controls can put a request in route so that it reaches those who need to grant approval in as expedient a manner as possible.
10 points   
QUESTION 6
Consider this scenario: A sales organization with an onsite IT staff experiences a major outage due to a minor change to a printer. Though systems were working successfully, the printer stopped working when a new server was added to the network. The new server that was added to the network shared the same IP address as the printer. Which of the following statements captures a contributing cause of the problem with the IP compatibility?
The IP address conflict prevented the printer from printing and prohibited the new server from communicating on the network.
The IP address conflict demonstrates that the organization failed to comply with change management policies.
The IP address conflict should have been fixed by a technician hired as an outside consultant.
The IP address conflict was a sign of another conflict in the default gateway, so none of the servers on the subnet were able to move traffic out of the subnet.
10 points   
QUESTION 7
When any tool makes any changes on a network, it is necessary that these changes are captured in a change management record for the purpose of creating an audit trail. Then, the tool making the change can capture any changes it makes on any systems. Audit trails are valuable tools for determining the existence of unauthorized changes.
True
False

10 points   
QUESTION 8
A major defense corporation rolls out a campaign to manage persistent threats to its infrastructure. The corporation decides to institute a ___________________ to identify and evaluate the knowledge gaps that can be addressed through additional training for all employees, even administrators and management.
needs assessment
new policy
communications plan
branding campaign
10 points   
QUESTION 9
When a CISO is seeking executive buy-in for implementing security policies with respect to a target state, the dialogue should make certain to address each of the following except:
the degree of commitment being solicited of the executive and his or her team
how the policies will impact the present environment
what risks are specifically addressed by the policy
the names of the team members who were consulted to create the policy
10 points   
QUESTION 10
Of the many tools that can be used in training to connect with an audience of employees, _______________ can inspire a sense of fun that leads to community and commitment.
case studies
humor
brainstorming
training videos
QUESTION 1
A policy framework definition helps organizations align policies to domains throughout their IT infrastructure to help:
mitigate the risks, threats, and vulnerabilities that are commonly found.
identify the areas of the organization that are most vulnerable to attack.
determine what attacks are most likely to adversely affect the organization.
assign organizational liability in case of a security breach.
10 points   
QUESTION 2
Which of the following statements is true regarding a security policy framework?
Your policies should be born from a well-thought-out framework.
The process of writing policies for your business ends with crafting a framework.
The framework should outline how a single policy addresses every risk to the business.
The framework is only used for writing new policies and does not apply to existing IT policies.
10 points   
QUESTION 3
In the lab, for any risk that did not match to a policy, you needed to:
identify the employee(s) who could be most vulnerable to the risk.
identify the machine(s) or network(s) that could be most vulnerable to the risk.
recommend an IT security policy that could eliminate the gap.
determine the potential cost if an attack was targeted at that risk.
10 points   
QUESTION 4
A layered security approach means having:
the same or similar controls and safeguards as other organizations.
the same or similar controls and safeguards cover multiple machines.
multiple controls and safeguards to cover the same or similar threats.
minimal controls and safeguards in order to optimize performance.
10 points   
QUESTION 5
Based on your work in the lab, to which policy definition does the following policy statement apply?
Employees are permitted to access the work Local Area Network (LAN) from home or outside the protected LAN, provided the devices are issued and configured by the company and are not altered.
Internet ingress/egress traffic and Web content filter
Wide Area Network (WAN) service availability
Internet and e-mail acceptable use
Remote access Virtual Private Network (VPN)
10 points   
QUESTION 6
Based on your work in the lab, to which policy definition does the following policy statement apply?
Users are not allowed to connect personal devices which are not issued by the company. Users are not allowed to run applications without business justification and expressed written authorization. Users are permitted to access Internet content during non-working hours.
Internet ingress/egress traffic and Web content filter
Access control
Asset protection
Remote access Virtual Private Network (VPN)
10 points   
QUESTION 7
Based on your work in the lab, to which policy definition does the following policy statement apply?
Network traffic configuration should monitor and, when necessary, react to restrict traffic, which when left unrestricted could make the business network unavailable.
Internet ingress/egress availability (denial of service/distributed denial of service)
Wide Area Network (WAN) service availability
Internet and e-mail acceptable use
Wireless Local Area Network (WLAN) access control and authentication
10 points   
QUESTION 8
An IT security policy framework outlines the policies, their standards and guidelines, and the procedures necessary for __________ risks, threats, and vulnerabilities commonly found in an IT infrastructure.
assigning individual liability for the
identifying individual employee’s strengths in responding to
directing an organization’s security responses to
directing management’s reactions toward
10 points   
QUESTION 9
Based on your work in the lab, to which policy definition does the following policy statement apply?
All the company’s encryption must employ at least Triple Data Encryption Standard Secure Hash Algorithm (DES SHA) III and Secure Sockets Layer/Transport Layer Security (SSL/TLS). Symmetric keys must be 128 bits in length.
Data classification standard and encryption
Internet ingress/egress traffic and Web content filter
Production data backup
Audit and monitoring
10 points   
QUESTION 10
Based on your work in the lab, to which policy definition does the following policy statement apply?
Every asset must be cataloged to include its perceived fair market value.
Computer security incident response team (CSIRT)
Access control
Audit and monitoring
Asset protection
QUESTION 1
Vulnerability scanning is created with the intention of exploiting weaknesses in the computing environment or system architecture. In most cases, vulnerability scanning involves a group of people posing as hackers who deploy social engineering and other techniques to try to hack the systems or network.
True
False

10 points   
QUESTION 2
The value of an early adopter on security policy is that such a user can illustrate the efficacy of the policy. Locating an early adopter can also help lay to rest objections and concerns about policy change.
True
False

10 points   
QUESTION 3
There are several different best practices available for implementation when creating a plan for IT security policy compliance monitoring. One such practice is to design a baseline derived from the security policy, which entails _________________.
using a security policy document as a blueprint
using images when feasible in the implementation of new operating systems
formally tracking any rule and regulatory changes in a routinized way
regularly checking systems after the baseline has been deployed
10 points   
QUESTION 4
There are a number of issues to consider when composing security policies. One such issue concerns the use of security devices. One such device is a ____________, which is a network security device with characteristics of a decoy that serves as a target that might tempt a hacker.
honeypot
data leakage
threat vector
agent
10 points   
QUESTION 5
When any tool makes any changes on a network, it is necessary that these changes are captured in a change management record for the purpose of creating an audit trail. Then, the tool making the change can capture any changes it makes on any systems. Audit trails are valuable tools for determining the existence of unauthorized changes.
True
False

10 points   
QUESTION 6
It is standard practice for organizations to use imaging techniques to establish baselines. Images can include all the desired configuration and security settings for a system, applications, system settings, and the full operating system.
True
False

10 points   
QUESTION 7
A firecall system is rapid access for the purposes of performing an emergency fix. Such a process is vital to change management.
True
False

10 points   
QUESTION 8
Which of the following is not one of the consequences of having an unmotivated employee?
employees prone to bad decision-making
employees targeted for social engineering pretexts
employees failing to report a control weakness
employees lacking in self-interest
10 points   
QUESTION 9
It is necessary that writing policies to advocate a mutually agreed-upon target state requires clarity and flexibility. It is recommended that language like “expected” and “should” is favorable to encourage employees to offer their own interpretation of how policies might be applied.
True
False

10 points   
QUESTION 10
The window of ________________ is the time between when an opportunity for risk is identified and when the risk is ultimately eliminated by a patch.
threat
risk
vulnerability
danger
