Isaca CISM 1

Isaca
CISM
Certified Information
Security Manager
Version: 22.2
Web: www.dumpscollection.com [ Total Questions: 430]
Email: support@dumpscollection.com
IMPORTANT NOTICE
Feedback
We have developed quality product and state-of-art service to ensure our customers interest. If you have any
suggestions, please feel free to contact us at feedback@dumpscollection.com
Support
If you have any questions about our product, please provide the following items:
exam code
screenshot of the question
login id/email
please contact us at support@dumpscollection.com and our technical experts will provide support within 24 hours.
Copyright
The product of each order has its own encryption code, so you should use it independently. Any unauthorized
changes will inflict legal punishment. We reserve the right of final explanation for this statement.
Dumps Q&A Isaca - CISM
Exam Topic Breakdown

Exam Topic Number of Questions
Topic 1 : Exam Pool (Nov) 150
Topic 2 : Exam Pool (Dec) 280
TOTAL 430
Success Guaranteed, 100% Valid 1 of 136

Topic 1, Exam Pool (Nov)

Question #:1 - (Exam Topic 1)
An internal security audit has reported several control weaknesses. The information security manager's BEST
course of action should be to:
A. present the report to the steering committee.
B. determine the effect on the risk profile.
C. remediate the vulnerabilities.
D. assign accountability for the findings.
Answer: B
Which of the following defines the triggers within a business continuity plan (BCP)?
A. Needs of the organization
B. Gap analysis
C. Disaster recovery plan
D. Information security policy
Answer: D
Which of the following would be the MOST effective incident response team structure for an organization
with a large headquarters and worldwide branch offices?
A. Coordinated
B. Decentralized
C. Outsourced
D. Centralized
Answer: D

To minimize security exposure introduced by changes to the IT environment, which of the following is MOST
important to implement as part of change management?
A. Performing post-change reviews before closing change tickets
B. Requiring approval by senior management
C. Performing a business impact analysis (B1A) prior to implementation
D. Conducting a security risk assessment prior to go-live
Answer: D
Which of the following is the BEST way to prevent recurrence of a security incident?
A. An appropriate investigation into the root cause with corrective measures applied
B. Review and update security policy on a regular basis
C. An expanded and more effective monitoring and detection process for incidents
D. Management support and approval of the incident response plan
Answer: A
When considering whether to adopt a new information security framework, an organization's information
security manager should FIRST:
A. perform a financial viability study.
B. compare the framework with the current business strategy.
C. perform a technical feasibility analysis.
D. analyze the framework's legal implications and business impact.
Answer: B

The PRIMARY goal of a post-incident review should be to
A. determine why the incident occurred
B. determine how to improve the incident handling process
C. establish the cost of the incident to the business.
D. identify policy changes to prevent a recurrence
Answer: D
An organization has established information security policies, but the information security the MOST likely
reason for this situation?
A. The information security policies are not communicated across the organization.
B. The information security policies lack alignment with corporate goals.
C. The information security program is not adequately funded.
D. The organization is operating in a highly regulated industry.
Answer: B
When recommending a preventive control against cross-site scripting in web applications, an information
security manager is MOST likely to suggest:
A. consolidating multiple sites into a single portal.
B. coding standards and code review.
C. using https in place of http.
D. hardening of the web server s operating system.
Answer: B
When developing a new system, detailed information security functionality should FIRST be addressed:
A. during the system design phase.
B.

B. as part of prototyping.
C. as part of application development.
D. when system requirements are defined.
Answer: D
Which of the following is the BEST reason to develop comprehensive information security policies?
A. To align the information security program to organizational strategy
B. To comply with external industry and government regulations
C. To support development of effective risk indicators
D. To gain senior management support for the information security program
Answer: A
Which of the following is the MOST important reason to document information security incidents that are
reported across the organization?
A. Prevent incident recurrence.
B. Identify unmitigated risk.
C. Support business investments in security
D. Evaluate the security posture of the organization.
Answer: C
In a resource-restricted security program, which of the following approaches will provide the BEST use of the
limited resources?
A. Cross-training
B. Risk avoidance
C. Risk prioritization

D. Threat management
Answer: C
Which of the following is MOST helpful for prioritizing the recovery of IT assets during a disaster?
A. Vulnerability assessment
B. Business impact analysis (BIA)
C. Cost- benefit analysis
D. Risk assessment
Answer: B
The PRIMARY purpose of a security information and event management (SIEM) system is to:
A. provide status of incidents
B. resolve incidents
C. track ongoing incidents
D. identify potential incidents.
Answer: D
Which of the following BEST helps to identify vulnerabilities introduced by changes to an organization's
technical infrastructure?
A. Log aggregation and correlation
B. Established security baselines
C. An intrusion detection system (IDS)
D. Penetration testing
Answer: A

Which of the following should be an information security manager's PRIMARY role when an organization
initiates a data classification process?
A. Assign the asset classification level.
B. Apply security in accordance with specific classification.
C. Verify that assets have been appropriately classified.
D. Define the classification structure to be implemented.
Answer: D
Which of the following is the MOST important function of information security?
A. Managing risk to the organization
B. Identifying system vulnerabilities
C. Preventing security incidents
D. Reducing the financial impact of security breaches
Answer: A
The MOST important reason to maintain key risk indicators (KRIs) is that:
A. threats and vulnerabilities continuously evolve.
B. they help assess the performance of the security program.
C. they are needed to verify compliance with laws and regulations
D. management uses them to make informed business decisions.
Answer: A
A PRIMARY advantage of involving business management in evaluating and managing information security

risks is that they:
A. better understand organizational risks.
B. are more objective than security management,
C. better understand the security architecture.
D. can balance technical and business risks.
Answer: A
Which of the following is MOST helpful for protecting an enterprise from advanced persistent threats (APTs)?
A. Defined security standards
B. Threat intelligence
C. Regular antivirus updates
D. Updated security policies
Answer: C
Which of the following is the MOST reliable source of information about emerging information security
threats and vulnerabilities?
A. A social media group of hackers
B. Industry bloggers
C. Vulnerability scanning alerts
D. Threat intelligence groups
Answer: D
An information security manager has been made aware that some employees are discussing confidential
corporate business on social media sites. Which of the following is the BEST response to this situation?
A.

A. Block workplace access to social media sites and monitor employee usage.
B. Scan social media sites for company-related information.
C. Train employees how to set up privacy rules on social media sites.
D. Communicate social media usage requirements and monitor compliance.
Answer: D
Which of the following is an indicator of improvement in the ability to identify security risks?
A. Increased number of reported security incidents
B. Decreased number of staff requiring information security training
C. Increased number of security audit issues resolved
D. Decreased number of information security risk assessments
Answer: A
Which of the following would BEST help an information security manager prioritize remediation activities to
meet regulatory requirements?
A. Alignment with the IT strategy
B. Annual toss expectancy (ALE) of noncompliance
C. Cost of associated controls
D. A capability maturity model matrix
Answer: B
An organization is planning to open a new office in another country. Sensitive data will be routinely sent
between the two offices. What should be the information security manager s FIRST course of action?
A. Apply the current corporate security policies to the new office.
B. Encrypt the data for transfer to the head office based on security manager approval
C.

C. Update privacy policies to include the other country's laws and regulations.
D. Identify applicable regulatory requirements to establish security policies
Answer: C
Which of the following should be an information security manager's PRIMARY focus during the development
of a critical system storing highly confidential data?
A. Complying with regulatory requirement
B. Ensuring the amount of residual risk is acceptable
C. Avoiding identified system threats
D. Reducing the number of vulnerabilities detected
Answer: A
An organization with a strict need-to-know information access policy is about to launch a knowledge
management intranet. Which of the following is the MOST important activity to ensure compliance with
existing security policies?
A. Develop a control procedure to check content before it is published.
B. Change organization policy to allow wider use of the new web site.
C. Password-protect documents that contain confidential information.
D. Ensure that access to the web site is limited to senior managers and the board.
Answer: A
When creating an incident response plan, the PRIMARY benefit of establishing a clear definition of a security
incident is that it helps to:
A. communicate the incident response process to stakeholders
B. make tabletop testing more effective.
C. develop effective escalation and response procedures.
D.

D. adequately staff and train incident response teams.
Answer: D
An information security manager learns that a departmental system is out of compliance with the information
security policy's authentication requirements. Which of the following should be the information security
manager's FIRST course of action?
A. Isolate the noncompliant system from the rest of the network.
B. Conduct an impact analysis to quantify the associated risk
C. Request risk acceptance from senior management.
D. Submit the issue to the steering committee for escalation.
Answer: B
Which of the following is the MOST effective method to prevent a SQL injection in an employee portal?
A. Conduct code reviews.
B. Enforce referential integrity on the database.
C. Reconfigure the database schema.
D. Conduct network penetration testing.
Answer: A
What should be an information security manager's FIRST course of action when an organization is subject to a
new regulatory requirement?
A. Submit a business case to support compliance.
B. Perform a gap analysis,
C. Complete a control assessment.
D. Update the risk register.

Answer: B
Inadvertent disclosure of internal business information on social media is BEST minimized by which of the
following?
A. Implementing data loss prevention (DLP) solutions
B. Developing social media guidelines
C. Educating users on social media risks
D. Limiting access to social media sites
Answer: B
Which of the following is MOST important to building an effective information security program?
A. logical access controls for information systems
B. Information security architecture to increase monitoring activities
C. Relevant and timely content included in awareness programs
D. Management support for information security
Answer: D
When facilitating the alignment of corporate governance and information security governance, which of the
following is the MOST important role of an organizations security steering committee?
A. Obtaining support for the integration from business owners
B. Evaluating and reporting the degree of integration
C. Obtaining approval for the information security budget
D. Defining metrics to demonstrate alignment
Answer: D

For an organization with a large and complex IT infrastructure, which of the following elements of a disaster
recovery hot site service will require the closest monitoring?
A. Number of subscribers
B. Audit tights
C. Systems configurations
D. Employee access
Answer: C
When aligning an organization's information security program with other risk and control activities, it is
MOST important to:
A. ensure adequate financial resources are available,.
B. have information security management report to the chief risk officer.
C. integrate security within the system development life cycle.
D. develop an information security governance framework.
Answer: D
Which of the following BEST promotes stakeholder accountability in the management of information security
risks?
A. Establishment of information ownership
B. Establishment of security baselines
C. Regular reviews for noncompliance
D. Targeted security procedures
Answer: A

The use of a business case to obtain funding for an information security investment is MOST effective when
the business case:
A. realigns information security objectives to organizational strategy,
B. articulates management s intent and information security directives in clear language.
C. relates the investment to the organization's strategic plan.
D. translates information security policies and standards into business requirements.
Answer: A
Vulnerability scanning has detected a critical risk in a vital business application. Which of the following
should the information security manager do FIRST?
A. Report the business risk to senior management.
B. Confirm the risk with the business owner.
C. Create an emergency change request
D. Update the risk register.
Answer: B
Which of the following has the GREATEST impact on efforts to improve an organization's security posture?
A. Well-documented security policies and procedures
B. Automation of security controls
C. Supportive tone at the top regarding security
D. Regular reporting 10 senior management
Answer: D
Which of the following is the FIRST step required to achieve effective performance measurement?

A. Select and place sensors.
B. Define meaningful metrics.
C. Validate and calibrate metrics.
D. Implement control objectives.
Answer: B
Which of the following is the MOST important security consideration when using Infrastructure as a Service
(laaS)?
A. Compliance with internal standards
B. Segmentation among tenants
C. Backup and recovery strategy
D. User access management
Answer: B
An organization has determined that one of its web servers has been compromised. Which of the following
actions should be taken to preserve the evidence of the intrusion for forensic analysis and potential litigation?
A. Run analysis tools to detect the source of the intrusion.
B. Reboot the server in a secure area to search for digital evidence.
C. Unplug the server from the power.
D. Restrict physical and logical access to the server.
Answer: D
Which of the following is the BIST course of action for the information security manager when residual risk is
above the acceptable level of risk?

A. Defer to business management.
B. Carry out a risk assessment
C. Perform a cost-benefit analysis.
D. Recommend additional controls.
Answer: D
Which of the following is the BEST approach for an information security manager to effectively manage
third-party risk?
A. Ensure vendor governance controls are in place.
B. Ensure senior management has approved the vendor relationship.
C. Ensure controls are implemented to address changes in risk.
D. Ensure risk management efforts are commensurate with risk exposure.
Answer: B
Which of the following is a PRIMARY responsibility of an information security steering committee?
A. Developing an Information security architecture
B. Updating the information security threat profile
C. Approving business cases for information security initiatives
D. Drafting information security policies in line with business objectives
Answer: C
Reviewing which of the following would provide the GREATEST Input to the asset classification process?
A. Sensitivity of the data
B. Compliance requirements
C.

C. Replacement cost of the asset
D. Risk assessment
Answer: A
In a large organization, which of the following is the BEST source for identifying ownership of a PC?
A. Asset management register
B. Domain name server (DNS) records
C. Identity management system
D. User ID register
Answer: A
An organization is considering the purchase of a competitor. To determine the competitor's security posture,
the BEST course of action for the organization's information security manager would be to:
A. assess the key technical controls of the competitor.
B. assess the security policy of the competitor.
C. conduct a penetration test of the competitor,
D. perform a security gap analysis on the competitor.
Answer: B
When conducting a post-incident review, the GREATEST benefit of collecting mean time to resolution
(MTTR) data is the ability to:
A. verify compliance with the service level agreement (SLA).
B. reduce the costs of future preventive controls.
C. provide metrics for reporting to senior management
D. learn of potential areas of improvement.

Answer: A
When selecting risk response options to manage risk, an information security manager's MAIN focus should
be on reducing:
A. exposure to meet risk tolerance levels.
B. the number of security vulnerabilities.
C. the likelihood of threat.
D. financial loss by transferring risk.
Answer: A
After undertaking a security assessment of a production system, the information security manager is MOST
likely to:
A. inform the system owner of any residual risks and propose measures to reduce them.
B. establish an overall security program that minimizes the residual risks of that production system
C. inform the IT manager of the residual risks and propose measures to reduce them.
D. inform the development team of any residual risks and together formulate risk reduction measures.
Answer: A
Exceptions to a security policy should be approved based PRIMARILY on:
A. risk appetite.
B. the external threat probability.
C. results of a business impact analysis (BIA).
D. the number of security incidents.
Answer: C
The MAIN purpose of documenting information security guidelines for use within a large, international

organization is to:
A. explain the organization's preferred practices for security.
B. ensure that all business units have the same strategic security goals.
C. provide evidence for auditors that security practices are adequate.
D. ensure that all business units implement identical security procedures.
Answer: B
Which of the following is the MOST important consideration for designing an effective information security
governance framework?
A. Security controls automation
B. Defined security metrics
C. Continuous audit cycle
D. Security policy provisions
Answer: B
Which of the following is MOST likely to increase end user security awareness in an organization?
A. A dedicated channel for reporting suspicious emails
B. Security objectives included in job descriptions
C. Simulated phishing attacks
D. Red team penetration testing
Answer: C
The MOST effective way to communicate the level of impact of information security risks on organizational
objectives is to present:
A.

A. detailed threat analysis results.
B. business impact analysis (BIA) results.
C. risk treatment options.
D. a risk heat map.
Answer: D
An organization's security was compromised by outside attackers. The organization believed that the incident
was resolved. After a few days, the IT staff is still noticing unusual network traffic. Which of the following is
the BEST course of action to address this situation?
A. Identify potential incident impact.
B. Assess the level of the residual risk.
C. Initiate the incident response process.
D. Implement additional incident response monitoring tools.
Answer: C
An organization has detected sensitive data leakage caused by an employee of a third-party contractor. What is
the BEST course of action to address this issue?
A. Activate the organization's incident response plan.
B. Limit access to the third-party contractor
C. Include security requirements in outsourcing contracts
D. Terminate the agreement with the third-party contractor
Answer: A
Which of the following is the MOST important factor to ensure information security is meeting the
organization's objectives?
A.

A. Implementation of a control self-assessment (CSA) process
B. Establishment of acceptable risk thresholds
C. Internal audit's involvement in the security process
D. Implementation of a security awareness program
Answer: B
Which of the following is the BEST reason to separate short-term from long-term plans within an information
security roadmap?
A. To update the roadmap according to current risks
B. To allocate resources for initiatives
C. To allow for reactive initiatives
D. To facilitate business plan reporting to management
Answer: C
Which of the following is the MOST important influence to the continued success of an organization's
information security strategy?
A. Information systems
B. Security processes
C. Organizational culture
D. Policy development
Answer: C
Which of the following should be the FIRST step of incident response procedures?
A. Evaluate the cause of the control failure.
B. Perform a risk assessment to determine the business impact.
C.

C. Identify if there is a need for additional technical assistance.
D. Classify the event depending on seventy and type.
Answer: B
Which of the following is the MOST effective way to mitigate the risk of data loss in the event of a stolen
laptop?
A. Deploying end-point data loss prevention software on the laptop
B. Providing end-user awareness training focused on traveling with laptops
C. Encrypting the hard drive
D. Utilizing a strong password
Answer: C
Which of the following metrics would be considered an accurate measure of an information security program's
performance?
A. The number of key risk indicators (KRIs) identified, monitored, and acted upon
B. A collection of qualitative indicators that accurately measure security exceptions
C. A combination of qualitative and quantitative trends that enable decision making
D. A single numeric score derived from various measures assigned to the security program
Answer: A
Which of the following should be an information security managers FIRST course of action following a
decision to implement a new technology?
A. Determine security controls needed to support the new technology.
B. Perform a business impact analysis (BIA) on the new technology.
C. Determine whether the new technology will comply with regulatory requirements.
D.

D. Perform a return-on-investment (R01) analysis for the new technology.
Answer: A
The PRIMARY reason for classifying assets is to:
A. balance asset value and protection measures.
B. inform senior management of the organization's risk posture.
C. identify low-value assets with insufficient controls.
D. establish clear lines of authority and ownership for the asset
Answer: A
Which of the following presents the GREATEST information security concern when deploying an identity and
access management solution?
A. Supporting legacy applications
B. Complying with the human resource policy
C. Supporting multiple user repositories
D. Gaining end user acceptance
Answer: A
Which of the following is the PRIMARY reason an information security strategy should be deployed across an
organization?
A. To ensure that security-related industry best practices are adopted
B. To ensure that employees adhere to security standards
C. To ensure that the business complies with security regulations
D. To ensure that management's intent is reflected in security activities
Answer: D

Which of the following provides the BEST evidence that the information security program is aligned to the
business strategy?
A. Information security initiatives are directly correlated to business processes.
B. The information security team is able to provide key performance indicators (KPIs) to senior
management.
C. Business senior management supports the information security policies.
D. The information security program manages risk within the business1* risk tolerance.
Answer: C
Which of the following BEST ensures timely and reliable access to services?
A. Nonrepudiation
B. Recovery lime objective (RTO)
C. Availability
D. Authenticity
Answer: B
The PRIMARY focus of a training curriculum for members of an incident response team should be:
A. technology training.
B. external corporate communication
C. security awareness
D. specific role training,
Answer: D

Which of the following MOST effectively helps an organization to align information security governance with
corporate governance?
A. Promoting security as enabler 10 achieve business objectives
B. Prioritizing security initiatives based on IT strategy
C. Developing security performance metrics
D. Adopting global security standards to achieve business goals
Answer: A
The BEST way to encourage good security practices is to:
A. recognize appropriate security behavior by individuals
B. publish the information security policy.
C. schedule periodic compliance audits.
D. discipline those who fail to comply with the security policy.
Answer: A
Which of the following is the BEST indication that an information security control is no longer relevant?
A. Users regularly bypass or ignore the control
B. The control does not support a specific business function.
C. IT management does not support the control.
D. Following the control costs the business more than not following it.
Answer: D
Which of the following threats is prevented by using token-based authentication?
A. Denial of service attack over the network
B.

B. Password sniffing attack on the network
C. Man-in-the-middle attack on the client
D. Session eavesdropping attack on the network
Answer: B
Which of the following is MOST important to consider when prioritizing threats during the risk assessment
process?
A. The potential impact on operations
B. The criticality of threatened systems
C. The capability of threat actors
D. The severity of exploited vulnerabilities
Answer: B
What is the PRIMARY purpose of communicating business impact to an incident response team?
A. To facilitate resource allocation tor preventive measures
B. To enable effective prioritization of incidents
C. To provide information for communication of incidents
D. To provide monetary values for post-incident review
Answer: D
When granting a vendor remote access to a system, which of the following is the MOST important
consideration?
A. Password hashing
B. Session monitoring
C. Multi- factor authentication
D.

D. Hard drive encryption
Answer: B
Which of the following is the PRIMARY goal of an incident response team during a security incident?
A. Shut down the affected systems to limit the business impact.
B. Minimize disruption to business-critical operations.
C. Ensure the attackers are detected and stopped.
D. Maintain a documented chain of evidence.
Answer: B
Which of the following is the BEST control to minimize the risk associated with loss of information as a result
of ransomware exploiting a zero-day vulnerability?
A. A public key infrastructure
B. A data recovery process
C. A patch management process
D. A security operation center
Answer: B
Which of the following is MOST helpful when justifying the funding required for a compensating control?
A. Business impact analysis (B1A)
B. Risk analysis
C. Business case
D. Threat assessment
Answer: C

Which of the following is the MOST important outcome of testing incident response plans?
A. Areas requiring investment are identified.
B. Staff is educated about current threats.
C. An action plan is available for senior management.
D. Internal procedures are improved.
Answer: D
An executive's personal mobile device used for business purposes is reported lost. The information security
manager should respond based on:
A. the business impact analysis (BIA).
B. incident classification.
C. asset management guidelines.
D. mobile device configuration.
Answer: D
Which of the following is MOST critical to the successful implementation of information security within an
organization?
A. Strong risk management skills exist within the information security group.
B. The information security manager is responsible for setting information security policy.
C. Budget is allocated for information security tools
D. Security is effectively marketed to all managers and employees,
Answer: D

What should be the information security manager s MOST important consideration when planning a disaster
recovery test?
A. Organization-wide involvement
B. Documented escalation processes
C. Impact to production systems
D. Stakeholder notification procedures
Answer: C
Which of the following is the BEST strategy to implement an effective operational security posture?
A. Defense in depth
B. Threat management
C. Vulnerability management
D. Increased security awareness
Answer: D
Which of the following should an information security manager do FIRST after learning about a new
regulation that affects the organization?
A. Assess the noncompliance risk.
B. Notify the affected business units.
C. Evaluate the changes with legal counsel.
D. Inform senior management of the new regulation.
Answer: C
What should the information security manager recommend to support the development of a new web
application that will allow retail customers to view inventory and order products?
A.

A. Building an access control matrix
B. Implementation of secure transmission protocols
C. Access through a virtual private network (VPN)
D. Request customers adhere to baseline security standards
Answer: B
In addition to cost what is the BEST criteria for selecting countermeasures following a risk assessment?
A. Maintenance requirements
B. Effectiveness of each option
C. Skill requirements for implementation
D. Effort of implementation
Answer: B
BEST way to isolate corporate data stored on employee-owned mobile devices would be to implement:
A. a sandbox environment
B. device encryption,
C. two-factor authentication
D. a strong password policy
Answer: A
A security team is conducting its annual disaster recovery test. Post-restoration testing shows the system
response time is significantly slower due to insufficient bandwidth for Internet connectivity at the recovery
center. Which of the following is the security manager's BEST course of action?
A. Reduce the number of applications marked as critical.
B.

B. Halt the test until the network bandwidth is increased.
C. Document the deficiency for review by business leadership.
D. Pursue risk acceptance for the slower response time
Answer: C
Which of the following is the PRIMARY reason to conduct periodic business impact assessments?
A. Update recovery objectives based on new risks.
B. Decrease the recovery times.
C. Improve the results of last business impact assessment (BIA).
D. Meet the needs of the business continuity policy.
Answer: A
Which of the following would BEST demonstrate the maturity level of an organization's security incident
response program?
A. An increase in the number of reported incidents
B. Ongoing review and evaluation of the incident response team
C. A decrease in the number of reported incidents
D. A documented and live-tested incident response process
Answer: D
To ensure IT equipment meets organizational security standards, the MOST efficient approach is to:
A. assess security during equipment deployment.
B. ensure compliance during user acceptance testing.
C. develop an approved equipment list.
D. assess the risks of all new equipment.

Answer: A
Which of the following BEST determines an information asset's classification?
A. Directives from the data owner
B. Value of the information asset to competitors
C. Cost of producing the information asset
D. Criticality to a business process
Answer: A
When trying to integrate information security across an organization, the MOST important goal for a
governing body should be to ensure:
A. funding is approved for requested information security projects.
B. the resources used for information security projects are kept to a minimum.
C. periodic information security audits are conducted.
D. information security is treated as a business critical issue.
Answer: D
Which of the following stakeholders would provide the BEST guidance in aligning the information security
strategy with organizational goals?
A. Board of directors
B. Chief information officer (CIO)
C. Chief information security officer (CISO)
D. information security steering committee
Answer: D

Management is questioning the need for several items in the information security budget proposal. Which of
the following would have been MOST helpful prior to budget submission?
A. Benchmarking information security efforts of industry competitors
B. Obtaining better pricing from information security service vendors
C. Presenting a report of current threats to the organization
D. Educating management on information security best practices
Answer: C
An organization has an approved bring your own device (BYOD) program. Which of the following is the
MOST effective method to enforce application control on personal devices?
A. Implement a mobile device management solution.
B. Implement a web application firewall.
C. Educate users regarding the use of approved applications.
D. Establish a mobile device acceptable use policy
Answer: A
Which of the following is the BEST way to address any gaps identified during an outsourced provider
selection and contract negotiation process?
A. Make the provider accountable for security and compliance.
B. Implement compensating controls.
C. Perform continuous gap assessments.
D. Include audit rights in the service level agreement (SLA).
Answer: A
After adopting an information security framework, an information security manager is working with senior

management to change the organization-wide perception that information security is solely the responsibility
of the information security department. To achieve this objective, what should be the information security
manager's FIRST initiative?
A. Develop an information security awareness campaign with senior managements support.
B. Implement a formal process to conduct periodic compliance reviews.
C. Develop an operational plan providing best practices for information security projects.
D. Document and publish the responsibilities of the information security department
Answer: A
The BEST way to obtain funding from senior management for a security awareness program is to:
A. demonstrate that the program will adequately reduce risk
B. produce an impact analysis report of potential breaches.
C. meet regulatory requirements.
D. produce a report of organizational risks.
Answer: A
When developing a protection strategy for outsourcing applications, the information se<urity manager MUST
ensure that:
A. the security requirements are included in the service level agreement (SLA).
B. escrow agreements are in place.
C. the responsibility for security is transferred in the service level agreement (SLA).
D. nondisclosure clauses are in the contract.
Answer: A
Which of the following is MOST important for effective communication during incident response?
A. Establishing a mean time to resolve (MTTR) metric

B. Maintaining a relationship with media and law enforcement
C. Maintaining an updated contact list
D. Establishing a recovery time objective (RTO)
Answer: C
Which of the following is the PRIMARY goal of a risk management program?
A. Manage compliance with organizational polices.
B. Implement preventive controls against threats
C. Reduce the organization s risk appetite
D. Manage the business impact of inherent risks.
Answer: D
An organization recently rolled out a new procurement program that does not include any security
requirements. Which of the following should the information security manager do FIRST?
A. Escalate the procurement program gaps to the compliance department in case of noncompliance issues.
B. Ask internal audit to conduct an assessment of the current state of third-party security controls.
C. Conduct security assessments of vendors based on value of annual spend with each vendor.
D. Meet with the head of procurement to discuss aligning security with the organization's operational
objectives.
Answer: D
When integrating information security requirements into software development, which of the following
practices should be FIRST in the development lifecycle?
A. Penetration testing
B. Source code review
C.

C. Dynamic code analysis
D. Threat modeling
Answer: D
An inexperienced information security manager is relying on its internal audit department to design and
implement key security controls. Which of the following is the GREATEST risk?
A. Conflict of interest
B. Inadequate audit skills
C. Violation of the audit charter
D. Inadequate implementation of controls
Answer: A
Which of the following functions is MOST critical when initiating the removal of system access for terminated
employees?
A. Help desk
B. Information security
C. Human resources
D. Legal
Answer: B
Senior management has decided to accept a significant risk within a security remediation plan. Which of the
following is the information security manager's BEST course of action?
A. Report the risk acceptance to regulatory agencies.
B. Communicate the remediation plan to the board of directors.
C. Update the risk register with the risk acceptance.
D. Remediate the risk and document the rationale.

Answer: C
Which of the following is the PRIMARY objective of reporting security metrics to stakeholders?
A. To demonstrate alignment to the business strategy
B. To provide support for security audit activities
C. To identify key controls within the organization
D. To communicate the effectiveness of the security program
Answer: D
Which of the following is MOST important when establishing a successful information security governance
framework?
A. Developing an Information security strategy
B. Identifying information security risk scenarios
C. Selecting information security steering committee members
D. Determining balanced scorecard metrics for information security
Answer: A
Which of the following is MOST critical for an effective information security governance framework?
A. The CIO is accountable for the information security program.
B. The information security program is continually monitored.
C. Board members are committed to the information security program
D. Information security policies are reviewed on a regular basis.
Answer: C

An organization has detected potential risk emerging from noncompliance with new regulations in its industry.
Which of the following is the MOST important reason to report this situation to senior management?
A. The risk profile needs to be updated
B. An external review of the risk nods to be conducted
C. Specific monitoring controls need to be implemented
D. A benchmark analysis needs to be performed.
Answer: A
Executive leadership has decided to engage a consulting firm to develop and implement a comprehensive
security framework for the organization to allow senior management to remain focused on business priorities.
Which of the following poses the GREATEST challenge to the successful implementation of the new security
governance framework?
A. Executive leadership becomes involved in decisions about information security governance
B. Information security staff has little or no experience with the practice of information security
governance.
C. Executive leadership views information security governance primarily as a concern of the information
security management team.
D. Information Security management does not fully accept the responsibility for information security
governance.
Answer: C
An organization is about to purchase a rival organization. The PRIMARY reason for performing information
security due diligence prior to making the purchase is to:
A. determine the security exposures.
B. evaluate the security policy and standards.
C. ensure compliance with international standards.
D. assess the ability to integrate the security department operations.
Answer: B

Which of the following is the MOST important criterion for complete closure of a security incident?
A. Documenting and reporting to senior management
B. Level of potential impact
C. Root cause analysis and lessons learned
D. Identification of affected resources
Answer: C
An information security manager is developing a new information security strategy. Which of the following
functions would serve as the BEST resource to review the strategy and provide guidance for business
alignment?
A. The board of directors
B. Internal audit
C. The steering committee
D. The legal department
Answer: C
What should an information security manager do FIRST when a service provider that stores the organization's
confidential customer data experiences a breach in its data center?
A. Determine the impact of the breach.
B. Engage an audit of the provider's data center.
C. Apply remediation actions to counteract the breach.
D. Recommend canceling the outsourcing contract.
Answer: A
Risk management is MOST cost-effective;

A. when performed on a continuous basis.
B. at the beginning of security program development
C. while developing the business case for the security program
D. when integrated into other corporate assurance functions.
Answer: D
Which of the following should be communicated FIRST to senior management once an information security
incident has been contained?
A. Whether the recovery time objective was met
B. The initial business impact of the incident
C. Details on containment activities
D. A summary of key lessons learned from the incident
Answer: B
Which of the following would be an information security manager's PRIMARY challenge when deploying a
bring your own device (BYOD) mobile program in an enterprise?
A. End user acceptance
B. Disparate device security
C. Mobile application control
D. Configuration management
Answer: C
Which of the following BEST demonstrates alignment between information security governance and corporate
governance?
A. Average number of security incidents across business units

B. Number of vulnerabilities identified for high-risk information assets
C. Security project justifications provided in terms of business value
D. Mean time to resolution for enterprise-wide security incidents
Answer: C
Which of the following is the BEST method to ensure that data owners take responsibility for implementing
information security processes?
A. Increase security awareness training
B. Include security tasks into employee job descriptions
C. Include membership on project teams
D. Provide job rotation into the security organization.
Answer: A
Which of the following devices, when placed in a demilitarized zone (DMZ). would be considered a
significant exposure?
A. Authentication server
B. Web server
C. Proxy server
D. Intrusion detection server
Answer: A
An information security manager is evaluating the key risk indicators (KRls) for an organization s information
security program. Which of the following would be the information security manager s GREATEST concern?
A. Use of qualitative measures
B. Multiple KRls for a single control process
C.

C. Undefined thresholds to trigger alerts
D. Lack of formal KRI approval from IT management
Answer: C
The MOST important reason for an information security manager to be involved in a new software purchase
initiative is to:
A. ensure the appropriate controls are considered.
B. ensure there is software escrow in place.
C. choose the software with the most control options.
D. provide input for user requirements.
Answer: A
Which of the following techniques is MOST useful when an incident response team needs to respond to
external attacks on multiple corporate network devices?
A. Endpoint baseline configuration analysis
B. Security event correlation analysis
C. Vulnerability assessment of network devices
D. Penetration testing of network devices
Answer: B
A third-party service provider is developing a mobile app for an organization's customers. Which of the
following issues should be of GREATEST concern to the information security management.
A. Software escrow is not addressed in the contract
B. The contract has no requirement for secure development practices
C. The mobile app s programmers are all offshore contractors.
D. SLAs after deployment are not clearly defined.

Answer: A
After a security incident has been contained, which of the following should be done FIRST?
A. Notify local authorities.
B. Perform a complete wipe of the affected system.
C. Conduct forensic analysis.
D. Restore the affected system from backup.
Answer: B
In which of the following ways can an information security manager BEST ensure that security controls are
adequate for supporting business goals and objectives?
A. Enforcing strict disciplinary procedures in case of noncompliance
B. Using the risk management process
C. Reviewing results of the annual company external audit
D. Adopting internationally accepted controls
Answer: B
Which of the following will BEST ensure that risk is evaluated on system level changes?
A. Senior management must sign-off on changes.
B. Security should be integrated in the change control process.
C. System development staff receives regular security training.
D. Implement a centralized change management system.
Answer: B

Which of the following would be MOST effective in preventing malware from being launched through an
email attachment?
A. Up-to-date security policies
B. Security awareness training
C. A network intrusion detection system (NlDS)
D. Placing the e-mail server on a screened subnet
Answer: B
The MAIN consideration when designing an incident escalation plan should be ensuring that:
A. requirements cover forensic analysis.
B. information assets are classified.
C. appropriate stakeholders are involved,
D. high-impact risks have been identified.
Answer: C
When implementing a new risk assessment methodology, which of the following is the MOST important
requirement?
A. Risk assessments must be reviewed annually.
B. Risk assessments must be conducted by certified staff.
C. The methodology used must be consistent across the organization.
D. The methodology must be approved by the chief executive officer.
Answer: C
When implementing security architecture, an information security manager MUST ensure that security

controls:
A. are the least expensive.
B. are transparent.
C. are communicated through security policies.
D. form multiple barriers against threats.
Answer: D
Which of the following is the MOST effective way to mitigate the risk of confidential data leakage to
unauthorized stakeholders?
A. Create a data classification policy.
B. Conduct information security awareness training.
C. Require the use of login credentials and passwords.
D. Implement role-based access controls.
Answer: B
Which of the following metrics would provide management with the MOST useful information about the
effectiveness of a security awareness program?
A. Decreased number of phishing attacks
B. Decreased number of security incidents
C. Increased number of reported security incidents
D. Increased number of downloads of the organization's security policy
Answer: C
In a large organization requesting outsourced services, which of the following contract clauses is MOST
important to the information security manager?
A. Compliance with security requirements

B. Frequency of status reporting
C. Nondisclosure clause
D. Intellectual property
Answer: A
The head of a department affected by a recent security incident expressed concern about not being aware of
the actions taken to resolve the incident. Which of the following is the BEST way to address this issue?
A. Require management approval of the incident response plan.
B. Ensure better identification of incidents in the incident response plan.
C. Discuss the definition of roles in the incident response plan.
D. Disseminate the incident response plan throughout the organization.
Answer: D
Which of the following is MOST relevant for an information security manager to communicate to business
units?
A. Risk ownership
B. Vulnerability assessments
C. Business impact analysis (BIA)
D. Threat assessments
Answer: C
Which of the following is BEST to include in a business case when the return on investment (RIO) for an
information security initiative is difficult to calculate?
A. Projected increase in maturity level
B.

B. Estimated increase in efficiency
C. Projected costs over time
D. Estimated reduction in risk
Answer: B
Which of the following is the PRIMARY reason to avoid alerting certain users of an upcoming penetration
test?
A. To aid in the success of the penetration
B. To reduce the scope and duration of the test
C. To prevent exploitation by malicious parties
D. To evaluate detection and response capabilities
Answer: D
Which of the following is the MOST important reason for logging firewall activity?
A. Auditing purposes
B. Incident investigation
C. Firewall tuning
D. Intrusion detection
Answer: A
An information security manager discovers that the organization's new information security policy is not being
followed across all departments. Which of the following should be of GREATEST concern to the information
security manager?
A. Business unit management has not emphasized the importance of the new policy.
B. Different communication methods may be required for each business unit
C. The corresponding controls are viewed as prohibitive to business operations.

D. The wording of the policy Is not tailored to the audience
Answer: A
Which of the following would BEST protect against web-based cross-domain attacks?
A. Network addressing scheme
B. Encryption controls
C. Application controls
D. Database hardening
Answer: C
Ensuring that an organization can conduct security reviews within third-party facilities is PRIMARILY
enabled by:
A. contractual agreements.
B. service level agreements (SLAs).
C. acceptance of the organization s security policies.
D. audit guidelines.
Answer: A
Which of the following is MOST important when prioritizing an information security incident?
A. Organizational risk tolerance
B. Cost to contain and remediate the incident
C. Criticality of affected resources
D. Short-term impact to shareholder value
Answer: C

Topic 2, Exam Pool (Dec)
Which of the following would be the BEST way for a company to reduce the risk of data loss resulting from
employee-owned devices accessing the corporate email system?
A. Link the bring-your-own-device (BYOD) policy to the existing staff disciplinary policy.
B. Require employees to undergo training before permitting access to the corporate email service
C. Require employees to install a reputable mobile anti-virus solution on their personal devices.
D. Use a mobile device management (MDM) solution to isolate the local corporate email storage.
Answer: D
A hash algorithm is used to:
A. encrypt sensitive data files
B. verify the integrity of data files
C. verify the validity of the data in an email message
D. provide data confidentiality.
Answer: B
What information is MOST helpful in demonstrating to senior management how information security
governance aligns with business objectives?
A. Metrics of key information security deliverables
B. A list of monitored threats, risks and exposures
C. Drafts of proposed policy changes
D. Updates on information security projects in development

Answer: A
Which of the following is the MAIN concern when securing emerging technologies?
A. Compatibility with legacy systems
B. Unknown vulnerabilities
C. Applying the corporate hardening standards
D. Integrating with existing access controls
Answer: D
A core business function has created a significant risk. Budget constraints do not allow for effective
remediation. Who should be accountable for selecting the appropriate risk treatment?
A. Business process owner
B. Security officer
C. Audit team
D. Senior management
Answer: A
Which of the following would provide the BEST evidence to senior management that security control
performance has improved?
A. Demonstrated return on security investment
B. Reduction in inherent risk
C. Results of an emerging threat analysis
D. Review of security metrics trends
Answer: C

Recovery time objectives (RTOs) are an output of which of the following?
A. Business continuity plan
B. Disaster recovery plan
C. Service level agreement (SLA)
D. Business impact assessment (BIA)
Answer: B
Which of the following is MOST likely to occur following a security awareness campaign''
A. An increase in the number of viruses detected in incoming email
B. An increase in reported social engineering attempts
C. A decrease in number of account lockouts
D. A decrease in user-reported false positive incidents
Answer: D
An organization recently implemented a data loss prevention (DLP) system. A senior business executive has
complained that the system seriously impedes departmental effectiveness. What is the information security
manager's BEST course of action?
A. Request risk acceptance.
B. Review alternative controls.
C. Perform a risk assessment.
D. Change the DLP system.
Answer: B
Which of the following is MOST critical when creating an incident response plan?
A. Aligning with the risk assessment process

B. Documenting incident notification and escalation processes
C. identifying what constitutes an incident
D. identifying vulnerable data assets
Answer: B
During a post-incident review, the sequence and correlation of actions must be analyzed PRIMARILY based
on:
A. a consolidated event timeline
B. interviews with personnel.
C. logs from systems involved.
D. documents created during the incident.
Answer: C
A new version of an information security regulation is published that requires an organization's compliance.
The information security manager should FIRST
A. perform an audit based on the new version of the regulation
B. conduct a risk assessment to determine the risk of noncompliance.
C. conduct benchmarking against similar organizations.
D. perform a gap analysis against the new regulation.
Answer: D
An information security manager recently received funding for a vulnerability scanning tool to replace manual
assessment techniques and needs to justify the expense of the tool going forward. Which of the following
metrics would BEST indicate the tool is effective?
A. An increase in the severity of detected vulnerabilities
B. An increase in the number of detected vulnerabilities
C.

C. A decrease in the lime needed to detect vulnerabilities
D. A decrease in staff needed to detect vulnerabilities
Answer: C
Which of the following would be MOST helpful to an information security manager tasked with enforcing
enhanced password standards?
A. Implementing technical password controls to include strong complexity
B. Conducting password strength testing
C. Reeducating end users on creating strong, complex passwords
D. Implementing a centralized identity management system
Answer: A
What should an information security manager do FIRST upon learning that the third-party provider
responsible for a mission-critical process is subcontracting critical functions to other providers?
A. Adjust the insurance policy coverage.
B. Engage an external audit of the third party.
C. Request a formal explanation from the third party.
D. Review the provider's contract
Answer: D
Which of the following is MOST important lo track for determining the effectiveness of an information
security program?
A. Return on investment (ROl)
B. Key performance indicators (KPls)
C. Service level agreements (SLAs)
D.

D. Key risk indicators (KRIs)
Answer: B
Which of the following BEST supports effective information security governance"*
A. A steering committee is established
B. A baseline risk assessment is performed.
C. Compliance with regulations is demonstrated.
D. The information security manager develops the strategy
Answer: A
ON NO: 994
When two different controls are available to mitigate a risk, an information security manager's
recommendation should be based on the results of a:
A. control evaluation
B. cost-benefit analysis
C. countermeasure analysis
D. threat analysis.
Answer: B
If the inherent risk of a business activity is higher than the acceptable risk level, the information security
manager should FIRST
A. transfer risk to a third party to avoid cost of impact
B. recommend that management avoids the business activity
C. implement controls to mitigate the risk to an acceptable level
D. assess the gap between current and acceptable level of risk

Answer: C
Which of the following service offerings in a typical Infrastructure as a Service (IaaS) model will BEST
enable a cloud service provider to assist customers when recovering from a security incident?
A. Availability of current infrastructure documentation
B. Capability to take a snapshot of virtual machines
C. Availability of web application firewall logs
D. Capability of online virtual machine analysis
Answer: D
For an organization with operations in different parts of the world, the BEST approach for ensuring that
security policies do not conflict with local laws and regulations is to:
A. refer to an external global standard to avoid any regional conflict
B. adopt uniform policies.
C. make policies at a sufficiently high level, so they are globally applicable.
D. establish a hierarchy of global and local policies.
Answer: D
Which of the following is the MOST important reason to consider the role of the IT service desk when
developing incident handling procedures?
A. The service desk provides a source for the identification of security incidents.
B. Service desk personnel have information on how to resolve common systems issues
C. The service desk provides information to prioritize systems recovery based on user demand
D. Untrained service desk personnel may be a cause of security incidents.
Answer: A

The MOST important reason to have a well-documented and tested incident response plan in place is to:
A. outline external communications
B. promote a coordinated effort
C. facilitate the escalation process
D. standardize the chain of custody procedure.
Answer: B
When is the BEST time to identify the potential regulatory risk a new service provider presents to the
organization?
A. During contract negotiations
B. During business case analysis
C. During due diligence
D. During integration planning
Answer: B
What should be the PRIMARY basis for prioritizing incident containment?
A. The business value of affected assets
B. Input from senior management
C. The recovery cost of affected assets
D. Legal and regulatory requirements
Answer: A

The BEST way 10 establish a security baseline is by documenting
A. a standard of acceptable settings
B. a framework of operational standards
C. the desired range of security settings
D. the organization's preferred security level.
Answer: D
For computer forensics evidence to be admissible in a court of law, the evidence MUST:
A. meet standards of relevance
B. be identifiable and reproducible
C. have integrity and accountability
D. be stored in the original media.
Answer: C
The authorization to transfer the handling of an internal security incident to a third-party support provider is
PRIMARILY defined by the:
A. information security manager
B. escalation procedures
C. disaster recovery plan (DRP)
D. chain of custody.
Answer: B
Which of the following is the BEST way for an information security manager to protect against a zero-day
attack?
A. Configure daily runs of the virus protection software.

B. Conduct vulnerability scans on a daily basis.
C. Perform a business impact analysis (BIA).
D. Implement heuristic-based monitoring tools
Answer: D
Segregation of duties is a security control PRIMARILY used to:
A. limit malicious behavior.
B. decentralize operations.
C. establish dual check.
D. establish hierarchy.
Answer: A
An organization is developing a disaster recovery plan (DRP) for a data center that hosts multiple applications
The application recovery sequence would BEST be determined through an analysis of:
A. key performance indicators (KPls).
B. recovery time objectives (RTOs)
C. the data classification scheme.
D. recovery point objectives (RPOs)
Answer: B
Which of the following is the FIRST step when defining and prioritizing security controls to be implemented
under an information security program?
A. Review the applicable regulations tn place and their impact to each business function
B. Understand the company's risk appetite and its alignment with the information security strategy
C.

C. Interview function owners across the company to determine the best plan of action.
D. Review recent information security incidents to determine organizational focus areas and priorities
Answer: A
Which of the following is an organization's BEST approach for media communications when experiencing a
disaster?
A. Hold a press conference and advise the media to refer to legal authorities.
B. Defer public comment until partial recovery has been achieved.
C. Report high-level details of the losses and recovery strategy to the media.
D. Authorize a qualified representative to convey specially drafted messages.
Answer: D
Which of the following is the MOST effective way to facilitate the implementation of IT security program
objectives?
A. Establishing a steering committee with executive and business involvement
B. Developing a suite of policy, standards, and procedure documents
C. Designing a compulsory IT security training program for all employees
D. Creating a help desk and change management platform
Answer: B
When scoping a risk assessment, assets need to be classified by:
A. sensitivity and criticality.
B. threats and opportunities
C. likelihood and impact
D. redundancy and recoverability.

Answer: B
Which of the following BEST enables effective information security governance9
A. Established information security metrics
B. Security-aware corporate culture
C. Advanced security technologies
D. Periodic vulnerability assessments
Answer: B
Which of the following is MOST effective in preventing the introduction of vulnerabilities that may disrupt
the availability of a critical business application?
A. Change management controls
B. A patch management process
C. Version control
D. Logical access controls
Answer: B
Which of the following is the BEST reason for delaying the application of a critical security patch?
A. Conflicts with software development life cycle
B. Resource limitations
C. Lack of vulnerability management
D. Technology interdependences
Answer: D

Which of the following is the information security manager's PRIMARY role in the information assets
classification process?
A. Developing an asset classification model
B. Assigning the asset classification level
C. Securing assets in accordance with their classification
D. Assigning asset ownership
Answer: C
Which of the following activities would BEST incorporate security into the software development life cycle
{SOLO7
A. Test applications before go-live
B. Minimize the use of open source software
C. Include security training for the development team
D. Scan operating systems for vulnerabilities
Answer: C
Which of the following is the BEST way to determine if an information security program aligns with corporate
governance?
A. Evaluate funding for security initiatives.
B. Review the balanced scorecard.
C. Survey end users about corporate governance.
D. Review information security policies.
Answer: B
Information security awareness programs are MOST effective when they are:

A. customized for each target audience
B. sponsored by senior management
C. reinforced by computer-based training
D. conducted at employee orientation.
Answer: A
Which of the following should be of MOST concern to an information security manager reviewing an
organization's data classification program*?
A. The classifications do not follow Industry best practices.
B. Data retention requirements are not defined.
C. The program allows exceptions to be granted.
D. Labeling is not consistent throughout the organization
Answer: D
Which of the following is the BEST course of action for an information security manager to align security and
business goals?
A. Actively engaging with stakeholders
B. Defining key performance indicators (KPIs)
C. Reviewing the business strategy
D. Conducting a business impact analysis (6IAJ
Answer: C
Which of the following is the GREATEST security concern when an organization allows the use of social
networks?
A. Network performance degradation
B.

B. Browser vulnerability exploitation
C. Decreased user productivity
D. Inadvertent data disclosure
Answer: D
Which of the following is the STRONGEST indication that senior management commitment to information
security is lacking within an organization?
A. Inconsistent enforcement of information security policies
B. A high level of information security risk acceptance
C. A reduction in information security investment
D. The information security manager reports to the chief risk officer
Answer: A
Which of the following is MOST important to consider when developing a business continuity plan (BCP)?
A. Disaster recovery plan (DRP)
B. Business communication plan
C. Incident management requirements
D. Business impact analysis (BIA)
Answer: D
Which of the following is the MOST appropriate board-level activity for information security governance?
A. Include security in job performance appraisals
B. Develop 'what-if’ scenarios on incidents
C. Establish measures for security baselines.
D. Establish security and continuity ownership

Answer: D
Senior management is concerned a security solution may not adequately protect its multiple global data centers
following recent industry breaches. What should be done NEXT?
A. Conduct a business impact analysis (BIA).
B. Perform a gap analysis.
C. Require an internal audit review.
D. Perform a risk assessment.
Answer: D
A data leakage prevention (DLP) solution has identified that several employees are sending confidential
company data to their personal email addresses in violation of company policy. The information security
manager should FIRST.
A. contact the employees involved to retake security awareness training
B. limit access to the Internet for employees involved.
C. initiate an investigation to determine the full extent of noncompliance
D. notify senior management that employees are reaching policy.
Answer: C
The chief information security officer (ClSO) has developed an information security strategy, but is struggling
to obtain senior management commitment for funds to implement the strategy Which of the following is the
MOST likely reason?
A. The C1SO reports to the CIO.
B. The strategy does not comply with security standards
C. There was a lack of engagement with the business during development.
D. The strategy does not include a cost-benefit analysis
Answer: C

Which of the following is MOST important when carrying out a forensic examination of a laptop to determine
an employee s involvement in a fraud?
A. The investigation should be conducted on an image of the original disk drive.
B. The laptop should not be removed from the company premises.
C. The employee's network access should be suspended.
D. An HR representative should be present during the laptop examination.
Answer: A
Which of the following should provide the PRIMARY justification to approve the implementation of a disaster
recovery (DR) site on the recommendation of an external audit report?
A. Recovery time objectives (RTOs)
B. Regulatory requirements
C. Cost-benefit analysis
D. Security controls at the DR site
Answer: B
Communicating which of the following would be MOST helpful to gain senior management support for risk
treatment options?
A. industry benchmarks
B. Threat analysis
C. Root cause analysis
D. Quantitative loss
Answer: C

Which of the following should be an information security manager's PRIMARY consideration when
developing an incident response plan?
A. The organization's risk tolerance and appetite
B. The organization's external communications plan
C. Skills and competencies of the help desk
D. Incident response plan testing methods and frequency
Answer: D
Information security can BEST be enforced by making security:
A. a business process owner activity.
B. an integral component of corporate policies.
C. a part of each employee's Job objectives.
D. a flexible system of procedures and guidelines.
Answer: C
Information security policies should be designed PRIMARILY on the basis of:
A. international standards.
B. inherent risks.
C. business risks.
D. business demands.
Answer: C
What should be an information security manager's NEXT activity following the remediation of a security
incident?
A. Update the incident testing timeline
B. Review system logs.
C.

C. Review lessons learned.
D. Update post-incident training.
Answer: C
An information security manager finds that corporate information has been stored on a public cloud storage
site for business collaboration purposes. Which of the following should be the manager's FIRST action?
A. Update service level agreements (SLAs).
B. Assign a data classification label.
C. Implement a data encryption strategy.
D. Determine the risk to the data.
Answer: D
An information security manager has been asked to integrate security into the software development life cycle
(SDLC) after requirements have already been gathered. In this situation during which phase would integration
be MOST effectrve?
A. Quality assurance analysis
B. Code review
C. Penetration testing
D. User acceptance testing
Answer: A
An organization plans to implement a document collaboration solution to allow employees to share company
information. Which of the following is the MOST important control to mitigate the risk associated with the
new solution?
A. Assign write access to data owners.
B. Allow a minimum number of users access to the solution.
C.

C. Have data owners perform regular user access reviews.
D. Permit only non-sensitive information on the solution.
Answer: C
Which of the following is the MOST important reason for performing a cost-benefit analysis when
implementing a security control?
A. To ensure that the mitigation effort does not exceed the asset value
B. To present a realistic information security budget
C. To ensure that benefits are aligned with business strategies
D. To justify information security program activities
Answer: A
Which of the following is the GREATEST benefit of a centralized approach to coordinating information
security?
A. Business user buy-in
B. Optimal use of security resources
C. Reduction in the number of policies
D. Integration with business functions
Answer: B
Which of the following is the MOST important reason for an organization to develop an information security
governance program?
A. Compliance with audit requirements
B. Creation of tactical solutions
C. Establishment of accountability
D. Monitoring of security incidents

Answer: C
An information security manager has determined that the mean time to prioritize information security
incidents has increased to an unacceptable level. Which of the following processes would BEST enable the
information security manager to address this concern?
A. Forensic analysis
B. Incident response
C. Incident classification
D. Vulnerability assessment
Answer: C
Which of the following is the BEST method to protect against data exposure when a mobile device is stolen?
A. Password protection
B. Insurance
C. Encryption
D. Remote wipe capability
Answer: C
A validated patch to address a new vulnerability that may affect a mission-critical server has been released.
What should be done immediately?
A. Conduct an impact analysis.
B. Check the server s security and install the patch.
C. Add mitigating controls.
D. Take the server off-line and install the patch.
Answer: A

Which of the following is a PRIMARY goal of an information security program?
A. To provide metrics to support management's assertion that information security is
an organizational objective
B. To provide the highest level of protection available to an organization's
information assets
C. To provide assurance that information security controls protect assets in
accordance with the risk
D. To provide guidance to users, managers, and IT on organizational goals and
objectives to protect data
Answer: C
Which of the following would BEST ensure thai security risk assessment is integrated into the life cycle of
major IT projects
A. Having the Information security manager participate on the project steering committees
B. Applying global security standards to the IT projects
C. Integrating the risk assessment into the internal audit program
D. Training project managers on risk assessment
Answer: B
What is the MOST important role of an organization's data custodian in support of the information security
function?
A. Assessing data security risks to the organization
B. Applying approved security policies
C. Evaluating data security technology vendors
D.

D. Approving access rights to departmental data
Answer: B
For an organization that provides web-based services, which of the following security events would MOST
likely initiate an incident response plan and be escalated to management?
A. Several port scans of the web server
B. Multiple failed login attempts on an employee's workstation
C. Suspicious network traffic originating from the demilitarized zone (DMZ)
D. Anti-malware alerts on several employees' workstations
Answer: D
Which of the following provides a sound basis for effective security change management?
A. Configuration management
B. Password management
C. Incident management
D. Version management
Answer: A
Which of the following is MOST appropriate to include in an information security policy?
A. Statements of management's intent to support the goals of information security
B. A set of information security controls to maintain regulatory compliance
C. A definition of minimum level of security that each system must meet
D. The strategy for achieving security program outcomes desired by management
Answer: A

A newly appointed Information security manager finds mere is minimal interaction between departments in
identifying ...risk due to the organization's current decentralized structure What is the managers BEST course
of action?
A. Modify the current practices within the governance framework.
B. identify appropriate risk management training for relevant staff in the departments
C. Propose the creation of a consolidated organizational risk register to track risk
D. Recommend consolidating all risk management activities under a central authority.
Answer: D
Which of the following would provide the BEST input to a business case for a technical solution to address
potential system vulnerabilities?
A. Penetration test results
B. Business impact analysis (BIA)
C. Risk assessment
D. Vulnerability scan results
Answer: B
What should an information security manager do FIRST when made aware of a new regulation which may
require the redesign of existing information security processes?
A. Develop a future state roadmap.
B. Perform a cost-benefit analysis.
C. Perform a gap analysis.
D. Develop a business case.
Answer: C

Which of the following is MOST important to help ensure an intrusion prevention system (IPS) can view all
traffic in a demilitarized zone (DMZ)?
A. All Internal traffic is routed to the IPS.
B. Connected devices can contact the IPS.
C. The IPS is placed outside of the firewall.
D. Traffic is decrypted before processing by the IPS.
Answer: D
Which of the following is MOST helpful for aligning security operations with the IT governance framework?
A. Information security policy
B. Security risk assessment
C. Business impact analysis (B1A)
D. Security operations program
Answer: B
While conducting a test of a business continuity plan (BCP). which of the following is the MOST important
consideration?
A. The test involves IT members in the test process
B. The test simulates actual prime-time processing conditions.
C. The test addresses the critical components
D. The test is scheduled to reduce operational impact
Answer: B
A risk assessment has been conducted following a data owner's decision to outsource an application to a cloud
provider Which of the following should be the information security manager's NEXT course of action?

A. Conduct an application vulnerability scan
B. Review the contract with the cloud provider
C. Inform senior management
D. Conduct a security assessment on the cloud provider.
Answer: D
Which of the following is the MOST effective way for an organization to ensure its third-party service
providers are aware of information security requirements and expectations?
A. Inducting information security clauses within contracts
B. Auditing the service delivery of third-party providers
C. Requiring third parties to sign confidentiality agreements
D. Providing information security training to third-party personnel
Answer: A
Which of the following defines the MOST comprehensive set of security requirements for a newly developed
information system?
A. Baseline controls
B. Risk assessment results
C. Audit findings
D. Key risk indicators (KRls)
Answer: B
The MOST important reason to maintain metrics for incident response activities is to
A. support continual process improvement.
B.

B. analyze security incident bends
C. ensure that evidence collection and preservation are standardized
D. prevent incidents from reoccurring.
Answer: A
Which of the following is the MOST appropriate party to approve an information security strategy?
A. Information security management committee
B. Chief information officer
C. Chief information security officer
D. Executive leadership team
Answer: D
Which of the following is MOST important in the development of metrics for the effectiveness of information
security?
A. Using clearly defined objectives
B. Using quantitative measurement
C. Using qualitative risk assessment results
D. Using standard reporting tools
Answer: A
When building a corporate-wide business continuity plan {BCP), it is discovered there are two separate lines
of business systems that could be impacted by the same threat. Which of the following is the BEST method to
determine the priority of system recovery in the event of a disaster?
A. Evaluating the cost associated with each system's outage
B. Comparing the recovery point objectives (RPOs)
C. Reviewing the business plans of each department
D. Reviewing each system's key performance indicators (KPIs)

Answer: B
Which of the following is the MOST effective approach of delivering security incident response training?
A. Provide on-the-job training and mentoring for the incident response team.
B. Engage external consultants to present real-world examples within the industry.
C. Include incident response training within new staff orientation.
D. Perform role-playing exercises to simulate real-world incident response scenarios.
Answer: A
Which of the following is the BEST option for addressing regulations that will adversely affect the allocation
of information security program resources?
A. Prioritize compliance efforts based on probability.
B. Determine compliance levels of peer organizations.
C. Conduct assessments for management decisions.
D. Delay implementation of compliance activities.
Answer: C
When considering whether to adopt bring your own device (BYOD). it is MOST important for the information
security manager to ensure that
A. security controls are applied to each device when joining the network.
B. the applications are tested prior to implementation
C. users have read and signed acceptable use agreements.
D. business leaders have an understanding of security risks
Answer: A

Which of the following should be the MOST important consideration when reporting sensitive risk-related
information to stakeholders?
A. Customizing the communication to the audience
B. Ensuring nonrepudiation of communication
C. Transmitting the internal communication securely
D. Consulting with the public relations director
Answer: A
Which of the following would be MOST useful in a report to senior management for evaluating changes in the
organization's information security risk position?
A. Trend analysis
B. Industry benchmarks
C. Management action plan
D. Risk register
Answer: A
Which of the following presents the MOST significant challenge when classifying IT assets?
A. Disagreement between asset owners and custodians
B. Complex asset classification scheme
C. Vulnerabilities in information assets
D. Information assets without owners
Answer: D
Risk identification, analysis, and mitigation activities can BCST be integrated into business life cycle

processes by linking them to:
A. continuity planning
B. compliance testing
C. configuration management.
D. change management
Answer: D
What is the BEST way to determine the level of risk associated with information assets processed by an IT
application?
A. Evaluate the potential value of information for an attacker.
B. Review the cost of acquiring the information assets for the business.
C. Calculate the business value of the information assets.
D. Research compliance requirements associated with the information.
Answer: C
Which of the following should be the MOST important consideration when implementing an information
security framework?
A. Compliance requirements
B. Audit findings
C. Risk appetite
D. Technical capabilities
Answer: A
Presenting which of the following to senior management will be MOST helpful in securing ongoing support
for the information security strategy?
A. Historical security incidents
B.

B. Current vulnerability metrics
C. Return on security investment
D. Completed business impact analyses (BIAs)
Answer: C
A global organization has developed a strategy to share a customer information database between offices in
two countries. In this situation, it is MOST important to ensure:
A. data is encrypted in transit and at rest
B. data sharing complies with local laws and regulations at both locations.
C. a nondisclosure agreement is signed.
D. risk coverage is split between the two locations sharing data.
Answer: B
The MOST important objective of monitoring key risk indicators (KRIs) related to information security is to:
A. minimize loss from security incidents.
B. identify change in security exposures.
C. reduce risk management costs
D. meet regulatory compliance requirements.
Answer: B
Which of the following is a benefit of using key risk indicators (KRIs)?
A. Reduction in the annual loss expectancy (ALE)
B. Determination of the residual risk value
C. Ability to analyze risk trends
D. Support for the incident response process

Answer: C
A corporate web site has become compromised as a result of a malicious attack. Which of the following
should the information security manager do FIRST?
A. Contain the incident.
B. Perform a root cause analysis.
C. Restore the system from backup.
D. Escalate the incident to senior management.
Answer: A
The MAIN objective of identifying and evaluating risk at each software development life cycle (SDLC) stage
is to reduce the:
A. acceptance test time
B. development time
C. number of software security controls
D. mitigation costs.
Answer: D
Which of the following is the PRIMARY purpose of establishing an information security governance
framework?
A. To proactively address security objectives
B. To enhance business continuity planning
C. To reduce security audit issues
D. To minimize security risks

Answer: A
Which of the following is the BEST source of information to help determine whether a third party's
connections to the organization's internal network are aligned with internal control requirements?
A. Security architectural diagrams
B. Service level agreements (SLAs)
C. Contractual requirements
D. Data classification standards
Answer: C
An organization has announced new initiatives to establish a big data platform and develop mobile apps. What
is the FIRST step when defining new human resource requirements?
A. Determine the security technology requirements for the initiatives
B. Analyze the skills necessary to support the new initiatives.
C. Request additional funding for recruiting and training
D. Benchmark to an industry peer
Answer: B
A risk management program will be MOST effective when:
A. business units are involved in risk assessments,
B. risk assessments are conducted by a third party.
C. risk appetite is sustained for a long period risk
D. assessments are repeated periodically
Answer: A

In a large organization, defining recovery time objectives (RTOs) is PRIMARILY the responsibility of;
A. the information security manager.
B. the IT manager
C. senior management
D. the business unit manager.
Answer: D
Which of the following BEST demonstrates that the objectives of an information security governance
framework are being met?
A. Penetration test results
B. Balanced scorecard
C. Risk dashboard
D. Key performance indicators (KPIs)
Answer: D
Several identified risks have been mitigated to an acceptable level with appropriate controls Which of the
following activities would BEST help to maintain acceptable risk levels?
A. Frequent assessments of inherent risks
B. Periodic reviews of changes to the environment
C. Periodic cost-benefit analyses of the implemented controls
D. Frequent assessments of risks action plans
Answer: B
Which of the following is MOST effective in reducing the financial impact following a security breach leading
to data disclosure9

A. An incident response plan
B. Backup and recovery strategy
C. A data loss prevention (DLP) solution
D. A business continuity plan (BCP)
Answer: B
Which of the following would provide the BEST justification for a new information security investment?
A. Defined key performance indicators (KPls)
B. Senior management involvement in project prioritization
C. Projected reduction in risk
D. Results of a comprehensive threat analysis
Answer: C
To meet operational business needs. IT staff bypassed the change process and applied an unauthorized update
to a critical business system Which of the following is the information security manager's BEST course of
action?
A. Assess the security risks introduced by the change.
B. Consult with supervisors of IT staff regarding disciplinary action
C. Update the system configuration item to reflect the change
D. Instruct IT staff to revert the unauthorized update
Answer: A
An organization has decided to store production data in a cloud environment. What should be the FIRST
consideration?
A. Data isolation
B.

B. Data classification
C. Data transfer
D. Data backup
Answer: B
Which of the following should cause the GREATEST concern for an information security manager reviewing
the effectiveness of an intrusion prevention system (IDS)?
A. Decrease in false positives
B. Increase in false negatives
C. Decrease in malicious packets
D. Increase in crossover error rate
Answer: B
Which of the following is MOST effective against system intrusions?
A. Continuous monitoring
B. Two-factor authentication
C. Layered protection
D. Penetration testing
Answer: C
Which of the following should be of MOST influence to an information security manager when developing IT
security policies?
A. Put and current threats
B. Compliance with regulations
C. IT security framework
D.

D. Business strategy
Answer: B
When a security weakness is detected at facilities provided by an IT service provider, which of the following
tasks must the information security manager perform FIRST?
A. Advise the service provider of countermeasures.
B. Assess compliance with the service provider's security policy.
C. Reiterate the relevant security policy and standards
D. Confirm the service providers contractual obligations.
Answer: D
The PRIMARY purpose of a periodic threat and risk assessment report to senior management is to
communicate the:
A. probability of future incidents.
B. status of the security posture.
C. risk acceptance criteria
D. cost-benefit of security controls,
Answer: B
Which of the following would be MOST helpful in gaming support for a business case for an Information
security initiative9
A. Referencing control deficiencies
B. Demonstrating organizational alignment
C. Emphasizing threats to the organization
D. Presenting a solution comparison matrix

Answer: B
The effectiveness of an information security governance framework will BEST be enhanced if:
A. a culture of legal and regulatory compliance is promoted by management.
B. IS auditors are empowered to evaluate governance activities,
C. consultants review the information security governance framework
D. risk management is built into operational and strategic activities.
Answer: A
An online trading company discovers that a network attack has penetrated the firewall What should be the
information security manager's FIRST response?
A. Implement mitigating controls
B. Examine firewall logs to identity the attacker
C. Notify the regulatory agency of the incident
D. Evaluate the impact to the business.
Answer: B
System logs and audit logs for sensitive systems should be stored
A. on a shared Internal server
B. on a dedicated encrypted storage server,
C. In an encrypted folder on each server.
D. on a cold site server.
Answer: B

An information security manager has developed a strategy to address new information security risks resulting
from recent change the business. Which of the following would be MOST important to include when
presenting the strategy to senior management?
A. The costs associated with business process changes
B. The impact of organizational changes on the security risk profile
C. Results of benchmarking against industry peers
D. Security controls needed for risk mitigation
Answer: B
Which of the following should an information security manager do FIRST upon learning that a data loss
prevention (DLP) scanner has identified payment card information (PCI) stored in cleartext within accounting
file shares?
A. Assess the level of noncompliance.
B. Report the issue to senior management.
C. Initiate the incident response process.
D. Perform an organization-wide risk assessment.
Answer: A
During which stage of the software development life cycle (SDLC) should application security controls FIRST
be addressed?
A. Application system design
B. Configuration management
C. Requirements gathering
D. Software code development
Answer: A

Following a significant change to the underlying code of an application, it is MOST important for the
information security manager to:
A. modify key risk indicators (KRIs).
B. validate the user acceptance testing (UAT).
C. inform senior management.
D. update the risk assessment.
Answer: D
Which of the following is the MOST significant security risk in IT asset management?
A. Unregistered IT assets may riot be included in security documentation.
B. Unregistered IT assets may not be configured properly.
C. IT assets may be used by staff for private purposes.
D. Unregistered IT assets may not be supported.
Answer: B
An organization has identified an increased threat of external brute force attacks in its environment. Which of
the following is the MOST effective way to mitigate this risk to the organization's critical systems?
A. Increase the frequency of log monitoring and analysis.
B. Increase the sensitivity of intrusion detection systems.
C. Implement a security information and event management system (SIEM).
D. Implement multi-factor authentication (MFA).
Answer: C
When developing an escalation process for an incident response plan, the information security manager should
PRIMARILY consider the:
A.

A. affected stakeholders
B. media coverage
C. incident response team
D. availability of technical resources.
Answer: A
Which of the following would MOST likely require a business continuity plan to be invoked?
A. An unauthorized visitor discovered in the data center
B. A distributed denial of service attack on an email server
C. An epidemic preventing staff from performing job functions
D. A hacker holding personally identifiable information hostage
Answer: C
Which of the following is the PRIMARY responsibility of the information security manager when an
organization implements the use of personally-owned devices on the corporate network?
A. Requiring remote wipe capabilities
B. Conducting security awareness training
C. Enforcing defined policy and procedures
D. Encrypting the data on mobile devices
Answer: C
A risk was identified during a risk assessment. The business process owner has chosen to accept the risk
because the cost of remediation is greater than the projected cost of a worst-case scenario. What should be the
information security manager's NEXT course of action?
A. Document and schedule a date to revisit the issue.
B. Document and escalate to senior management.

C. Shut down the business application.
D. Determine a lower-cost approach to remediation.
Answer: A
Which of the following is the MOST effective preventive control?
A. Review of audit logs
B. Segregation of duties
C. Warning banners on login screens
D. Restoration of a system from backup
Answer: B
An organization is planning to create a website that will collect site-visitor details from around the world and
use them as marketing lists for operations in several countries. Which of the following should be of MOST
concern to the information security manager?
A. Legislation regarding marketing in foreign countries
B. Privacy laws in each of the countries using the details for marketing
C. Using cryptography for transborder data flow
D. Wording of the website's policy statement on how the details will be used
Answer: B
Which of the following is the MOST relevant risk factor to an organization when employees use social media?
A. Social media can be used to gather intelligence for attacks.
B. Social media increases the velocity of risk and the threat capacity.
C. Social media offers a platform that can host cyber-attacks.

D. Social media can be accessed from multiple locations.
Answer: A
Which of the following should be the PRIMARY basis for determining risk appetite?
A. Independent audit results
B. Organizational objectives
C. Industry benchmarks
D. Senior management input
Answer: D
Conflicting objectives are MOST likely to compromise the effectiveness of the information security process
when information security management is:
A. reporting to the network infrastructure manager.
B. outside of information technology
C. combined with the change management function.
D. partially staffed by external security consultants
Answer: B
Which of the following should be the PRIMARY input when defining the desired state of security within an
organization?
A. Acceptable risk level
B. Annual loss expectancy
C. External audit results
D. Level of business impact
Answer: D

An application system stores customer confidential data and encryption is not practical. The BEST measure to
protect against data disclosure is:
A. nondisclosure agreements (NDA).
B. single sign-on.
C. multi-factor access controls.
D. regular review of access logs.
Answer: D
An information security manager has researched several options for handling ongoing security concerns and
will be presenting these solutions to business managers. Which of the following with BEST enable business
managers to make an informed decision?
A. Business impact analysis (BIA)
B. Cost-benefit analysis
C. Risk analysis
D. Gap analysis
Answer: A
An IT department is having difficulty controlling the installation and use of unauthorized software that is in
breach of organizational policy. Which of the following is the MOST effective solution?
A. Restrict local desktop administration rights.
B. Install a software monitoring tool on the network.
C. Train users on the acceptable use policies.
D. Conduct random workstation audits.
Answer: A

The PRIMARY reason for using information security metrics is to:
A. achieve senior management commitment.
B. adhere to legal and regulatory requirements
C. monitor the effectiveness of controls
D. ensure alignment with corporate requirements.
Answer: C
An information security manager has been made aware that implementing a control would have an adverse
impact to the business. The business manager has suggested accepting the risk. The BEST course of action by
the information security manager would be to:
A. document the risk exception
B. review existing technical controls.
C. recommend compensating controls
D. continue implementing the control.
Answer: C
Which of the following is the MOST effective way for an Information security manager to ensure that security
is incorporated into an organization's project development processes?
A. Participate in project initiation, approval, and funding.
B. Develop good communications with the project management office
C. Integrate organization's security requirements into project management.
D. Conduct security reviews during design, testing and implementation
Answer: C
Which of the following is the MAIN objective of classifying a security incident as soon as it is discovered?
A. Preserving relevant evidence

B. Engaging appropriate resources
C. Enabling appropriate incident investigation
D. Downgrading the impact of the incident
Answer: B
Which of the following is the MOST important reason to identify and classify the sensitivity of assets?
A. To determine the scope of the information security program
B. To allocate the information security program budget
C. To assign appropriate controls
D. To reduce the cost of protective controls
Answer: C
Which of the following is necessary to determine what would constitute a disaster for an organization?
A. Threat probability analysis
B. Backup strategy analysis
C. Recovery strategy analysis
D. Risk analysis
Answer: D
Which of the following is the GREATEST benefit of integrating information security program requirements
into vendor management?
A. The ability to reduce risk in the supply chain
B. The ability to meet industry compliance requirements
C. The ability to define service level agreements (SLAs)
D.

D. The ability to improve vendor performance
Answer: A
Following a highly sensitive data breach at a large company, all servers and workstations were patched. The
information security manager s NEXT step should be to:
A. inform senior management of changes in risk metrics.
B. perform an assessment to measure the current state
C. deliver security awareness training.
D. ensure baseline back-ups are performed.
Answer: B
Which of the following is the BEST method for management to obtain assurance of compliance with its
security policy?
A. Question staff concerning their security duties.
B. Conduct regular independent reviews.
C. Train staff on their compliance responsibilities.
D. Review security incident logs.
Answer: B
When making an outsourcing decision, which of the following functions is MOST important to retain within
the organization?
A. Security management
B. Incident response
C. Risk assessment
D. Security governance

Answer: D
The PRIMARY reason for defining the information security roles and responsibilities of staff throughout an
organization is to:
A. reinforce the need for training.
B. comply with security policy.
C. increase corporate accountability
D. enforce individual accountability.
Answer: D
An organization is adopting a standardized corporate chat messaging technology to help facilitate

communication among business units. Which of the following is an ESSENTIAL task associated with this
initiative?
A. Increasing security and operational staffing to support the technology
B. Restricting the use of the technology in departments with sensitive information
C. Enforcing encryption of chat communications
D. Reviewing existing organizational policies regarding the new technology
Answer: D
Which is MOST important when contracting an external party to perform a penetration test?
A. Define the project scope
B. Increase the frequency of log reviews.
C. Provide network documentation.
D. Obtain approval from IT management.
Answer: D

Which of the following factors are the MAIN reasons why large networks are vulnerable?
A. Connectivity and complexity
B. Inadequate training and user errors
C. Network operating systems and protocols
D. Hacking and malicious software
Answer: A
Which of the following is MOST important to consider when developing a business case to support the
investment In an information security program?
A. Senior management support
B. Results of a cost-benefit analysis
C. Results of a risk assessment
D. Impact on the risk profile
Answer: A
Which of the following is the MOST reliable way to ensure network security incidents are Identified as soon
as possible'
A. Tram help desk staff to identify and prioritize security incidents
B. Conduct workshops and training sessions with end users.
C. Install stateful inspection firewalls
D. Collect and correlate IT Infrastructure event logs
Answer: D

Which of the following provides the BEST indication of strategic alignment between an organization's
information security program and business objectives?
A. Security audit reports
B. A balanced scorecard
C. Key risk indicators (KRIs)
D. A business impact analysis (BIA)
Answer: B
An information security manager has been tasked with implementing a security awareness training program
Which of this ..... have the MOST influence on the effectiveness of this program?
A. Basing the training program on industry best practices
B. Obtaining buy-in from end users
C. Tailoring the training to the organization's environment
D. Obtaining buy-in from senior management
Answer: C
The GREATEST advantage of defining multiple types of system administrator accounts with different
privileges is that it helps to ensure:
A. compliance with the acceptable use policy
B. adequate control of system administration responsibilities
C. load balancing of system administration processing activities
D. increased productivity of system administrators.
Answer: B
The BEST way to ensure information security efforts and initiatives continue to support corporate strategy is
by:
A.

A. including the CIO in the information security steering committee.
B. conducting benchmarking with industry best practices.
C. including information security metrics in the organizational metrics.
D. performing periodic internal audits of the information security program
Answer: C
From an Information security perspective, legal issues associated with a transborder flow of
technology-related items are MOST often related to
A. website transactions and taxation.
B. lack of competition and free trade
C. software patches and corporate data
D. encryption tools and personal data
Answer: A
Which of the following will provide the MOST accurate test results for a disaster recovery plan (DRP)?
A. Full interruption test
B. Structured walk-through
C. Parallel test
D. Simulation test
Answer: A
Which of the following is MOST important for an information security manager to ensure when evaluating
change requests?
A. Residual risk is within risk tolerance.
B. Requests are approved by process owners.
C. Contingency plans have been created.
D.

D. Requests add value to the business.
Answer: A
The MOST important reason to use a centralized mechanism to identify information security incidents is to:
A. prevent unauthorized changes to networks
B. detect threats across environments
C. detect potential fraud.
D. comply with corporate policies
Answer: B
When scoping a risk assessment, assets need lo be classified by
A. redundancy and recoverability
B. sensitivity and criticality.
C. threats and opportunities
D. likelihood and impact.
Answer: B
Which of the following is the BEST way for an information security manager to justify ongoing annual
maintenance fees associated with an intrusion prevention system (IPS)*?
A. Provide yearly competitive pricing to illustrate the value of the IPS.
B. Establish and present appropriate metrics that track performance
C. Perform industry research annually and document the overall ranking of the IPS
D. Perform a penetration test to demonstrate the ability to protect
Answer: B

Which of the following is the BEST evidence of an effectively designed key risk indicator (KRI)?
A. The KRI is quantitative
B. The KRI measures inherent risk.
C. The KRI predicts threats
D. The KRI incorporates risk appetite
Answer: B
Which of the following poses the GREATEST risk to the operational effectiveness of an incident response
team?
A. The lack of automated communication channels
B. The lack of forensic investigation skills
C. The lack of delegated authority
D. The lack of a security information and event management (SIEM) system
Answer: C
Which of the following provides the GREATEST assurance that existing controls meet compliance
requirements?
A. Performing independent tests
B. Evaluating metrics
C. Performing a risk assessment
D. Reviewing policies
Answer: B

A payroll application system accepts individual user sign-on IDs and then connects to its database using a
single application ID. The GREATEST weakness under this system architecture is that:
A. the database becomes unavailable if the password of The application ID expires.
B. an incident involving unauthorized access to data cannot be tied to a specific user
C. users can gam direct access to the application ID and circumvent data controls,
D. when multiple sessions with the same application ID collide, the database locks up
Answer: B
An organization plans to acquire and implement a new web-based solution to enhance service functionality.
Which of the following is the BEST way to ensure that information handled by the solution is secure?
A. Integrate the organization's security requirements into the contract.
B. Adopt secure coding practices during the solution's development.
C. Conduct a security audit before implementing the solution in production.
D. Embed security requirements throughout the life cycle of the solution.
Answer: D
A business unit is preparing the business case for acquiring an e-commerce solution Which of Ihe following
should be provided by the information security manager?
A. A cost-benefit analysis of the solution to be acquired
B. An analysis of the solution's security requirements
C. Information security staff training requirements to support the solution
D. A return on investment (ROI) assessment of the solution to be acquired
Answer: B
Which of the following is a PRIMARY responsibility of an information security governance committee?
A. Approving the purchase of information security technologies
B.

B. Approving the information security awareness training strategy
C. Reviewing the information security strategy
D. Analyzing information security policy compliance reviews
Answer: C
When reporting on the effectiveness of the information security program, which of the following is the BEST
way lo demonstrate improvement m security performance?
A. Report the results of a security control self-assessment (CSA).
B. Benchmark security metrics against industry standard
C. Provide a summary of security project return on investments (ROls) for the past year.
D. Present a penetration testing report conducted by a third party
Answer: D
Which of the following presents the GREATEST concern to the information security manager when using
account locking features on an online application? It can increase vulnerability to.
A. social engineering.
B. phishing.
C. brute force attacks.
D. denial of service.
Answer: D
Which of the following is MOST useful to an information security manager when conducting a post-incident
review of an attack?
A. Method of operation used by the attacker
B. Cost of the attack to the organization
C. Location of the attacker
D. Details from intrusion detection system (IDS) logs

Answer: D
An attacker was able to gain access to an organizations perimeter firewall and made changes to allow wider
external access and to steal data. Which of the following would have BEST provided timely identification of
this incident?
A. Implementing a data loss prevention (DLP) suite
B. Conducting regular system administrator awareness training
C. Deploying an intrusion prevention system (IPS)
D. Deploying a security information and event management system (SIEM)
Answer: D
Which of the following is the MOST important consideration when deciding whether to continue outsourcing
to a managed security service provider?
A. The business need for the function
B. The ability to meet deliverables
C. The vendor's reputation m the industry
D. The cost of the services
Answer: B
During the establishment of a service level agreement (SLA) with a cloud service provider, it is MOST
important for the information security manager to:
A. understand the cloud storage architecture in use to determine security risk.
B. ensure security requirements are contractually enforceable.
C. update the security policy to reflect the provider's terms of service.
D. set up proper communication paths with the provider.

Answer: B
An organization is considering a self-service solution for the deployment of virtualized development servers.
Which of the following should be information security manager's PRIMARY concern?
A. Ability to maintain server security baseline
B. Generation of excessive security event logs
C. Segregation of servers from the production environment
D. Ability to remain current with patches
Answer: A
Which of the following is the BEST way to integrate information security into corporate governance?
A. Engage external security consultants in security initiatives.
B. Conduct comprehensive information security management training for key stakeholders.
C. Ensure information security processes are part of the existing management processes.
D. Require periodic security risk assessments be performed.
Answer: C
Which of the following recovery approaches generally has the LOWEST periodic cost?
A. Redundant site
B. Reciprocal agreement
C. Shared contingency center
D. Cold site
Answer: D

Which of the following metrics would BEST monitor how well information security requirements are
incorporated into the change management process?
A. Information security related changes
B. Unauthorized changes in the environment
C. Information security incidents caused due to unauthorized changes
D. Denied changes due to insufficient security details
Answer: C
Which of the following is the MOST important reason to have documented security procedures and
guidelines?
A. To facilitate collection of security metrics
B. To meet regulatory compliance requirements
C. To allocate security responsibilities to staff
D. To enable standard security practices
Answer: D
An organization is considering moving lo a cloud service provider for the storage of sensitive data Which of
the following .... consideration FIRST?
A. Results of the cloud provider's control report
B. A destruction-of-data clause m the contract
C. Right to terminate clauses In the contract
D. Requirements for data encryption
Answer: D
An organization's information security manager is performing a post-incident review of a security incident in

which the following events occurred:

• A bad actor broke into a business-critical FTP server by brute forcing an administrative password
• The third-party service provider hosting the server sent an automated alert message to the help desk, but was
ignored
• The bad actor could not access the administrator console, but was exposed to encrypted data transferred to
the server
• After three (3) hours, the bad actor deleted the FTP directory causing incoming FTP attempts by legitimate
customers to fail
Which of the following poses the GREATEST risk to the organization related to This event?
A. Downtime of the service
B. Potential access to the administrator console
C. Disclosure of stolen data
D. Removal of data
Answer: A
To integrate security into system development fie cycle (SDLC) processes, an organization MUST ensure that
security.
A. Roles and responsibly have been defined
B. Is a prerequisite for complete of major phases
C. Is a represented on the configuration control board.
D. Performance metrics have been met.
Answer: B
The criticality of an information asset is derived from its:
A. replacement cost
B. threat level
C. business value
D. frequency of use.

Answer: C
Which of the following security controls should be integrated FIRST into procurement processes to improve
the security of the services provided by suppliers'?
A. Performing risk assessments to identify security concerns
B. Conducting penetration testing to identify security vulnerabilities
C. Performing regular security audits to determine control deficiencies
D. Creating service contract templates to include security provisions
Answer: D
Which of the following would be MOST important to include in a bring your own device (BYOD) policy with
regard to lost or stolen devices? The need for employees to:
A. seek advice from the mobile service provider
B. initiate the company's incident reporting process
C. notify local law enforcement.
D. request a remote wipe of the device
Answer: B
Which of the following BEST supports information security management in the event of organizational
changes in security personnel?
A. Developing an awareness program for staff
B. Ensuring current documentation of security processes
C. Formalizing a security strategy and program
D. Establishing processes within the security operations team
Answer: D

When an organization lacks internal expertise to conduct highly technical forensics investigations, what is the
BEST way to ensure effective and timely investigations following an information security incident?
A. Provide forensics training to the information security team.
B. Purchase forensic standard operating procedures.
C. Ensure the incident response policy allows hiring a forensics firm.
D. Retain a forensics firm prior to experiencing an incident.
Answer: B
Which of the following should be the PRIMARY objective when developing an information security strategy?
A. To reduce potential business exposure
B. To establish security metrics and performance monitoring
C. To delegate regulatory compliance activities
D. To educate business owners regarding security responsibilities
Answer: A
An internal control audit has revealed a control deficiency related to a legacy system where the compensating
controls no longer appear to be effective. Which of the following would BEST help the information security
manager determine the security requirements to resolve the control deficiency?
A. Risk assessment
B. Gap analysis
C. Cost-benefit analysis
D. Business case
Answer: B

Threat and vulnerability assessments are important PRIMARILY because they are:
A. used to establish security investments.
B. needed to estimate risk.
C. the basis for setting control objectives.
D. elements of the organization's security posture.
Answer: C
Which of the following would BEST enable effective decision-making?
A. Annualized loss estimates determined from past security events
B. Formalized acceptance of risk analysis by business management
C. A universally applied list of generic threats, impacts, and vulnerabilities
D. A consistent process to analyze new and historical information risk
Answer: D
The responsibility for approving access to data according to the organization's data classification policy
belongs to the:
A. data owner
B. system administrator.
C. data end user
D. information security manager
Answer: A
Which of the following is MOST important for an information security manager to verify when selecting a
third-party forensics provider?
A.

A. Existence of the provider's Incident response plan
B. Results of the provider's business continuity tests
C. Existence of a right-to-audit clause
D. Technical capabilities of the provider
Answer: C
Who should be responsible for determining the classification of data within a database used in conjunction
with an enterprise application?
A. Data owner
B. Information security manager
C. Database architect
D. Database administrator
Answer: A
A core business unit relies on an effective legacy system that does not meet the current security standards and
threatens that enterprise network. Which of the following is the BEST course of action to address the
situation?
A. Require that new systems that can meet the standards be implemented.
B. Document the deficiencies in the risk register.
C. Develop processes to compensate for the deficiencies.
D. Disconnect the legacy system from the rest of the network.
Answer: C
Which of the following is an important criterion for developing effective key risk indicators (KRIs) to monitor
information security risk?
A. The indicator should align with key performance indicators (KPIs) and measure root causes of process
performance issues.

B. The indicator should possess a high correlation with a specific risk and be measured on a regular basis
C. The indicator should focus on IT and accurately represent risk variances.
D. The indicator should provide a retrospective view of risk impacts and be measured annually.
Answer: A
Which of the following will MOST effectively minimize the chance of inadvertent disclosure of confidential
information?
A. Restricting the use of removable media
B. Applying data classification rules
C. Following the principle of least privilege
D. Enforcing penalties for security policy violations
Answer: C
Which of the following would BEST demonstrate the status of an organization's information security program
to the board of directors?
A. The information security operations matrix
B. Changes to information security risks
C. Results of a recent external audit
D. Information security program metrics
Answer: C
Which of the following messages would be MOST effective in obtaining senior management's commitment to
information security management?
A. Security supports and protects the business.
B. Adopt a recognized framework with metrics.

C. Security is a business product and not a process.
D. Effective security eliminates risk to the business.
Answer: C
When establishing an information security strategy, which of the following activities Is MOST helpful in
Identifying critical areas to be protected?
A. Adopting an information security framework
B. Establishing a baseline of network operations
C. Conducting a risk assessment
D. Performing vulnerability scans
Answer: C
What is the BEST way for a customer to authenticate an e-commerce vendor?
A. Use a secure communications protocol for the connection.
B. Verify the vendor's certificate with a certificate authority.
C. Request email verification of the order
D. Encrypt the order using the vendor s private key
Answer: B
When training an incident response team, the advantage of using tabletop exercises is that they:
A. enable the team to develop effective response interactions.
B. ensure that the team can respond to any incident
C. provide the team with practical experience in responding to incidents.
D. remove the need to involve senior managers in the response process.
Answer: B

A risk has been formally accepted and documented. Which of the following is the MOST important action for
an information security manager?
A. Update risk tolerance levels.
B. Notify senior management and the board.
C. Monitor the environment for changes
D. Re-evaluate the organization's risk appetite
Answer: C
Which of the following will BEST facilitate the development of appropriate incident response procedures?
A. Performing vulnerability assessments
B. Assessing capability maturity
C. Conducting scenario testing
D. Analyzing key risk indicators (KRIs)
Answer: D
When preparing a risk treatment plan, which of the following is the MOST important consideration when
reviewing options for mitigating risk?
A. Cost-benefit analysis
B. User acceptance
C. Control identification
D. Business impact analysis (BIA)
Answer: A

Which of the following provides the GREATEST assurance that information security is addressed in change
management?
A. Performing a security audit on changes
B. Requiring senior management sign-off on change management
C. Reviewing changes from a security perspective
D. Providing security training for change advisory board
Answer: C
Which of the following BEST supports the alignment of information security with business functions?
A. A focus on technology security risk within business processes
B. IT management support of security assessments
C. Business management participation in security penetration tests
D. Creation of a security steering committee
Answer: C
Which of the following models provides a client organization with the MOST administrative control over a
cloud-hosted environment?
A. Software as a Service (SaaS)
B. Infrastructure as a Service (laaS)
C. Platform as a Service (PaaS)
D. Storage as a Service (SaaS)
Answer: B
A multinational organization has developed a bring your own device (BYOD) policy that requires the
installation of mobile device management (MDM) software on personally owned devices. Which of the

following poses the GREATEST challenge for implementing the policy?
A. Differences in mobile OS platforms
B. Varying employee data privacy rights
C. Differences in corporate cultures
D. Translation and communication of policy
Answer: B
An information security manager is reviewing the organization's incident response policy affected by a
proposed public cloud integration. Which of the following will be the MOST difficult to resolve with the cloud
service provider?
A. Obtaining physical hardware for forensic analysis
B. Regular testing of incident response plan
C. Defining incidents and notification criteria
D. Accessing information security event data
Answer: A
Web-server security can BEST be enhanced by:
A. removing unnecessary services
B. enabling logging of all events
C. disabling automatic directory listing
D. implementing host-based intrusion detection.
Answer: A
A data-hosting organization's data center houses servers, applications, and data for a large number of
geographically dispersed customers. Which of the following strategies is the BEST approach for developing a
physical access control policy for the organization?
A.

A. Design single sign-on or federated access.
B. Develop access control requirements for each system and application.
C. Review customers' security policies.
D. Conduct a risk assessment 10 determine security risks and mitigating controls.
Answer: B
An outsourced vendor handles an organization's business-critical data. Which of the following is the MOST
effective way for the client organization to obtain assurance of the vendor's security practices?
A. Verifying security certifications held by the vendor
B. Reviewing the vendor's security audit reports
C. Requiring business continuity plans (BCPs) from the vendor
D. Requiring periodic independent third-party reviews
Answer: B
Which of the following is the MOST important consideration m a bring your own device (BYOD) program to
protect company data in the event of a loss?
A. The ability to restrict unapproved applications
B. The ability to classify types of devices
C. The ability to remotely locate devices
D. The ability to centrally manage devices
Answer: D
Which of the following is MOST helpful to developing a comprehensive Information security strategy?
A. Performing a business impact analysts (BIA).
B. Conducting a risk assessment

C. Adopting an industry framework
D. Gathering business objectives
Answer: D
Which of the following provides the BEST indication that the information security program is in alignment
with enterprise requirements?
A. Security strategy objectives are defined in business terms.
B. An IT governance committee is m place.
C. The security strategy is benchmarked with similar organizations
D. The information security manager reports to the chief executive officer.
Answer: A
During a review to approve a penetration test plan, which of the following should be an information security
manager’s PRIMARY concern?
A. Penetration test team’s deviation from scope
B. Unauthorized access to administrative utilities
C. False positive alarms to operations staff
D. Impact on production systems
Answer: D
Which of the following is MOST helpful in protecting against hacking attempts on the production network?
A. Intrusion prevention systems
B. Security information and event management (SIEM) tools
C. Network penetration testing
D. Decentralized honeypot networks

Answer: D
Which of the following should be the FIRST step when creating an organization's bring your own device
(BYOD) program?
A. identify data to be stored on the device
B. Develop an acceptable use policy.
C. Develop employee training.
D. Pretest approved devices
Answer: B
When monitoring the security of a web-based application, which of the following is MOST frequently
reviewed?
A. Access logs
B. Threat metrics
C. Audit reports
D. Access lists
Answer: A
Which of the following is the BEST way to reduce the risk of a ransomware attack?
A. Perform a network vulnerability assessment.
B. Authenticate inbound email and enable strong content filtering
C. Perform regular backups and validate the restoration process
D. Confirm backups are not connected to the network.
Answer: C

An organization is the victim of an attack generating multiple incident reports. Which of the following will
BEST enable incident handling and contain exposure?
A. The ability to effectively escalate incidents
B. The ability to acquire the appropriate resources
C. The ability to sort and classify events
D. The ability to isolate and secure the affected systems
Answer: D
Which of the following will BEST ensure that possible security incidents are correctly distinguished from
typical help desk requests?
A. Reviewing the help desk log
B. Periodic training of help desk personnel
C. Updating the help desk manual
D. Establishing a security incident hotline
Answer: B
An organization has decided to implement a security information and event management (SIEM) system. It is
MOST important for the organization to consider:
A. threat assessments.
B. data ownership.
C. industry best practices.
D. log sources.
Answer: D
Which of the following is the PRIMARY purpose for defining key performance indicators (KPIs) for a

security program?
A. To ensure controls meet regulatory requirements
B. To compare security program effectiveness to best practice
C. To evaluate the performance of security staff
D. To measure the effectiveness of the security program
Answer: D
Which of the following is the BEST indicator that an organization is appropriately managing risk?
A. The number of events reported from the intrusion detection system (IDS) has declined.
B. Risk assessment results are within tolerance
C. A penetration test does not identify any high-risk system vulnerabilities
D. The number of security incident events reported by staff has increased
Answer: B
In order to understand an organization's security posture, it is MOST important for an organizations senior
leadership to:
A. review the number of reported security Incidents,
B. evaluate results of the most recent incident response test
C. ensure established security metrics are reported.
D. assess progress of risk mitigation efforts.
Answer: B
An organization has purchased a security Information and event management (SIEM) tool. Which of the
following is MOST important lo consider before implementation?
A. Controls to be monitored

B. Reporting capabilities
C. The contract with the SIEM vendor
D. Available technical support
Answer: A
Which of the following is the MOST important security consideration when developing an incident response
strategy with a cloud provider?
A. Technological capabilities
B. Escalation processes
C. Security audit reports
D. Recovery time objective (RTO)
Answer: D
Which of the following should be an information security manager s MOST important consideration when
conducting a physical security review of a potential outsourced data center?
A. Environmental factors of the surrounding location
B. Availability of network circuit connections
C. Distance of the data center from the corporate office
D. Proximity to law enforcement
Answer: A
The FIRST step in a risk assessment for a business application is to:
A. identify the threats to the application
B. identify the vulnerabilities of the application
C. rank the threats to the application

D. identify the assets used by the application.
Answer: D
Which of the following trends BEST indicates that the maturity level of an information security program is
improving?
A. A decrease in residual risk
B. An increase in control self-assessments (CSAs) performed
C. A decrease in the number of security incidents
D. An increase in overall security funding
Answer: C
Which of the following approaches would MOST likely ensure that risk management is integrated into the
business life cycle processes?
A. Understanding the risk tolerance of corporate management
B. Integrating security risk into corporate risk management
C. Conducting periodic risk assessments
D. Integrating risk management into the software development life cycle
Answer: B
What would be an information security manager's BEST recommendation upon learning that an existing
contract with a third party does not clearly identify requirements for safeguarding the organization's critical
data?
A. Transfer the risk to the provider.
B. Cancel the outsourcing contract.
C. Initiate an external audit of the provider's data center.
D. Create an addendum to the existing contract.

Answer: D
Senior management has allocated funding to each of the organization s divisions to address information
security vulnerabilities The funding is based on each division's technology budget from the previous fiscal
year. Which of the following should be of GREATEST concern to the information security manager?
A. Redundant controls may be implemented across divisions.
B. Information security governance could be decentralized by division.
C. Areas of highest risk may not be adequately prioritized for treatment.
D. Return on investment may be inconsistently reported to senior management
Answer: C
Which of the following is MOST important when allowing employees to work at home using personally
owned devices?
A. Approving personally owned devices
B. Enforcing an end-point security policy
C. Assessing vulnerabilities of home wireless connections
D. Reviewing OS on personal devices
Answer: B
Conducting a cost-benefit analysis for a security investment is important because it
A. supports asset classification.
B. quantifies return on security investment
C. supports justification for expenditure.
D. quantifies residual risk
Answer: A

While auditing a data center's IT architecture, an information security manager discovers that required
encryption for data communications has not been implemented. Which of the following should be done
NEXT?
A. Evaluate compensating and mitigating controls.
B. Document and report the findings.
C. Perform a cost benefit analysis.
D. Perform a business impact analysis (BIA).
Answer: A
What should be the PRIMARY basis for defining the appropriate level of access control to information assets?
A. Business needs
B. Management requests
C. Audit findings
D. Compensating controls
Answer: A
The MOST important objective of security awareness training for business staff is to:
A. modify behavior
B. understand intrusion methods
C. reduce negative audit findings
D. increase compliance.
Answer: A
What should be an information security manager's BEST course of action if funding for a security-related
initiative is denied by a steering committee?
A.

A. Discuss the initiative with senior management.
B. Look for other ways to fund the initiative.
C. Provide information from industry benchmarks
D. Document the accepted risk
Answer: D
An organization establishes an internal document collaboration site. To ensure data confidently of each project
group, it is MOST important to:
A. Prohibit remote access to the site
B. Periodically recertify access rights.
C. Conduct vulnerability assessment
D. Enforce document life cycle management
Answer: B
The BEST way to establish a security baseline is by documenting:
A. a standard of acceptable settings
B. a framework of operational standards
C. the desired range of security settings
D. the organization's preferred security level.
Answer: A
An information security manager is concerned about the risk of fire at its data processing center To address
this concern, an automatic fire suppression system has been installed Which of the following risk treatments
has been applied?
A. Acceptance
B. Transfer

C. Mitigation
D. Avoidance
Answer: C
Which of the following is MOST effective in the strategic alignment of security initiatives?
A. A security steering committee is set up within the IT deployment.
B. Key information security policy are updated on a regular basis
C. Policies are created with input from business unit managers.
D. Business leaders participate in information security decision making
Answer: C
Shortly after installation, an intrusion detection system (IDS) reports a violation. Which of the following is the
MOST likely explanation?
A. The violation is a false positive.
B. A routine IDS log file upload has occurred,
C. An intrusion has occurred-
D. A routine IDS signature file download has occurred.
Answer: A
An organization wants to enable digital forensics for a business-critical application. Which of the following
will BEST help to support this objective?
A. Enable activity logging.
B. Define data retention criteria.
C. Install biometric access control.
D. Develop an incident response plan.

Answer: A
The MOST effective way to determine the resources required by internal Incident response teams is to
A. determine the scope and charter of incident response
B. request guidance (rom incident management consultants.
C. benchmark against other incident management programs
D. test response capabilities with event scenarios.
Answer: D
Senior management has endorsed a comprehensive information security policy. Which of the following should
the organization do NEXT?
A. Promote awareness of the policy among employees.
B. Implement an authentication and authorization system.
C. Identify relevant information security frameworks for adoption.
D. Seek policy buy-in from business stakeholders.
Answer: A
Which of the following is the MOST important criterion when deciding whether to accept residual risk?
A. Annual loss expectancy (ALE)
B. Cost of replacing the asset
C. Annual rate of occurrence (ARO)
D. Cost of additional mitigation
Answer: B

The use of digital signatures ensures that a message:
A. sender obtains acknowledgment of delivery
B. remains available during transmission
C. is not intercepted during transmission
D. is not altered during transmission.
Answer: D
The MAIN reason for an information security manager to monitor industry level changes in the business and
IT is to:
A. evaluate the effect of the changes on the levels of residual risk.
B. identify changes in the risk environment
C. update information security policies in accordance with the changes
D. change business objectives based on potential impact
Answer: B
An information security manager wants to document requirements detailing the minimum security controls
required for user workstations. Which of the following resources would be MOST appropriate for this
purpose?
A. Procedures
B. Guidelines
C. Standards
D. Policies
Answer: D
Which of the following provides the MOST essential input for the development of an information security

strategy?
A. Availability of capable information security resources
B. Measurement of security performance against IT goals
C. Results of a technology risk assessment
D. Results of an information security gap analysis
Answer: D
An online payment provider's computer security incident response team has confirmed that a customer credit
card database was breached. Which of the following would be MOST important to include in a report to senior
management?
A. A summary of the security togs illustrating the sequence of events
B. A business case for implementing stronger logical access controls
C. An explanation of the potential business impact
D. An analysis of similar attacks and recommended remediation
Answer: C
An awareness program is implemented to mitigate the risk of infections introduced through the use of social
media Which of the following will BEST determine the effectiveness of the awareness program''
A. Employee attendance rate at the awareness program
B. A simulated social engineering attack
C. A post-awareness program survey
D. A quiz based on the awareness program materials
Answer: B
An organizations ability to prevent a security incident In a Software as a Service (SaaS) cloud-com puling
environment is MOST dependent on the:
A. ability to implement a web application firewall.
B.

B. ability to monitor and analyze system logs
C. configuration and sensitivity of an intrusion detection system (IDS)
D. granularity with which access rights can be configured
Answer: D
An incident was detected where customer records were altered without authorization. The GREATEST
concern for forensic analysis would be that the log data:
A. has been disclosed.
B. could be temporarily available.
C. may not be time-synchronized.
D. may be modified.
Answer: D
An organization rolled out information security awareness training and wants to perform an end-ot-year
assessment to determine the program's success. Which of the following would be the BEST indicator of the
program's effectiveness?
A. An increase in the number of security incidents throughout the organization
B. An increase in the number of employees completing training in a timely manner
C. An increase in the number of security-related inquiries to the help desk
D. An increase in the number of positive comments in trainee feedback surveys
Answer: C
When creating security baselines, it is MOST important to:
A. demonstrate adherence to compliance criteria
B. establish consistent enterprise-wide controls
C. identify critical systems storing sensitive data

D. establish maximum security requirements.
Answer: A
The PRIMARY objective of periodically testing an incident response plan should be to:
A. improve internal processes and procedures,
B. harden the technical infrastructure.
C. improve employee awareness of the incident response process,
D. highlight the importance of incident response and recovery.
Answer: D
Which of the following is MOST important to the successful implementation of an information security
program?
A. Understanding current and emerging technologies
B. Establishing key performance indicators (KPIs)
C. Obtaining stakeholder input
D. Conducting periodic risk assessments
Answer: C
When a critical incident cannot be contained in a timely manner and the affected system needs to be taken
offline, which of the following stakeholders MUST receive priority communication?
A. System end-users
B. System administrator
C. Business process owner
D. Senior management
Answer: C

An organization has contracted with an outsourcing company to address a security gap. Which of the
following is the BEST way to determine if the security gap has been addressed?
A. Vulnerability scan
B. Service level agreement (SLA)
C. Security risk assessment
D. Security audit
Answer: D
A business previously accepted the risk associated with a zero-day vulnerability The same vulnerability was
recently exploited in a high-profile attack on another organization m the same Industry Which of the following
should be the information security manager's FIRST course of action?
A. Reassess the risk in terms of likelihood and impact
B. Develop best and worst case scenarios
C. Report the breach of the other organization to senior management
D. Evaluate the cost of remediating the vulnerability
Answer: A
Which of the following should an information security manager do FIRST when a recent internal audit reveals
a security risk is more severe than previously assessed?
A. Escalate the finding to the business owner and obtain a remediation plan.
B. Update the risk register and notify the CISC
C. Validate the finding is legitimate and not a false positive.
D. Review the remainder of the internal audit report.
Answer: A

What is the MOST effective way to ensure information security incidents will be managed effectively and in a
timely manner?
A. Establish and measure key performance indicators (KPIs)
B. Test incident response procedures regularly.
C. Communicate incident response procedures to staff.
D. Obtain senior management commitment
Answer: B
An information security manager learns of a new international standard related to information security. Which
of the following would be the BEST course of action?
A. Review industry peers responses to the new standard.
B. Consult with legal counsel on the standard's applicability to regulations
C. Determine whether the organization can benefit from adopting the new standard.
D. Perform a gap analysis between the new standard and existing practices.
Answer: D
An organization has outsourced many application development activities to a third party that uses contract
programmers extensively. Which of the following would provide the BEST assurance that the third party's
contract programmers comply with the organization's security policies?
A. Conduct periodic vulnerability scans of the application.
B. Require annual signed agreements of adherence to security policies
C. Perform periodic security assessments of the contractors' activities.
D. Include penalties for noncompliance in the contracting agreement.
Answer: A

The BEST way for an information security manager to understand the critically of an online application is to
perform a
A. threat assessment
B. business process analysis
C. business impact analysis (BlA)
D. vulnerability assessment
Answer: C
Which of the following would BEST enable integration of information security governance into corporate
governance?
A. Ensuring appropriate business representation on the information security steering committee
B. Having the CIO chair the information security steering committee
C. Using a balanced scorecard to measure the performance of the information security strategy
D. Implementing IT governance, risk and compliance (IT GRC) dashboards
Answer: C
Which aspect of an incident response plan will MOST effectively help to limit reputational damage when
multiple media services are seeking a response following a major security breach?
A. The plan has been approved by executive management.
B. The plan establishes clear lines of responsibility.
C. The plan complies with regulatory requirements.
D. The plan has been reviewed by the media relations team.
Answer: C

An information security manager has identified and implemented mitigating controls according to industry
best practices. Which of the following is the GREATEST risk associated with this approach?
A. The security program may not be aligned with organizational objectives.
B. Important security controls may be missed without senior management input.
C. The mitigation measures may not be updated in a timely manner.
D. The cost of control implementation may be too high.
Answer: A
An organization manages payroll and accounting systems for multiple client companies Which of the
following contract terms would indicate a potential weakness for a disaster recovery hot site?
A. Servers will be provided at time of disaster (not on floor).
B. Work-area size Is limited but can be augmented with nearby office space
C. Timestamp of declaration will determine priority of access to facility
D. Exclusive use of hot site is limited to six weeks (following declaration)
Answer: A
Senior management is alarmed by recent media reports of severe security incidents at competing organizations
Which of the following would provide the BEST assurance that the organization's current security measures
are performing adequately?
A. Review the intrusion prevention system (IPS) logs
B. Require third-party penetration testing
C. Review the intrusion detection system (IDS) logs
D. Require internal penetration testing
Answer: B

About dumpscollection.com
dumpscollection.com was founded in 2007. We provide latest & high quality IT / Business Certification Training
Exam Questions, Study Guides, Practice Tests.
We help you pass any IT / Business Certification Exams with 100% Pass Guaranteed or Full Refund. Especially
Cisco, CompTIA, Citrix, EMC, HP, Oracle, VMware, Juniper, Check Point, LPI, Nortel, EXIN and so on.
View list of all certification exams: All vendors
We prepare state-of-the art practice tests for certification exams. You can reach us at any of the email addresses listed
below.
Sales: sales@dumpscollection.com
Feedback: feedback@dumpscollection.com
Support: support@dumpscollection.com
Skype ID: crack4sure@gmail.com
Any problems about IT certification or our products, You can write us back and we will get back to you within 24
hours.
15% Discount Coupon Code:

DC15disc

Isaca CISM 1

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Isaca CISM 1

Uploaded by

Copyright:

Available Formats

Isaca

Web: www.dumpscollection.com [ Total Questions: 430]

Exam Topic Breakdown

Success Guaranteed, 100% Valid 1 of 136

Topic 1, Exam Pool (Nov)

A. present the report to the steering committee.

B. determine the effect on the risk profile.

C. remediate the vulnerabilities.

D. assign accountability for the findings.

Question #:2 - (Exam Topic 1)

A. Needs of the organization

C. Disaster recovery plan

D. Information security policy

Question #:3 - (Exam Topic 1)

Success Guaranteed, 100% Valid 2 of 136

Question #:4 - (Exam Topic 1)

A. Performing post-change reviews before closing change tickets

B. Requiring approval by senior management

C. Performing a business impact analysis (B1A) prior to implementation

D. Conducting a security risk assessment prior to go-live

Question #:5 - (Exam Topic 1)

B. Review and update security policy on a regular basis

D. Management support and approval of the incident response plan

Question #:6 - (Exam Topic 1)

A. perform a financial viability study.

B. compare the framework with the current business strategy.

C. perform a technical feasibility analysis.

D. analyze the framework's legal implications and business impact.

Question #:7 - (Exam Topic 1)

Success Guaranteed, 100% Valid 3 of 136

The PRIMARY goal of a post-incident review should be to

A. determine why the incident occurred

B. determine how to improve the incident handling process

C. establish the cost of the incident to the business.

D. identify policy changes to prevent a recurrence

Question #:8 - (Exam Topic 1)

B. The information security policies lack alignment with corporate goals.

C. The information security program is not adequately funded.

D. The organization is operating in a highly regulated industry.

Question #:9 - (Exam Topic 1)

A. consolidating multiple sites into a single portal.

B. coding standards and code review.

C. using https in place of http.

D. hardening of the web server s operating system.

Question #:10 - (Exam Topic 1)

A. during the system design phase.

Success Guaranteed, 100% Valid 4 of 136

C. as part of application development.

D. when system requirements are defined.

Question #:11 - (Exam Topic 1)

A. To align the information security program to organizational strategy

B. To comply with external industry and government regulations

C. To support development of effective risk indicators

D. To gain senior management support for the information security program

Question #:12 - (Exam Topic 1)

A. Prevent incident recurrence.

B. Identify unmitigated risk.

C. Support business investments in security

D. Evaluate the security posture of the organization.

Question #:13 - (Exam Topic 1)

Success Guaranteed, 100% Valid 5 of 136

Question #:14 - (Exam Topic 1)

B. Business impact analysis (BIA)