Sample Exam
2. Which of the following is MOST likely to remain constant over time? An information security:
A. policy.
B. standard.
C. strategy.
D. procedure.
3. What is the PRIMARY factor to be taken into account when designing a backup strategy that
will be consistent with a disaster recovery strategy?
A. Volume of sensitive data
B. Recovery point objective
C. Recovery time objective
D. Interruption window
4. When performing a business impact analysis, which of the following should calculate the
recovery time and cost estimates?
A. Business continuity coordinator
B. Information security manager
C. Business process owners
D. IT management
6. Which of the following choices should be assessed after the likelihood of a loss event has
been determined?
A. The magnitude of impact
B. Risk tolerance
C. The replacement cost of assets
D. The book value of assets
7. What is the BEST method to confirm that all firewall rules and router configuration settings
are adequate?
A. Periodic review of network configuration
B. Review of intrusion detection system logs for evidence of attacks
C. Periodically perform penetration tests
D. Daily review of server logs for evidence of hacker activity
8. Which of the following is the BEST method for ensuring that temporary employees do not
receive excessive access rights?
A. Mandatory access controls
B. Discretionary access controls
C. Lattice-based access controls
D. Role-based access controls
10. To BEST improve the alignment of the information security objectives in an enterprise, the
chief information security officer should:
A. revise the information security program.
B. evaluate a business balanced scorecard.
C. conduct regular user awareness sessions.
D. perform penetration tests.
11. Which of the following factors is MOST important for the successful implementation of an
enterprise’s information security program?
A. Senior management support
B. Budget for security activities
C. Regular vulnerability assessments
D. Knowledgeable security administrators
12. Management decided that the enterprise will not achieve compliance with a recently issued
set of regulations. Which of the following is the MOST likely reason for the decision?
A. The regulations are ambiguous and difficult to interpret.
B. Management has a low level of risk tolerance.
C. The cost of compliance exceeds the cost of possible sanctions.
D. The regulations are inconsistent with the organizational strategy.
15. What is the BEST method to verify that all security patches applied to servers were properly
documented?
A. Trace change control requests to operating system (OS) patch logs.
B. Trace OS patch logs to OS vendor’s update documentation.
C. Trace OS patch logs to change control requests.
D. Review change control documentation for key servers.
16. Which of the following should be determined FIRST when establishing a business continuity
program?
A. Cost to rebuild information processing facilities
B. Incremental daily cost of the unavailability of systems
C. Location and cost of offsite recovery facilities
D. Composition and mission of individual recovery teams
18. What is the BEST way to ensure that security settings on each platform are in compliance
with information security policies and procedures?
A. Perform penetration testing.
B. Establish security baselines.
C. Implement vendor default settings.
D. Link policies to an independent standard.
19. New regulatory and legal compliance requirements that will have an effect on information
security will MOST likely come from the:
A. corporate legal officer.
B. internal audit department.
C. affected departments.
D. compliance officer.
20. Addressing the root cause of an incident is one aspect of which of the following incident
management processes?
A. Eradication
B. Recovery
C. Lessons learned
D. Containment
22. Which of the following is MOST important when collecting evidence for forensic analysis?
A. Ensure the assignment of qualified personnel.
B. Request the IT department do an image copy.
C. Disconnect from the network and isolate the affected devices.
D. Ensure law enforcement personnel are present before the forensic analysis commences.
24. Which of the following has the highest priority when defining an emergency response plan?
A. Critical data
B. Critical infrastructure
C. Safety of personnel
D. Vital records
26. Which of the following do security policies need to be MOST closely aligned with?
A. Industry good practices
B. Organizational needs
C. Generally accepted standards
D. Local laws and regulations
27. When creating an effective data-protection strategy, the information security manager must
understand the flow of data and its protection at various stages. This is BEST achieved with:
A. a third-party vulnerability assessment.
B. a tailored methodology based on exposure.
C. an insurance policy for accidental data losses.
D. a tokenization system set up in a secure network environment.
30. An enterprise has verified that its customer information was recently exposed. Which of the
following is the FIRST step a security manager should take in this situation?
A. Inform senior management.
B. Determine the extent of the compromise.
C. Report the incident to the authorities.
D. Communicate with the affected customers.
31. Which of the following is the BEST approach for an enterprise desiring to protect its
intellectual property?
A. Conduct awareness sessions on intellectual property policy.
B. Require all employees to sign a nondisclosure agreement.
C. Promptly remove all access when an employee leaves the enterprise.
D. Restrict access to a need-to-know basis.
32. Which of the following steps should be FIRST in developing an information security plan?
A. Perform a technical vulnerabilities assessment.
B. Analyze the current business strategy.
C. Perform a business impact analysis.
D. Assess the current levels of security awareness.
34. What mechanism should be used to identify deficiencies that would provide attackers with
an opportunity to compromise a computer system?
A. Business impact analysis
B. Security gap analysis
C. System performance metrics
D. Incident response processes
35. The MOST direct way to accurately determine the control baseline in an IT system is to do
which of the following activities?
A. Review standards and system compliance.
B. Sample hardware and software configurations.
C. Review system and server logs for anomalies.
D. Perform internal and external penetration tests.
36. Which of the following provides the BEST confirmation that the business continuity
plan/disaster recovery plan (BCP/DRP) objectives have been achieved?
A. The recovery time objective was not exceeded during testing.
B. Objective testing of the BCP/DRP has been carried out consistently.
C. The recovery point objective was proved inadequate by DRP testing.
D. Information assets have been valued and assigned to owners according to the BCP/DRP.
38. Which of the following would BEST prepare an information security manager for regulatory
reviews?
A. Assign an information security administrator as regulatory liaison.
B. Perform self-assessments using regulatory guidelines and reports.
C. Assess previous regulatory reports with process owner’s input.
D. Ensure all regulatory inquiries are sanctioned by the legal department.
40. Which of the following techniques MOST clearly indicates whether specific risk-reduction
controls should be implemented?
A. Cost-benefit analysis
B. Penetration testing
C. Frequent risk assessment programs
D. Annual loss expectancy calculation
42. Which of the following choices is the BEST indicator of the state of information security
governance?
A. A defined maturity level
B. A developed security strategy
C. Complete policies and standards
D. Low numbers of incidents
43. What is a desirable sensitivity setting for a biometric access control system that protects a
high-security data center?
A. A high false reject rate
B. A high false acceptance rate
C. Lower than the crossover error rate
D. The exact crossover error rate
44. The MOST useful way to describe the objectives in the information security strategy is
through:
A. attributes and characteristics of the desired state.
B. overall control objectives of the security program.
C. mapping the IT systems to key business processes.
D. calculation of annual loss expectations.
47. Which of the following measures would be MOST effective against insider threats to
confidential information?
A. Role-based access control
B. Audit trail monitoring
C. Privacy policy
D. Defense in depth
50. Which of the following will MOST likely reduce the chances of an unauthorized individual
gaining access to computing resources by pretending to be an authorized individual needing to
have their password reset?
A. Performing reviews of password resets
B. Conducting security awareness programs
C. Increasing the frequency of password changes
D. Implementing automatic password syntax checking
51. An information security strategy presented to senior management for approval MUST
incorporate:
A. specific technologies.
B. compliance mechanisms.
C. business priorities.
D. detailed procedures.
52. When outsourcing, to ensure that third-party service providers comply with an enterprise
security policy, which of the following should occur?
A. A predefined meeting schedule
B. A periodic security audit
C. Inclusion in the contract of a list of individuals to be called in the event of an incident (call
tree)
D. Inclusion in the contract of a confidentiality clause
54. The BEST process for assessing an existing risk level is:
A. an impact analysis.
B. a security review.
C. a vulnerability assessment.
D. a threat analysis.
56. Which of the following poses the GREATEST challenge to an enterprise seeking to prioritize
risk management activities?
A. An incomplete catalog of information assets
B. A threat assessment that is not comprehensive
C. A vulnerability assessment that is outdated
D. An inaccurate valuation of information assets
58. The factor that is MOST likely to result in identification of security incidents is:
A. effective communication and reporting processes.
B. clear policies detailing incident severity levels.
C. intrusion detection system capabilities.
D. security awareness training.
59. The MOST basic requirement for an information security governance program is to:
A. be aligned with the corporate business strategy.
B. be based on a sound risk management approach.
C. provide adequate regulatory compliance.
D. provide good practices for security initiatives.
60. What is the BEST way to determine if an anomaly-based intrusion detection system (IDS) is
properly installed?
A. Simulate an attack and review IDS performance.
B. Use a honeypot to check for unusual activity.
C. Audit the configuration of the IDS.
D. Benchmark the IDS against a peer site.
63. Which of the following factors is the MOST significant in determining an enterprise’s risk
appetite?
A. The nature and extent of threats
B. Organizational policies
C. The overall security strategy
D. The organizational culture
64. From an information security perspective, which of the following will have the GREATEST
impact on a financial enterprise with offices in various countries and involved in transborder
transactions?
A. Current and future technologies
B. Evolving data protection regulations
C. Economizing the costs of network bandwidth
D. Centralization of information security
66. The MOST effective way to limit actual and potential impacts of e-discovery in the event of
litigation is to:
A. implement strong encryption of all sensitive documentation.
B. ensure segregation of duties and limited access to sensitive data.
C. enforce a policy of not writing or storing potentially sensitive information.
D. develop and enforce comprehensive retention policies.
67. Which of the following choices is the MOST significant single point of failure in a public key
infrastructure?
A. A certificate authority’s (CA) public key
B. A relying party’s private key
C. A CA’s private key
D. A relying party’s public key
68. Which of the following choices is the BEST input for the definition of escalation guidelines?
A. Risk management issues
B. A risk and impact analysis
C. Assurance review reports
D. The effectiveness of resources
70. Information security managers should use risk assessment techniques to:
A. justify selection of risk mitigation strategies.
B. maximize the return on investment.
C. provide documentation for auditors and regulators.
D. quantify risk that would otherwise be subjective.
71. Which of the following functions is responsible for determining the members of the
enterprise’s response teams?
A. Governance
B. Risk management
C. Compliance
D. Information security
72. When a large enterprise discovers that it is the subject of a network probe, which of the
following actions should be taken?
A. Reboot the router connecting the demilitarized zone (DMZ) to the firewall.
B. Power down all servers located on the DMZ segment.
C. Monitor the probe and isolate the affected segment.
D. Enable server trace logging on the affected segment.
74. An enterprise’s board of directors is concerned about recent fraud attempts that originated
over the Internet. What action should the board take to address this concern?
A. Direct information security operations regarding specific solutions that are needed to address
the risk.
B. Research solutions to determine appropriate actions for the enterprise.
C. Take no action; information security does not report to the board.
D. Direct executive management to assess the risk and to report the results to the board.
75. Under what circumstances do good information security practices dictate a full
reassessment of risk?
A. After a material control failure
B. When regular assessments show unremediated risk
C. Subsequent to installing an updated operating system
D. After emergency changes have been initiated