1. An information security risk analysis BEST assists an organization in
ensuring that:
A: cost-effective decisions are made with regard to which assets need
protection
2. In a multinational organization, local security regulations should be
implemented over global security policy because:
A: requirements of local regulations take precedence
3. To gain a clear understanding of the impact that a new regulatory
requirement will have on an organization's information security controls,
an information security manager should FIRST:
A: conduct a risk assessment.
4. When management changes the enterprise business strategy, which of
the following processes should be used to evaluate the existing
information security controls as well as to select new information security
controls?
A: Risk management
5. Which of the following is the BEST way to build a risk-aware culture?
A: Establish incentives and a channel for staff to report risks.
6. What would be an information security manager's BEST recommendation
upon learning that an existing contract with a third party does not clearly
identify requirements for safeguarding the organization's critical data?
A: Create an addendum to the existing contract.
7. An organization has purchased a security information and event
management (SIEM) tool. Which of the following is MOST important to
consider before implementation?
A: Controls to be monitored
8. Which of the following is MOST likely to be included in an enterprise
security policy?
A: Definitions of responsibilities
9. Which of the following should an information security manager do FIRST
when a legacy application is not compliant with a regulatory requirement,
but the business unit does not have the budget for remediation?
A: Assess the consequences of noncompliance against the cost of
remediation.
10. Which of the following is the MOST effective way to address an
organization's security concerns during contract negotiations with a third
party?
A: Ensure security is involved in the procurement process
11. Which of the following is the BEST method to protect consumer private
information for an online public website?
A: Encrypt consumer data in transit and at rest
12. Which of the following is the MOST important consideration in a bring your
own device (BYOD) program to protect company data in the event of a
loss?
A: The ability to centrally manage devices
13. An information security manager has been asked to determine whether an
information security initiative has reduced risk to an acceptable level.
Which of the following activities would provide the BEST information for
the information security manager to draw a conclusion?
A: Performing a risk assessment
14. An organization that uses external cloud services extensively is concerned
with risk monitoring and timely response. The BEST way to address this
concern is to ensure:
A: appropriate service level agreements (SLAs) are in place.
15. Which of the following is the BEST way to ensure that organizational
security policies comply with data security regulatory requirements?
A: Align the policies to the most stringent global regulations.
16. The PRIMARY reason for defining the information security roles and
responsibilities of staff throughout an organization is to:
A: enforce individual accountability. *
17. Threat and vulnerability assessments are important PRIMARILY because
they are:
A: needed to estimate risk.
18. Which of the following should be an information security manager's
PRIMARY focus during the development of a critical system storing highly
confidential data?
A: Ensuring the amount of residual risk is acceptable *
19. When evaluating vendors for sensitive data processing, which of the
following should be the FIRST step to ensure the correct level of
information security is provided?
A: Include information security criteria as part of vendor selection *
20. An information security team is investigating an alleged breach of an
organization's network. Which of the following would be the BEST single
source of evidence to review?
A: Security information and event management (SIEM) tool
21. Over the last year, an information security manager has performed risk
assessments on multiple third-party vendors. Which of the following
criteria would be MOST helpful in determining the associated level of risk
applied to each vendor?
A: Criticality of the service to the organization
22. Which of the following is the MOST important security consideration when
developing an incident response strategy with a cloud provider?
A: Escalation processes *
23. Executive leadership has decided to engage a consulting firm to develop
and implement a comprehensive security framework for the organization
to allow senior management to remain focused on business priorities.
Which of the following poses the GREATEST challenge to the successful
implementation of the new security governance framework?
A: Executive leadership views information security governance primarily
as a concern of the information security management team *
24. Risk scenarios simplify the risk assessment process by:
A: focusing on important and relevant risk. *
25. Which of the following is the MOST important consideration when
developing information security objectives?
A: They are clear and can be understood by stakeholders
26. A legacy application does not comply with new regulatory requirements to
encrypt sensitive data at rest, and remediating this issue would require
significant investment. What should the information security manager do
FIRST?
A: Assess the business impact to the organization.
27. Which of the following BEST enables effective information security
governance?
A: Security-aware corporate culture
28. Application data integrity risk is MOST directly addressed by a design that
includes:
A: reconciliation routines such as checksums, hash totals, and record
counts.
29. Deciding the level of protection a particular asset should be given is BEST
determined by:
A: a risk analysis.
30. What should be an information security manager's FIRST step when
developing a business case for a new intrusion detection system (IDS)
solution?
A: Define the issues to be addressed.
31. Which of the following should be the FIRST step in
developing an information security plan?
A: Analyse the current business strategy
32. Senior management commitment and support for
information security can BEST be obtained through
presentations that:
A: Tie security risks to key business objectives.
33.