getcertified4sure.com

All About Highest Quality 712-50 Exam Answers





Online EC-Council 712-50 free dumps demo below:

NEW QUESTION 1

Scenario: Your program is developed around minimizing risk to information by focusing on people, technology, and operations.
An effective way to evaluate the effectiveness of an information security awareness program for end users, especially senior executives, is to conduct periodic:

  • A. Controlled spear phishing campaigns
  • B. Password changes
  • C. Baselining of computer systems
  • D. Scanning for viruses

Answer: A

NEW QUESTION 2

You are the Chief Information Security Officer of a large, multinational bank and you suspect there is a flaw in a two-factor authentication token management process. Which of the following represents your BEST course of action?

  • A. Validate that security awareness program content includes information about the potential vulnerability
  • B. Conduct a thorough risk assessment against the current implementation to determine system functions
  • C. Determine program ownership to implement compensating controls
  • D. Send a report to executive peers and business unit owners detailing your suspicions

Answer: B

NEW QUESTION 3

SCENARIO: A Chief Information Security Officer (CISO) recently had a third party conduct an audit of the security program. Internal policies and international standards were used as audit baselines. The audit report was presented to the CISO and a variety of high, medium and low rated gaps were identified.
Which of the following is the FIRST action the CISO will perform after receiving the audit report?

  • A. Inform peer executives of the audit results
  • B. Validate gaps and accept or dispute the audit findings
  • C. Create remediation plans to address program gaps
  • D. Determine if security policies and procedures are adequate

Answer: B

NEW QUESTION 4

When you develop your audit remediation plan, what is the MOST important criterion?

  • A. To remediate half of the findings before the next audit.
  • B. To remediate all of the findings before the next audit.
  • C. To validate that the cost of the remediation is less than the risk of the finding.
  • D. To validate the remediation process with the auditor.

Answer: C

NEW QUESTION 5

Which of the following functions MUST your Information Security Governance program include for formal organizational reporting?

  • A. Audit and Legal
  • B. Budget and Compliance
  • C. Human Resources and Budget
  • D. Legal and Human Resources

Answer: A

NEW QUESTION 6

Which of the following set of processes is considered to be one of the cornerstone cycles of the International Organization for Standardization (ISO) 27001 standard?

  • A. Plan-Check-Do-Act
  • B. Plan-Do-Check-Act
  • C. Plan-Select-Implement-Evaluate
  • D. SCORE (Security Consensus Operational Readiness Evaluation)

Answer: B

NEW QUESTION 7

The Information Security Governance program MUST:

  • A. integrate with other organizational governance processes
  • B. support user choice for Bring Your Own Device (BYOD)
  • C. integrate with other organizational governance processes
  • D. show a return on investment for the organization

Answer: A

NEW QUESTION 8

The ultimate goal of an IT security project is:

  • A. Increase stock value
  • B. Complete security
  • C. Support business requirements
  • D. Implement information security policies

Answer: C

NEW QUESTION 9

What is the first thing that needs to be completed in order to create a security program for your organization?

  • A. Risk assessment
  • B. Security program budget
  • C. Business continuity plan
  • D. Compliance and regulatory analysis

Answer: A

NEW QUESTION 10

Assigning the role and responsibility of Information Assurance to a dedicated and independent security group is an example of:

  • A. Detective Controls
  • B. Proactive Controls
  • C. Preemptive Controls
  • D. Organizational Controls

Answer: D

NEW QUESTION 11

Scenario: An organization has made a decision to address Information Security formally and consistently by adopting established best practices and industry standards. The organization is a small retail merchant, but it is expected to grow to a global customer base of many millions of customers in just a few years.
This global retail company is expected to accept credit card payments. Which of the following is of MOST concern when defining a security program for this organization?

  • A. International encryption restrictions
  • B. Compliance to Payment Card Industry (PCI) data security standards
  • C. Compliance with local government privacy laws
  • D. Adherence to local data breach notification laws

Answer: B

NEW QUESTION 12

Which of the following is MOST beneficial in determining an appropriate balance between uncontrolled innovation and excessive caution in an organization?

  • A. Define the risk appetite
  • B. Determine budget constraints
  • C. Review project charters
  • D. Collaborate security projects

Answer: A

NEW QUESTION 13

A CISO decides to analyze the IT infrastructure to ensure security solutions adhere to the concepts of how hardware and software are implemented and managed within the organization. Which of the following principles does this best demonstrate?

  • A. Alignment with the business
  • B. Effective use of existing technologies
  • C. Leveraging existing implementations
  • D. Proper budget management

Answer: A

NEW QUESTION 14

Network Forensics is the prerequisite for any successful legal action after attacks on your Enterprise Network. Which is the single most important factor in introducing digital evidence into a court of law?

  • A. Comprehensive Log-Files from all servers and network devices affected during the attack
  • B. Fully trained network forensic experts to analyze all data right after the attack
  • C. Uninterrupted Chain of Custody
  • D. Expert forensics witness

Answer: C

NEW QUESTION 15

Scenario: As you begin to develop the program for your organization, you assess the corporate culture and determine that there is a pervasive opinion that the security program only slows things down and limits the performance of the “real workers.”
What must you do first in order to shift the prevailing opinion and reshape corporate culture to understand the value of information security to the organization?

  • A. Cite compliance with laws, statutes, and regulations – explaining the financial implications for the company for non-compliance
  • B. Understand the business and focus your efforts on enabling operations securely
  • C. Draw from your experience and recount stories of how other companies have been compromised
  • D. Cite corporate policy and insist on compliance with audit findings

Answer: B

NEW QUESTION 16

SCENARIO: A CISO has several two-factor authentication systems under review and selects the one that is most sufficient and least costly. The implementation project planning is completed and the teams are ready to implement the solution. The CISO then discovers that the product is not as scalable as originally thought and will not fit the organization’s needs.
What is the MOST logical course of action the CISO should take?

  • A. Review the original solution set to determine if another system would fit the organization’s risk appetite and budget and regulatory compliance requirements
  • B. Continue with the implementation and submit change requests to the vendor in order to ensure required functionality will be provided when needed
  • C. Continue with the project until the scalability issue is validated by others, such as an auditor or third party assessor
  • D. Cancel the project if the business need was based on internal requirements versus regulatory compliance requirements

Answer: A

NEW QUESTION 17
......
