
712-50 Exam Questions - Online Test



This page collects free demo questions, with the vendor's answer key, from Exambible's test preparation material for the EC-Council 712-50 Certified CISO (CCISO) exam.

Free demo questions for EC-Council 712-50 Exam Dumps Below:

NEW QUESTION 1

Which of the following is the BEST indicator of a successful project?

  • A. it is completed on time or early as compared to the baseline project plan
  • B. it meets most of the specifications as outlined in the approved project definition
  • C. it comes in at or below the expenditures planned for in the baseline budget
  • D. the deliverables are accepted by the key stakeholders

Answer: D

NEW QUESTION 2

Which of the following represents the HIGHEST negative impact resulting from an ineffective security governance program?

  • A. Reduction of budget
  • B. Decreased security awareness
  • C. Improper use of information resources
  • D. Fines for regulatory non-compliance

Answer: D

NEW QUESTION 3

Which of the following illustrates an operational control process?

  • A. Classifying an information system as part of a risk assessment
  • B. Installing an appropriate fire suppression system in the data center
  • C. Conducting an audit of the configuration management process
  • D. Establishing procurement standards for cloud vendors

Answer: B

NEW QUESTION 4

An organization is looking for a framework to measure the efficiency and effectiveness of their Information Security Management System. Which of the following international standards can BEST assist this organization?

  • A. International Organization for Standardization – 27004 (ISO-27004)
  • B. Payment Card Industry Data Security Standard (PCI-DSS)
  • C. Control Objectives for Information and Related Technology (COBIT)
  • D. International Organization for Standardization – 27005 (ISO-27005)

Answer: A

NEW QUESTION 5

Which of the following are primary concerns for management with regard to assessing internal control objectives?

  • A. Confidentiality, Availability, Integrity
  • B. Compliance, Effectiveness, Efficiency
  • C. Communication, Reliability, Cost
  • D. Confidentiality, Compliance, Cost

Answer: B

NEW QUESTION 6

Which of the following represents the best method of ensuring business unit alignment with security program requirements?

  • A. Provide clear communication of security requirements throughout the organization
  • B. Demonstrate executive support with written mandates for security policy adherence
  • C. Create collaborative risk management approaches within the organization
  • D. Perform increased audits of security processes and procedures

Answer: C

NEW QUESTION 7

The regular review of a firewall ruleset is considered a

  • A. Procedural control
  • B. Organization control
  • C. Technical control
  • D. Management control

Answer: A

NEW QUESTION 8

What two methods are used to assess risk impact?

  • A. Cost and annual rate of expectance
  • B. Subjective and Objective
  • C. Qualitative and percent of loss realized
  • D. Quantitative and qualitative

Answer: D

NEW QUESTION 9

With respect to the audit management process, management response serves what function?

  • A. placing underperforming units on notice for failing to meet standards
  • B. determining whether or not resources will be allocated to remediate a finding
  • C. adding controls to ensure that proper oversight is achieved by management
  • D. revealing the “root cause” of the process failure and mitigating for all internal and external units

Answer: B

NEW QUESTION 10

Which of the following set of processes is considered to be one of the cornerstone cycles of the International Organization for Standardization (ISO) 27001 standard?

  • A. Plan-Check-Do-Act
  • B. Plan-Do-Check-Act
  • C. Plan-Select-Implement-Evaluate
  • D. SCORE (Security Consensus Operational Readiness Evaluation)

Answer: B

NEW QUESTION 11

Scenario: The new CISO was informed of all the Information Security projects that the section has in progress. Two projects are over a year behind schedule and far over budget.
Which of the following will be most helpful for getting an Information Security project that is behind schedule back on schedule?

  • A. Upper management support
  • B. More frequent project milestone meetings
  • C. More training of staff members
  • D. Involve internal audit

Answer: A

NEW QUESTION 12

You have implemented a new security control. Which of the following risk strategy options have you engaged in?

  • A. Risk Avoidance
  • B. Risk Acceptance
  • C. Risk Transfer
  • D. Risk Mitigation

Answer: D

NEW QUESTION 13

The Annualized Loss Expectancy (Before) minus Annualized Loss Expectancy (After) minus Annual Safeguard Cost is the formula for determining:

  • A. Safeguard Value
  • B. Cost Benefit Analysis
  • C. Single Loss Expectancy
  • D. Life Cycle Loss Expectancy

Answer: B

NEW QUESTION 14

The exposure factor of a threat to your organization is defined as?

  • A. Asset value times exposure factor
  • B. Annual rate of occurrence
  • C. Annual loss expectancy minus current cost of controls
  • D. Percentage of loss experienced due to a realized threat event

Answer: D
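Questions 13 and 14 rely on the standard quantitative risk formulas (SLE = AV × EF, ALE = SLE × ARO, and safeguard value = ALE before − ALE after − annual safeguard cost). The following worked example is added here to show those formulas carried through on constructed numbers; it is not part of the exam material or of the vendor's page, and the asset values, exposure factors, rates and safeguard costs are made-up inputs chosen for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One threat against one asset, expressed in quantitative risk terms."""

    asset_value: float      # AV: value of the asset in currency units
    exposure_factor: float  # EF: fraction of AV lost when the threat is realized (0.0 to 1.0)
    annual_rate: float      # ARO: expected number of realized events per year

    def __post_init__(self) -> None:
        # An exposure factor is a percentage of the asset value, so it cannot
        # be negative or exceed 100%; a bad EF silently corrupts every later figure.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"exposure factor must be within [0, 1], got {self.exposure_factor}")
        if self.asset_value < 0 or self.annual_rate < 0:
            raise ValueError("asset value and annual rate of occurrence must be non-negative")

    def single_loss_expectancy(self) -> float:
        # SLE = AV x EF: the expected loss from a single realized event
        return self.asset_value * self.exposure_factor

    def annualized_loss_expectancy(self) -> float:
        # ALE = SLE x ARO: the expected loss per year
        return self.single_loss_expectancy() * self.annual_rate


def exposure_factor_from_loss(loss_amount: float, asset_value: float) -> float:
    """Derive EF from an observed (or estimated) loss: the percentage of the asset lost."""
    if asset_value <= 0:
        raise ValueError("asset value must be positive to compute an exposure factor")
    return loss_amount / asset_value


def safeguard_value(before: RiskScenario, after: RiskScenario, annual_safeguard_cost: float) -> float:
    """ALE(before) - ALE(after) - annual safeguard cost.

    A positive result means the control saves more per year than it costs;
    a negative result means the remediation is more expensive than the risk
    it removes, which is the situation behind question 28.
    """
    return (before.annualized_loss_expectancy()
            - after.annualized_loss_expectancy()
            - annual_safeguard_cost)


def should_implement(before: RiskScenario, after: RiskScenario, annual_safeguard_cost: float) -> bool:
    return safeguard_value(before, after, annual_safeguard_cost) > 0


# Constructed scenario (illustrative numbers only): a file server worth 500,000,
# threatened by ransomware that is expected to hit once every two years.
RANSOMWARE_BEFORE = RiskScenario(asset_value=500_000, exposure_factor=0.40, annual_rate=0.5)
# Hypothetical control: tested offline backups cut the loss per event to 10% of the asset.
RANSOMWARE_AFTER = RiskScenario(asset_value=500_000, exposure_factor=0.10, annual_rate=0.5)
BACKUP_COST_PER_YEAR = 30_000      # control cost where the safeguard pays for itself
GOLD_PLATED_COST_PER_YEAR = 90_000  # control cost where it does not


if __name__ == "__main__":
    print(f"SLE before: {RANSOMWARE_BEFORE.single_loss_expectancy():,.0f}")
    print(f"ALE before: {RANSOMWARE_BEFORE.annualized_loss_expectancy():,.0f}")
    print(f"ALE after:  {RANSOMWARE_AFTER.annualized_loss_expectancy():,.0f}")
    for cost in (BACKUP_COST_PER_YEAR, GOLD_PLATED_COST_PER_YEAR):
        value = safeguard_value(RANSOMWARE_BEFORE, RANSOMWARE_AFTER, cost)
        verdict = "implement" if value > 0 else "do not implement"
        print(f"safeguard at {cost:,.0f}/year -> value {value:,.0f} ({verdict})")
```

With these inputs the ALE falls from 100,000 to 25,000 per year, so a 30,000-per-year control has a positive value of 45,000 and is justified, while a 90,000-per-year control has a value of −15,000 and should be declined, the cost-based decision described in question 28. The guard in `__post_init__` matters in practice: an EF entered as a percentage (40 rather than 0.40) would inflate every downstream figure by a factor of 100.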

NEW QUESTION 15

Scenario: You are the CISO and have just completed your first risk assessment for your organization. You find many risks with no security controls, and some risks with inadequate controls. You assign work to your staff to create or adjust existing security controls to ensure they are adequate for risk mitigation needs.
When adjusting the controls to mitigate the risks, how often should the CISO perform an audit to verify the controls?

  • A. Annually
  • B. Semi-annually
  • C. Quarterly
  • D. Never

Answer: D

NEW QUESTION 16

The ultimate goal of an IT security project is:

  • A. Increase stock value
  • B. Complete security
  • C. Support business requirements
  • D. Implement information security policies

Answer: C

NEW QUESTION 17

The effectiveness of social engineering penetration testing using phishing can be used as a Key Performance Indicator (KPI) for the effectiveness of an organization’s

  • A. Risk Management Program.
  • B. Anti-Spam controls.
  • C. Security Awareness Program.
  • D. Identity and Access Management Program.

Answer: C

NEW QUESTION 18

Which wireless encryption technology makes use of temporal keys?

  • A. Wireless Application Protocol (WAP)
  • B. Wi-Fi Protected Access version 2 (WPA2)
  • C. Wired Equivalent Privacy (WEP)
  • D. Extensible Authentication Protocol (EAP)

Answer: B

NEW QUESTION 19

Risk appetite directly affects what part of a vulnerability management program?

  • A. Staff
  • B. Scope
  • C. Schedule
  • D. Scan tools

Answer: B

NEW QUESTION 20

When updating the security strategic planning document, what two items must be included?

  • A. Alignment with the business goals and the vision of the CIO
  • B. The risk tolerance of the company and the company mission statement
  • C. The executive summary and vision of the board of directors
  • D. The alignment with the business goals and the risk tolerance

Answer: D

NEW QUESTION 21

As the CISO you need to write the IT security strategic plan. Which of the following is the MOST important to review before you start writing the plan?

  • A. The existing IT environment.
  • B. The company business plan.
  • C. The present IT budget.
  • D. Other corporate technology trends.

Answer: B

NEW QUESTION 22

To have accurate and effective information security policies, how often should the CISO review the organization's policies?

  • A. Every 6 months
  • B. Quarterly
  • C. Before an audit
  • D. At least once a year

Answer: D

NEW QUESTION 23

According to ISO 27001, of the steps for establishing an Information Security Governance program listed below, which comes first?

  • A. Identify threats, risks, impacts and vulnerabilities
  • B. Decide how to manage risk
  • C. Define the budget of the Information Security Management System
  • D. Define Information Security Policy

Answer: D

NEW QUESTION 24

The process to evaluate the technical and non-technical security controls of an IT system to validate that a given design and implementation meet a specific set of security requirements is called

  • A. Security certification
  • B. Security system analysis
  • C. Security accreditation
  • D. Alignment with business practices and goals.

Answer: A

NEW QUESTION 25

What is the main purpose of the Incident Response Team?

  • A. Ensure efficient recovery and reinstate repaired systems
  • B. Create effective policies detailing program activities
  • C. Communicate details of information security incidents
  • D. Provide current employee awareness programs

Answer: A

NEW QUESTION 26

Which of the following functions MUST your Information Security Governance program include for formal organizational reporting?

  • A. Audit and Legal
  • B. Budget and Compliance
  • C. Human Resources and Budget
  • D. Legal and Human Resources

Answer: A

NEW QUESTION 27

Which International Organization for Standardization (ISO) standard below BEST describes the performance of risk management and includes a five-stage risk management methodology?

  • A. ISO 27001
  • B. ISO 27002
  • C. ISO 27004
  • D. ISO 27005

Answer: D

NEW QUESTION 28

The remediation of a specific audit finding is deemed too expensive and will not be implemented. Which of the following is a TRUE statement?

  • A. The asset is more expensive than the remediation
  • B. The audit finding is incorrect
  • C. The asset being protected is less valuable than the remediation costs
  • D. The remediation costs are irrelevant; it must be implemented regardless of cost.

Answer: C
