Q1. - (Topic 5) 

The Chief Information Officer (CIO) is focused on improving IT governance within the organization to reduce system downtime. The CIO has mandated that the following improvements be implemented: 

-All business units must now identify IT risks and include them in their business risk profiles. 

-Key controls must be identified and monitored. 

-Incidents and events must be recorded and reported with management oversight. 

-Exemptions to the information security policy must be formally recorded, approved, and managed. 

-IT strategy will be reviewed to ensure it is aligned with the businesses strategy and objectives. 

In addition to the above, which of the following would BEST help the CIO meet the requirements? 

A. Establish a register of core systems and identify technical service owners 

B. Establish a formal change management process 

C. Develop a security requirement traceability matrix 

D. Document legacy systems to be decommissioned and the disposal process 

View Answer

Q2. - (Topic 2) 

Company policy requires that all company laptops meet the following baseline requirements: 

Software requirements: 

Antivirus Anti-malware Anti-spyware Log monitoring Full-disk encryption 

Terminal services enabled for RDP 

Administrative access for local users 

Hardware restrictions: 

Bluetooth disabled 

FireWire disabled 

WiFi adapter disabled 

Ann, a web developer, reports performance issues with her laptop and is not able to access any network resources. After further investigation, a bootkit was discovered and it was trying to access external websites. Which of the following hardening techniques should be applied to mitigate this specific issue from reoccurring? (Select TWO). 

A. Group policy to limit web access 

B. Restrict VPN access for all mobile users 

C. Remove full-disk encryption 

D. Remove administrative access to local users 

E. Restrict/disable TELNET access to network resources 

F. Perform vulnerability scanning on a daily basis 

G. Restrict/disable USB access 

View Answer

Q3. - (Topic 1) 

A government agency considers confidentiality to be of utmost importance and availability issues to be of least importance. Knowing this, which of the following correctly orders various vulnerabilities in the order of MOST important to LEAST important? 

A. Insecure direct object references, CSRF, Smurf 

B. Privilege escalation, Application DoS, Buffer overflow 

C. SQL injection, Resource exhaustion, Privilege escalation 

D. CSRF, Fault injection, Memory leaks 

View Answer

Q4. - (Topic 5) 

An intruder was recently discovered inside the data center, a highly sensitive area. To gain access, the intruder circumvented numerous layers of physical and electronic security measures. Company leadership has asked for a thorough review of physical security controls to prevent this from happening again. Which of the following departments are the MOST heavily invested in rectifying the problem? (Select THREE). 

A. Facilities management 

B. Human resources 

C. Research and development 

D. Programming 

E. Data center operations 

F. Marketing 

G. Information technology 

View Answer

Q5. - (Topic 5) 

A large organization that builds and configures every data center against distinct requirements loses efficiency, which results in slow response time to resolve issues. However, total uniformity presents other problems. Which of the following presents the GREATEST risk when consolidating to a single vendor or design solution? 

A. Competitors gain an advantage by increasing their service offerings. 

B. Vendor lock in may prevent negotiation of lower rates or prices. 

C. Design constraints violate the principle of open design. 

D. Lack of diversity increases the impact of specific events or attacks. 

View Answer

Q6. DRAG DROP - (Topic 2) 

IT staff within a company often conduct remote desktop sharing sessions with vendors to troubleshoot vendor product-related issues. Drag and drop the following security controls to match the associated security concern. Options may be used once or not at all. 

View Answer

Q7. - (Topic 1) 

Joe, a hacker, has discovered he can specifically craft a webpage that when viewed in a browser crashes the browser and then allows him to gain remote code execution in the context of the victim’s privilege level. The browser crashes due to an exception error when a heap memory that is unused is accessed. Which of the following BEST describes the application issue? 

A. Integer overflow 

B. Click-jacking 

C. Race condition 

D. SQL injection 

E. Use after free 

F. Input validation 

View Answer

Q8. - (Topic 5) 

The risk manager has requested a security solution that is centrally managed, can easily 

be updated, and protects end users' workstations from both known and unknown malicious attacks when connected to either the office or home network. Which of the following would BEST meet this requirement? 

A. HIPS 

B. UTM 

C. Antivirus 

D. NIPS 

E. DLP 

View Answer

Q9. - (Topic 2) 

A company is trying to decide how to manage hosts in a branch location connected via a slow WAN link. The company desires to provide the same level of performance and functionality to the branch office as it provides to the main campus. The company uses Active Directory for its directory service and host configuration management. The branch location does not have a datacenter, and the physical security posture of the building is weak. Which of the following designs is MOST appropriate for this scenario? 

A. Deploy a branch location Read-Only Domain Controller in the DMZ at the main campus with a two-way trust. 

B. Deploy a corporate Read-Only Domain Controller to the branch location. 

C. Deploy a corporate Domain Controller in the DMZ at the main campus. 

D. Deploy a branch location Read-Only Domain Controller to the branch office location with a one-way trust. 

E. Deploy a corporate Domain Controller to the branch location. 

F. Deploy a branch location Domain Controller to the branch location with a one-way trust. 

View Answer

Q10. - (Topic 2) 

A security administrator was recently hired in a start-up company to represent the interest of security and to assist the network team in improving security in the company. The programmers are not on good terms with the security team and do not want to be distracted with security issues while they are working on a major project. Which of the following is the BEST time to make them address security issues in the project? 

A. In the middle of the project 

B. At the end of the project 

C. At the inception of the project 

D. At the time they request 

View Answer