No Exams Available
0 of 140 Questions completed
Questions:
You have already completed the quiz before. Hence you can not start it again.
Quiz is loading…
You must sign in or sign up to start the quiz.
You must first complete the following:
0 of 140 Questions answered correctly
Your time:
Time has elapsed
You have reached 0 of 0 point(s), (0)
Earned Point(s): 0 of 0, (0)
0 Essay(s) Pending (Possible Point(s): 0)
You’re reporting to senior management on a proposal to establish a government process. What is the most crucial factor you should highlight?
Which of the following is most important to identify when you define an organizational risk management strategy?
What is the primary benefit of having an effective security governance process?
A global restaurant chain wants to develop a uniform process for Business Continuity and Disaster Recovery. Which of the following standards is most appropriate?
Every evening a security manager checks work areas looking for security violations such as systems left unlocked or sensitive materials left in the open. What kind of security practice does this most closely relate to?
Why is it MOST important for an organization that handles personally identifiable information (PII) to follow a formal risk management process?
Which of the following is an example of risk transference?
A misconfigured server for a major e-retailer caused personal customer data to be exposed to the internet. They fixed the vulnerability, but did not tell anyone outside the company. What kind of law are they most likely to be breaking?
An organization’s IT department has just adopted a new set of security policies. Why is it essential that management endorse the new policies?
A security leader is expected to influence the organization’s culture to bring it into alignment with security needs. What ability will do the most to allow them to succeed?
What is the primary goal you should work toward when developing a security awareness program?
What kind of security document is LEAST likely to be mandatory?
When designing a governance model for information security, which of the following factors will likely have the greatest impact on the results?
When responding to a security incident, which of the following steps should come FIRST?
Which of the following statements most accurately describes the relationship between information security and regulatory compliance?
What person in the organization decides who has access to sensitive information?
What is the most critical element of an information security program that has a positive influence on organizational culture?
When establishing a security governance program, which of the following steps should be performed FIRST?
A potential partner organization claims to be secure because of its PCI-DSS certification. Which of the following questions will tell you the most about how effective their security program is?
A security manager at your company has just created a risk management program. Which of the following will do the most to ensure the program’s success?
Senior management wants to develop a new program ensuring that the actions of people and systems alike follow the organization’s stated rules and policies. What kind of policy does this best describe?
An organization wants to define a risk management process that will align with those used by its international partners. Which standard is most likely to be applicable?
A colleague of yours was recently hired as an organization’s CISO, and was assigned to create a new organizational security policy. Unfortunately, once the security policy was published, nothing really changed because users and managers alike routinely ignored it or enforced it inconsistently. What element would most likely have prevented the issue?
What kind of security controls are most often required by regulatory mandates?
As an information security professional, what should you do with information that no longer has a clear business purpose?
Your new employer is a global retailer. What regulation is MOST important to investigate when reviewing their compliance management policies?
Which of the following goals is most important to address when designing a Business Continuity Plan?
What is the primary organizational benefit of having a well-designed Information Security Policy?
What organizational process is typically responsible for monitoring security status, alerting security personnel about security-related events, and responding to alerts?:
A security analyst identifies an attack against a database containing highly sensitive trade secrets. Who is the first person that needs to be informed?
You’ve just defined a standard set of security controls and the conditions under which they should apply. What is the next step you should perform?
One of your job duties is developing the organization’s security program including policies and the processes that support them. Which of the following goals should have the highest priority?
How often should security awareness training be provided to employees, according to international standards and industry best practices?
An organization uses individual customer information to better target its products and services. What should be its primary security concern regarding that data?
An organization has decided to adopt an “assumption of breach” model for its information assets. What security strategy would be most appropriate under the new model?
What element of a risk management process is most affected by the thoroughness of the asset classification step?
During a risk management process you’ve identified multiple significant risks, and would like to focus on those which would be most costly if they occurred. What kind of analysis should you perform?
How can practicing information security governance benefit your organization even if it doesn’t prevent a major security incident?
When developing security controls, what two factors are most likely to be at odds with one another?
Stakeholders in business operations are expected to meet a minimum standard of attention to detail and compliance with security and business principles, even when there is no specific procedure in place, such as maintaining security awareness in the workplace and not sharing sensitive business information with outside parties. What is the term for this?
Which of the following security controls is MOST important for preventing social engineering attacks??
You’re evaluating the company’s security architecture. Which of the following should you include in your analysis?
What is the primary objective for developing an information security program?
A recent risk assessment estimated that the risk of a customer data breach was equivalent to a $500,000 annual revenue loss. What type of analysis was performed?
What are the primary advantages of quantitative risk assessments over qualitative ones?
You’ve been assigned to an information governance steering committee. Which of the following will you be most likely to do?
You’re helping a company hire a new CISO that will be expected to design and implement a whole new security program. Which set of qualifications will do the most to identify an ideal candidate?
What type of intellectual property is mostly related to brand recognition?
What term describes credit card information, medical records, and sensitive government records?
You address a risk to a web-based financial application by implementing a stronger multifactor authentication system. What risk management strategy are you employing?
Which of the following best describes the difference between quantitative and qualitative risk assessments?
Following a risk assessment you choose to purchase cyber insurance. What risk management strategy are you employing?
What formula can you use to calculate the value of a risk in both qualitative and quantitative assessments?
A new technology your organization is deploying will violate existing security standards, but it is valuable for business goals. As a security manager, what is the most appropriate approach?
When deploying a new information system, what is the FINAL step of the system authorization process?
An organization deploying a new network chooses a less capable but less expensive firewall to protect it. Which of the following statements is most likely to be correct?
Which of the following is most important when developing an Information Security Steering committee?
Once you’ve applied all risk mitigations, what is the term for the remaining risk?
You want an international standard that will help you to measure the effectiveness of an information security management system. What standard should you review first?
A colleague is a firm believer that every organization can benefit from a centralized, top-down security policy. What counter-example could you provide of an organizational structure that would benefit from a more decentralized approach?
You’re preparing for an IT audit and internal review has identified several procedural oversights. Which of the following is MOST likely to concern the external auditor?
You’ve been asked to calculate the Annual Loss Expectancy (ALE) associated with an identified risk. What formula should you use??
Which of the following is most important for an Information Security Management program to protect?
How is an IT auditor most likely to use a data flow diagram?
Which framework is most likely to contain useful metrics you can use to measure the effectiveness of an Information Security Management System?
In the NIST System Certification and Accreditation Project , SP 800-53 provides standardized security controls to protect which aspects of security operations?
Your organization performs background checks on all employees who have access to credit card data. What type of security control does this represent?
Which of the following is an appropriate review process and frequency for an information security policy?
Which of the following formulas best describes how to calculate the overall level of a risk?
Which of the following aspects of a risk management process makes it more likely that an organization will choose risk acceptance over risk mitigation?
The network security team has a scheduled procedure for reviewing firewall rulesets. What kind of security control is that?:
You’re evaluating threats to your IT infrastructure. What is the best definition for the exposure factor of a particular threat?
Which of the following is a necessary feature of an Informational Security Governance program?
A security manager just drafted revisions to the company’s information security policy. Which of the following executive endorsements will do the most to ensure that the changes are implemented??
You’ve been advised to take a risk-based approach to audit-planning. Which of the following practices would be most in keeping with that advice?
Which of the following will do the most to help you proactively identify system vulnerabilities?
What is the most important factor when selecting a risk mitigation strategy?
Which of the following has the greatest impact on your organization’s PCI DSS compliance requirements?
When scoping a PCI environment, which of the following roles is the duty of the CISO?
An IT auditor is validating compliance with the uptime requirements specified in a Service Level Agreement (SLA). Which reports will they find most useful?
What risk management technique is a good way to identify the most critical risks to a project so that you can perform in-depth analysis?
You’re doing consulting work for a multinational healthcare company. Which regulatory compliance issue is likely to be the most important concern for them?
An organization’s security governance program is chronically ineffective and mismanaged. What is the most severe impact that will likely have, apart from the increased risk of security incidents?
You’re revising the organization’s vulnerability management processes and assigning job responsibilities. After vulnerability scans, who is responsible for implementing remediation actions?
What is the term for the amount of risk an organization is willing to accept in pursuit of its primary goals?
Which of the following is most important to include in an Incident Response Program (IRP)?
You’re designing a new security program for an IT startup that has taken an ad hoc approach to security so far. What is the first step you should perform?
When meeting an administrator at the data center, you notice a security door propped open so that workers can get back in easily without re-swiping a badge. What is the most appropriate response?
An audit report you’re reviewing has every bit of required technical data, but not much else. Which of the following is most important to add?
Which of the following standards includes an auditing framework?
What practice focuses primarily on ensuring that information security practices remain aligned with organizational goals?
What is the most important goal of risk management?
According to NIST SP 800-30, what is the SECOND step in creating a risk management methodology?
An Information Systems auditor selects a sample or programs in order to ensure that the source and object versions are the same. What kind of test is being performed?
You’re designing a schedule for vulnerability scans and want to minimize their impact on business operations. Who is the primary person that you should contact?
What are the two most common methods for risk analysis?
What is the primary goal of an organization’s information security policy?
While performing an audit, you notice that the operations team is understaffed. You’re told that a security administrator works a late shift one night a week as operations manager to fill the staffing gap until a new employee is hired. What should you do?
Which of the following is most useful for determining an appropriate patching and monitoring schedule?
Why are IT control objectives useful to IT auditors?
Which of the following is most likely to cause conflict between IT and Information Security programs?
In an Information Security Governance program, which two functions are most critical for formal organizational reporting?
As part of addressing risks related to email, you deployed anti-malware and anti-phishing controls on central email servers. What type of security control did you implement?
In a risk assessment, what term represents the expected frequency of a specific threat?
You’re helping the vulnerability management team to plan a vulnerability scanning schedule. They’re concerned about the volume of data output they will need to analyze on a large network. What approach can minimize the data output of routine scans while still giving a realistic view of the network’s vulnerability levels?
Which of the following will do the most to ensure that your organization’s Business Continuity (BC) Plan is sound?
According to guidelines from NIST SP 800-40, what are the three most important considerations for developing a vulnerability management program?
What configuration for a network-based Intrusion Prevention System (IPS) will provide the strongest protection against attack?
What is the most appropriate term for a weakness in an asset that can be exploited by a threat?
How often should a computing environment be monitored for cyber threats?
As a CISO, you’re being asked to report to the Board of Directors about the organization’s current cybersecurity posture and how it has changed since you took the position. What metrics should you focus on?
An organization implements two-factor authentication for access to sensitive network services. What security principle are they practicing?
In the typical organization, what team is responsible for monitoring the Network Intrusion Detection System (NIDS) logs for a critical database application?
What framework document is based on the Code of Practice for Information Security Management?
Once an organization implements new security controls, what team is typically responsible for validating their implementation and effectiveness?
A recent security review uncovered a critical vulnerability on a production system. Tight budget constraints make it impractical to quickly implement the recommended fix. What is the best approach for mitigating the vulnerability?
You’re developing a security awareness program for call center employees. Which of the following would be the most appropriate Key Performance Indicator (KPI) to evaluate program effectiveness?
What kind of program would use “the effectiveness of social engineering by penetration testers” as a Key Performance Indicator (KPI?)
You’ve recently deployed new security controls to a perimeter network. What testing method will give you the most accurate idea of how effective they are?
A business unit at your organization assigned internal IT auditing responsibilities to the IT team. What is the primary problem with this approach?
Which of the following activities is most critical to performing a risk assessment?
You’ve just read a security bulletin about a new attack targeting two-factor authentication systems similar to those used in your organization’s critical financial systems. As a CISO, what is the most appropriate course of action?
What IT governance framework is intended to balance the conflicting concerns of business risks, control requirements, and technical implementations?
What security solution is most likely to identify changes to the configuration of a critical server?
What is the strongest argument for adopting COBIT as an IT governance framework?
What metric category might include “Mean time to patch,” “number of vulnerabilities mitigated,” and “Number of viruses detected?”?
What situation poses the strongest argument for outsourcing the management of an IT security project?
An organization assigns responsibility for Information Assurance to an independent security group. What type of security control does this decision represent?
A multinational company wants to implement new storage encryption technologies across data centers in six countries. Which of the following regulatory constraints is most likely to be a problem?
After being hired for a new CISO position, you see that the latest audit report is over 18 months old. What should be your first priority?
What is the term for a newly discovered risk that has not been implemented? ?
Which set of processes is also known as the Deming Cycle?
A US-based healthcare organization needs to guard the privacy of patient data. What is the most appropriate set of security guidelines they should use?
How often should an organization review and update its information security policy?
In information asset management, what is the primary rule of the data custodian?
A disaster has affected multiple systems in your data center. What document should you refer to first?
What is the primary threat that a Data Loss Prevention (DLP) system is intended to prevent?
When developing a new incident response program, which step is the most critical?
Your organization is implementing a new security awareness program. What practice will provide the most accurate evaluation of the program’s effectiveness?