March Special Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: buysanta

Exact2Pass Menu

Question # 4

You are having a penetration test done on your company network and the leader of the team says they discovered all the network devices because no one had changed the Simple Network Management Protocol (SNMP) community strings from the defaults. Which of the following is a default community string?

A.

Execute

B.

Read

C.

Administrator

D.

Public

Full Access
Question # 5

While designing a secondary data center for your company what document needs to be analyzed to determine to how much should be spent on building the data center?

A.

Enterprise Risk Assessment

B.

Disaster recovery strategic plan

C.

Business continuity plan

D.

Application mapping document

Full Access
Question # 6

Information security policies should be reviewed:

A.

by stakeholders at least annually

B.

by the CISO when new systems are brought online

C.

by the Incident Response team after an audit

D.

by internal audit semiannually

Full Access
Question # 7

As the Risk Manager of an organization, you are task with managing vendor risk assessments. During the assessment, you identified that the vendor is engaged with high profiled clients, and bad publicity can jeopardize your own brand.

Which is the BEST type of risk that defines this event?

A.

Compliance Risk

B.

Reputation Risk

C.

Operational Risk

D.

Strategic Risk

Full Access
Question # 8

Which of the following is a symmetric encryption algorithm?

A.

3DES

B.

MD5

C.

ECC

D.

RSA

Full Access
Question # 9

A newly-hired CISO needs to understand the organization’s financial management standards for business units

and operations. Which of the following would be the best source of this information?

A.

The internal accounting department

B.

The Chief Financial Officer (CFO)

C.

The external financial audit service

D.

The managers of the accounts payables and accounts receivables teams

Full Access
Question # 10

When selecting a security solution with reoccurring maintenance costs after the first year (choose the BEST answer):

A.

The CISO should cut other essential programs to ensure the new solution’s continued use

B.

Communicate future operating costs to the CIO/CFO and seek commitment from them to ensure the new solution’s continued use

C.

Defer selection until the market improves and cash flow is positive

D.

Implement the solution and ask for the increased operating cost budget when it is time

Full Access
Question # 11

Which of the following is the MOST important component of any change management process?

A.

Scheduling

B.

Back-out procedures

C.

Outage planning

D.

Management approval

Full Access
Question # 12

Information Security is often considered an excessive, after-the-fact cost when a project or initiative is completed. What can be done to ensure that security is addressed cost effectively?

A.

User awareness training for all employees

B.

Installation of new firewalls and intrusion detection systems

C.

Launch an internal awareness campaign

D.

Integrate security requirements into project inception

Full Access
Question # 13

Which of the following methods are used to define contractual obligations that force a vendor to meet customer expectations?

A.

Terms and Conditions

B.

Service Level Agreements (SLA)

C.

Statement of Work

D.

Key Performance Indicators (KPI)

Full Access
Question # 14

Which of the following can the company implement in order to avoid this type of security issue in the future?

A.

Network based intrusion detection systems

B.

A security training program for developers

C.

A risk management process

D.

A audit management process

Full Access
Question # 15

A department within your company has proposed a third party vendor solution to address an urgent, critical business need. As the CISO you have been asked to accelerate screening of their security control claims. Which of the following vendor provided documents is BEST to make your decision:

A.

Vendor’s client list of reputable organizations currently using their solution

B.

Vendor provided attestation of the detailed security controls from a reputable accounting firm

C.

Vendor provided reference from an existing reputable client detailing their implementation

D.

Vendor provided internal risk assessment and security control documentation

Full Access
Question # 16

What type of attack requires the least amount of technical equipment and has the highest success rate?

A.

War driving

B.

Operating system attacks

C.

Social engineering

D.

Shrink wrap attack

Full Access
Question # 17

Your incident handling manager detects a virus attack in the network of your company. You develop a signature based on the characteristics of the detected virus. Which of the following phases in the incident handling process will utilize the signature to resolve this incident?

A.

Containment

B.

Recovery

C.

Identification

D.

Eradication

Full Access
Question # 18

Physical security measures typically include which of the following components?

A.

Physical, Technical, Operational

B.

Technical, Strong Password, Operational

C.

Operational, Biometric, Physical

D.

Strong password, Biometric, Common Access Card

Full Access
Question # 19

The process of creating a system which divides documents based on their security level to manage access to private data is known as

A.

security coding

B.

data security system

C.

data classification

D.

privacy protection

Full Access
Question # 20

The general ledger setup function in an enterprise resource package allows for setting accounting periods. Access to this function has been permitted to users in finance, the shipping department, and production scheduling. What is the most likely reason for such broad access?

A.

The need to change accounting periods on a regular basis.

B.

The requirement to post entries for a closed accounting period.

C.

The need to create and modify the chart of accounts and its allocations.

D.

The lack of policies and procedures for the proper segregation of duties.

Full Access
Question # 21

The process of identifying and classifying assets is typically included in the

A.

Threat analysis process

B.

Asset configuration management process

C.

Business Impact Analysis

D.

Disaster Recovery plan

Full Access
Question # 22

The process for identifying, collecting, and producing digital information in support of legal proceedings is called

A.

chain of custody.

B.

electronic discovery.

C.

evidence tampering.

D.

electronic review.

Full Access
Question # 23

A customer of a bank has placed a dispute on a payment for a credit card account. The banking system uses digital signatures to safeguard the integrity of their transactions. The bank claims that the system shows proof that the customer in fact made the payment. What is this system capability commonly known as?

A.

non-repudiation

B.

conflict resolution

C.

strong authentication

D.

digital rights management

Full Access
Question # 24

What is the FIRST step in developing the vulnerability management program?

A.

Baseline the Environment

B.

Maintain and Monitor

C.

Organization Vulnerability

D.

Define Policy

Full Access
Question # 25

An organization licenses and uses personal information for business operations, and a server containing that information has been compromised. What kind of law would require notifying the owner or licensee of this incident?

A.

Data breach disclosure

B.

Consumer right disclosure

C.

Security incident disclosure

D.

Special circumstance disclosure

Full Access
Question # 26

Which of the following international standards can be BEST used to define a Risk Management process in an organization?

A.

National Institute for Standards and Technology 800-50 (NIST 800-50)

B.

International Organization for Standardizations – 27005 (ISO-27005)

C.

Payment Card Industry Data Security Standards (PCI-DSS)

D.

International Organization for Standardizations – 27004 (ISO-27004)

Full Access
Question # 27

Which of the following intellectual Property components is focused on maintaining brand recognition?

A.

Trademark

B.

Patent

C.

Research Logs

D.

Copyright

Full Access
Question # 28

The network administrator wants to strengthen physical security in the organization. Specifically, to implement a

solution stopping people from entering certain restricted zones without proper credentials. Which of following

physical security measures should the administrator use?

A.

Video surveillance

B.

Mantrap

C.

Bollards

D.

Fence

Full Access
Question # 29

Which of the following is true regarding expenditures?

A.

Capital expenditures are never taxable

B.

Operating expenditures are for acquiring assets, capital expenditures are for support costs of that asset

C.

Capital expenditures are used to define depreciation tables of intangible assets

D.

Capital expenditures are for acquiring assets, whereas operating expenditures are for support costs of that

asset

Full Access
Question # 30

Bob waits near a secured door, holding a box. He waits until an employee walks up to the secured door and

uses the special card in order to access the restricted area of the target company. Just as the employee opens

the door, Bob walks up to the employee (still holding the box) and asks the employee to hold the door open so

that he can enter. What is the best way to undermine the social engineering activity of tailgating?

A.

Post a sign that states, “no tailgating” next to the special card reader adjacent to the secure door

B.

Issue special cards to access secure doors at the company and provide a one-time only brief description of

use of the special card

C.

Educate and enforce physical security policies of the company to all the employees on a regular basis

D.

Setup a mock video camera next to the special card reader adjacent to the secure door

Full Access
Question # 31

When project costs continually increase throughout implementation due to large or rapid changes in customer

or user requirements, this is commonly known as:

A.

Cost/benefit adjustments

B.

Scope creep

C.

Prototype issues

D.

Expectations management

Full Access
Question # 32

Which of the following best describes an access control process that confirms the identity of the entity seeking access to a logical or physical area?

A.

Identification

B.

Authorization

C.

Authentication

D.

Accountability

Full Access
Question # 33

Which of the following conditions would be the MOST probable reason for a security project to be rejected by the executive board of an organization?

A.

The Net Present Value (NPV) of the project is positive

B.

The NPV of the project is negative

C.

The Return on Investment (ROI) is larger than 10 months

D.

The ROI is lower than 10 months

Full Access
Question # 34

Scenario: You are the CISO and have just completed your first risk assessment for your organization. You find many risks with no security controls, and some risks with inadequate controls. You assign work to your staff to create or adjust existing security controls to ensure they are adequate for risk mitigation needs.

When formulating the remediation plan, what is a required input?

A.

Board of directors

B.

Risk assessment

C.

Patching history

D.

Latest virus definitions file

Full Access
Question # 35

When analyzing and forecasting a capital expense budget what are not included?

A.

Network connectivity costs

B.

New datacenter to operate from

C.

Upgrade of mainframe

D.

Purchase of new mobile devices to improve operations

Full Access
Question # 36

A CISO decides to analyze the IT infrastructure to ensure security solutions adhere to the concepts of how hardware and software is implemented and managed within the organization. Which of the following principles does this best demonstrate?

A.

Alignment with the business

B.

Effective use of existing technologies

C.

Leveraging existing implementations

D.

Proper budget management

Full Access
Question # 37

Your company has limited resources to spend on security initiatives. The Chief Financial Officer asks you to prioritize the protection of information resources based on their value to the company. It is essential that you be able to communicate in language that your fellow executives will understand. You should:

A.

Create timelines for mitigation

B.

Develop a cost-benefit analysis

C.

Calculate annual loss expectancy

D.

Create a detailed technical executive summary

Full Access
Question # 38

Knowing the potential financial loss an organization is willing to suffer if a system fails is a determination of which of the following?

A.

Cost benefit

B.

Risk appetite

C.

Business continuity

D.

Likelihood of impact

Full Access
Question # 39

Which of the following methodologies references the recommended industry standard that Information security project managers should follow?

A.

The Security Systems Development Life Cycle

B.

The Security Project And Management Methodology

C.

Project Management System Methodology

D.

Project Management Body of Knowledge

Full Access
Question # 40

To get an Information Security project back on schedule, which of the following will provide the MOST help?

A.

Upper management support

B.

More frequent project milestone meetings

C.

Stakeholder support

D.

Extend work hours

Full Access
Question # 41

A CISO implements smart cards for credential management, and as a result has reduced costs associated with help desk operations supporting password resets. This demonstrates which of the following principles?

A.

Security alignment to business goals

B.

Regulatory compliance effectiveness

C.

Increased security program presence

D.

Proper organizational policy enforcement

Full Access
Question # 42

Which of the following are the triple constraints of project management?

A.

Time, quality, and scope

B.

Cost, quality, and time

C.

Scope, time, and cost

D.

Quality, scope, and cost

Full Access
Question # 43

A global retail organization is looking to implement a consistent Disaster Recovery and Business Continuity Process across all of its business units. Which of the following standards and guidelines can BEST address this organization’s need?

A.

International Organization for Standardizations – 22301 (ISO-22301)

B.

Information Technology Infrastructure Library (ITIL)

C.

Payment Card Industry Data Security Standards (PCI-DSS)

D.

International Organization for Standardizations – 27005 (ISO-27005)

Full Access
Question # 44

According to the National Institute of Standards and Technology (NIST) SP 800-40, which of the following considerations are MOST important when creating a vulnerability management program?

A.

Susceptibility to attack, mitigation response time, and cost

B.

Attack vectors, controls cost, and investigation staffing needs

C.

Vulnerability exploitation, attack recovery, and mean time to repair

D.

Susceptibility to attack, expected duration of attack, and mitigation availability

Full Access
Question # 45

The FIRST step in establishing a security governance program is to?

A.

Conduct a risk assessment.

B.

Obtain senior level sponsorship.

C.

Conduct a workshop for all end users.

D.

Prepare a security budget.

Full Access
Question # 46

In which of the following cases, would an organization be more prone to risk acceptance vs. risk mitigation?

A.

The organization uses exclusively a quantitative process to measure risk

B.

The organization uses exclusively a qualitative process to measure risk

C.

The organization’s risk tolerance is high

D.

The organization’s risk tolerance is lo

Full Access
Question # 47

The framework that helps to define a minimum standard of protection that business stakeholders must attempt to achieve is referred to as a standard of:

A.

Due Protection

B.

Due Care

C.

Due Compromise

D.

Due process

Full Access
Question # 48

Payment Card Industry (PCI) compliance requirements are based on what criteria?

A.

The types of cardholder data retained

B.

The duration card holder data is retained

C.

The size of the organization processing credit card data

D.

The number of transactions performed per year by an organization

Full Access
Question # 49

What two methods are used to assess risk impact?

A.

Cost and annual rate of expectance

B.

Subjective and Objective

C.

Qualitative and percent of loss realized

D.

Quantitative and qualitative

Full Access
Question # 50

Dataflow diagrams are used by IT auditors to:

A.

Order data hierarchically.

B.

Highlight high-level data definitions.

C.

Graphically summarize data paths and storage processes.

D.

Portray step-by-step details of data generation.

Full Access
Question # 51

Which of the following is the MOST effective way to measure the effectiveness of security controls on a perimeter network?

A.

Perform a vulnerability scan of the network

B.

External penetration testing by a qualified third party

C.

Internal Firewall ruleset reviews

D.

Implement network intrusion prevention systems

Full Access
Question # 52

Which of the following best describes the purpose of the International Organization for Standardization (ISO) 27002 standard?

A.

To give information security management recommendations to those who are responsible for initiating, implementing, or maintaining security in their organization.

B.

To provide a common basis for developing organizational security standards

C.

To provide effective security management practice and to provide confidence in inter-organizational dealings

D.

To established guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization

Full Access
Question # 53

Which of the following is a term related to risk management that represents the estimated frequency at which a threat is expected to transpire?

A.

Single Loss Expectancy (SLE)

B.

Exposure Factor (EF)

C.

Annualized Rate of Occurrence (ARO)

D.

Temporal Probability (TP)

Full Access
Question # 54

Which of the following activities is the MAIN purpose of the risk assessment process?

A.

Creating an inventory of information assets

B.

Classifying and organizing information assets into meaningful groups

C.

Assigning value to each information asset

D.

Calculating the risks to which assets are exposed in their current setting

Full Access
Question # 55

During the course of a risk analysis your IT auditor identified threats and potential impacts. Next, your IT auditor should:

A.

Identify and evaluate the existing controls.

B.

Disclose the threats and impacts to management.

C.

Identify information assets and the underlying systems.

D.

Identify and assess the risk assessment process used by management.

Full Access
Question # 56

As a new CISO at a large healthcare company you are told that everyone has to badge in to get in the building. Below your office window you notice a door that is normally propped open during the day for groups of people to take breaks outside. Upon looking closer you see there is no badge reader. What should you do?

A.

Nothing, this falls outside your area of influence.

B.

Close and chain the door shut and send a company-wide memo banning the practice.

C.

Have a risk assessment performed.

D.

Post a guard at the door to maintain physical security

Full Access
Question # 57

Creating good security metrics is essential for a CISO. What would be the BEST sources for creating security metrics for baseline defenses coverage?

A.

Servers, routers, switches, modem

B.

Firewall, exchange, web server, intrusion detection system (IDS)

C.

Firewall, anti-virus console, IDS, syslog

D.

IDS, syslog, router, switches

Full Access
Question # 58

The risk found after a control has been fully implemented is called:

A.

Residual Risk

B.

Total Risk

C.

Post implementation risk

D.

Transferred risk

Full Access
Question # 59

IT control objectives are useful to IT auditors as they provide the basis for understanding the:

A.

Desired results or purpose of implementing specific control procedures.

B.

The audit control checklist.

C.

Techniques for securing information.

D.

Security policy

Full Access
Question # 60

Which International Organization for Standardization (ISO) below BEST describes the performance of risk management, and includes a five-stage risk management methodology.

A.

ISO 27001

B.

ISO 27002

C.

ISO 27004

D.

ISO 27005

Full Access