A.  

Review the original solution set to determine if another system would fit the organization’s risk appetite and budget

regulatory compliance requirements

B.  

Continue with the implementation and submit change requests to the vendor in order to ensure required functionality will be provided when needed

C.  

Continue with the project until the scalability issue is validated by others, such as an auditor or third party assessor

D.  

Cancel the project if the business need was based on internal requirements versus regulatory compliance requirements

A.  

The Net Present Value (NPV) of the project is positive

B.  

The NPV of the project is negative

C.  

The Return on Investment (ROI) is larger than 10 months

D.  

The ROI is lower than 10 months

A.  

Safeguard Value

B.  

Cost Benefit Analysis

C.  

Single Loss Expectancy

D.  

Life Cycle Loss Expectancy

A.  

Authentication, Authorize, Validation

B.  

Provision, Administration, Enforcement

C.  

Administration, Validation, Protect

D.  

Provision, Administration, Authentication

A.  

Video surveillance

B.  

Mantrap

C.  

Bollards

D.  

Fence

A.  

Technology governance defines technology policies and standards while security governance does not.

B.  

Security governance defines technology best practices and Information Technology governance does not.

C.  

Technology Governance is focused on process risks whereas Security Governance is focused on business risk.

D.  

The effective implementation of security controls can be viewed as an inhibitor to rapid Information Technology implementations.

A.  

Weekly program budget reviews to ensure the percentage of program funding remains constant.

B.  

Annual review of program charters, policies, procedures and organizational agreements.

C.  

Daily monitoring of vulnerability advisories relating to your organization’s deployed technologies.

D.  

Monthly program tests to ensure resource allocation is sufficient for supporting the needs of the organization

A.  

Control Objectives for IT (COBIT)

B.  

Payment Card Industry-Data Security Standard (PCI-DSS)

C.  

International Organization Standard (ISO) 27002

D.  

National Institute of Standards and Technology (NIST) SP 800-30

A.  

Test every three years to ensure that things work as planned

B.  

Conduct periodic tabletop exercises to refine the BC plan

C.  

Outsource the creation and execution of the BC plan to a third party vendor

D.  

Conduct a Disaster Recovery (DR) exercise every year to test the plan

A.  

Chief Information Security Officer (CISO)

B.  

Security Operations Center (SO

C.  

Disaster Recovery (DR) manager

D.  

Incident Response Team (IRT)

A.  

security threat and vulnerability management process

B.  

risk assessment process

C.  

risk management process

D.  

governance, risk, and compliance tools

A.  

Cost and annual rate of expectance

B.  

Subjective and Objective

C.  

Qualitative and percent of loss realized

D.  

Quantitative and qualitative

A.  

Multiple certifications, strong technical capabilities and lengthy resume

B.  

Industry certifications, technical knowledge and program management skills

C.  

College degree, audit capabilities and complex project management

D.  

Multiple references, strong background check and industry certifications

A.  

Chief Information Security Officer

B.  

Chief Executive Officer

C.  

Chief Information Officer

D.  

Chief Legal Counsel

A.  

tell him to shut down the server

B.  

tell him to call the police

C.  

tell him to invoke the incident response process

D.  

tell him to analyze the problem, preserve the evidence and provide a full analysis and report

A.  

Grant her access, the employee has been adequately warned through the AUP.

B.  

Assist her with the request, but only after her supervisor signs off on the action.

C.  

Reset the employee’s password and give it to the supervisor.

D.  

Deny the request citing national privacy laws.

A.  

Upper management support

B.  

More frequent project milestone meetings

C.  

More training of staff members

D.  

Involve internal audit

A.  

Vested in the success and/or failure of a project or initiative regardless of budget implications.

B.  

Vested in the success and/or failure of a project or initiative and is tied to the project budget.

C.  

That has budget authority.

D.  

That will ultimately use the system.

A.  

Scope creep

B.  

Deadline extension

C.  

Scope modification

D.  

Deliverable expansion

A.  

Change management

B.  

Business continuity planning

C.  

Security Incident Response

D.  

Thought leadership

A.  

Download open source security tools and deploy them on your production network

B.  

Download trial versions of commercially available security tools and deploy on your production network

C.  

Download open source security tools from a trusted site, test, and then deploy on production network

D.  

Download security tools from a trusted source and deploy to production network

A.  

Risk averse

B.  

Risk tolerant

C.  

Risk conditional

D.  

Risk minimal

A.  

Cold site

B.  

Hot site

C.  

Warm site

D.  

Mobile backup site

A.  

Real-time off-site replication

B.  

Daily incremental backup

C.  

Daily full backup

D.  

Daily differential backup

A.  

non-repudiation

B.  

conflict resolution

C.  

strong authentication

D.  

digital rights management

A.  

The need to change accounting periods on a regular basis.

B.  

The requirement to post entries for a closed accounting period.

C.  

The need to create and modify the chart of accounts and its allocations.

D.  

The lack of policies and procedures for the proper segregation of duties.

A.  

Secure the area and shut-down the computer until investigators arrive

B.  

Secure the area and attempt to maintain power until investigators arrive

C.  

Immediately place hard drive and other components in an anti-static bag

D.  

Secure the area.

A.  

All vulnerabilities found on servers and desktops

B.  

Only critical and high vulnerabilities on servers and desktops

C.  

Only critical and high vulnerabilities that impact important production servers

D.  

All vulnerabilities that impact important production servers

A.  

Weekly

B.  

Monthly

C.  

Quarterly

D.  

Daily

A.  

Preventive actions

B.  

Inspection

C.  

Defect repair

D.  

Corrective actions

A.  

Upper management support

B.  

More frequent project milestone meetings

C.  

More training of staff members

D.  

Involve internal audit

A.  

1) Information technology strategic planning, 2) Enterprise strategic planning, 3) Cybersecurity or

information security strategic planning

B.  

1) Cybersecurity or information security strategic planning, 2) Enterprise strategic planning, 3) Information

technology strategic planning

C.  

1) Enterprise strategic planning, 2) Information technology strategic planning, 3) Cybersecurity or

information security strategic planning

D.  

1) Enterprise strategic planning, 2) Cybersecurity or information security strategic planning, 3) Information

technology strategic planning

A.  

Security Governance

B.  

Compliance management

C.  

Vendor management

D.  

Disaster recovery

A.  

Technical control(s)

B.  

Management control(s)

C.  

Policy control(s)

D.  

Operational control(s)

A.  

Network based security preventative control

B.  

Software segmentation control

C.  

Security detective control

D.  

User segmentation control

A.  

The portfolio is used to manage and track individual projects

B.  

The portfolio is used to manage incidents and events

C.  

A portfolio typically consists of several programs

D.  

A portfolio delivers one specific service or program to the business

A.  

The budget is in a temporary state of imbalance

B.  

The budget is operating at a deficit

C.  

She can realign the budget through moderate capital expense (CAPEX) allocation

D.  

She has a surplus of operational expenses (OPEX)

A.  

Staff

B.  

Scope

C.  

Schedule

D.  

Scan tools

A.  

Poses a strong technical background

B.  

Understand all regulations affecting the organization

C.  

Understand the business goals of the organization

D.  

Poses a strong auditing background

A.  

Susceptibility to attack, mitigation response time, and cost

B.  

Attack vectors, controls cost, and investigation staffing needs

C.  

Vulnerability exploitation, attack recovery, and mean time to repair

D.  

Susceptibility to attack, expected duration of attack, and mitigation availability

A.  

Security alignment to business goals

B.  

Regulatory compliance effectiveness

C.  

Increased security program presence

D.  

Proper organizational policy enforcement

A.  

Security

B.  

Business units

C.  

Board of Directors

D.  

Audit and compliance

A.  

Create a comprehensive security awareness program and provide success metrics to business units

B.  

Create security consortiums, such as strategic security planning groups, that include business unit participation

C.  

Ensure security implementations include business unit testing and functional validation prior to production rollout

D.  

Ensure the organization has strong executive-level security representation through clear sponsorship or the creation of a CISO role

A.  

Risk management governance becomes easier since most risks remain low once mitigated

B.  

Resources are not wasted on risks that are already managed to an acceptable level

C.  

Risk budgets are more easily managed due to fewer identified risks as a result of using a methodology

D.  

Risk appetite can increase within the organization once the levels are understood

A.  

security coding

B.  

data security system

C.  

data classification

D.  

privacy protection

A.  

Unable to control physical access to the servers

B.  

Unable to track log on activity

C.  

Unable to run anti-virus scans

D.  

Unable to patch systems as needed

A.  

Wireless Application Protocol (WAP)

B.  

Wifi Protected Access version 2 (WPA2)

C.  

Wireless Equivalence Protocol (WEP)

D.  

Extensible Authentication Protocol (EAP)

A.  

It is an IPSec protocol.

B.  

It is a text-based communication protocol.

C.  

It uses TCP port 22 as the default port and operates at the application layer.

D.  

It uses UDP port 22

A.  

Session encryption

B.  

Removing all stored procedures

C.  

Input sanitization

D.  

Library control

A.  

Shared key

B.  

Asynchronous

C.  

Open

D.  

None

A.  

Covert government networks

B.  

War driving maps

C.  

Government networks in Tora

D.  

Virtual network tunnels

A.  

Single loss expectancy multiplied by the annual rate of occurrence

B.  

Total loss expectancy multiplied by the total loss frequency

C.  

Value of the asset multiplied by the loss expectancy

D.  

Replacement cost multiplied by the single loss expectancy

A.  

Qualitative analysis

B.  

Quantitative analysis

C.  

Risk mitigation

D.  

Estimate activity duration

A.  

Executive summary

B.  

Penetration test agreement

C.  

Names and phone numbers of those who conducted the audit

D.  

Business charter

A.  

Procedural control

B.  

Management control

C.  

Technical control

D.  

Administrative control

A.  

The number of actionable items in the recommendations

B.  

How it exposes the risk tolerance of the company

C.  

How the recommendations directly support the goals of the company

D.  

The number of security controls the company has in use

A.  

At the end of the day once the employee is off site

B.  

During the monthly review cycle

C.  

Immediately so the employee account(s) can be disabled

D.  

Before an audit

A.  

An administrator with too much time on their hands.

B.  

Putting undue time commitment on the system administrator.

C.  

Supporting the concept of layered security

D.  

Network segmentation.

A.  

IT Management

B.  

Internal Audit

C.  

IT Security

D.  

BOD Audit Committee

A.  

Determine the annual loss expectancy (ALE)

B.  

Create a crisis management plan

C.  

Create technology recovery plans

D.  

Build a secondary hot site