EC-Council Certified CISO (CCISO)
Last Update Sep 16, 2025
Total Questions : 494
We are offering FREE 712-50 ECCouncil exam questions. All you need to do is sign up, enter your details, and practise with the 712-50 free exam questions; you can then move on to the complete pool of EC-Council Certified CISO (CCISO) test questions for further preparation.
SQL injection is a very popular and successful injection attack method. Identify the basic SQL injection text:
This occurs when the quantity or quality of project deliverables is expanded from the original project plan.
Which of the following can the company implement in order to avoid this type of security issue in the future?
Which of the following functions implements and oversees the use of controls to reduce risk when creating an information security program?
Which of the following terms is used to describe countermeasures implemented to minimize risks to physical property, information, and computing systems?
Scenario: You are the CISO and have just completed your first risk assessment for your organization. You find many risks with no security controls, and some risks with inadequate controls. You assign work to your staff to create or adjust existing security controls to ensure they are adequate for risk mitigation needs.
When formulating the remediation plan, what is a required input?
Scenario: You are the newly hired Chief Information Security Officer for a company that has not previously had a senior level security practitioner. The company lacks a defined security policy and framework for their Information Security Program. Your new boss, the Chief Financial Officer, has asked you to draft an outline of a security policy and recommend an industry/sector neutral information security control framework for implementation.
Which of the following industry / sector neutral information security control frameworks should you recommend for implementation?
Scenario: Your corporate systems have been under constant probing and attack from foreign IP addresses for more than a week. Your security team and security infrastructure have performed well under the stress. You are confident that your defenses have held up under the test, but rumors are spreading that sensitive customer data has been stolen and is now being sold on the Internet by criminal elements. During your investigation of the rumored compromise you discover that data has been breached and you have discovered the repository of stolen data on a server located in a foreign country. Your team now has full access to the data on the foreign server.
Your defenses did not hold up to the test as originally thought. As you investigate how the data was compromised through log analysis you discover that a hardworking, but misguided business intelligence analyst posted the data to an obfuscated URL on a popular cloud storage service so they could work on it from home during their off-time. Which technology or solution could you deploy to prevent employees from removing corporate data from your network? Choose the BEST answer.
Scenario: Your program is developed around minimizing risk to information by focusing on people, technology, and operations.
You have decided to deal with risk to information from people first. How can you minimize risk to your most sensitive information before granting access?
Which type of physical security control scans a person’s external features through a digital video camera before granting access to a restricted area?
The process of creating a system which divides documents based on their security level to manage access to private data is known as
Your incident handling manager detects a virus attack in the network of your company. You develop a signature based on the characteristics of the detected virus. Which of the following phases in the incident handling process will utilize the signature to resolve this incident?
The general ledger setup function in an enterprise resource package allows for setting accounting periods. Access to this function has been permitted to users in finance, the shipping department, and production scheduling. What is the most likely reason for such broad access?
You are having a penetration test done on your company network and the leader of the team says they discovered all the network devices because no one had changed the Simple Network Management Protocol (SNMP) community strings from the defaults. Which of the following is a default community string?
The ability to hold intruders accountable in a court of law is important. Which of the following activities are needed to ensure the highest possibility for successful prosecution?
What is the term describing the act of inspecting all real-time Internet traffic (i.e., packets) traversing a major Internet backbone without introducing any apparent latency?
Physical security measures typically include which of the following components?
In terms of supporting a forensic investigation, it is now imperative that managers, first-responders, etc., accomplish the following actions to the computer under investigation:
How often should the Statements of Standards for Attestation Engagements-16 (SSAE16)/International Standard on Assurance Engagements 3402 (ISAE3402) report of your vendors be reviewed?
An international organization is planning a project to implement encryption technologies to protect company confidential information. This organization has data centers on three continents. Which of the following would be considered a MAJOR constraint for the project?
Which of the following represents the BEST method for obtaining business unit acceptance of security controls within an organization?
Which of the following best summarizes the primary goal of a security program?
The company decides to release the application without remediating the high-risk vulnerabilities. Which of the following is the MOST likely reason for the company to release the application?
Risk appetite is typically determined by which of the following organizational functions?
You currently cannot provide for 24/7 coverage of your security monitoring and incident response duties and your company is resistant to the idea of adding more full-time employees to the payroll. Which combination of solutions would help to provide the coverage needed without the addition of more dedicated staff? (choose the best answer):
Which of the following is critical in creating a security program aligned with an organization’s goals?
Which of the following will be MOST helpful for getting an Information Security project that is behind schedule back on schedule?
When managing the critical path of an IT security project, which of the following is MOST important?
To get an Information Security project back on schedule, which of the following will provide the MOST help?
The security team has investigated the theft/loss of several unencrypted laptop computers containing sensitive corporate information. To prevent the loss of any additional corporate data it is unilaterally decided by the CISO that all existing and future laptop computers will be encrypted. Soon, the help desk is flooded with complaints about the slow performance of the laptops and users are upset. What did the CISO do wrong? (choose the BEST answer):
As the CISO for your company you are accountable for the protection of information resources commensurate with:
A system was hardened at the Operating System level and placed into the production environment. Months later an audit was performed and it identified insecure configuration different from the original hardened state. Which of the following security issues is the MOST likely reason leading to the audit findings?
Knowing the potential financial loss an organization is willing to suffer if a system fails is a determination of which of the following?
Which of the following represents the best method of ensuring business unit alignment with security program requirements?
A CISO has recently joined an organization with a poorly implemented security program. The desire is to base the security program on a risk management approach. Which of the following is a foundational requirement in order to initiate this type of program?
Which of the following information may be found in table top exercises for incident response?
An organization has a stated requirement to block certain traffic on networks. The implementation of controls will disrupt a manufacturing process and cause unacceptable delays, resulting in severe revenue disruptions. Which of the following is MOST likely to be responsible for accepting the risk until mitigating controls can be implemented?
Which business stakeholder is accountable for the integrity of a new information system?
When considering using a vendor to help support your security devices remotely, what is the BEST choice for allowing access?
You manage a newly created Security Operations Center (SOC); your team is being inundated with security alerts and doesn’t know what to do. What is the BEST approach to handle this situation?
Which of the following functions evaluates risk present in IT initiatives and/or systems when implementing an information security program?
When gathering security requirements for an automated business process improvement program, which of the following is MOST important?
SCENARIO: A Chief Information Security Officer (CISO) recently had a third party conduct an audit of the security program. Internal policies and international standards were used as audit baselines. The audit report was presented to the CISO and a variety of high, medium and low rated gaps were identified.
The CISO has validated audit findings, determined if compensating controls exist, and started initial remediation planning. Which of the following is the MOST logical next step?
Michael starts a new job and discovers that he has unnecessary access to a variety of systems. Which of the following best describes the problem he has encountered?
Smith, the project manager for a larger multi-location firm, is leading a software project team that has 18 members, 5 of which are assigned to testing. Due to recent recommendations by an organizational quality audit team, the project manager is convinced to add a quality professional to lead the test team at additional cost to the project.
The project manager is aware of the importance of communication for the success of the project and takes the step of introducing additional communication channels, making it more complex, in order to assure quality levels of the project. What will be the first project management document that Smith should change in order to accommodate additional communication channels?
You are just hired as the new CISO and are being briefed on all the Information Security projects that your section has on going. You discover that most projects are behind schedule and over budget.
Using the best business practices for project management you determine that the project correctly aligns with the company goals. What needs to be verified FIRST?
Which of the following is MOST useful when developing a business case for security initiatives?
A system is designed to dynamically block offending Internet IP-addresses from requesting services from a secure website. This type of control is considered
Scenario: Your corporate systems have been under constant probing and attack from foreign IP addresses for more than a week. Your security team and security infrastructure have performed well under the stress. You are confident that your defenses have held up under the test, but rumors are spreading that sensitive customer data has been stolen and is now being sold on the Internet by criminal elements. During your investigation of the rumored compromise you discover that data has been breached and you have discovered the repository of stolen data on a server located in a foreign country. Your team now has full access to the data on the foreign server.
What action should you take FIRST?
Scenario: Your company has many encrypted telecommunications links for their world-wide operations. Physically distributing symmetric keys to all locations has proven to be administratively burdensome, but symmetric keys are preferred to other alternatives.
How can you reduce the administrative burden of distributing symmetric keys for your employer?
The new CISO was informed of all the Information Security projects that the organization has in progress. Two projects are over a year behind schedule and over budget. Using best business practices for project management you determine that the project correctly aligns with the company goals.
Which of the following needs to be performed NEXT?
Scenario: You are the CISO and have just completed your first risk assessment for your organization. You find many risks with no security controls, and some risks with inadequate controls. You assign work to your staff to create or adjust existing security controls to ensure they are adequate for risk mitigation needs.
You have identified potential solutions for all of your risks that do not have security controls. What is the NEXT step?
Scenario: Most industries require compliance with multiple government regulations and/or industry standards to meet data protection and privacy mandates.
What is one proven method to account for common elements found within separate regulations and/or standards?
Bob waits near a secured door, holding a box. He waits until an employee walks up to the secured door and uses the special card in order to access the restricted area of the target company. Just as the employee opens the door, Bob walks up to the employee (still holding the box) and asks the employee to hold the door open so that he can enter. What is the best way to undermine the social engineering activity of tailgating?
Scenario: Your organization employs single sign-on (user name and password only) as a convenience to your employees to access organizational systems and data. Permission to individual systems and databases is vetted and approved through supervisors and data owners to ensure that only approved personnel can use particular applications or retrieve information. All employees have access to their own human resource information, including the ability to change their bank routing and account information and other personal details through the Employee Self-Service application. All employees have access to the organizational VPN.
Once supervisors and data owners have approved requests, information system administrators will implement
Where does bottom-up financial planning primarily gain information for creating budgets?
Your company has limited resources to spend on security initiatives. The Chief Financial Officer asks you to prioritize the protection of information resources based on their value to the company. It is essential that you be able to communicate in language that your fellow executives will understand. You should:
Which of the following information would MOST likely be reported at the board-level within an organization?
During the 3rd quarter of a budget cycle, the CISO noticed she spent more than was originally planned in her annual budget. What is the condition of her current budgetary posture?
A cloud computing environment that is bound together by technology that allows data and applications to be shared between public and private clouds is BEST referred to as a?
When developing the Business Impact Assessment (BIA), which of the following MOST closely relates to data backup and restoration?
What is an approach to estimating the strengths and weaknesses of alternatives used to determine options, which provide the BEST approach to achieving benefits while preserving savings called?
While Cost Benefit Analysis (CBA) is the easiest calculation among financial tools, what is its main weakness?
A university recently hired a CISO. One of the first tasks is to develop a continuity of operations plan (COOP).
In developing the business impact assessment (BIA), which of the following MOST closely relates to data backup and restoral?
What organizational structure combines the functional and project structures to create a hybrid of the two?
The Board of Directors of a publicly-traded company is concerned about the security implications of a strategic project that will migrate 50% of the organization’s information technology assets to the cloud. They have requested a briefing on the project plan and a progress report of the security stream of the project. As the CISO, you have been tasked with preparing the report for the Chief Executive Officer to present.
Using the Earned Value Management (EVM), what does a Cost Variance (CV) of -1,200 mean?
An organization has decided to develop an in-house BCM capability. The organization has determined it is best to follow a BCM standard published by the International Organization for Standardization (ISO).
The BEST ISO standard to follow that outlines the complete lifecycle of BCM is?
What is protected by Federal Information Processing Standards (FIPS) 140-2?
From the CISO’s perspective in looking at financial statements, the statement of retained earnings of an organization:
A Security Operations Manager is finding it difficult to maintain adequate staff levels to monitor security operations during off-hours. To reduce the impact of staff shortages and increase coverage during off-hours, the SecOps manager is considering outsourcing off-hour coverage.
What Security Operations Center (SOC) model does this BEST describe?
What is the purpose of the statement of retained earnings of an organization?
To make sure that the actions of all employees, applications, and systems follow the organization’s rules and regulations can BEST be described as which of the following?
When evaluating a Managed Security Services Provider (MSSP), which service(s) is/are most important:
A CISO decides to analyze the IT infrastructure to ensure security solutions adhere to organizational implementation and management requirements. Which of the following principles does this BEST demonstrate?
Effective information security management programs require the active involvement of_________
Which of the following provides the BEST approach to achieving positive outcomes while preserving savings?
Which of the following strategies provides the BEST response to a ransomware attack?
With a focus on the review and approval aspects of board responsibilities, the Data Governance Council recommends that the boards provide strategic oversight regarding information and information security, include these four things:
Optical biometric recognition such as retina scanning provides access to facilities through reading the unique characteristics of a person’s eye.
However, authorization failures can occur with individuals who have?
Providing oversight of an information security program for the organization is the primary responsibility of which group?
The alerting, monitoring, and lifecycle management of security-related events are typically managed by the:
If a CISO wants to understand the liabilities of the company, she will refer to the:
What is the primary difference between Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)?
Which of the following is a countermeasure to prevent unauthorized database access from web applications?
What is the FIRST step in developing the vulnerability management program?
One of your executives needs to send an important and confidential email. You want to ensure that the message cannot be read by anyone but the recipient. Which of the following keys should be used to encrypt the message?
While designing a secondary data center for your company, what document needs to be analyzed to determine how much should be spent on building the data center?
Which of the following is MOST important when tuning an Intrusion Detection System (IDS)?
The process for identifying, collecting, and producing digital information in support of legal proceedings is called
Which of the following is the MAIN security concern for public cloud computing?
What type of attack requires the least amount of technical equipment and has the highest success rate?
An access point (AP) is discovered using Wireless Equivalent Protocol (WEP). The ciphertext sent by the AP is encrypted with the same key and cipher used by its stations. What authentication method is being used?
The process of identifying and classifying assets is typically included in the
A customer of a bank has placed a dispute on a payment for a credit card account. The banking system uses digital signatures to safeguard the integrity of their transactions. The bank claims that the system shows proof that the customer in fact made the payment. What is this system capability commonly known as?
Security related breaches are assessed and contained through which of the following?
Your penetration testing team installs an in-line hardware key logger onto one of your network machines. Which of the following is of major concern to the security organization?
As a CISO you need to understand the steps that are used to perform an attack against a network. Put each step into the correct order.
1. Covering tracks
2. Scanning and enumeration
3. Maintaining Access
4. Reconnaissance
5. Gaining Access
Your organization provides open guest wireless access with no captive portals. What can you do to assist with law enforcement investigations if one of your guests is suspected of committing an illegal act using your network?
Network Forensics is the prerequisite for any successful legal action after attacks on your Enterprise Network. Which is the single most important factor to introducing digital evidence into a court of law?
Which of the following statements about Encapsulating Security Payload (ESP) is true?
An organization has implemented a change management process for all changes to the IT production environment. This change management process follows best practices and is expected to help stabilize the availability and integrity of the organization’s IT environment. Which of the following can be used to measure the effectiveness of this newly implemented process:
Which of the following is MOST important when dealing with an Information Security Steering committee:
When creating a vulnerability scan schedule, who is the MOST critical person to communicate with in order to ensure impact of the scan is minimized?
When an organization claims it is secure because it is PCI-DSS certified, what is a good first question to ask towards assessing the effectiveness of their security program?
Which of the following is the PRIMARY purpose of International Organization for Standardization (ISO) 27001?
As the new CISO at the company you are reviewing the audit reporting process and notice that it includes only detailed technical diagrams. What else should be in the reporting process?
Credit card information, medical data, and government records are all examples of:
Which of the following are necessary to formulate responses to external audit findings?
To have accurate and effective information security policies how often should the CISO review the organization policies?
A global health insurance company is concerned about protecting confidential information. Which of the following is of MOST concern to this organization?
If your organization operates under a model of "assumption of breach", you should:
Which of the following reports should you as an IT auditor use to check on compliance with a service level agreement’s requirement for uptime?
A Chief Information Security Officer received a list of high, medium, and low impact audit findings. Which of the following represents the BEST course of action?
An organization is required to implement background checks on all employees with access to databases containing credit card information. This is considered a security
The MOST common method to get an unbiased measurement of the effectiveness of an Information Security Management System (ISMS) is to
According to the National Institute of Standards and Technology (NIST) SP 800-40, which of the following considerations are MOST important when creating a vulnerability management program?
Which of the following functions MUST your Information Security Governance program include for formal organizational reporting?
When measuring the effectiveness of an Information Security Management System which one of the following would be MOST LIKELY used as a metric framework?
Which of the following most commonly falls within the scope of an information security governance steering committee?
An audit was conducted and many critical applications were found to have no disaster recovery plans in place. You conduct a Business Impact Analysis (BIA) to determine impact to the company for each application. What should be the NEXT step?
What should an organization do to ensure that they have a sound Business Continuity (BC) Plan?
The patching and monitoring of systems on a consistent schedule is required by?
Quantitative Risk Assessments have the following advantages over qualitative risk assessments:
During the course of a risk analysis your IT auditor identified threats and potential impacts. Next, your IT auditor should:
Which of the following is the MAIN reason to follow a formal risk management process in an organization that hosts and uses privately identifiable information (PII) as part of their business models and processes?