You are having a penetration test done on your company network and the leader of the team says they discovered all the network devices because no one had changed the Simple Network Management Protocol (SNMP) community strings from the defaults. Which of the following is a default community string?
While designing a secondary data center for your company, what document needs to be analyzed to determine how much should be spent on building the data center?
As the Risk Manager of an organization, you are tasked with managing vendor risk assessments. During the assessment, you identified that the vendor is engaged with high-profile clients, and bad publicity can jeopardize your own brand.
Which is the BEST type of risk that defines this event?
A newly hired CISO needs to understand the organization's financial management standards for business units and operations. Which of the following would be the best source of this information?
When selecting a security solution with recurring maintenance costs after the first year (choose the BEST answer):
Which of the following is the MOST important component of any change management process?
Information Security is often considered an excessive, after-the-fact cost when a project or initiative is completed. What can be done to ensure that security is addressed cost effectively?
Which of the following methods are used to define contractual obligations that force a vendor to meet customer expectations?
Which of the following can the company implement in order to avoid this type of security issue in the future?
A department within your company has proposed a third-party vendor solution to address an urgent, critical business need. As the CISO, you have been asked to accelerate screening of their security control claims. Which of the following vendor-provided documents is BEST for making your decision?
What type of attack requires the least amount of technical equipment and has the highest success rate?
Your incident handling manager detects a virus attack in the network of your company. You develop a signature based on the characteristics of the detected virus. Which of the following phases in the incident handling process will utilize the signature to resolve this incident?
Physical security measures typically include which of the following components?
The process of creating a system which divides documents based on their security level to manage access to private data is known as
The general ledger setup function in an enterprise resource package allows for setting accounting periods. Access to this function has been permitted to users in finance, the shipping department, and production scheduling. What is the most likely reason for such broad access?
The process of identifying and classifying assets is typically included in the
The process for identifying, collecting, and producing digital information in support of legal proceedings is called
A customer of a bank has placed a dispute on a payment for a credit card account. The banking system uses digital signatures to safeguard the integrity of their transactions. The bank claims that the system shows proof that the customer in fact made the payment. What is this system capability commonly known as?
What is the FIRST step in developing the vulnerability management program?
An organization licenses and uses personal information for business operations, and a server containing that information has been compromised. What kind of law would require notifying the owner or licensee of this incident?
Which of the following international standards can be BEST used to define a Risk Management process in an organization?
Which of the following Intellectual Property components is focused on maintaining brand recognition?
The network administrator wants to strengthen physical security in the organization. Specifically, to implement a solution stopping people from entering certain restricted zones without proper credentials. Which of the following physical security measures should the administrator use?
Bob waits near a secured door, holding a box. He waits until an employee walks up to the secured door and uses the special card in order to access the restricted area of the target company. Just as the employee opens the door, Bob walks up to the employee (still holding the box) and asks the employee to hold the door open so that he can enter. What is the best way to undermine the social engineering activity of tailgating?
When project costs continually increase throughout implementation due to large or rapid changes in customer or user requirements, this is commonly known as:
Which of the following best describes an access control process that confirms the identity of the entity seeking access to a logical or physical area?
Which of the following conditions would be the MOST probable reason for a security project to be rejected by the executive board of an organization?
Scenario: You are the CISO and have just completed your first risk assessment for your organization. You find many risks with no security controls, and some risks with inadequate controls. You assign work to your staff to create or adjust existing security controls to ensure they are adequate for risk mitigation needs.
When formulating the remediation plan, what is a required input?
When analyzing and forecasting a capital expense budget, what is not included?
A CISO decides to analyze the IT infrastructure to ensure security solutions adhere to the concepts of how hardware and software are implemented and managed within the organization. Which of the following principles does this best demonstrate?
Your company has limited resources to spend on security initiatives. The Chief Financial Officer asks you to prioritize the protection of information resources based on their value to the company. It is essential that you be able to communicate in language that your fellow executives will understand. You should:
Knowing the potential financial loss an organization is willing to suffer if a system fails is a determination of which of the following?
Which of the following methodologies references the recommended industry standard that Information security project managers should follow?
To get an Information Security project back on schedule, which of the following will provide the MOST help?
A CISO implements smart cards for credential management, and as a result has reduced costs associated with help desk operations supporting password resets. This demonstrates which of the following principles?
A global retail organization is looking to implement a consistent Disaster Recovery and Business Continuity Process across all of its business units. Which of the following standards and guidelines can BEST address this organization’s need?
According to the National Institute of Standards and Technology (NIST) SP 800-40, which of the following considerations are MOST important when creating a vulnerability management program?
In which of the following cases would an organization be more prone to risk acceptance vs. risk mitigation?
The framework that helps to define a minimum standard of protection that business stakeholders must attempt to achieve is referred to as a standard of:
Payment Card Industry (PCI) compliance requirements are based on what criteria?
Which of the following is the MOST effective way to measure the effectiveness of security controls on a perimeter network?
Which of the following best describes the purpose of the International Organization for Standardization (ISO) 27002 standard?
Which of the following is a term related to risk management that represents the estimated frequency at which a threat is expected to transpire?
Which of the following activities is the MAIN purpose of the risk assessment process?
During the course of a risk analysis, your IT auditor identified threats and potential impacts. Next, your IT auditor should:
As a new CISO at a large healthcare company you are told that everyone has to badge in to get in the building. Below your office window you notice a door that is normally propped open during the day for groups of people to take breaks outside. Upon looking closer you see there is no badge reader. What should you do?
Creating good security metrics is essential for a CISO. What would be the BEST sources for creating security metrics for baseline defenses coverage?
IT control objectives are useful to IT auditors as they provide the basis for understanding the:
Which International Organization for Standardization (ISO) standard below BEST describes the performance of risk management and includes a five-stage risk management methodology?