[Q17-Q36] Latest 712-50 Exam with Accurate EC-Council Certified CISO (CCISO) PDF Questions [Feb 27, 2023]


Practice To 712-50 – ValidBraindumps Remarkable Practice On your EC-Council Certified CISO (CCISO) Exam

Q17. An organization has defined a set of standard security controls. This organization has also defined the circumstances and conditions in which they must be applied. What is the NEXT logical step in applying the controls in the organization?

 
 
 
 

Q18. The FIRST step in establishing a security governance program is to?

 
 
 
 

Q19. Providing oversight of a comprehensive information security program for the entire organization is the primary responsibility of which group under the InfoSec governance framework?

 
 
 
 

Q20. Scenario: Your program is developed around minimizing risk to information by focusing on people, technology, and operations.
An effective way to evaluate the effectiveness of an information security awareness program for end users, especially senior executives, is to conduct periodic:

 
 
 
 

Q21. A CISO implements smart cards for credential management, and as a result has reduced costs associated with help desk operations supporting password resets. This demonstrates which of the following principles?

 
 
 
 

Q22. Which business stakeholder is accountable for the integrity of a new information system?

 
 
 
 

Q23. An IT auditor has recently discovered that because of a shortage of skilled operations personnel, the security administrator has agreed to work one late night shift a week as the senior computer operator. The most appropriate course of action for the IT auditor is to:

 
 
 
 

Q24. A Chief Information Security Officer received a list of high, medium, and low impact audit findings.
Which of the following represents the BEST course of action?

 
 
 
 

Q25. What type of attack requires the least amount of technical equipment and has the highest success rate?

 
 
 
 

Q26. The FIRST step in establishing a security governance program is to?

 
 
 
 

Q27. You are having a penetration test done on your company network and the leader of the team says they discovered all the network devices because no one had changed the Simple Network Management Protocol (SNMP) community strings from the defaults. Which of the following is a default community string?

 
 
 
 

Q28. An organization is looking for a framework to measure the efficiency and effectiveness of their Information Security Management System. Which of the following international standards can BEST assist this organization?

 
 
 
 

Q29. Which of the following is MOST likely to be discretionary?

 
 
 
 

Q30. Which of the following represents the BEST method of ensuring security program alignment to business needs?

 
 
 
 

Q31. Risk appetite is typically determined by which of the following organizational functions?

 
 
 
 

Q32. Which of the following is a fundamental component of an audit record?

 
 
 
 

Q33. Scenario: Critical servers show signs of erratic behavior within your organization’s intranet. Initial information indicates the systems are under attack from an outside entity. As the Chief Information Security Officer (CISO), you decide to deploy the Incident Response Team (IRT) to determine the details of this incident and take action according to the information available to the team.
In what phase of the response will the team extract information from the affected systems without altering original data?

 
 
 
 

Q34. Scenario: You are the CISO and have just completed your first risk assessment for your organization. You find many risks with no security controls, and some risks with inadequate controls. You assign work to your staff to create or adjust existing security controls to ensure they are adequate for risk mitigation needs.
You have identified potential solutions for all of your risks that do not have security controls. What is the NEXT step?

 
 
 
 

Q35. As the CISO for your company you are accountable for the protection of information resources commensurate with:

 
 
 
 

Q36. Which of the following is true regarding expenditures?

 
 
 
 

Exam Questions and Answers for 712-50 Study Guide Questions and Answers!: https://www.validbraindumps.com/712-50-exam-prep.html

         
