1-Security audit reviews should PRIMARILY:

Select an answer:
A. ensure that controls operate as required.

B. ensure that controls are cost-effective.

C. focus on preventive controls.

D. ensure controls are technologically current.

2-Which of the following is the BEST tool to maintain the

currency and coverage of an information security program
within an organization?

Select an answer:
A. The program's governance oversight mechanisms

B. Information security periodicals and manuals

C. The program's security architecture and design

D. Training and certification of the information security team

3-A PRIMARY characteristic of a well-established information

security culture is an alignment of:

Select an answer:
A. information security and business objectives.
 B. security controls with information technology.

C. concurrent security strategies.

D. values to protect corporate assets.

4-What is the GREATEST risk when there is an excessive

number of firewall rules?

Select an answer:
A. One rule may override another rule in the chain and create a loophole

B. Performance degradation of the whole network

C. The firewall may not support the increasing number of rules due to limitations

The firewall may show abnormal behavior and may crash or automatically shut
D.
down

5-Which of the following are the MOST important individuals to

include as members of an information security steering
committee?

Select an answer:
A. Direct reports to the chief information officer
 B. IT management and key business process owners

C. Cross-section of end users and IT professionals

D. Internal audit and corporate legal departments

6-Who is responsible for raising awareness of the need for

adequate funding to support risk mitigation plans?

Select an answer:
A. Chief information officer (CIO)

B. Chief financial officer (CFO)

C. Information security manager

D. Business unit management

7-Which of the following represents a PRIMARY area of interest

when conducting a penetration test?

Select an answer:
A. Data mining
 B. Network mapping

C. Intrusion Detection System (IDS)

D. Customer data

8-The implementation of continuous monitoring controls is the

BEST option where:

Select an answer:
A. incidents may have a high impact and frequency.

B. legislation requires strong information security controls.

C. incidents may have a high impact but low frequency.

D. electronic commerce is a primary business driver.

9-As an organization grows, exceptions to information security

policies that were not originally specified may become
necessary at a later date. In order to ensure effective
management of business risks, exceptions to such policies
should be:

Select an answer:
 A. considered at the discretion of the information owner.

B. approved by the next higher person in the organizational structure.

C. formally managed within the information security management framework.

D. reviewed and approved by the security manager.

10-The purpose of a corrective control is to:

Select an answer:
A. reduce adverse events.

B. indicate compromise.

C. mitigate impact.

D. ensure compliance.

11-To BEST improve the alignment of the information security

objectives in an organization, the chief information security
officer (CISO) should:

Select an answer:
A. revise the information security program.

B. evaluate a balanced business scorecard.

C. conduct regular user awareness sessions.

 D. perform penetration tests.

12-Which of the following is MOST important to the successful

promotion of good security management practices?

Select an answer:
A. Security metrics

B. Security baselines

C. Management support

D. Periodic training

13-Who can BEST advocate the development of and ensure

the success of an information security program?

Select an answer:
A. Internal auditor

B. Chief operating officer (COO)

C. Steering committee
 D. IT management

14-Which of the following will BEST ensure that management

takes ownership of the decision making process for information
security?

Select an answer:
A. Security policies and procedures

B. Annual self-assessment by management

C. Security steering committees

D. Security awareness campaigns

15-The PRIMARY goal of developing an information security

program is to:

Select an answer:
A. implement the strategy.

B. optimize resources.

C. deliver on metrics.

D. achieve assurance.
16-An information security manager reviewed the access
control lists and observed that privileged access was granted to
an entire department. Which of the following should the
information security manager do FIRST?

Select an answer:
A. Review the procedures for granting access

B. Establish procedures for granting emergency access

C. Meet with data owners to understand business needs

D. Redefine and implement proper access rights

17-The BEST evidence of a mature information security

program is:

Select an answer:
A. a comprehensive risk assessment and analysis.

B. the development of a physical security architecture.

C. completion of a controls statement of applicability.

D. an effective information security strategy.

18-Which web application attack facilitates unauthorized access

to a database?
 Select an answer:
A. Cross site request forgery

B. Structured Query Language (SQL) injection

C. Metasploit

D. Cross site scripting

19-To determine the selection of controls required to meet

business objectives, an information security manager should:

Select an answer:
A. prioritize the use of role-based access controls.

B. focus on key controls.

C. restrict controls to only critical applications.

D. focus on automated controls.

20-The return on investment of information security can BEST

be evaluated through which of the following?

Select an answer:
A. Support of business objectives
 B. Security metrics

C. Security deliverables

D. Process improvement models

21-When developing an information security program, what is

the MOST useful source of information for determining available
resources?

Select an answer:
A. Proficiency test

B. Job descriptions

C. Organization chart

D. Skills inventory

22-One of the MOST likely benefits of decentralized security

management is:

Select an answer:
A. reduction of the total cost of ownership (TCO).
 B. improved compliance with organizational policies and standards.

C. better alignment of security to business needs.

D. easier administration.

23-Which of the following is the MOST immediate consequence

of failing to tune a newly installed intrusion detection system
(IDS) with the threshold set to a low value?

Select an answer:
A. The number of false positives increases

B. The number of false negatives increases

C. Active probing is missed

D. Attack profiles are ignored

24-Which of the following constitutes the MAIN project activities

undertaken in developing an information security program?

Select an answer:
A. Controls design and deployment

B. Security organization development

 C. Logical and conceptual architecture design

D. Development of risk management objectives

25-Security policies should be aligned MOST closely with:

Select an answer:
A. industry best practices.

B. organizational needs.

C. generally accepted standards.

D. local laws and regulations.

26-Serious security incidents typically lead to renewed focus by

management on information security that then usually fades
over time. To BEST utilize this renewed focus, the information
security manager should make the case to:

Select an answer:
A. improve the integration of business and information security processes.

B. increase information security budgets and staffing levels.

C. develop tighter controlsand stronger compliance efforts.

 D. acquire better supplemental technical security controls.

27-The development of an information security program begins

with:

Select an answer:
A. a comprehensive risk assessment and analysis.

B. the development of a security architecture.

C. completion of a controls statement of applicability.

D. an effective information security strategy.

28-The effectiveness of virus detection software is MOST

dependent on which of the following?

Select an answer:
A. Packet filtering

B. Intrusion detection

C. Software upgrades

D. Definition files
29-Which of the following is the MOST critical success factor of
an information security program?

Select an answer:
A. Developing information security policies and procedures

B. Senior management commitment

C. Conducting security training and awareness for all users

D. Establishing an information security management system

30-Which of the following is MOST important to the success of

an information security program?

Select an answer:
A. Security awareness training

B. Achievable goals and objectives

C. Senior management sponsorship

D. Adequate start-up budget and staffing