1. Senior management commitment and support for information security can BEST be obtained through presentations that:
use illustrative examples of successful attacks.
explain the technical risks to the organization.
evaluate the organization against best security practices.
tie security risks to key business objectives.

Explanation:
Senior management seeks to understand the business justification for investing in security. This can best be
accomplished by tying security to key business objectives. Senior management will not be as interested in technical
risks or examples of successful attacks if they are not tied to the impact on business environment and objectives.
Industry best practices are important to senior management but, again, senior management will give them the right
level of importance when they are presented in terms of key business objectives.

2. Which of the following is characteristic of centralized information security management?
More expensive to administer
Better adherence to policies
More aligned with business unit needs
Faster turnaround of requests

Explanation:
Centralization of information security management results in greater uniformity and better adherence to security
policies. It is generally less expensive to administer due to the economies of scale. However, turnaround can be
slower due to the lack of alignment with business units.

3. The MOST important component of a privacy policy is:
Notifications
Warranties
Liabilities
Geographic coverage

Explanation:
Privacy policies must contain notifications and opt-out provisions; they are a high-level management statement of
direction. They do not necessarily address warranties, liabilities or geographic coverage, which are more specific.

4. It is MOST important that information security architecture be aligned with which of the following?
Industry best practices
Information technology plans
Information security best practices
Business objectives and goals

Explanation:
Information security architecture should always be properly aligned with business goals and objectives. Alignment
with IT plans or industry and security best practices is secondary by comparison.

5. Security technologies should be selected PRIMARILY on the basis of their:
ability to mitigate business risks
evaluations in trade publications
use of new and emerging technologies
benefits in comparison to their costs

Explanation:
The most fundamental evaluation criterion for the appropriate selection of any security technology is its ability to
reduce or eliminate business risks. Investments in security technologies should be based on their overall value in
relation to their cost; the value can be demonstrated in terms of risk mitigation. This should take precedence over
whether they use new or exotic technologies or how they are evaluated in trade publications.

6. Renee recently imaged a drive for use during a criminal investigation. She is working with law enforcement officers to conduct an analysis of the drive. If Renee is called to testify in court, what will be one of the primary things she must prove?
That the image was made using a write-blocker
That she holds a degree in forensic analysis
That the drive image is on hardware identical to the original drive
That the chain of custody of the evidence was preserved

Explanation:
The chain of custody requires that Renee be able to clearly document every change in contro

7. Which one of the following plans is not important to coordinate with the other th
Disaster recovery
Incident response
Data classification
Business continuity

Explanation:
Organizations should strive to integrate their incident response, disaster recovery and busine

8. Matt is developing a business continuity plan for his organization's website. The organization requires 24x7 availability for the site and any outage of more than a few minutes will have a critical reputational impact on the business. What would be the best control for use in this situation?
RAID
Geographically diverse failover site
Offsite backups
Insurance

Explanation:
A geographically distant failover site is the best control against a lengthy outage, as the backup site can assume operations in a matter of minutes.

9. Vivian recently completed a review of her organization's business continuity and disaster recovery plans. During the review, she encountered the following statement:

In the event that our storage system fails, we must be able to recover all files modified 60 minutes or more prior to the failure. Files modified in the 60 minutes leading up to the failure should be recovered if possible but are an acceptable loss.

What type of statement is this?
RPO
MTA
RTO
SLA

Explanation:
The Recovery Point Objective (RPO) is the amount of acceptable data loss in the event of a disaster, expressed as the period of time from which data may be lost.

10. Alan is performing a forensic examination of a disk drive and makes a copy for use in his analysis. What is the most important action he must take to provide evidence that the image is an exact copy of the original?
Use identical hardware to read the image that was used with the original disk.
Copy each file individually.
Perform digital hashing on the original and the copy.
Manually verify the contents of the image.

Explanation:
Digital hashes are a convenient and secure way to verify that two disks contain identical content.

11. Loraine is conducting a post-incident review after a breach of her organization's information security controls. Which one of the following actions is not normally part of a post-incident review?
Take appropriate remedial actions.
Reassess risks.
Punish those responsible for the incident.
Determine the root cause of the incident.

Explanation:
Organizations should conduct post-incident reviews that determine the root cause of information security incidents, develop corrective actions, reassess risk, evaluate response effectiveness and take appropriate remedial actions.

12. Tom recently hired a new team member for his organization's incident response team. The new team member comes from another organization and has information security experience but has never had incident response duties in the past. What type of training is most appropriate for this situation?

Undergraduate degree
Awareness
Hands-on experience
Formal incident response training

Explanation:
A new team member with no prior incident response experience should almost always receiv

13. Tyler would like to conduct a disaster recovery test and wants to use the most rigorous testing method possible that does not pose a significant risk of disrupting normal business operations. What type of test should Tyler conduct?
Parallel test
Full interruption test
Checklist review
Structured walkthrough

Explanation:
The full interruption test is the most effective way to test an organization's disaster recovery capabilities because it simulates a real disaster. However, it is also the most dangerous type of test because it could disrupt operations if it fails.
Structured walk-throughs provide the organization with important insight into their disaster recovery capabilities, but they are not as effective as full interruption or parallel tests.
During a checklist review, individuals review their disaster recovery responsibilities and provide input on the plan, but they do not gain the real-world practical test results that you would gain from a parallel or full interruption test.

14. Which one of the following attributes of an organization can an information security team best use to determine the appropriate level of resources to apply to mitigating an identified risk?
Budget
Risk transference
CVE rating
Risk appetite

Explanation:
While budgetary concerns may dictate available resources, the budget does not identify the appropriate level of risk mitigation. Organizations with insufficient funding to mitigate risk to the required level should pursue additional security funding.
CVE ratings are used to identify the significance of a vulnerability and are not directly applicable in determining how to mitigate a risk.
Risk transference is a risk management strategy used to shift risk to a third party. It is not used in determining the level of resources that should be applied toward mitigating a risk.

15. Bev is developing a risk management strategy for the effects of a cybersecurity incident on her organization. She chooses to purchase an insurance policy to cover the financial risks. What risk management strategy is Bev pursuing?
Risk mitigation
Risk transference
Risk avoidance
Risk acceptance

Explanation:
Risk mitigation actions reduce the likelihood and/or impact of a risk if it occurs. Purchasing insurance does not reduce either the likelihood or impact, but it does transfer some of the risk to a third party.
Risk acceptance involves a business decision to take no action in response to a risk. Purchasing insurance is an action, so this is not an example of risk acceptance.
Risk avoidance alters business operations to eliminate a risk. There is no indication that Bev is changing any business operations, so this is not an example of risk avoidance.