The document contains 5 passages about risk management, information security standards, and compliance. Each passage presents multiple choice questions about concepts related to these topics. The correct answers demonstrate an understanding of common frameworks for measuring and managing risk, security, and compliance such as ISO 27001, ISO 27005, PCI DSS, NIST standards, and ITIL. High-level knowledge of these frameworks, standards, and related concepts is tested.
CCISO Practice Questions and Reasoning
DOMAIN 1
1. An organization recently implemented a risk management program to measure the risk of IT projects. Which of the following cases would this organization be MORE willing to accept vs. mitigate risk?
A. The organization uses a quantitative process to measure risk. Incorrect because it is a method to analyze risk in terms of asset value.
B. The organization uses a qualitative process to measure risk. Incorrect because it is an assessment methodology that applies estimates.
C. The organization's risk tolerance is high. High tolerance means willing to continue with high risk conditions.
D. The organization's risk tolerance is low. If an organization will not accept a high level of risk, it indicates a low tolerance for it.

2. An organization is looking for a framework to measure the efficiency and effectiveness of their Information Security Management System (ISMS). Which of the following international standards can BEST assist this organization?
A. Payment Card Industry Data Security Standards (PCI-DSS). PCI is not a complete ISMS, but a set of standards for protecting credit card transactions.
B. Control Objectives for Information Technology (COBIT). This is a definition of Control Objectives for Information and Related Technologies, focused on IT operations.
C. International Organization for Standardization (ISO) 27004. ISO/IEC 27004 provides guidelines intended to assist organizations in evaluating the information security performance and the effectiveness of an information security management system.
D. International Organization for Standardization (ISO) 27005. ISO 27005 is the international standard that describes how to conduct an information security risk assessment.

3. A global healthcare company is concerned about protecting confidential information. Which of the following is of MOST concern to this organization?
A. Compliance to Payment Card Industry (PCI) Data Security Standard. PCI standards are applied to credit card transactions. A healthcare company might have to deal with these transactions, but it is not the core of their business.
B. Compliance to privacy laws and regulations for each country where they operate. Healthcare organizations have stringent compliance laws regarding the protection of patient data, such as HIPAA.
C. Conformance to local employment laws for each country where they operate. While employment law compliance is important, it is not critical to the core operation of the healthcare provider.
D. Alignment to International Organization for Standardization (ISO). This answer is too vague to consider as valid: which ISO standard?

4. A retail company is working on defining a compliance management process. Which of the following are MOST likely to be included?
A. Payment Card Industry Data Security Standards (PCI-DSS). PCI standards are applied to credit card transactions, and since we are talking about a retail operation, this is the best choice.
B. Information Technology Infrastructure Library (ITIL). This is generic to all types of companies, and not always applied. It is a framework designed to standardize the selection, planning, delivery, maintenance, and overall lifecycle of IT (information technology) services.
C. International Organization for Standardization (ISO) standards. ISO standards are optional, plus the answer is very generic: which ISO standards?
D. National Institute of Standards and Technology (NIST) standards. Again, very generic. NIST develops and disseminates a wide range of standards that allow technology to work seamlessly and business to operate smoothly.

5. An organization is looking to implement a consistent Disaster Recovery and Business Continuity Process across all its business units. Which of the following standards and guidelines can BEST address this organization's need?
A. International Organization for Standardization 27005 (ISO-27005). This standard describes risk assessment methodology.
B. International Organization for Standardization 22301 (ISO-22301). ISO 22301 is the International Standard for implementing and maintaining effective business continuity plans, systems and processes.
C. Information Technology Infrastructure Library (ITIL). ITIL is a set of controls applied to IT services. It includes some DR/BCP management guidance, but is not focused on it.
D. Payment Card Industry Data Security Standards (PCI-DSS). PCI is focused on securing card transactions.

DOMAIN 2

1. The Information Technology Infrastructure Library Version 4 (ITIL® 4) Information Security Management Practice is based on which standard? Choose the BEST answer.
A. International Organization for Standardization (ISO) 27799. These are security guidelines taking into consideration the organization's information security risk environment(s).
B. International Organization for Standardization (ISO) 27001. ITIL is based on 27001, a framework that helps organizations establish, implement, operate, monitor, review, maintain and continually improve an ISMS.
C. National Institute of Standards & Technology (NIST) Special Publication 800-30. Special Publication 800-30 is focused on risk assessments of federal information systems and organizations.
D. National Institute of Standards & Technology (NIST) Special Publication 800-124. SP 800-124 provides guidelines for managing the security of mobile devices in the enterprise.

2. Your information-security program is technically well provisioned; however, you observe employee data and financial information exposed through compromised account credentials. From the choices provided, what should you do FIRST to minimize this threat?
A. Reset passwords for suspected compromised accounts. This is the fastest method of immediately addressing compromised credentials.
B. Educate users about the threat of phishing. This takes time while the compromise is active.
C. Monitor the perimeter firewall for signs of phishing. This is wrong because you are not directly addressing the active threat condition; you are only monitoring the situation.
D. Contact a reputable security vendor to install an anti-phishing appliance. Again, this is not an effective resolution to the current active threat.

3. An effective method for reducing the impact of credential theft is: Choose the BEST answer.
A. Gaining the trust of your users so they will listen to you. Having trust does not equate to applying effective security controls.
B. Implementing employee monitoring so they don't go to unauthorized sites. You don't know if visiting sites is the only credential leakage vector.
C. Deploying multi-factor authentication so accounts are better protected. Multi-factor authentication would add an effective layer of control for remediating credential leakage and compromise.
D. Resetting passwords every thirty days. This may seem correct, but we don't know how often they are currently reset, nor does simply resetting them correct a credential protection issue.

4. Metrics capable of demonstrating that an organization is susceptible to, or has a high probability of being susceptible to, a risk that exceeds the acceptable risk appetite are KNOWN AS:
A. Key Performance Indicators (KPI). KPI is too generic; it can be applied in a wide range of metrics, systems, processes, etc.
B. Key Risk Indicators (KRI). KRIs provide the 'fence', if you will; they tell you when you have exceeded certain risk conditions.
C. Insurance Actuary Tables (IAT). Incorrect because IATs are used by insurance companies to determine the probability of certain events occurring.
D. Risk Assumption Tables (RAT). Incorrect because it is a repository, not a metric.

5. A primary consideration when selecting to transfer risk as a risk treatment option is? Choose the BEST answer.
A. Capital cost. Capital cost typically relates to the purchase of equipment.
B. Selection of a security control vendor. Just selecting a vendor does not transfer the risk.
C. Security consultant fees. Fees do not address any risk condition.
D. Insurance cost. Transference of risk typically involves purchasing cyber insurance.

DOMAIN 3

1. A CISO has a limited budget for security-technology purchases. The desire is to create a tiered security architecture using a phased approach. Which of the following represents the BEST approach for obtaining the security program's objectives and supporting the organization's security needs?
A. Complete the easiest hardening actions first to demonstrate positive action toward the security goal. This is good for showing rapid positive program impact, but not so much for managing risk with limited funds.
B. Apply technology against the highest target value infrastructure while closely monitoring spending. This is correct for getting maximum benefit from limited funds: address the highest threat first.
C. Install protections on Information Technology (IT) assets experiencing the highest number of intrusive activities. This did not say 'successful'. High volume attack points do not always equate to the highest risk.
D. Determine the necessary security-program reporting metrics and apply protections according to monthly report results. This answer does not include the funding factor, which is what we are trying to solve.

2. For a CISO to have true consolidated situational awareness, there is a need to deploy technology that can give a real-time view of security events across the enterprise. Which of the following tools represents the BEST choice to achieve this awareness?
A. Vulnerability scanning system. Scanning finds vulnerabilities but does not provide real-time situational awareness.
B. Intrusion Detection System (IDS). An IDS might be applied to high risk systems and collect attack information, but not necessarily consolidate attack data across a wide range of systems and environments.
C. Firewalls. Firewalls use rules to analyze, block, and report, but are not consolidation points for other security tech.
D. Security Incident Event Management (SIEM). SIEM consolidates real-time data from a wide range of systems and environments, providing the 'single pane' view of security in the enterprise.

3. What is the MAIN responsibility of a Purple Security Testing team?
A. They defend against simulated hacker attacks. Defenders are typically called the Blue Team.
B. They emulate hackers to compromise systems. This is done by the Red Team.
C. They integrate the defensive tactics and controls from the Blue Team with the threats and vulnerabilities found by the Red Team. There is the logic that blue mixed with red makes purple, and using inputs from the red and blue teams is the correct answer.
D. They oversee security testing and results. Testing and results can be managed by a wide range of individuals, and this is not the main responsibility of a Purple team.

4. Your company leverages an employee self-service portal for common human-resource-related tasks such as providing annual tax documents, changing direct-deposit information, and signing up for health benefits. Several employees have complained that they have not received their paychecks this month; everyone else received their paychecks as usual. What is the MOST likely cause?
A. Their respective financial institutions were compromised right before payroll was deposited and their accounts were emptied. The impact was somewhat spotty: why a few but not all? A pattern would emerge if a single bank was involved, which was not stated.
B. An accounting "glitch" skipped their pay accounts during the payroll audit and failed to issue them a check. If it was a glitch in the payment system there would be more widespread impact.
C. They failed to submit their timecards by the deadline. This is typically flagged before a payday, and would be discovered through system reporting, making it not likely.
D. Their company credentials were stolen and used to modify bank routing and account information. This is the most likely cause: only a small number were impacted and there was no other correlating cause/effect.

5. Controlled phishing campaigns against your own employees:
A. Help you identify areas where you have the potential to improve your training efforts to increase employee resilience against attacks. Phishing campaign results provide direct feedback on the effectiveness of your employee training program.
B. Target employees that are not following company policy and therefore must be let go. Phishing campaigns are not designed, by nature, to cull employees from an organization.
C. Reduce the amount of time that employees read real fraudulent email and therefore prevent the opportunity to be compromised. Phishing campaigns work to improve fraudulent email recognition, not eliminate the reading of it.
D. Should not be conducted because it desensitizes them to real-world threats, hindering their ability to detect phishing attempts. This is simply untrue; it improves their ability to recognize real-world phishing attempts.

DOMAIN 4

1. Advanced Persistent Threat (APT) is BEST characterized by which of the following?
A. High volumes of unauthorized insider activities such as copying data onto portable storage devices or electronic destruction of high value assets. This is typical 'noisy' insider threat activity.
B. Creative insertions of malicious code into applications and databases using known code vulnerabilities and weaknesses. This is typical of cybercriminals as they gain entry into systems and can be pretty 'noisy'.
C. Continuous flooding of network perimeters with system requests causing long-term delays and interruptions. This is VERY noisy DDoS activity that is easily spotted and (hopefully) rectified.
D. Methodical advancement of unauthorized access across systems as valuable assets are discovered using a variety of penetration techniques. This is indicative of APT: quiet, stealthy advancement through infrastructure and systems.

2. A vulnerability assessment discovers that it is possible for an attacker to force an authorization step to take place before the authentication step is completed successfully. What type of issue would ALLOW for this type of compromise to take place?
A. Maintenance hook. This is a trap door in code that allows unauthorized access to software.
B. Backdoor. This is the provisioning of methods to subvert security controls.
C. Race condition. A race condition introduces errors in which processes and steps can be completed out of sequence, causing security issues.
D. Data validation error. This is a data input issue, not a serial step violation issue.

3. A cloud computing environment that is bound together by technology that allows data and applications to be shared between public and private clouds is BEST referred to as a?
A. Hybrid cloud. A hybrid cloud consists of both public and private clouds.
B. Public cloud. This is only available publicly, not privately.
C. Community cloud. This is a private cloud restricted to a community of users.
D. Private cloud. This is not available to the public.

4. Which of the following physical security measures is LEAST effective at mitigating tailgating?
A. Mantrap. Mantraps are an extremely effective control.
B. Biometric scanner. Biometrics applied to entry systems is highly effective.
C. User awareness training (UAT). User training does not provide a physical control as found in the other answers.
D. Turnstile. A turnstile might not be the most effective measure, but it does provide a barrier and is relatively effective.

5. If a Virtual Machine's (VM) data is being replicated and that data is corrupted, this corruption will automatically be replicated to the other machine(s). What would be the BEST control to safeguard data integrity?
A. Backup to tape. This propagates the issue and does not resolve the core issue.
B. Backup to a remote location. Using a remote location does not solve the core issue.
C. Maintain separate VM backups. This provides separation between environments, halting the propagation issue.
D. Increase VM replication frequency. Replicating frequently actually makes the situation worse!

DOMAIN 5

1. A CISO is considering a major security technology purchase and needs to understand product capabilities, corporate history, customer feedback, and cost and implementation effort. What is the BEST way to collect this type of initial information?
A. Use a Request for Proposal (RFP) approach for gathering information. An RFP will provide you the information about the company and product.
B. Create a business case in order to communicate expected budget support requirements. The business case does not contain vendor or product details.
C. Create a Return on Investment (ROI) document for executive peer budget analysis and reviews. The ROI does not include product and vendor details; it is focused on determining the true value of the product or services.
D. Establish a competitive product review of a few selected technologies in a lab environment. This is used to compare competing technologies ('bake-off').

2. As CISO for a large corporation, you've outsourced your network security operations center to a service provider. Which of the following are the two MOST important Key Performance Indicators (KPIs) you would include in your Service-Level Agreement (SLA)?
A. Incident response times and number of malicious events. The number of malicious events will probably include a LOT of low priority stuff, which is not a great metric to use.
B. Incident reporting times and number of unmitigated network attacks. Reporting is never as good as responding to an attack.
C. Incident response times and number of unmitigated network attacks. Response times and unmitigated attacks are crucial metrics for determining the state of the security program and its needs.
D. Incident reporting times and number of malicious events. Again, reporting is NEVER as critical as responding.

3. What is the MOST important thing to consider when writing the Statement of Work (SOW)?
A. The Service-Level Agreements (SLA). SLAs are critical because they ensure contract performance quality.
B. Appropriate allocation of dedicated resources. Important, but not as much so as the SLA.
C. Reduction of the number of malicious attacks during the contract period. Not all contracts are focused on reducing attacks.
D. Ensure payment terms are at least NET 30. Payment terms are less important than delivery quality.

4. A CISO is required to create an annual security capital expense (CapEx) budget. Which of the following would be INCLUDED in that part of her budget?
A. Fractional costs of employees from other business units who are required to periodically perform security duties. These are operational expenses.
B. Security equipment purchases which are amortized over a longer period than the calendar budget year. Capital expenditures are typically hardware related, and can be amortized (gradually written off as an expense) as they are used.
C. Supporting business unit costs, such as legal advisement and auditing support for the program. These are operational expenses.
D. All labor expenses realized by employees directly assigned to the security organization. Labor is always an operational expense.

5. A CISO observed that the organization's web filtering solution has been superseded by more advanced versions and should be replaced. Which of the following BEST describes this analysis?
A. Technology obsolescence. This best describes the situation: old tech is no longer supported or capable of delivering to the needs of the org and has to be replaced.
B. Capital expense planning. This is budgeting, nothing to do with poor tech performance.
C. Return on investment. This is used to determine the value of purchasing something or evaluating something purchased.
D. Cost-benefit analysis. A CBA is a financial analysis of the value of a purchase.