CISM ILT 4D PA SampleExamAnswersJustifications


Instructor-Led Course

Practice Exam Answers and Justifications

©2022. ISACA. All Rights Reserved 1


Quick Answer Key:

Question Answer Question Answer Question Answer
1 A 26 B 51 C
2 C 27 B 52 B
3 B 28 C 53 C
4 C 29 B 54 B
5 A 30 B 55 A
6 A 31 D 56 D
7 C 32 B 57 C
8 D 33 B 58 D
9 C 34 B 59 A
10 B 35 A 60 A
11 A 36 A 61 B
12 C 37 D 62 C
13 A 38 B 63 D
14 C 39 C 64 B
15 C 40 A 65 A
16 B 41 A 66 D
17 C 42 A 67 C
18 B 43 A 68 B
19 C 44 A 69 D
20 A 45 C 70 A
21 B 46 A 71 D
22 A 47 A 72 C
23 D 48 D 73 A
24 C 49 A 74 D
25 D 50 B 75 A



Exam Questions
1. The MOST important component of a privacy policy is:
A. notifications.
B. warranties.
C. liabilities.
D. standards.
A is the correct answer.
Justification:
A. Privacy policies must contain notification requirements in the event of unauthorized
disclosure and opt-out provisions.
B. Privacy policies do not address warranties, which are generally unrelated to a privacy policy.
C. Privacy policies may address liabilities as a consequence of unauthorized disclosure, but that
is not the most important component.
D. Standards regarding privacy would be separate and not a part of the policy.

2. Which of the following is MOST likely to remain constant over time? An information security:
A. policy.
B. standard.
C. strategy.
D. procedure.
C is the correct answer.
Justification:
A. Policies do not change as frequently as procedures and standards; however, security policies
do change to adjust to new regulations or laws, to respond to organizational changes, or to
address emerging technology trends. These changes do not typically require adjustments to the
information security strategy.
B. Standards change more frequently because they must often be adjusted to allow for changes
in technology and business processes.
C. Of the choices provided, the information security strategy is the least likely to change.
An information security strategy is a reflection of high-level objectives and the direction
of the security program, as dictated by business leadership. Information security
policies, standards and procedures are derived from the information security strategy.
D. Procedures change more frequently because they must often be adjusted to allow for
changes in technology and business processes.



3. What is the PRIMARY factor to be taken into account when designing a backup strategy that
will be consistent with a disaster recovery strategy?
A. Volume of sensitive data
B. Recovery point objective
C. Recovery time objective
D. Interruption window
B is the correct answer.
Justification:
A. The volume of data will be used to determine the capacity of the backup solution.
B. The recovery point objective defines the maximum loss of data acceptable by the
business (i.e., age of data to be restored). It will directly determine the basic elements of
the backup strategy— frequency of the backups and what kind of backup is the most
appropriate (disk-to-disk, on tape, mirroring).
C. The recovery time objective—the time between disaster and return to normal operation—will
not have any impact on the backup strategy.
D. The ability to restore backups in a time frame consistent with the interruption window will
have to be checked and will influence the strategy (e.g., full backup versus incremental), but it
will not be the primary factor.

4. When performing a business impact analysis, which of the following should calculate the
recovery time and cost estimates?
A. Business continuity coordinator
B. Information security manager
C. Business process owners
D. IT management
C is the correct answer.
Justification:
A. The business continuity coordinator will not be able to provide the correct level of detailed
knowledge.
B. The information security manager will not have the level of detailed knowledge needed.
C. Business process owners are in the best position to understand the true impact on the
business that a system outage would create.
D. IT management would not be able to provide the required level of detailed knowledge.



5. What is the MOST important reason for formally documenting security procedures?
A. Ensure processes are repeatable and sustainable.
B. Ensure alignment with business objectives.
C. Ensure auditability by regulatory agencies.
D. Ensure objective criteria for the application of metrics.
A is the correct answer.
Justification:
A. Without formal documentation, it would be difficult to ensure that security processes
are performed correctly and consistently.
B. Alignment with business objectives is not a function of formally documenting security
procedures.
C. Processes should not be formally documented merely to satisfy an audit requirement.
D. Although potentially useful in the development of metrics, creating formal documentation to
assist in the creation of metrics is a secondary objective.

6. Which of the following choices should be assessed after the likelihood of a loss event has
been determined?
A. The magnitude of impact
B. Risk tolerance
C. The replacement cost of assets
D. The book value of assets
A is the correct answer.
Justification:
A. Disaster recovery is driven by risk, which is a combination of likelihood and
consequences. Once likelihood has been determined, the next step is to determine the
magnitude of impact.
B. Risk tolerance is the acceptable deviation from acceptable risk. This is taken into account
once risk has been quantified, which is dependent on determining the magnitude of impact.
C. Replacement cost is needed only when replacement is required.
D. Book value does not represent actual asset value and cannot be used to measure magnitude
of impact.



7. What is the BEST method to confirm that all firewall rules and router configuration settings
are adequate?
A. Periodic review of network configuration
B. Review of intrusion detection system logs for evidence of attacks
C. Periodically perform penetration tests
D. Daily review of server logs for evidence of hacker activity
C is the correct answer.
Justification:
A. Due to the complexity of firewall rules and router tables, plus the sheer size of intrusion
detection systems (IDSs) and server logs, a physical review would be complex, time-consuming
and probably insufficient.
B. Reviewing IDS logs for evidence of attacks would not indicate whether the settings were
adequate.
C. The best approach for confirming the adequacy of these configuration settings is to
periodically perform attack and penetration tests.
D. Evidence of hacker activity has little to do with configuration adequacy.

8. Which of the following is the BEST method for ensuring that temporary employees do not
receive excessive access rights?
A. Mandatory access controls
B. Discretionary access controls
C. Lattice-based access controls
D. Role-based access controls
D is the correct answer.
Justification:
A. Mandatory access controls require users to have a clearance at or above the level of asset
classification, but providing clearances for temporary employees is time-consuming and
expensive.
B. Discretionary access control allows delegation based on the individual but requires
administrative action to grant and remove access.
C. Lattice-based access control is a mandatory access model based on the interaction between
any combination of objects (such as resources, computers and applications) and subjects.
D. Role-based access controls will grant temporary employee access based on the job
function to be performed. This provides a better means of ensuring that the access is not
more or less than what is required, and removing access requires less effort.



9. When designing an intrusion detection system, the information security manager should
recommend that it be placed:
A. outside the firewall.
B. on the firewall server.
C. on a screened subnet.
D. on the external router.
C is the correct answer.
Justification:
A. Placing the intrusion detection system (IDS) on the Internet side of the firewall is not advised
because the system will generate alerts on all malicious traffic—even though 99 percent will be
stopped by the firewall and never reach the internal network.
B. Because firewalls should be installed on hardened servers with minimal services enabled, it
would be inappropriate to install the IDS on the same physical device.
C. An IDS should be placed on a screened subnet, which is a demilitarized zone.
D. Placing the IDS on the external router, even if it were feasible, is not advised because the
system will generate alerts on all malicious traffic—even though 99 percent will be stopped by
the firewall and never reach the internal network.

10. To BEST improve the alignment of the information security objectives in an enterprise, the
chief information security officer should:
A. revise the information security program.
B. evaluate a business balanced scorecard.
C. conduct regular user awareness sessions.
D. perform penetration tests.
B is the correct answer.
Justification:
A. Revising the information security program may be a solution, but it is not the best solution to
improve alignment of the information security objectives.
B. The business balanced scorecard (BSC) can track how effectively an enterprise
executes its information security strategy and determine areas of improvement.
C. User awareness is just one of the areas the enterprise must track through the business BSC.
D. Performing penetration tests does not affect alignment with information security objectives.



11. Which of the following factors is MOST important for the successful implementation of an
enterprise’s information security program?
A. Senior management support
B. Budget for security activities
C. Regular vulnerability assessments
D. Knowledgeable security administrators
A is the correct answer.
Justification:
A. Senior management support is critical to the implementation of any security program.
B. An appropriate budget for security activities is not likely without the support of senior
management.
C. Vulnerability assessments are an important element of a successful security program but will
be of little use without management support for addressing issues that arise.
D. Knowledgeable security administrators are important for a successful security program, but
they are not likely to be effective without management support.

12. Management decided that the enterprise will not achieve compliance with a recently issued
set of regulations. Which of the following is the MOST likely reason for the decision?
A. The regulations are ambiguous and difficult to interpret.
B. Management has a low level of risk tolerance.
C. The cost of compliance exceeds the cost of possible sanctions.
D. The regulations are inconsistent with the organizational strategy.
C is the correct answer.
Justification:
A. Management should address ambiguous regulations by requesting clarification from the
issuer or the legal department.
B. Management decisions on compliance should be based on a cost-benefit analysis.
C. Management may decide it is less expensive to deal with possible sanctions than to
attempt to comply.
D. The fact that the regulations are inconsistent with the organizational strategy is not a major
factor in deciding not to comply.



13. Enterprises implement ethics training PRIMARILY to provide guidance to individuals
engaged in:
A. monitoring user activities.
B. implementing security controls.
C. managing risk tolerance.
D. assigning access.
A is the correct answer.
Justification:
A. Monitoring user activities may result in access to sensitive corporate and personal
information. The enterprise should implement training that provides guidance on
appropriate legal behavior to reduce corporate liability and increase user awareness and
understanding of data privacy and ethical behavior.
B. While ethics training is good practice for all employees, those who implement security
controls are not necessarily privy to sensitive data.
C. Employees who manage risk tolerance may have access to high-level corporate information
but not necessarily to sensitive or private information. While ethics training is good practice, it is
not required to manage risk tolerance for an enterprise.
D. Employees who manage network access do not necessarily need ethics training.

14. To implement information security governance, an enterprise should FIRST:
A. adopt security standards.
B. determine security baselines.
C. define the security strategy.
D. establish security policies.
C is the correct answer.
Justification:
A. Adopting suitable security standards is based on the implementation of the intent of the
policies and is not the first step, as it follows the development of policies that support the
strategy.
B. Security baselines are established as a result of determining acceptable risk. Their
determination is not the first step in implementing information security, which is taken up as a
requirement prior to strategy development.
C. Security governance is based on the information security strategy, which is the first
step in the implementation. An information security strategy that meets and supports
business objectives must be developed first.
D. Policies are an instrument for governance and are developed to support the strategy; policies
are not the first among activities undertaken to implement information security governance.



15. What is the BEST method to verify that all security patches applied to servers were properly
documented?
A. Trace change control requests to operating system (OS) patch logs.
B. Trace OS patch logs to OS vendor’s update documentation.
C. Trace OS patch logs to change control requests.
D. Review change control documentation for key servers.
C is the correct answer.
Justification:
A. Tracing from the change control requests to the patch log will not indicate if some patches
were applied without being documented.
B. Comparing patches applied to those recommended by the OS vendor’s update documentation
does not confirm that the security patches were properly approved and documented.
C. To ensure that all patches applied went through the change control process, it is
necessary to use the operating system (OS) patch logs as a starting point and then
check to see if change control documents are on file for each of the changes.
D. Reviewing change control documents for key servers does not confirm that security patches
were properly approved and documented.

16. Which of the following should be determined FIRST when establishing a business continuity
program?
A. Cost to rebuild information processing facilities
B. Incremental daily cost of the unavailability of systems
C. Location and cost of offsite recovery facilities
D. Composition and mission of individual recovery teams
B is the correct answer.
Justification:
A. The cost to rebuild information processing facilities would not be the first thing to determine.
B. Prior to creating a detailed business continuity plan, it is important to determine the
incremental daily cost of losing different systems. This will allow recovery time
objectives to be determined.
C. Location and cost of a recovery facility cannot be addressed until the potential losses are
calculated, which will determine the type of recovery site that is needed—and this will affect
cost.
D. Individual recovery team requirements will occur after the requirements for business
continuity are determined.



17. Which of the following is the MAIN reason for performing risk assessment on a continuous
basis?
A. The security budget must be continually justified.
B. New vulnerabilities are discovered every day.
C. The risk environment is constantly changing.
D. Management needs to be continually informed about emerging risk.
C is the correct answer.
Justification:
A. Justification of a budget should never be the main reason for performing a risk assessment.
B. New vulnerabilities should be managed through a patch management process.
C. The risk environment is impacted by factors such as changes in technology and
business strategy. These changes introduce new threats and vulnerabilities to the
enterprise. As a result, risk assessment should be performed continuously.
D. Informing management about emerging risk is important but is not the main driver for
determining when a risk assessment should be performed.

18. What is the BEST way to ensure that security settings on each platform are in compliance
with information security policies and procedures?
A. Perform penetration testing.
B. Establish security baselines.
C. Implement vendor default settings.
D. Link policies to an independent standard.
B is the correct answer.
Justification:
A. Penetration testing will not be the most effective and can only be performed periodically.
B. Security baselines will provide the best assurance that each platform meets minimum
security criteria.
C. Vendor default settings will not necessarily meet the criteria set by the security policies.
D. Linking policies to an independent standard will not provide assurance that the platforms
meet the relevant security levels.



19. New regulatory and legal compliance requirements that will have an effect on information
security will MOST likely come from the:
A. corporate legal officer.
B. internal audit department.
C. affected departments.
D. compliance officer.
C is the correct answer.
Justification:
A. Corporate legal officers are often focused on contractual matters and disclosure
requirements for reporting to the agencies regulating publicly held corporations.
B. Internal auditors would typically be concerned with review of existing compliance
requirements rather than with new legal or regulatory requirements.
C. The departments affected by legal and regulatory requirements (such as the human
resources department) are typically advised by their respective associations of new or
changing regulations and the probable impacts on various enterprises.
D. Compliance officers are typically charged with determining compliance with internal policies
and standards.

20. Addressing the root cause of an incident is one aspect of which of the following incident
management processes?
A. Eradication
B. Recovery
C. Lessons learned
D. Containment
A is the correct answer.
Justification:
A. Determining the root cause of an incident and eliminating it are key activities that
occur as part of the eradication process.
B. Recovery focuses on restoring systems or services to conditions specified in service delivery
objectives (SDOs) or business continuity plans (BCPs).
C. Lessons learned are documented at the end of the incident response process, after the root
cause has been identified and remediated.
D. Containment focuses on preventing the spread of damage associated with an incident,
typically while the root cause either is still unknown or is known but cannot yet be remediated.



21. What is the PRIMARY objective of security awareness?
A. Ensure that security policies are understood.
B. Influence employee behavior.
C. Ensure legal and regulatory compliance.
D. Notify of actions for noncompliance.
B is the correct answer.
Justification:
A. Ensuring that policies are read and understood is important but secondary.
B. It is most important that security-conscious behavior be encouraged among
employees through training that influences expected responses to security incidents.
C. Meeting legal and regulatory requirements is important but secondary.
D. Giving employees fair warning of potential disciplinary action is important but secondary.

22. Which of the following is MOST important when collecting evidence for forensic analysis?
A. Ensure the assignment of qualified personnel.
B. Request the IT department do an image copy.
C. Disconnect from the network and isolate the affected devices.
D. Ensure law enforcement personnel are present before the forensic analysis commences.
A is the correct answer.
Justification:
A. Without the initial assignment of forensic expertise, the required levels of evidence
may not be preserved properly.
B. The IT department is unlikely to have the necessary level of expertise and should, therefore,
be prevented from taking action.
C. Disconnecting from the network may be a prudent step prior to collecting evidence but does
not eliminate the requirement for properly qualified forensic personnel.
D. Notifying law enforcement will likely occur after the forensic analysis has been completed.



23. An enterprise is transferring its IT operations to an offshore location. An information security
manager should PRIMARILY focus on:
A. reviewing new laws and regulations.
B. updating operational procedures.
C. validating staff qualifications.
D. conducting a risk assessment.
D is the correct answer.
Justification:
A. Reviewing new laws and regulations may or may not be identified as a mitigating measure
based on the risk determined by the assessment.
B. Updating operational procedures may or may not be identified as a mitigating measure based
on the risk determined by the assessment.
C. Validating staff qualifications may or may not be identified as a mitigating measure based on
the risk determined by the assessment.
D. A risk assessment should be conducted to determine new risk introduced by the
outsourced processes.

24. Which of the following has the highest priority when defining an emergency response plan?
A. Critical data
B. Critical infrastructure
C. Safety of personnel
D. Vital records
C is the correct answer.
Justification:
A. Critical data are secondary to safety of personnel.
B. Critical infrastructure is secondary to safety of personnel.
C. The safety of an enterprise’s employees should be the most important consideration
given human safety laws. Human safety is considered first in any process or
management practice.
D. Vital records are secondary to safety of personnel.



25. Who should be assigned as data owner for sensitive customer data that are used only by
the sales department and stored in a central database?
A. The sales department
B. The database administrator
C. The chief information officer
D. The head of the sales department
D is the correct answer.
Justification:
A. The sales department cannot be the owner of the asset because that removes personal
responsibility.
B. The database administrator is a custodian.
C. The chief information officer (CIO) is not an owner of this database because the CIO is less
likely to be knowledgeable about the specific needs of sales operations and security concerns.
D. The owner of the information asset should be the individual with the decision-making
power in the department deriving the most benefit from the asset. In this case, it is the
head of the sales department.

26. Which of the following do security policies need to be MOST closely aligned with?
A. Industry good practices
B. Organizational needs
C. Generally accepted standards
D. Local laws and regulations
B is the correct answer.
Justification:
A. Good practices are generally a substitute for a clear understanding of what exactly is needed
in a specific enterprise and may be too much or too little.
B. Policies must support the needs of the enterprise.
C. Generally accepted standards do not exist; they are always tailored to the requirements of
the enterprise.
D. Local law and regulation compliance may be identified in policies but would only be a small
part of overall policies that must support the needs of the enterprise.



27. When creating an effective data-protection strategy, the information security manager must
understand the flow of data and its protection at various stages. This is BEST achieved with:
A. a third-party vulnerability assessment.
B. a tailored methodology based on exposure.
C. an insurance policy for accidental data losses.
D. a tokenization system set up in a secure network environment.
B is the correct answer.
Justification:
A. Vulnerability assessments, third-party or otherwise, do not provide information about data
flow, risk or threats that is needed to create a data protection strategy.
B. Enterprises classify data according to business value and risk exposure. The
enterprise can then develop a sensible plan to invest budget and effort to create the data
protection strategy based on the information gathered about the data assets.
C. An insurance policy is a risk treatment option for the transfer/sharing of risk and does not
provide the information necessary for creating a data protection strategy.
D. Tokenization is a technique used to protect data, and not a method to ascertain data flow or
other attributes relevant and necessary to create the data protection strategy.

28. Which of the following is MOST essential when assessing risk?
A. Providing equal coverage for all asset types
B. Benchmarking data from similar enterprises
C. Considering both monetary value and likelihood of loss
D. Focusing on valid past threats and business losses
C is the correct answer.
Justification:
A. Providing equal coverage for all asset types when assessing risk may not be relevant,
depending on the significance the asset type has to the enterprise (e.g., the automobile fleet is
not likely to have as much significance as the data center).
B. Benchmarking other enterprises when assessing risk is of relatively little value.
C. The likelihood of loss and the monetary value of those losses are the most essential
elements to consider in assessing risk.
D. Past threats and losses may be instructive of potential future events but are not the most
essential considerations when assessing risk.



29. Which of the following is a key component of an incident response policy?
A. Updated call trees
B. Escalation criteria
C. Press release templates
D. Critical backup files inventory
B is the correct answer.
Justification:
A. Call trees are too detailed, change too frequently and are not a part of policy.
B. Escalation criteria, indicating the circumstances under which specific actions are to
be undertaken, should be contained within an incident response policy.
C. Press release templates are too detailed to be included in a policy document.
D. Lists of critical backup files are too detailed to be included in a policy document.

30. An enterprise has verified that its customer information was recently exposed. Which of the
following is the FIRST step a security manager should take in this situation?
A. Inform senior management.
B. Determine the extent of the compromise.
C. Report the incident to the authorities.
D. Communicate with the affected customers.
B is the correct answer.
Justification:
A. Before reporting to senior management, the extent of the exposure needs to be assessed.
B. Before reporting to senior management, affected customers or the authorities, the
extent of the exposure needs to be assessed.
C. Reporting the incident to authorities is a management decision and not up to the security
manager.
D. Communication with affected customers is a management task and is not the responsibility of
the security manager.



31. Which of the following is the BEST approach for an enterprise desiring to protect its
intellectual property?
A. Conduct awareness sessions on intellectual property policy.
B. Require all employees to sign a nondisclosure agreement.
C. Promptly remove all access when an employee leaves the enterprise.
D. Restrict access to a need-to-know basis.
D is the correct answer.
Justification:
A. Security awareness regarding intellectual property policy will not prevent violations of this
policy.
B. Requiring all employees to sign a nondisclosure agreement is a good control but not as
effective as restricting access to a need-to-know basis.
C. Removing all access on termination does not protect intellectual property prior to an
employee leaving.
D. Restricting access to a need-to-know basis is the most effective approach to
protecting intellectual property.

32. Which of the following steps should be FIRST in developing an information security plan?
A. Perform a technical vulnerabilities assessment.
B. Analyze the current business strategy.
C. Perform a business impact analysis.
D. Assess the current levels of security awareness.
B is the correct answer.
Justification:
A. Technical vulnerabilities as a component of risk will be most relevant in the context of threats
to achieving the business objectives defined in the business strategy.
B. An information security manager needs to first gain an understanding of the current
business strategy and direction to understand the enterprise’s objectives and the impact
of the other answers on achieving those objectives.
C. A business impact analysis should be performed prior to developing a business continuity
plan, but this would not be an appropriate first step in developing an information security plan
because it focuses on impact due to non-availability, which is also primarily relevant in terms of
the business objectives that are the basis of the strategy.
D. Assessment of the current level of awareness is not the appropriate first step in developing
an information security plan because awareness is a component of the plan itself.



33. Which of the following individuals would be in the BEST position to sponsor the creation of
an information security steering group?
A. Information security manager
B. Chief operating officer
C. Internal auditor
D. Legal counsel
B is the correct answer.
Justification:
A. Sponsoring the creation of the steering committee should be initiated by someone versed in
the strategy and direction of the business. A security manager would be looking to this group for
direction and is therefore not in the best position to oversee the formation of this group.
B. The chief operating officer (COO) represents senior management, which is
responsible for providing support for information security initiatives with a positive tone
at the top. The information security steering group should be sponsored by the COO
(senior management), as that individual would have the authority (and responsibility) to
direct the participation of business unit heads and authorize the mandate or charter.
C. The internal auditor may be a member of the steering group but would not have the authority
to make decisions or take actions to oversee the formation of the committee.
D. Legal counsel may be a member of a steering group but would not have the authority to
make decisions or take actions to oversee the formation of the committee.

34. What mechanism should be used to identify deficiencies that would provide attackers with
an opportunity to compromise a computer system?
A. Business impact analysis
B. Security gap analysis
C. System performance metrics
D. Incident response processes
B is the correct answer.
Justification:
A. A business impact analysis does not identify vulnerabilities.
B. Security gap analysis is a process that measures all security controls in place against
control objectives, which will identify gaps.
C. System performance metrics may indicate security weaknesses, but that is not their primary
purpose.
D. Incident response processes exist for cases in which security weaknesses are exploited.

35. The MOST direct way to accurately determine the control baseline in an IT system is to do
which of the following activities?
A. Review standards and system compliance.
B. Sample hardware and software configurations.
C. Review system and server logs for anomalies.
D. Perform internal and external penetration tests.
A is the correct answer.
Justification:
A. A control baseline is obtained by reviewing the standards to determine whether the
baseline falls within the boundaries set by the standards.
B. Sampling hardware configurations without knowing the control requirements reflected in the
standards provides information on the current state but not on how that state relates to the
intended state.
C. Anomalies in system logs do not necessarily indicate that baseline security is incorrect, nor
does an absence of abnormalities mean that the baseline is correct.
D. Penetration tests that reveal vulnerabilities must be evaluated in the context of the control
requirements set by the standard.

36. Which of the following provides the BEST confirmation that the business continuity
plan/disaster recovery plan (BCP/DRP) objectives have been achieved?
A. The recovery time objective was not exceeded during testing.
B. Objective testing of the BCP/DRP has been carried out consistently.
C. The recovery point objective was proved inadequate by DRP testing.
D. Information assets have been valued and assigned to owners according to the BCP/DRP.
A is the correct answer.
Justification:
A. Consistent achievement of recovery time objectives during testing provides the most
objective evidence that business continuity plan/disaster recovery plan (BCP/DRP)
objectives have been achieved.
B. Objective testing of the BCP/DRP will not serve as a basis for evaluating the alignment of the
risk management process in business continuity/disaster recovery planning.
C. If the recovery point objective is inadequate, the objectives of BCPs have not been achieved.
D. Mere valuation and assignment of information assets to owners (according to the BCP/DRP)
will not serve as a basis for evaluating the alignment of the risk management process in
business continuity/disaster recovery planning.

37. Which of the following situations would be of the MOST concern to a security manager?
A. Audit logs are not enabled on a production server.
B. The logon ID for a terminated systems analyst still exists on the system.
C. The help desk has received numerous reports of users receiving phishing emails.
D. A Trojan was found installed on a systems administrator’s laptop.
D is the correct answer.
Justification:
A. Failure to enable audit logs on a production server, although important, does not pose as
immediate or as critical a threat as a Trojan installed on a systems administrator’s laptop.
B. The logon ID for a terminated employee existing on the system poses a risk, but unless it is a
disgruntled or malicious employee, it is not likely to be a critical threat.
C. Numerous reports of phishing emails are a risk. But in this situation, employees recognize
the threat and are responding appropriately, so it is not a critical threat.
D. The discovery of a Trojan installed on a systems administrator’s laptop is a highly
significant threat from an attacker and may mean that privileged user accounts and
passwords have been compromised.

38. Which of the following would BEST prepare an information security manager for regulatory
reviews?
A. Assign an information security administrator as regulatory liaison.
B. Perform self-assessments using regulatory guidelines and reports.
C. Assess previous regulatory reports with process owner’s input.
D. Ensure all regulatory inquiries are sanctioned by the legal department.
B is the correct answer.
Justification:
A. Directing regulators to a specific person or department is not a method for being prepared for
a regulatory review as this will only serve as an action for facilitation of the review.
B. Self-assessments provide the best feedback on level of compliance or readiness and
permit identification of items requiring remediation.
C. Assessing previous regulatory reports is not as effective as performing self-assessments
because conditions may have changed.
D. The legal department should review all formal inquiries, but that would not help prepare for a
regulatory review.

39. Which of the following BEST protects confidentiality of information?
A. Information classification
B. Segregation of duties
C. Least privilege
D. Systems monitoring
C is the correct answer.
Justification:
A. While classifying information can help focus the assignment of privileges, classification itself
does not provide enforcement.
B. Only in very specific situations does segregation of duties safeguard confidentiality of
information.
C. Restricting access to information to those who need to have access is the most
effective means of protecting confidentiality.
D. Systems monitoring is a detective control rather than a preventive control.

40. Which of the following techniques MOST clearly indicates whether specific risk-reduction
controls should be implemented?
A. Cost-benefit analysis
B. Penetration testing
C. Frequent risk assessment programs
D. Annual loss expectancy calculation
A is the correct answer.
Justification:
A. In a cost-benefit analysis, the annual cost of safeguards is compared with the
expected cost of loss. This comparison can then be used to justify a specific control
measure.
B. Penetration testing may indicate the extent of a weakness but, by itself, will not establish the
cost-benefit of a control.
C. Frequent risk assessment programs will certainly establish what risk exists but will not
determine the cost of controls.
D. Annual loss expectancy is a measure that will contribute to the potential cost associated with
the risk but does not address the benefit of a control.

41. An information security manager is in the process of investigating a network intrusion. One
of the enterprise’s employees is a suspect. The manager has just obtained the suspect’s
computer and hard drive. Which of the following is the BEST next step?
A. Create an image of the hard drive.
B. Encrypt the data on the hard drive.
C. Examine the original hard drive.
D. Create a logical copy of the hard drive.
A is the correct answer.
Justification:
A. One of the first steps in an investigation is to create an image of the original hard
drive. A physical copy will copy the data, block by block, including any hidden data
blocks and hidden partitions that can be used to conceal evidence.
B. Encryption is not required.
C. Examining the hard drive is not good practice because it risks destroying or corrupting
evidence.
D. A logical copy will only copy the files and folders and may not copy other necessary data to
properly examine the hard drive for forensic evidence.

42. Which of the following choices is the BEST indicator of the state of information security
governance?
A. A defined maturity level
B. A developed security strategy
C. Complete policies and standards
D. Low numbers of incidents
A is the correct answer.
Justification:
A. A defined maturity level is the best overall indicator of the state of information security
governance. The maturity level indicates how mature a process is on a scale from 0
(incomplete process) to 5 (optimized process).
B. A developed security strategy is an important first step, but it must be implemented properly
to be effective; by itself, it is not an indication of the state of information security governance.
C. Complete policies and standards are required for effective governance but are only one part
of the requirement. By themselves, they are not an indicator of the effectiveness of information
security governance.
D. The number of incidents is relatively unconnected to the effectiveness of information security
governance. Trends in incidents would be a better indicator.

43. What is a desirable sensitivity setting for a biometric access control system that protects a
high-security data center?
A. A high false reject rate
B. A high false acceptance rate
C. Lower than the crossover error rate
D. The exact crossover error rate
A is the correct answer.
Justification:
A. Biometric access control systems are not infallible. When tuning the solution, the
sensitivity level is adjusted to give preference either to the false reject rate (FRR, the
type I error rate), making the system more prone to deny access to a valid user, or to the
false acceptance rate (FAR, the type II error rate), making it more prone to allow access to
an invalid user. For a high-security data center, the preferable setting is in the FRR
region of sensitivity.
B. A high false acceptance rate (FAR) will marginalize security by allowing too much
unauthorized access. In systems in which the possibility of false rejects is a problem, it may be
necessary to reduce sensitivity and thereby increase the number of false accepts.
C. As the sensitivity of the biometric system is adjusted, the FRR and FAR change inversely. At
one point, the two values intersect and are equal. This condition creates the crossover error
rate, which is a measure of the system accuracy. Lower than the crossover error rate will create
too high a FAR for a high-security data center.
D. The crossover rate is sometimes referred to as equal error rate. In a very sensitive system, it
may be desirable to minimize the number of false accepts—the number of unauthorized
persons allowed access. To do this, the system is tuned to be more sensitive with a lower FAR,
which causes the FRR—the number of authorized persons disallowed access—to increase.
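The tuning described in this justification, worked through as an added example that is not part of the ISACA practice exam: constructed genuine and impostor match scores (an assumption, as is the accept-if-score-at-or-above-threshold rule) are swept across thresholds to compute FRR and FAR, locate the crossover error rate, and then pick a stricter setting in the FRR region for a high-security data center.

```python
"""Biometric threshold tuning: false reject rate (FRR), false acceptance
rate (FAR) and the crossover (equal) error rate.

Added example, not part of the ISACA practice exam. The match scores are
constructed sample data (assumption), scored 0-100; a sample is accepted when
its score is at or above the threshold (assumption).
"""
from dataclasses import dataclass
from typing import Iterable, List

# Constructed scores: how well each presented sample matched the enrolled template.
GENUINE_SCORES = [61, 66, 69, 72, 75, 78, 81, 84, 87, 90, 93, 96]   # authorized users
IMPOSTOR_SCORES = [22, 28, 34, 40, 46, 52, 58, 64, 67, 70, 73, 77]  # unauthorized users


@dataclass(frozen=True)
class ErrorRates:
    threshold: int
    frr: float  # type I error: genuine users wrongly rejected (score < threshold)
    far: float  # type II error: impostors wrongly accepted (score >= threshold)


def error_rates(threshold: int,
                genuine: List[int] = GENUINE_SCORES,
                impostors: List[int] = IMPOSTOR_SCORES) -> ErrorRates:
    """Compute FRR and FAR for one accept threshold."""
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostors if s >= threshold) / len(impostors)
    return ErrorRates(threshold, frr, far)


def sweep(thresholds: Iterable[int] = range(0, 101)) -> List[ErrorRates]:
    """Error rates for every candidate threshold, in ascending threshold order.

    As the threshold rises, FRR rises and FAR falls: the two move inversely.
    """
    return [error_rates(t) for t in thresholds]


def crossover_error_rate(rates: List[ErrorRates]) -> ErrorRates:
    """The setting where FRR and FAR are (closest to) equal: the CER, a measure of accuracy."""
    return min(rates, key=lambda r: (abs(r.frr - r.far), r.threshold))


def high_security_threshold(rates: List[ErrorRates], max_far: float) -> ErrorRates:
    """Lowest threshold whose FAR does not exceed max_far.

    For a high-security data center this lands above the CER, in the FRR region:
    more valid users are turned away so that fewer impostors get in.
    """
    for r in rates:  # rates must be in ascending threshold order (see sweep)
        if r.far <= max_far:
            return r
    raise ValueError("no threshold meets the FAR target")


def region(r: ErrorRates) -> str:
    """Which side of the crossover a setting sits on."""
    if r.frr > r.far:
        return "FRR"
    if r.far > r.frr:
        return "FAR"
    return "CER"


if __name__ == "__main__":
    rates = sweep()
    cer = crossover_error_rate(rates)
    strict = high_security_threshold(rates, max_far=0.05)
    print(f"CER at threshold {cer.threshold}: FRR={cer.frr:.3f} FAR={cer.far:.3f}")
    print(f"High-security setting {strict.threshold}: FRR={strict.frr:.3f} "
          f"FAR={strict.far:.3f} ({region(strict)} region)")
```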

44. The MOST useful way to describe the objectives in the information security strategy is
through:
A. attributes and characteristics of the desired state.
B. overall control objectives of the security program.
C. mapping the IT systems to key business processes.
D. calculation of annual loss expectations.
A is the correct answer.
Justification:
A. The security strategy will typically cover a wide variety of issues, processes,
technologies and outcomes that can best be described by a set of desired characteristics
and attributes.
B. Control objectives are a function of acceptable risk determination and one part of strategy
development, but the desired state of the information security function is a better tool.
C. Mapping IT to key business processes must occur as one part of strategy implementation but
it is an operational activity and not a way to describe strategy objectives.
D. Calculation of annual loss expectations is not a way to describe the objectives in the
information security strategy.

45. Quantifying the level of acceptable risk can BEST be indicated by which of the following
choices?
A. Surveying business process owners and senior managers
B. Determining the percentage of the IT budget allocated to security
C. Determining the ratio of business interruption insurance to its cost
D. Determining the number and severity of incidents impacting the enterprise
C is the correct answer.
Justification:
A. Surveying management typically provides a widely varying perspective on acceptable risk.
B. The amount spent on security is an indicator but does not quantify acceptable levels of risk.
C. The amount of business interruption insurance carried and the cost specifies a
directly quantifiable level of risk that the enterprise will accept, and at what cost.
D. The history of incidents will show what risk was not addressed and elicit comments about
acceptability but will not indicate what the enterprise is willing to spend on mitigation.

46. Which of the following control measures BEST addresses integrity?
A. Nonrepudiation
B. Time stamps
C. Biometric scanning
D. Encryption
A is the correct answer.
Justification:
A. Nonrepudiation is a control technique that addresses the integrity of information by
ensuring that the originator of a message or transaction cannot repudiate (deny or reject)
the message, so the message or transaction can be considered authorized, authentic and
valid.
B. Using time stamps is a control that addresses only one component of message integrity.
C. Biometric scanning is a control that addresses access.
D. Encryption is a control that addresses confidentiality; it may be an element of a data integrity
scheme, but it is not sufficient to achieve the same level of integrity as the set of measures used
to ensure nonrepudiation.

47. Which of the following measures would be MOST effective against insider threats to
confidential information?
A. Role-based access control
B. Audit trail monitoring
C. Privacy policy
D. Defense in depth
A is the correct answer.
Justification:
A. Role-based access control is a preventive control that provides access according to
business needs; therefore, it reduces unnecessary access rights and enforces
accountability.
B. Audit trail monitoring is an after-the-fact detective control.
C. Privacy policy is not relevant to this risk.
D. Defense in depth primarily focuses on external threats and control layering.

48. With regard to the implementation of security awareness programs in an enterprise, it is
MOST relevant to understand that which one of the following aspects can change?
A. The security culture
B. The information technology
C. The compliance requirements
D. The threats and vulnerabilities
D is the correct answer.
Justification:
A. The security culture changes over time in part because of an effective security awareness
training program. It is not necessary that the workforce be told that the culture will change.
B. Changes in technology are only one part of security awareness.
C. Changes in compliance requirements are not a primary driver of security awareness training.
D. People tend to think that security awareness training can be completed once and it is
good forever. It is important for everyone, including management and the general
workforce, to understand that threats and vulnerabilities change constantly, and that
regular refresher training is an important part of security awareness.

49. There is a delay between the time when a security vulnerability is first published, and the
time when a patch is delivered. Which of the following should be carried out FIRST to mitigate
the risk during this time period?
A. Identify the vulnerable systems and apply compensating controls.
B. Minimize the use of vulnerable systems.
C. Communicate the vulnerability to system users.
D. Update the signatures database of the intrusion detection system.
A is the correct answer.
Justification:
A. The best protection is to identify the vulnerable systems and apply compensating
controls until a patch is installed.
B. Minimizing the use of vulnerable systems could be a compensating control but would not be
the first course of action.
C. Communicating the vulnerability to system users would not be of much benefit.
D. Updating the signatures database of the intrusion detection system (IDS) would not address
the timing problem, because an IDS signature covering the newly disclosed vulnerability may
not yet be available. Therefore, this approach should not be considered the first option.

50. Which of the following will MOST likely reduce the chances of an unauthorized individual
gaining access to computing resources by pretending to be an authorized individual needing to
have their password reset?
A. Performing reviews of password resets
B. Conducting security awareness programs
C. Increasing the frequency of password changes
D. Implementing automatic password syntax checking
B is the correct answer.
Justification:
A. Performing reviews of password resets may be desirable but will not be effective in reducing
the likelihood of a social engineering attack.
B. Social engineering can be mitigated best through periodic security awareness training
for staff members who may be the target of such an attempt.
C. Changing the frequency of password changes may be desirable but will not reduce the
likelihood of a social engineering attack.
D. Strengthening passwords is desirable but will not reduce the likelihood of a social
engineering attack.

51. An information security strategy presented to senior management for approval MUST
incorporate:
A. specific technologies.
B. compliance mechanisms.
C. business priorities.
D. detailed procedures.
C is the correct answer.
Justification:
A. The strategy is a forward-looking document that reflects awareness of technological
baselines and developments in general, but specific technologies are typically addressed at
lower levels based on the strategy.
B. Mechanisms for compliance with legal and regulatory requirements are generally controls
implemented at the tactical level based on direction from the strategy.
C. Strategy is the high-level approach by which priorities and goals can be met. The
information security strategy must incorporate the priorities of the business to be
meaningful.
D. Detailed procedures are inappropriate at the strategic level.

52. When outsourcing, to ensure that third-party service providers comply with an enterprise
security policy, which of the following should occur?
A. A predefined meeting schedule
B. A periodic security audit
C. Inclusion in the contract of a list of individuals to be called in the event of an incident (call
tree)
D. Inclusion in the contract of a confidentiality clause
B is the correct answer.
Justification:
A. A predefined meeting schedule is a contributor to, but does not ensure, compliance.
B. A periodic security audit is a formal and documented way to determine compliance
level.
C. A call tree is useful for dealing with incidents but does nothing to ensure compliance.
D. Inclusion of a confidentiality clause does not ensure compliance.

53. Which one of the following measures will BEST indicate the effectiveness of an incident
response process?
A. Number of open incidents
B. Reduction of the number of security incidents
C. Reduction of the average response time to an incident
D. Number of incidents handled per month
C is the correct answer.
Justification:
A. The total number of open incidents is not an indicator of incident response effectiveness
because the team does not have direct control over the number of incidents it must handle at
any given time.
B. Reduction of the number of security incidents generally cannot be attributed to the
effectiveness of the response team but rather to improved controls.
C. Reduction of response time helps minimize the impact of the incident and is the best
indicator of the effectiveness of the incident response process.
D. The number of incidents handled per month would not be a direct indicator of team
effectiveness.

54. The BEST process for assessing an existing risk level is:
A. an impact analysis.
B. a security review.
C. a vulnerability assessment.
D. a threat analysis.
B is the correct answer.
Justification:
A. An impact analysis is used to determine potential impact in the event of the loss of a
resource.
B. A security review is used to determine the current state of security for various
program components.
C. While vulnerability assessments help identify and classify weakness in the design,
implementation, operation or internal control of a process, they are only one aspect of a security
review.
D. A threat analysis is not normally a part of a security review. Threat assessments evaluate the
type, scope and nature of events or actions that can result in adverse consequences;
identification is made of the threats that exist against enterprise assets.

55. The triage phase of the incident response plan provides:
A. a snapshot of the current status of all incident activity reported.
B. a global, high-level view of the open incidents.
C. a tactical review of an incident’s progression and resolution.
D. a comprehensive basis for changes to the enterprise architecture.
A is the correct answer.
Justification:
A. Triage gives a snapshot based on both strategic and tactical reviews for the purposes
of assigning limited resources to where they can be most effective.
B. Triage addresses the tactical level of the incident to be able to determine the best path to
resolution and does not focus exclusively on the high-level view.
C. Triage provides a view of both the tactical and strategic levels and occurs prior to resolution.
D. Triage occurs before root-cause analysis, so it does not provide a comprehensive basis for
changes to the enterprise architecture.

56. Which of the following poses the GREATEST challenge to an enterprise seeking to prioritize
risk management activities?
A. An incomplete catalog of information assets
B. A threat assessment that is not comprehensive
C. A vulnerability assessment that is outdated
D. An inaccurate valuation of information assets
D is the correct answer.
Justification:
A. Enterprises are only able to prioritize items they know to exist. An incomplete catalog of
information assets introduces the possibility that prioritization is overlooking assets that may
have substantial value, unintentionally resulting in the implicit acceptance of risk that may
exceed the risk appetite and tolerance. However, inaccurate valuation of known assets has a
greater negative impact on prioritization than the possibility of certain high-value assets not
being properly taken into account.
B. Evaluating the threat environment is the most challenging aspect of risk assessment, and it is
nearly always the case that a threat assessment excludes one or more threats. As a result, any
prioritization effort must assume that the threat assessment is not comprehensive.
C. It is common for a vulnerability assessment to be outdated at the start of each cycle of a risk
management program prior to the start of risk management activities, but the influence of
outdated vulnerability information is less a concern than inaccurate valuation of assets.
D. Although prioritization on the basis of risk requires knowledge of threat, vulnerability
and potential consequence, it is this last factor expressed in terms of value that is most
influential when prioritizing risk management activities. If assets are valued incorrectly,
otherwise justifiable decisions of how to prioritize activities may be incorrect.

57. Which of the following is the MOST serious exposure of automatically updating virus
signature files on every desktop each Friday at 11:00 p.m. (2300 hours)?
A. Most new viruses’ signatures are identified over weekends.
B. Technical personnel are not available to support the operation.
C. Systems are vulnerable to new viruses during the intervening week.
D. The update’s success or failure is not known until Monday.
C is the correct answer.
Justification:
A. The fact that most new viruses’ signatures are identified over weekends is secondary to
leaving systems vulnerable during the intervening week.
B. The fact that technical personnel are not available is secondary to leaving systems
vulnerable during the intervening week.
C. Updating virus signature files on a weekly basis carries the risk that the systems will
be vulnerable to viruses released during the week; far more frequent updating is
essential.
D. The fact that success or failure is not known until Monday is secondary to leaving systems
vulnerable during the intervening week.

58. The factor that is MOST likely to result in identification of security incidents is:
A. effective communication and reporting processes.
B. clear policies detailing incident severity levels.
C. intrusion detection system capabilities.
D. security awareness training.
D is the correct answer.
Justification:
A. Timely communication and reporting is only useful after identification of an incident has
occurred.
B. Understanding how to establish severity levels is important, but it is not the essential element
for ensuring that the information security manager is aware of anomalous events that might
signal an incident.
C. Intrusion detection systems are useful for detecting IT-related incidents but are not useful for
identifying other types of incidents such as social engineering or physical intrusion.
D. Ensuring that employees have the knowledge to recognize and report a suspected
incident is most likely to result in identification of security incidents.

59. The MOST basic requirement for an information security governance program is to:
A. be aligned with the corporate business strategy.
B. be based on a sound risk management approach.
C. provide adequate regulatory compliance.
D. provide good practices for security initiatives.
A is the correct answer.
Justification:
A. To be effective and receive senior management support, an information security
program must be aligned with the corporate business strategy.
B. An otherwise sound risk management approach may be of little benefit to an enterprise
unless it specifically addresses and is consistent with the enterprise’s business strategy.
C. The governance program must address regulatory requirements that affect that particular
enterprise to an extent determined by management, but this is not the most basic requirement.
D. Good practices are the foundation of the governance program but do not have precedence
over business strategy as the most basic requirement.

60. What is the BEST way to determine if an anomaly-based intrusion detection system (IDS) is
properly installed?
A. Simulate an attack and review IDS performance.
B. Use a honeypot to check for unusual activity.
C. Audit the configuration of the IDS.
D. Benchmark the IDS against a peer site.
A is the correct answer.
Justification:
A. Simulating an attack on the network demonstrates whether the intrusion detection
system (IDS) is properly tuned.
B. A honeypot would be a poor test to see if the IDS is working properly because attacking it is
discretionary and not representative of all attacks.
C. Reviewing the configuration may or may not reveal weaknesses because an anomaly-based
system uses trends to identify potential attacks.
D. Benchmarking against a peer site would generally not be practical or useful.

61. Which of the following should be performed FIRST in the aftermath of a denial-of-service
(DoS) attack?
A. Restore servers from backup media stored offsite.
B. Conduct an assessment to determine system status.
C. Perform an impact analysis of the outage.
D. Isolate the screened subnet.
B is the correct answer.
Justification:
A. Servers may not have been affected, so it is not necessary at this point to rebuild any
servers.
B. An assessment should be conducted to determine the overall system status and
whether any permanent damage occurred.
C. An impact analysis of the outage will not provide any immediate benefit.
D. Isolating the screened subnet is after the fact and will not provide any benefit.

62. When should a request for proposal be issued?
A. At the project feasibility stage
B. Upon management project approval
C. Prior to developing a project budget
D. When developing the business case
C is the correct answer.
Justification:
A. Assessing project feasibility involves a variety of factors that must be determined prior to
issuing a request for proposal (RFP).
B. An RFP is a document distributed to vendors asking them to submit a proposal to develop or
provide a solution. Final management approval is likely to occur after receiving responses to an
RFP.
C. Development of a project budget depends on the responses to an RFP.
D. The business case will be developed as a part of determining feasibility, which occurs prior to
issuing an RFP.

63. Which of the following factors is the MOST significant in determining an enterprise’s risk
appetite?
A. The nature and extent of threats
B. Organizational policies
C. The overall security strategy
D. The organizational culture
D is the correct answer.
Justification:
A. The threat environment is constantly changing and identification of risk against the enterprise
does not determine its tolerable limits or appetite.
B. Policies are written in support of business objectives and parameters and may refer to risk
appetite, but because it is not a constant value, risk appetite must be determined during the
course of a risk assessment.
C. Risk appetite is an input to the security strategy because the strategy is partly focused on
mitigating risk to acceptable levels.
D. The extent to which the culture is risk-averse or risk-aggressive, in the context of the
objective ability of the enterprise to recover from loss, is the main factor in determining
risk appetite.

64. From an information security perspective, which of the following will have the GREATEST
impact on a financial enterprise with offices in various countries and involved in transborder
transactions?
A. Current and future technologies
B. Evolving data protection regulations
C. Economizing the costs of network bandwidth
D. Centralization of information security
B is the correct answer.
Justification:
A. Current and future technologies would be considered but will not generally be affected by
operational regions or countries.
B. Information security laws vary from country to country. An enterprise must be aware
of and comply with the applicable laws from each country, as noncompliance may have a
great impact on local operations.
C. Economizing the costs of network bandwidth is a part of business costs; however, this is not
a relevant consideration for information security.
D. Centralization of information security is a business decision and is not a significant factor in
multinational operations to impact security operations.

65. With which of the following business functions is integration of information security MOST
likely to result in risk being addressed as a standard part of production processing?
A. Quality assurance
B. Procurement
C. Compliance
D. Project management
A is the correct answer.
Justification:
A. Quality assurance uses metrics as indicators to identify systemic problems in
processes that may result in unacceptable levels of output quality. Because this
monitoring is intended to be effectively continuous as a matter of statistical sampling,
integrating information security with quality assurance helps to ensure that risk is
addressed as a standard part of production processing.
B. Procurement approves initial acquisitions, but it has no involvement in implementation or
production monitoring.
C. Compliance focuses on legal and regulatory requirements, which represent a subset of
overall risk.
D. The involvement of the project management office is typically limited to planning and
implementation.

66. The MOST effective way to limit actual and potential impacts of e-discovery in the event of
litigation is to:
A. implement strong encryption of all sensitive documentation.
B. ensure segregation of duties and limited access to sensitive data.
C. enforce a policy of not writing or storing potentially sensitive information.
D. develop and enforce comprehensive retention policies.
D is the correct answer.
Justification:
A. Encryption will not prevent the legal requirements to produce documents in the event of legal
conflicts.
B. Limiting access to sensitive information based on the need to know may limit which
personnel can testify during legal proceedings but will not limit the requirement to produce
existing documents.
C. While some enterprises have practiced a policy of not committing to writing issues of dubious
legality, it is not a sound practice and may violate a variety of laws.
D. Compliance with legally acceptable defined retention policies will limit exposure to the
often difficult and costly demands for documentation during legal proceedings such as
lawsuits.

67. Which of the following choices is the MOST significant single point of failure in a public key
infrastructure?
A. A certificate authority’s (CA) public key
B. A relying party’s private key
C. A CA’s private key
D. A relying party’s public key
C is the correct answer.
Justification:
A. The certificate authority’s (CA) public key is published and poses no risk.
B. If destroyed, lost or compromised, the private key of any relying party affects only that party.
C. The CA’s private key is the single point of failure for the entire public key
infrastructure (PKI) because it is unpublished and the system cannot function if the key
is destroyed, lost or compromised.
D. The public key is published and poses no risk.

68. Which of the following choices is the BEST input for the definition of escalation guidelines?
A. Risk management issues
B. A risk and impact analysis
C. Assurance review reports
D. The effectiveness of resources
B is the correct answer.
Justification:
A. Risk management deals primarily with controls and is not a viable basis for the definition of
escalation guidelines.
B. A risk and impact analysis will be a basis for determining what authority levels are
needed to respond to particular incidents.
C. Assurance review reports and results, such as the description of reporting effectiveness, are
primarily suited for the monitoring of stakeholder communications.
D. The effectiveness of resources belongs to the description of reporting and communication
and is not a viable basis for the definition of escalation guidelines.

69. What is the BEST way to ensure users comply with organizational security requirements for
password complexity?
A. Include password construction requirements in the security standards.
B. Require each user to acknowledge the password requirements.
C. Implement strict penalties for user noncompliance.
D. Enable system-enforced password configuration.
D is the correct answer.
Justification:
A. Standards provide some deterrence but are not as effective as automated controls.
B. Requiring user acknowledgment will help but not to the extent of automatic system
enforcement.
C. Penalties for noncompliance may be fairly effective but will not provide the level of assurance
provided by automated system enforcement.
D. Automated, system-enforced password construction provides the highest level of
assurance of compliance.

70. Information security managers should use risk assessment techniques to:
A. justify selection of risk mitigation strategies.
B. maximize the return on investment.
C. provide documentation for auditors and regulators.
D. quantify risk that would otherwise be subjective.
A is the correct answer.
Justification:
A. Information security managers should use risk assessment techniques as one of the
main bases to justify and implement a risk mitigation strategy as efficiently as possible.
B. Risk assessment is only one part of determining return on investment.
C. Providing documentation for auditors and regulators is a secondary aspect of using risk
assessment techniques.
D. If the assessed risk is subjective, risk assessment techniques will not meaningfully quantify it.

71. Which of the following functions is responsible for determining the members of the
enterprise’s response teams?
A. Governance
B. Risk management
C. Compliance
D. Information security
D is the correct answer.
Justification:
A. The governance function will determine the strategy and policies that will set the scope and
charter for incident management and response capabilities.
B. While response is a component of managing risk, the basis for risk management is
determined by governance and strategy requirements.
C. Compliance would not be directly related to this activity, although this function may have
representation on the incident response team.
D. The information security manager, or designated manager for incident response,
should select the team members to ensure that all required disciplines are represented
on the team.

72. When a large enterprise discovers that it is the subject of a network probe, which of the
following actions should be taken?
A. Reboot the router connecting the demilitarized zone (DMZ) to the firewall.
B. Power down all servers located on the DMZ segment.
C. Monitor the probe and isolate the affected segment.
D. Enable server trace logging on the affected segment.
C is the correct answer.
Justification:
A. Rebooting the router is not warranted.
B. Powering down the demilitarized zone servers is not warranted.
C. In the case of a probe, the situation should be monitored and the affected network
segment isolated.
D. Enabling server trace logging is not warranted.

73. The concept of governance, risk and compliance serves PRIMARILY to:
A. align enterprise assurance functions.
B. ensure that all three activities are addressed by policy.
C. present the correct sequence of security activities.
D. define the responsibilities of information security.
A is the correct answer.
Justification:
A. Governance, risk and compliance (GRC) is an effort to integrate assurance activities
across an enterprise to achieve greater efficiency and effectiveness.
B. All three activities are likely already covered by policies, but GRC may unify
existing policies to reduce complexity and any differences that exist.
C. GRC does not deal directly with the sequence of security activities; all three may occur concurrently.
D. GRC is about integration of security activities, not specific responsibilities of various groups.

74. An enterprise’s board of directors is concerned about recent fraud attempts that originated
over the Internet. What action should the board take to address this concern?
A. Direct information security operations regarding specific solutions that are needed to address
the risk.
B. Research solutions to determine appropriate actions for the enterprise.
C. Take no action; information security does not report to the board.
D. Direct executive management to assess the risk and to report the results to the board.
D is the correct answer.
Justification:
A. The board does not direct security operations, which are delegated to executive
management.
B. The board would not research solutions but might direct executive management to do so.
C. Taking no action would not be a responsible course of action.
D. The board would typically direct executive management to assess the risk and report
results to enable informed decision-making.

75. Under what circumstances do good information security practices dictate a full
reassessment of risk?
A. After a material control failure
B. When regular assessments show unremediated risk
C. Subsequent to installing an updated operating system
D. After emergency changes have been initiated
A is the correct answer.
Justification:
A. A significant control failure indicates that either the control was poorly designed or
the risk was not properly identified and classified.
B. Depending on the nature and extent of unremediated risk, reassessment may be warranted;
however, in some cases the change management process followed while addressing the risk will
already have provided an adequate understanding of the risk and of the adequacy of its treatment.
C. Updating an operating system under change management will include an incremental
assessment of any new risk and full reassessment is not likely to be needed.
D. Emergency changes usually require that the change management process be completed
subsequently and any specific new risk addressed, making it unlikely that a full risk
reassessment is required.
