Topic 9: Exam Set A
Which of the following is a limitation of the Common Vulnerability Scoring System (CVSS) as it relates to conducting code review?
A. It has normalized severity ratings.
B. It has many worksheets and practices to implement.
C. It aims to calculate the risk of published vulnerabilities.
D. It requires a robust risk management framework to be put in place.
It aims to calculate the risk of published vulnerabilities.
Which of the following is an essential element of a privileged identity lifecycle management?
A. Regularly perform account re-validation and approval
B. Account provisioning based on multi-factor authentication
C. Frequently review performed activities and request justification
D. Account information to be provided by supervisor or line manager
Regularly perform account re-validation and approval
An organization is selecting a service provider to assist in the consolidation of multiple computing sites including development, implementation and ongoing support of various computer systems. Which of the following MUST be verified by the Information Security Department?
A. The service provider's policies are consistent with ISO/IEC 27001 and there is evidence that the service provider is following those policies.
B. The service provider will segregate the data within its systems and ensure that each region's policies are met.
C. The service provider will impose controls and protections that meet or exceed the current systems controls and produce audit logs as verification.
D. The service provider's policies can meet the requirements imposed by the new environment even if they differ from the organization's current policies
The service provider's policies can meet the requirements imposed by the new environment even if they differ from the organization's current policies
Which of the following would be the FIRST step to take when implementing a patch management program?
A. Perform automatic deployment of patches.
B. Monitor for vulnerabilities and threats.
C. Prioritize vulnerability remediation.
D. Create a system inventory.
Create a system inventory
Which of the following is the MOST important consideration when storing and processing Personally Identifiable Information (PII)?
A. Encrypt and hash all PII to avoid disclosure and tampering.
B. Store PII for no more than one year.
C. Avoid storing PII in a Cloud Service Provider.
D. Adherence to collection limitation laws and regulations.
Adherence to collection limitation laws and regulations.
What is the FIRST step in developing a security test and its evaluation?
A. Determine testing methods
B. Develop testing procedures
C. Identify all applicable security requirements
D. Identify people, processes, and products not in compliance
Identify all applicable security requirements
Which of the following is a physical security control that protects Automated Teller Machines (ATM) from skimming?
A. Anti-tampering
B. Secure card reader
C. Radio Frequency (RF) scanner
D. Intrusion Prevention System (IPS)
Anti-tampering
What would be the PRIMARY concern when designing and coordinating a security assessment for an Automatic Teller Machine (ATM) system?
A. Physical access to the electronic hardware
B. Regularly scheduled maintenance process
C. Availability of the network connection
D. Processing delays
Physical access to the electronic hardware
While impersonating an Information Security Officer (ISO), an attacker obtains information from company employees about their User IDs and passwords. Which method of information gathering has the attacker used?
A. Trusted path
B. Malicious logic
C. Social engineering
D. Passive misuse
Social engineering
Which of the following does the Encapsulating Security Payload (ESP) provide?
A. Authorization and integrity
B. Availability and integrity
C. Integrity and confidentiality
D. Authorization and confidentiality
Integrity and confidentiality
The overall goal of a penetration test is to determine a system's
A. ability to withstand an attack.
B. capacity management.
C. error recovery capabilities.
D. reliability under stress.
ability to withstand an attack.
The PRIMARY purpose of a security awareness program is to
A. ensure that everyone understands the organization's policies and procedures.
B. communicate that access to information will be granted on a need-to-know basis.
C. warn all users that access to all systems will be monitored on a daily basis.
D. comply with regulations related to data and information protection.
ensure that everyone understands the organization's policies and procedures.