CISSP Practice Test Questions

1487 Questions


Topic 11: Exam Set C

An organization lacks a data retention policy. Of the following, who is the BEST person to consult for such requirement?


A.

Application Manager


B.

Database Administrator


C.

Privacy Officer


D.

Finance Manager





C.
  

Privacy Officer



If compromised, which of the following would lead to the exploitation of multiple virtual machines?


A.

Virtual device drivers


B.

Virtual machine monitor


C.

Virtual machine instance


D.

Virtual machine file system





B.
  

Virtual machine monitor



To protect auditable information, which of the following MUST be configured to only allow read access?


A.

Logging configurations


B.

Transaction log files


C.

User account configurations


D.

Access control lists (ACL)





B.
  

Transaction log files



What should happen when an emergency change to a system must be performed?


A.

The change must be given priority at the next meeting of the change control board.


B.

Testing and approvals must be performed quickly.


C.

The change must be performed immediately and then submitted to the change board.


D.

The change is performed and a notation is made in the system log.





B.
  

Testing and approvals must be performed quickly.



When planning a penetration test, the tester will be MOST interested in which information?


A.

Places to install back doors


B.

The main network access points


C.

Job application handouts and tours


D.

Exploits that can attack weaknesses





D.
  

Exploits that can attack weaknesses



Which of the following describes the BEST configuration management practice?


A.

After installing a new system, the configuration files are copied to a separate back-up system and hashed to detect tampering.


B.

After installing a new system, the configuration files are copied to an air-gapped system and hashed to detect tampering.


C.

The firewall rules are backed up to an air-gapped system.


D.

A baseline configuration is created and maintained for all relevant systems.





D.
  

A baseline configuration is created and maintained for all relevant systems.
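Option D names the practice; the hashing in options A and B is how a baseline is actually enforced. The following is an added example, not part of the practice test: it builds a SHA-256 baseline of every file under a directory, then re-hashes the same tree and reports what was modified, added or removed. The directory tree and file contents are constructed in a temporary folder for the demonstration; the paths and contents are assumptions chosen to look like configuration files.

```python
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def file_digest(path: str) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map every file under root (path relative to root) to its digest."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_digest(full)
    return baseline


def compare_to_baseline(root: str, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Re-hash the tree and classify drift against the stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario (not real system files): take a baseline, then
    change one file, add one and delete one, and return the drift report."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel: str, text: str) -> None:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(text)

        write("etc/sshd_config", "PermitRootLogin no\nPasswordAuthentication no\n")
        write("etc/sudoers", "root ALL=(ALL) ALL\n")
        write("etc/hosts.allow", "sshd: 10.0.0.0/8\n")

        # Round-trip through JSON, as a baseline kept in a separate store would be.
        stored = json.loads(json.dumps(build_baseline(root)))

        write("etc/sshd_config", "PermitRootLogin yes\nPasswordAuthentication yes\n")  # drift
        write("etc/cron.d/unexpected-job", "* * * * * root /tmp/run.sh\n")            # added
        os.remove(os.path.join(root, "etc/hosts.allow"))                             # removed

        return compare_to_baseline(root, stored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline must live somewhere the checked system cannot write to, otherwise an intruder who changes a file can update its stored digest as well; that is the reason options A and B copy the hashes off-box.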



What is the GREATEST challenge to identifying data leaks?


A.

Available technical tools that enable user activity monitoring.


B.

Documented asset classification policy and clear labeling of assets.


C.

Senior management cooperation in investigating suspicious behavior.


D.

Law enforcement participation to apprehend and interrogate suspects.





B.
  

Documented asset classification policy and clear labeling of assets.



Which of the following is the BIGGEST weakness when using native Lightweight Directory Access Protocol (LDAP) for authentication?


A.

Authorizations are not included in the server response


B.

Unsalted hashes are passed over the network


C.

The authentication session can be replayed


D.

Passwords are passed in cleartext





D.
  

Passwords are passed in cleartext
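To see why answer D is right and answer B is wrong, it helps to look at the bytes. An LDAPv3 simple bind (RFC 4511, section 4.2) carries the DN and the password as plain BER octet strings; nothing is hashed, salted or not. The following is an added example, not part of the practice test: a minimal BER encoder builds a simple BindRequest, and a minimal decoder does what a passive sniffer on the LDAP port would do and reads the credentials straight back out. The DN and password are constructed for the demonstration.

```python
from typing import Tuple


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(v: int) -> bytes:
    """INTEGER in minimal two's-complement form (enough for ids and version)."""
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def simple_bind_request(message_id: int, dn: str, password: str) -> bytes:
    """Encode LDAPMessage { messageID, bindRequest } with simple authentication."""
    bind = tlv(
        0x60,                                  # [APPLICATION 0] BindRequest
        ber_int(3)                             # version 3
        + tlv(0x04, dn.encode())               # name: LDAPDN as OCTET STRING
        + tlv(0x80, password.encode()),        # authentication: simple [0] OCTET STRING
    )
    return tlv(0x30, ber_int(message_id) + bind)   # LDAPMessage SEQUENCE


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element) for the element at pos."""
    tag = buf[pos]
    ln = buf[pos + 1]
    pos += 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln


def extract_simple_bind(pdu: bytes) -> Tuple[str, str]:
    """What a sniffer recovers from one captured BindRequest: DN and password."""
    tag, msg, _ = read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _message_id, pos = read_tlv(msg, 0)
    tag, bind, _ = read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, _version, pos = read_tlv(bind, 0)
    _, dn, pos = read_tlv(bind, pos)
    tag, cred, _ = read_tlv(bind, pos)
    if tag != 0x80:
        raise ValueError("not a simple bind (SASL or unknown authentication choice)")
    return dn.decode(), cred.decode()


if __name__ == "__main__":
    # Constructed credentials; any DN and password would show the same thing.
    pdu = simple_bind_request(1, "cn=svc-backup,dc=example,dc=com", "Winter2024!")
    print(pdu.hex())
    print(extract_simple_bind(pdu))
```

The fix is not to change the bind but to wrap it: LDAP over TLS (ldaps://, port 636) or StartTLS on port 389, or a SASL mechanism that does not ship the password. Note that a hashed password on the wire (answer B) would still be a replayable credential; the cleartext is the larger problem because it is reusable everywhere, which is why D is the best answer.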



Are companies legally required to report all data breaches?


A.

No, different jurisdictions have different rules.


B.

No, not if the data is encrypted.


C.

No, companies' codes of ethics don't require it.


D.

No, only if the breach had a material impact.





A.
  

No, different jurisdictions have different rules.



For privacy protected data, which of the following roles has the highest authority for establishing dissemination rules for the data?


A.

Information Systems Security Officer


B.

Data Owner


C.

System Security Architect


D.

Security Requirements Analyst





B.
  

Data Owner



Which of the following is most helpful in applying the principle of LEAST privilege?


A.

Establishing a sandboxing environment


B.

Setting up a Virtual Private Network (VPN) tunnel


C.

Monitoring and reviewing privileged sessions


D.

Introducing a job rotation program





A.
  

Establishing a sandboxing environment



Sensitive customer data is going to be added to a database. What is the MOST effective implementation for ensuring data privacy?


A.

Discretionary Access Control (DAC) procedures


B.

Mandatory Access Control (MAC) procedures


C.

Data link encryption


D.

Segregation of duties





D.
  

Segregation of duties



