Question 1

A security manager has created a risk program. Which of the following is a critical part of ensuring the program is successful?

Accepted Answer

Providing a risk program governance structure is critical as it establishes the framework for managing risk, ensuring accountability, and integrating risk management into the organization's overall strategy and operations.

Question 2

Your IT auditor is reviewing significant events from the previous year and has identified some procedural oversights. Which of the following would be the MOST concerning?

Accepted Answer

The lack of notification to the public of disclosure of confidential information is most concerning because it can lead to legal liabilities, loss of trust, and significant reputational damage.

Question 3

What is the definition of Risk in Information Security?

Accepted Answer

Risk in Information Security is typically defined as the product of the probability of a threat occurring and the impact it would have, which is represented by the formula Risk = Probability x Impact.

Question 4

A global retail company is creating a new compliance management process. Which of the following regulations is of MOST importance to be tracked and managed by this process?

Accepted Answer

PCI-DSS is crucial for a retail company as it governs the security of credit card transactions, which are integral to retail operations.

Question 5

Quantitative Risk Assessments have the following advantages over qualitative risk assessments:

Accepted Answer

Quantitative risk assessments are objective and use numerical data to express risk and cost in real numbers, providing a more precise and measurable evaluation compared to qualitative assessments.

Question 6

The PRIMARY objective for information security program development should be:

Accepted Answer

The primary objective of an information security program is to protect the organization's information assets by reducing the impact of risks to the business. This involves identifying potential threats and vulnerabilities and implementing measures to mitigate them, ensuring the continuity and resilience of business operations.

Question 7

Regulatory requirements typically force organizations to implement ____________.

Accepted Answer

Regulatory requirements often mandate organizations to implement mandatory controls to ensure compliance with laws and regulations.

Question 8

Which of the following international standards can be BEST used to define a Risk Management process in an organization?

Accepted Answer

ISO-27005 is specifically designed to provide guidelines for information security risk management, making it the best choice for defining a Risk Management process in an organization.

Question 9

When an organization claims it is secure because it is PCI-DSS certified, what is a good first question to ask towards assessing the effectiveness of their security program?

Accepted Answer

The scope of the PCI-DSS certification is crucial because it determines which parts of the organization's environment were assessed and certified. Understanding the scope helps evaluate whether all relevant systems and processes are covered by the certification.

Question 10

Which of the following has the GREATEST impact on the implementation of an information security governance model?

Accepted Answer

The complexity of the organizational structure has the greatest impact on the implementation of an information security governance model because it affects decision-making processes, communication, and the alignment of security policies across different departments and levels.

Question 11

If a competitor wants to cause damage to your organization, steal critical secrets, or put you out of business, they just have to find a job opening, prepare someone to pass the interview, have that person hired, and they will be in the organization. How would you prevent such type of attacks?

Accepted Answer

Conducting thorough background checks can help verify the authenticity and integrity of a candidate, reducing the risk of hiring someone with malicious intent.

Question 12

If the result of an NPV is positive, then the project should be selected. The net present value shows the present value of the project, based on the decisions taken for its selection. What is the net present value equal to?

Accepted Answer

The answer of If the result of an NPV is...

Question 13

Why is it vitally important that senior management endorse a security policy?

Accepted Answer

The answer of Why is it vitally important that senior...

Question 14

Which of the following is a strong post designed to stop a car?

Accepted Answer

A bollard is a strong post specifically designed to stop vehicles and provide security.

Question 15

Smith, the project manager for a larger multi-location firm, is leading a software project team that has 18 members, 5 of which are assigned to testing. Due to recent recommendations by an organizational quality audit team, the project manager is convinced to add a quality professional to lead to test team at additional cost to the project. The project manager is aware of the importance of communication for the success of the project and takes the step of introducing additional communication channels, making it more complex, in order to assure quality levels of the project. What will be the first project management document that Smith should change in order to accommodate additional communication channels?

Accepted Answer

The answer of Smith, the project manager for a larger...

Question 16

Which of the following is the MOST important benefit of an effective security governance process?

Accepted Answer

An effective security governance process primarily aims to reduce liability and overall risk to the organization by ensuring that security measures align with business objectives and regulatory requirements.

Question 17

The purpose of NIST SP 800-53 as part of the NIST System Certification and Accreditation Project is to establish a set of standardized, minimum security controls for IT systems addressing low, moderate, and high levels of concern for:

Accepted Answer

NIST SP 800-53 provides a catalog of security and privacy controls for federal information systems and organizations, aiming to protect the confidentiality, integrity, and availability of information.

Question 18

After a risk assessment is performed, a particular risk is considered to have the potential of costing the organization 1.2 Million USD. This is an example of____________.

Accepted Answer

Quantitative risk analysis involves the numerical estimation of the potential impact of risks, such as the financial cost, which in this case is 1.2 Million USD.

Question 19

Ensuring that the actions of a set of people, applications and systems follow the organization's rules is BEST described as:

Accepted Answer

Compliance management involves ensuring that the actions of people, applications, and systems adhere to the organization's rules and regulations.

Question 20

An organization is looking for a framework to measure the efficiency and effectiveness of their Information Security Management System. Which of the following international standards can BEST assist this organization?

Accepted Answer

ISO-27004 provides guidelines for monitoring, measurement, analysis, and evaluation of an Information Security Management System, making it the best choice for measuring efficiency and effectiveness.

Exam 2: Certified Network Defender