Question 1

What role should the CISO play in properly scoping a PCI environment?

Accepted Answer

The answer of What role should the CISO play in...

Question 2

What is the main purpose of the Incident Response Team?

Accepted Answer

The main purpose of the Incident Response Team is to ensure efficient recovery and reinstate repaired systems after an incident, minimizing impact and restoring normal operations.

Question 3

The implementation of anti-malware and anti-phishing controls on centralized email servers is an example of what type of security control?

Accepted Answer

Technical controls involve the use of technology to reduce vulnerabilities, and implementing anti-malware and anti-phishing controls on email servers is a technical measure to protect against threats.

Question 4

The Information Security Management program MUST protect:

Accepted Answer

The answer of The Information Security Management program MUST protect:
...

Question 5

Which of the following are the MOST important factors for proactively determining system vulnerabilities?

Accepted Answer

Conducting security testing, vulnerability scanning, and penetration testing are proactive measures that directly identify and assess system vulnerabilities, allowing for timely remediation.

Question 6

A new CISO just started with a company and on the CISO's desk is the last complete Information Security Management audit report. The audit report is over two years old. After reading it, what should be your first priority?

Accepted Answer

The first priority should be to review the recommendations and follow up to see if audit implemented the changes. This will help to ensure that the company is taking the necessary steps to protect its information assets.

Question 7

What should an organization do to ensure that they have a sound Business Continuity (BC) Plan?

Accepted Answer

Conducting periodic tabletop exercises helps refine and improve the BC plan by simulating different scenarios and identifying potential weaknesses or gaps.

Question 8

Which of the following tests is performed by an Information Systems (IS) auditor when a sample of programs is selected to determine if the source and object versions are the same?

Accepted Answer

A compliance test of program library controls is performed to ensure that the source and object versions of programs are the same, verifying adherence to procedures and controls.

Question 9

A global health insurance company is concerned about protecting confidential information. Which of the following is of MOST concern to this organization?

Accepted Answer

Compliance with patient data protection regulations is most critical for a health insurance company as it deals with sensitive health information, which is subject to strict privacy laws in many countries.

Question 10

An IT auditor has recently discovered that because of a shortage of skilled operations personnel, the security administrator has agreed to work one late night shift a week as the senior computer operator. The most appropriate course of action for the IT auditor is to:

Accepted Answer

The IT auditor should inform senior management of the risk involved because the security administrator's dual role could lead to a conflict of interest and potential security risks.

Question 11

What is the BEST way to achieve on-going compliance monitoring in an organization?

Accepted Answer

Partnering Compliance and Information Security to address issues as they arise ensures continuous monitoring and proactive management of compliance, rather than reactive measures.

Question 12

Which of the following represents the MOST negative impact resulting from an ineffective security governance program?

Accepted Answer

Fines for regulatory non-compliance represent a direct financial penalty and can have severe legal and reputational consequences, making it the most negative impact.

Question 13

A person in your security team calls you at night and informs you that one of your web applications is potentially under attack from a cross-site scripting vulnerability. What do you do?

Accepted Answer

The correct action is to invoke the incident response process, which is a structured approach to handle and manage the aftermath of a security breach or attack. This ensures that the situation is assessed, contained, and mitigated properly.

Question 14

Providing oversight of a comprehensive information security program for the entire organization is the primary responsibility of which group under the InfoSec governance framework?

Accepted Answer

Senior Executives are responsible for providing oversight and ensuring the implementation of a comprehensive information security program across the organization as part of their governance role.

Question 15

You work as a project manager for TYU project. You are planning for risk mitigation. You need to quickly identify high-level risks that will need a more in-depth analysis. Which one of the following approaches would you use?

Accepted Answer

Qualitative analysis is used to quickly identify and prioritize high-level risks for further analysis and action.

Question 16

Information security policies should be reviewed _____________________.

Accepted Answer

Information security policies should be reviewed by stakeholders at least annually to ensure they remain relevant and effective in addressing current security threats and organizational changes.

Question 17

Which of the following reports should you as an IT auditor use to check on compliance with a Service Level Agreement (SLA) requirement for uptime?

Accepted Answer

Availability reports provide information on system uptime and downtime, which is directly related to SLA compliance for uptime requirements.

Question 18

Which of the following activities results in change requests?

Accepted Answer

The answer of Which of the following activities results in...

Question 19

The CIO of an organization has decided to assign the responsibility of internal IT audit to the IT team. This is considering a bad practice MAINLY because_______________.

Accepted Answer

Assigning the internal IT audit to the IT team represents a conflict of interest because the team would be auditing its own work, which could lead to biased results and lack of objectivity.

Question 20

Which of the following is considered to be an IT governance framework and a supporting toolset that allows for managers to bridge the gap between control requirements, technical issues, and business risks?

Accepted Answer

COBIT (Control Objectives for Information and Related Technologies) is an IT governance framework that helps organizations manage and govern their IT environment, bridging the gap between control requirements, technical issues, and business risks.

Exam 2: Certified Network Defender