have an accountant who refuses to take their required time off. You must institute a policy that will force people in critical financial areas of the organization to take time off. Which of the following standard security practices do you institute?
- Separation of duties
- Mandatory vacation
- Forensic tasks
- Termination procedures

45 A small insurance business implemented least privilege. Management is concerned that staff might accidentally aid in fraud with the customers. Which of the following addresses security concerns with this risk?
- Policy
- Job rotation
- Separation of duties
- Security awareness training

46 A corporation expanded their business by acquiring several similar businesses. What should the security team first undertake?
- Development of an ISA and a risk analysis
- Installation of firewalls between the businesses
- Removal of unneeded assets and Internet access
- Scan of the new networks for vulnerabilities

47 Your company began the process of evaluating different technologies for a technical security-focused project. You narrowed down the selection to three organizations from which you received RFIs. What is the next request that you will make of those three vendors?
- RFQ
- RFP
- RFC
- RFI

48 Your security team is small and must work economically to reduce risk. You do not have a lot of time to spend on reducing your attack surface. Which of the following might help reduce the time you spend on patching internal applications?
- VPN
- PaaS
- IaaS
- Terminal server

49 A competitor of your company was hacked, and the forensics show it was a social engineering phishing attack. What is the first thing you do to prevent this from happening at your company?
- Educate all employees about social engineering risks and countermeasures.
- Publish a new mission statement.
- Implement IPSec on all critical systems.
- Use encryption.

50 Many organizations prepare for highly technical attacks and forget about the simple low-tech means of gathering information. Dumpster diving can be useful in gaining access to unauthorized information. How should you reduce your company's dumpster-diving risk?
- Data classification and printer restrictions of intellectual property.
- Purchase shredders for the copy rooms.
- Create policies and procedures for document shredding.
- Employ an intern to shred all printed documentation.

51 Qualitative risk assessment is explained by which of the following?
- Can be completed by someone with a limited understanding of risk assessment and is easy to implement
- Must be completed by someone with expert understanding and uses detailed analysis for calculation
- Is completed by subject-matter experts and is difficult to implement
- Brings together SME with detailed metrics to handle a difficult implementation

52 What is the customary practice of responsible protection of an asset that affects an organization or community?
- Due diligence
- Risk mitigation
- Insurance
- Due care

53 Your global banking organization is acquiring a smaller local bank. As part of the security team, what will your risk assessment evaluate?
- Threats to assets, vulnerabilities present, the likelihood of an active threat, the impact of exposure, and residual risk
- Threats to assets, vulnerabilities present, the likelihood of a passive threat, the impact of exposure, and total risk
- Threats to assets, vulnerabilities present, the likelihood of a passive threat, the impact of exposure on the acquired bank, and total risk
- Threats to assets, vulnerabilities present, the likelihood of an active threat, the impact of exposure, and total inherent risk

54 During the risk analysis phase of planning, what would BEST mitigate and manage the effects of an incident?
- Modifying the scenario the risk is based on
- Developing an agenda for recovery
- Choosing the members of the recovery team
- Implementing procedural controls

55 You have been added to the team to conduct a business impact analysis (BIA). This BIA will identify:
- The impact of vulnerabilities to your organization
- How to best efficiently reduce threats
- The exposure to loss within your organization
- How to bring about change based on the impact on operations

56 You live and work in an area plagued by hurricanes. What BEST describes the effort you made to determine the consequence of a disruption due to this natural disaster?
- Business impact analysis
- Risk assessment
- Table-top exercises
- Mitigating control analysis

57 You are a consultant for a cybersecurity firm and have been tasked with quantifying risks associated with information technology when validating the abilities of new security controls and countermeasures. What is the BEST way to identify the risks?
- Vulnerability management
- Pentesting
- Threat and risk assessment
- Data reclassification

58 You are employed in a high-risk, geographically diverse production environment. Which of these options would be the BEST reason to deploy link encryption to reduce risk?
- Link encryption provides better flow confidentiality and routing.
- Link encryption encrypts routing information and is often used with satellite communication.
- Link encryption is used for message confidentiality.
- Link encryption is implemented for better traffic integrity.

59 Your manufacturing organization implemented a new vulnerability management tool. As the security analyst, you are tasked with creating a successful process for vulnerability assessment. What do you have to fully understand before assuming this task?
- Threat definitions and identification
- CVE and CVSS
- Risk assessments and threat identification
- Vulnerability appraisal and access review

60 Bob is conducting a risk assessment and wants to assign an asset value to the servers in the data center. The concern of his organization is to ensure there is a budget to rebuild in case of a natural disaster. What method should Bob use to evaluate the assets?
- Depreciated cost
- Purchase cost
- Replacement cost
- Conditional cost

61 Alice is responsible for PCI compliance for her organization. The policy requires she remove information from a database, but she cannot due to technical restrictions. She is pursuing a compensating control to mitigate the risk. What is her best option?
- Insurance
- Encryption
- Deletion
- Exceptions

62 Bob is a security risk manager with a global organization. The organization recently evaluated the risk of flash floods on its operations in several regions and determined that the cost of responding is expensive. The organization chooses to take no action currently. What was the risk management strategy deployed?
- Risk mitigation
- Risk acceptance
- Risk avoidance
- Risk transference

63 Greg is a security researcher for a cybersecurity company. He is currently examining a third-party vendor and finds a way to use SQLi to deface their web server due to a missing patch in the company's web application. What is the threat of doing business with this organization?
- Web defacement
- Unpatched applications
- Hackers
- Education awareness
64 Your organization's primary network backup server went down at midnight. Your RPO is nine hours. At what time will you exceed the business process recovery tolerance, given the volume of data that has been lost in that time frame?
- 6 A.M.
- 9 A.M.
- Noon
- 3 P.M.
65 Your company needs to decide on a data backup plan strategy. You established your RPO as 8 hours, and your RTO after any disaster, man-made or natural, as 48 hours. These RTOs were established by the business owner while developing the BIA. The RTO includes which of the following?
- Recovery, testing, and communications
- Decision time
- Parallel processing
- Only the time for trying to fix the problem without a recovery

66 Your organization has a new policy to implement security based on least privilege and separation of duties. A key component is making a decision on data access. They decided it is BEST made by which of the following roles?
- Data steward
- Data owner
- User/manager
- Senior management

67 You are hired by an insurance company as their new data custodian. Which of the following best describes your new responsibilities?
- Writing and proofing administrative documentation
- Ensuring accessibility and appropriate access using policy and data ownership guidelines
- Conducting an audit of the data's strategic, tactical, and operation (STO) controls
- Improving the data consistency and increasing data integration

68 Your healthcare organization decided to begin outsourcing some IT systems. Which of the following statements is true?
- All outsourcing frees your organization from any rules or requirements.
- All compliance and regulatory requirements are passed on to the provider.
- The IT systems are no longer configured, maintained, or evaluated by your organization.
- The outsourcing organization is free from any rules or regulations.

69 You work as a security analyst for a large banking organization that is about to disclose to the public that a substantial breach occurred. You are called into a meeting with the CISO and CEO to discuss how to ensure proper forensic action took place and that the incident