port numbers, IP addressing, and the protocols used. What document will you find this information in?
Memorandum of understanding
Disclosure of assets
Operation level agreement
Interconnection security agreements

25 Your new line of business is selling directly to the public. Two major risks are your lack of experience with establishing and managing credit card processing and the additional compliance requirements. What is the BEST risk strategy?
Transferring the initial risk by outsourcing
Transferring the risk to another internal department
Mitigating the risks by hiring additional IT staff
Accepting the risks and log acceptance

26 A large enterprise is expanding through the acquisition of a second corporation. What should be done first before connecting the networks?
System and network vulnerability scan
Implementation of a firewall system
Development of a risk analysis for the two networks
Complete review of the new corporation

27 The CISO is researching ways to reduce risk associated with the separation of duties. In the case where one person is not available, another needs to be able to perform all the duties of their co-workers. What should the CISO implement to reduce risk?
Mandatory requirement of a shared account for administrative purposes
Audit of all ongoing administration activities
Separation of duties to ensure no single administrator has access
Role-based security on the primary role and provisional access to the secondary role on a case-by-case basis

28 How can you secure third-party applications and introduce only acceptable risk into your environment?
Code review and simulation
Roundtable discussions
Parallel trials
Full deployment

29 Your company policy states that only authorized software is allowed on the corporate network, and BYOD needs to be configured by IT for the proper software and security controls to adhere to company policy. The marketing manager plugs in a USB received at a conference into their laptop and it auto-launches. What is the greatest risk?
Employee transferring the customer database and IP
Employee using non-approved accounting applications
Infecting the network with malware
File corruption by the USB exiting out improperly

30 What risks and mitigations are associated with BYOD?
Risk: Data exfiltration; Mitigation: Remote wipe
Risk: Confidentiality leaks; Mitigation: Corporate policy
Risk: Theft; Mitigation: Minimal storage
Risk: GPS tracking; Mitigation: Minimal cost

31 Your software company is acquiring a new program from a competitor. All the people working with that company will become your employees. They will retain all access to their former network and resources for two weeks to ease the transition. For productivity, the decision was made to join the two networks. Which of the following threats is the highest risk for your company?
IP filters
Loss of code
Malware
Comingling the networks

32 Your bank outsourced the security department to an outside firm. The CISO just learned that this third-party outside firm subcontracted security operations to another organization. The board of directors is now pressuring the CISO to ensure that the bank is protected legally. What is the BEST course of action for the CISO to take?
Creating another NDA directly with the subcontractor
Confirming that the current outside firm has an SLA with the subcontractor
Performing a risk analysis on the subcontractor
Terminating the contract immediately and looking for another outside firm

33 The CIO created a goal for the security team to reduce vulnerabilities. They are not high profile, but they still exist. Many of these vulnerabilities have compensating controls in place for security reasons. At this point in time, the budget has been exhausted. What is the BEST risk strategy to use?
Accepting risk
Mitigating risk
Transferring risk
Avoiding risk

34 Your database team would like to use a service-oriented architecture (SOA). The CISO suggested you investigate the risk for adopting this type of architecture. What is the biggest security risk to adopting an SOA?
SOA available only over the enterprise network
Lack of understanding from stakeholders
Risk of legacy networks and system vulnerabilities
Source code

35 With traditional network architecture, one best practice is to limit network access points. This limitation allowed for a concentration of network security resources and a protected attack surface. With the introduction of 802.1x into enterprise network architecture, what was introduced into the network?
Increased capability and increased risk and higher TCO
Decreased capability and increased risk and higher TCO
Increased capability and decreased risk and lower TCO
Decreased capability and decreased risk and lower TCO

36 Marketing asked for web-based meeting software with a third-party vendor. The software you reviewed requires user registration and installation, and the user has to share their desktop. To ensure that information is secure, which of the following controls is BEST?
Disallow. Avoid the risk.
Hire a third-party organization to perform the risk analysis, and based on outcomes, allow or disallow the software.
Log and record every single web-based meeting.
After evaluating several providers, ensure acceptable risk and that the read-write desktop mode can be prevented.

37 You are tasked with writing the security viewpoint of a new program that your organization is starting. Which of the following techniques make this a repeatable process and can be used for creating the best security architecture?
Data classification, CIA triad, minimum security required, and risk analysis
Historical documentation, continuous monitoring, and mitigation of high risks
Implementation of proper controls, performance of qualitative analysis, and continuous monitoring
Risk analysis; avoidance of critical risks, threats, and vulnerabilities; and the transference of medium risk

38 Because of time constraints and budget, your organization has opted to hire a third-party organization to begin working on an important new project. From a security point of view, what BEST balances the needs of the organization and managing the risk of a third-party vendor?
Outsourcing is a valid option and not much of a concern for security because any damage is the responsibility of the third party.
If the company has an acceptable security record, then it makes perfect sense to outsource.
You should never outsource. It leads to legal and compliance issues.
The third party should have the proper NDA, SLA, and OLA in place and should be obligated to perform adequate security activities.

39 Your organization must perform vast amounts of computations of big data overnight. To minimize TCO, you rely on elastic cloud services. The virtual machines and containers are created and destroyed nightly. What is the biggest risk to confidentiality?
Data center distribution
Encryption
Physical loss of control of assets
Data scraping

40 You work for a SOHO and replace servers whenever there is money readily available for expenditure. Over the past few tech-refresh cycles, you have received many servers and workstations from several different vendors. What is the challenge and risk of this style of asset management?
OS and asset EOL issues and updates
OS complexities and OS patch version dependencies
Failure rate of legacy equipment, replacement parts, and firmware updates and management
Poor security posture, inability to manage performance on old OS

41 You are brought in as a consultant to improve the security of business processes. You improve security by applying the proper controls, including transport encryption, interface restrictions, and code review. What else can you do to improve business processes now that you've already done all the technical improvements?
Modify the company security policies and procedures.
Meet with upper management to approve new company standards and a mission statement.
Conduct another technical quantitative risk analysis on all current controls.
Conduct a gap analysis and give a recommendation on nontechnical controls to be incorporated into company documentation.

42 Your bank's board of directors want to perform monthly security testing. As CISO, you must form a plan specifically for its development. This test must have a low risk of impacting system stability because the company is in production. The suggestion was made to outsource this to a third party. The board of directors argue that a third party will not be as knowledgeable as the development team. What will satisfy the board of directors?
Gray-box testing by a major consulting firm
Black-box testing by a major external consulting firm
Gray-box testing by the development and security assurance teams
White-box testing by the development and security assurance teams

43 A vendor of software deployed across your corporate network announced that an update is needed for a specific vulnerability. Your CIO wants to know the vulnerability time (Vt). When can you give them that information?
After the patch is downloaded and installed in the affected system or device
After the patch is released and available to the public
After the patch is created by the vendor
After the vulnerability is discovered

44 You