Topic 2: IS Management Controls and Auditing Management
The implementation of anti-malware and anti-phishing controls on centralized email servers is an example of what type of security control?
A. Organization control
B. Procedural control
C. Management control
D. Technical control
Answer: Technical control
An information security department is required to remediate system vulnerabilities when they are discovered. Please select the three primary remediation methods that can be used on an affected system.
A. Install software patch, operate system, maintain system
B. Discover software, remove affected software, apply software patch
C. Install software patch, configuration adjustment, software removal
D. Software removal, install software patch, maintain system
Answer: Install software patch, configuration adjustment, software removal
The CIO of an organization has decided to assign the responsibility of internal IT audit to the IT team. This is considered a bad practice MAINLY because
A. The IT team is not familiar with IT audit practices
B. This represents a bad implementation of the Least Privilege principle
C. This represents a conflict of interest
D. The IT team is not certified to perform audits
Answer: This represents a conflict of interest
When measuring the effectiveness of an Information Security Management System, which one of the following would be MOST LIKELY used as a metric framework?
A. ISO 27001
B. PRINCE2
C. ISO 27004
D. ITILv3
Answer: ISO 27004
Which of the following activities must be completed BEFORE you can calculate risk?
A. Determining the likelihood that vulnerable systems will be attacked by specific threats
B. Calculating the risks to which assets are exposed in their current setting
C. Assigning a value to each information asset
D. Assessing the relative risk facing the organization’s information assets
Answer: Assigning a value to each information asset
A recent audit has identified a few control exceptions and is recommending the implementation of technology and processes to address the finding. Which of the following is the MOST likely reason for the organization to reject the implementation of the recommended technology and processes?
A. The auditors have not followed proper auditing processes
B. The CIO of the organization disagrees with the finding
C. The risk tolerance of the organization permits this risk
D. The organization has purchased cyber insurance
Answer: The risk tolerance of the organization permits this risk
Which of the following are primary concerns for management with regard to assessing internal control objectives?
A. Confidentiality, Availability, Integrity
B. Compliance, Effectiveness, Efficiency
C. Communication, Reliability, Cost
D. Confidentiality, Compliance, Cost
Answer: Compliance, Effectiveness, Efficiency
Which of the following is the PRIMARY purpose of International Organization for Standardization (ISO) 27001?
A. Use within an organization to formulate security requirements and objectives
B. Implementation of business-enabling information security
C. Use within an organization to ensure compliance with laws and regulations
D. To enable organizations that adopt it to obtain certifications
Answer: Implementation of business-enabling information security
Which of the following is a fundamental component of an audit record?
A. Date and time of the event
B. Failure of the event
C. Originating IP address
D. Authentication type
Answer: Date and time of the event
Which of the following best describes the purpose of the International Organization for Standardization (ISO) 27002 standard?
A. To give information security management recommendations to those who are responsible for initiating, implementing, or maintaining security in their organization
B. To provide a common basis for developing organizational security standards
C. To provide effective security management practice and to provide confidence in interorganizational dealings
D. To establish guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization
Answer: To establish guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization