An organization has defined a set of standard security controls. This organization has also defined the circumstances and conditions in which they must be applied.
What is the NEXT logical step in applying the controls in the organization?
A. Determine the risk tolerance
B. Perform an asset classification
C. Analyze existing controls on systems
D. Create an architecture gap analysis
You have implemented a new security control. Which of the following risk strategy options have you engaged in?
A. Risk Transfer
B. Risk Mitigation
C. Risk Avoidance
D. Risk Acceptance
Within an organization's vulnerability management program, who has the responsibility to implement remediation actions?
A. Data owner
B. Data center manager
C. Network architect
D. System administrator
The patching and monitoring of systems on a consistent schedule is required by which of the following?
A. Industry best practices
B. Audit best practices
C. Risk Management framework
D. Local privacy laws
The Annualized Loss Expectancy (Before) minus Annualized Loss Expectancy (After) minus Annual Safeguard Cost is the formula for determining:
A. Single Loss Expectancy
B. Life Cycle Loss Expectancy
C. Safeguard Value
D. Cost Benefit Analysis
Scenario: A Chief Information Security Officer (CISO) recently had a third party conduct an audit of the security program. Internal policies and international standards were used as audit baselines. The audit report was presented to the CISO, and a variety of high-, medium- and low-rated gaps were identified.
Which of the following is the FIRST action the CISO will perform after receiving the audit report?
A. Inform peer executives of the audit results
B. Validate gaps and accept or dispute the audit findings
C. Create remediation plans to address program gaps
D. Determine if security policies and procedures are adequate
Scenario: The new CISO was informed of all the Information Security projects that the section has in progress. Two projects are over a year behind schedule and way over budget. Using the best business practices for project management, you determine that the project correctly aligns with the organization's goals.
What should be verified next?
A. Scope
B. Constraints
C. Resources
D. Budget
Scenario: The new CISO was informed of all the Information Security projects that the section has in progress. Two projects are over a year behind schedule and way over budget.
Which of the following will be most helpful for getting an Information Security project that is behind schedule back on schedule?
A. Upper management support
B. Involve internal audit
C. More frequent project milestone meetings
D. More training of staff members
A newly-hired CISO needs to understand the organization's financial management standards for business units and operations. Which of the following would be the best source of this information?
A. The internal accounting department
B. The Chief Financial Officer (CFO)
C. The external financial audit service
D. The managers of the accounts payables and accounts receivables teams
When reviewing a Solution as a Service (SaaS) provider's security health and posture, which key document should you review?
A. SaaS provider's website certifications and representations (certs and reps)
B. SOC-2 Report
C. Metasploit Audit Report
D. Statement from the SaaS provider attesting to their ability to secure your data