Which of the following provides the BEST audit evidence that a firewall is configured in compliance with the organization’s security policy?

A. Analyzing how the configuration changes are performed
B. Performing penetration testing
C. Analyzing log files
D. Reviewing the rule base

An enterprise receiving email should have procedures to control:

A. insufficient end-points.
B. unsolicited executable code.
C. outdated protocols.
D. insufficient connectivity.

The lack of which of the following represents the GREATEST risk to the quality of developed software?

A. Code reviews
B. Periodic internal audits
C. Load testing
D. An enterprise architecture

Capacity management enables organizations to:

A. establish the capacity of network communication links.
B. determine business transaction volumes.
C. forecast technology trends.
D. identify the extent to which components need to be upgraded.

Which of the following management decisions presents the GREATEST risk associated with data leakage?

A. Security awareness training is not provided to staff.
B. There is no requirement for desktops to be encrypted.
C. Security policies have not been updated in the past year.
D. Staff are allowed to work remotely.

Which of the following is the MOST effective control to ensure electronic records beyond their retention periods are deleted from IT systems?

A. Review the record retention register regularly to initiate data deletion.
B. Build in system logic to trigger data deletion at predefined times.
C. Perform a sample check of current data against the retention schedule.
D. Execute all data deletions at a predefined month during the year.

Which of the following is the MOST important reason to periodically review data that has already been classified?

A. The associated risk may change over time.
B. Additional data may have been added to the inventory.
C. Older data may need to be archived on removable media.
D. The classification nomenclature has changed.

Which of the following would be MOST important to include in a data security policy to adequately manage the privacy of customer information?

A. Information classification criteria
B. Encryption technology
C. Backup strategy
D. Data ownership

Which of the following BEST determines if a batch update job was completed?

A. Reviewing the job log
B. Testing a sample of transactions
C. Reviewing a copy of the script
D. Obtaining process owner confirmation

Digital signatures are an effective control method for information exchange over an insecure network because they:

A. enable nonrepudiation.
B. are under the sole custody of the receiver.
C. are constant over time.
D. authenticate the user biometrically.