CISM Certified Information Security Manager – Question1007

An information security manager learns of a new international standard related to information security.
Which of the following would be the BEST course of action?

A. Review industry peers’ responses to the new standard.
B. Consult with legal counsel on the standard’s applicability to regulations.
C. Determine whether the organization can benefit from adopting the new standard.
D. Perform a gap analysis between the new standard and existing practices.

Correct Answer: C

CISM Certified Information Security Manager – Question1006

What would be an information security manager’s BEST course of action when notified that the implementation of some security controls is being delayed due to budget constraints?

A. Prioritize security controls based on risk.
B. Request a budget exception for the security controls.
C. Begin the risk acceptance process.
D. Suggest less expensive alternative security controls.

Correct Answer: A

CISM Certified Information Security Manager – Question1005

An organization’s information security strategy for the coming year emphasizes reducing the risk of ransomware. Which of the following would be MOST helpful to support this strategy?

A. Provide relevant training to all staff.
B. Create a penetration testing plan.
C. Perform a controls gap analysis.
D. Strengthen security controls for the IT environment.

Correct Answer: A

CISM Certified Information Security Manager – Question1002

Which of the following is the BEST way to increase the visibility of information security within an organization’s culture?

A. Requiring cross-functional information security training
B. Implementing user awareness campaigns for the entire company
C. Publishing an acceptable use policy
D. Establishing security policies based on industry standards

Correct Answer: A

CISM Certified Information Security Manager – Question1000

The MAIN reason for an information security manager to monitor industry-level changes in the business and IT is to:

A. evaluate the effect of the changes on the levels of residual risk.
B. identify changes in the risk environment.
C. update information security policies in accordance with the changes.
D. change business objectives based on potential impact.

Correct Answer: B