The BEST way to ensure that information security policies are followed is to:

A. distribute printed copies to all employees.
B. perform periodic reviews for compliance.
C. include escalating penalties for noncompliance.
D. establish an anonymous hotline to report policy abuses.

A web-based business application is being migrated from test to production. Which of the following is the MOST important management signoff for this migration?

A. User
B. Network
C. Operations
D. Database

The BEST way to ensure that security settings on each platform are in compliance with information security policies and procedures is to:

A. perform penetration testing.
B. establish security baselines.
C. implement vendor default settings.
D. link policies to an independent standard.

During the security review of a legacy business application, it was discovered that sensitive client data is not encrypted in storage, which does not comply with the organization’s information security policy. Which of the following would be the information security manager’s BEST course of action?

A. Implement encryption on client data.
B. Report the noncompliance to senior management.
C. Analyze compensating controls and assess the associated risk.
D. Determine the cost of encryption and discuss with the application owner.

Which of the following is MOST relevant for an information security manager to communicate to IT operations?

A. The level of inherent risk
B. Vulnerability assessments
C. Threat assessments
D. The level of exposure

During a review to approve a penetration test plan, which of the following should be an information security manager’s PRIMARY concern?

A. Penetration test team’s deviation from scope
B. Unauthorized access to administrative utilities
C. False positive alarms to operations staff
D. Impact on production systems

Which of the following is MOST helpful to maintain cohesiveness within an organization’s information security resource?

A. Information security architecture
B. Security gap analysis
C. Business impact analysis
D. Information security steering committee

A validated patch to address a new vulnerability that may affect a mission-critical server has been released. What should be done immediately?

A. Add mitigating controls.
B. Take the server off-line and install the patch.
C. Check the server’s security and install the patch.
D. Conduct an impact analysis.

Which of the following is the BEST method to defend against social engineering attacks?

A. Periodically perform antivirus scans to identify malware.
B. Communicate guidelines to limit information posted to public sites.
C. Employ the use of a web-content filtering solution.
D. Monitor for unauthorized access attempts and failed logins.

Which of the following is the BEST way to identify the potential impact of a successful attack on an organization’s mission critical applications?

A. Conduct penetration testing.
B. Execute regular vulnerability scans.
C. Perform independent code review.
D. Perform application vulnerability review.