The PRIMARY goal of a security infrastructure design is the:

A. reduction of security incidents.
B. protection of corporate assets.
C. elimination of risk exposures.
D. optimization of IT resources.

The BEST way to minimize errors in the response to an incident is to:

A. follow standard operating procedures.
B. analyze the situation during the incident.
C. implement vendor recommendations.
D. reference system administration manuals.

During an incident, which of the following entities would MOST likely be contacted directly by an organization's incident response team without management approval?

A. Industry regulators
B. Technology vendor
C. Law enforcement
D. Internal audit

An information security manager discovers that newly hired privileged users are not taking necessary steps to protect critical information at their workstations. Which of the following is the BEST way to address this situation?

A. Communicate the responsibility and provide appropriate training.
B. Publish an acceptable use policy and require signed acknowledgment.
C. Turn on logging and record user activity.
D. Implement a data loss prevention (DLP) solution.

For an organization that is experiencing outages due to malicious code, which of the following is the BEST index of the effectiveness of countermeasures?

A. Number of virus infections detected
B. Amount of infection-related downtime
C. Average recovery time per incident
D. Number of downtime-related help desk calls

Senior management wants to provide mobile devices to its sales force. Which of the following should the information security manager do FIRST to support this objective?

A. Assess risks introduced by the technology.
B. Develop an acceptable use policy.
C. Conduct a vulnerability assessment on the devices.
D. Research mobile device management (MDM) solutions.

An organization is implementing an information security governance framework. To communicate the program's effectiveness to stakeholders, it is MOST important to establish:

A. automated reporting to stakeholders.
B. a control self-assessment process.
C. metrics for each milestone.
D. a monitoring process for the security policy.

An executive's personal mobile device used for business purposes is reported lost. The information security manager should respond based on:

A. mobile device configuration.
B. asset management guidelines.
C. the business impact analysis (BIA).
D. incident classification.

When developing a new system, detailed information security functionality should FIRST be addressed:

A. as part of prototyping.
B. during the system design phase.
C. when system requirements are defined.
D. as part of application development.

Which of the following is the MOST important reason for performing a cost-benefit analysis when implementing a security control?

A. To present a realistic information security budget
B. To ensure that benefits are aligned with business strategies
C. To ensure that the mitigation effort does not exceed the asset value
D. To justify information security program activities