CISM Certified Information Security Manager – Question1228

Which of the following is the MOST important outcome of a well-implemented awareness program?

A. The board is held accountable for risk management.
B. The number of reported security incidents steadily decreases.
C. The number of successful social engineering attacks is reduced.
D. Help desk response time to resolve incidents is improved.

Correct Answer: B

CISM Certified Information Security Manager – Question1227

An employee is found to be using an external cloud storage service to share corporate information with a third-party consultant, which is against company policy. Which of the following should be the information security manager's FIRST course of action?

A. Determine the classification level of the information.
B. Seek business justification from the employee.
C. Block access to the cloud storage service.
D. Inform higher management of a security breach.

Correct Answer: A

CISM Certified Information Security Manager – Question1226

Using which of the following metrics will BEST help to determine the resiliency of IT infrastructure security controls?

A. Number of successful disaster recovery tests
B. Percentage of outstanding high-risk audit issues
C. Frequency of updates to system software
D. Number of incidents resulting in disruptions

Correct Answer: D

CISM Certified Information Security Manager – Question1222

Which of the following metrics provides the BEST indication of the effectiveness of a security awareness campaign?

A. The number of reported security events
B. Quiz scores for users who took security awareness classes
C. User approval rating of security awareness classes
D. Percentage of users who have taken the courses

Correct Answer: A

CISM Certified Information Security Manager – Question1221

Which of the following is the PRIMARY reason to avoid alerting certain users of an upcoming penetration test?

A. To prevent exploitation by malicious parties
B. To aid in the success of the penetration
C. To evaluate detection and response capabilities
D. To reduce the scope and duration of the test

Correct Answer: C