Which of the following is the FIRST thing to consider when reviewing Information Technology (IT) internal controls?

A. The risk culture of the organization
B. The impact of the control
C. The nature of the risk
D. The cost of the control

A security engineer is tasked with implementing a new identity solution. The client doesn’t want to install or maintain the infrastructure. Which of the following would qualify as the BEST solution?

A. Microsoft Identity Manager (MIM)
B. Azure Active Directory (AD)
C. Active Directory Federation Services (ADFS)
D. Active Directory (AD)

An organization discovers that its Secure File Transfer Protocol (SFTP) server has been accessed by an unauthorized person to download an unreleased game. A recent security audit found weaknesses in some of the organization’s general Information Technology (IT) controls, specifically pertaining to software change control and security patch management, but not in other control areas.
Which of the following is the MOST probable attack vector used in the security breach?

A. Buffer overflow
B. Distributed Denial of Service (DDoS)
C. Cross-Site Scripting (XSS)
D. Weak password due to lack of complexity rules

Which of the following questions will be addressed through the use of a Privacy Impact Assessment (PIA)?

A. How the information is to be maintained
B. Why the information is to be collected
C. What information is to be destroyed
D. Where the information is to be stored

What Service Organization Controls (SOC) report can be freely distributed and used by customers to gain confidence in a service organization’s systems?

A. SOC 1 Type 1
B. SOC 1 Type 2
C. SOC 2
D. SOC 3

Which of the following is a credible source to validate that security testing of Commercial Off-The-Shelf (COTS) software has been performed with international standards?

A. Common Criteria (CC)
B. Evaluation Assurance Level (EAL)
C. National Information Assurance Partnership (NIAP)
D. International Standards Organization (ISO)

What is the BEST approach to annual safety training?

A. Base safety training requirements on staff member job descriptions.
B. Safety training should address any gaps in a staff member’s skill set.
C. Ensure that staff members in positions with known safety risks are given proper training.
D. Ensure that all staff members are provided with identical safety training.

Lack of which of the following options could cause a negative effect on an organization’s reputation, revenue, and result in legal action, if the organization fails to perform due diligence?

A. Threat modeling methodologies
B. Service Level Requirement (SLR)
C. Service Level Agreement (SLA)
D. Third-party risk management

Which of the following does Secure Sockets Layer (SSL) encryption protect?

A. Data availability
B. Data at rest
C. Data in transit
D. Data integrity

Which of the following is the BEST type of authentication and encryption for a Secure Shell (SSH) implementation when network traffic traverses between a host and an infrastructure device?

A. Lightweight Directory Access Protocol (LDAP)
B. Public-key cryptography
C. Remote Authentication Dial-In User Service (RADIUS)
D. Private-key cryptography