What is the MOST common component of a vulnerability management framework? A. Risk analysis B. Patch management C. Threat analysis D. Backup management
Asymmetric algorithms are used for which of the following when using Secure Sockets Layer/Transport Layer Security (SSL/TLS) for implementing network security? A. Peer authentication B. Payload data encryption C. Session encryption D. Hashing digest
Which of the following is the MOST important activity an organization performs to ensure that security is part of the overall organization culture? A. Perform formal reviews of security incidents. B. Work with senior management to meet business goals. C. Ensure security policies are issued to all employees. D. Manage a program of security audits.
What testing technique enables the designer to develop mitigation strategies for potential vulnerabilities? A. Manual inspections and reviews B. Penetration testing C. Threat modeling D. Source code review
Which of the following is true of Service Organization Control (SOC) reports? A. SOC 1 Type 2 reports assess the security, confidentiality, integrity, and availability of an organization’s controls B. SOC 2 Type 2 reports include information of interest to the service organization’s management C. SOC 2 Type 2 reports assess internal controls for financial reporting D. SOC 3 Type 2 reports assess internal controls for financial reporting
Continuity of operations is BEST supported by which of the following? A. Confidentiality, availability, and reliability B. Connectivity, reliability, and redundancy C. Connectivity, reliability, and recovery D. Confidentiality, integrity, and availability
Which of the following is the MOST important output from a mobile application threat modeling exercise according to Open Web Application Security Project (OWASP)? A. The likelihood and impact of a vulnerability B. Application interface entry and endpoints C. Countermeasures and mitigations for vulnerabilities D. A data flow diagram for the application and attack surface analysis
As users switch roles within an organization, their accounts are given additional permissions to perform the duties of their new position. After a recent audit, it was discovered that many of these accounts maintained their old permissions as well. The obsolete permissions identified by the audit have been remediated and accounts have only the appropriate permissions to complete their jobs.
Which of the following is the BEST way to prevent access privilege creep? A. Implementing Identity and Access Management (IAM) solution B. Time-based review and certification C. Internet audit D. Trigger-based review and certification
The design review for an application has been completed and is ready for release. What technique should an organization use to assure application integrity? A. Application authentication B. Input validation C. Digital signing D. Device encryption
Which one of the following is an advantage of an effective release control strategy from a configuration control standpoint? A. Ensures that a trace for all deliverables is maintained and auditable B. Enforces backward compatibility between releases C. Ensures that there is no loss of functionality between releases D. Allows for future enhancements to existing features
Correct Answer: C