CASP+ Practice Tests. Nadean H. Tanner
Read the book CASP+ Practice Tests by Nadean H. Tanner online, page 11
41 You are brought in as a consultant to improve the security of business processes. You improve security by applying the proper controls, including transport encryption, interface restrictions, and code review. What else can you do to improve business processes now that you've already done all the technical improvements?
A. Modify the company security policies and procedures.
B. Meet with upper management to approve new company standards and a mission statement.
C. Conduct another technical quantitative risk analysis on all current controls.
D. Conduct a gap analysis and give a recommendation on nontechnical controls to be incorporated into company documentation.

42 Your bank's board of directors want to perform monthly security testing. As CISO, you must form a plan specifically for its development. This test must have a low risk of impacting system stability because the company is in production. The suggestion was made to outsource this to a third party. The board of directors argue that a third party will not be as knowledgeable as the development team. What will satisfy the board of directors?
A. Gray-box testing by a major consulting firm
B. Black-box testing by a major external consulting firm
C. Gray-box testing by the development and security assurance teams
D. White-box testing by the development and security assurance teams

43 A vendor of software deployed across your corporate network announced that an update is needed for a specific vulnerability. Your CIO wants to know the vulnerability time (Vt). When can you give them that information?
A. After the patch is downloaded and installed in the affected system or device
B. After the patch is released and available to the public
C. After the patch is created by the vendor
D. After the vulnerability is discovered

44 You have an accountant who refuses to take their required time off. You must institute a policy that will force people in critical financial areas of the organization to take time off. Which of the following standard security practices do you institute?
A. Separation of duties
B. Mandatory vacation
C. Forensic tasks
D. Termination procedures

45 A small insurance business implemented least privilege. Management is concerned that staff might accidentally aid in fraud with the customers. Which of the following addresses security concerns with this risk?
A. Policy
B. Job rotation
C. Separation of duties
D. Security awareness training

46 A corporation expanded their business by acquiring several similar businesses. What should the security team first undertake?
A. Development of an ISA and a risk analysis
B. Installation of firewalls between the businesses
C. Removal of unneeded assets and Internet access
D. Scan of the new networks for vulnerabilities

47 Your company began the process of evaluating different technologies for a technical security-focused project. You narrowed down the selection to three organizations from which you received RFIs. What is the next request that you will make of those three vendors?
A. RFQ
B. RFP
C. RFC
D. RFI

48 Your security team is small and must work economically to reduce risk. You do not have a lot of time to spend on reducing your attack surface. Which of the following might help reduce the time you spend on patching internal applications?
A. VPN
B. PaaS
C. IaaS
D. Terminal server

49 A competitor of your company was hacked, and the forensics show it was a social engineering phishing attack. What is the first thing you do to prevent this from happening at your company?
A. Educate all employees about social engineering risks and countermeasures.
B. Publish a new mission statement.
C. Implement IPSec on all critical systems.
D. Use encryption.

50 Many organizations prepare for highly technical attacks and forget about the simple low-tech means of gathering information. Dumpster diving can be useful in gaining access to unauthorized information. How should you reduce your company's dumpster-diving risk?
A. Data classification and printer restrictions of intellectual property.
B. Purchase shredders for the copy rooms.
C. Create policies and procedures for document shredding.
D. Employ an intern to shred all printed documentation.

51 Qualitative risk assessment is explained by which of the following?
A. Can be completed by someone with a limited understanding of risk assessment and is easy to implement
B. Must be completed by someone with expert understanding and uses detailed analysis for calculation
C. Is completed by subject-matter experts and is difficult to implement
D. Brings together SME with detailed metrics to handle a difficult implementation

52 What is the customary practice of responsible protection of an asset that affects an organization or community?
A. Due diligence
B. Risk mitigation
C. Insurance
D. Due care

53 Your global banking organization is acquiring a smaller local bank. As part of the security team, what will your risk assessment evaluate?
A. Threats to assets, vulnerabilities present, the likelihood of an active threat, the impact of exposure, and residual risk
B. Threats to assets, vulnerabilities present, the likelihood of a passive threat, the impact of exposure, and total risk
C. Threats to assets, vulnerabilities present, the likelihood of a passive threat, the impact of exposure on the acquired bank, and total risk
D. Threats to assets, vulnerabilities present, the likelihood of an active threat, the impact of exposure, and total inherent risk

54 During the risk analysis phase of planning, what would BEST mitigate and manage the effects of an incident?
A. Modifying the scenario the risk is based on
B. Developing an agenda for recovery
C. Choosing the members of the recovery team
D. Implementing procedural controls

55 You have been added to the team to conduct a business impact analysis (BIA). This BIA will identify:
A. The impact of vulnerabilities to your organization
B. How to best efficiently reduce threats
C. The exposure to loss within your organization
D. How to bring about change based on the impact on operations

56 You live and work in an area plagued by hurricanes. What BEST describes the effort you made to determine the consequence of a disruption due to this natural disaster?
A. Business impact analysis
B. Risk assessment
C. Table-top exercises
D. Mitigating control analysis

57 You are a consultant for a cybersecurity firm and have been tasked with quantifying risks associated with information technology when validating the abilities of new security controls and countermeasures. What is the BEST way to identify the risks?
A. Vulnerability management
B. Pentesting
C. Threat and risk assessment
D. Data reclassification

58 You are employed in a high-risk, geographically diverse production environment. Which of these options would be the BEST reason to deploy link encryption to reduce risk?
A. Link encryption provides better flow confidentiality and routing.
B. Link encryption encrypts routing information and is often used with satellite communication.
C. Link encryption is used for message confidentiality.
D. Link encryption is implemented for better traffic integrity.

59 Your manufacturing organization implemented a new vulnerability management tool. As the security analyst, you are tasked with creating a successful process for vulnerability assessment. What do you have to fully understand before assuming this task?
A. Threat definitions and identification
B. CVE and CVSS
C. Risk assessments and threat identification
D. Vulnerability appraisal and access review

60 Bob is conducting a risk assessment and wants to assign an asset value to the servers in the data center. The concern of his organization is to ensure there is a budget to rebuild in case of a natural disaster. What method should Bob use to evaluate the assets?
A. Depreciated cost
B. Purchase cost
C. Replacement cost
D. Conditional cost

61 Alice is responsible for PCI compliance for her organization. The policy requires she remove information from a database, but she cannot due to technical restrictions. She is pursuing a compensating control to mitigate the risk. What is her best option?
A. Insurance
B. Encryption
C. Deletion
D. Exceptions

62 Bob is a security risk manager with a global organization. The organization recently evaluated the risk of flash floods on its operations in several regions and determined that the cost of responding is expensive. The organization chooses to take no action currently. What was the risk management strategy deployed?
A. Risk mitigation
B. Risk acceptance
C. Risk avoidance
D. Risk transference
63 Greg is a