CISM1 (dragged) 3.pdf
IT Certification Guaranteed, The Easy Way!

A. Determine recovery priorities.
B. Define the recovery point objective (RPO).
C. Confirm control effectiveness.
D. Analyze vulnerabilities.
Answer: A
Explanation: The primary objective of a business impact analysis (BIA) is to determine recovery priorities. The BIA is used to identify and analyze the potential effects of an incident on the organization, including the financial impact, operational impact, and reputational impact. The BIA also helps to identify critical resources and processes, determine recovery objectives and strategies, and develop recovery plans.
Reference: Certified Information Security Manager (CISM) Study Manual, Chapter 4, Business Impact Analysis.

NO.79 Which of the following is MOST important to include in an information security status report for management?
A. List of recent security events
B. Key risk indicators (KRIs)
C. Review of information security policies
D. Information security budget requests
Answer: B
Explanation: Key risk indicators (KRIs) are the most useful to include in an information security status report for management because they measure and report the level of risk exposure or performance against predefined risk thresholds or targets, and alert management of any deviations or issues that may require attention or action. A list of recent security events is not very useful to include in an information security status report for management because it does not provide any analysis or evaluation of the events or their impact on the organization's objectives or performance. A review of information security policies is not very useful to include in an information security status report for management because it does not reflect any progress or results of implementing or enforcing the policies. Information security budget requests are not very useful to include in an information security status report for management because they do not indicate any value or benefit of investing in information security initiatives or controls.
Reference: https://www.isaca.org/resources/isacajournal/issues/2016/volume-6/how-to-measure-the-effectiveness-of-information-security-using-iso27004

NO.80 Which of the following is MOST important to have in place for an organization's information security program to be effective?
A. Documented information security processes
B. A comprehensive IT strategy
C. Senior management support
D. Defined and allocated budget
Answer: C
Explanation: Senior management support is the most important factor to have in place for an organization's information security program to be effective because it helps to establish the vision, direction, and goals of the program, as well as to allocate the necessary resources and authority to implement and maintain it. Senior management support also helps to foster a security culture within the organization, where security is seen as a shared responsibility and a business enabler. Senior management support also helps to ensure compliance with internal and external security policies and standards, as well as to communicate the value and impact of security to stakeholders. Therefore, senior management support is the correct answer.
Reference:
https://www.isaca.org/resources/isaca-journal/issues/2020/volume-6/key-performance-indicatorsfor-security-governance-part-1
https://www.ffiec.gov/press/PDF/FFIEC_IT_Handbook_Information_Security_Booklet.pdf
https://www.cdse.edu/Portals/124/Documents/student-guides/IF011guide.pdf?ver=UA7IDZRN_y066rLB8oAW_w%3d%3d

NO.81 Which of the following metrics is MOST appropriate for evaluating the incident notification process?
A. Average total cost of downtime per reported incident
B. Elapsed time between response and resolution
C. Average number of incidents per reporting period
D. Elapsed time between detection, reporting, and response
Answer: D
Explanation: Elapsed time between detection, reporting, and response is the most appropriate metric for evaluating the incident notification process because it measures how quickly and effectively the organization identifies, communicates, and responds to security incidents. The incident notification process is a critical part of the incident response plan that defines the roles and responsibilities, procedures, and channels for reporting and escalating security incidents to the relevant stakeholders. Elapsed time between detection, reporting, and response helps to assess the performance and efficiency of the incident notification process, as well as to identify any bottlenecks or delays that may affect the incident resolution and recovery. Therefore, elapsed time between detection, reporting, and response is the correct answer.
Reference:
https://www.atlassian.com/incident-management/kpis/common-metrics
https://securityscorecard.com/blog/how-to-use-incident-response-metrics/
https://www.cisa.gov/sites/default/files/publications/Incident-Response-Plan-Basics_508c.pdf

NO.82 Which of the following is the GREATEST value provided by a security information and event management (SIEM) system?
A. Maintaining a repository base of security policies
B. Measuring impact of exploits on business processes
C. Facilitating the monitoring of risk occurrences
D. Redirecting event logs to an alternate location for business continuity plan
Answer: C
Explanation: The greatest value provided by a Security Information and Event Management (SIEM) system is facilitating the monitoring of risk occurrences. SIEM systems collect, analyze and alert on security-related data from various sources such as firewall logs, intrusion detection/prevention systems, and system logs. This allows organizations to identify security threats in real time and respond quickly, helping to mitigate potential harm to their systems and data.

NO.83 Which of the following is the BEST technical defense against unauthorized access to a corporate network through social engineering?
A. Requiring challenge/response information
B. Requiring multi-factor authentication
C. Enforcing frequent password changes
D. Enforcing complex password formats
Answer: B
Explanation: Social engineering is a technique used by attackers to manipulate individuals into divulging sensitive information or performing actions that can compromise the security of an organization. Multi-factor authentication (MFA) is a security mechanism that requires users to provide at least two forms of authentication to verify their identity. By requiring MFA, even if an attacker successfully obtains a user's credentials through social engineering, they will not be able to access the network without the additional form of authentication.

NO.84 The PRIMARY objective of performing a post-incident review is to:
A. re-evaluate the impact of incidents.
B. identify vulnerabilities.
C. identify control improvements.
D. identify the root cause.
Answer: D
Explanation: The primary objective of performing a post-incident review is to identify the root cause of the incident. After an incident has occurred, the post-incident review process involves gathering and analyzing evidence to determine the cause of the incident. This analysis will help to identify both the underlying vulnerability that allowed the incident to occur, as well as any control improvements that should be implemented to prevent similar incidents from occurring in the future. Additionally, the post-incident review process can also be used to re-evaluate the impact of the incident, as well as any potential implications for the organization.

NO.85 An organization faces severe fines and penalties if not in compliance with local regulatory requirements by an established deadline. Senior management has asked the information security manager to prepare an action plan to achieve compliance. Which of the following would provide the MOST useful information for planning purposes?
A. Results from a business impact analysis (BIA)
B. Deadlines and penalties for noncompliance
C. Results from a gap analysis
D. An inventory of security controls currently in place
Answer: C
Explanation: Results from a gap analysis would provide the most useful information for planning purposes when preparing an action plan to achieve compliance with local regulatory requirements by an established deadline. A gap analysis is an assessment of the difference between an organization's current state of compliance and its desired level or standard. It is a process used to identify potential areas for improvement by comparing actual performance with expected performance. A gap analysis can help to prioritize the actions needed to close the gaps and comply with the regulatory requirements, as well as to estimate the resources and time required for each action [1]. The other options are not as useful as results from a gap analysis for planning purposes when preparing an action plan to achieve compliance with local regulatory requirements by an established deadline. Deadlines and penalties for noncompliance are important factors to consider, but they do not provide information on how to achieve compliance or what actions are needed [2]. Results from a business impact analysis (BIA) are useful for identifying the critical processes and assets that need to be protected, but they do not provide information on how to comply with the regulatory requirements or what actions are needed [3]. An inventory of security controls currently in place is useful for assessing the current state of compliance, but it does not provide information on how to comply with the regulatory requirements or what actions are needed [4].
Reference:
1: What is Gap Analysis in Compliance | Scytale
2: Compliance Gap Analysis & Effectiveness Evaluation | SMS
3: Business impact analysis (BIA) - Wikipedia
4: Gap Analysis & Risk Assessment - Riddle Compliance

NO.86 Which of the following is the BEST evidence of alignment between corporate and information security governance?
A. Security key performance indicators (KPIs)
B. Project resource optimization
C. Regular security policy reviews
D. Senior management sponsorship
Answer: D

NO.87 A multinational organization is required to follow governmental regulations with different security requirements at each of its operating locations. The chief information security officer (CISO) should be MOST concerned with:
A. developing a security program that meets global and regional requirements.
B. ensuring effective communication with local regulatory bodies.
C. using industry best practice to meet local legal regulatory requirements.
D. monitoring compliance with defined security policies and standards.
Answer: A
Explanation: In this scenario, the chief information security officer (CISO) should be most concerned with developing a security program that meets the global and regional requirements of the organization. This includes considering the different legal and regulatory requirements of each operating location, and designing a security program that meets all of these requirements. The CISO should also ensure effective communication with local regulatory bodies to ensure compliance and understanding of the security program. Additionally, the CISO should use industry best practices and defined security policies and standards to ensure the program meets all applicable requirements.

NO.88 In a call center, the BEST reason to conduct a social engineering test is to:
A. identify candidates for additional security training.
B. minimize the likelihood of successful attacks.
C. gain funding for information security initiatives.
D. improve password policy.
Answer: A
Explanation: The best reason to conduct a social engineering test in a call center is to identify candidates for additional security training because it helps to assess the level of awareness and skills of the call center staff in recognizing and resisting social engineering attacks, and provide them with the necessary training or education to improve their security posture. Minimizing the likelihood of successful attacks is not a reason to conduct a social engineering test, but rather a possible outcome or benefit of conducting such a test. Gaining funding for information security initiatives is not a reason to conduct a social engineering test, but rather a possible outcome or benefit of conducting such a test. Improving password policy is not a reason to conduct a social engineering test, but rather a possible outcome or benefit of conducting such a test.
Reference:
https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/the-value-of-penetrationtesting
https://www.isaca.org/resources/isaca-journal/issues/2016/volume-5/security-scanningversus-penetration-testing

NO.89 An information security team has discovered that users are sharing a login account to an application with sensitive information, in violation of the access policy. Business management indicates that the practice creates operational efficiencies. What is the information security manager's BEST course of action?
A. Enforce the policy.
B. Modify the policy.
C. Present the risk to senior management.
D. Create an exception for the deviation.
Answer: C

NO.90 Which of the following MUST be defined in order for an information security manager to evaluate the appropriateness of controls currently in place?
A. Security policy
B. Risk management framework
C. Risk appetite
D. Security standards
Answer: A

NO.91 A penetration test against an organization's external web application shows several vulnerabilities. Which of the following presents the GREATEST concern?
A. A rules of engagement form was not signed prior to the penetration test
B. Vulnerabilities were not found by internal tests
C. Vulnerabilities were caused by insufficient user acceptance testing (UAT)
D. Exploit code for one of the vulnerabilities is publicly available
Answer: D
Explanation: Exploit code for one of the vulnerabilities being publicly available presents the greatest concern because it means that anyone can easily exploit the vulnerability and compromise the web application. This increases the risk of data breach, denial of service, or other malicious attacks. Therefore, exploit code for one of the vulnerabilities is publicly available is the correct answer.
Reference:
https://www.imperva.com/learn/application-security/penetration-testing/
https://www.netspi.com/blog/technical/web-application-penetration-testing/are-you-testing-yourweb-application-for-vulnerabilities/

NO.92 Which of the following BEST ensures timely and reliable access to services?
A. Nonrepudiation
B. Authenticity
C. Availability
D. Recovery time objective (RTO)
Answer: C

NO.93 Which of the following is the BEST way to assess the risk associated with using a Software as a Service (SaaS) vendor?
A. Verify that information security requirements are included in the contract.
B. Request customer references from the vendor.
C. Require vendors to complete information security questionnaires.
D. Review the results of the vendor's independent control reports.
Answer: A

NO.94 Which of the following is the BEST defense-in-depth implementation for protecting high value assets or for handling environments that have trust concerns?
A. Compartmentalization
B. Overlapping redundancy
C. Continuous monitoring
D. Multi-factor authentication
Answer: A
Explanation: Compartmentalization is the best defense-in-depth implementation for protecting high value assets or for handling environments that have trust concerns because it is a strategy that divides the network or system into smaller segments or compartments, each with its own security policies, controls, and access rules. Compartmentalization helps to isolate and protect the most sensitive or critical data and functions from unauthorized or malicious access, as well as to limit the damage or impact of a breach or compromise. Compartmentalization also helps to enforce the principle of least privilege, which grants users or processes only the minimum access rights they need to perform their tasks. Therefore, compartmentalization is the correct answer.
Reference:
https://www.csoonline.com/article/3667476/defense-in-depth-explained-layering-tools-andprocesses-for-better-security.html
https://www.fortinet.com/resources/cyberglossary/defense-in-depth
https://sciencepublishinggroup.com/journal/paperinfo?journalid=542&doi=10.11648/j.ajai.20190302.11

NO.95 Which of the following is the BEST way to help ensure an organization's risk appetite will be considered as part of the risk treatment process?
A. Establish key risk indicators (KRIs).
B. Use quantitative risk assessment methods.
C. Provide regular reporting on risk treatment to senior management.
D. Require steering committee approval of risk treatment plans.
Answer: D

NO.96 Which of the following BEST indicates the effectiveness of a recent information security awareness campaign delivered across the organization?
A. Decrease in the number of security incidents
B. Increase in the frequency of security incident escalations
C. Reduction in the impact of security incidents
D. Increase in the number of reported security incidents
Answer: A

NO.97 Which of the following should be the PRIMARY consideration when developing an incident response plan?
A. The definition of an incident
B. Compliance with regulations
C. Management support
D. Previously reported incidents
Answer: B

NO.98 Which of the following MUST happen immediately following the identification of a malware incident?
A. Preparation
B. Recovery
C. Containment
D. Eradication
Answer: B

NO.99 The PRIMARY benefit of introducing a single point of administration in network monitoring is that it:
A. reduces unauthorized access to systems.
B. promotes efficiency in control of the environment.
C. prevents inconsistencies in information in the distributed environment.
D. allows administrative staff to make management decisions.
Answer: D

NO.100 Which of the following would MOST effectively ensure that a new server is appropriately secured?
A. Performing secure code reviews
B. Enforcing technical security standards
C. Conducting penetration testing
D. Initiating security scanning
Answer: B
Explanation: Enforcing technical security standards is the most effective way to ensure that a new server is appropriately secured because it ensures that the server complies with the organization's security policies and best practices, such as encryption, authentication, patching, and hardening. Performing secure code reviews is not relevant for securing a new server, unless it is running custom applications that need to be verified for security flaws. Conducting penetration testing is not sufficient for securing a new server, because it only identifies vulnerabilities that can be exploited by attackers, but does not fix them. Initiating security scanning is not sufficient for securing a new server, because it only detects known vulnerabilities or misconfigurations, but does not enforce security standards or remediate issues.
Reference:
https://www.isaca.org/resources/isaca-journal/issues/2016/volume4/technical-security-standards-for-information-systems
https://www.isaca.org/resources/isacajournal/issues/2017/volume-3/secure-code-review
https://www.isaca.org/resources/isacajournal/issues/2017/volume-2/the-value-of-penetration-testing
https://www.isaca.org/resources/isaca-journal/issues/2016/volume-5/security-scanning-versuspenetration-testing

NO.101 The PRIMARY reason to create and externally store the disk hash value when performing forensic data acquisition from a hard disk is to:
A. validate the confidentiality during analysis.
B. reinstate original data when accidental changes occur.
C. validate the integrity during analysis.
D. provide backup in case of media failure.
Answer: C
Explanation: The main purpose of creating and storing an external disk hash value when performing forensic data acquisition from a hard disk is to validate the integrity of the data during the analysis. This is done by comparing the original hash value of the disk to the hash value created during the acquisition process, which can be used to ensure that the data has not been tampered with or corrupted in any way. Additionally, by creating a hash value of the disk, it can be used to quickly verify the integrity of any data that is accessed from the disk in the future.

NO.102 After a recovery from a successful malware attack, instances of the malware continue to be discovered. Which phase of incident response was not successful?
A. Eradication
B. Recovery
C. Lessons learned review
D. Incident declaration
Answer: A
Explanation: Eradication is the phase of incident response where the incident team removes the threat from the affected systems and restores them to a secure state. If this phase is not successful, the malware may persist or reappear on the systems, causing further damage or compromise. Therefore, eradication is the correct answer.
Reference:
https://www.securitymetrics.com/blog/6-phases-incident-response-plan
https://www.atlassian.com/incident-management/incident-response
https://eccouncil.org/cybersecurity-exchange/incident-handling/what-is-incident-response-life-cycle/

NO.103 A cloud application used by an organization is found to have a serious vulnerability. After assessing the risk, which of the following would be the information security manager's BEST course of action?
A. Instruct the vendor to conduct penetration testing.
B. Suspend the connection to the application in the firewall.
C. Report the situation to the business owner of the application.
D. Initiate the organization's incident response process.
Answer: C

NO.104 Which of the following is the BEST indication of an effective information security awareness training program?
A. An increase in the frequency of phishing tests
B. An increase in positive user feedback
C. An increase in the speed of incident resolution
D. An increase in the identification rate during phishing simulations
Answer: D

NO.105 Of the following, whose input is of GREATEST importance in the development of an information security strategy?
A. Process owners
B. End users
C. Security architects
D. Corporate auditors
Answer: A

NO.106 Which of the following is the BEST way to monitor for advanced persistent threats (APT) in an organization?
A. Network with peers in the industry to share information.
B. Browse the Internet to learn of potential events.
C. Search for anomalies in the environment.
D. Search for threat signatures in the environment.
Answer: C
Explanation: An advanced persistent threat (APT) is a stealthy and sophisticated attack that aims to compromise and maintain access to a target network or system over a long period of time, often for espionage or sabotage purposes. APTs are difficult to detect by conventional security tools, such as antivirus or firewalls, that rely on signatures or rules to identify threats. Therefore, the best way to monitor for APTs is to search for anomalies in the environment, such as unusual network traffic, user behavior, file activity, or system configuration changes, that may indicate a compromise or an ongoing attack.
Reference:
https://www.isaca.org/credentialing/cism
https://www.nist.gov/publications/information-security-handbook-guide-managers

NO.107 Which of the following is MOST important to consider when determining asset valuation?
A. Asset recovery cost
B. Asset classification level
C. Cost of insurance premiums
D. Potential business loss
Answer: D

NO.108 Which of the following should be the FIRST step in developing an information security strategy?
A. Perform a gap analysis based on the current state.
B. Create a roadmap to identify security baselines and controls.
C. Identify key stakeholders to champion information security.
D. Determine acceptable levels of information security risk.
Answer: A
Explanation: The first step in developing an information security strategy is to conduct a risk-aware and comprehensive inventory of your company's context, including all digital assets, employees, and vendors. Then you need to know about the threat environment and which types of attacks are a threat to your company [1]. This is similar to performing a gap analysis based on the current state [3].

NO.109 What should be an information security manager's MOST important consideration when developing a multi-year plan?
A. Ensuring contingency plans are in place for potential information security risks
B. Ensuring alignment with the plans of other business units
C. Allowing the information security program to expand its capabilities
D. Demonstrating projected budget increases year after year
Answer: B

NO.110 In the context of developing an information security strategy, which of the following provides the MOST useful input to determine the or
A. Security budget
B. Risk register
C. Risk score
D. Laws and regulations
Answer: D
Explanation: Laws and regulations provide the most useful input to determine the organization's information security strategy because they define the legal and compliance requirements and obligations that the organization must adhere to, and guide the development and implementation of the security policies and controls that support them. The security budget is not a useful input to determine the organization's information security strategy because it does not reflect the organization's security needs or goals, but rather a resource to enable the security activities and initiatives. The risk register is not a useful input to determine the organization's information security strategy because it does not reflect the organization's security vision or mission, but rather a tool to identify and manage the security risks. The risk score is not a useful input to determine the organization's information security strategy because it does not reflect the organization's security priorities or objectives, but rather a measure of the level of risk exposure or performance.
Reference:
https://www.isaca.org/resources/isacajournal/issues/2016/volume-4/technical-security-standards-for-information-systems
https://www.isaca.org/resources/isaca-journal/issues/2017/volume-2/how-to-align-securityinitiatives-with-business-goals-and-objectives

NO.111 An information security manager believes that information has been classified inappropriately, = the risk of a breach. Which of the following is the information security manager's BEST action?
A. Refer the issue to internal audit for a recommendation.
B. Re-classify the data and increase the security level to meet business risk.
C. Instruct the relevant system owners to reclassify the data.
D. Complete a risk assessment and refer the results to the data owners.
Answer: D

NO.112 Which of the following should an information security manager do FIRST after a new cybersecurity regulation has been introduced?
A. Conduct a cost-benefit analysis.
B. Consult corporate legal counsel.
C. Update the information security policy.
D. Perform a gap analysis.
Answer: D
Explanation: When a new cybersecurity regulation has been introduced, an information security manager should first consult corporate legal counsel to understand the scope, applicability, and implications of the regulation for the organization. Legal counsel can also advise on the compliance obligations and deadlines, as well as the potential penalties or sanctions for non-compliance. Based on this information, the information security manager can then perform a gap analysis to assess the current state of compliance and identify any areas that need improvement. The information security policy can then be updated accordingly to reflect the new regulatory requirements.
Reference:
https://www.isaca.org/credentialing/cism
https://www.wiley.com/enus/CISM+Certified+Information+Security+Manager+Study+Guide-p-9781119801948

NO.113 Which of the following is the BEST justification for making a revision to a password policy?
A. Vendor recommendation
B. Audit recommendation
C. A risk assessment
D. Industry best practice
Answer: C
Explanation: The best justification for making a revision to a password policy is a risk assessment. A risk assessment is a process of identifying, analyzing, and evaluating the potential threats and vulnerabilities that may affect the confidentiality, integrity, and availability of information assets and systems. By conducting a risk assessment, the organization can determine the appropriate level of security controls and measures to protect its information assets and systems, including password policies. A risk assessment can also help identify any gaps or weaknesses in the existing password policy, and provide recommendations for improvement based on the organization's risk appetite and tolerance. The other options are not the best justification for making a revision to a password policy, although they may be inputs or outputs of the risk assessment process. A vendor recommendation is an external source of advice or guidance that may or may not be relevant or applicable to the organization's specific context and needs. A vendor recommendation should not be followed blindly without conducting a risk assessment to evaluate its suitability and effectiveness. An audit recommendation is an internal source of feedback or suggestion that may or may not be accurate or complete. An audit recommendation should not be implemented without conducting a risk assessment to verify its validity and feasibility. An industry best practice is a general standard or guideline that may or may not reflect the organization's unique characteristics and requirements. An industry best practice should not be adopted without conducting a risk assessment to customize it according to the organization's goals and priorities.

NO.114 What is the PRIMARY objective of performing a vulnerability assessment following a business system update?
A. Determine operational losses.
B. Improve the change control process.
C. Update the threat landscape.
D. Review the effectiveness of controls.
Answer: D
Explanation: The primary objective of performing a vulnerability assessment following a business system update is to review the effectiveness of controls. A vulnerability assessment is a systematic review of security weaknesses in an information system. It evaluates if the system is susceptible to any known vulnerabilities, assigns severity levels to those vulnerabilities, and recommends remediation or mitigation, if and whenever needed [1]. A business system update is a process of modifying or enhancing an information system to improve its functionality, performance, security, or compatibility. A business system update may introduce new features, fix bugs, patch vulnerabilities, or comply with new standards or regulations [2]. Performing a vulnerability assessment following a business system update is important because it helps to:
* Review the effectiveness of controls that are implemented to protect the information system from threats and risks
* Identify any new or residual vulnerabilities that may have been introduced or exposed by the update
* Evaluate the impact and likelihood of potential incidents that may exploit the vulnerabilities
* Prioritize and implement appropriate actions to address the vulnerabilities
* Verify and validate the security posture and compliance of the updated information system
Therefore, the primary objective of performing a vulnerability assessment following a business system update is to review the effectiveness of controls that are designed to ensure the confidentiality, integrity, and availability of the information system and its data. The other options are not the primary objectives of performing a vulnerability assessment following a business system update. Determining operational losses is not an objective, but rather a possible consequence of not performing a vulnerability assessment or not addressing the identified vulnerabilities. Improving the change control process is not an objective, but rather a possible outcome of performing a vulnerability assessment and incorporating its results and recommendations into the change management cycle. Updating the threat landscape is not an objective, but rather a prerequisite for performing a vulnerability assessment that requires using up-to-date sources of threat intelligence and vulnerability information.
Reference:
1: Vulnerability Assessment - NIST
2: System Update - Techopedia
Vulnerability Assessment vs Penetration Testing - Imperva
Change Control Process - NIST
Threat Landscape - NIST

NO.115 Which of the following is the PRIMARY objective of incident triage?
A. Coordination of communications
B. Mitigation of vulnerabilities
C. Categorization of events
D. Containment of threats
Answer: C
Explanation: Incident triage is the process of quickly assessing an incident and determining its severity in order to prioritize the response. This involves categorizing the events based on their potential impact, which helps to determine the right response and the most effective use of resources. It also helps to identify potential threats and vulnerabilities, and to coordinate communications and response activities.

NO.116 Which of the following would be the BEST way for an information security manager to improve the effectiveness of an organization's information security program?
A. Focus on addressing conflicts between security and performance.
B. Collaborate with business and IT functions in determining controls.
C. Include information security requirements in the change control process.
D. Obtain assistance from IT to implement automated security controls.
Answer: B

NO.117 Which of the following is the GREATEST challenge with assessing emerging risk in an organization?
A. Lack of a risk framework
B. Ineffective security controls
C. Presence of known vulnerabilities
D. Incomplete identification of threats
Answer: D
Explanation: