- A CISO is asked to demonstrate that the information security program directly supports the organization's strategic objectives. Which artifact best establishes this linkage?
- An inventory of endpoint protection license counts
- A vulnerability scan report covering all internet-facing assets
- A list of firewall rules approved by the change advisory board
- A security strategy document that maps program initiatives to business goals and risk appetite
Correct answer: A security strategy document that maps program initiatives to business goals and risk appetite
Strategic alignment is demonstrated by a security strategy that explicitly maps initiatives to business goals and the organization's risk appetite. Operational artifacts like scans or rule sets do not establish governance-level alignment.
- A security manager wants to communicate program value to the board using a financial measure. Which metric most directly expresses the value of a security investment relative to expected loss reduction?
- Return on security investment (ROSI)
- Number of patches deployed per quarter
- Percentage of staff who completed phishing training
- Mean time to detect (MTTD)
Correct answer: Return on security investment (ROSI)
ROSI expresses the financial value of a control investment by comparing its cost to the reduction in expected annualized loss. The other metrics are operational or activity measures, not value measures.
- An organization is establishing a security governance committee. What is the primary purpose of this committee?
- To conduct penetration tests on production systems
- To perform daily monitoring of intrusion detection alerts
- To configure and maintain the SIEM platform
- To set security direction, approve policy, and ensure accountability across business units
Correct answer: To set security direction, approve policy, and ensure accountability across business units
A governance committee provides direction, approves policy, and enforces accountability at the enterprise level. Monitoring, tooling, and testing are operational functions, not governance responsibilities.
- When developing a security awareness program, which approach is most effective for sustaining behavioral change among employees?
- Posting the acceptable use policy on the intranet
- A single annual training session delivered to all staff
- Requiring employees to sign a confidentiality agreement at hire
- Continuous, role-tailored education reinforced by simulations and metrics
Correct answer: Continuous, role-tailored education reinforced by simulations and metrics
Sustained behavioral change requires continuous, role-relevant reinforcement supported by simulations and measurement. One-time training and passive policy posting produce limited lasting effect.
- A security manager must establish budget priorities. Which method best ensures resources are allocated to the areas of greatest organizational exposure?
- Allocating equal budget to every department
- Funding initiatives in the order requests arrive
- Spending the entire budget on the newest available technology
- Prioritizing investments based on a risk-ranked assessment of business impact
Correct answer: Prioritizing investments based on a risk-ranked assessment of business impact
Risk-ranked prioritization directs limited funding to the highest-impact exposures, aligning spend with business risk. Equal allocation, first-come ordering, and technology-chasing ignore relative risk.
- Which document defines the high-level mandatory rules and management intent for protecting information, from which standards and procedures derive?
- A network diagram
- A runbook
- A security policy
- A baseline configuration guide
Correct answer: A security policy
A security policy states management intent and mandatory rules at a high level; standards, baselines, and procedures derive from it. The other items are operational artifacts.
- A manager needs to demonstrate due care to regulators after a breach. Which evidence most strongly supports a due care claim?
- A press release describing the company's commitment to security
- A statement that no breaches had occurred previously
- Records showing reasonable, documented security measures were established and maintained
- An expensive security tool purchased after the breach
Correct answer: Records showing reasonable, documented security measures were established and maintained
Due care is demonstrated by documented evidence that reasonable protective measures were implemented and maintained over time. Post-incident purchases and public statements do not establish prior diligence.
- What is the most important reason for a security leader to obtain executive sponsorship for a new security program?
- It guarantees the program will pass external audits
- It eliminates the need for a written security policy
- It transfers all security liability to executives
- It provides authority, funding, and organizational buy-in necessary for enforcement
Correct answer: It provides authority, funding, and organizational buy-in necessary for enforcement
Executive sponsorship confers the authority, funding, and cultural buy-in required to enforce a program across the enterprise. It does not guarantee audit outcomes, replace policy, or transfer liability.
- A security manager is evaluating whether to build an internal SOC or use a managed service. Which factor is the most appropriate primary basis for the decision?
- The personal preference of the IT director
- A total-cost and capability analysis weighed against organizational risk and strategic needs
- Whichever option the largest competitor chose
- The vendor offering the lowest first-year price
Correct answer: A total-cost and capability analysis weighed against organizational risk and strategic needs
Make-or-buy decisions should rest on a total-cost and capability analysis aligned to organizational risk and strategy. Preference, imitation, and lowest price alone ignore long-term fit and risk.
- Which of the following best describes the role of a security steering committee in resolving conflicts between business units over security requirements?
- It escalates every disagreement directly to external auditors
- It allows each unit to set its own independent security rules
- It applies enterprise risk priorities and policy to arbitrate and align competing needs
- It defers all decisions to the most senior business unit leader
Correct answer: It applies enterprise risk priorities and policy to arbitrate and align competing needs
A steering committee uses enterprise risk priorities and policy to arbitrate conflicts so decisions serve the whole organization. Deference, fragmentation, and external escalation do not provide consistent governance.
- When establishing security metrics for executive reporting, which characteristic is most essential?
- The metrics should be highly technical to demonstrate expertise
- The metrics should be tied to business outcomes and decisions executives can act on
- The metrics should change format every reporting period
- The metrics should include every log event collected
Correct answer: The metrics should be tied to business outcomes and decisions executives can act on
Executive metrics must connect to business outcomes and support actionable decisions. Excessive technical detail, volatility, and raw event volume reduce usefulness at the leadership level.
- A new security manager finds that policies exist but are widely ignored. What is the most effective first step to improve compliance?
- Immediately terminate non-compliant employees
- Rewrite all policies in more technical language
- Assess root causes and secure management enforcement with clear accountability
- Remove the policies entirely to avoid liability
Correct answer: Assess root causes and secure management enforcement with clear accountability
Understanding why policies are ignored and securing management enforcement with accountability addresses the root cause of non-compliance. Punitive, cosmetic, or removal actions do not fix systemic adoption problems.
- Which approach best integrates security requirements into a new software development initiative from the outset?
- Relying on the development team's discretion without defined requirements
- Conducting a single penetration test just before release
- Embedding security activities and gates throughout the SDLC (security by design)
- Adding security controls only after the first production incident
Correct answer: Embedding security activities and gates throughout the SDLC (security by design)
Security by design embeds requirements, activities, and gates across every SDLC phase, catching issues early and cheaply. Late testing, reactive controls, and undefined expectations leave significant gaps.
- During the requirements phase of a system project, what is the primary security objective?
- To define and document security and compliance requirements that the system must meet
- To perform the final acceptance test
- To select the production hosting provider
- To write the source code securely
Correct answer: To define and document security and compliance requirements that the system must meet
The requirements phase is where security and compliance needs are defined and documented so they guide design and build. Coding, hosting selection, and acceptance testing occur in later phases.
- A security manager wants to ensure that changes to a production system do not introduce unmanaged risk. Which process most directly provides this assurance?
- Physical access badge audits
- Quarterly marketing reviews
- Configuration and change management with security review of changes
- Annual user awareness training
Correct answer: Configuration and change management with security review of changes
Change and configuration management with security review ensures modifications are assessed, approved, and tracked, preventing unmanaged risk. The other activities do not control system changes.
- What is the main security benefit of establishing secure configuration baselines for systems?
- They eliminate the need for patch management
- They remove the need for access controls
- They define a known, hardened starting state against which drift can be detected and corrected
- They guarantee zero vulnerabilities for the system's lifetime
Correct answer: They define a known, hardened starting state against which drift can be detected and corrected
Baselines define a hardened reference state, enabling detection and remediation of configuration drift. They do not replace patching or access controls, nor guarantee permanent freedom from vulnerabilities.
- When acquiring a third-party software product, which activity best manages supply chain security risk before deployment?
- Assuming the vendor's marketing claims about security are accurate
- Deploying immediately and monitoring for problems later
- Performing security due diligence including assessment of the vendor and the product's components
- Relying solely on the purchase contract's liability clause
Correct answer: Performing security due diligence including assessment of the vendor and the product's components
Supply chain risk is managed by performing due diligence on the vendor and the product's components before deployment. Trusting marketing, deploying blindly, or relying only on contractual clauses leaves risk unassessed.
- During system decommissioning, which security activity is most critical?
- Adding new user accounts for archival purposes
- Publishing the system's IP addresses publicly
- Increasing the system's processing capacity
- Sanitizing or destroying media and ensuring secure disposal of sensitive data
Correct answer: Sanitizing or destroying media and ensuring secure disposal of sensitive data
Secure media sanitization or destruction prevents residual sensitive data from being recovered after a system is retired. The other options either add risk or are irrelevant to disposal.
- A security manager is integrating security into an agile/DevOps environment. Which practice best fits this delivery model?
- Automating security testing within the CI/CD pipeline (shift-left)
- Reviewing only the final release manually
- Prohibiting all automation to maintain manual control
- Holding a single large security review at the end of the year
Correct answer: Automating security testing within the CI/CD pipeline (shift-left)
In DevOps, automating security testing within the CI/CD pipeline (shift-left) provides continuous assurance matching rapid release cadence. Periodic or end-only manual reviews cannot keep pace.
- Which document establishes the security responsibilities allocated between a cloud customer and the cloud provider?
- The provider's quarterly earnings report
- The shared responsibility model defined in the cloud service agreement
- A generic industry whitepaper unrelated to the contract
- The customer's internal org chart
Correct answer: The shared responsibility model defined in the cloud service agreement
The shared responsibility model in the service agreement defines which security duties belong to the provider versus the customer. Internal charts and unrelated documents do not allocate these responsibilities.
- What is the primary purpose of a certification and accreditation (authorization) process for a system before it goes live?
- To confirm marketing approval of the system's features
- To set the retail price of the system
- To assign the system a brand name
- To formally evaluate security controls and have an authorizing official accept residual risk
Correct answer: To formally evaluate security controls and have an authorizing official accept residual risk
Authorization formally evaluates implemented controls and records an authorizing official's acceptance of residual risk before operation. The other choices are unrelated to security authorization.
- When defining security requirements for outsourced development, which contractual element most directly enforces secure coding expectations?
- A clause about employee parking
- A clause stating the project's start date
- A clause specifying the developer's office location
- Defined security requirements, testing obligations, and right-to-audit provisions
Correct answer: Defined security requirements, testing obligations, and right-to-audit provisions
Contractual security requirements, testing obligations, and right-to-audit provisions enforce and verify secure development by the outsourced party. Logistical clauses do not address security.
- A security manager observes that vulnerabilities discovered late in development are far more costly to fix. What management practice most reduces this cost?
- Introducing threat modeling and security requirements early in the lifecycle
- Eliminating code reviews to speed delivery
- Deferring all security review until production
- Reducing the number of test environments
Correct answer: Introducing threat modeling and security requirements early in the lifecycle
Early threat modeling and requirements catch flaws when they are cheapest to remediate. Deferring review, cutting test environments, and skipping code reviews all increase late-stage cost and risk.
- Which activity best ensures that a system continues to meet its security requirements after deployment?
- A one-time review at go-live with no follow-up
- Continuous monitoring and periodic reassessment of controls
- Deleting all audit logs to save storage
- Removing the system from the asset inventory
Correct answer: Continuous monitoring and periodic reassessment of controls
Continuous monitoring and periodic reassessment confirm controls remain effective as threats and configurations evolve. The other options abandon ongoing assurance or actively reduce visibility.
- A security manager must calculate annualized loss expectancy (ALE) for a risk. Which formula is correct?
- ALE = SLE divided by exposure factor
- ALE = asset value multiplied by recovery time
- ALE = SLE multiplied by ARO
- ALE = ARO divided by SLE
Correct answer: ALE = SLE multiplied by ARO
ALE equals the single loss expectancy (SLE) multiplied by the annualized rate of occurrence (ARO). The other formulas do not represent annualized loss correctly.
- After analyzing a risk, leadership chooses to purchase cyber insurance to cover potential losses. Which risk treatment does this represent?
- Risk elimination
- Risk avoidance
- Risk acceptance
- Risk transfer
Correct answer: Risk transfer
Buying insurance shifts the financial consequence of a risk to a third party, which is risk transfer. Avoidance removes the activity, acceptance retains the risk, and elimination is not a standard treatment category.
- A residual risk remains after controls are applied and falls within the organization's defined tolerance. What is the most appropriate action?
- Implement every available control regardless of cost
- Formally document and have management accept the residual risk
- Ignore it and remove it from the risk register
- Transfer it even though it is within tolerance
Correct answer: Formally document and have management accept the residual risk
When residual risk falls within tolerance, the appropriate action is formal, documented management acceptance. Over-controlling, ignoring, or unnecessary transfer wastes resources or hides the decision.
- Which describes the primary difference between qualitative and quantitative risk analysis?
- Qualitative uses descriptive ratings; quantitative uses numeric and monetary values
- Neither can be used for prioritization
- Both produce identical monetary outputs
- Qualitative uses numeric monetary values; quantitative uses descriptive ratings
Correct answer: Qualitative uses descriptive ratings; quantitative uses numeric and monetary values
Qualitative analysis uses descriptive scales such as high/medium/low, while quantitative analysis assigns numeric and monetary values. Both can support prioritization, contrary to the option stating that neither can.
- What is the main purpose of maintaining a risk register?
- To record physical asset purchase prices for accounting
- To list approved software vendors only
- To track identified risks, their treatment status, and ownership over time
- To store employee performance reviews
Correct answer: To track identified risks, their treatment status, and ownership over time
A risk register centrally tracks identified risks, their treatment decisions, status, and owners, supporting ongoing governance. It is not an HR, procurement, or accounting tool.
- An organization wants to prioritize remediation among many findings. Which factor combination best supports risk-based prioritization?
- Likelihood of exploitation combined with business impact
- Alphabetical order of the affected systems
- The vendor that reported the finding
- The age of the hardware only
Correct answer: Likelihood of exploitation combined with business impact
Risk-based prioritization weighs likelihood of exploitation against business impact to focus effort where it matters most. Alphabetical order, hardware age alone, and reporter identity are not risk measures.
- A security manager is selecting a risk management framework to structure the program. Which framework is specifically designed to guide information security risk management processes?
- ITIL incident pricing model
- OSHA workplace safety standard
- GAAP accounting standards
- ISO/IEC 27005 (or NIST SP 800-37)
Correct answer: ISO/IEC 27005 (or NIST SP 800-37)
ISO/IEC 27005 and NIST SP 800-37 are recognized frameworks for managing information security risk. GAAP, OSHA, and pricing models address other disciplines.
- What is the most accurate definition of risk appetite?
- The amount and type of risk an organization is willing to pursue or retain to meet its objectives
- The total budget allocated to the security team
- The number of incidents reported last year
- The maximum number of vulnerabilities allowed per server
Correct answer: The amount and type of risk an organization is willing to pursue or retain to meet its objectives
Risk appetite is the amount and type of risk leadership is willing to pursue or retain in pursuit of objectives. It is a strategic statement, not a count, budget, or technical threshold.
- When a third-party vendor will process sensitive data, which assessment best informs the associated risk decision?
- The number of years the vendor has had a website
- A review of the vendor's logo design
- The vendor's social media follower count
- A third-party risk assessment of the vendor's security controls and compliance posture
Correct answer: A third-party risk assessment of the vendor's security controls and compliance posture
A structured third-party risk assessment of the vendor's controls and compliance posture informs the risk decision. Branding and popularity metrics do not measure security risk.
- A control reduces the likelihood that a threat will successfully exploit a vulnerability. This type of control is best classified as which?
- A corrective control
- A preventive control
- A compensating control by definition
- A recovery control
Correct answer: A preventive control
A control that reduces the likelihood of successful exploitation acts before the event and is preventive. Corrective and recovery controls act after an event, and compensating is a deployment context rather than a function.
- Why should risk assessments be performed periodically rather than only once?
- Because periodic assessment eliminates all residual risk
- Because regulators forbid using prior assessment data
- Because assets, threats, and the environment change over time
- Because risk never changes after the first assessment
Correct answer: Because assets, threats, and the environment change over time
Risk is dynamic because assets, threats, vulnerabilities, and business context evolve, so assessments must be repeated. The other statements are factually incorrect.
- A security manager wants to express the maximum tolerable loss from a single event to guide control investment. Which concept does this represent?
- Mean time between failures
- Service availability percentage
- Single loss expectancy threshold tied to risk tolerance
- Total cost of ownership
Correct answer: Single loss expectancy threshold tied to risk tolerance
Defining the maximum tolerable loss from one event relates single loss expectancy to the organization's risk tolerance, guiding control spend. The other metrics measure reliability, cost, or uptime, not loss tolerance.
- An organization accepts a high risk because no cost-effective control exists and the activity is essential. What must accompany this decision to be defensible?
- Formal documentation, an accountable owner, and management sign-off
- Deletion of the risk from all records
- Immediate disclosure to all competitors
- Nothing; acceptance requires no documentation
Correct answer: Formal documentation, an accountable owner, and management sign-off
Defensible risk acceptance requires formal documentation, a named accountable owner, and explicit management approval. Undocumented acceptance, public disclosure, or record deletion would undermine accountability.
- What is the primary purpose of a threat intelligence program within a security management function?
- To generate marketing material for the security team
- To replace the need for any detective controls
- To provide actionable insight about adversaries that informs defensive decisions
- To eliminate the requirement for incident response planning
Correct answer: To provide actionable insight about adversaries that informs defensive decisions
Threat intelligence delivers actionable insight about adversary capabilities and intent to inform defensive priorities and decisions. It supplements, rather than replaces, detective controls and incident response.
- Which describes strategic threat intelligence as opposed to tactical intelligence?
- Specific indicators of compromise such as malicious IP addresses
- Real-time firewall block lists
- Individual malware hash values
- High-level analysis of adversary trends and risks that informs leadership and long-term planning
Correct answer: High-level analysis of adversary trends and risks that informs leadership and long-term planning
Strategic intelligence provides high-level analysis of threat trends and risks to guide leadership and long-term planning. Indicators, block lists, and hashes are tactical or operational artifacts.
- In an incident response plan, what is the primary objective of the containment phase?
- To limit the scope and prevent further damage from the incident
- To restore systems to full production immediately
- To assign blame to responsible employees
- To permanently delete all affected systems
Correct answer: To limit the scope and prevent further damage from the incident
Containment aims to limit the incident's scope and prevent additional damage while investigation and eradication proceed. Restoration, attribution of blame, and indiscriminate deletion are not the containment objective.
- Which sequence correctly reflects the typical incident response lifecycle?
- Recovery, containment, preparation, detection, eradication
- Eradication, preparation, detection, recovery, containment
- Preparation, detection and analysis, containment, eradication, recovery, post-incident activity
- Detection, recovery, preparation, eradication, containment
Correct answer: Preparation, detection and analysis, containment, eradication, recovery, post-incident activity
The standard lifecycle proceeds from preparation, to detection and analysis, containment, eradication, recovery, and post-incident lessons learned. The other sequences are out of order.
- Why is a post-incident review (lessons learned) a critical management activity?
- It is only needed when an incident reaches the media
- It identifies improvements to controls and processes to reduce future incident likelihood and impact
- It replaces the need for documented procedures
- It assigns punishment to the response team
Correct answer: It identifies improvements to controls and processes to reduce future incident likelihood and impact
A post-incident review captures lessons that drive improvements to controls and processes, strengthening future resilience. It is not a punitive exercise, nor limited to publicized incidents.
- A security manager must decide when to escalate an incident to executive leadership and legal counsel. Which factor most appropriately triggers escalation?
- Routine completion of a daily backup
- A single failed login on a test account
- Potential regulatory, legal, or significant business impact from the incident
- Any change to a desktop wallpaper
Correct answer: Potential regulatory, legal, or significant business impact from the incident
Escalation is warranted when an incident carries potential regulatory, legal, or material business impact, since leadership and counsel must be engaged. Routine or trivial events do not meet escalation thresholds.
- What is the main purpose of preserving the chain of custody for digital evidence during incident handling?
- To maintain the integrity and admissibility of evidence for potential legal proceedings
- To speed up system restoration
- To reduce storage costs
- To allow anyone to modify the evidence freely
Correct answer: To maintain the integrity and admissibility of evidence for potential legal proceedings
Chain of custody documents who handled evidence and how, preserving its integrity and admissibility in legal proceedings. It is unrelated to restoration speed or storage cost and forbids uncontrolled modification.
- An organization wants to proactively search for adversaries already present in its environment that evaded automated detection. Which activity describes this?
- Patch management
- License auditing
- Threat hunting
- Capacity planning
Correct answer: Threat hunting
Threat hunting is the proactive, hypothesis-driven search for adversaries that bypassed automated detection. Patching, capacity planning, and license auditing serve other purposes.
- Which establishes predefined criteria for classifying incidents by severity so that response efforts are appropriately scaled?
- A vendor pricing matrix
- A facilities maintenance schedule
- A marketing communications calendar
- An incident severity and prioritization scheme
Correct answer: An incident severity and prioritization scheme
An incident severity and prioritization scheme defines criteria for ranking incidents so resources scale to impact and urgency. The other options are unrelated business artifacts.
- When sharing threat intelligence with external partners, which framework helps standardize the meaning of sensitivity and handling of shared information?
- A generic project Gantt chart
- The OSI seven-layer model
- The Traffic Light Protocol (TLP)
- The CIA triad alone
Correct answer: The Traffic Light Protocol (TLP)
The Traffic Light Protocol standardizes how the sensitivity and permitted distribution of shared intelligence are communicated. The OSI model, CIA triad, and Gantt charts do not govern information-sharing handling.
- Why should an incident response plan define roles and responsibilities in advance?
- To eliminate the need for any communication during an incident
- So that responders act quickly and coordinate effectively under pressure without confusion
- So that the plan can be sold to other organizations
- To increase the number of approval signatures required during an incident
Correct answer: So that responders act quickly and coordinate effectively under pressure without confusion
Predefined roles enable fast, coordinated action during the stress of an incident, reducing confusion and delay. Adding approvals or removing communication would impair response.
- A SOC analyst correlates internal alerts with external indicators to enrich an investigation. This use of threat intelligence is best categorized as which type?
- Marketing intelligence
- Financial audit intelligence
- Strategic intelligence for the board
- Operational and tactical intelligence
Correct answer: Operational and tactical intelligence
Correlating alerts with indicators to support active investigations is operational and tactical intelligence. Strategic intelligence targets leadership planning, and the other categories are unrelated.
- What is the primary purpose of conducting a Business Impact Analysis (BIA)?
- To select the cheapest backup vendor
- To configure the production firewall
- To identify critical processes and quantify the impact of their disruption over time
- To draft employee job descriptions
Correct answer: To identify critical processes and quantify the impact of their disruption over time
A BIA identifies critical business processes and quantifies the impact of disruption over time, forming the foundation for continuity planning. Vendor selection, firewall configuration, and HR tasks are not its purpose.
- Which metric defines the maximum acceptable amount of data loss measured in time?
- Maximum Tolerable Downtime (MTD)
- Recovery Time Objective (RTO)
- Mean Time To Repair (MTTR)
- Recovery Point Objective (RPO)
Correct answer: Recovery Point Objective (RPO)
RPO defines the maximum acceptable data loss expressed as a point in time to which data must be recoverable. RTO and MTD address downtime duration, while MTTR measures repair time.
- An organization needs the fastest possible recovery and is willing to pay a premium for a fully equipped, continuously updated alternate site. Which site type fits?
- Mobile site with no equipment
- Warm site
- Cold site
- Hot site
Correct answer: Hot site
A hot site is fully equipped and kept current, enabling near-immediate recovery at higher cost. Cold and warm sites require more setup time, and an unequipped mobile site provides no rapid recovery.
- Why is regular testing of the disaster recovery plan essential?
- Testing is only required after an actual disaster occurs
- Testing is unnecessary if the plan is well written
- Testing should be avoided to prevent disruption
- Testing validates that the plan works, reveals gaps, and keeps staff prepared
Correct answer: Testing validates that the plan works, reveals gaps, and keeps staff prepared
Regular testing validates plan effectiveness, exposes gaps, and maintains staff readiness before a real event. A well-written but untested plan provides no proven assurance.
- Which test method walks participants through the continuity plan in a discussion-based scenario without affecting production systems?
- Full interruption test
- Tabletop exercise
- Failover to the hot site
- Parallel test
Correct answer: Tabletop exercise
A tabletop exercise is a discussion-based walkthrough of the plan that does not disturb production systems. Full interruption tests, parallel tests, and live failover to a hot site all involve actual systems.
- What is the relationship between the Recovery Time Objective (RTO) and the Maximum Tolerable Downtime (MTD)?
- RTO must be equal to or less than MTD
- RTO and MTD are unrelated concepts
- MTD must always be zero
- RTO must be longer than MTD
Correct answer: RTO must be equal to or less than MTD
RTO must be equal to or less than the MTD; recovery must complete before downtime becomes intolerable to the business. An RTO exceeding MTD would mean unacceptable disruption.
- During continuity planning, what is the main purpose of identifying critical dependencies (such as suppliers and infrastructure)?
- To eliminate the need for a BIA
- To reduce the security budget
- To ensure recovery strategies account for everything a critical process needs to operate
- To increase the number of vendors for marketing reasons
Correct answer: To ensure recovery strategies account for everything a critical process needs to operate
Identifying dependencies ensures recovery strategies address every resource a critical process relies on, preventing overlooked single points of failure. It complements rather than replaces the BIA.
- A continuity strategy must balance recovery capability against cost. Which principle should guide the level of investment in recovery capabilities?
- Spend the minimum regardless of process criticality
- Invest equally in all processes ignoring impact
- Align recovery investment with the criticality and impact established in the BIA
- Always choose the most expensive recovery option available
Correct answer: Align recovery investment with the criticality and impact established in the BIA
Recovery investment should be proportional to the criticality and impact identified in the BIA, ensuring resources match business need. Maximum, minimum, or equal spending ignores relative criticality.
- What distinguishes a business continuity plan (BCP) from a disaster recovery plan (DRP)?
- DRP addresses the whole business; BCP addresses only printers
- They are identical and interchangeable terms
- BCP focuses on sustaining critical business functions; DRP focuses on restoring IT systems and infrastructure
- BCP only covers IT; DRP only covers marketing
Correct answer: BCP focuses on sustaining critical business functions; DRP focuses on restoring IT systems and infrastructure
The BCP focuses on keeping critical business functions operating, while the DRP focuses specifically on restoring IT systems and infrastructure. They are complementary but distinct.
- After a disaster recovery test, what is the most important management follow-up activity?
- Discarding the test results
- Reducing the testing frequency permanently
- Archiving the plan without review
- Updating the plan to address identified gaps and re-testing as needed
Correct answer: Updating the plan to address identified gaps and re-testing as needed
Test findings should drive plan updates that close identified gaps, followed by re-testing to confirm improvements. Archiving, discarding, or reducing rigor abandons the value of the exercise.
- Which factor most directly determines how frequently data backups should be performed?
- The CEO's personal schedule
- The organization's Recovery Point Objective (RPO)
- The brand of the backup hardware
- The color of the server room walls
Correct answer: The organization's Recovery Point Objective (RPO)
Backup frequency is driven by the RPO, since backups must occur often enough to stay within acceptable data loss limits. Hardware brand and the other listed factors have no bearing on backup cadence.
- Why should senior management formally approve and sponsor the business continuity program?
- To provide authority, resources, and organizational commitment necessary for effective continuity
- To transfer all continuity duties to the IT help desk
- To avoid having to fund the program
- To make the program optional for all departments
Correct answer: To provide authority, resources, and organizational commitment necessary for effective continuity
Senior management sponsorship supplies the authority, resources, and enterprise commitment needed for an effective continuity program. It does not eliminate funding needs or make participation optional.
- Which type of law involves disputes between individuals or organizations, typically resulting in monetary damages rather than imprisonment?
- Constitutional law
- Administrative law
- Criminal law
- Civil (tort) law
Correct answer: Civil (tort) law
Civil or tort law governs disputes between parties and generally results in monetary damages, not imprisonment. Criminal law involves punishment by the state, and administrative and constitutional law address other domains.
- Under the ISC2 Code of Ethics, which canon takes precedence when canons appear to conflict?
- Advance and protect the profession
- Act honorably for individual clients only
- Protect society, the common good, necessary public trust and confidence, and the infrastructure
- Provide diligent service to employers exclusively
Correct answer: Protect society, the common good, necessary public trust and confidence, and the infrastructure
The ISC2 canons are applied in order, and protecting society and the public infrastructure is the first and highest-priority canon. The remaining canons follow it in precedence.
- An organization processes personal data of EU residents. Which regulation primarily governs its data protection obligations?
Correct answer: GDPR
The General Data Protection Regulation (GDPR) governs protection of personal data of EU residents. HIPAA covers US health data, SOX covers financial reporting, and PCI DSS is a payment-card standard.
- What is the primary purpose of a compliance management program?
- To guarantee the organization will never be audited
- To replace the need for a security policy
- To ensure the organization systematically meets applicable legal, regulatory, and contractual requirements
- To increase the marketing budget
Correct answer: To ensure the organization systematically meets applicable legal, regulatory, and contractual requirements
A compliance program ensures the organization systematically identifies and meets its legal, regulatory, and contractual obligations. It does not prevent audits, replace policy, or relate to marketing.
- Which best describes intellectual property protection provided by a patent?
- Protection of original creative works such as books
- Protection of confidential business information kept secret
- Exclusive rights to an invention for a limited period in exchange for public disclosure
- Protection of brand names and logos
Correct answer: Exclusive rights to an invention for a limited period in exchange for public disclosure
A patent grants exclusive rights to an invention for a limited time in exchange for public disclosure. Trademarks protect brands, trade secrets protect confidential information, and copyrights protect creative works.
- A security manager must ensure evidence collected during an investigation will be admissible in court. Which principle is most important?
- Allowing any employee to handle the evidence
- Following lawful, documented procedures that preserve integrity and chain of custody
- Modifying evidence to make it clearer
- Collecting evidence quickly regardless of method
Correct answer: Following lawful, documented procedures that preserve integrity and chain of custody
Admissibility depends on lawful, documented collection that preserves evidence integrity and chain of custody. Hasty, uncontrolled, or altered handling can render evidence inadmissible.
- Which type of intellectual property protects confidential, commercially valuable information that derives value from not being publicly known?
- Trade secret
- Trademark
- Copyright
- Patent
Correct answer: Trade secret
A trade secret protects confidential information that has commercial value precisely because it is not publicly known and is subject to reasonable secrecy measures. The other categories protect brands, creative works, or disclosed inventions.
- When an organization operates across multiple countries, which challenge most complicates data protection compliance?
- Differing and sometimes conflicting national privacy and data transfer laws
- There are no privacy laws outside the home country
- Privacy laws never apply to multinational companies
- All countries share one identical privacy law
Correct answer: Differing and sometimes conflicting national privacy and data transfer laws
Multinational operations face differing and sometimes conflicting national privacy and cross-border data transfer laws, complicating compliance. The other statements misrepresent the legal landscape.
- What is the main purpose of a records retention and destruction policy?
- To store records only on personal devices
- To allow employees to delete records at will
- To define how long records are kept and when they are securely destroyed, balancing legal and business needs
- To keep all data forever to be safe
Correct answer: To define how long records are kept and when they are securely destroyed, balancing legal and business needs
A retention and destruction policy defines required retention periods and secure disposal timing, balancing legal, regulatory, and business needs. Keeping everything forever or ad hoc deletion creates legal and risk exposure.
- A security manager learns of a legal hold related to pending litigation. What must happen to relevant records?
- Their routine destruction must be suspended and the records preserved
- They must be deleted immediately to save space
- They should be moved off-site and forgotten
- They can be edited to remove sensitive details
Correct answer: Their routine destruction must be suspended and the records preserved
A legal hold requires suspending routine destruction and preserving relevant records for litigation. Deleting, editing, or abandoning them could constitute spoliation of evidence.
- Which standard is specifically focused on protecting cardholder data in payment processing environments?
Correct answer: PCI DSS
PCI DSS sets requirements specifically for protecting cardholder data in payment environments. ISO 9001 addresses quality management, FISMA covers US federal systems, and GDPR addresses EU personal data.
- An employee reports being asked by a manager to falsify a compliance report. Under professional ethics, what is the most appropriate action for a certified professional?
- Ignore the request without addressing it
- Decline to act dishonestly and report the matter through appropriate channels
- Comply silently to protect their job
- Falsify the report but keep private notes
Correct answer: Decline to act dishonestly and report the matter through appropriate channels
Professional ethics require acting honestly and legally; the professional should refuse to falsify records and escalate through appropriate channels. Complying, secretly falsifying, or ignoring the request all violate ethical obligations.
- A security leader is asked to align the security organization's structure with the business. Which organizational design principle best supports clear accountability?
- Having all employees report directly to the CEO
- Rotating responsibilities daily without documentation
- Defining clear roles, reporting lines, and segregation of duties
- Leaving reporting lines undefined to encourage flexibility
Correct answer: Defining clear roles, reporting lines, and segregation of duties
Clear roles, reporting lines, and segregation of duties create accountability and reduce conflicts of interest. Undefined or undocumented structures and excessive centralization undermine clarity.
- Which best describes the purpose of a security awareness, training, and education hierarchy?
- Awareness changes attitudes, training builds skills, and education provides deeper understanding for decision-makers
- All three terms mean exactly the same thing
- Education is for new hires only and training is for executives only
- Awareness is more advanced than education
Correct answer: Awareness changes attitudes, training builds skills, and education provides deeper understanding for decision-makers
Awareness shapes attitudes and focus, training develops specific skills, and education builds the deeper understanding needed by professionals and leaders. The terms represent distinct, escalating levels.
- A vendor contract is being negotiated for a critical service. Which clause most directly protects the organization's ability to verify the vendor's security posture over time?
- A clause limiting the contract to one fiscal year
- A clause about office holiday schedules
- A right-to-audit clause with defined security requirements and SLAs
- A clause specifying the font used in invoices
Correct answer: A right-to-audit clause with defined security requirements and SLAs
A right-to-audit clause with defined security requirements and SLAs lets the organization verify the vendor's posture throughout the relationship. The other clauses do not address ongoing security assurance.
- When integrating security into procurement, at what point should security requirements be introduced?
- Never, because procurement is unrelated to security
- Only after the contract is signed
- Early, during requirements definition and vendor selection
- Only when an incident occurs involving the vendor
Correct answer: Early, during requirements definition and vendor selection
Security requirements should be defined early in procurement so they shape vendor selection and contract terms. Introducing them post-signing or only after incidents leaves the organization exposed.
- A development team requests an exception to a security standard to meet a deadline. What is the most appropriate management response?
- Deny the request automatically without analysis
- Permanently waive the standard for that team
- Grant the exception verbally with no record
- Evaluate the risk, document a formal exception with compensating controls and an expiration, and obtain approval
Correct answer: Evaluate the risk, document a formal exception with compensating controls and an expiration, and obtain approval
Exceptions should be risk-evaluated, documented with compensating controls and an expiration date, and formally approved. Informal grants, blanket denials, or permanent waivers bypass governance.
- Which best explains why asset classification is a prerequisite for applying appropriate security controls across the system lifecycle?
- Classification determines the color of the asset tags
- Classification is only used for accounting depreciation
- Classification eliminates the need to identify owners
- Classification establishes the sensitivity and value of assets so controls can be scaled appropriately
Correct answer: Classification establishes the sensitivity and value of assets so controls can be scaled appropriately
Asset classification establishes sensitivity and value, enabling controls to be scaled to the protection each asset requires. It is not an accounting or labeling exercise and does not remove the need for ownership.
- A quantitative risk analysis shows a control costs more annually than the loss it prevents. What is the most rational management decision, all else equal?
- Implement the control regardless of cost
- Ignore the analysis entirely
- Reconsider the control, since its cost exceeds the expected benefit
- Double the control budget
Correct answer: Reconsider the control, since its cost exceeds the expected benefit
If a control's annual cost exceeds the expected loss it prevents, it is not cost-effective and should be reconsidered. Implementing it anyway or ignoring the analysis is economically irrational.
- Which describes inherent risk?
- The risk remaining after controls are applied
- The risk that has been transferred to an insurer
- The level of risk present before any controls are applied
- The risk that has been fully eliminated
Correct answer: The level of risk present before any controls are applied
Inherent risk is the risk level that exists before any controls are applied. Residual risk is what remains after controls, and transfer or elimination describe treatments.
- A board asks the CISO how much risk reduction a proposed program delivers. Which approach best answers this in business terms?
- Listing the technical specifications of each tool
- Describing the brand reputation of the chosen vendors
- Counting the number of controls implemented
- Comparing expected loss before and after the program (risk reduction in monetary terms)
Correct answer: Comparing expected loss before and after the program (risk reduction in monetary terms)
Expressing risk reduction as the change in expected loss before and after the program answers the board in business terms. Tool specifications, vendor reputation, and control counts do not quantify risk reduction.
- Which threat intelligence source provides information shared among trusted organizations within the same industry sector?
- An internal payroll system
- An Information Sharing and Analysis Center (ISAC)
- A public social media trending feed
- A consumer product review website
Correct answer: An Information Sharing and Analysis Center (ISAC)
An ISAC enables trusted, sector-specific sharing of threat information among member organizations. Social feeds, payroll systems, and review sites are not structured industry intelligence-sharing bodies.
- During an incident, communication with external parties such as customers and regulators should be governed by what?
- Withholding all information indefinitely regardless of obligations
- A predefined communication and notification plan coordinated with legal and PR
- Each responder's individual judgment in the moment
- Posting raw technical details on public forums
Correct answer: A predefined communication and notification plan coordinated with legal and PR
External communications should follow a predefined plan coordinated with legal and public relations to ensure accuracy and compliance. Ad hoc disclosure or indefinite withholding can create legal and reputational harm.
- What is the primary benefit of mapping observed adversary behavior to a framework such as MITRE ATT&CK during incident analysis?
- It guarantees the attacker will not return
- It automatically removes malware from systems
- It replaces the need for an incident response team
- It provides a common language to understand techniques and identify detection and defensive gaps
Correct answer: It provides a common language to understand techniques and identify detection and defensive gaps
Mapping behavior to MITRE ATT&CK gives a shared vocabulary for understanding techniques and pinpointing detection and defensive gaps. It does not itself remediate systems or guarantee outcomes.
- When determining the Maximum Tolerable Downtime (MTD) for a process, whose input is most essential?
- The building's janitorial staff
- The vendor selling backup software
- External marketing consultants
- The business process owners who understand operational impact
Correct answer: The business process owners who understand operational impact
Business process owners understand the operational impact of disruption and are essential to setting a realistic MTD. Vendors and unrelated parties cannot define business tolerance for downtime.
- Which backup strategy element most directly protects against a ransomware event that encrypts both production and connected backup data?
- Keeping backups solely on the production server
- Storing the only backup copy on the same writable network share
- Disabling backups to reduce attack surface
- Maintaining offline or immutable backup copies separated from production
Correct answer: Maintaining offline or immutable backup copies separated from production
Offline or immutable backups isolated from production cannot be encrypted by ransomware that reaches connected systems, ensuring recoverability. On-share or production-resident copies share the same exposure.
- A multinational organization must transfer personal data from the EU to a country without an adequacy decision. Which mechanism can lawfully enable this transfer?
- Posting the data publicly online
- Standard Contractual Clauses or other approved transfer safeguards
- No mechanism is ever permitted
- Ignoring GDPR because the data leaves the EU
Correct answer: Standard Contractual Clauses or other approved transfer safeguards
Standard Contractual Clauses and other approved safeguards can lawfully enable EU personal data transfers to countries lacking an adequacy decision. Public posting or ignoring GDPR are not lawful options.
- A certified professional discovers a serious vulnerability in a client's system. Under the ISC2 Code of Ethics, what is the appropriate handling of this discovery?
- Use it to access the client's data for personal benefit
- Act honestly and responsibly, informing the client and protecting confidentiality while addressing the risk
- Sell the vulnerability to a third party
- Publicly disclose the details immediately to gain recognition
Correct answer: Act honestly and responsibly, informing the client and protecting confidentiality while addressing the risk
Ethical handling requires acting honestly and responsibly, informing the client, preserving confidentiality, and helping remediate the risk. Public disclosure for recognition, selling, or exploiting the flaw all violate the code.
- Which best describes the management value of conducting a gap analysis against a recognized security framework?
- It eliminates all compliance obligations
- It guarantees certification without any further work
- It replaces the need for a risk assessment
- It identifies differences between current and target control states to prioritize improvement
Correct answer: It identifies differences between current and target control states to prioritize improvement
A gap analysis compares current controls to a target framework state, helping prioritize improvements. It does not guarantee certification, replace risk assessment, or remove compliance obligations.
- A CISO must justify a multi-year security roadmap to the board. Which framing is most persuasive at the executive level?
- How the roadmap reduces enterprise risk and enables business objectives over time
- The seating arrangement of the security team
- The specific command-line syntax for new tools
- A detailed list of every server to be patched
Correct answer: How the roadmap reduces enterprise risk and enables business objectives over time
Boards respond to how a roadmap reduces enterprise risk and enables strategic objectives over time. Technical minutiae and operational details are not persuasive at the executive level.
- Why should security policies be reviewed and updated on a regular cycle?
- Because policies expire automatically after printing
- Because business, technology, threats, and regulations change, requiring policies to stay current
- Because auditors prefer longer documents
- Because review eliminates the need for enforcement
Correct answer: Because business, technology, threats, and regulations change, requiring policies to stay current
Regular review keeps policies aligned with evolving business needs, technology, threats, and regulatory requirements. Review is about relevance, not document length or replacing enforcement.
- An organization wants assurance that a newly integrated acquisition's systems meet its security standards before connecting them. Which lifecycle activity addresses this?
- A security assessment and integration plan with remediation before interconnection
- Immediately connecting the systems and assessing later
- Assuming the acquired company had equivalent controls
- Disabling logging during the integration
Correct answer: A security assessment and integration plan with remediation before interconnection
A security assessment and integration plan with remediation before interconnection ensures the acquired systems meet standards prior to exposing the environment. Connecting first or assuming parity introduces unmanaged risk.
- Which statement best captures the relationship between threat, vulnerability, and risk?
- A threat with no vulnerability always produces high risk
- Risk is unrelated to threats and vulnerabilities
- Risk exists only when a threat can exploit a vulnerability to cause impact
- A vulnerability alone with no threat always produces high risk
Correct answer: Risk exists only when a threat can exploit a vulnerability to cause impact
Risk arises when a threat is able to exploit a vulnerability and cause impact; the presence of one factor alone does not by itself create risk. Risk is fundamentally a function of these elements together.
- A security manager wants to ensure incident response capability is sustained as staff turn over. Which practice best supports this goal?
- Outsourcing all knowledge to a vendor with no internal record
- Relying on a single expert's undocumented knowledge
- Avoiding documentation to keep procedures flexible
- Maintaining documented playbooks and conducting regular cross-training and exercises
Correct answer: Maintaining documented playbooks and conducting regular cross-training and exercises
Documented playbooks plus regular cross-training and exercises preserve response capability despite staff turnover. Dependence on a single undocumented expert creates fragile, unsustainable capability.
- Which best explains why a continuity plan should include succession and delegation of authority provisions?
- To create additional management titles for prestige
- To reduce the number of employees permanently
- To ensure decisions can still be made if key leaders are unavailable during a disruption
- To eliminate the need for a communications plan
Correct answer: To ensure decisions can still be made if key leaders are unavailable during a disruption
Succession and delegation provisions ensure essential decisions can still be made when key leaders are unavailable during a disruption. They are about continuity of authority, not titles or headcount.
- In the ISSMP framework, security governance and security management are distinct functions. Which statement correctly distinguishes them?
- Governance executes day-to-day controls while management sets enterprise direction
- Governance and management are interchangeable terms for the same activity
- Governance is performed only by external auditors while management is performed by the board
- Governance sets direction, risk appetite, and accountability while management implements and operates controls to achieve that direction
Correct answer: Governance sets direction, risk appetite, and accountability while management implements and operates controls to achieve that direction
Governance sets direction, defines risk appetite, and establishes accountability, while management implements and operates the controls and processes that carry out that direction. Governance is a board- and executive-level steering function; management is the execution layer, so the two are complementary but not the same activity, and neither is owned by external auditors.
- A CISO is drafting the foundational statement that explains why the security function exists and the enduring value it provides to the enterprise. Which document element is being created?
- The annual vulnerability scan schedule
- The security mission statement
- The incident severity matrix
- The firewall change log
Correct answer: The security mission statement
The security mission statement articulates why the security function exists and the enduring value it delivers, anchoring security culture to organizational purpose. A vision describes the desired future state while the mission expresses present purpose; scan schedules, change logs, and severity matrices are operational artifacts, not cultural foundation statements.
- A security leader wants to embed security into organizational culture so employees treat protection as a shared value rather than an imposed rule. Which approach most directly builds that culture?
- Increasing the number of mandatory technical controls on endpoints
- Publishing a longer acceptable use policy and requiring annual sign-off
- Tying leadership tone, role modeling, recognition, and a clear vision and mission to everyday behavior
- Restricting security discussions to the security team only
Correct answer: Tying leadership tone, role modeling, recognition, and a clear vision and mission to everyday behavior
Embedding security in culture comes from visible leadership tone, role modeling, recognition, and a shared vision and mission that connect protection to everyday behavior. Culture is shaped by what leaders reward and demonstrate, not by longer policies or more endpoint controls, and limiting security conversations to one team works against a shared-value culture.
- An organization is formalizing how the information security program connects to its enterprise governance structures. Which action best aligns the security program with organizational governance?
- Mapping security objectives, policies, and reporting lines to the board's governance framework and risk appetite
- Adopting a competitor's security policies without modification
- Reporting security status only to the IT help desk
- Letting the security team operate independently of corporate committees
Correct answer: Mapping security objectives, policies, and reporting lines to the board's governance framework and risk appetite
Aligning the security program with organizational governance means mapping its objectives, policies, and reporting lines into the board's governance framework and risk appetite. Alignment requires integration with existing corporate governance and oversight bodies, not independent operation, copied policies, or reporting confined to the help desk.
- Which statement best defines a security program in the context of organizational security management?
- A single tool that automatically blocks all malicious traffic
- The contract signed with a managed detection and response vendor
- A one-time project to deploy antivirus across all endpoints
- The structured, ongoing set of governance, policies, controls, people, and processes that manage information security to meet business objectives
Correct answer: The structured, ongoing set of governance, policies, controls, people, and processes that manage information security to meet business objectives
A security program is the structured, ongoing set of governance, policies, controls, people, and processes that manage information security in support of business objectives. It is a sustained organizational capability, not a single tool, a one-time deployment project, or a vendor contract.
- A program manager is building a RACI matrix for a security control implementation. Which definition correctly distinguishes the Responsible role from the Accountable role?
- Responsible signs off on the outcome; Accountable performs the hands-on work
- Responsible is always a committee; Accountable is always external to the organization
- Responsible and Accountable both perform the work equally
- Responsible performs the work to complete the task; Accountable is the single person who is ultimately answerable and signs off on the outcome
Correct answer: Responsible performs the work to complete the task; Accountable is the single person who is ultimately answerable and signs off on the outcome
In RACI, the Responsible party performs the work to complete the task, while the Accountable party is the single person ultimately answerable for the result who signs off on the outcome. A task can have several Responsible doers, but accountability should rest with exactly one person to preserve clear ownership; the two roles are not equal and accountability is not assigned externally by default.
- A security manager is creating a responsibility assignment chart to clarify who does what across a multi-team security initiative. What is a RACI matrix in a security context?
- A chart that assigns Responsible, Accountable, Consulted, and Informed roles to stakeholders for each security task or deliverable
- A risk scoring scale used to rank vulnerabilities by severity
- A list of required encryption algorithms for regulated data
- A schedule of penetration tests for the coming year
Correct answer: A chart that assigns Responsible, Accountable, Consulted, and Informed roles to stakeholders for each security task or deliverable
A RACI matrix is a chart that assigns the Responsible, Accountable, Consulted, and Informed roles to stakeholders for each security task or deliverable. It clarifies ownership and communication so security work does not fall through gaps; it is not a vulnerability scoring scale, an algorithm list, or a test schedule.
- On a RACI chart for a data classification project, two managers are both marked Accountable for the same deliverable. Why is this a problem the security leader should correct?
- RACI charts are not allowed to list managers at all
- Only the Consulted role may have more than one person
- Having two Accountable parties speeds delivery and should be encouraged
- Accountability should rest with a single person so ownership and final sign-off are unambiguous
Correct answer: Accountability should rest with a single person so ownership and final sign-off are unambiguous
Accountability should rest with a single person so final sign-off and ownership are unambiguous; two Accountable parties create competing authority and diffuse responsibility. Multiple Responsible, Consulted, or Informed parties are acceptable, but split accountability undermines clear decision-making rather than speeding delivery.
- A board member asks the CISO to express, in financial terms, how much value a proposed security control delivers relative to its cost. Which metric answers this question?
- Return on security investment (ROSI)
- Mean time to detect (MTTD)
- System availability percentage
- Number of open vulnerabilities
Correct answer: Return on security investment (ROSI)
Return on security investment (ROSI) expresses the financial value of a control by comparing the monetary loss it prevents against its cost. MTTD measures detection speed, vulnerability counts measure exposure, and availability measures uptime, so none of those translate a control's benefit into a financial return figure.
- A security manager wants to compute ROSI for a control that reduces expected annual loss. Which calculation correctly produces ROSI?
- Annualized rate of occurrence multiplied by the single loss expectancy
- (Monetary risk reduction achieved by the control minus the cost of the control) divided by the cost of the control
- Cost of the control divided by the asset value
- Total cost of ownership minus the purchase price
Correct answer: (Monetary risk reduction achieved by the control minus the cost of the control) divided by the cost of the control
ROSI is calculated as the monetary risk reduction the control achieves, minus the control's cost, divided by the control's cost, expressed as a percentage return. The risk reduction itself is the difference in annualized loss expectancy before and after the control, so both terms must cover the same period: pair an annual ALE reduction with the control's annualized cost (ideally its full TCO spread over its lifecycle), not a one-time sticker price. ALE (ARO times SLE) is an input to that reduction, not the ROSI formula, and TCO is a separate cost concept that feeds the cost term.
- An executive uses the terms ROI and ROSI interchangeably when discussing security spending. How should the CISO clarify the distinction?
- ROI and ROSI are identical and the executive is correct
- ROSI applies only to hardware while ROI applies only to software
- ROSI measures revenue growth while ROI measures loss avoidance
- Traditional ROI measures profit generated by an investment, while ROSI measures value as loss avoided or risk reduced relative to cost, because security typically prevents loss rather than generating revenue
Correct answer: Traditional ROI measures profit generated by an investment, while ROSI measures value as loss avoided or risk reduced relative to cost, because security typically prevents loss rather than generating revenue
Traditional ROI measures profit an investment generates, while ROSI measures value as loss avoided or risk reduced relative to cost, because security controls usually prevent losses rather than produce revenue. The terms are therefore not identical, and the distinction is about benefit type (loss avoidance versus profit), not hardware versus software.
- When evaluating a security platform, a manager insists on counting not just the license price but also implementation, training, integration, maintenance, and eventual decommissioning costs. Which concept is being applied?
- Recovery point objective (RPO)
- Total cost of ownership (TCO)
- Annualized rate of occurrence (ARO)
- Single loss expectancy (SLE)
Correct answer: Total cost of ownership (TCO)
Total cost of ownership (TCO) captures the full lifecycle cost of an asset, including acquisition, implementation, training, integration, maintenance, and decommissioning, not just the purchase price. SLE and ARO are risk-quantification inputs and RPO is a recovery metric, so none of those represent lifecycle cost.
- Two vendor solutions have the same upfront license price, but one requires far more staffing and integration over five years. Which analysis best supports an objective selection decision?
- Selecting whichever vendor responds to email fastest
- Comparing the total cost of ownership across the full expected lifecycle of each solution
- Comparing only the first-year license cost
- Choosing the vendor with the larger marketing budget
Correct answer: Comparing the total cost of ownership across the full expected lifecycle of each solution
Comparing total cost of ownership across each solution's full expected lifecycle reveals the true long-term cost, including staffing, integration, and maintenance, that an upfront price hides. First-year price alone, marketing spend, and responsiveness do not measure long-term financial impact.
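The following worked example is added here to tie together the ROSI formula from the earlier question and the TCO comparison above; it is not part of the original question set. It models two hypothetical vendors with an identical license price but different lifecycle costs, computes ALE from SLE and ARO, spreads each vendor's TCO over its expected life, and shows how ROSI changes depending on whether the cost term is the sticker price or the annualized TCO. The vendor names, cost figures, and mitigation rate are all constructed for illustration.

```python
"""Worked ROSI / TCO example (added illustration; figures are constructed, not from the page)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    """Lifecycle cost profile of one candidate control (hypothetical fields)."""
    name: str
    license: float            # upfront license / sticker price
    implementation: float     # one-time integration and deployment
    training: float           # one-time staff training
    decommission: float       # one-time end-of-life cost
    annual_maintenance: float # recurring per year
    annual_staffing: float    # recurring per year
    years: int                # expected service life
    mitigation: float         # fraction of ALE the control removes, 0.0..1.0


def ale(sle: float, aro: float) -> float:
    """Annualized loss expectancy = single loss expectancy * annualized rate of occurrence."""
    return sle * aro


def tco(c: Control) -> float:
    """Total cost of ownership across the full expected lifecycle."""
    one_time = c.license + c.implementation + c.training + c.decommission
    recurring = (c.annual_maintenance + c.annual_staffing) * c.years
    return one_time + recurring


def annualized_cost(c: Control) -> float:
    """Spread lifecycle TCO over the service life so it matches an annual ALE reduction."""
    return tco(c) / c.years


def rosi(ale_before: float, mitigation: float, annual_cost: float) -> float:
    """(risk reduction - cost) / cost, with all terms on an annual basis."""
    ale_after = ale_before * (1.0 - mitigation)
    reduction = ale_before - ale_after
    return (reduction - annual_cost) / annual_cost


def sticker_only_rosi(c: Control, ale_before: float) -> float:
    """The flawed comparison: license price alone, spread over the life, as the cost term."""
    return rosi(ale_before, c.mitigation, c.license / c.years)


def compare(controls: list[Control], sle: float, aro: float) -> dict[str, dict[str, float]]:
    """Return TCO, TCO-based ROSI and sticker-only ROSI for each control."""
    base = ale(sle, aro)
    return {
        c.name: {
            "tco": tco(c),
            "rosi_tco": rosi(base, c.mitigation, annualized_cost(c)),
            "rosi_sticker": sticker_only_rosi(c, base),
        }
        for c in controls
    }


# Constructed scenario: a threat with SLE 250,000 and ARO 0.4 gives ALE 100,000 per year.
SLE, ARO = 250_000.0, 0.4

# Both vendors quote the same 60,000 license; lifecycle costs differ sharply.
VENDOR_A = Control("VendorA", license=60_000, implementation=25_000, training=5_000,
                   decommission=10_000, annual_maintenance=10_000, annual_staffing=20_000,
                   years=5, mitigation=0.75)
VENDOR_B = Control("VendorB", license=60_000, implementation=40_000, training=10_000,
                   decommission=10_000, annual_maintenance=16_000, annual_staffing=60_000,
                   years=5, mitigation=0.75)


if __name__ == "__main__":
    for name, r in compare([VENDOR_A, VENDOR_B], SLE, ARO).items():
        print(f"{name}: TCO={r['tco']:,.0f}  ROSI(TCO)={r['rosi_tco']:+.2%}  "
              f"ROSI(sticker only)={r['rosi_sticker']:+.2%}")
```

On the sticker-only basis both vendors look identical (a 525% return), because the license is the only cost counted. Once the cost term is annualized TCO, VendorA returns +50% while VendorB returns -25%: its staffing and maintenance consume more than the 75,000 of annual loss it avoids, which is exactly the flaw in a price-tag-only comparison.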
- A security leader is structuring the program's documentation hierarchy. Which ordering correctly reflects the relationship from most authoritative and general to most specific and operational?
- Policy, standard, procedure, guideline
- Procedure, guideline, standard, policy
- Standard, policy, guideline, procedure
- Guideline, procedure, standard, policy
Correct answer: Policy, standard, procedure, guideline
The documentation hierarchy flows from policy, which states mandatory high-level management intent, to standards that specify mandatory requirements, to procedures that give step-by-step instructions, with guidelines offering recommended but non-mandatory advice. Policies are the most authoritative and general, while procedures and guidelines are the most specific and operational.
- An auditor asks the difference between a standard and a guideline in the organization's security documentation. How should the security manager respond?
- A standard is optional advice while a guideline is mandatory
- Standards and guidelines are both legally binding contracts
- A standard applies only to hardware and a guideline only to software
- A standard is a mandatory, specific requirement that supports policy, while a guideline is recommended, non-mandatory best-practice advice
Correct answer: A standard is a mandatory, specific requirement that supports policy, while a guideline is recommended, non-mandatory best-practice advice
A standard is a mandatory, specific requirement that operationalizes policy, whereas a guideline is recommended, non-mandatory best-practice advice that helps but does not compel. The mandatory-versus-recommended distinction is the key difference; neither is a legal contract, and the split is not based on hardware versus software.
- A development team needs exact, step-by-step instructions to configure a hardened web server consistently every time. Which type of security document should provide this?
- A policy
- A guideline
- A procedure
- A mission statement
Correct answer: A procedure
A procedure provides the exact, repeatable step-by-step instructions needed to perform a task consistently, such as hardening a web server. A policy states intent at a high level, a guideline offers optional advice, and a mission statement expresses purpose, none of which deliver detailed operational steps.
- A security manager is designing a security awareness training program for all employees. Which design choice most improves the program's effectiveness at reducing human-driven risk?
- Limiting training to the IT department because they handle systems
- Tailoring content to job roles, reinforcing it continuously, and measuring behavior change through metrics such as phishing-simulation results
- Replacing training with a signed acknowledgment of the policy
- Delivering identical generic content to every employee once at onboarding
Correct answer: Tailoring content to job roles, reinforcing it continuously, and measuring behavior change through metrics such as phishing-simulation results
An effective security awareness training program tailors content to roles, reinforces it continuously, and measures behavior change through metrics like phishing-simulation click rates. Risk reduction requires sustained, relevant, measurable engagement; one-time generic content, a signed acknowledgment, or IT-only training leave most of the workforce unprepared.
- After running a security awareness training program for a year, a CISO wants to demonstrate its impact to leadership. Which evidence most credibly shows the program is working?
- The number of employees who logged into the training portal once
- The total number of training slides produced
- The amount of money spent on the training platform
- A measurable decline in phishing-simulation click rates and reported security incidents attributable to user behavior
Correct answer: A measurable decline in phishing-simulation click rates and reported security incidents attributable to user behavior
A measurable decline in phishing-simulation click rates and behavior-driven incidents credibly demonstrates that a security awareness training program is changing behavior and reducing risk. Slide counts, spend, and single logins are activity or cost inputs that do not prove the program improved security outcomes.
- A board wants the security leader to report a small set of measures showing how well the program is performing against its objectives. Which category of measure fits this need?
- Key performance indicators (KPIs)
- Recovery time objectives (RTOs)
- Key risk indicators (KRIs)
- Indicators of compromise (IOCs)
Correct answer: Key performance indicators (KPIs)
Key performance indicators (KPIs) measure how well the security program is performing against its objectives, such as patch timeliness or training completion. KRIs signal rising risk exposure, IOCs are forensic artifacts of compromise, and RTOs are recovery targets, so those do not measure program performance.
- A CISO wants an early-warning metric that signals when the organization's risk exposure is trending toward an unacceptable level before an incident occurs. Which type of metric provides this?
- A key performance indicator (KPI)
- A service availability percentage
- A key risk indicator (KRI)
- A total cost of ownership figure
Correct answer: A key risk indicator (KRI)
A key risk indicator (KRI) is a forward-looking metric that signals rising risk exposure before an incident occurs, enabling proactive intervention. A KPI looks backward at how well the program performed, while TCO and availability measure cost and uptime rather than emerging risk.
- A security leader is deciding which metrics to track. How should KPIs and KRIs be distinguished when designing a measurement dashboard?
- KPIs apply only to executives and KRIs apply only to technicians
- KPIs and KRIs are different names for the same metric
- KPIs predict future risk while KRIs report past performance
- KPIs measure how well objectives are being met, while KRIs are forward-looking signals that exposure to risk is increasing
Correct answer: KPIs measure how well objectives are being met, while KRIs are forward-looking signals that exposure to risk is increasing
KPIs measure how well objectives are being met, while KRIs are forward-looking signals that risk exposure is increasing and may breach tolerance. They serve different purposes on a dashboard (performance versus emerging risk) and are not synonyms or split by audience seniority.
- An organization wants a cross-functional body of senior leaders to set security priorities, approve funding, and resolve conflicts between business units. What is this body called?
- A change advisory board
- A security operations center
- An incident response team
- A security steering committee
Correct answer: A security steering committee
A security steering committee is a cross-functional body of senior leaders that sets security priorities, approves funding, and arbitrates conflicts between business units. A security operations center monitors threats, a change advisory board reviews changes, and an incident response team handles incidents, none of which provide enterprise security steering.
- Membership on a security steering committee is being defined. Which composition best enables the committee to fulfill its governance purpose?
- Entry-level analysts rotated weekly
- Senior representatives from across business units, IT, legal, risk, and the security function
- Only members of the security operations team
- External penetration testers contracted for a single engagement
Correct answer: Senior representatives from across business units, IT, legal, risk, and the security function
A security steering committee should include senior representatives from business units, IT, legal, risk, and security so decisions reflect enterprise-wide priorities and carry authority. Limiting membership to the SOC, contracted testers, or rotating junior analysts would lack the cross-functional authority needed for governance.
- A CISO is justifying the program to the board and must choose a way to express security's value that resonates at the executive level. Which framing is most appropriate?
- A detailed list of every firewall rule deployed last quarter
- The brand names of the security tools in use
- The count of signatures collected on acceptable use policies
- How security initiatives reduce business risk and enable strategic objectives, supported by financial measures such as ROSI
Correct answer: How security initiatives reduce business risk and enable strategic objectives, supported by financial measures such as ROSI
Executives respond to framing that ties security initiatives to reduced business risk and enabled strategic objectives, supported by financial measures such as ROSI. Boards make resource decisions in business and risk terms; signature counts, firewall rule lists, and tool brand names are operational details that do not convey strategic value.
- A newly hired CISO must establish strategic direction for the security program. Which sequence best reflects sound strategy development?
- Adopt the strategy of the previous employer unchanged
- Understand business objectives and risk appetite, assess the current state, then define a strategy and roadmap aligned to those objectives
- Wait for an incident before defining any direction
- Purchase tools first, then write policies, then assess risk
Correct answer: Understand business objectives and risk appetite, assess the current state, then define a strategy and roadmap aligned to those objectives
Sound security strategy starts by understanding business objectives and risk appetite, assessing the current state, then defining a strategy and roadmap aligned to those objectives. Buying tools first, copying a prior employer's strategy, or waiting for an incident all skip the alignment that makes a strategy effective.
- A data owner must label information so that handling rules can be applied consistently. Which set represents typical data classification levels in a commercial organization?
- Online, offline, archived, deleted
- Daily, weekly, monthly, yearly
- Read, write, execute, delete
- Public, internal, confidential, restricted
Correct answer: Public, internal, confidential, restricted
A common commercial data classification scheme uses levels such as public, internal, confidential, and restricted to drive consistent handling, access, and protection rules. The other sets describe storage states, file permissions, or backup frequencies, none of which classify data by sensitivity.
- What is the primary management purpose of assigning data classification levels to organizational information?
- To decide the physical color of storage media
- To schedule routine server reboots
- To ensure protection, access, and handling controls are applied in proportion to the data's sensitivity and value
- To determine which employees receive bonuses
Correct answer: To ensure protection, access, and handling controls are applied in proportion to the data's sensitivity and value
Data classification ensures protection, access, and handling controls are applied in proportion to each information set's sensitivity and value, so resources focus where risk is greatest. It is not a tool for compensation, media coloring, or maintenance scheduling.
- Who in the organization is normally responsible for assigning the classification level to a given set of data?
- The night-shift security guard
- The data owner who has business responsibility for the information
- The most junior analyst available
- Any external vendor that touches the data
Correct answer: The data owner who has business responsibility for the information
The data owner, who holds business responsibility for the information, normally assigns its classification level because they understand its sensitivity and value. Custodians implement protections and users follow handling rules, but a guard, external vendor, or junior analyst is not positioned to set the classification.
- A security manager must build a multi-year security roadmap. Which element most ensures the roadmap remains aligned to the business as priorities shift?
- Basing every initiative on the newest available technology
- Delegating all roadmap decisions to individual project teams
- Locking the roadmap for five years with no review
- Tying roadmap initiatives to evolving business objectives and reassessing them on a defined governance cycle
Correct answer: Tying roadmap initiatives to evolving business objectives and reassessing them on a defined governance cycle
A roadmap stays aligned when its initiatives are tied to evolving business objectives and reassessed on a defined governance cycle. Business priorities change, so a locked multi-year plan, technology-chasing, or fragmented team-by-team decisions would drift away from organizational needs.
- A CISO must staff a growing security program but cannot fill all senior roles quickly. Which talent-management approach best sustains capability over time?
- Avoiding documentation so knowledge stays with individuals
- Combining targeted hiring with internal development, cross-training, and succession planning for critical roles
- Assigning every task to the single most experienced engineer
- Relying only on emergency hiring after a key person leaves
Correct answer: Combining targeted hiring with internal development, cross-training, and succession planning for critical roles
Sustaining capability requires combining targeted hiring with internal development, cross-training, and succession planning for critical roles. Reactive emergency hiring, overloading one expert, and hoarding undocumented knowledge create single points of failure rather than durable team capacity.
- A security leader proposes an investment that reduces expected annual loss from a threat by far more than the control costs, with a strongly positive ROSI. What does this result indicate to management?
- The control is financially justified because the value of loss avoided exceeds its cost
- The control must be deployed regardless of any other organizational priorities
- ROSI is irrelevant to investment decisions
- The control should be rejected because any spending on security is wasteful
Correct answer: The control is financially justified because the value of loss avoided exceeds its cost
A strongly positive ROSI indicates the control is financially justified because the value of loss avoided exceeds its cost. ROSI is a decision-support input, not a mandate; it informs prioritization against other investments rather than forcing deployment or proving all security spend wasteful.
- A security manager needs to assign clear ownership across many overlapping security tasks so that no task is left without a responsible doer or an accountable owner. Which tool most directly accomplishes this?
- A network topology diagram
- A data flow diagram
- A risk heat map
- A RACI matrix mapping each task to Responsible, Accountable, Consulted, and Informed parties
Correct answer: A RACI matrix mapping each task to Responsible, Accountable, Consulted, and Informed parties
A RACI matrix maps each task to its Responsible, Accountable, Consulted, and Informed parties, ensuring every task has a doer and a single accountable owner. Topology diagrams, data flow diagrams, and risk heat maps describe systems or risks but do not assign role-based ownership of tasks.
- A CISO presents both a backward-looking measure of patch compliance and a forward-looking measure of how quickly unpatched critical systems are accumulating. Which pairing correctly labels these two measures?
- Patch compliance is a KRI; the accumulation trend is a KPI
- Patch compliance is a KPI; the accumulation trend of unpatched critical systems is a KRI
- Both are KRIs
- Both are KPIs
Correct answer: Patch compliance is a KPI; the accumulation trend of unpatched critical systems is a KRI
Patch compliance reports how well the program performed, making it a KPI, while the accumulating count of unpatched critical systems is a forward-looking warning of rising exposure, making it a KRI. The two measures serve different purposes, so labeling both identically would obscure the performance-versus-risk distinction.
- A steering committee must decide between two security initiatives competing for the same budget. Which decision basis best reflects the committee's governance role?
- Funding whichever sponsor argues most loudly
- Splitting the budget evenly to avoid conflict
- Prioritizing the initiative that reduces the greatest business risk relative to its cost, consistent with enterprise risk appetite
- Deferring the decision indefinitely
Correct answer: Prioritizing the initiative that reduces the greatest business risk relative to its cost, consistent with enterprise risk appetite
A steering committee should prioritize the initiative that reduces the greatest business risk relative to cost, consistent with the enterprise's risk appetite. Governance bodies allocate scarce resources by risk-based value, not by who argues loudest, arbitrary even splits, or indefinite deferral.
- An organization's security vision describes the desired future state of its security posture, while its security mission describes present purpose. Why does leadership articulate both?
- The vision replaces the need for any security strategy
- They are redundant and only one is ever needed
- The vision provides aspirational direction to guide strategy, while the mission grounds daily decisions in present purpose, together shaping security culture
- The vision is for regulators and the mission is for auditors
Correct answer: The vision provides aspirational direction to guide strategy, while the mission grounds daily decisions in present purpose, together shaping security culture
Leadership articulates both because the vision provides aspirational direction that guides long-term strategy, while the mission grounds daily decisions in present purpose, and together they shape security culture. They are complementary rather than redundant, are not split by external audience, and neither replaces a concrete strategy.
- A CISO must demonstrate to the board that the security function is governed rather than merely operated. Which combination of artifacts best evidences security governance?
- A spreadsheet of help-desk tickets and a printer inventory
- A board-approved security policy, a defined risk appetite, assigned accountability, and oversight reporting to a governance body
- A list of antivirus signatures and a patch log
- A collection of vendor brochures
Correct answer: A board-approved security policy, a defined risk appetite, assigned accountability, and oversight reporting to a governance body
Security governance is evidenced by a board-approved policy, a defined risk appetite, assigned accountability, and oversight reporting to a governance body, which together show direction and accountability above the operational layer. Signature lists, patch logs, ticket spreadsheets, and brochures are operational or procurement artifacts, not governance evidence.
- A security program's effectiveness is being reported to executives. Which presentation of metrics best supports executive decision-making?
- Every raw log entry collected during the period
- A single number with no context or trend
- A concise set of KPIs and KRIs tied to business objectives and risk appetite, with trends and recommended actions
- A highly technical packet-capture analysis
Correct answer: A concise set of KPIs and KRIs tied to business objectives and risk appetite, with trends and recommended actions
Executives are best served by a concise set of KPIs and KRIs tied to business objectives and risk appetite, presented with trends and recommended actions they can act on. Raw logs, a context-free single number, and packet-level technical analysis do not support strategic decisions at the board level.
- When justifying a security control purchase, a manager compares only its sticker price to a competing option's higher sticker price and recommends the cheaper one. What flaw does an ISSMP identify in this reasoning?
- The comparison ignores total cost of ownership, so the cheaper sticker price may cost more across its lifecycle
- Sticker price is the only valid basis for any purchase decision
- Security purchases should never consider cost at all
- The more expensive option is always the better security choice
Correct answer: The comparison ignores total cost of ownership, so the cheaper sticker price may cost more across its lifecycle
The reasoning is flawed because it ignores total cost of ownership; a lower sticker price can carry higher implementation, staffing, and maintenance costs over the lifecycle, making it more expensive overall. Sound decisions weigh full TCO against value, not sticker price alone, and neither ignoring cost nor assuming pricier is better is correct.
- A security leader wants the security function to be seen as a business enabler that supports strategic goals rather than a cost center that blocks progress. Which leadership action most advances this positioning?
- Saying no to every new business initiative by default
- Framing security decisions in terms of business risk and demonstrating how security enables initiatives to proceed safely
- Operating the security team in isolation from business units
- Withholding security metrics from business leaders
Correct answer: Framing security decisions in terms of business risk and demonstrating how security enables initiatives to proceed safely
Positioning security as a business enabler comes from framing decisions in business-risk terms and showing how security lets initiatives proceed safely rather than blocking them. Default refusals, hidden metrics, and operating in isolation reinforce the perception of security as an obstacle and a cost center.
- An organization is defining who sets security policy versus who carries it out day to day. Which allocation correctly separates governance from management responsibilities?
- The board and executives set direction, policy, and risk appetite (governance), while the security team implements and operates controls (management)
- The SOC analysts set risk appetite and the board configures firewalls
- External auditors both set policy and operate the controls
- Each individual employee independently sets organizational risk appetite
Correct answer: The board and executives set direction, policy, and risk appetite (governance), while the security team implements and operates controls (management)
Governance belongs to the board and executives, who set direction, policy, and risk appetite, while management belongs to the security team, which implements and operates controls. Risk appetite is an executive-level decision, control configuration is an operational task, and auditors provide independent assurance rather than setting or running the program.
- A CISO must decide how to allocate a fixed security budget across competing initiatives. Which approach best demonstrates risk- and value-based financial stewardship to the board?
- Allocating the entire budget to a single flagship tool
- Ranking initiatives by their risk reduction relative to cost, using measures such as ROSI and total cost of ownership, then funding the highest-value first
- Returning the budget unspent to appear frugal
- Spending the budget on whatever was popular at the last conference
Correct answer: Ranking initiatives by their risk reduction relative to cost, using measures such as ROSI and total cost of ownership, then funding the highest-value first
Sound financial stewardship ranks initiatives by risk reduction relative to cost, using ROSI and total cost of ownership, then funds the highest-value items first. Conference-driven spending, betting everything on one tool, or leaving the budget unspent all fail to align security spending with business risk and value.
- A new CISO inherits scattered security activities with no unifying structure. Which characteristic most clearly indicates the organization has a true security program rather than disconnected efforts?
- Each team buys its own tools independently with no coordination
- Security work happens only in reaction to incidents
- Security spending is the largest line item in the IT budget
- A defined structure of governance, documented policies, assigned roles, measurable objectives, and continuous improvement ties security activities together toward business goals
Correct answer: A defined structure of governance, documented policies, assigned roles, measurable objectives, and continuous improvement ties security activities together toward business goals
A true security program is marked by a defined structure of governance, documented policies, assigned roles, measurable objectives, and continuous improvement that connects activities to business goals. Independent tool buying, purely reactive work, and raw spending levels indicate fragmented effort, not a coherent program.
- A security manager is asked to explain how configuration management differs from change management to a newly formed governance board. Which statement most accurately distinguishes the two disciplines?
- Configuration management is performed by auditors, while change management is performed by end users without approval
- Configuration management authorizes production deployments, while change management inventories hardware assets
- Configuration management applies only to software, while change management applies only to hardware
- Configuration management identifies, records, and maintains the authoritative state of configuration items, while change management is the governed process for authorizing and assessing modifications to that state
Correct answer: Configuration management identifies, records, and maintains the authoritative state of configuration items, while change management is the governed process for authorizing and assessing modifications to that state
Configuration management identifies, records, and maintains the authoritative baseline state of configuration items, while change management is the governed process that authorizes, assesses, and tracks modifications to that state. Configuration management answers what the system should look like; change management governs how it is allowed to be altered. The notion that one applies only to hardware and the other only to software is incorrect, as both span all configuration items.
- A CISO wants to clarify for IT operations why the organization needs both a vulnerability management program and a patch management program. Which description best captures the relationship between them?
- Vulnerability management deploys updates, while patch management ranks risk
- Vulnerability management identifies, classifies, and prioritizes weaknesses, while patch management is one remediation path that tests and deploys vendor updates
- They are interchangeable terms for the same scanning activity
- Patch management replaces vulnerability management once a scanner is deployed
Correct answer: Vulnerability management identifies, classifies, and prioritizes weaknesses, while patch management is one remediation path that tests and deploys vendor updates
Vulnerability management is the broader security function that identifies, classifies, and prioritizes weaknesses by risk, while patch management is one remediation path that tests and deploys vendor updates. Many vulnerabilities, such as misconfigurations, weak credentials, or design flaws, cannot be fixed by a patch, so patch management alone cannot close every finding. The two are complementary, not interchangeable.
- A security manager is documenting the organization's vulnerability management process for a maturity assessment. Which ordered set of activities best represents a sound vulnerability management lifecycle?
- Discover and inventory assets, scan to identify vulnerabilities, assess and prioritize by risk, remediate or mitigate, then verify and report
- Deploy patches, then discover assets, then ignore findings
- Wait for an audit, then scan once, then close the program
- Purchase tooling, terminate staff, archive logs, and disable scanning
Correct answer: Discover and inventory assets, scan to identify vulnerabilities, assess and prioritize by risk, remediate or mitigate, then verify and report
A sound vulnerability management lifecycle discovers and inventories assets, scans to identify vulnerabilities, assesses and prioritizes by risk, remediates or mitigates, then verifies and reports before repeating continuously. Asset discovery comes first because unknown assets cannot be assessed, and verification confirms that remediation actually closed the exposure. A one-time scan or patch-first approach skips the prioritization and verification that make the process effective.
- When defining a secure software development lifecycle (secure SDLC), a security manager must articulate its core premise to executives. What is secure SDLC fundamentally?
- An approach that integrates security requirements, activities, and verification gates into every phase of development from initiation through disposal
- A separate security project executed after the software is built
- A one-time penetration test conducted just before release
- A contractual clause requiring vendors to indemnify the buyer
Correct answer: An approach that integrates security requirements, activities, and verification gates into every phase of development from initiation through disposal
A secure SDLC integrates security requirements, activities, and verification gates into every phase of development, from initiation and requirements through design, build, testing, deployment, maintenance, and disposal. Treating security as a late penetration test or a separate post-build project leaves flaws embedded and expensive to remediate. The defining trait is that security is continuous and built in, not bolted on.
- A security manager is mapping which security activities belong in each secure SDLC phase. Which sequence correctly pairs phases with their primary security focus?
- Testing defines security needs and requirements verifies the running production system
- Disposal gathers requirements, operations writes code, and design retires the system
- Requirements define security needs, design includes threat modeling, development applies secure coding, testing performs security verification, and operations adds monitoring and secure disposal
- Development defines security needs, requirements writes code, disposal designs the architecture, and testing procures hardware
Correct answer: Requirements define security needs, design includes threat modeling, development applies secure coding, testing performs security verification, and operations adds monitoring and secure disposal
Across secure SDLC phases, requirements define security needs, design incorporates threat modeling and architecture, development applies secure coding, testing performs security verification, and operations adds monitoring and eventual secure disposal. Each phase has a distinct security purpose that builds on the prior one. The other orderings scramble the phases, which would place activities such as coding before requirements are even known.
- During the requirements phase of a new system, the project team is unsure how to capture security expectations so they are testable later. What is the most effective way to define security requirements in the SDLC?
- Document only the desired features and add security after go-live
- Express security requirements as specific, verifiable statements derived from policy, regulation, and risk assessment, traceable through design and testing
- Leave security to the discretion of individual developers during coding
- Reference the marketing brochure as the source of security expectations
Correct answer: Express security requirements as specific, verifiable statements derived from policy, regulation, and risk assessment, traceable through design and testing
Security requirements should be expressed as specific, verifiable statements derived from policy, regulation, and risk assessment, and kept traceable through design and testing so each can be validated. Vague or developer-discretion approaches produce requirements that cannot be tested or proven met. Traceability is what lets the organization confirm at acceptance that every security requirement was satisfied.
- An organization is acquiring a commercial off-the-shelf application rather than building it. Which set of software acquisition security requirements should the security manager insist be embedded in the procurement?
- Color scheme, font licensing, and office location of the vendor
- Only the lowest purchase price and the fastest delivery date
- Security functional requirements, evidence of secure development practices, vulnerability disclosure and patching commitments, and a right to audit or assess
- A promise that the product will never contain any vulnerability for its lifetime
Correct answer: Security functional requirements, evidence of secure development practices, vulnerability disclosure and patching commitments, and a right to audit or assess
Software acquisition security requirements should specify security functional requirements, evidence of secure development practices, vulnerability disclosure and patching commitments, and a right to audit or assess the product and vendor. These embed accountability and verification into the contract before deployment. A blanket promise of zero vulnerabilities is unrealistic and unenforceable, and price or aesthetics do not address security risk.
- A change to a production system has been requested. Within a security-aware change management process, which step most directly prevents a change from introducing unacceptable risk?
- Skipping testing because the change appears minor
- Announcing the change only after it has already failed in production
- Letting the requester apply the change immediately and document it later
- Performing a security impact assessment and obtaining approval from the change advisory board before implementation
Correct answer: Performing a security impact assessment and obtaining approval from the change advisory board before implementation
Performing a security impact assessment and obtaining change advisory board approval before implementation is what keeps a change from introducing unacceptable risk. Assessing the security impact first ensures the change is understood, tested, and authorized, with a rollback path defined. Applying changes immediately or skipping testing bypasses the controls that detect harmful side effects.
- A security manager finds that emergency changes are routinely bypassing the standard change process during outages. What is the most appropriate governance response?
- Forbid all emergency changes regardless of business need
- Define a documented emergency change procedure with expedited approval and mandatory retroactive review and documentation
- Route every emergency change to a year-end review with no interim controls
- Allow emergency changes with no record because speed matters most
Correct answer: Define a documented emergency change procedure with expedited approval and mandatory retroactive review and documentation
The appropriate response is a documented emergency change procedure that provides expedited approval during the incident and requires retroactive review and documentation afterward. This preserves operational speed while maintaining accountability and an audit trail. Forbidding emergency changes harms availability, and allowing unrecorded changes destroys traceability and control.
- A security manager wants to ensure that prioritization of vulnerabilities reflects real exposure rather than raw scanner severity. Which approach best supports risk-based vulnerability prioritization?
- Combine technical severity with asset criticality, exploitability, exposure, and the presence of compensating controls
- Remediate strictly in the order vulnerabilities were discovered
- Patch only the systems with the most available updates
- Address vulnerabilities alphabetically by hostname
Correct answer: Combine technical severity with asset criticality, exploitability, exposure, and the presence of compensating controls
Risk-based prioritization combines technical severity with asset criticality, exploitability, exposure, and any compensating controls to focus effort where real risk is highest. A high-severity flaw on an isolated, low-value asset may matter less than a moderate flaw on an internet-facing critical system. Ordering by discovery date or alphabetically ignores business impact entirely.
- An organization runs frequent vulnerability scans but findings are rarely closed. From a management perspective, which addition would most improve remediation outcomes?
- Disabling scanning to reduce the backlog of findings
- Establishing remediation service-level agreements with assigned owners and tracking metrics to closure
- Sending all findings to a shared mailbox no one monitors
- Buying a second scanning tool to double the number of findings
Correct answer: Establishing remediation service-level agreements with assigned owners and tracking metrics to closure
Establishing remediation service-level agreements with assigned owners and tracking findings to closure most improves outcomes, because scanning only produces value when results are acted upon. Accountability and measurable timelines convert visibility into reduced risk. Adding more scanners or disabling scanning addresses the wrong end of the process and leaves the remediation gap untouched.
- A security manager is integrating threat modeling into the system development process. At which point does threat modeling deliver the greatest value?
- Exclusively after the final release has shipped
- After a breach has occurred in production
- During design, so threats and mitigations are identified before the architecture is built
- Only during decommissioning of the system
Correct answer: During design, so threats and mitigations are identified before the architecture is built
Threat modeling delivers the greatest value during the design phase, when threats and mitigations can be identified and addressed before the architecture is committed and built. Catching design-level weaknesses early avoids costly rework and reduces exploitable flaws in production. Performing it only after release or after a breach forfeits the preventive benefit.
- A patch for a critical vulnerability has been released, but the affected system supports a revenue-critical process that cannot tolerate unplanned downtime. What is the most defensible management decision?
- Ignore the patch indefinitely because the system is important
- Apply the patch instantly to production without testing
- Assess the risk, test the patch, schedule deployment through change management, and apply interim compensating controls until the patch is live
- Remove the system from the vulnerability program so it stops appearing in scans
Correct answer: Assess the risk, test the patch, schedule deployment through change management, and apply interim compensating controls until the patch is live
The defensible decision is to assess the risk, test the patch, schedule deployment through change management, and apply interim compensating controls until the patch is live. This balances the urgency of the vulnerability against availability needs while still reducing exposure in the interim. Applying untested patches to critical systems or hiding the system from scans trades one risk for a larger one.
- A security manager must explain why configuration management baselines are essential to managing change over a system's life. What is the primary value of an authoritative configuration baseline?
- It provides a known reference state so that unauthorized drift can be detected and changes can be assessed against a stable point
- It guarantees the system will never require future changes
- It eliminates the need for any change approvals
- It permanently removes all vulnerabilities from the environment
Correct answer: It provides a known reference state so that unauthorized drift can be detected and changes can be assessed against a stable point
An authoritative configuration baseline provides a known reference state so unauthorized drift can be detected and proposed changes can be assessed against a stable, documented point. Without a baseline, the organization cannot tell intended configuration from drift or compromise. A baseline supports change control rather than eliminating the need for approvals.
- An organization is adopting DevSecOps and wants vulnerability management to keep pace with frequent releases. Which practice best aligns vulnerability management with continuous delivery?
- Integrating automated scanning of code, dependencies, and infrastructure into the CI/CD pipeline with policy gates
- Scanning only after a customer reports a problem
- Performing a single manual scan once per year
- Disabling automated checks to speed up releases
Correct answer: Integrating automated scanning of code, dependencies, and infrastructure into the CI/CD pipeline with policy gates
Integrating automated scanning of code, dependencies, and infrastructure into the CI/CD pipeline with policy gates aligns vulnerability management with continuous delivery. Automated, in-pipeline checks catch issues at the speed of release rather than letting them accumulate. Annual or reactive scanning cannot keep pace with rapid deployment cadences.
- A security manager is establishing acceptance criteria for a system before it moves to production. Which gate most directly verifies that defined security requirements were met?
- A marketing readiness review
- Confirmation that the user manual has been printed
- A check that the project finished under budget
- Security testing and a formal control assessment mapped to the documented security requirements
Correct answer: Security testing and a formal control assessment mapped to the documented security requirements
Security testing and a formal control assessment mapped to the documented security requirements is the gate that verifies the requirements were actually met before production. This closes the traceability loop established when requirements were defined. Budget, manuals, and marketing readiness do not demonstrate that security controls function as specified.
- A software supplier delivers a third-party library bundled inside its product. To manage software supply chain risk, which artifact most helps the acquiring organization understand and monitor the components it is taking on?
- A software bill of materials (SBOM) enumerating the product's components and dependencies
- The vendor's quarterly sales projection
- A list of the vendor's office holidays
- A press release announcing the product launch
Correct answer: A software bill of materials (SBOM) enumerating the product's components and dependencies
A software bill of materials (SBOM) enumerates the product's components and dependencies, helping the acquiring organization understand and monitor its supply chain exposure. When a new vulnerability emerges in a component, the SBOM lets the organization quickly determine whether it is affected. Sales projections and press releases provide no component-level visibility.
- A security manager is asked whether change management or configuration management should own the record of approved modifications and the resulting updated baseline. How are these responsibilities best allocated?
- Neither process records changes; updates are tracked informally by memory
- Change management authorizes the modification, and configuration management updates and maintains the baseline to reflect the approved change
- Configuration management approves changes, and change management ignores the baseline
- Both processes are unnecessary once a system reaches production
Correct answer: Change management authorizes the modification, and configuration management updates and maintains the baseline to reflect the approved change
Change management authorizes the modification, and configuration management then updates and maintains the baseline so it reflects the approved change. The two processes interlock: authorization governs whether a change happens, and configuration management keeps the system of record accurate afterward. Tracking changes informally or abandoning these processes in production leads to drift and loss of control.
- A legacy application has reached end of vendor support, and no patches will be issued for newly discovered vulnerabilities. From a lifecycle management perspective, which response best controls the resulting risk?
- Assess the risk and apply compensating controls such as isolation and enhanced monitoring while planning migration or decommissioning
- Expose it to the internet to encourage faster discovery of issues
- Continue operating it indefinitely with no additional measures
- Remove it from the asset inventory so it no longer appears in reports
Correct answer: Assess the risk and apply compensating controls such as isolation and enhanced monitoring while planning migration or decommissioning
When an application loses vendor support, the best response is to assess the risk and apply compensating controls such as network isolation and enhanced monitoring while planning migration or decommissioning. Unsupported systems cannot be patched, so other safeguards must compensate until they are retired. Hiding the system from inventory or leaving it unmanaged increases unaddressed exposure.
- A security manager is reviewing whether a vendor's secure development practices are adequate before acquisition. Which evidence most credibly demonstrates the vendor builds security into its products?
- The size of the vendor's advertising budget
- The number of awards the product has won
- A salesperson's verbal assurance that the product is secure
- Documentation of a secure SDLC, results of independent security testing, and a published vulnerability handling and patching process
Correct answer: Documentation of a secure SDLC, results of independent security testing, and a published vulnerability handling and patching process
Documentation of a secure SDLC, results of independent security testing, and a published vulnerability handling and patching process most credibly demonstrate that a vendor builds security into its products. These are verifiable artifacts of process and outcome rather than claims. Verbal assurances, awards, and advertising spend do not provide evidence of secure engineering.
- An organization wants to ensure that operating system and application updates are deployed reliably and safely across thousands of endpoints. Which patch management practice most reduces the chance that a patch causes an outage?
- Allowing each user to decide whether to install updates
- Testing patches in a representative environment and rolling them out in phased waves with a rollback plan
- Deploying every patch to all systems at once with no testing
- Applying patches only after a vendor announces end of support
Correct answer: Testing patches in a representative environment and rolling them out in phased waves with a rollback plan
Testing patches in a representative environment and rolling them out in phased waves with a rollback plan most reduces the chance of an outage. Phased deployment limits blast radius and lets the team catch incompatibilities before they reach the whole estate. Mass untested deployment or user-discretion patching produces inconsistent coverage and higher operational risk.
- During the design phase of a new system, architects must decide how to handle a sensitive data store. Which secure SDLC practice should drive this design decision?
- Copying the design from an unrelated public sample with no review
- Applying security design principles such as least privilege, defense in depth, and secure defaults informed by the threat model
- Deferring all security considerations until the system is in production
- Choosing the design that is cheapest to implement regardless of exposure
Correct answer: Applying security design principles such as least privilege, defense in depth, and secure defaults informed by the threat model
The design should apply security design principles such as least privilege, defense in depth, and secure defaults, informed by the threat model produced for the system. These principles translate identified threats into concrete architectural protections during design, when they are most effective. Deferring security to production or copying unreviewed designs leaves the data store exposed.
- A security manager is asked to establish criteria for when a change requires re-authorization of a previously accredited system. Which trigger most appropriately requires re-authorization?
- Routine log rotation that occurs every night
- A change to the office cafeteria menu
- Any change of desktop wallpaper on user machines
- A significant change to the system's security posture, architecture, or risk that may invalidate prior authorization
Correct answer: A significant change to the system's security posture, architecture, or risk that may invalidate prior authorization
A significant change to the system's security posture, architecture, or risk that may invalidate prior authorization is the trigger that appropriately requires re-authorization. When a change materially alters the basis on which residual risk was accepted, the authorizing official must reassess. Trivial or routine operational events do not affect the authorization basis.
- A security manager must ensure that data is rendered unrecoverable when storage media leave the organization at end of life. Which approach aligns with secure lifecycle disposal requirements?
- Selecting a media sanitization method appropriate to the data sensitivity and media type, with verification and documented disposal
- Reformatting once and assuming the data is gone
- Storing the media in an unlocked closet indefinitely
- Deleting files and reusing the media without further action
Correct answer: Selecting a media sanitization method appropriate to the data sensitivity and media type, with verification and documented disposal
Secure disposal requires selecting a media sanitization method appropriate to the data sensitivity and media type, then verifying and documenting the disposal. A simple delete or single reformat can leave recoverable data, and method selection must match both the sensitivity and the physical media. Verification and documentation provide the assurance and audit trail that disposal was completed.
- An organization is establishing how vulnerability management and patch management hand off to each other operationally. Which handoff model is most accurate?
- Vulnerability management identifies and prioritizes a weakness, assigns a remediation, and when that remediation is a vendor update, patch management tests and deploys it and reports completion back
- Patch management discovers vulnerabilities and vulnerability management deploys the fixes
- The two programs never interact and operate in isolation
- Both programs only run after an external auditor requests them
Correct answer: Vulnerability management identifies and prioritizes a weakness, assigns a remediation, and when that remediation is a vendor update, patch management tests and deploys it and reports completion back
In the accurate handoff, vulnerability management identifies and prioritizes a weakness and assigns a remediation, and when that remediation is a vendor update, patch management tests and deploys it and reports completion back for verification. This closes the loop so the vulnerability program can confirm the exposure is resolved. Reversing the roles or operating the programs in isolation breaks the remediation chain.
- A security manager wants to confirm, after deployment, that a system's configuration still matches its approved secure baseline. Which ongoing practice provides this assurance?
- Reviewing the configuration only at the next hardware refresh years later
- Continuous configuration monitoring with automated drift detection against the baseline
- Deleting the baseline once the system is live
- Assuming the configuration is unchanged because no one reported a problem
Correct answer: Continuous configuration monitoring with automated drift detection against the baseline
Continuous configuration monitoring with automated drift detection against the baseline confirms that a deployed system still matches its approved secure state. Detecting drift quickly allows unauthorized or accidental changes to be investigated and corrected before they become exploitable. Assuming stability or waiting years between reviews lets drift accumulate undetected.
- A board asks a CISO to clarify the difference between the organization's risk appetite and its risk tolerance. Which explanation is most accurate?
- Risk appetite is the granular threshold for a single control, while risk tolerance is the enterprise-wide strategic statement
- Risk appetite and risk tolerance are interchangeable terms that both describe the security budget
- Risk tolerance is always set higher than the organization's financial risk capacity to encourage growth
- Risk appetite is the broad, strategic amount and type of risk the organization is willing to pursue to meet objectives, while risk tolerance is the acceptable variation around a specific objective or individual risk
Correct answer: Risk appetite is the broad, strategic amount and type of risk the organization is willing to pursue to meet objectives, while risk tolerance is the acceptable variation around a specific objective or individual risk
Risk appetite is the broad, strategic amount and type of risk an organization is willing to pursue to meet its objectives, while risk tolerance is the acceptable variation around a specific objective or individual risk. Appetite is aggregate and directional; tolerance is granular and measurable, and it is normally set within capacity rather than above it.
- A risk analyst calculates the single loss expectancy (SLE) for a database server. Which formula should be used?
- SLE = asset value (AV) multiplied by exposure factor (EF)
- SLE = exposure factor (EF) multiplied by annualized rate of occurrence (ARO)
- SLE = asset value (AV) divided by annualized rate of occurrence (ARO)
- SLE = annualized rate of occurrence (ARO) multiplied by exposure factor (EF)
Correct answer: SLE = asset value (AV) multiplied by exposure factor (EF)
Single loss expectancy equals asset value multiplied by exposure factor (SLE = AV x EF). The exposure factor is the percentage of the asset's value expected to be lost in a single event, so multiplying it by the asset value yields the monetary loss from one occurrence.
- An asset is valued at $500,000, and a particular fire event is estimated to destroy 40 percent of its value. What is the single loss expectancy?
- $40,000
- $300,000
- $200,000
- $500,000
Correct answer: $200,000
The single loss expectancy is $200,000, calculated as asset value times exposure factor ($500,000 x 0.40). The 40 percent exposure factor represents the proportion of the asset's value lost in one event, so the SLE is the dollar amount of that single loss.
- In quantitative risk analysis, what does the exposure factor (EF) represent?
- The dollar value of loss expected across an entire year
- The number of times per year a threat is expected to occur
- The total replacement cost of the asset in dollars
- The percentage of an asset's value that is expected to be lost if a specific threat is realized
Correct answer: The percentage of an asset's value that is expected to be lost if a specific threat is realized
The exposure factor is the percentage of an asset's value expected to be lost if a specific threat is realized, expressed as a value between 0 and 100 percent. It is multiplied by asset value to derive single loss expectancy; the annual frequency is the separate ARO term.
- A risk manager needs the annualized rate of occurrence (ARO) to complete an analysis. What does ARO express?
- The percentage of asset value lost in one incident
- The estimated number of times a specific threat is expected to occur in a single year
- The maximum tolerable downtime for the affected asset
- The total monetary loss expected from all incidents over a decade
Correct answer: The estimated number of times a specific threat is expected to occur in a single year
The annualized rate of occurrence is the estimated number of times a specific threat is expected to materialize in one year. A threat expected once every four years has an ARO of 0.25, while one expected three times yearly has an ARO of 3.
- A risk analyst must compute annualized loss expectancy. The single loss expectancy is $80,000 and the threat is expected to occur twice per year. What is the ALE, and how is it derived?
- $160,000, derived by multiplying SLE by ARO (SLE x ARO)
- $40,000, derived by dividing SLE by ARO
- $82,000, derived by adding SLE and ARO
- $80,000, because ALE always equals SLE
Correct answer: $160,000, derived by multiplying SLE by ARO (SLE x ARO)
The annualized loss expectancy is $160,000, derived by multiplying single loss expectancy by the annualized rate of occurrence ($80,000 x 2). ALE = SLE x ARO converts a per-event loss into an expected yearly figure used to justify control spending.
- A team is computing ALE end to end starting from raw inputs. Which sequence correctly chains the quantitative formulas?
- Compute SLE as ARO times EF, then compute ALE as SLE divided by AV
- Compute SLE as AV times EF, then compute ALE as SLE times ARO
- Compute ALE as AV times EF, then compute SLE as ALE times ARO
- Compute ALE as AV times ARO, then compute SLE as ALE times EF
Correct answer: Compute SLE as AV times EF, then compute ALE as SLE times ARO
The correct chain is to compute single loss expectancy as asset value times exposure factor, then compute annualized loss expectancy as SLE times the annualized rate of occurrence. SLE captures the cost of one event and ARO scales it to an annual figure.
- A CISO wants to define risk treatment options for the program's risk policy. Which set correctly names the four recognized risk treatment options?
- Detect, prevent, correct, and recover
- Insure, ignore, escalate, and delegate
- Avoid, mitigate (reduce), transfer (share), and accept (retain)
- Identify, assess, monitor, and report
Correct answer: Avoid, mitigate (reduce), transfer (share), and accept (retain)
The four recognized risk treatment options are to avoid, mitigate (reduce), transfer (share), and accept (retain) the risk. Detect/prevent/correct describe control types, and identify/assess/monitor describe risk process steps, not treatment choices.
- A company decides to stop offering a legacy online service entirely because the cybersecurity risk cannot be reduced to an acceptable level. Which risk treatment option does this represent?
- Risk avoidance
- Risk acceptance
- Risk transfer
- Risk mitigation
Correct answer: Risk avoidance
Discontinuing the activity that generates the risk is risk avoidance, which eliminates exposure by ceasing the risky undertaking. Mitigation reduces but retains the activity, transfer shifts financial consequences to a third party, and acceptance retains the risk as-is.
- A security manager deploys additional controls that lower a risk's likelihood and impact but keeps the business process running. Which treatment option best describes this action?
- Risk transfer
- Risk acceptance
- Risk avoidance
- Risk mitigation (reduction)
Correct answer: Risk mitigation (reduction)
Adding controls to lower likelihood or impact while continuing the activity is risk mitigation, also called risk reduction. Avoidance would stop the activity, transfer would shift the loss to a third party such as an insurer, and acceptance would take no further action.
- A manager is asked to define residual risk for an audit. Which definition is correct?
- The total risk present before any controls are implemented
- The risk that has been fully transferred to an insurer
- The risk that remains after controls and other treatments have been applied
- The difference between two unrelated business risks
Correct answer: The risk that remains after controls and other treatments have been applied
Residual risk is the risk that remains after controls and other treatments have been applied. It is distinct from inherent risk, which is the exposure before controls, and it is the residual amount that management must evaluate against risk tolerance and formally accept.
- A security manager must explain the difference between a threat, a vulnerability, and a risk to executives. Which set of definitions is correct?
- A threat is a weakness in a system, a vulnerability is the likelihood of an event, and risk is an external attacker
- A threat and a vulnerability are identical, and risk is simply the asset's dollar value
- A vulnerability is a potential cause of harm, a threat is a system weakness, and risk is the cost of insurance
- A threat is a potential cause of harm, a vulnerability is a weakness that a threat can exploit, and risk is the potential for loss when a threat exploits a vulnerability
Correct answer: A threat is a potential cause of harm, a vulnerability is a weakness that a threat can exploit, and risk is the potential for loss when a threat exploits a vulnerability
A threat is a potential cause of harm, a vulnerability is a weakness that a threat can exploit, and risk is the potential for loss that arises when a threat exploits a vulnerability against an asset. Risk therefore depends on the combination of threat, vulnerability, and impact rather than any single element.
- A CISO is documenting what belongs in the organization's risk register. Which description best captures the purpose of a risk register?
- A living record that captures identified risks along with their description, likelihood, impact, owner, treatment decision, and current status
- A log of every firewall rule change approved during the year
- A list of employees authorized to access sensitive systems
- A static inventory of hardware assets and their purchase prices
Correct answer: A living record that captures identified risks along with their description, likelihood, impact, owner, treatment decision, and current status
A risk register is a living record that captures identified risks together with their description, likelihood, impact, assigned owner, chosen treatment, and current status. It is the central governance artifact for tracking risks over time, not an asset inventory or access list.
- A program manager wants to define supply chain risk management for a new policy. Which statement best describes cybersecurity supply chain risk management (C-SCRM)?
- A method for forecasting customer demand to optimize inventory levels
- The practice of negotiating the lowest possible price from every supplier
- The process of physically tracking shipments of hardware between warehouses
- The process of identifying, assessing, and mitigating cybersecurity risks introduced by suppliers, contractors, products, and services across the supply chain
Correct answer: The process of identifying, assessing, and mitigating cybersecurity risks introduced by suppliers, contractors, products, and services across the supply chain
Cybersecurity supply chain risk management is the process of identifying, assessing, and mitigating cybersecurity risks introduced by suppliers, contractors, products, and services across the supply chain. Guidance such as NIST SP 800-161 frames it as a tiered, risk-based discipline rather than a procurement-cost or logistics function.
- Following NIST SP 800-161 guidance, which combination best characterizes a mature third-party (supplier) risk approach?
- Annual replacement of all suppliers regardless of performance or risk
- Reliance on the supplier's marketing materials to confirm security posture
- Pre-award supplier evaluation, post-award continuous monitoring, and supply chain incident response coordination supported by documented procedures
- A single signed contract clause and no further oversight after onboarding
Correct answer: Pre-award supplier evaluation, post-award continuous monitoring, and supply chain incident response coordination supported by documented procedures
A mature supplier risk approach combines pre-award evaluation, post-award continuous monitoring, and supply chain incident response coordination, all backed by documented procedures and evidence. A one-time contract clause or reliance on marketing claims leaves third-party risk largely unmanaged.
- Before onboarding a SaaS vendor that will process regulated customer data, which activity best supports a defensible third-party risk assessment?
- Verifying the vendor's office is located in the same city
- Checking how many social media followers the vendor has
- Reviewing the vendor's independent audit reports, security questionnaire responses, and evidence of control effectiveness against the organization's requirements
- Confirming the vendor has an attractive, modern website
Correct answer: Reviewing the vendor's independent audit reports, security questionnaire responses, and evidence of control effectiveness against the organization's requirements
A defensible third-party risk assessment reviews independent audit reports, security questionnaire responses, and evidence of control effectiveness mapped to the organization's own requirements. Brand presence, popularity, and location are not indicators of a vendor's security control maturity.
- A security manager is formalizing the vendor risk management process. Which sequence reflects the typical lifecycle stages?
- Offboard the vendor before performing any due diligence
- Sign the contract first, then determine whether the vendor is needed
- Monitor the vendor only after a breach has already occurred
- Identify and tier vendors, perform due-diligence assessment, define contractual security requirements, monitor continuously, and offboard securely
Correct answer: Identify and tier vendors, perform due-diligence assessment, define contractual security requirements, monitor continuously, and offboard securely
The vendor risk management lifecycle typically moves from identifying and tiering vendors, to due-diligence assessment, to embedding contractual security requirements, to continuous monitoring, and finally to secure offboarding. Contracting before assessment or monitoring only after a breach inverts the controls and leaves gaps.
- A CISO wants the appropriate depth of due diligence applied to each supplier. Which approach is most consistent with a risk-based vendor program?
- Skip assessment for any vendor below a fixed contract dollar amount
- Tier vendors by the criticality and sensitivity of the data and services they touch, then apply deeper assessment to higher-tier vendors
- Apply the same exhaustive assessment to every vendor regardless of risk
- Assess only the vendors that request to be assessed
Correct answer: Tier vendors by the criticality and sensitivity of the data and services they touch, then apply deeper assessment to higher-tier vendors
A risk-based vendor program tiers suppliers by the criticality and sensitivity of the data and services they handle, concentrating deeper assessment on higher-tier vendors. Uniform exhaustive assessment wastes limited resources, while contract-value or voluntary triggers can leave high-risk, low-cost vendors unchecked.
- When should a security leader prefer quantitative over qualitative risk analysis?
- When no historical or loss data is available and only expert judgment can be applied
- When the goal is to avoid producing any numeric output
- When leadership wants only simple high, medium, and low ratings
- When sufficient reliable data exists to assign monetary values and the organization needs financially justified, comparable results
Correct answer: When sufficient reliable data exists to assign monetary values and the organization needs financially justified, comparable results
Quantitative analysis is preferred when sufficient reliable data exists to assign monetary values and the organization needs financially justified, comparable results such as ALE figures. When data is scarce and judgment-based, qualitative high/medium/low ratings are more practical.
- A new analyst asks what quantitative risk analysis actually produces. Which answer is correct?
- Descriptive labels such as high, medium, and low with no monetary value
- A narrative opinion that deliberately avoids any calculation
- Numeric, monetary estimates of risk such as single loss expectancy and annualized loss expectancy that support cost-benefit decisions
- A ranked list of vendors by their marketing reputation
Correct answer: Numeric, monetary estimates of risk such as single loss expectancy and annualized loss expectancy that support cost-benefit decisions
Quantitative risk analysis produces numeric, monetary estimates of risk, such as single loss expectancy and annualized loss expectancy, that support cost-benefit and control-investment decisions. Descriptive high/medium/low labels are the output of qualitative analysis instead.
- A risk team has little historical loss data for an emerging threat and must still prioritize it quickly. Which analysis method is most appropriate?
- Quantitative analysis requiring precise dollar exposure factors
- No analysis until several years of incident data accumulate
- Transferring the risk before any analysis is performed
- Qualitative analysis using expert-judgment likelihood and impact ratings
Correct answer: Qualitative analysis using expert-judgment likelihood and impact ratings
When historical loss data is scarce, qualitative analysis using expert-judgment likelihood and impact ratings allows the team to prioritize quickly. Quantitative analysis depends on reliable numeric inputs that are not yet available, and deferring all analysis would leave the emerging threat unmanaged.
- An organization is acquiring and deploying generative AI tools. Under the updated ISSMP risk emphasis, which framework is specifically designed to help govern AI-related risk?
- The NIST AI Risk Management Framework (AI RMF) and ISO/IEC 42001
- PCI DSS
- The OSI seven-layer model
- ISO 9001 quality management
Correct answer: The NIST AI Risk Management Framework (AI RMF) and ISO/IEC 42001
The NIST AI Risk Management Framework and ISO/IEC 42001 are designed to govern AI-related risk, including the ethical use and procurement of generative AI. PCI DSS addresses cardholder data, ISO 9001 covers quality management, and the OSI model is a networking reference, none of which target AI risk governance.
- A security committee debates whether risk assessment should be a single annual event. Which statement reflects the modern risk management posture the ISSMP outline emphasizes?
- Risk management is unnecessary once a framework has been selected
- Risk management should be a dynamic, continuous discipline because assets, threats, and the environment change constantly
- Risk management is a one-time, point-in-time activity that rarely needs revisiting
- Risk management should be paused entirely between annual audits
Correct answer: Risk management should be a dynamic, continuous discipline because assets, threats, and the environment change constantly
Modern risk management is a dynamic, continuous discipline because assets, threats, vulnerabilities, and the business environment change constantly. The outdated point-in-time model leaves the organization blind to newly emerging exposures between assessments.
- A risk owner must decide on treatment for a risk whose annualized loss expectancy is $30,000, while the control that would reduce it costs $90,000 per year. Which decision is most defensible from a cost-benefit standpoint?
- Avoid the activity entirely regardless of business value
- Accept the risk or seek a lower-cost control, because the control cost exceeds the expected annual loss it would prevent
- Transfer the risk through insurance priced at $200,000 per year
- Implement the control immediately because more security is always better
Correct answer: Accept the risk or seek a lower-cost control, because the control cost exceeds the expected annual loss it would prevent
Accepting the risk or seeking a lower-cost control is most defensible because the $90,000 control cost exceeds the $30,000 annualized loss it would prevent. Spending more to mitigate than the expected loss, or transferring at an even higher premium, fails a basic cost-benefit test.
- A risk manager wants a structured way to relate identified vulnerabilities to the threats that could exploit them and the resulting business impact. Which technique best supports this analysis?
- Threat modeling that maps threats, vulnerabilities, and impacts to prioritize risk
- A backup rotation schedule
- A help-desk ticket triage matrix
- A marketing campaign calendar
Correct answer: Threat modeling that maps threats, vulnerabilities, and impacts to prioritize risk
Threat modeling maps threats, vulnerabilities, and potential impacts together, enabling the team to reason about and prioritize risk systematically. Backup schedules and ticket triage serve operational purposes and do not analyze the threat-vulnerability-impact relationship.
- An authorizing official is presented with a system's residual risk after controls are applied. What is the official's core responsibility at this decision point?
- To delegate the entire decision to the development team
- To recalculate every control's cost from scratch
- To remove the risk from the register so it no longer appears
- To formally accept the residual risk on behalf of the organization or require additional treatment before authorizing operation
Correct answer: To formally accept the residual risk on behalf of the organization or require additional treatment before authorizing operation
The authorizing official must formally accept the residual risk on behalf of the organization or require additional treatment before authorizing the system to operate. Deleting the risk or delegating the accountability would undermine the formal acceptance that authorization requires.
- A risk leader wants to ensure each entry in the risk register drives action. Which field is most essential for accountability?
- A designated risk owner responsible for the treatment decision and its status
- The number of words in the risk description
- The date the spreadsheet file was created
- The font and color used to format the entry
Correct answer: A designated risk owner responsible for the treatment decision and its status
A designated risk owner responsible for the treatment decision and its ongoing status is the most essential field for accountability in a risk register. Without a named owner, risks may be tracked but never driven to resolution; formatting and file metadata do not affect accountability.
- Two risks share the same potential financial impact, but one is far more likely to occur this year. How should a risk-based program treat them?
- Ignore likelihood and prioritize only by asset purchase price
- Rank the more likely risk higher because risk is a function of both impact and likelihood
- Treat them identically because their financial impacts are equal
- Rank the less likely risk higher to be conservative
Correct answer: Rank the more likely risk higher because risk is a function of both impact and likelihood
The more likely risk should rank higher because risk is a function of both impact and likelihood, not impact alone. When impacts are equal, the higher probability of occurrence increases expected loss and therefore priority.
- A CISO is establishing risk appetite statements for the enterprise. Who is ultimately responsible for setting and approving the organization's risk appetite?
- The external penetration testing vendor
- The SOC analysts who monitor alerts each day
- Senior leadership and the board, who own the strategic decision about how much risk the organization will pursue
- Individual end users selecting their own tolerance
Correct answer: Senior leadership and the board, who own the strategic decision about how much risk the organization will pursue
Senior leadership and the board are ultimately responsible for setting and approving risk appetite because it is a strategic decision about how much risk the organization will pursue to meet objectives. Analysts, testers, and end users operate within that appetite rather than defining it.
- A manufacturer discovers that a critical component supplier was itself compromised, exposing downstream products. Which risk category does this scenario primarily illustrate?
- Insider threat originating from the organization's own employees
- Capacity planning risk from insufficient compute resources
- Physical environmental risk from a natural disaster
- Supply chain (third-party) risk propagating to the organization through its suppliers
Correct answer: Supply chain (third-party) risk propagating to the organization through its suppliers
A compromise at a critical supplier that flows downstream to products is supply chain (third-party) risk, where exposure propagates through the organization's suppliers. It is distinct from insider threats, environmental hazards, or capacity constraints, which arise from different sources.
- A risk team must aggregate many individual risk ratings into an enterprise view for leadership. Which tool most directly supports communicating relative risk severity at a glance?
- A network topology diagram
- A payroll ledger
- A risk matrix (heat map) plotting likelihood against impact
- A software license inventory
Correct answer: A risk matrix (heat map) plotting likelihood against impact
A risk matrix or heat map plots likelihood against impact, communicating relative severity at a glance and supporting prioritization conversations with leadership. Topology diagrams, payroll ledgers, and license inventories serve unrelated operational purposes.
- A control's annual cost is $15,000 and it reduces a risk's ALE from $100,000 to $20,000. What is the value the control delivers, and how is it derived?
- $15,000 of net benefit, equal to the control cost itself
- $80,000 of net benefit, because the control cost is ignored
- $120,000 of net benefit, derived by adding the two ALE figures
- $65,000 of net benefit, derived as the ALE reduction of $80,000 minus the $15,000 control cost
Correct answer: $65,000 of net benefit, derived as the ALE reduction of $80,000 minus the $15,000 control cost
The control delivers $65,000 of net benefit, derived by subtracting its $15,000 annual cost from the $80,000 reduction in annualized loss expectancy (from $100,000 down to $20,000). This control-value comparison of loss reduction against cost justifies the investment quantitatively.
- A risk falls outside the organization's stated risk tolerance after initial controls. What is the appropriate next step?
- Automatically accept the risk because some controls already exist
- Delete the risk from the register to close it
- Disclose the risk publicly to transfer responsibility
- Apply additional treatment to bring the residual risk within tolerance, or escalate for an explicit exception decision
Correct answer: Apply additional treatment to bring the residual risk within tolerance, or escalate for an explicit exception decision
When residual risk exceeds tolerance, the organization should apply additional treatment to bring it within tolerance or escalate for an explicit, documented exception decision. Silently accepting an out-of-tolerance risk or deleting it from the register bypasses the governance that tolerance thresholds are meant to enforce.
- A risk owner chooses to transfer a risk via a contractual indemnification clause with a service provider. Which limitation should the owner keep in mind about transfer?
- Transfer converts the risk into an avoided risk automatically
- Transfer fully eliminates the risk so no residual risk remains
- Transfer removes the need to monitor the provider afterward
- Transfer shifts financial or legal consequences but the organization typically retains accountability and reputational impact
Correct answer: Transfer shifts financial or legal consequences but the organization typically retains accountability and reputational impact
Risk transfer shifts financial or legal consequences to another party, but the organization typically retains accountability and reputational impact for the underlying risk. Transfer neither eliminates residual risk nor removes the duty to monitor the third party that now shares the exposure.
- A CISO wants risk decisions to be repeatable and traceable across the enterprise. Which governance practice best achieves this?
- Defining a documented risk management process with consistent criteria for assessment, treatment selection, approval authority, and review
- Letting each manager improvise risk decisions case by case
- Reassessing risks only when an auditor specifically requests it
- Recording risk decisions only verbally in meetings
Correct answer: Defining a documented risk management process with consistent criteria for assessment, treatment selection, approval authority, and review
A documented risk management process with consistent criteria for assessment, treatment selection, approval authority, and review makes risk decisions repeatable and traceable. Improvised, verbal, or audit-driven-only approaches produce inconsistent decisions that are hard to defend.
- A security manager must distinguish inherent risk from residual risk when reporting to leadership. Which pairing is correct?
- Inherent risk is what remains after controls; residual risk is the exposure before controls
- Inherent risk and residual risk are identical measurements
- Inherent risk is the cost of insurance; residual risk is the deductible
- Inherent risk is the exposure before controls are applied; residual risk is what remains after controls are applied
Correct answer: Inherent risk is the exposure before controls are applied; residual risk is what remains after controls are applied
Inherent risk is the exposure that exists before controls are applied, while residual risk is what remains after controls and other treatments are in place. Reporting both lets leadership see how much risk the control environment is actually reducing.
- A vendor risk team finds that a critical supplier's security posture has degraded a year after onboarding. Which earlier program decision would have surfaced this soonest?
- Reducing the number of security questions in the onboarding questionnaire
- Choosing the vendor solely on lowest price at onboarding
- Signing a longer contract term to lock in the relationship
- Establishing continuous or periodic monitoring of the vendor rather than relying only on the point-in-time onboarding assessment
Correct answer: Establishing continuous or periodic monitoring of the vendor rather than relying only on the point-in-time onboarding assessment
Establishing continuous or periodic monitoring of the vendor would have surfaced the degraded posture soonest, because a single onboarding assessment captures only a point in time. Vendor security changes over the relationship, so ongoing monitoring is the control that detects drift.
- A CISO presents a quantitative ALE figure to the board, but a director questions its precision. What is the most honest characterization of quantitative risk results?
- They are estimates whose accuracy depends on the quality of the input data and assumptions, not exact predictions of future loss
- They are precise guarantees of the exact loss the organization will incur next year
- They are unaffected by the quality of the underlying data inputs
- They are purely subjective opinions with no numeric basis
Correct answer: They are estimates whose accuracy depends on the quality of the input data and assumptions, not exact predictions of future loss
Quantitative risk results are estimates whose accuracy depends on the quality of the input data and assumptions, not exact predictions of future loss. Figures like ALE are useful for cost-benefit comparison, but presenting them as guarantees overstates their precision while calling them purely subjective understates their numeric basis.
- A security manager is briefing executives on what a security operations center is. Which description most accurately captures its core function?
- A quarterly committee that approves the organization's security policies and budgets
- A software platform that automatically encrypts all data at rest and in transit
- A regulatory body that certifies the organization against compliance frameworks
- A centralized team and facility that continuously monitors, detects, analyzes, and responds to security events across the organization
Correct answer: A centralized team and facility that continuously monitors, detects, analyzes, and responds to security events across the organization
A security operations center (SOC) is a centralized team and facility that continuously monitors, detects, analyzes, and responds to security events across the organization. It is an operational function combining people, processes, and technology, not a single tool, a governance committee, or an external certifier. The policy-approval body describes a steering committee, which is a governance function rather than operations.
- Executives ask the security manager to clarify the difference between a SIEM and a SOC. Which statement is correct?
- A SIEM is a team of analysts, while a SOC is a software licensing model
- A SIEM and a SOC are interchangeable names for the same monitoring appliance
- A SIEM is a technology platform that aggregates and correlates security data, while a SOC is the team and process that monitors and acts on it
- A SIEM responds to incidents and a SOC only stores backups
Correct answer: A SIEM is a technology platform that aggregates and correlates security data, while a SOC is the team and process that monitors and acts on it
A SIEM is a technology platform that aggregates and correlates security data, whereas a SOC is the team and operating process that monitors the SIEM output and acts on it. The SIEM is a tool that the SOC uses; the two are complementary, not interchangeable. A SIEM without analysts watching and responding produces alerts that no one acts on.
- A CISO must select a published reference to structure the organization's incident response program. Which sequence reflects the incident response life cycle as described in NIST SP 800-61 Revision 2?
- Identification; quotation; negotiation; settlement
- Preparation; detection and analysis; containment, eradication, and recovery; post-incident activity
- Procurement; deployment; auditing; decommissioning
- Planning; coding; testing; release
Correct answer: Preparation; detection and analysis; containment, eradication, and recovery; post-incident activity
NIST SP 800-61 Revision 2 defines a four-phase incident response life cycle: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity. This four-phase model is the widely taught management reference for incident response programs. NIST SP 800-61 Revision 3 (April 2025) restructured guidance around the CSF 2.0 functions rather than preserving the four-phase lifecycle as formal phases. The other sequences describe procurement, sales, or software development processes, not incident response.
- Within the incident response life cycle, what is the correct order of the three activities that follow detection and analysis?
- Eradication, then recovery, then containment
- Recovery, then containment, then eradication
- Recovery, then eradication, then containment
- Containment, then eradication, then recovery
Correct answer: Containment, then eradication, then recovery
The correct order is containment, then eradication, then recovery. Containment limits the spread and damage, eradication removes the threat such as malware or compromised accounts, and recovery restores systems to normal operation and validates them. Attempting recovery before the threat is contained and eradicated risks reinfection of restored systems.
- A security operations manager is documenting the incident response life cycle steps so analysts apply them consistently. Which activity belongs to the eradication step rather than the containment step?
- Blocking a malicious external IP address at the firewall
- Removing malware and disabling compromised accounts from affected systems
- Disconnecting a compromised laptop from wireless access
- Isolating an infected subnet from the rest of the network
Correct answer: Removing malware and disabling compromised accounts from affected systems
Removing malware and disabling compromised accounts is eradication, which eliminates the root cause and artifacts of the incident. Isolating subnets, disconnecting hosts, and blocking malicious IPs are containment actions that limit spread while investigation continues. Eradication occurs after the incident is contained and the affected components are understood.
- A development program manager wants to embed threat modeling in the SDLC. At which point does threat modeling deliver the most value?
- Only after the application is in production and an incident occurs
- During design, so threats and countermeasures are identified before code is written
- Only when a regulator specifically requests it
- Only during the final user acceptance testing window
Correct answer: During design, so threats and countermeasures are identified before code is written
Threat modeling delivers the most value during the design phase of the SDLC, when threats and countermeasures can be identified before code is written and changes are cheap. Deferring it to production or to a single late test misses the architectural decisions that shape the attack surface. The Security Operations domain treats threat modeling as input to detection and response design, not a one-time compliance task.
- A major ransomware event has shut down operations and is generating press inquiries. The security manager must distinguish crisis management from incident management. Which statement is accurate?
- Incident management and crisis management are identical processes with different names
- Crisis management is a subset of incident management performed only by SOC analysts
- Crisis management handles routine alerts while incident management handles executive communications
- Incident management handles the technical detection and resolution of the event, while crisis management addresses enterprise-wide consequences such as reputation, stakeholders, and continuity
Correct answer: Incident management handles the technical detection and resolution of the event, while crisis management addresses enterprise-wide consequences such as reputation, stakeholders, and continuity
Incident management handles the technical detection, containment, and resolution of an event, while crisis management addresses the broader enterprise consequences such as reputation, stakeholder communication, regulatory exposure, and business continuity. They are distinct but coordinated; a severe incident can escalate into a crisis requiring executive leadership beyond the SOC. They are not the same process, and crisis management is not a SOC analyst task.
- A forensic examiner is documenting the digital forensics process steps for an investigation. Which ordering reflects the formal forensic process phases as described in NIST SP 800-86?
- Collection, reporting, analysis, and examination
- Reporting, analysis, examination, and collection
- Collection, examination, analysis, and reporting
- Analysis, reporting, collection, and examination
Correct answer: Collection, examination, analysis, and reporting
NIST SP 800-86 defines four formal forensic process phases: collection, examination, analysis, and reporting. During collection, data is identified, acquired, and preserved. Examination extracts relevant data from the collected sources. Analysis interprets findings to reconstruct events. Reporting communicates findings and methodology. The other orderings invert these dependent stages.
- An analyst seizes a hard drive that may become evidence in litigation. What is chain of custody in digital forensics, and why does it matter?
- A backup schedule that determines how often evidence drives are overwritten
- A documented record of who collected, handled, transferred, and stored evidence, which preserves its integrity and admissibility
- A list of analysts authorized to delete evidence after an investigation
- A network diagram showing how evidence is routed through the SIEM
Correct answer: A documented record of who collected, handled, transferred, and stored evidence, which preserves its integrity and admissibility
Chain of custody is a documented record of every person who collected, handled, transferred, and stored a piece of evidence, including dates, times, and purposes. It preserves the integrity and admissibility of evidence by proving it was not altered or tampered with. Without an unbroken chain, evidence can be challenged or excluded in legal proceedings.
- A SOC relies heavily on a SIEM but struggles with alert fatigue and slow response. Which capability most directly automates and orchestrates routine response actions to address this?
- A standalone antivirus signature update service
- SOAR (security orchestration, automation, and response)
- A static network address translation table
- A quarterly vulnerability scan schedule
Correct answer: SOAR (security orchestration, automation, and response)
SOAR (security orchestration, automation, and response) integrates tools and automates routine response workflows, reducing alert fatigue and accelerating consistent handling. It complements the SIEM by acting on correlated alerts through playbooks. Antivirus updates, NAT tables, and scan schedules do not orchestrate response.
- A security manager wants the SOC to map observed adversary behaviors to a common knowledge base of tactics and techniques to improve detection coverage. Which resource is purpose-built for this?
- The ISO 9001 quality standard
- The MITRE ATT&CK framework
- The CIA triad
- The OSI seven-layer reference model
Correct answer: The MITRE ATT&CK framework
The MITRE ATT&CK framework catalogs real-world adversary tactics and techniques, letting a SOC map detections to known behaviors and find coverage gaps. The OSI model describes network layers, ISO 9001 addresses quality management, and the CIA triad is a high-level security principle, none of which provide an adversary behavior taxonomy.
- A security operations program manager must establish a vulnerability management program. Which sequence best describes its core operational cycle?
- Discover and inventory assets, scan for vulnerabilities, prioritize by risk, remediate, and verify
- Wait for incidents to reveal which vulnerabilities exist, then react
- Purchase scanning software, install it, and assume coverage is complete
- Patch every system at random intervals without scanning
Correct answer: Discover and inventory assets, scan for vulnerabilities, prioritize by risk, remediate, and verify
A vulnerability management program discovers and inventories assets, scans for vulnerabilities, prioritizes findings by risk, remediates, and verifies the fixes. This continuous cycle is risk-driven and proactive. Buying a scanner alone, patching randomly, or waiting for incidents leaves exposure unmanaged.
- After analyzing a large set of vulnerability findings, the SOC must decide remediation order. Which approach reflects sound security operations practice?
- Defer all remediation until the annual audit
- Remediate strictly in the order the scanner lists findings
- Fix only the vulnerabilities on internal systems and ignore internet-facing ones
- Prioritize based on exploitability, exposure, and business impact rather than raw severity scores alone
Correct answer: Prioritize based on exploitability, exposure, and business impact rather than raw severity scores alone
Sound practice prioritizes remediation based on exploitability, exposure, and business impact rather than raw severity scores alone, so effort targets the findings most likely to cause harm. Scanner list order, ignoring internet-facing assets, or deferring to the annual audit all misallocate limited remediation capacity.
- A SOC manager is defining what detection engineering should produce. What is the primary goal of building well-tuned detection rules and use cases?
- To encrypt all log data so it cannot be read
- To reliably identify malicious or anomalous activity while minimizing false positives and false negatives
- To replace the need for any human analysts in the SOC
- To generate the largest possible volume of alerts for the analysts
Correct answer: To reliably identify malicious or anomalous activity while minimizing false positives and false negatives
The goal of detection engineering is to reliably identify malicious or anomalous activity while minimizing both false positives and false negatives. Maximizing raw alert volume causes fatigue and missed true threats, and tuned detections support analysts rather than eliminating the human role. Encrypting logs is unrelated to detection quality.
- A SOC establishes baselines of normal system and network behavior. What is the primary operational benefit of doing so?
- It guarantees that no incidents will ever occur
- It automatically patches all discovered vulnerabilities
- It enables anomaly detection by making deviations from normal behavior visible
- It eliminates the need to collect logs
Correct answer: It enables anomaly detection by making deviations from normal behavior visible
Establishing behavioral baselines enables anomaly detection by making deviations from normal patterns visible and investigable. Baselines do not prevent incidents, remove the need for logging, or perform patching; they provide the reference against which suspicious activity is recognized.
- An analyst notices several low-severity events across different systems that, viewed together, suggest a coordinated attack. Which SOC capability is designed to surface this pattern?
- Single-source log retention with no analysis
- Software license reconciliation
- Event correlation across multiple data sources
- Physical access badge auditing
Correct answer: Event correlation across multiple data sources
Event correlation across multiple data sources links individually low-severity events into a meaningful pattern, revealing coordinated activity a single source would miss. Retaining logs without analysis, badge auditing, and license reconciliation do not connect distributed indicators into actionable detection.
- A SOC is flooded with alerts and the manager wants analysts to focus on what matters. Which practice most directly converts noisy alerts into actionable ones?
- Disabling logging on noisy systems to reduce alert counts
- Tuning, enrichment, and prioritization of alerts so analysts act on high-fidelity signals
- Deleting alerts that are not understood immediately
- Forwarding every alert directly to the CEO
Correct answer: Tuning, enrichment, and prioritization of alerts so analysts act on high-fidelity signals
Tuning, enrichment, and prioritization turn noisy alerts into high-fidelity, actionable signals so analysts spend effort where it counts. Disabling logging creates blind spots, escalating everything to the CEO is unworkable, and deleting misunderstood alerts discards potential indicators of real attacks.
- A security manager must staff round-the-clock monitoring but lacks budget for a 24/7 in-house team. Which option best preserves continuous detection coverage?
- Turn off alerting outside of business hours to reduce noise
- Engage a managed detection and response (MDR) or co-managed SOC provider with defined SLAs
- Rely solely on employees checking email for alerts
- Limit monitoring to business hours and accept blind spots overnight
Correct answer: Engage a managed detection and response (MDR) or co-managed SOC provider with defined SLAs
Engaging a managed detection and response or co-managed SOC provider with defined service levels preserves continuous coverage when in-house staffing is not feasible. Monitoring only during business hours, depending on ad hoc email checks, or disabling off-hours alerting leaves the highest-risk periods unwatched.
- A security manager is categorizing attack types to design appropriate detections. Which pairing correctly matches an attack category to its description?
- A phishing attack primarily exhausts network bandwidth
- A denial-of-service attack aims to disrupt availability of a system or service
- A privilege escalation attack only affects physical door locks
- A denial-of-service attack primarily steals confidential data without disruption
Correct answer: A denial-of-service attack aims to disrupt availability of a system or service
A denial-of-service attack aims to disrupt the availability of a system or service, overwhelming it so legitimate users cannot access it. Data theft describes a confidentiality attack, phishing targets users to harvest credentials or deliver payloads, and privilege escalation elevates access within systems, not physical locks. Correctly categorizing attacks guides detection and response design.
- During an active incident, the SOC must decide between immediate containment that disrupts a production service and delayed containment that preserves evidence and uptime. What should guide this decision?
- Whatever the most junior analyst on shift prefers
- Always choosing the option that is fastest to execute regardless of consequences
- Deferring the decision until the next scheduled change advisory board meeting
- A predefined containment strategy weighing business impact, evidence preservation, and threat spread, approved by the appropriate authority
Correct answer: A predefined containment strategy weighing business impact, evidence preservation, and threat spread, approved by the appropriate authority
The choice should follow a predefined containment strategy that weighs business impact, evidence preservation, and threat spread, with decisions made by the appropriate authority. Defaulting to the fastest action, leaving it to a junior analyst, or waiting for a routine change board can either destroy evidence or let an attack spread. Containment criteria are decided in advance during preparation.
- A SOC discovers evidence of a compromise and needs to capture volatile data. Which order of volatility principle should guide collection?
- Collect the most volatile data such as memory and running state first, before less volatile data like disk and archives
- Collect only data that is convenient and skip volatile sources
- Collect archived backups first because they are easiest to obtain
- Power off the system immediately before collecting anything
Correct answer: Collect the most volatile data such as memory and running state first, before less volatile data like disk and archives
The order of volatility principle directs collecting the most volatile data first, such as memory contents and running process state, before less volatile data like disk images and archives. Volatile data is lost when a system is powered off or rebooted, so capturing it early preserves critical evidence. Powering off first or starting with backups can destroy or miss transient artifacts.
- A forensic analyst makes a working copy of a seized drive for examination. Which practice best preserves the integrity of the original evidence?
- Reformat the original drive after copying to reclaim space
- Open and edit files directly on the original drive to save time
- Share the original drive among multiple analysts simultaneously
- Create a bit-for-bit forensic image and verify it with cryptographic hashing, working only on the copy
Correct answer: Create a bit-for-bit forensic image and verify it with cryptographic hashing, working only on the copy
Creating a bit-for-bit forensic image, verifying it with cryptographic hashing, and working only on the copy keeps the original evidence unaltered and makes that fact provable. Editing the original, reformatting it, or passing it among analysts compromises integrity and breaks the chain of custody, undermining admissibility.
- After containing and eradicating an incident, the SOC begins recovery. Which action is essential before declaring affected systems fully restored?
- Restore from any available backup without checking its integrity
- Skip validation to minimize downtime
- Validate that systems are clean, monitor them closely, and confirm normal operation before returning to production
- Immediately delete all incident logs to free storage
Correct answer: Validate that systems are clean, monitor them closely, and confirm normal operation before returning to production
Before declaring restoration complete, the SOC must validate that systems are clean, monitor them closely for signs of reinfection, and confirm normal operation. Deleting incident logs destroys evidence and lessons-learned input, skipping validation risks restoring compromised systems, and restoring from an unverified backup may reintroduce the threat.
- Following resolution of a significant incident, the security manager leads a root cause analysis. What is its primary purpose within security operations?
- To assign individual blame and discipline the responders
- To satisfy a checkbox with no follow-up actions
- To identify the underlying cause so controls and processes can be improved to prevent recurrence
- To immediately close the incident and avoid documentation
Correct answer: To identify the underlying cause so controls and processes can be improved to prevent recurrence
Root cause analysis identifies the underlying cause of an incident so controls and processes can be improved to prevent recurrence. It is a learning and improvement activity feeding the post-incident phase, not a blame exercise or a formality. Skipping documentation or follow-up wastes the most valuable output of the incident.
- After a breach, the security manager must quantify the impact for leadership and decide on disclosures. Which combination of factors best represents a complete impact quantification?
- Financial loss, operational disruption, data exposed, regulatory consequences, and reputational harm
- Only the number of alerts the SIEM generated during the event
- Only the brand of the firewall that was bypassed
- Only the number of hours the SOC analysts worked
Correct answer: Financial loss, operational disruption, data exposed, regulatory consequences, and reputational harm
A complete impact quantification considers financial loss, operational disruption, the data exposed, regulatory consequences, and reputational harm. This holistic view informs stakeholder reporting and disclosure decisions. Alert counts, hardware brands, or analyst hours alone do not represent the business impact leadership needs to act on.
- A security manager is defining how the SOC reports incidents to different audiences. Which principle should guide stakeholder reporting?
- Withhold all reporting until litigation is certain
- Tailor content and detail to each audience, giving executives business impact and technical teams remediation detail
- Report incidents only to the SOC team and no one else
- Send the same raw technical log dump to every stakeholder
Correct answer: Tailor content and detail to each audience, giving executives business impact and technical teams remediation detail
Stakeholder reporting should tailor content and detail to each audience, giving executives the business impact and the decisions they must make, and giving technical teams remediation detail. Sending identical raw logs to everyone, limiting reporting to the SOC, or withholding reports undermines coordinated response and informed decision-making.
- A security manager is formalizing the team that handles incidents. What is the primary role of a computer security incident response team (CSIRT)?
- To design the corporate website's user interface
- To manage employee payroll and benefits
- To provide a coordinated, predefined capability to detect, respond to, and recover from security incidents
- To approve the organization's annual marketing budget
Correct answer: To provide a coordinated, predefined capability to detect, respond to, and recover from security incidents
A computer security incident response team provides a coordinated, predefined capability to detect, respond to, and recover from security incidents. Having a designated team with clear authority enables fast, consistent action under pressure. Marketing, web design, and payroll are unrelated business functions.
- An organization must define when an event becomes a reportable incident. What is the best basis for this determination?
- Whether the event occurred during business hours
- Documented incident classification and severity criteria established in advance
- The seniority of the employee who first saw the alert
- The personal judgment of whoever happens to notice the event, with no criteria
Correct answer: Documented incident classification and severity criteria established in advance
Documented incident classification and severity criteria established in advance give a consistent, defensible basis for deciding when an event becomes a reportable incident. Ad hoc judgment, time of day, or employee seniority produce inconsistent decisions and missed or over-reported incidents.
- A SOC ingests external threat intelligence to improve detection. Which use of that intelligence is most operationally effective?
- Forwarding raw feeds to all employees as email attachments
- Filing the intelligence reports without applying them to any tooling
- Using it only to justify the SOC's annual budget request
- Integrating indicators and behavioral patterns into detection rules and proactive hunting
Correct answer: Integrating indicators and behavioral patterns into detection rules and proactive hunting
Threat intelligence is most effective when its indicators and behavioral patterns are integrated into detection rules and proactive hunting, directly improving the SOC's ability to find threats. Filing reports unused, mass-emailing raw feeds, or using intelligence only for budget justification fails to operationalize it.
- A security manager evaluates SOC performance for executives. Which metric most directly measures how quickly the SOC identifies that an incident is occurring?
- Number of firewall rules configured
- Count of employees who completed annual training
- Mean time to detect (MTTD)
- Total gigabytes of logs stored
Correct answer: Mean time to detect (MTTD)
Mean time to detect (MTTD) measures how quickly the SOC identifies that an incident is occurring, a core indicator of detection effectiveness. Firewall rule counts, log storage volume, and training completion are activity or capacity figures that do not reflect detection speed.
- A security manager wants to measure how effectively the SOC limits damage once an incident is detected. Which metric is most appropriate?
- The number of vendors at the last security conference
- Mean time to respond or contain (MTTR)
- The age of the oldest server in the data center
- The number of dashboards displayed in the SOC
Correct answer: Mean time to respond or contain (MTTR)
Mean time to respond or contain (MTTR) measures how quickly the SOC acts to limit damage after detection, reflecting response effectiveness. Dashboard counts, server age, and conference attendance have no bearing on how fast the SOC contains incidents.
- An incident reveals that a vendor's compromised software update was the entry point. Within security operations, what is the most appropriate follow-up to reduce similar future exposure?
- Remove monitoring from vendor-supplied systems to reduce alert volume
- Strengthen monitoring and validation of third-party software and integrate supplier risk signals into detection
- Stop using all software permanently
- Assume the vendor will prevent any future compromise without verification
Correct answer: Strengthen monitoring and validation of third-party software and integrate supplier risk signals into detection
The appropriate follow-up is to strengthen monitoring and validation of third-party software and integrate supplier risk signals into detection, addressing the supply-chain attack vector operationally. Abandoning all software is impractical, trusting the vendor blindly repeats the failure, and removing monitoring blinds the SOC to the very threat that materialized.
- A security manager institutes a patch management process for the SOC's operational scope. Which step most directly reduces the risk that a patch itself causes an outage?
- Deploying every patch to production immediately upon release
- Testing patches in a representative environment before deploying to production
- Applying patches only to systems no one uses
- Skipping all patches to avoid any change risk
Correct answer: Testing patches in a representative environment before deploying to production
Testing patches in a representative environment before production deployment reduces the risk that a patch causes an outage while still closing vulnerabilities promptly. Deploying untested patches risks disruption, skipping patches leaves systems exposed, and patching only unused systems ignores the at-risk production assets.
- A SOC analyst escalates a suspected intrusion, but responders waste time deciding who does what. Which preparation-phase artifact most directly prevents this confusion in future incidents?
- Incident response playbooks and runbooks defining roles, decisions, and step-by-step actions
- A list of preferred office supply vendors
- A marketing brochure describing the security team
- A spreadsheet of past conference expenses
Correct answer: Incident response playbooks and runbooks defining roles, decisions, and step-by-step actions
Incident response playbooks and runbooks define roles, decision points, and step-by-step actions so responders act quickly and consistently rather than improvising. They are produced during the preparation phase. Brochures, expense spreadsheets, and supply vendor lists provide no operational guidance during an incident.
- A security manager must decide what telemetry the SOC should collect to support detection and investigation. Which approach best balances visibility with manageability?
- Collect every possible log with no prioritization and never review what is useful
- Collect no logs to avoid storage costs
- Collect log sources prioritized by risk and detection value, ensuring coverage of critical assets and key attack paths
- Collect logs only from the least important systems
Correct answer: Collect log sources prioritized by risk and detection value, ensuring coverage of critical assets and key attack paths
The SOC should collect log sources prioritized by risk and detection value, ensuring critical assets and key attack paths are covered while keeping data manageable. Collecting everything without prioritization overwhelms analysts and storage, collecting nothing creates total blindness, and logging only unimportant systems misses the assets attackers target.
- During a fast-moving incident, a junior responder wants to wipe and rebuild a compromised server immediately to restore service. What should the security manager weigh before approving this?
- Whether the rebuild can be scheduled around lunch breaks
- Whether the server's chassis color matches the data center theme
- Whether wiping the system would destroy evidence needed for investigation and potential legal action
- Whether the responder prefers a different operating system
Correct answer: Whether wiping the system would destroy evidence needed for investigation and potential legal action
Before approving an immediate wipe, the manager must weigh whether doing so would destroy evidence needed for investigation and potential legal action, since premature rebuilding can eliminate forensic artifacts and break chain of custody. Forensic imaging should typically precede eradication and rebuild. Cosmetic preferences and scheduling around breaks are irrelevant to this judgment.
- A new ISSMP wants to explain to the board, in plain terms, what a business continuity plan actually is. Which description is most accurate?
- A technical runbook that tells engineers how to rebuild specific servers after they fail
- An insurance policy that reimburses the organization for losses caused by a disaster
- A list of the firewall and antivirus products the company has purchased for protection
- A documented, management-approved set of strategies and procedures that keeps the organization's critical business functions operating, or restores them quickly, during and after a disruption
Correct answer: A documented, management-approved set of strategies and procedures that keeps the organization's critical business functions operating, or restores them quickly, during and after a disruption
A business continuity plan (BCP) is a documented, management-approved set of strategies and procedures for keeping critical business functions running, or restoring them quickly, during and after a disruption. It is a business-level plan covering people, processes, facilities, and dependencies; a server rebuild runbook is part of the narrower disaster recovery plan, while insurance is a risk-transfer mechanism rather than a continuity plan.
- An ISSMP is briefing executives on what a business impact analysis (BIA) delivers. Which outcome is the BIA's primary product?
- A penetration test report identifying exploitable vulnerabilities in production systems
- A ranked list of the cheapest cloud backup vendors available to the company
- A signed acceptable use policy acknowledgment from every employee
- A prioritized understanding of critical processes, their recovery objectives, and the impact of disruption over time
Correct answer: A prioritized understanding of critical processes, their recovery objectives, and the impact of disruption over time
A business impact analysis identifies the organization's critical processes, quantifies how impact grows over time when they are disrupted, and establishes the recovery objectives (such as MTD, RTO, and RPO) that drive continuity strategy. It is an analysis of business consequences, not a vendor comparison, a vulnerability scan, or an HR control.
- During a BIA, a manager establishes that an order-processing system has a maximum tolerable downtime of 8 hours. The recovery time objective is set at 5 hours. According to standard continuity practice, how much time remains for work recovery time (WRT)?
- 13 hours
- 5 hours
- 8 hours
- 3 hours
Correct answer: 3 hours
3 hours remain for work recovery time, because MTD equals RTO plus WRT, so WRT equals MTD minus RTO (8 hours minus 5 hours). RTO is the time to restore the technical system, while WRT is the additional time to validate data, clear backlogs, and return the business function to normal operation; together they must not exceed the MTD.
- An ISSMP is documenting recovery metrics and needs to define work recovery time (WRT) for the continuity team. Which description fits WRT?
- The total time a process can be down before causing unacceptable harm to the organization
- The maximum amount of data, measured in time, the organization can afford to lose
- The time needed after systems are technically restored to verify data, clear transaction backlogs, and return the business process to normal operation
- The point in time to which data must be recoverable after an outage
Correct answer: The time needed after systems are technically restored to verify data, clear transaction backlogs, and return the business process to normal operation
Work recovery time is the period after technical systems are restored that is needed to verify data integrity, process accumulated backlogs, and bring the business function back to normal operation. It is distinct from RTO (which covers technical restoration), from RPO (acceptable data loss), and from MTD (the total tolerable outage, which equals RTO plus WRT).
- A planner needs to determine how to calculate the maximum tolerable downtime (MTD) for a critical process. Which relationship correctly expresses MTD?
- MTD = WRT - RTO
- MTD = RTO + WRT
- MTD = RTO - RPO
- MTD = RPO x ARO
Correct answer: MTD = RTO + WRT
MTD equals RTO plus WRT, combining the time to restore the technical system with the additional time to return the business process to normal operation. The MTD is the ceiling the business cannot exceed; subtracting RPO, multiplying by an annualized rate, or subtracting RTO from WRT does not represent how maximum tolerable downtime is derived.
- An ISSMP must clearly distinguish RTO from RPO when setting recovery requirements. Which statement correctly contrasts the two?
- RTO is the target time to restore a process after an outage, while RPO is the maximum acceptable amount of data loss expressed as a point in time
- RTO and RPO both measure how long a backup takes to complete
- RTO is the maximum acceptable data loss, while RPO is the time to restore a process
- RTO defines backup frequency, while RPO defines how many staff are on the recovery team
Correct answer: RTO is the target time to restore a process after an outage, while RPO is the maximum acceptable amount of data loss expressed as a point in time
RTO (recovery time objective) is the target duration within which a process or system must be restored after a disruption, whereas RPO (recovery point objective) is the maximum acceptable data loss, expressed as the point in time to which data must be recoverable. RTO governs how fast you recover; RPO governs how much data you can afford to lose and therefore how often you back up.
- A continuity team is ordering three recovery metrics from the most stringent (shortest tolerance) perspective for a single process. Which statement correctly relates MTD, RTO, and RPO?
- RPO measures tolerable data loss before the event, RTO measures restoration time after the event, and the MTD is the overall outage ceiling that RTO plus WRT must fit within
- RPO is always longer than the MTD, and RTO is always longer than the RPO
- RTO measures data loss, RPO measures downtime, and MTD measures backup cost
- MTD, RTO, and RPO are interchangeable terms for the same recovery target
Correct answer: RPO measures tolerable data loss before the event, RTO measures restoration time after the event, and the MTD is the overall outage ceiling that RTO plus WRT must fit within
RPO looks backward from the moment of disruption to define how much data loss is tolerable, RTO looks forward to define how quickly the system is restored, and MTD is the total tolerable outage that RTO plus WRT must not exceed. They are three distinct measures, not interchangeable, and RPO is not inherently longer than the MTD.
- An ISSMP is selecting an alternate recovery site and must explain the trade-offs of hot, warm, and cold sites. Which comparison is accurate?
- Hot, warm, and cold sites all provide identical recovery speeds and differ only in monthly price
- A cold site is the most expensive and recovers fastest, while a hot site is the cheapest and slowest
- A warm site is fully operational at all times, while a hot site provides only empty floor space
- A hot site is fully equipped and ready for near-immediate cutover at the highest cost, a warm site has infrastructure and some equipment but needs data and final setup, and a cold site provides only space and utilities at the lowest cost and longest recovery time
Correct answer: A hot site is fully equipped and ready for near-immediate cutover at the highest cost, a warm site has infrastructure and some equipment but needs data and final setup, and a cold site provides only space and utilities at the lowest cost and longest recovery time
A hot site is fully equipped and continuously ready, enabling near-immediate recovery at the highest cost; a warm site has infrastructure and partial equipment but still needs current data and final configuration; and a cold site provides only space and utilities, costing the least but taking the longest to bring online. Cost and recovery speed move in opposite directions across the three.
- A budget-conscious organization needs an alternate site that has network connectivity, power, HVAC, and some hardware in place, but accepts that data must still be loaded and final configuration completed before operations resume. Which site type best matches this description?
- Cold site
- Warm site
- Hot site
- Reciprocal agreement
Correct answer: Warm site
A warm site is a disaster recovery facility that has connectivity, power, environmental controls, and some pre-staged hardware, but requires loading current data and completing configuration before it can take over. A hot site would already be fully ready, a cold site would offer only space and utilities, and a reciprocal agreement is a mutual-aid arrangement rather than a dedicated facility.
- An ISSMP wants the lowest-risk, least-disruptive way to validate a continuity plan by having stakeholders discuss their roles and walk through a hypothetical scenario in a conference room. Which exercise type is this, and how does it differ from a full interruption test?
- A tabletop exercise is a discussion-based walkthrough that does not touch production, whereas a full interruption test actually shuts down primary systems and runs operations from the recovery environment, carrying the highest risk and realism
- A tabletop exercise shuts down production systems, while a full interruption test is only a paper review
- A tabletop exercise and a full interruption test are identical in scope and disruption
- A tabletop exercise requires failing over to the hot site, while a full interruption test stays purely theoretical
Correct answer: A tabletop exercise is a discussion-based walkthrough that does not touch production, whereas a full interruption test actually shuts down primary systems and runs operations from the recovery environment, carrying the highest risk and realism
A tabletop exercise is a discussion-based walkthrough where participants talk through their roles against a scenario without affecting production, making it low risk. A full interruption test, by contrast, actually shuts down primary systems and operates entirely from the recovery environment, providing the most realistic validation but carrying the greatest risk of real disruption.
- An ISSMP defines a tabletop exercise for the continuity steering committee. Which statement best captures what a tabletop exercise is?
- A facilitated, discussion-based session in which participants review and validate their continuity roles and decisions against a simulated scenario, without activating systems
- A live failover in which production traffic is redirected to the disaster recovery site
- A surprise shutdown of the primary data center to test staff under real conditions
- An automated script that restores backups to a duplicate environment overnight
Correct answer: A facilitated, discussion-based session in which participants review and validate their continuity roles and decisions against a simulated scenario, without activating systems
A tabletop exercise is a facilitated, discussion-based session where participants walk through their continuity roles and decisions against a simulated scenario without activating any systems. Because nothing is actually switched over or shut down, it is ideal for clarifying responsibilities and surfacing gaps before more disruptive tests are attempted.
- A continuity manager is planning a progression of disaster recovery testing types and wants to order them from least to most disruptive. Which ordering is correct?
- Parallel test, checklist review, full interruption test, tabletop, simulation
- Checklist review, structured walkthrough/tabletop, simulation, parallel test, full interruption test
- Full interruption test, parallel test, simulation, tabletop, checklist review
- Simulation, full interruption test, checklist review, parallel test, tabletop
Correct answer: Checklist review, structured walkthrough/tabletop, simulation, parallel test, full interruption test
The standard progression of disaster recovery testing types runs from least to most disruptive: a checklist review, then a structured walkthrough or tabletop, then a simulation, then a parallel test (recovery systems run alongside production without taking over), and finally a full interruption test (production is shut down and operations move to the recovery site). Maturing through this sequence builds confidence while limiting risk.
- An ISSMP must explain the difference between a business continuity plan and a disaster recovery plan to a project sponsor. Which distinction is correct?
- The BCP addresses sustaining the full range of critical business functions during a disruption, while the DRP is a subordinate plan focused specifically on restoring IT systems, data, and infrastructure
- The DRP covers the entire enterprise, while the BCP covers only desktop hardware
- The BCP and DRP are the same document with two different titles
- The BCP restores servers, while the DRP handles employee scheduling and payroll
Correct answer: The BCP addresses sustaining the full range of critical business functions during a disruption, while the DRP is a subordinate plan focused specifically on restoring IT systems, data, and infrastructure
The business continuity plan focuses on sustaining critical business functions (people, processes, facilities, suppliers) during and after a disruption, while the disaster recovery plan is a narrower, subordinate plan focused on restoring IT systems, data, and infrastructure. The DRP supports the BCP; they are complementary rather than identical or reversed in scope.
- A CISO is asked to mature the program from simply recovering after incidents toward true organizational resilience. Which definition best describes organizational resilience?
- The practice of avoiding all risk by ceasing any activity that could be disrupted
- The exclusive responsibility of the IT department to restore servers within the RTO
- A one-time certification proving the company has purchased a hot site
- The organization's ability to anticipate, prepare for, respond to, and adapt to disruptions so it can continue delivering its core mission and outcomes
Correct answer: The organization's ability to anticipate, prepare for, respond to, and adapt to disruptions so it can continue delivering its core mission and outcomes
Organizational resilience is the enterprise-wide capability to anticipate, prepare for, respond to, and adapt to disruptions so the organization continues delivering its core mission. It is broader than IT recovery and is an ongoing, adaptive capacity rather than a single certificate or a strategy of avoiding all activity.
- After a tabletop exercise reveals that the call tree lists three employees who left the company, what is the most appropriate management action?
- Reduce the frequency of future exercises to avoid surfacing problems
- Update the continuity and notification documentation to correct the gap, then re-validate it in a subsequent test
- Discard the exercise findings because the plan was approved when it was written
- Replace the tabletop format permanently with checklist reviews only
Correct answer: Update the continuity and notification documentation to correct the gap, then re-validate it in a subsequent test
Exercise findings exist precisely to drive corrective action, so the right move is to update the continuity and notification documentation and re-validate it in a later test. Ignoring findings, testing less often, or downgrading to the least rigorous test type would leave the plan stale and unreliable when a real disruption occurs.
- An ISSMP is structuring the continuity program and needs to determine the correct sequence of foundational activities. Which order reflects sound continuity-program practice?
- Obtain management sponsorship, conduct the BIA, define recovery strategies, develop the plan, then test and maintain it
- Develop the plan first, then run a full interruption test, and only afterward perform a BIA
- Test the plan, obtain sponsorship, then decide whether critical processes exist
- Purchase a hot site, then write the plan, and skip the BIA to save time
Correct answer: Obtain management sponsorship, conduct the BIA, define recovery strategies, develop the plan, then test and maintain it
A sound continuity program begins with management sponsorship to secure authority and resources, performs a BIA to identify critical processes and recovery objectives, defines recovery strategies sized to that impact, develops the plan, and then tests and maintains it on a cycle. Building strategies or buying sites before the BIA risks misaligning investment with actual business impact.
- A multinational firm wants its recovery strategy to address not only technology but also alternate workspace, trained backup personnel, and supplier substitutions. Which planning concept ensures these non-technical dependencies are recovered?
- A patch management schedule covering all internet-facing assets
- A data classification policy that labels documents by sensitivity
- A configuration baseline that hardens every production server
- Recovery strategies derived from the BIA that address people, facilities, suppliers, and processes, not just IT systems
Correct answer: Recovery strategies derived from the BIA that address people, facilities, suppliers, and processes, not just IT systems
Recovery strategies built from the BIA must cover all resources a critical process depends on, including people, alternate facilities, suppliers, and process workarounds, not just IT systems. Configuration baselines, patch schedules, and data classification are valuable security controls but do not, by themselves, ensure that the full set of business dependencies can be recovered.
- An ISSMP must justify why the continuity plan should be maintained on a defined cycle rather than treated as a one-time deliverable. Which rationale is strongest?
- Business processes, personnel, technology, and dependencies change over time, so an unmaintained plan steadily loses accuracy and may fail when activated
- Maintenance is only needed after the organization has experienced an actual disaster
- Regulators require that a plan never be modified once it is first approved
- A well-written plan is permanently accurate and never requires review
Correct answer: Business processes, personnel, technology, and dependencies change over time, so an unmaintained plan steadily loses accuracy and may fail when activated
Continuity plans must be maintained on a defined cycle because processes, staff, systems, and dependencies change continuously, and an out-of-date plan can fail at the moment it is needed. Waiting for a real disaster, assuming a plan is permanently accurate, or believing regulators forbid updates all leave the organization exposed.
- A security manager is explaining the difference between due care and due diligence to an executive. Which statement most accurately distinguishes the two?
- Due care and due diligence are interchangeable terms with no practical distinction
- Due care is the ongoing practice of implementing and maintaining reasonable protective measures, while due diligence is the investigation and ongoing verification that those measures are adequate and working
- Due diligence means doing the bare minimum, while due care means exceeding all legal requirements
- Due care applies only to third-party vendors, while due diligence applies only to internal staff
Correct answer: Due care is the ongoing practice of implementing and maintaining reasonable protective measures, while due diligence is the investigation and ongoing verification that those measures are adequate and working
Due care is the ongoing practice of implementing and maintaining reasonable protective measures, while due diligence is the investigation and verification that confirms those measures are adequate and operating. A useful illustration: requiring staff to keep systems patched is due care, and verifying that the patches were actually applied is due diligence. They are complementary, not interchangeable, so the claim that they are the same is wrong.
- A board member asks the CISO what specifically constitutes 'due care' in the organization's security program. Which example best represents due care?
- Auditing a prospective acquisition target's security posture during a merger investigation
- Buying the most expensive security product on the market after a breach occurs
- Hiring an outside firm one time to assess whether the firewall is configured correctly
- Establishing and consistently maintaining baseline security controls, enforced policies, and routine awareness training aligned with accepted standards
Correct answer: Establishing and consistently maintaining baseline security controls, enforced policies, and routine awareness training aligned with accepted standards
Due care in security is the habitual practice of establishing and maintaining reasonable, standards-aligned protective measures such as baseline controls, enforced policies, and ongoing awareness training. A one-time investigation of a target's posture or a single assessment is due diligence, an investigative act, rather than the continuous duty of care; reactive post-breach spending does not demonstrate that due care was exercised beforehand.
- Which set correctly lists the four canons of the ISC2 Code of Ethics in their order of priority?
- Advance and protect the profession; Protect society; Act honorably; Provide diligent service to principals
- Act honorably; Advance and protect the profession; Provide diligent service to principals; Protect society
- Provide diligent service to principals; Act honorably; Protect society; Advance and protect the profession
- Protect society, the common good, necessary public trust and confidence, and the infrastructure; Act honorably, honestly, justly, responsibly, and legally; Provide diligent and competent service to principals; Advance and protect the profession
Correct answer: Protect society, the common good, necessary public trust and confidence, and the infrastructure; Act honorably, honestly, justly, responsibly, and legally; Provide diligent and competent service to principals; Advance and protect the profession
The four ISC2 canons, in priority order, are: protect society, the common good, necessary public trust and confidence, and the infrastructure; act honorably, honestly, justly, responsibly, and legally; provide diligent and competent service to principals; and advance and protect the profession. The order matters because canons are applied in sequence when they appear to conflict, with protection of society always first.
- An ISSMP-certified manager discovers that a fellow ISC2 member is knowingly misrepresenting their credentials to clients. Under the ISC2 Code of Ethics, which canon most directly addresses the obligation to respond to such conduct?
- Protect society, the common good, and the infrastructure
- Maximize the member's individual earnings
- Advance and protect the profession
- Provide diligent and competent service to principals
Correct answer: Advance and protect the profession
Advancing and protecting the profession is the canon that obligates members to uphold the reputation and integrity of the field, which includes not tolerating colleagues who misrepresent credentials. Service to principals concerns duties to employers and clients, and protecting society addresses public safety; neither is the primary canon for safeguarding the profession's integrity. There is no ISC2 canon about maximizing personal earnings.
- A startup develops a unique manufacturing formula and decides to protect it as a trade secret rather than patent it. What is the defining characteristic of trade secret protection that drives this decision?
- It grants a government-issued monopoly for exactly 20 years after which it expires
- It requires public disclosure of the formula in exchange for legal protection
- It protects information that derives independent economic value from not being generally known, and lasts indefinitely as long as reasonable secrecy measures are maintained
- It automatically protects the formula the moment it is written down, with no obligation to keep it secret
Correct answer: It protects information that derives independent economic value from not being generally known, and lasts indefinitely as long as reasonable secrecy measures are maintained
A trade secret protects information that derives independent economic value from not being generally known and that is subject to reasonable measures to keep it secret; its protection can last indefinitely as long as secrecy is maintained. Unlike a patent, it requires no public disclosure and has no fixed expiration, which is precisely why a firm may choose it over patenting; however, if the secret is leaked or independently discovered, protection is lost.
- A product team must choose intellectual property protection for four assets: a novel circuit design, a company logo, a software user manual, and a secret customer-pricing algorithm. Which mapping of protection types is correct?
- Patent for the circuit design, trademark for the logo, copyright for the manual, and trade secret for the pricing algorithm
- Trademark for the circuit design, patent for the logo, trade secret for the manual, and copyright for the pricing algorithm
- Trade secret for the circuit design, copyright for the logo, trademark for the manual, and patent for the pricing algorithm
- Copyright for the circuit design, trade secret for the logo, patent for the manual, and trademark for the pricing algorithm
Correct answer: Patent for the circuit design, trademark for the logo, copyright for the manual, and trade secret for the pricing algorithm
The correct mapping is a patent for the novel circuit design (a new, useful invention), a trademark for the logo (a brand identifier), a copyright for the user manual (an original written work), and a trade secret for the confidential pricing algorithm (commercially valuable information kept secret). Each IP category protects a distinct kind of asset, so the alternatives that scramble these assignments are incorrect.
- A US hospital system expands to serve patients in the EU. A manager must explain how its GDPR obligations differ from its existing HIPAA obligations. Which statement is accurate?
- HIPAA governs protected health information held by covered entities and business associates in the US, while GDPR governs all personal data of individuals in the EU regardless of industry
- Both laws are enforced by the same single global authority using identical penalty schedules
- GDPR applies only to healthcare data, while HIPAA applies to any personal data of any individual
- HIPAA grants a broad right to erasure, while GDPR contains no individual data rights
Correct answer: HIPAA governs protected health information held by covered entities and business associates in the US, while GDPR governs all personal data of individuals in the EU regardless of industry
HIPAA governs protected health information handled by covered entities and their business associates in the US, whereas GDPR governs all personal data of individuals in the EU across every industry, not just healthcare. GDPR also grants broad individual rights such as erasure and portability and is enforced by national data protection authorities, while HIPAA is enforced by the US HHS Office for Civil Rights; the two are not administered by one global authority.
- An organization wants a defensible standard for what level of security is 'reasonable' so it can argue it acted responsibly if sued after an incident. Which concept provides this legal benchmark?
- The single loss expectancy formula
- The prudent person rule, which asks whether the organization took the precautions a reasonable, prudent person would take in similar circumstances
- The Traffic Light Protocol for information sharing
- The principle of least privilege
Correct answer: The prudent person rule, which asks whether the organization took the precautions a reasonable, prudent person would take in similar circumstances
The prudent person (reasonable person) rule provides the legal benchmark for whether an organization exercised due care, asking whether it took the precautions a reasonable, prudent person would take in similar circumstances. Single loss expectancy is a quantitative risk metric, least privilege is an access-control principle, and the Traffic Light Protocol governs information-sharing sensitivity; none of these establishes the legal reasonableness standard.
- A multinational company must transfer employee personal data from its EU subsidiary to its US headquarters. Which mechanism is specifically designed to provide a lawful basis for such cross-border transfers under GDPR?
- Standard Contractual Clauses (SCCs) approved by the European Commission
- A PCI DSS attestation of compliance
- A signed non-disclosure agreement between two employees
- An internal acceptable use policy posted on the intranet
Correct answer: Standard Contractual Clauses (SCCs) approved by the European Commission
Standard Contractual Clauses are European Commission-approved contractual terms that provide a recognized lawful basis for transferring personal data out of the EU to countries lacking an adequacy decision. An NDA, a PCI DSS attestation, and an internal acceptable use policy do not satisfy GDPR cross-border transfer requirements; SCCs (or comparable safeguards like binding corporate rules) are the appropriate mechanism.
- A company licenses open-source software under a copyleft license but ships a modified version in a proprietary product without releasing the source code. What is the primary compliance exposure?
- A patent infringement, because all open-source code is automatically patented
- No exposure, because open-source software has no enforceable license terms
- A trademark dilution claim, because the product name resembles the open-source project
- Software license violation, because copyleft terms require derivative works to be distributed under the same open-source license terms
Correct answer: Software license violation, because copyleft terms require derivative works to be distributed under the same open-source license terms
The exposure is a software license violation, because copyleft (such as GPL-style) licenses require that derivative and modified works be distributed under the same open-source terms, including making source available. Open-source code carries enforceable license obligations, so the claim of no exposure is wrong; the issue is license compliance, not automatic patenting or trademark dilution.
- A security manager is building a compliance program and must distinguish between a law, a regulation, and a standard. Which description is correct?
- A regulation is created by private industry, while a standard is enacted by a legislature
- Laws, regulations, and standards are identical and carry the same enforcement authority
- A law is enacted by a legislature, a regulation is issued by a government agency to implement a law, and a standard is a defined specification that may be mandated by law, contract, or chosen voluntarily
- A standard is always legally binding, while laws and regulations are always optional guidance
Correct answer: A law is enacted by a legislature, a regulation is issued by a government agency to implement a law, and a standard is a defined specification that may be mandated by law, contract, or chosen voluntarily
A law is enacted by a legislature, a regulation is issued by a government agency to implement and enforce a law, and a standard is a defined specification that may be mandated by law or contract or adopted voluntarily. Standards are not inherently legally binding by themselves, and regulations come from government agencies rather than private industry, so the other descriptions misstate the hierarchy.
- During a forensic investigation, an analyst makes a bit-for-bit forensic image of a suspect drive and works only from a verified copy. Which legal principle does this practice most directly support?
- Satisfying the data minimization principle of GDPR
- Reducing the storage cost of the investigation
- Preserving the integrity of original evidence so it remains admissible and is not altered during examination
- Accelerating the recovery time objective for the affected system
Correct answer: Preserving the integrity of original evidence so it remains admissible and is not altered during examination
Working from a verified forensic image preserves the integrity of the original evidence, ensuring it is not altered during examination and remains admissible in legal proceedings. This is an evidence-handling and admissibility concern, not a matter of storage cost, recovery time objectives, or GDPR data minimization, which address unrelated objectives.
- An ISSMP holder is asked by their employer to deploy monitoring software on employee devices in a jurisdiction where such monitoring without notice is illegal. The employer insists it is company policy. What does the ISC2 Code of Ethics require?
- Comply with the employer's instruction because the duty to serve principals overrides all other obligations
- Deploy the software quietly and document the objection only in private notes
- Resign immediately without raising the legal concern with anyone
- Act legally and honorably, which means the member cannot carry out the illegal monitoring even at the employer's direction, and should seek a lawful alternative
Correct answer: Act legally and honorably, which means the member cannot carry out the illegal monitoring even at the employer's direction, and should seek a lawful alternative
The canon to act honorably, honestly, justly, responsibly, and legally means the member cannot perform an illegal act even when directed by an employer, and should instead seek a lawful alternative. The duty of diligent service to principals does not override the obligation to act legally; silently complying or quietly resigning without surfacing the legal issue fails the ethical obligation to act responsibly.
- A compliance officer must demonstrate ongoing conformance with a regulatory requirement to an external auditor. Which artifact provides the strongest evidence that a control operated effectively over the audit period?
- A verbal assurance from the control owner that the control usually works
- Records and logs showing the control was performed consistently throughout the period, with documented exceptions and remediation
- A vendor brochure describing the security product's features
- A policy document stating the control should be performed
Correct answer: Records and logs showing the control was performed consistently throughout the period, with documented exceptions and remediation
Records and logs showing the control operated consistently across the audit period, with documented exceptions and remediation, provide the strongest evidence of operating effectiveness. A policy states intent but not performance, verbal assurances are not auditable evidence, and a vendor brochure describes capabilities rather than demonstrating the control actually ran in this environment.
- A global organization is subject to GDPR and discovers a personal data breach affecting EU residents. Which obligation is most specific to GDPR's breach requirements?
- Notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach
- Notify the US Office for Civil Rights within 60 days as the primary regulator
- File a form with the Securities and Exchange Commission within four business days
- Report the breach only at the next annual compliance review
Correct answer: Notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach
GDPR requires notifying the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach. Notification to the US HHS Office for Civil Rights is a HIPAA obligation, the four-business-day filing is a US securities disclosure rule, and waiting for an annual review would violate GDPR's prompt-notification requirement.
- A security manager must select a control framework to map the organization's controls to multiple overlapping regulations efficiently. What is the primary benefit of using a common controls framework for this purpose?
- It guarantees the organization will never experience a security incident
- It lets one control satisfy requirements across several regulations through crosswalk mapping, reducing duplicate effort and evidence collection
- It eliminates the organization's obligation to comply with any of the regulations
- It replaces the need for any internal audit function
Correct answer: It lets one control satisfy requirements across several regulations through crosswalk mapping, reducing duplicate effort and evidence collection
A common controls framework lets a single control satisfy requirements across several regulations through crosswalk mapping, reducing duplicate effort and consolidating evidence collection. It does not remove compliance obligations, guarantee incident-free operation, or replace internal audit; its value is efficient, consistent coverage of overlapping mandates.
- An employee is caught using their access to view confidential records out of curiosity, with no malicious intent and no data exfiltration. From a compliance and ethics standpoint, how should the security manager characterize this act?
- As outside the scope of compliance, since curiosity is not addressed by any policy
- As a policy and potential legal violation, because unauthorized access to data is improper regardless of intent or whether data was copied
- As acceptable, because no data was copied or removed
- As acceptable, because the employee already had legitimate system access
Correct answer: As a policy and potential legal violation, because unauthorized access to data is improper regardless of intent or whether data was copied
Viewing confidential records without a legitimate business need is a policy and potentially a legal violation, because authorization is tied to need-to-know, not merely to having technical access. The absence of malicious intent or exfiltration does not make the access acceptable; many privacy laws and acceptable-use policies prohibit unauthorized viewing itself.
- A company that handles payment cards, EU personal data, and US health records asks which compliance regimes apply. Which combination correctly matches each data type to its primary regime?
- PCI DSS for payment cards, GDPR for EU personal data, and HIPAA for US protected health information
- GDPR for payment cards, HIPAA for EU personal data, and PCI DSS for US health records
- SOX for payment cards, PCI DSS for EU personal data, and GDPR for US health records
- HIPAA for payment cards, PCI DSS for EU personal data, and GDPR for US health records
Correct answer: PCI DSS for payment cards, GDPR for EU personal data, and HIPAA for US protected health information
Payment card data falls under PCI DSS, EU personal data falls under GDPR, and US protected health information falls under HIPAA. Each regime has a distinct subject-matter scope, so the alternatives that mismatch the data types to the wrong frameworks are incorrect. An organization handling all three must satisfy each applicable regime concurrently.
- A security leader wants to ensure the organization can prove it considered relevant legal and regulatory obligations before launching a new data-collection product. Which governance activity best provides this assurance?
- Relying on the absence of past complaints as proof of compliance
- Posting the privacy notice on the website after launch
- Asking the marketing team to confirm the product is compliant
- Conducting and documenting a privacy and regulatory impact assessment before launch
Correct answer: Conducting and documenting a privacy and regulatory impact assessment before launch
Conducting and documenting a privacy and regulatory impact assessment before launch demonstrates that legal and regulatory obligations were proactively considered, supporting a due diligence and accountability record. A post-launch notice, an informal marketing confirmation, or the mere absence of prior complaints does not evidence that obligations were assessed beforehand.
- An organization's contract with a cloud processor that handles EU personal data must, under GDPR, include specific terms governing the processor's conduct. What is this contractual instrument called?
- A statement of work that lists only deliverables and milestones
- A non-disclosure agreement that addresses only confidentiality of negotiations
- A data processing agreement that binds the processor to act only on documented instructions and to implement appropriate security measures
- A service-level agreement that addresses only uptime percentages
Correct answer: A data processing agreement that binds the processor to act only on documented instructions and to implement appropriate security measures
A data processing agreement is the GDPR-required instrument that binds a processor to act only on the controller's documented instructions and to implement appropriate technical and organizational security measures. A statement of work, an uptime-focused SLA, or a confidentiality-only NDA does not establish the processor obligations GDPR mandates between controller and processor.