暗記メーカー
CNL_CH_1
  • Son Cagrı

  • Number of questions: 185 • 12/12/2023


    Question list

  • 1

    Which of the following would be BEST for a technician to review to determine the total risk an organization can bear when assessing a "cloud-first" adoption strategy?

    Risk appetite

  • 2

    Which of the following would help ensure a security analyst is able to accurately measure the overall risk to an organization when a new vulnerability is disclosed?

    A full inventory of all hardware and software

  • 3

    A threat actor used a sophisticated attack to breach a well-known ride-sharing company. The threat actor posted on social media that this action was in response to the company's treatment of its drivers. Which of the following best describes the type of threat actor?

    Hacktivist

  • 4

    Which of the following job roles would sponsor data quality and data entry initiatives that ensure business and regulatory requirements are met?

    The data owner

  • 5

    Two hospitals merged into a single organization. The privacy officer requested a review of all records to ensure encryption was used during record storage, in compliance with regulations. During the review, the officer discovered that medical diagnosis codes and patient names were left unsecured. Which of the following types of data does this combination BEST represent?

    Personal health information

  • 6

    When selecting a technical solution for identity management, an architect chooses to go from an in-house to a third-party SaaS provider. Which of the following risk management strategies is this an example of?

    Transference

  • 7

    A Chief Executive Officer's (CEO) personal information was stolen in a social engineering attack. Which of the following sources would reveal if the CEO's personal information is for sale?

    The dark web

  • 8

    A company is auditing the manner in which its European customers' personal information is handled. Which of the following should the company consult?

    GDPR

  • 9

    Which of the following is MOST likely to contain ranked and ordered information on the likelihood and potential impact of catastrophic events that may affect business processes and systems, while also highlighting the residual risks that need to be managed after mitigating controls have been implemented?

    A risk register

  • 10

    A security analyst (or technician) has to implement a control in a cost-effective way (with a low budget) in order to limit unauthorized physical access. Which of the following control types would be BEST?

    Deterrent

  • 11

    A security practitioner is performing due diligence on a vendor that is being considered for cloud services. Which of the following should the practitioner consult for the best insight into the current security posture of the vendor?

    SOC 2 report

  • 12

    An organization's finance department is implementing a policy to protect against collusion. Which of the following control types and corresponding procedures should the organization implement to fulfill this policy's requirement?

    Preventive, Job rotation

  • 13

    Which of the following documents provides expectations at a technical level for quality, availability, and responsibilities?

    SLA

  • 14

    Which of the following scenarios BEST describes a risk reduction technique?

    A security control objective cannot be met through a technical change, so the company implements a policy to train users on a more secure method of operation

  • 15

    A company is focused on reducing risks from removable media threats. Due to certain primary applications, removable media cannot be entirely prohibited at this time. Which of the following best describes the company's approach?

    Mitigating controls

  • 16

    After consulting with the Chief Risk Officer (CRO), a manager decides to acquire cybersecurity insurance for the company. Which of the following risk management strategies is the manager adopting?

    Risk transference

  • 17

    A security administrator wants to implement a program that tests a user's ability to recognize attacks over the organization's email system. Which of the following would be BEST suited for this task?

    Phishing campaign

  • 18

    A security team is engaging a third-party vendor to do a penetration test of a new proprietary application prior to its release. Which of the following documents would the third-party vendor most likely be required to review and sign?

    NDA

  • 19

    An organization just experienced a major cyber attack incident. The attack was well coordinated, sophisticated and highly skilled. Which of the following targeted the organization?

    An advanced persistent threat

  • 20

    Which of the following describes a maintenance metric that measures the average time required to troubleshoot and restore failed equipment?

    MTTR

  • 21

    An IT manager is estimating the mobile device budget for the upcoming year. Over the last five years, the number of devices that were replaced due to loss, damage, or theft steadily increased by 10%. Which of the following would BEST describe the estimated number of devices to be replaced next year?

    ARO

  • 22

    A preventive control differs from a compensating control in that a preventive control is:

    designed to specifically mitigate a risk.

  • 23

    Which of the following corporate policies is used to help prevent employee fraud and to detect system log modifications or other malicious activity based on tenure?

    Mandatory vacation

  • 24

    Which of the following should a data owner require all personnel to sign to legally protect intellectual property?

    An NDA (non-disclosure agreement)

  • 25

    An information security incident recently occurred at an organization, and the organization was required to report the incident to authorities and notify the affected parties. When the organization's customers became aware of the incident, some reduced their orders or stopped placing orders entirely. Which of the following is the organization experiencing?

    Reputation damage

  • 26

    In which of the following risk management strategies would cybersecurity insurance be used?

    Transference

  • 27

    A company recently set up an e-commerce portal to sell its product online. The company wants to start accepting credit cards for payment, which requires compliance with a security standard. Which of the following standards must the company comply with before accepting credit cards on its e-commerce platform?

    PCI DSS

  • 28

    A junior human resources administrator was gathering data about employees to submit to a new company awards program. The employee data included job title, business phone number, location, first initial with last name, and race. Which of the following best describes this type of information?

    Sensitive

  • 29

    Users are presented with a banner upon each login to a workstation. The banner mentions that users are not entitled to any reasonable expectation of privacy and access is for authorized personnel only. In order to proceed past that banner, users must click the OK button. Which of the following is this an example of?

    AUP

  • 30

    A routine audit of medical billing claims revealed that several claims were submitted without the subscriber's knowledge. A review of the audit logs for the medical billing company's system indicated a company employee downloaded customer records and adjusted the direct deposit information to a personal bank account. Which of the following does this action describe?

    Insider threat

  • 31

    Which of the following should be monitored by threat intelligence researchers who search for leaked credentials?

    Dark web

  • 32

    A vulnerability has been discovered and a known patch to address the vulnerability does not exist. Which of the following controls works BEST until a proper fix is released?

    Compensating

  • 33

    A company posts a sign indicating its server room is . Which of the following control types is represented?

    Deterrent

  • 34

    Which of the following is the MOST secure but LEAST expensive data destruction method for data that is stored on hard drives?

    Shredding

  • 35

    Which of the following describes where an attacker can purchase DDoS or ransomware services?

    Dark web

  • 36

    Which of the following is a known security risk associated with data archives that contain financial information?

    Data can become a liability if archived longer than required by regulatory guidance.

  • 37

    Which of the following secure coding techniques makes compromised code more difficult for hackers to use?

    Obfuscation

  • 38

    The IT department at a university is concerned about professors placing servers on the university network in an attempt to bypass security controls. Which of the following BEST represents this type of threat?

    Shadow IT

  • 39

    A security team is conducting a security review of a hosted data provider. The management team has asked the hosted data provider to share proof that customer data is being appropriately protected. Which of the following would provide the best proof that customer data is being protected?

    SOC2

  • 40

    An information security officer at a credit card transaction company is conducting a framework-mapping exercise with the internal controls. The company recently established a new office in Europe. To which of the following frameworks should the security officer map the existing controls? (Select TWO)

    PCI DSS, GDPR

  • 41

    Two organizations plan to collaborate on the evaluation of new SIEM solutions for their respective companies. A combined effort from both organizations' SOC teams would speed up the effort. Which of the following can be written to document this agreement?

    MOU

  • 42

    Which of the following roles would MOST likely have direct access to the senior management team?

    Data protection officer

  • 43

    Which of the following is a benefit of including a risk management framework into an organization's security approach?

    It incorporates control, development, policy, and management activities into IT operations.

  • 44

    Which of the following agreements defines response time, escalation points, and performance metrics?

    SLA

  • 45

    After a recent external audit, the compliance team provided a list of several non-compliant, in-scope hosts that were not encrypting cardholder data at rest. Which of the following compliance frameworks would address the compliance team's GREATEST concern?

    PCI DSS

  • 46

    Which of the following control types fixes a previously identified issue and mitigates a risk?

    Corrective

  • 47

    Which of the following prevents an employee from seeing a colleague who is visiting an inappropriate website?

    AUP

  • 48

    A company's Chief Information Officer (CIO) is meeting with the Chief Information Security Officer (CISO) to plan some activities to enhance the skill levels of the company's developers. Which of the following would be MOST suitable for training the developers?

    A capture-the-flag competition

  • 49

    Which of the following control types is patch management classified under?

    Corrective

  • 50

    Two organizations are discussing a possible merger. Both organizations' Chief Financial Officers would like to safely share payroll data with each other to determine if the pay scales for different roles are similar at both organizations. Which of the following techniques would be BEST to protect employee data while allowing the companies to successfully share this information?

    Data masking

  • 51

    An information security policy states that separation of duties is required for all highly sensitive database changes that involve customers' financial data. Which of the following will this be BEST to prevent?

    An insider threat

  • 52

    Which of the following organizations sets frameworks and controls for optimal security configuration on systems?

    NIST

  • 53

    When selecting a technical solution for identity management, an architect chooses to go from an in-house to a third-party SaaS provider. Which of the following risk management strategies is this an example of?

    Transference

  • 54

    A system that requires an operational availability of 99.99% and has an annual maintenance window available for patching and fixes will require the HIGHEST:

    MTBF

  • 55

    Which of the following is MOST likely to outline the roles and responsibilities of data controllers and data processors?

    GDPR

  • 56

    A security analyst is designing the appropriate controls to limit unauthorized access to a physical site. The analyst has a directive to utilize the lowest possible budget. Which of the following would BEST meet the requirements?

    Deterrent controls

  • 57

    In which of the following scenarios is tokenization the best privacy technique to use?

    Enabling established customers to safely store credit card information

  • 58

    Which of the following control types is patch management classified under?

    Corrective

  • 59

    The president of a regional bank likes to frequently provide SOC tours to potential investors. Which of the following policies BEST reduces the risk of malicious activity occurring after a tour?

    Clean desk

  • 60

    Which of the following terms describes a broad range of information that is sensitive to a specific organization?

    Proprietary

  • 61

    The Chief Compliance Officer from a bank has approved a background check policy for all new hires. Which of the following is the policy MOST likely protecting against?

    Hiring an employee who has been convicted of theft to adhere to industry compliance

  • 62

    Which of the following would a security analyst use to determine if other companies in the same sector have seen similar malicious activity against their systems?

    Threat feeds

  • 63

    Which of the following BEST reduces the security risks introduced when running systems that have expired vendor support (legacy systems) and lack an immediate replacement?

    Implement proper network access restrictions

  • 64

    Which of the following ISO standards is certified for privacy?

    ISO 27701

  • 65

    Which of the following refers to applications and systems that are used within an organization without consent or approval?

    Shadow IT

  • 66

    An organization recently acquired an ISO 27001 certification. Which of the following would MOST likely be considered a benefit of this certification?

    It assures customers that the organization meets security standards

  • 67

    A security team discovered a large number of company-issued devices with non-work-related software installed. Which of the following policies would most likely contain language that would prohibit this activity?

    AUP

  • 68

    Which of the following is a reason why an organization would define an AUP (acceptable use policy)?

    To define the set of rules and behaviors for users of the organization's IT systems

  • 69

    A company has determined that if its computer-based manufacturing is not functioning for 12 consecutive hours, it will lose more money than it costs to maintain the equipment. Which of the following must be less than 12 hours to maintain a positive total cost of ownership?

    RTO

  • 70

    Which of the following can be used to calculate the total loss expected per year due to a threat targeting an asset?

    SLE x ARO

  • 71

    A Chief Information Security Officer (CISO) needs to create a policy set that meets international standards for data privacy and sharing. Which of the following should the CISO read and understand before writing the policies?

    GDPR

  • 72

    Which of the following should be monitored by threat intelligence researchers who search for leaked credentials?

    Dark web

  • 73

    A security analyst needs to find real-time data on the latest malware and IoCs. Which of the following best describes the solution the analyst should pursue?

    Threat feeds

  • 74

    Which of the following types of controls is a CCTV camera that is not being monitored?

    Deterrent

  • 75

    A security analyst is tasked with classifying data to be stored on company servers. Which of the following should be classified as proprietary?

    Marketing strategies

  • 76

    Which of the following employee roles is responsible for protecting an organization's collected personal information?

    DPO (Data Protection Officer)

  • 77

    Which of the following documents provides guidance regarding the recommended deployment of network security systems from the manufacturer?

    Reference architecture

  • 78

    An organization wants to ensure that proprietary information is not inadvertently exposed during facility tours. Which of the following would the organization implement to mitigate this risk?

    Clean desk policy

  • 79

    Which of the following describes business units that purchase and implement scripting software without approval from an organization's technology support staff?

    Shadow IT

  • 80

    Which of the following BEST explains the difference between a data owner and a data custodian?

    The data owner is responsible for determining how the data may be used, while the data custodian is responsible for implementing the protection to the data

  • 81

    An organization suffered an outage and a critical system took 90 minutes to come back online. Though there was no data loss during the outage, the expectation was that the critical system would be available again within 60 minutes. Which of the following is the 60-minute expectation an example of:

    RTO

  • 82

    Which of the following controls is used to make an organization initially aware of a data compromise?

    Detective

  • 83

    A company purchased cyber insurance to address items listed on the risk register. Which of the following strategies does this represent?

    Transfer

  • 84

    A financial institution recently joined a bug bounty program to identify security issues in the institution's new public platform. Which of the following best describes who the institution is working with to identify security issues?

    Authorized hacker

  • 85

    Which of the following explains why RTO is included in a BIA?

    It identifies the amount of allowable downtime for an application or system.

  • 86

    Ann, a customer, received a notification from her mortgage company stating her PII may be shared with partners, affiliates, and associates to maintain day-to-day business operations. Which of the following documents did Ann receive?

    An annual privacy notice

  • 87

    Which of the following threat actors is MOST likely to be motivated by ideology?

    Hacktivist

  • 88

    Which of the following provides a catalog of security and privacy controls related to the United States federal information systems?

    NIST 800-53

  • 89

    Which of the following are requirements that must be configured for PCI DSS compliance? (Select TWO)
    A. Testing security systems and processes regularly
    B. Installing and maintaining a web proxy to protect cardholder data
    C. Assigning a unique ID to each person with computer access
    D. Encrypting transmission of cardholder data across private networks
    E. Benchmarking security awareness training for contractors
    F. Using vendor-supplied default passwords for system passwords

    Testing security systems and processes regularly, Assigning a unique ID to each person with computer access

  • 90

    A company is developing a new initiative to reduce insider threats. Which of the following should the company focus on to make the greatest impact?

    Least privilege

  • 91

    Which of the following is an example of risk avoidance?

    Not installing new software to prevent compatibility errors

  • 92

    A network manager is concerned that business may be negatively impacted if the firewall in its datacenter goes offline. The manager would like to implement a high availability pair to:

    remove the single point of failure

  • 93

    Which of the following is an example of risk avoidance?

    Not installing new software to prevent compatibility errors

  • 94

    Which of the following would an organization use to assign a value to risks based on probability of occurrence and impact?

    Risk matrix

  • 95

    A company policy requires third-party suppliers to self-report data breaches within a specific time frame. Which of the following third-party risk management policies is the company complying with?

    SLA

  • 96

    Which of the following security concepts should an e-commerce organization apply for protection against erroneous purchases?

    Integrity

  • 97

    Which of the following control types is focused primarily on reducing risk before an incident occurs?

    Preventive

  • 98

    The Chief Information Security Officer (CISO) has requested that a third-party vendor provide supporting documents that show proper controls are in place to protect customer data. Which of the following would be BEST for the third-party vendor to provide to the CISO?

    SOC 2 Type 2 report

  • 99

    Which of the following uses six initial steps that provide basic control over system security by including hardware and software inventory, vulnerability management, and continuous monitoring to minimize risk in all network environments?

    NIST Risk Management Framework

  • 100

    A company's security team received notice of a critical vulnerability affecting a high-profile device within the web infrastructure. The vendor patch was just made available online but has not yet been regression tested in development environments. In the interim, firewall rules were implemented to reduce the access to the interface affected by the vulnerability. Which of the following controls does this scenario describe?

    Compensating